diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 000000000..6f778feb8
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,5 @@
+### mondoohq/docs CODEOWNERS
+
+# Markdown updates should be reviewed by an editor
+*.md @mondoohq/mondoo-editors
+*.mdx @mondoohq/mondoo-editors
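Review bot: only `*.md` and `*.mdx` get an owner here, so the workflows and the composite action under `.github/` that this same patch adds can be changed without a required owner review. Those files handle `secrets.GCP_SERVICE_ACCOUNT` and `secrets.CLA_ACCESS_TOKEN`; consider adding a `/.github/` entry owned by whichever team maintains CI, which also covers this CODEOWNERS file itself.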
diff --git a/.github/ISSUE_TEMPLATE/content-issue.md b/.github/ISSUE_TEMPLATE/content-issue.md
new file mode 100644
index 000000000..9392630f1
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/content-issue.md
@@ -0,0 +1,35 @@
+---
+name: Content issue
+about: Info in the docs is incorrect, missing, or problematic
+title: ""
+labels: ""
+assignees: ""
+---
+
+#### Summarize the content issue
+
+For example, write "Can't find info on xxx " or "Required permissions for Azure scan are out of date."
+
+#### URL(s)
+
+Provide the URL(s) for the page(s) where the issue exists.
+
+#### What the docs say
+
+If there's existing, incorrect content, paste it here.
+
+#### What the docs SHOULD say
+
+Provide the correct info here (if you know it).
+
+#### Screenshots
+
+If applicable, add screenshots to demonstrate the problem.
+
+#### References
+
+If applicable, provide links to relevant sources of info.
+
+#### Notes
+
+Add any other info you want to provide.
diff --git a/.github/ISSUE_TEMPLATE/functional-bug.md b/.github/ISSUE_TEMPLATE/functional-bug.md
new file mode 100644
index 000000000..7b10cb5f6
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/functional-bug.md
@@ -0,0 +1,42 @@
+---
+name: Functional bug report
+about: Something in the docs is functionally broken
+title: ""
+labels: ""
+assignees: ""
+---
+
+#### Describe what function in the docs is broken
+
+For example, write "Broken link on Google Container Registry page" or "Long resource names are cut off in left navigation pane."
+
+#### Provide steps to reproduce
+
+Steps to reproduce the behavior:
+
+1. Go to [URL]
+2. Scroll to [xxx] section
+3. Select [xxx]
+
+#### Expected behavior
+
+Write a clear and concise description of what you expect to happen.
+
+#### Actual behavior
+
+Write a clear and concise description of what actually happens.
+
+#### Screenshots
+
+If applicable, add screenshots to demonstrate the problem.
+
+#### System info
+
+- OS: [e.g., macOS]
+- OS version: [e.g., 13.0]
+- Browser if applicable: [e.g., Chrome, Firefox]
+- Browser version: [e.g., 106]
+
+#### Notes
+
+Add any other info you want to provide.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 000000000..4ad0dc0fc
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,28 @@
+
+
+#### Description
+
+
+
+#### Related issue
+
+
+
+#### Types of changes
+
+
+
+- [ ] Functional documentation bug fix (i.e., broken link or some other busted behavior)
+- [ ] New functional doc capabilities (i.e., filter search results)
+- [ ] New content
+- [ ] Revision to existing content
+- [ ] Chore (non-breaking change that does not add functionality or fix an issue)
+
+#### Checklist
+
+
+
+
+- [ ] I have read the **README** document about contributing to this repo.
+- [ ] I have tested my changes locally and there are no issues.
+- [ ] All commits are signed.
diff --git a/.github/actions/PREview-data/action.yaml b/.github/actions/PREview-data/action.yaml
new file mode 100644
index 000000000..892b9a2eb
--- /dev/null
+++ b/.github/actions/PREview-data/action.yaml
@@ -0,0 +1,38 @@
+## NOTE: THIS IS A COMPOSABLE ACTION, NOT A WORKFLOW.
+name: "PREview: Data"
+description: "Caluculate branch, bucket, and PREview URL."
+
+outputs:
+ url:
+ description: "PREview URL"
+ value: ${{ steps.data.outputs.url }}
+ branch:
+ description: "Branch Name"
+ value: ${{ steps.data.outputs.branch }}
+ bucket:
+ description: "Bucket for PREview"
+ value: ${{ steps.data.outputs.bucket }}
+
+runs:
+ using: "composite"
+ steps:
+ - name: Determine branch shortname, bucket name and URL.
+ id: data
+ shell: bash
+ run: |
+ BRANCH=`echo ${GITHUB_HEAD_REF} | sed 's/.*\///'`
+ echo "::set-output name=branch::${BRANCH}"
+ echo "::set-output name=bucket::mondoo-pre-docs-${BRANCH}/docs"
+ echo "::set-output name=url::https://mondoo-pre-docs-${BRANCH}.storage.googleapis.com/docs/index.html"
+ - name: Determine branch shortname and bucket name
+ shell: bash
+ run: |
+ BRANCH=`echo ${GITHUB_HEAD_REF} | sed 's/.*\///'`
+ echo BRANCH=${BRANCH} >> $GITHUB_ENV
+ echo BUCKET=mondoo-pre-docs-${BRANCH} >> $GITHUB_ENV
+ echo URL=https://mondoo-pre-docs-${BRANCH}.storage.googleapis.com/docs/index.html >> $GITHUB_ENV
+ - name: Verify env variables
+ shell: bash
+ id: env
+ run: |
+ env
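Review bot: `GITHUB_HEAD_REF` is expanded unquoted in both `run` blocks, and the result goes straight into the bucket name, the URL and `$GITHUB_ENV` with no validation. The head ref is chosen by whoever opens the pull request, so quote the expansion and reject anything that is not a valid bucket-name suffix before writing it out. Because `sed 's/.*\///'` keeps only the last path segment, two different branches can also resolve to the same bucket. Separately: the first step uses the deprecated `::set-output` command (append to `$GITHUB_OUTPUT` instead), the two steps disagree on the bucket value (`mondoo-pre-docs-${BRANCH}/docs` versus `mondoo-pre-docs-${BRANCH}`), the final `env` step prints the whole environment to the job log and should not ship, and `description` has a typo ("Caluculate").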
diff --git a/.github/actions/spelling/README.md b/.github/actions/spelling/README.md
new file mode 100644
index 000000000..562091eda
--- /dev/null
+++ b/.github/actions/spelling/README.md
@@ -0,0 +1,15 @@
+# check-spelling/check-spelling configuration
+
+| File | Purpose | Format | Info |
+| -------------------------------------------------- | --------------------------------------------------------------- | --------------------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
+| [allow.txt](allow.txt) | Add words to the dictionary | one word per line (only letters and `'`s allowed) | [allow](https://github.com/check-spelling/check-spelling/wiki/Configuration#allow) |
+| [reject.txt](reject.txt) | Remove words from the dictionary (after allow) | grep pattern matching whole dictionary words | [reject](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-reject) |
+| [excludes.txt](excludes.txt) | Files to ignore entirely | perl regular expression | [excludes](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-excludes) |
+| [only.txt](only.txt) | Only check matching files (applied after excludes) | perl regular expression | [only](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-only) |
+| [patterns.txt](patterns.txt) | Patterns to ignore from checked lines | perl regular expression (order matters, first match wins) | [patterns](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-patterns) |
+| [line_forbidden.patterns](line_forbidden.patterns) | Patterns to flag in checked lines | perl regular expression (order matters, first match wins) | [patterns](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-patterns) |
+| [expect.txt](expect.txt) | Expected words that aren't in the dictionary | one word per line (sorted, alphabetically) | [expect](https://github.com/check-spelling/check-spelling/wiki/Configuration#expect) |
+| [advice.md](advice.md) | Supplement for GitHub comment when unrecognized words are found | GitHub Markdown | [advice](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-advice) |
+
+Note: you can replace any of these files with a directory by the same name (minus the suffix)
+and then include multiple files inside that directory (with that suffix) to merge multiple files together.
diff --git a/.github/actions/spelling/advice.md b/.github/actions/spelling/advice.md
new file mode 100644
index 000000000..cea808b11
--- /dev/null
+++ b/.github/actions/spelling/advice.md
@@ -0,0 +1,23 @@
+
+If the flagged items are false positives
+
+If items relate to a ...
+
+- binary file (or some other file you wouldn't want to check at all).
+
+ Please add a file path to the `excludes.txt` file matching the containing file.
+
+ File paths are Perl 5 Regular Expressions - you can [test](https://www.regexplanet.com/advanced/perl/) yours before committing to verify it will match your files.
+
+ `^` refers to the file's path from the root of the repository, so `^README\.md$` would exclude README.md (on whichever branch you're using).
+
+- well-formed pattern.
+
+ If you can write a [pattern](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-patterns) that would match it,
+ try adding it to the `patterns.txt` file.
+
+ Patterns are Perl 5 Regular Expressions - you can [test](https://www.regexplanet.com/advanced/perl/) yours before committing to verify it will match your lines.
+
+ Note that patterns can't match multiline strings.
+
+
diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt
new file mode 100644
index 000000000..e69de29bb
diff --git a/.github/actions/spelling/excludes.txt b/.github/actions/spelling/excludes.txt
new file mode 100644
index 000000000..c013ab542
--- /dev/null
+++ b/.github/actions/spelling/excludes.txt
@@ -0,0 +1,50 @@
+# See https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-excludes
+(?:^|/)(?i)COPYRIGHT
+(?:^|/)(?i)LICEN[CS]E
+(?:^|/)go\.sum$
+(?:^|/)package(?:-lock|)\.json$
+(?:^|/)vendor/
+ignore$
+\.a$
+\.ai$
+\.avi$
+\.bmp$
+\.bz2$
+\.crt$
+\.dll$
+\.DS_Store$
+\.eot$
+\.exe$
+\.gif$
+\.gitattributes$
+\.graffle$
+\.gz$
+\.icns$
+\.ico$
+\.jar$
+\.jpe?g$
+\.key$
+\.lib$
+\.lock$
+\.map$
+\.min\..
+\.mod$
+\.mp[34]$
+\.o$
+\.ocf$
+\.otf$
+\.pdf$
+\.pem$
+\.png$
+\.psd$
+\.s$
+\.svg$
+\.tiff?$
+\.ttf$
+\.wav$
+\.webm$
+\.webp$
+\.woff2?$
+\.zip$
+^\.github/actions/spelling/
+^\Q.github/workflows/spelling.yml\E$
diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
new file mode 100644
index 000000000..7a89c207c
--- /dev/null
+++ b/.github/actions/spelling/expect.txt
@@ -0,0 +1,409 @@
+aaaaaaaabnjfuyr
+aaaaaaaavixjk
+AAAAB
+abcbcada
+abelhju
+acr
+activitylog
+adduser
+aea
+afe
+AKIAI
+AKIAIOSFODNN
+alswrv
+amazonses
+AMIIBCg
+ampl
+anya
+APK
+apparmor
+appengine
+applicationinsight
+appsettings
+appstore
+ashburn
+assetid
+ASUSTe
+atlassian
+auths
+autodisconnect
+autoremove
+autoscaler
+backupconfiguration
+badssm
+baf
+BAQEFAAOCAQ
+bba
+bbeb
+bccbcb
+bdc
+bdn
+BGhg
+Bgkqhki
+bigquery
+BJHy
+BMDH
+BNdp
+bqthk
+bsdutils
+BUGZILLA
+BVWP
+byh
+bytematchstatement
+CABTk
+cavium
+cbc
+CBYq
+ccl
+cdn
+cdzrr
+Ceph
+certificatechains
+cfee
+cffae
+cim
+classname
+clientid
+cloudlinux
+Clw
+cmek
+CODENAME
+codeql
+computeservice
+connectionstrings
+Cooldown
+coreutils
+cosmosdb
+cpe
+crcsmnky
+credentialreport
+crowdsource
+cryptokey
+currencyservice
+customresources
+cvmsroot
+cyclonedx
+CYEXAMPLEKEY
+datacompute
+datapath
+dbf
+dcea
+Ddos
+debconf
+dfw
+dgrrz
+DHE
+DLken
+Dlp
+dlq
+eae
+Ecn
+eddqq
+EDE
+efbe
+efc
+efcfc
+Ehd
+eig
+EIP
+EKfj
+ekm
+Ekoslaq
+enableforcedlogoff
+enablesecuritysignature
+ENM
+ERXy
+Eso
+euleros
+EXAMPLEKEY
+exo
+EXTERNALID
+externalsender
+EZel
+FAgb
+falsey
+fbcaaa
+FBTJf
+FCAHd
+fcb
+Fdq
+FEMI
+Fgi
+fromjson
+FURSBLR
+Fwa
+Fwc
+Fxo
+gcfs
+geomatchstatement
+GFj
+GGJXG
+Ghpcn
+gistfile
+gmail
+googleusercontent
+gpu
+guncl
+gvnic
+hashs
+Hcz
+headerorder
+heu
+HHq
+hostkeys
+hvm
+iac
+iap
+Iavfv
+Iiwic
+Ijoi
+IKTK
+ilb
+ingresstls
+installassistant
+ipsetforwardedipconfig
+ipsetreferencestatement
+Jalr
+JDAOZ
+jdata
+jdiaz
+jdp
+jglt
+Jhb
+jira
+Jivv
+jjnhz
+joq
+jsonbody
+JTi
+KCAQEAx
+kembe
+KEYFILE
+keyout
+kidgu
+KKBABCDE
+KKBUGHG
+Kuwyd
+KVZv
+KXI
+labelmatchstatement
+lappy
+libwebsockets
+linux
+linuxmint
+logd
+logfiles
+loggingservice
+Lqc
+LQp
+LThh
+LTU
+lun
+managedrulegroupstatement
+managedzone
+MANIFESTFILE
+manjaro
+marsrover
+maxbackup
+maxsize
+Mbeze
+MDENG
+messagestoragepolicy
+Metasploit
+mfs
+MFx
+MHNy
+MIIBIj
+Mjk
+MKGQ
+mmvv
+moids
+mpim
+MSsqm
+multani
+multistring
+mwezi
+myemail
+mypro
+mypwd
+mysupernotexistingbucket
+mysystem
+mytarget
+myuser
+nameterraform
+NDdh
+NDgz
+netsh
+networkservice
+newkey
+nginx
+Nlcy
+noarch
+nodepool
+NSIs
+NSUl
+nsurlsessiond
+Nsxr
+NTk
+nvb
+ocid
+OFafff
+openssh
+openssl
+opensuse
+oraclelinux
+orstatement
+osoverview
+OTIy
+PACKNAME
+pagerduty
+pcx
+Pesoa
+PGbf
+Phl
+Pids
+pki
+pkr
+pmh
+Pmwtt
+postgre
+PROFILENAME
+PROJECTID
+pushconfig
+pytz
+QHONv
+QIDAQAB
+Qls
+QQO
+querypack
+QUERYUID
+Qwm
+ratebasedstatement
+regexmatchstatement
+regexpatternsetreferencestatement
+requiresecuritysignature
+resourcegroup
+restrictnullsessaccess
+Rfi
+rhcos
+rhel
+RLBUE
+rmcfv
+rmi
+Robl
+ROLEARN
+Ronacher
+rrfqiu
+RRQo
+rulegroup
+rulegroupreferencestatement
+saasure
+Sas
+sbom
+scim
+scsd
+Scz
+sdc
+SECRETID
+SECRETVALUE
+securetty
+securityimages
+SEfirewall
+serviceprincipals
+shm
+singlequeryargument
+sizeconstraintstatement
+skype
+sle
+Snat
+SOgp
+spdx
+spo
+sqli
+sqlimatchstatement
+sqlserver
+srvsvc
+stdevel
+Stupakov
+sudolog
+suki
+SXp
+Tdej
+teamsmeetingpolicyconfig
+tenantfederationconfig
+testcase
+testname
+testring
+testsuite
+tfblock
+tmg
+tmpkqyme
+toplevel
+tpu
+tsuki
+TYb
+UFJJVk
+uksouth
+UNeh
+unversioned
+uppercasing
+Utk
+UWl
+Vadym
+VAULTNAME
+vdcs
+vjtestpriv
+Vkt
+Vlc
+Vnet
+vnic
+Vtpm
+Vtz
+vulnerabilityassessment
+vulnerabilityassessmentsettings
+vulnmgmt
+vyeygprgjtgg
+webserver
+westeurope
+WEx
+Wib
+widescale
+wil
+winhttp
+winsock
+WNl
+wordpress
+wpe
+WTY
+xmna
+Xnp
+xoxb
+XPgk
+xrl
+XRu
+Xsf
+xssmatchstatement
+XUtn
+XWZG
+XXXXXX
+XXXXXXXXX
+YAMLFILE
+yast
+yescrypt
+yiesxpwx
+YOHu
+YWlu
+YWNl
+YXB
+YXBw
+ZFW
+ZGMx
+ZRg
+ZUXg
+ZWl
+ZWRl
+ZXIt
+ZXJz
+zxkk
+Zzd
+zzg
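Review bot: several entries in this list are fragments of credential-shaped strings rather than words: `AKIAI` and `AKIAIOSFODNN` (AWS access key ID prefix), `xoxb` (Slack bot token prefix), and `MIIBIj`, `Bgkqhki`, `BAQEFAAOCAQ`, `QIDAQAB` (base64 of public-key material). Accepting them piecemeal in `expect.txt` whitelists each fragment everywhere in the docs and hides the fact that key-like values are present. Prefer a `patterns.txt` rule that matches the whole token, and confirm that every string these fragments came from is a published example value and not a live credential.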
diff --git a/.github/actions/spelling/line_forbidden.patterns b/.github/actions/spelling/line_forbidden.patterns
new file mode 100644
index 000000000..03d870382
--- /dev/null
+++ b/.github/actions/spelling/line_forbidden.patterns
@@ -0,0 +1,619 @@
+# Detect common combinations of valid words that are in fact invalid.
+# Useful for brand capitalizations
+
+# Catch PR links left in the release notes
+\bhttps:\/\/github.com\/mondoohq\/.*\/pull\/\d*
+
+#
+# Terms to avoid
+#
+
+# s.b. Allow list
+\swhitelist\b
+\swhitelisting\b
+\swhitelisted\b
+\swhite list\b
+\swhite listing\b
+\swhite listed\b
+
+# s.b. Block list
+\sblacklist\b
+\sblacklisting\b
+\sblacklisted\b
+\sblack list\b
+\sblack listing\b
+\sblack listed\b
+
+#
+# Our Terms
+#
+
+# s.b. Mondoo Platform
+\sMondoo platform\b
+
+# s.b. Compliance Hub
+\scompliance hub\b
+\sCompliance hubplatform\b
+
+#
+# Industry Terms
+#
+
+# s.b. Side scanning
+\bSidescanning\b
+\bsidescanning\b
+
+# s.b. DevOps
+\bDev Ops\b
+\bDevops\b
+
+# s.b. SaaS
+\bSaas\b
+\bsaas\b
+
+# s.b. Docker Hub
+\bDockerHub\b
+\bDockerhub\b
+
+# s.b. REST API
+\bRest API\b
+\brest API\b
+\brest api\b
+
+# s.b. DevSecOps
+\bDevsecops\b
+
+# s.b. on-premises
+\bon-premise\b
+
+# s.b. email
+\be-mail\b
+
+#
+# Product Names
+#
+
+# s.b. Jira
+\bJIRA\b
+
+# s.b. MariaDB
+\bMaria DB\b
+\bmariaDB\b
+# \bmariaDb\b causes failures in MQL queries
+
+# s.b. PostgreSQL
+\bPostgreSql\b
+
+# s.b. Firefox
+\bFireFox\b
+
+# s.b. CentOS
+\bCentos\b
+\bCent OS\b
+\bcentOS\b
+
+# s.b. macOS
+\bOS X\b
+\bMacOS\b
+\bMac OS\b
+
+# s.b. Okta
+\bOcta\b
+
+# s.b. Elasticsearch
+\bElasticSearch\b
+
+# s.b. DocuSign
+\bDocu Sign\b
+
+# s.b. DocuSign
+\bDocu Sign\b
+
+# s.b. DocuSign
+\bDocu Sign\b
+\bDocusign\b
+
+# s.b. MongoDB
+\bMongo DB\b
+\bMongoDb\b
+
+# s.b. MySQL
+\bMysql\b
+\bMySql\b
+
+# s.b. OpenStack
+\bOpen Stack\b
+\bOpenstack\b
+
+# s.b. Red Hat
+\bRedHat\b
+\bRedhat\b
+
+# s.b. EuroLinux
+\bEurolinux\b
+\bEuro Linux\b
+
+# s.b. AlmaLinux
+\bAlma Linux\b
+
+# s.b. openSUSE
+\bOpenSUSE\b
+
+# s.b. openSUSE
+\bopenSuse\b
+
+# s.b. CircleCI
+\bCircleCi\b
+\bCircle CI\b
+
+# s.b. AppArmor
+\bApparmor\b
+\bApp Armor\b
+
+# s.b. SELinux
+\bSeLinux\b
+\bSelinux\b
+
+# s.b. InSpec
+\b[Ii]nspec\b
+
+# s.b. GitHub
+\bGithub\b
+
+# s.b. GitLab
+\bGitlab\b
+
+# s.b. JavaScript
+\bJavascript\b
+
+# s.b. OpenSSL
+\bOpenssl\b
+\bopenSSL\b
+
+# s.b. CloudBees
+\bCloudbees\b
+
+# s.b. System76
+\bSystem 76\b
+
+# s.b. VirtualBox
+\bvirtualbox\b
+\bVirtualbox\b
+\bVirtual Box\b
+
+#
+# HashiCorp Products
+#
+
+# s.b. HashiCorp
+\bHashicorp\b
+
+# s.b. Terraform
+\bTerraForm\b
+
+# s.b. Vagrantfile
+\bVagrant file\b
+\bVagrantFile\b
+
+#
+# Microsoft Products
+#
+
+# s.b. Microsoft
+\bMicroSoft\b
+
+# s.b. PowerPoint
+\bPower Point\b
+\bPowerpoint\b
+
+# s.b. OneNote
+\bOne Note\b
+\bOnenote\b
+
+# s.b. Windows Server
+\bWindows server\b
+
+# s.b. Team Foundation Server
+\bTeam foundation server\b
+\bteam foundation server\b
+
+# s.b. Active Directory
+\bActive directory\b
+\bactive directory\b
+
+# s.b. Group Policy Object
+\bGroup policy object\b
+\bgroup policy object\b
+\bGroup Policy object\b
+
+# s.b. Power BI
+\bPowerBI\b
+
+# s.b. SharePoint
+\bSharepoint\b
+\bShare Point\b
+
+# s.b. BitLocker
+\bBitlocker\b
+\bbitLocker\b
+
+# s.b. VS Code
+\bVSCode\b
+\bVScode\b
+
+# s.b. LinkedIn
+\bLinked In\b
+\bLinkedin\b
+
+#
+# VMware Products
+#
+
+# s.b. VMware
+\bVmware\b
+\bVMWare\b
+
+# s.b. vCenter
+\bVcenter\b
+\bVCenter\b
+
+# s.b. vSphere
+\bVsphere\b
+\bVSphere\b
+
+# s.b. ESXi
+\bEsxi\b
+
+#
+# AWS Products
+#
+
+# s.b. App2Container
+\bApp2container\b
+
+# s.b. AppFlow
+\bAppflow\b
+
+# s.b. AppSync
+\bAppsync\b
+
+# s.b. CloudEnsure
+\bCloudensure\b
+
+# s.b. CloudFormation
+\bCloudformation\b
+\bCloud Formation\b
+
+# s.b. CloudFront
+\bCloudfront\b
+
+# s.b. CloudHSM
+\bCloudHsm\b
+\bCloudhsm\b
+
+# s.b. CloudSearch
+\bCloudsearch\b
+
+# s.b. CloudShell
+# we can't check for Cloud Shell since that's what Azure calls it
+\bCloudshell\b
+# cloudshell results in false positives
+
+# s.b. CloudTrail
+\bCloudtrail\b
+
+# s.b. CloudWatch
+\bCloudwatch\b
+
+# s.b. CodeArtifact
+\bCodeartifact\b
+
+# s.b. CodeBuild
+\bCodebuild\b
+
+# s.b. CodeCommit
+\bCodecommit\b
+
+# s.b. CodeDeploy
+\bCodedeploy\b
+
+# s.b. CodeGuru
+\bCodeguru\b
+
+# s.b. CodePipeline
+\bCodepipeline\b
+
+# s.b. CodeStar
+\bCodestar\b
+
+# s.b. Copilot
+\bCoPilot\b
+
+# s.b. DeepRacer
+\bDeepracer\b
+
+# s.b. DocumentDB
+\bDocument DB\b
+\bDocumentDb\b
+
+# s.b. DynamoDB
+\bDynamo DB\b
+\bDynamoDb\b
+
+# s.b. ElastiCache
+\bElasticache\b
+
+# s.b. EventBridge
+\bEventbridge\b
+
+# s.b. Fargate
+\bFarGate\b
+\bFar Gate\b
+
+# s.b. FinSpace
+\bFinSpace\b
+
+# s.b. FSx
+\bFSX\b
+
+# s.b. GameLift
+\bGamelift\b
+
+# s.b. GuardDuty
+\bGuardduty\b
+
+# s.b. Honeycode
+\bHoneyCode\b
+
+# s.b. Lambda
+\bLamba\b
+
+# s.b. Lightsail
+\bLightSail\b
+
+# s.b. MXNet
+\bMxnet\b
+\bMXnet\b
+
+# s.b. OpenSearch
+\bOpensearch\b
+
+# s.b. OpenShift
+\bOpenshift\b
+
+# s.b. PrivateLink
+\bPrivatelink\b
+
+# s.b. QuickSight
+\bQuicksight\b
+
+# s.b. Redshift
+\bRedShift\b
+
+# s.b. RoboMaker
+\bRobomaker\b
+
+# s.b. Route 53
+\bRoute53\b
+
+# s.b. SageMaker
+\bSagemaker\b
+
+# s.b. SiteWise
+\bSitewise\b
+
+# s.b. StackSets
+\bStacksets\b
+
+# s.b. WorkDocs
+\bWorkdocs\b
+
+# s.b. WorkMail
+\bWorkmail\b
+
+#
+# GCP Products
+#
+
+# s.b. AlloyDB
+\bAlloy DB\b
+
+# s.b. AppEngine
+\bApp Engine\b
+
+# s.b. BigLake
+\bBig Lake\b
+
+# s.b. BigQuery
+\bBig Query\b
+
+# s.b. Cloud Build
+\bCloudBuild\b
+\bCloud build\b
+
+# s.b. Cloud CDN
+\bCloudCDN\b
+
+# s.b. Cloud Functions
+\bCloud functions\b
+
+# disabled for now in this repo due to false positives
+# s.b. Cloud Run
+# \bCloudRun\b
+# \bCloud run\b
+
+# s.b. Cloud SQL
+\bCloudSQL\b
+
+# s.b. Compute Engine
+\bComputeEngine\b
+\bCompute engine\b
+
+# s.b. Dataplex
+\bDataPlex\b
+
+# s.b. Datastream
+\bDataStream\b
+\bData Stream\b
+
+# s.b. Dialogflow
+\bDialogFlow\b
+
+# s.b. Firestore
+\bFireStore\b
+
+# s.b. gVNIC
+\bGVNIC\b
+
+# s.b. Knative
+\bKNative\b
+
+# s.b. Memorystore
+\bMemoryStore\b
+\bMemory Store\b
+
+# s.b. Pub/Sub
+\bPubSub\b
+
+# s.b. TensorFlow
+\bTensor Flow\b
+
+# s.b. Vertex AI
+\bVertexAI\b
+
+# s.b. VMware Engine
+\bVMware engine\b
+\bVMWare Engine\b
+
+#
+# Azure Products
+#
+
+# s.b. Azure Pipelines
+\bAzure DevOps Pipelines\b
+
+# s.b. Key Vault
+\bKey vault\b
+# \bKeyVault\b # disabled for now in this repo due to false positives
+
+# s.b. Ampere
+\bampere\b
+
+# s.b. Azure DevOps Server
+\bAzure DevOps server\b
+
+# s.b. Synapse Analytics
+\bSynapse analytics\b
+\bsynapse analytics\b
+
+# s.b. Cognitive Services
+\bCognitive services\b
+\bcognitive services\b
+
+# s.b. Event Hubs
+\bEvent hubs\b
+\bevent hubs\b
+
+# s.b. CloudOps
+\bCloud Ops\b
+\bCloud ops\b
+\bcloud ops\b
+
+# s.b. Batch Service
+\bBatch service\b
+\bbatch service\b
+
+# s.b. Service Fabric Cluster
+\bservice fabric cluster\b
+
+# s.b. Azure Kubernetes Service
+\bAzure Kubernetes service\b
+
+# s.b. Cosmos DB
+\bCosmosDB\b
+\bCosmoDB\b
+\bCosmo DB\b
+
+# s.b. SignalR Service
+\bSignalR service\b
+\bSignal R Service\b
+
+# s.b. App Service Certificate
+\bapp service certificate\b
+
+# s.b. Privileged Identity Management
+\bprivileged identity management\b
+
+# s.b. BizTalk Service
+\bBizTalk service\b
+\bBiztalk service\b
+\bBiz Talk service\b
+\bBiz Talk Service\b
+
+# s.b. Data Box
+\bdata box\b
+
+# s.b. Database Migration Service
+\bdatabase migration service\b
+
+# s.b. Internet Analyzer
+\bInternet analyzer\b
+\binternet analyzer\b
+
+# s.b. Web Application Firewall
+\bWeb application firewall\b
+\bweb Application Firewall\b
+
+# s.b. SQL Vulnerability Assessment
+\bSQL vulnerability assessment\b
+
+# s.b. StorSimple
+\bStor Simple\b
+
+#
+# Common Typos
+#
+
+# s.b. another
+\ban[- ]other\b
+
+# s.b. greater than
+\bgreater then\b
+
+# s.b. less than
+\bless then\b
+
+# s.b. otherwise
+\bother[- ]wise\b
+
+# s.b. nonexistent
+\bnon existing\b
+\b[Nn]o[nt][- ]existent\b
+
+# s.b. preexisting
+[Pp]re-existing
+
+# s.b. preempt
+[Pp]re-empt\b
+
+# s.b. preemptively
+[Pp]re-emptively
+
+# s.b. reentrancy
+[Rr]e-entrancy
+
+# s.b. reentrant
+[Rr]e-entrant
+
+# s.b. policies
+[Pp]olices
+
+# s.b. ID
+# \bId\b # disabled in this repo due to false positives
+
+# s.b. CSV
+\bCVS\b
+
+# Reject duplicate words
+\s([A-Z]{3,}|[A-Z][a-z]{2,}|[a-z]{3,})\s\g{-1}\s
+
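Review bot: the `# s.b. FinSpace` rule forbids `\bFinSpace\b`, which is the spelling the comment says is correct, so every correct use gets flagged; the pattern presumably should be `\bFinspace\b`. The `# s.b. AppEngine` rule (pattern `\bApp Engine\b`) deserves the same check, since Google writes the product name as two words. Smaller points: the `# s.b. DocuSign` block appears three times and `# s.b. openSUSE` twice, `\sCompliance hubplatform\b` looks like a paste error, and the PR-link rule leaves the dot in `github.com` unescaped.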
diff --git a/.github/actions/spelling/only.txt b/.github/actions/spelling/only.txt
new file mode 100644
index 000000000..91e0c2f9f
--- /dev/null
+++ b/.github/actions/spelling/only.txt
@@ -0,0 +1,3 @@
+^README\.md$
+(?:^|/)docs/
+(?:^|/)releases/
diff --git a/.github/actions/spelling/patterns.txt b/.github/actions/spelling/patterns.txt
new file mode 100644
index 000000000..7eb4c3cbf
--- /dev/null
+++ b/.github/actions/spelling/patterns.txt
@@ -0,0 +1,91 @@
+# See https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-patterns
+
+# acceptable duplicates
+# ls directory listings
+[-bcdlpsw](?:[-r][-w][-sx]){3}\s+\d+\s+(\S+)\s+\g{-1}\s+\d+\s+
+
+# Commit message -- Signed-off-by and friends
+^\s*(?:(?:Based-on-patch|Co-authored|Helped|Mentored|Reported|Reviewed|Signed-off)-by|Thanks-to): (?:[^<]*<[^>]*>|[^<]*)\s*$
+
+# Autogenerated revert commit message
+^This reverts commit [0-9a-f]{40}\.$
+
+# ignore long runs of a single character:
+\b([A-Za-z])\g{-1}{3,}\b
+
+# ignore funky space IDs that blow up spell checking
+api\.mondoo\.app\/space.*\b
+console\.mondoo\.com\/space.*\b
+
+# azure subscription ID
+[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}
+
+# azure subscriptions URL
+\/subscriptions\/\S*
+
+# docker container
+\b[a-z,0-9]{12}\b
+
+# URLs in markdown links / images
+]\(.*\)
+
+# Azure Key Vault Vault. It feels wrong, but it's technically right
+Key Vault Vault
+
+# luna containers in scan output
+\bluna/.*\b
+
+# this comes up in permissions and is valid
+\broot root\b
+
+# AWS resources
+(ami|subnet|vpc|sg)-[0-9a-fA-F]{17}
+
+# http and https URLs
+https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)
+
+# registry key paths
+HKEY_[\w\\]*
+
+# Container digests
+\bsha256:\w*
+
+# mime types
+\bapplication\/\S*
+
+# skip mql uids
+uid:\s.*$
+
+# ARN values
+\barn:\S*
+
+# mac user dir path
+\/Users\/\S*
+
+# AWS Token, ID access key, etc
+aws_session_token\s+\=(\s+)?.+
+aws_access_key_id\s+\=(\s+)?.+
+aws_secret_access_key\s+\=(\s+)?.+
+
+# PGP
+\b(?:[0-9A-F]{4} ){9}[0-9A-F]{4}\b
+# GPG keys
+\b(?:[0-9A-F]{4} ){5}(?: [0-9A-F]{4}){5}\b
+
+# uuid
+\b[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b
+
+# curl arguments
+\b(?:\\n|)curl(?:\s+-[a-zA-Z]{1,2}\b)*(?:\s+-[a-zA-Z]{3,})(?:\s+-[a-zA-Z]+)*
+
+# set arguments
+\bset(?:\s+-[abefimouxE]{1,2})*\s+-[abefimouxE]{3,}(?:\s+-[abefimouxE]+)*
+
+# tar arguments
+\b(?:\\n|)g?tar(?:\.exe|)(?:(?:\s+--[-a-zA-Z]+|\s+-[a-zA-Z]+|\s[ABGJMOPRSUWZacdfh-pr-xz]+\b)(?:=[^ ]*|))+
+
+# file permissions
+['"`\s][-bcdLlpsw](?:[-r][-w][-Ssx]){2}[-r][-w][-SsTtx]\+?['"`\s]
+
+# score score is valid in MQL docs
+score score
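Review bot: the `# docker container` rule `\b[a-z,0-9]{12}\b` matches any 12-character run of lowercase letters, digits or commas, so every 12-letter lowercase word is exempt from spell checking. Container IDs are hexadecimal, so `\b[0-9a-f]{12}\b` covers them without that side effect. Also, `]\(.*\)` is greedy and swallows everything up to the last `)` on the line, and the `# azure subscription ID` rule duplicates the `# uuid` rule further down. The three `aws_*` rules exist to skip credential values; confirm the pages they apply to contain only placeholder keys.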
diff --git a/.github/actions/spelling/reject.txt b/.github/actions/spelling/reject.txt
new file mode 100644
index 000000000..a2d814de9
--- /dev/null
+++ b/.github/actions/spelling/reject.txt
@@ -0,0 +1,12 @@
+ad-hoc
+^attache$
+benefitting
+occurences?
+^dependan.*
+^oer$
+Sorce
+^[Ss]pae.*
+^untill$
+^untilling$
+^wether.*
+deets
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..d487a0c2c
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+---
+version: 2
+updates:
+ - package-ecosystem: npm
+ directory: /
+ schedule:
+ interval: daily
+ - package-ecosystem: docker
+ directory: /
+ schedule:
+ interval: daily
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: daily
diff --git a/.github/workflows/PREview-create.yaml b/.github/workflows/PREview-create.yaml
new file mode 100644
index 000000000..e91f1fad6
--- /dev/null
+++ b/.github/workflows/PREview-create.yaml
@@ -0,0 +1,87 @@
+name: "PREview: Create"
+
+on:
+ pull_request:
+ types: [opened, reopened]
+
+jobs:
+ create-preview:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - uses: mshick/add-pr-comment@v2
+ with:
+ message: |
+ **Starting creation of the PREview environment...**
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ repo-token-user-login: "github-actions[bot]"
+ allow-repeats: true
+ - name: Obtain Bucket Name
+ uses: ./.github/actions/PREview-data
+ - name: Authenticate with Google Cloud
+ uses: "google-github-actions/auth@v2"
+ with:
+ credentials_json: "${{secrets.GCP_SERVICE_ACCOUNT}}"
+ - name: "Set up Cloud SDK"
+ uses: "google-github-actions/setup-gcloud@v2"
+ - name: Create PReview bucket
+ run: gsutil mb gs://${BUCKET}
+ - name: Configure bucket for public access
+ run: gsutil iam ch allUsers:legacyObjectReader gs://${BUCKET}
+ - name: Configure bucket web properties
+ run: gsutil web set -m index.html -e 404.html gs://${BUCKET}
+ - uses: mshick/add-pr-comment@v2
+ if: success()
+ with:
+ message: |
+ **PREview is ready at [${{ env.URL }}](${{ env.URL }})**
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ repo-token-user-login: "github-actions[bot]"
+ allow-repeats: true
+
+ data:
+ runs-on: ubuntu-latest
+ outputs:
+ branch: ${{ steps.data.outputs.branch }}
+ bucket: ${{ steps.data.outputs.bucket }}
+ url: ${{ steps.data.outputs.url }}
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Determine branch shortname, bucket name and URL.
+ id: data
+ shell: bash
+ run: |
+ BRANCH=`echo ${GITHUB_HEAD_REF} | sed 's/.*\///'`
+ echo "::set-output name=branch::${BRANCH}"
+ echo "::set-output name=bucket::mondoo-pre-docs-${BRANCH}/docs"
+ echo "::set-output name=url::https://mondoo-pre-docs-${BRANCH}.storage.googleapis.com/docs/index.html"
+ env
+
+ build:
+ uses: ./.github/workflows/_build.yaml
+ with:
+ output_dir: build
+ secrets: inherit
+
+ deploy-update:
+ needs: [data, build]
+ uses: ./.github/workflows/_deploy.yaml
+ with:
+ src_dir: build
+ bucket: ${{ needs.data.outputs.bucket }}
+ secrets: inherit
+
+ notify:
+ runs-on: ubuntu-latest
+ needs: [deploy-update, data]
+ steps:
+ - uses: mshick/add-pr-comment@v2
+ if: success()
+ with:
+ message: |
+ **PREview has been updated at ${{ needs.data.outputs.url }}**
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ repo-token-user-login: "github-actions[bot]"
+ allow-repeats: true
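Review bot: `deploy-update` declares `needs: [data, build]` but not `create-preview`, so the upload can start before `gsutil mb` has created the bucket; add `create-preview` to its `needs`. The workflow has no `permissions:` block, so `GITHUB_TOKEN` carries the repository default scope and is passed to `mshick/add-pr-comment@v2`, a third-party action pinned to a mutable tag. Set `permissions` to the minimum the comment step needs and pin third-party actions to a commit SHA. The `data` job duplicates the composite action, still uses `::set-output`, and ends with `env`, which dumps the environment into the log. The `gsutil` steps use `gs://${BUCKET}` unquoted, and the final comment says "has been updated" in what is the create workflow.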
diff --git a/.github/workflows/PREview-delete.yaml b/.github/workflows/PREview-delete.yaml
new file mode 100644
index 000000000..5a67e9c7c
--- /dev/null
+++ b/.github/workflows/PREview-delete.yaml
@@ -0,0 +1,37 @@
+name: "PREview: Delete"
+
+on:
+ pull_request:
+ types: [closed]
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - uses: mshick/add-pr-comment@v2
+ with:
+ message: |
+ **Cleaning up PREview environment...**
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ repo-token-user-login: "github-actions[bot]"
+ allow-repeats: true
+ - name: Obtain Bucket Name
+ uses: ./.github/actions/PREview-data
+ - name: Authenticate with Google Cloud
+ uses: "google-github-actions/auth@v2"
+ with:
+ credentials_json: "${{secrets.GCP_SERVICE_ACCOUNT}}"
+ - name: "Set up Cloud SDK"
+ uses: "google-github-actions/setup-gcloud@v2"
+ - name: Delete PReview bucket
+ run: gsutil rm -r gs://${BUCKET}
+ - uses: mshick/add-pr-comment@v2
+ if: success()
+ with:
+ message: |
+ **PREview environment deleted.**
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ repo-token-user-login: "github-actions[bot]"
+ allow-repeats: true
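Review bot: `gsutil rm -r gs://${BUCKET}` deletes recursively from a name derived only from the last segment of the pull request's branch, so closing a PR from `bugfix/x` removes the preview of a still-open PR from `feature/x`. Derive the bucket from something unique to the pull request, such as its number, and quote the variable. The job is named `deploy`, which is misleading in a delete workflow, and like the create workflow this one lacks a `permissions:` block.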
diff --git a/.github/workflows/PREview-update.yaml b/.github/workflows/PREview-update.yaml
new file mode 100644
index 000000000..c171eaa67
--- /dev/null
+++ b/.github/workflows/PREview-update.yaml
@@ -0,0 +1,51 @@
+name: "PREview: Update"
+
+on:
+ pull_request:
+ types: [synchronize]
+
+jobs:
+ data:
+ runs-on: ubuntu-latest
+ outputs:
+ branch: ${{ steps.data.outputs.branch }}
+ bucket: ${{ steps.data.outputs.bucket }}
+ url: ${{ steps.data.outputs.url }}
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Determine branch shortname, bucket name and URL.
+ id: data
+ shell: bash
+ run: |
+ BRANCH=`echo ${GITHUB_HEAD_REF} | sed 's/.*\///'`
+ echo "::set-output name=branch::${BRANCH}"
+ echo "::set-output name=bucket::mondoo-pre-docs-${BRANCH}/docs"
+ echo "::set-output name=url::https://mondoo-pre-docs-${BRANCH}.storage.googleapis.com/docs/index.html"
+
+ build:
+ uses: ./.github/workflows/_build.yaml
+ with:
+ output_dir: build
+ secrets: inherit
+
+ deploy-update:
+ needs: [data, build]
+ uses: ./.github/workflows/_deploy.yaml
+ with:
+ src_dir: build
+ bucket: ${{ needs.data.outputs.bucket }}
+ secrets: inherit
+
+ notify:
+ runs-on: ubuntu-latest
+ needs: [deploy-update, data]
+ steps:
+ - uses: mshick/add-pr-comment@v2
+ if: success()
+ with:
+ message: |
+ **PREview has been updated at ${{ needs.data.outputs.url }}**
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ repo-token-user-login: "github-actions[bot]"
+ allow-repeats: true
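Review bot: both reusable-workflow calls use `secrets: inherit`, which passes every repository secret to `_build.yaml` and `_deploy.yaml`, although `_build.yaml` declares only three and the deploy reads one. Pass the named secrets explicitly so each job gets only what it uses. The `data` job is a third copy of the branch and bucket logic (composite action, create workflow, here) and still uses `::set-output`; consume the composite action's outputs instead so any validation of the branch name lives in one place.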
diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml
new file mode 100644
index 000000000..c16e3b7d3
--- /dev/null
+++ b/.github/workflows/_build.yaml
@@ -0,0 +1,42 @@
+name: Build Static Site
+
+on:
+ workflow_call:
+ inputs:
+ output_dir:
+ description: "The directory to use for static content build output"
+ default: "build"
+ required: false
+ type: string
+ secrets:
+ ALGOLIA_API_KEY:
+ description: "The Algolia API key to use for indexing"
+ ALGOLIA_APP_ID:
+ description: "The Algolia App ID to use for indexing"
+ HS_ACCOUNTID:
+ description: "The HubSpot Account ID to use for tracking"
+
+jobs:
+ build-static:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Setup Node v20
+ uses: actions/setup-node@v4
+ with:
+ node-version: 20
+ - name: Install YARN dependencies
+ run: yarn install
+ - name: Replace secrets
+ run: |
+ sed -i "s/ALGOLIA_API_KEY/${{ secrets.ALGOLIA_API_KEY }}/g" docusaurus.config.js
+ sed -i "s/ALGOLIA_APP_ID/${{ secrets.ALGOLIA_APP_ID }}/g" docusaurus.config.js
+ sed -i "s/HS_ACCOUNTID/${{ secrets.HS_ACCOUNTID }}/g" docusaurus.config.js
+ - name: Build site
+ run: yarn build
+ - name: Cache Content
+ uses: actions/cache@v4
+ with:
+ path: ${{ inputs.output_dir }}/*
+ key: ${{ github.sha }}
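Review bot: the `Replace secrets` step expands `${{ secrets.* }}` directly into the script text of three `sed` commands, so a value containing `/`, `&`, a quote or a backslash breaks the substitution or the shell line. Pass the secrets through `env:` and read them as quoted shell variables, or have `docusaurus.config.js` read them from `process.env`. Note also that `yarn build` then runs the pull request's code with the substituted file on disk, and `yarn install` runs without a flag that enforces the lockfile. `actions/cache` keyed on `github.sha` is being used to hand the build to the deploy job; an uploaded artifact is a better fit because a cache miss is silent.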
diff --git a/.github/workflows/_deploy.yaml b/.github/workflows/_deploy.yaml
new file mode 100644
index 000000000..a3628246e
--- /dev/null
+++ b/.github/workflows/_deploy.yaml
@@ -0,0 +1,34 @@
+name: Deploy Static Site to GCS
+
+on:
+ workflow_call:
+ inputs:
+ src_dir:
+ description: "The directory containing static content"
+ default: "build"
+ required: false
+ type: string
+ bucket:
+ description: "The GCS Bucket to write to"
+ required: true
+ type: string
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Recall Cache Content
+ uses: actions/cache@v4
+ with:
+ path: ${{ inputs.src_dir }}/*
+ key: ${{ github.sha }}
+ - name: Authenticate with Google Cloud
+ uses: "google-github-actions/auth@v2"
+ with:
+ credentials_json: "${{ secrets.GCP_SERVICE_ACCOUNT }}"
+ - name: "Set up Cloud SDK"
+ uses: "google-github-actions/setup-gcloud@v2"
+ - name: Upload static content to buckets
+ run: gsutil -m -h "Cache-control:public, max-age=60" rsync -r -c -C -d ${{ inputs.src_dir }}/ gs://${{ inputs.bucket }}
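Review bot: The upload step at the end of the `deploy` job places `${{ inputs.src_dir }}` and `${{ inputs.bucket }}` unquoted into the `run:` line, so the caller's strings become shell text, and the same command uses `rsync -d`, which deletes destination objects that are missing from the source. Map both inputs to `env:` and use quoted `"$SRC_DIR"` and `"$BUCKET"`, and check the `cache-hit` output of the "Recall Cache Content" step before syncing so a cache miss fails the job before any sync with `-d` runs. `secrets.GCP_SERVICE_ACCOUNT` is also not declared under `workflow_call.secrets`, so this workflow only works when the caller uses `secrets: inherit`; declaring it makes the dependency explicit.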
diff --git a/.github/workflows/cla.yaml b/.github/workflows/cla.yaml
new file mode 100644
index 000000000..6774453a4
--- /dev/null
+++ b/.github/workflows/cla.yaml
@@ -0,0 +1,26 @@
+name: "CLA Assistant"
+on:
+ issue_comment:
+ types: [created]
+ pull_request_target:
+ types: [opened, closed, synchronize]
+
+jobs:
+ CLAssistant:
+ runs-on: ubuntu-latest
+ steps:
+ - name: "CLA Assistant"
+ if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the Mondoo CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+ uses: contributor-assistant/github-action@v2.3.1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_ACCESS_TOKEN }}
+ with:
+ path-to-signatures: "signatures/version1/cla.json"
+ path-to-document: "https://github.com/mondoohq/.github/blob/master/CLA.md"
+ custom-pr-sign-comment: "I have read the Mondoo CLA Document and I hereby sign the CLA"
+ custom-notsigned-prcomment: "Thank you for your submission. We really appreciate it. Before we can accept your contribution, we ask that you sign the [Mondoo Contributor License Agreement](https://github.com/mondoohq/.github/blob/master/CLA.md). You can sign the CLA by adding a new comment to this pull request and pasting exactly the following text."
+ remote-repository-name: cla
+ remote-organization-name: mondoohq
+ branch: "main"
+ allowlist: mondoo-tools,github-actions[bot],dependabot[bot]
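Review bot: The `CLAssistant` job runs on `pull_request_target` and `issue_comment` with both `GITHUB_TOKEN` and `secrets.CLA_ACCESS_TOKEN` in its environment, but the workflow has no `permissions:` block, so the token scope is whatever the repository default happens to be. Declare the minimum permissions the job needs explicitly, and consider pinning `contributor-assistant/github-action@v2.3.1` to a full commit SHA, since a tag can be moved and this step holds a personal access token. The `if:` also compares `github.event.comment.body` on every `issue_comment`, including comments on plain issues; adding a check on `github.event.issue.pull_request` would limit it to PR comments.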
diff --git a/.github/workflows/deploy-mondoo-com.yaml b/.github/workflows/deploy-mondoo-com.yaml
new file mode 100644
index 000000000..38f9eed32
--- /dev/null
+++ b/.github/workflows/deploy-mondoo-com.yaml
@@ -0,0 +1,19 @@
+name: Publish Mondoo.com/docs (Prod)
+
+on:
+ release:
+ types: [published]
+ workflow_dispatch:
+
+jobs:
+ build:
+ uses: ./.github/workflows/_build.yaml
+ secrets: inherit
+
+ deploy-production:
+ needs: build
+ uses: ./.github/workflows/_deploy.yaml
+ with:
+ src_dir: build
+ bucket: mondoo-io-docs/docs
+ secrets: inherit
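Review bot: Both `build` and `deploy-production` use `secrets: inherit`, which hands every secret visible to this workflow to the called workflows, while `_build.yaml` declares only three. Pass the named secrets explicitly on each `uses:` job so the production path documents exactly which credentials it consumes. `workflow_dispatch` also allows a production publish to be started by hand, so a protected environment or a ref check on `deploy-production` would be worth adding.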
diff --git a/.github/workflows/deploy-mondoo-love.yaml b/.github/workflows/deploy-mondoo-love.yaml
new file mode 100644
index 000000000..0a491ff41
--- /dev/null
+++ b/.github/workflows/deploy-mondoo-love.yaml
@@ -0,0 +1,36 @@
+name: Publish Mondoo.love (Staging)
+
+on:
+ pull_request:
+ types:
+ - closed
+ workflow_dispatch:
+
+jobs:
+ build:
+ uses: ./.github/workflows/_build.yaml
+ if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
+ secrets: inherit
+
+ deploy-staging:
+ needs: build
+ uses: ./.github/workflows/_deploy.yaml
+ with:
+ src_dir: build
+ bucket: mondoo-docs-edge/docs
+ secrets: inherit
+
+ notify:
+ needs: deploy-staging
+ runs-on: ubuntu-latest
+ steps:
+ - name: Update PR with Status (Completed Success)
+ if: success()
+ uses: mshick/add-pr-comment@v2
+ with:
+ message: |
+ **Deployment to mondoo.love/docs complete!**
+ [https://mondoo.love/docs](https://mondoo.love/docs)
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ repo-token-user-login: "github-actions[bot]"
+ allow-repeats: false
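Review bot: The `notify` job has no condition of its own, so it also runs after a `workflow_dispatch` deploy, where there is no pull request for `mshick/add-pr-comment@v2` to comment on. Add `if: github.event_name == 'pull_request'` at the job level and give the job an explicit `permissions:` block with `pull-requests: write` instead of relying on the default token scope. As in the production workflow, `secrets: inherit` on `build` and `deploy-staging` could be replaced with the named secrets.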
diff --git a/.github/workflows/image-optimize.yaml b/.github/workflows/image-optimize.yaml
new file mode 100644
index 000000000..166fe77ca
--- /dev/null
+++ b/.github/workflows/image-optimize.yaml
@@ -0,0 +1,25 @@
+name: "Optimize Images"
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ paths:
+ - "**.jpg"
+ - "**.jpeg"
+ - "**.png"
+ - "**.gif"
+ - "**.svg"
+ - "**.webp"
+
+jobs:
+ imgcmp:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - uses: 9sako6/imgcmp@v2.0.4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
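Review bot: `9sako6/imgcmp@v2.0.4` is referenced by tag while the `imgcmp` job grants `contents: write` and `pull-requests: write` and passes it `secrets.GITHUB_TOKEN`. Pin the action to a full commit SHA so a moved tag cannot change what runs with write access to the repository on every image push to `main`.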
diff --git a/.github/workflows/spell-check.yaml b/.github/workflows/spell-check.yaml
new file mode 100644
index 000000000..57be00a2d
--- /dev/null
+++ b/.github/workflows/spell-check.yaml
@@ -0,0 +1,53 @@
+---
+name: Spell Checking
+
+on:
+ pull_request:
+ types: [opened, reopened, synchronize]
+
+jobs:
+ spelling:
+ name: Run spell check
+ permissions:
+ contents: read
+ pull-requests: read
+ actions: read
+ outputs:
+ followup: ${{ steps.spelling.outputs.followup }}
+ runs-on: ubuntu-latest
+ if: "contains(github.event_name, 'pull_request') || github.event_name == 'push'"
+ concurrency:
+ group: spelling-${{ github.event.pull_request.number || github.ref }}
+ # note: If you use only_check_changed_files, you do not want cancel-in-progress
+ cancel-in-progress: true
+ steps:
+ - name: check-spelling
+ id: spelling
+ uses: check-spelling/check-spelling@v0.0.22
+ with:
+ disable_checks: noisy-file
+ suppress_push_for_open_pull_request: 1
+ checkout: true
+ post_comment: 0
+ dictionary_source_prefixes: '{"mondoo": "https://raw.githubusercontent.com/mondoohq/spellcheck-dictionary/main/", "cspell": "https://raw.githubusercontent.com/check-spelling/cspell-dicts/v20230509/dictionaries/"}'
+ extra_dictionaries: cspell:aws/aws.txt
+ cspell:filetypes/filetypes.txt
+ cspell:software-terms/src/software-terms.txt
+ cspell:software-terms/src/software-tools.txt
+ cspell:companies/src/companies.txt
+ mondoo:mondoo_dictionary.txt
+
+ comment:
+ name: Report
+ runs-on: ubuntu-latest
+ needs: spelling
+ permissions:
+ contents: write
+ pull-requests: write
+ if: (success() || failure()) && needs.spelling.outputs.followup
+ steps:
+ - name: comment
+ uses: check-spelling/check-spelling@v0.0.22
+ with:
+ checkout: true
+ task: ${{ needs.spelling.outputs.followup }}
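Review bot: In the `spelling` job, the `if:` still tests `github.event_name == 'push'`, but `on:` lists only `pull_request`, so that clause is dead; add the `push` trigger or drop the clause. The `comment` job requests `contents: write` and `pull-requests: write` although `post_comment: 0` is set above; if it only reports on the PR, `contents: read` should be enough. The `mondoo` entry in `dictionary_source_prefixes` points at the `main` branch of mondoohq/spellcheck-dictionary, unlike the `cspell` entry, which is pinned to `v20230509`; pinning both keeps check results reproducible.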
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000..b2d6de306
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,20 @@
+# Dependencies
+/node_modules
+
+# Production
+/build
+
+# Generated files
+.docusaurus
+.cache-loader
+
+# Misc
+.DS_Store
+.env.local
+.env.development.local
+.env.test.local
+.env.production.local
+
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
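Review bot: The "Misc" block ignores `.env.local` and the three `.env.*.local` variants but not a plain `.env`. Since the build workflow substitutes Algolia and HubSpot values into docusaurus.config.js, add `.env` here so a contributor's local copy of those values cannot be committed by accident.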
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 000000000..50a48e9b3
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,4 @@
+{
+ "files.insertFinalNewline": true,
+ "files.trimTrailingWhitespace": true
+}
diff --git a/Caddyfile b/Caddyfile
new file mode 100644
index 000000000..968213ef0
--- /dev/null
+++ b/Caddyfile
@@ -0,0 +1,30 @@
+:{$PORT} {
+
+ header {
+ Access-Control-Allow-Origin "*"
+ Access-Control-Request-Method "GET"
+ Access-Control-Request-Headers "Authorization, Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Accept-Encoding, X-Requested-With, User-Agent"
+ }
+
+ encode zstd gzip
+ root * {$ROOT_DIR}
+ file_server
+
+ redir /references/cli/mondoo_agents /references/cli/mondoo_client
+ redir /references/cli/mondoo_agents/ /references/cli/mondoo_client
+ redir /references/cli/mondoo_agents_generate-credentials* /references/cli/mondoo_client_generate-credentials
+ redir /references/cli/mondoo_agents_generate-token* /references/cli/mondoo_client_generate-token
+ redir /getstarted/introduction_mql_shell* /platform/console/policies/policy-as-code
+ redir /policies/overview* /platform/console/policies/overview
+ redir /policies/* /platform/console/policies/overview
+ redir /installation/operating_systems/installation /cnspec/
+ redir /installation/operating_systems* /cnspec/cnspec-adv-install/overview
+
+ handle_errors {
+ @404 {
+ expression {http.error.status_code} == 404
+ }
+ rewrite @404 /404.html
+ file_server
+ }
+}
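Review bot: In the `header` block, `Access-Control-Request-Method` and `Access-Control-Request-Headers` are the names a browser sends in a preflight request; the response headers that grant access are `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers`, so as written only `Access-Control-Allow-Origin "*"` has any effect. Rename the two, and confirm that a wildcard origin together with `Authorization` in the allowed headers is really intended for a static docs site; if nothing cross-origin needs to read these pages, the block can be dropped.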
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 000000000..4a092e8e3
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,3 @@
+FROM caddy:2.7.6-alpine
+ADD build /usr/share/caddy
+ADD Caddyfile /etc/caddy/Caddyfile
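Review bot: Both `ADD` lines copy local paths, so `COPY` is the better instruction here; `ADD` also unpacks archives and fetches URLs, which this image does not need. `caddy:2.7.6-alpine` is pinned by tag only, and adding the image digest would make the base reproducible. The Dockerfile also sets no `USER`, so the server runs as the base image's default user; since the Makefile serves on port 8080, an unprivileged user would work.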
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 000000000..14e2f777f
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,373 @@
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+ means each individual or legal entity that creates, contributes to
+ the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+ means the combination of the Contributions of others (if any) used
+ by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+ means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+ means Source Code Form to which the initial Contributor has attached
+ the notice in Exhibit A, the Executable Form of such Source Code
+ Form, and Modifications of such Source Code Form, in each case
+ including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+ means
+
+ (a) that the initial Contributor has attached the notice described
+ in Exhibit B to the Covered Software; or
+
+ (b) that the Covered Software was made available under the terms of
+ version 1.1 or earlier of the License, but not also under the
+ terms of a Secondary License.
+
+1.6. "Executable Form"
+ means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+ means a work that combines Covered Software with other material, in
+ a separate file or files, that is not Covered Software.
+
+1.8. "License"
+ means this document.
+
+1.9. "Licensable"
+ means having the right to grant, to the maximum extent possible,
+ whether at the time of the initial grant or subsequently, any and
+ all of the rights conveyed by this License.
+
+1.10. "Modifications"
+ means any of the following:
+
+ (a) any file in Source Code Form that results from an addition to,
+ deletion from, or modification of the contents of Covered
+ Software; or
+
+ (b) any new file in Source Code Form that contains any Covered
+ Software.
+
+1.11. "Patent Claims" of a Contributor
+ means any patent claim(s), including without limitation, method,
+ process, and apparatus claims, in any patent Licensable by such
+ Contributor that would be infringed, but for the grant of the
+ License, by the making, using, selling, offering for sale, having
+ made, import, or transfer of either its Contributions or its
+ Contributor Version.
+
+1.12. "Secondary License"
+ means either the GNU General Public License, Version 2.0, the GNU
+ Lesser General Public License, Version 2.1, the GNU Affero General
+ Public License, Version 3.0, or any later versions of those
+ licenses.
+
+1.13. "Source Code Form"
+ means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+ means an individual or a legal entity exercising rights under this
+ License. For legal entities, "You" includes any entity that
+ controls, is controlled by, or is under common control with You. For
+ purposes of this definition, "control" means (a) the power, direct
+ or indirect, to cause the direction or management of such entity,
+ whether by contract or otherwise, or (b) ownership of more than
+ fifty percent (50%) of the outstanding shares or beneficial
+ ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+ Licensable by such Contributor to use, reproduce, make available,
+ modify, display, perform, distribute, and otherwise exploit its
+ Contributions, either on an unmodified basis, with Modifications, or
+ as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+ for sale, have made, import, and otherwise transfer either its
+ Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+ or
+
+(b) for infringements caused by: (i) Your and any other third party's
+ modifications of Covered Software, or (ii) the combination of its
+ Contributions with other software (except as part of its Contributor
+ Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+ its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+ Form, as described in Section 3.1, and You must inform recipients of
+ the Executable Form how they can obtain a copy of such Source Code
+ Form by reasonable means in a timely manner, at a charge no more
+ than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+ License, or sublicense it under different terms, provided that the
+ license for the Executable Form does not attempt to limit or alter
+ the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+* *
+* 6. Disclaimer of Warranty *
+* ------------------------- *
+* *
+* Covered Software is provided under this License on an "as is" *
+* basis, without warranty of any kind, either expressed, implied, or *
+* statutory, including, without limitation, warranties that the *
+* Covered Software is free of defects, merchantable, fit for a *
+* particular purpose or non-infringing. The entire risk as to the *
+* quality and performance of the Covered Software is with You. *
+* Should any Covered Software prove defective in any respect, You *
+* (not any Contributor) assume the cost of any necessary servicing, *
+* repair, or correction. This disclaimer of warranty constitutes an *
+* essential part of this License. No use of any Covered Software is *
+* authorized under this License except under this disclaimer. *
+* *
+************************************************************************
+
+************************************************************************
+* *
+* 7. Limitation of Liability *
+* -------------------------- *
+* *
+* Under no circumstances and under no legal theory, whether tort *
+* (including negligence), contract, or otherwise, shall any *
+* Contributor, or anyone who distributes Covered Software as *
+* permitted above, be liable to You for any direct, indirect, *
+* special, incidental, or consequential damages of any character *
+* including, without limitation, damages for lost profits, loss of *
+* goodwill, work stoppage, computer failure or malfunction, or any *
+* and all other commercial damages or losses, even if such party *
+* shall have been informed of the possibility of such damages. This *
+* limitation of liability shall not apply to liability for death or *
+* personal injury resulting from such party's negligence to the *
+* extent applicable law prohibits such limitation. Some *
+* jurisdictions do not allow the exclusion or limitation of *
+* incidental or consequential damages, so this exclusion and *
+* limitation may not apply to You. *
+* *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+ This Source Code Form is subject to the terms of the Mozilla Public
+ License, v. 2.0. If a copy of the MPL was not distributed with this
+ file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+---------------------------------------------------------
+
+ This Source Code Form is "Incompatible With Secondary Licenses", as
+ defined by the Mozilla Public License, v. 2.0.
diff --git a/Makefile b/Makefile
new file mode 100644
index 000000000..6395905b7
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,53 @@
+.PHONY: yarn
+yarn:
+ yarn install
+
+.PHONY: fmt
+fmt: yarn
+ yarn prettier --write .
+
+.PHONY: test/fmt
+test/fmt: yarn
+ yarn prettier --check .
+
+.PHONY: build
+build: yarn fmt
+ yarn build
+
+.PHONY: serve
+serve: yarn fmt build
+ yarn run serve
+
+###
+### Caddy
+###
+.PHONY: caddy/run
+caddy/run: build
+ PORT=8080 ROOT_DIR=./build caddy run
+
+###
+### Dockerized for Cloud Run
+###
+.PHONY: container/build
+container/build: build
+ docker build --no-cache --platform linux/amd64 -t mondoo/docs .
+
+.PHONY: container/serve
+container/serve:
+ docker run -d --rm -p 8080:8080 -e PORT=8080 -e ROOT_DIR=/usr/share/caddy mondoo/docs
+
+DOCS_SERVICE_NAME=docs
+SERVICE_REGION=us-central1
+container/deploy/staging: container/build
+ docker tag mondoo/docs gcr.io/mondoo-dev-262313/docs
+ docker push gcr.io/mondoo-dev-262313/docs
+ gcloud run deploy "${DOCS_SERVICE_NAME}" --project mondoo-dev-262313 --concurrency=1 --memory=512Mi --image gcr.io/mondoo-dev-262313/docs --platform managed --region ${SERVICE_REGION} --set-env-vars=ROOT_DIR=/usr/share/caddy
+
+DOCS_SERVICE_NAME=docs
+SERVICE_REGION=us-central1
+container/deploy/production: container/build
+ docker tag mondoo/docs gcr.io/mondoo-base-infra/docs
+ docker push gcr.io/mondoo-base-infra/docs
+ gcloud run deploy "${DOCS_SERVICE_NAME}" --project mondoo-base-infra --concurrency=1 --memory=512Mi --image gcr.io/mondoo-base-infra/docs --platform managed --region ${SERVICE_REGION} --set-env-vars=ROOT_DIR=/usr/share/caddy
+
+
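Review bot: The `container/deploy/staging` and `container/deploy/production` targets tag, push and deploy `gcr.io/.../docs` with no version, so Cloud Run is pointed at a mutable default tag; tag with the git SHA or deploy by digest so a deployment can be traced and rolled back. These two targets are also missing `.PHONY`, and `DOCS_SERVICE_NAME` and `SERVICE_REGION` are defined twice with identical values. Separately, `build` depends on `fmt`, which runs `prettier --write` and rewrites the working tree during a build; `test/fmt` is the non-mutating check.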
diff --git a/README.md b/README.md
index 1dc6372f7..15845bc78 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,64 @@
-# docs
\ No newline at end of file
+# Mondoo documentation
+
+This repo contains the open source Mondoo documentation, which includes Mondoo, cnspec, cnquery, and MQL. It's built using [Docusaurus 3](https://docusaurus.io/), deployed to a Google Cloud Storage bucket, and published at [mondoo.com/docs](https://mondoo.com/docs/).
+
+## Want to contribute to the Mondoo docs?
+
+Great! If you're just fixing a typo or making a small change to an existing topic, just submit a merge request in this repo. For larger contributions, please create a GitHub issue in this repo to discuss the changes before you begin.
+
+## Install Docusaurus locally
+
+Install Docusaurus environment so you can build and test your contributions.
+
+### Install Node and Yarn
+
+This project uses Node.js version 20 and the Yarn package manager. If you don't already have these installed:
+
+- [Get Node.js](https://nodejs.org/en/download/)
+- [Get Yarn](https://yarnpkg.com/getting-started/install)
+
+Note: Make sure to follow the instructions to update your shell's profile for Node.
+
+### Install Docusaurus and other dependencies
+
+To set up Docusaurus and its dependencies, run this command:
+
+```bash
+yarn install
+```
+
+## Make changes
+
+To make a small fix, just find the source file and go for it! For larger changes, please create an issue here in GitHub so we can discuss it before you begin.
+
+### Find the files
+
+The markdown files that form the content of the docs are in the `/docs` directory. The Releases blog is in the `/releases` directory. Find images in `/static/img`.
+
+Note: We programmatically generate MQL resource and cnspec/cnquery command line reference topics from .lr and .yaml files in the [mondoohq/cnquery](https://github.com/mondoohq/cnquery) codebase. To make changes to those references docs, you must change the source content in the cnquery repo. Our tools regularly overwrite any changes made to that content the docs repo.
+
+### Follow our style
+
+Until we make our documentation style guide public, please try to follow the [Google
+developer documentation style guide](https://developers.google.com/style). With a few exceptions, that's what we do.
+
+## Locally build and test the Mondoo docs
+
+To generate a local build of the Mondoo docs, run this command:
+
+```bash
+make serve
+```
+
+Docusaurus generates the static content in the `build/` directory and launches a preview in your default web browser on a local development server (by default http://localhost:3000).
+
+## Request to merge
+
+Submit a request to merge your branch. We accept only [signed Git commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits).
+
+Thank you for your contribution!
+
+## Legal
+
+- **Copyright:** 2018-2024, Mondoo, Inc.
+- **License:** MPL 2.0
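Review bot: A few wording slips in the new README text: "Install Docusaurus environment" is missing "the", "those references docs" should be "those reference docs", and "changes made to that content the docs repo" is missing "in". The text says "merge request" in two sections although the repo is on GitHub, where the term is "pull request". The "Request to merge" section states that only signed commits are accepted; say whether branch protection enforces this so contributors know why an unsigned commit is rejected.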
diff --git a/babel.config.js b/babel.config.js
new file mode 100644
index 000000000..bfd75dbdf
--- /dev/null
+++ b/babel.config.js
@@ -0,0 +1,3 @@
+module.exports = {
+ presets: [require.resolve("@docusaurus/core/lib/babel/preset")],
+};
diff --git a/docs/cnquery/README.md b/docs/cnquery/README.md
new file mode 100644
index 000000000..7a49b640c
--- /dev/null
+++ b/docs/cnquery/README.md
@@ -0,0 +1,120 @@
+---
+title: Get Started with cnquery
+id: cnquery-get-started
+sidebar_label: Get Started with cnquery
+displayed_sidebar: cnquery
+sidebar_position: 2
+description: cnquery is Mondoo's open source, cloud-native tool that answers every question about your infrastructure. Install, and get up and running with cnquery.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Welcome to cnquery, an open source project created by [Mondoo](https://mondoo.com)!
+
+-> [Learn about cnquery](/cnquery/cnquery-about)
+
+## Download and install cnquery
+
+Install cnquery with our installation script:
+
+### Linux and macOS
+
+```bash
+bash -c "$(curl -sSL https://install.mondoo.com/sh)"
+```
+
+(You can read the [Linux/macOS installation script](https://install.mondoo.com/sh).)
+
+### Windows
+
+```powershell
+Set-ExecutionPolicy Unrestricted -Scope Process -Force;
+[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
+iex ((New-Object System.Net.WebClient).DownloadString('https://install.mondoo.com/ps1/cnquery'));
+Install-Mondoo -Product cnquery;
+```
+
+(You can read the [Windows installation script](https://install.mondoo.com/ps1/cnquery).)
+
+### Install manually
+
+Manual installation packages are available on [GitHub releases](https://github.com/mondoohq/cnquery/releases/latest).
+
+:::note
+
+If you install cnquery on machines that can't download and install updates (because they're air-gapped or don't give cnquery write access), you must install cnquery providers. To learn more, read [Manage cnquery Providers](/cnquery/providers/).
+
+:::
+
+## Run queries in the cnquery shell
+
+The easiest way to discover cnquery's capabilities is to use the interactive shell, which has auto-complete to guide you:
+
+```
+cnquery shell
+```
+
+Once inside the shell, you can enter MQL queries. For example, this query returns the name of the current machine and the platform it's running:
+
+```coffee
+asset { name title }
+```
+
+### Get help in the cnquery shell
+
+To see what information cnquery can retrieve, use the `help` command. These are some examples of how the help can guide you:
+
+| This command... | Describes the queryable resources for... |
+| ---------------------- | ---------------------------------------- |
+| `help` | All of cnquery |
+| `help k8s` | Kubernetes |
+| `help k8s.statefulset` | Kubernetes Cluster StatefulSets |
+| `help azure` | Azure |
+| `help terraform` | Terraform |
+
+### Exit the cnquery shell
+
+To exit cnquery shell, either press `Ctrl + D` or type `exit`.
+
+## Run queries in your own shell
+
+To run standalone queries in your shell, use the cnquery run command:
+
+```bash
+cnquery run TARGET -c "QUERY"
+```
+
+| For... | Substitute... |
+| -------- | ----------------------------------------------------------------------- |
+| `TARGET` | The asset to query, such as `local` or a transport to a remote machine. |
+| `QUERY` | The MQL query that specifies the information you want. |
+
+For example, this command runs a query against your local system. It lists the services installed and whether each service is running:
+
+```bash
+cnquery run local -c "services.list { name running }"
+```
+
+For a list of supported targets, use the help command:
+
+```bash
+cnquery help run
+```
+
+## Explore your infrastructure in Mondoo Platform
+
+To more easily explore your infrastructure, sign up for a free Mondoo Platform account. Mondoo's web-based console allows you to navigate, search, and inspect all of your assets.
+
+To learn about Mondoo Platform, read the [Mondoo Platform docs](../intro.md) or visit [mondoo.com](https://mondoo.com).
+
+To learn how to sign up for a free Mondoo account and register cnquery, read [Log into Mondoo Platform for More Capabilities](/cnquery/cnquery-platform/).
+
+## Learn more
+
+- To get started with AWS, read [Query AWS](/cnquery/cnquery-aws/).
+- To get started with Google Cloud, read [Query Google Cloud](/cnquery/cnquery-gcp/)
+- To get started with Kubernetes, read [Query Kubernetes](/cnquery/cnquery-k8s/)
+- To explore cnquery commands, read [CLI Reference](/cnquery/cli/cnquery).
+- To explore the capabilities of the MQL language, read the [MQL docs](/mql/resources).
+- To learn what technologies cnquery integrates with, read [Supported Query Targets](/cnquery/cnquery-supported).
+
+---
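Review bot: The install commands under "Linux and macOS" and "Windows" execute a remote script in a single step (`bash -c "$(curl -sSL ...)"` and `iex (...DownloadString(...))`), and the link to read each script only appears after the command. Put the "You can read the ... installation script" link before the command, or show a download, inspect, then run sequence as an alternative, and say why `Set-ExecutionPolicy Unrestricted -Scope Process -Force` is needed. Style: the Google Cloud and Kubernetes bullets under "Learn more" lack the trailing period the other bullets have, the `cnquery shell` fence has no language tag, and "the cnquery run command" should be formatted as `cnquery run`.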
diff --git a/docs/cnquery/_cnquery-distribute.md b/docs/cnquery/_cnquery-distribute.md
new file mode 100644
index 000000000..8b63b171d
--- /dev/null
+++ b/docs/cnquery/_cnquery-distribute.md
@@ -0,0 +1,37 @@
+---
+title: Distribute Queries Across Your Infrastructure
+id: cnquery-distribute
+sidebar_label: Distribute Across Your Infrastructure
+displayed_sidebar: cnquery
+sidebar_position: 7
+description: Share cnquery query packs across your infrastructure using the Mondoo Query Hub.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+:::note
+
+This feature is in development.
+
+:::
+
+You can share query packs across your infrastructure using the Mondoo Query Hub. The Query Hub creates a secure, private environment in your account that stores data about your assets. You can make all assets report on query packs, and you can define custom rules for your infrastructure.
+
+To use the Query Hub:
+
+```bash
+cnquery auth login
+```
+
+Once set up, you can collect your asset's data:
+
+```bash
+cnquery scan local
+```
+
+To add custom query packs, you can upload them:
+
+```bash
+cnquery pack upload mypack.mql.yaml
+```
+
+---
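Review bot: The commands in this file do not match the CLI reference added in the same patch: `cnquery auth login` and `cnquery pack upload mypack.mql.yaml` have no counterpart in cnquery.md, which lists `cnquery login` and `cnquery bundle publish`. Confirm which commands are intended. "To use the Query Hub:" is also followed only by a login command, with no mention of the registration token that cnquery_login.md requires, and the publish reference calls the destination "Mondoo Security Registry" rather than "Query Hub". `sidebar_position: 7` is reused by _cnquery-explore.md.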
diff --git a/docs/cnquery/_cnquery-explore.md b/docs/cnquery/_cnquery-explore.md
new file mode 100644
index 000000000..1879080ce
--- /dev/null
+++ b/docs/cnquery/_cnquery-explore.md
@@ -0,0 +1,43 @@
+---
+title: Explore Your Infrastructure
+id: cnquery-explore
+sidebar_label: Explore Your Infrastructure
+displayed_sidebar: cnquery
+sidebar_position: 7
+description: Explore the assets in your infrastructure
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Use the `cnquery scan` command to explore an asset's configuration based on a query pack. This command retrieves an asset's configuration details. For example, you can scan the local system with its pre-configured query pack.
+
+```bash
+cnquery scan local
+```
+
+
+
+## Explore your infrastructure in Mondoo Platform
+
+To more easily explore your infrastructure, sign up for a free Mondoo Platform account. Mondoo's web-based console allows you to navigate, search, and arrange all of your assets.
+
+Go to [console.mondoo.com](https://console.mondoo.com) to sign up.
+
+To learn about Mondoo Platform, read the [Mondoo Platform docs](../intro.md) or visit [mondoo.com](https://mondoo.com).
+
+---
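Review bot: The `cnquery scan local` example does not say where the results go. The `cnquery scan` reference in this patch describes `--incognito` as "Do not report scan results to Mondoo Platform", so state here when a plain scan reports to the platform and point to `--incognito` for local-only runs. Minor: there are two stray blank lines after the code fence, and this page says "navigate, search, and arrange" where the other pages say "navigate, search, and inspect".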
diff --git a/docs/cnquery/_cnquery-install.mdx b/docs/cnquery/_cnquery-install.mdx
new file mode 100644
index 000000000..da3dbb88c
--- /dev/null
+++ b/docs/cnquery/_cnquery-install.mdx
@@ -0,0 +1,18 @@
+## Install cnquery on Linux or macOS
+
+```bash
+bash -c "$(curl -sSL https://install.mondoo.com/sh)"
+```
+
+## Install cnquery on Windows
+
+```powershell
+Set-ExecutionPolicy Unrestricted -Scope Process -Force;
+[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
+iex ((New-Object System.Net.WebClient).DownloadString('https://install.mondoo.com/ps1/cnquery'));
+Install-Mondoo -Product cnquery;
+```
+
+## Package install
+
+If you prefer a package, find it on [GitHub releases](https://github.com/mondoohq/cnquery/releases).
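Review bot: This file repeats the one-step remote-script install commands but drops the "You can read the ... installation script" links that the getting-started page gives next to them; add the links here so readers can review the script before running it. The package link also points to `/releases` while the getting-started page uses `/releases/latest`; pick one.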
diff --git a/docs/cnquery/_cnquery-output.md b/docs/cnquery/_cnquery-output.md
new file mode 100644
index 000000000..ac6cad484
--- /dev/null
+++ b/docs/cnquery/_cnquery-output.md
@@ -0,0 +1,31 @@
+---
+title: Manage Query Output
+id: cnquery-format-results
+sidebar_label: Manage Query Output
+displayed_sidebar: cnquery
+sidebar_position: 5
+description: Learn what you can do with the output of cnquery queries
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+You can see verbose query results, output results to JSON, and share results with your team.
+
+## See verbose query results
+
+To see detailed progress as the query runs, use `-v` or `--verbose`. For example:
+
+```bash
+cnquery run local -c "services.list{*}" -v
+```
+
+## Output results to JSON
+
+To convert the output of your query to JSON, use `-j` or `--json`. For example:
+
+```bash
+cnquery run local -c "services.list{*}" -j
+```
+
+You can then pipe the output to jq or other applications.
+
+---
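Review bot: The intro promises three things ("see verbose query results, output results to JSON, and share results with your team") but the file only has sections for the first two; add the sharing section or drop the claim. The front matter `id: cnquery-format-results` also does not match the title "Manage Query Output" or the file name.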
diff --git a/docs/cnquery/cli/_category_.json b/docs/cnquery/cli/_category_.json
new file mode 100644
index 000000000..41757f5f1
--- /dev/null
+++ b/docs/cnquery/cli/_category_.json
@@ -0,0 +1,3 @@
+{
+ "label": "CLI Commands"
+}
diff --git a/docs/cnquery/cli/cnquery.md b/docs/cnquery/cli/cnquery.md
new file mode 100644
index 000000000..2f9fa37f4
--- /dev/null
+++ b/docs/cnquery/cli/cnquery.md
@@ -0,0 +1,35 @@
+---
+id: cnquery
+title: cnquery
+---
+
+cnquery CLI
+
+### Synopsis
+
+cnquery is a cloud-native tool for querying your entire infrastructure.
+
+### Options
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ -h, --help help for cnquery
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnquery bundle](cnquery_bundle.md) - Create, upload, and validate query packs
+- [cnquery login](cnquery_login.md) - Register with Mondoo Platform
+- [cnquery logout](cnquery_logout.md) - Log out from Mondoo Platform
+- [cnquery providers](cnquery_providers.md) - Providers add connectivity to all assets
+- [cnquery run](cnquery_run.md) - Run an MQL query
+- [cnquery sbom](cnquery_sbom.md) - Experimental: Generate a software bill of materials (SBOM) for a given asset
+- [cnquery scan](cnquery_scan.md) - Scan assets with one or more query packs
+- [cnquery shell](cnquery_shell.md) - Interactive query shell for MQL
+- [cnquery status](cnquery_status.md) - Verify access to Mondoo Platform
+- [cnquery vault](cnquery_vault.md) - Manage vault environments
+- [cnquery version](cnquery_version.md) - Display the cnquery version
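Review bot: `--auto-update` is documented only as "Enable automatic provider installation and update (default true)", with no hint of how to turn it off or what to do on hosts that cannot download updates. The getting-started page already links to /cnquery/providers/ for that case; link it from here as well. The description line "cnquery CLI" duplicates the title and could be dropped in favour of the Synopsis sentence.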
diff --git a/docs/cnquery/cli/cnquery_bundle.md b/docs/cnquery/cli/cnquery_bundle.md
new file mode 100644
index 000000000..b1de64e0e
--- /dev/null
+++ b/docs/cnquery/cli/cnquery_bundle.md
@@ -0,0 +1,29 @@
+---
+id: cnquery_bundle
+title: cnquery bundle
+---
+
+Create, upload, and validate query packs
+
+### Options
+
+```
+ -h, --help help for bundle
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnquery](cnquery.md) - cnquery CLI
+- [cnquery bundle init](cnquery_bundle_init.md) - Create an example query pack
+- [cnquery bundle lint](cnquery_bundle_lint.md) - Apply style formatting to a query pack
+- [cnquery bundle publish](cnquery_bundle_publish.md) - Add a user-owned query pack to the Mondoo Security Registry
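Review bot: The summary says "Create, upload, and validate query packs", but none of the listed subcommands is described as validating: `init` creates, `publish` uploads, and `lint` is described as "Apply style formatting to a query pack". Either describe `lint` as validation or adjust the summary so the three verbs map onto the three subcommands.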
diff --git a/docs/cnquery/cli/cnquery_bundle_init.md b/docs/cnquery/cli/cnquery_bundle_init.md
new file mode 100644
index 000000000..798488adf
--- /dev/null
+++ b/docs/cnquery/cli/cnquery_bundle_init.md
@@ -0,0 +1,34 @@
+---
+id: cnquery_bundle_init
+title: cnquery bundle init
+---
+
+Create an example query pack
+
+### Synopsis
+
+Create an example query pack that you can use as a starting point. If you don't provide a filename, cnquery uses `example-pack.mql.yaml`.
+
+```
+cnquery bundle init [path] [flags]
+```
+
+### Options
+
+```
+ -h, --help help for init
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnquery bundle](cnquery_bundle.md) - Create, upload, and validate query packs
diff --git a/docs/cnquery/cli/cnquery_bundle_lint.md b/docs/cnquery/cli/cnquery_bundle_lint.md
new file mode 100644
index 000000000..0aa119422
--- /dev/null
+++ b/docs/cnquery/cli/cnquery_bundle_lint.md
@@ -0,0 +1,30 @@
+---
+id: cnquery_bundle_lint
+title: cnquery bundle lint
+---
+
+Apply style formatting to a query pack
+
+```
+cnquery bundle lint [path] [flags]
+```
+
+### Options
+
+```
+ -h, --help help for lint
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnquery bundle](cnquery_bundle.md) - Create, upload, and validate query packs
diff --git a/docs/cnquery/cli/cnquery_bundle_publish.md b/docs/cnquery/cli/cnquery_bundle_publish.md
new file mode 100644
index 000000000..84e850bc2
--- /dev/null
+++ b/docs/cnquery/cli/cnquery_bundle_publish.md
@@ -0,0 +1,31 @@
+---
+id: cnquery_bundle_publish
+title: cnquery bundle publish
+---
+
+Add a user-owned query pack to the Mondoo Security Registry
+
+```
+cnquery bundle publish [path] [flags]
+```
+
+### Options
+
+```
+ -h, --help help for publish
+ --pack-version string Override the version of each pack in the bundle
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnquery bundle](cnquery_bundle.md) - Create, upload, and validate query packs
diff --git a/docs/cnquery/cli/cnquery_login.md b/docs/cnquery/cli/cnquery_login.md
new file mode 100644
index 000000000..d0cf97406
--- /dev/null
+++ b/docs/cnquery/cli/cnquery_login.md
@@ -0,0 +1,47 @@
+---
+id: cnquery_login
+title: cnquery login
+---
+
+Register with Mondoo Platform
+
+### Synopsis
+
+Log in to Mondoo Platform using a registration token. To pass in the token, use
+the '--token' flag.
+
+You can generate a new registration token on the Mondoo Dashboard. Go to
+https://console.mondoo.com -> Space -> Settings -> Registration Token. Copy the token and pass it in
+using the '--token' argument.
+
+You remain logged in until you explicitly log out using the 'logout' subcommand.
+
+```
+cnquery login [flags]
+```
+
+### Options
+
+```
+ --annotation stringToString Set the client annotations. (default [])
+ --api-endpoint string Set the Mondoo API endpoint.
+ -h, --help help for login
+ --name string Set asset name.
+ --splay int Randomize the timer by up to this many minutes.
+ --timer int Set the scan interval in minutes.
+ -t, --token string Set a client registration token.
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnquery](cnquery.md) - cnquery CLI
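Review bot: The synopsis tells readers to pass the registration token with `--token` on the command line, where it ends up in shell history and is visible in the process list; add a caveat, or document a safer way to supply it if the command has one. Wording: the same option is called a "flag" and then an "argument", it is quoted with single quotes rather than backticks, the console URL is a bare link, and `--timer` and `--splay` refer to a scan interval that the synopsis never explains.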
diff --git a/docs/cnquery/cli/cnquery_logout.md b/docs/cnquery/cli/cnquery_logout.md
new file mode 100644
index 000000000..52e35aeeb
--- /dev/null
+++ b/docs/cnquery/cli/cnquery_logout.md
@@ -0,0 +1,36 @@
+---
+id: cnquery_logout
+title: cnquery logout
+---
+
+Log out from Mondoo Platform
+
+### Synopsis
+
+This process also revokes the Mondoo Platform service account to
+ensure the credentials cannot be used in the future.
+
+```
+cnquery logout [flags]
+```
+
+### Options
+
+```
+ --force Force re-authentication
+ -h, --help help for logout
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnquery](cnquery.md) - cnquery CLI
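Review bot: The synopsis opens with "This process also revokes the Mondoo Platform service account", but there is no preceding sentence for "also" to refer to; start by stating what logout does before the revocation. `--force` is described as "Force re-authentication", which reads like a login option; clarify what it does on logout.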
diff --git a/docs/cnquery/cli/cnquery_providers.md b/docs/cnquery/cli/cnquery_providers.md
new file mode 100644
index 000000000..117634f95
--- /dev/null
+++ b/docs/cnquery/cli/cnquery_providers.md
@@ -0,0 +1,36 @@
+---
+id: cnquery_providers
+title: cnquery providers
+---
+
+Providers add connectivity to all assets
+
+### Synopsis
+
+Manage your providers. List and install new ones or update existing ones.
+
+```
+cnquery providers [flags]
+```
+
+### Options
+
+```
+ -h, --help help for providers
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnquery](cnquery.md) - cnquery CLI
+- [cnquery providers install](cnquery_providers_install.md) - Install or update a provider.
+- [cnquery providers list](cnquery_providers_list.md) - List all providers on the system.
diff --git a/docs/cnquery/cli/cnquery_providers_install.md b/docs/cnquery/cli/cnquery_providers_install.md
new file mode 100644
index 000000000..18fbe15ac
--- /dev/null
+++ b/docs/cnquery/cli/cnquery_providers_install.md
@@ -0,0 +1,32 @@
+---
+id: cnquery_providers_install
+title: cnquery providers install
+---
+
+Install or update a provider.
+
+```
+cnquery providers install [flags]
+```
+
+### Options
+
+```
+ -f, --file string install a provider via a file
+ -h, --help help for install
+ --url string install a provider via URL
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnquery providers](cnquery_providers.md) - Providers add connectivity to all assets
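Review bot: The `--url` and `-f, --file` options do not say whether a provider installed from an arbitrary URL or local file is checksum- or signature-verified; state that, or tell readers to install only from sources they trust. The page also has no synopsis or example showing how the provider to install is named, and the two option descriptions start lowercase, unlike the inherited options below them.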
diff --git a/docs/cnquery/cli/cnquery_providers_list.md b/docs/cnquery/cli/cnquery_providers_list.md
new file mode 100644
index 000000000..9de29090c
--- /dev/null
+++ b/docs/cnquery/cli/cnquery_providers_list.md
@@ -0,0 +1,30 @@
+---
+id: cnquery_providers_list
+title: cnquery providers list
+---
+
+List all providers on the system.
+
+```
+cnquery providers list [flags]
+```
+
+### Options
+
+```
+ -h, --help help for list
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnquery providers](cnquery_providers.md) - Providers add connectivity to all assets
diff --git a/docs/cnquery/cli/cnquery_run.md b/docs/cnquery/cli/cnquery_run.md
new file mode 100644
index 000000000..6aa624442
--- /dev/null
+++ b/docs/cnquery/cli/cnquery_run.md
@@ -0,0 +1,40 @@
+---
+id: cnquery_run
+title: cnquery run
+---
+
+Run an MQL query
+
+### Synopsis
+
+Run an MQL query on the CLI and displays its results.
+
+```
+cnquery run [flags]
+```
+
+### Options
+
+```
+ --ast Parse the query and return the abstract syntax tree (AST).
+ -c, --command string MQL query to executed in the shell.
+ -h, --help help for run
+ --info Parse the query and provide information about it.
+ -j, --json Run the query and return the object in a JSON structure.
+ --parse Parse the query and return the logical structure.
+ --platform-id string Select a specific target asset by providing its platform ID.
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnquery](cnquery.md) - cnquery CLI
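Review bot: Two grammar slips in this hunk: the synopsis reads "Run an MQL query on the CLI and displays its results" (should be "display"), and `-c, --command` reads "MQL query to executed in the shell" (should be "to execute"; the same text appears in cnquery_shell.md). The usage line `cnquery run [flags]` also omits the target, while the getting-started page documents `cnquery run TARGET -c "QUERY"`; show the target here too.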
diff --git a/docs/cnquery/cli/cnquery_sbom.md b/docs/cnquery/cli/cnquery_sbom.md
new file mode 100644
index 000000000..6bafaa589
--- /dev/null
+++ b/docs/cnquery/cli/cnquery_sbom.md
@@ -0,0 +1,51 @@
+---
+id: cnquery_sbom
+title: cnquery sbom
+---
+
+Experimental: Generate a software bill of materials (SBOM) for a given asset
+
+### Synopsis
+
+Generate a software bill of materials (SBOM) for a given asset. The SBOM
+is a representation of the asset's software components and their dependencies.
+
+The following formats are supported:
+
+- list (default)
+- cnquery-json
+- cyclonedx-json
+- cyclonedx-xml
+- spdx-json
+- spdx-tag-value
+
+Note this command is experimental and may change in the future.
+
+```
+cnquery sbom [flags]
+```
+
+### Options
+
+```
+ --annotation stringToString Add an annotation to the asset. (default [])
+ --asset-name string User-override for the asset name.
+ -h, --help help for sbom
+ -o, --output string Set output format: json, cyclonedx-json, cyclonedx-xml, spdx-json, spdx-tag-value, table (default "list")
+ --output-target string Set output target to which the sbom report will be written.
+ --with-evidence Display evidence for each component
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnquery](cnquery.md) - cnquery CLI
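Review bot: The supported-format list in the synopsis and the `-o, --output` help disagree. The list has `list (default)` and `cnquery-json`; the flag help has `json` and `table` and then gives the default as "list", which is not among the values it enumerates. Reconcile the two so readers know which strings `-o` accepts. `--output-target` should also say whether it takes a file path.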
diff --git a/docs/cnquery/cli/cnquery_scan.md b/docs/cnquery/cli/cnquery_scan.md
new file mode 100644
index 000000000..30ede879e
--- /dev/null
+++ b/docs/cnquery/cli/cnquery_scan.md
@@ -0,0 +1,54 @@
+---
+id: cnquery_scan
+title: cnquery scan
+---
+
+Scan assets with one or more query packs
+
+### Synopsis
+
+This command scans an asset using a query pack. For example, you can scan
+the local system with its pre-configured query pack:
+
+ $ cnquery scan local
+
+To manually configure a query pack, use this:
+
+ $ cnquery scan local -f bundle.mql.yaml --incognito
+
+```
+cnquery scan [flags]
+```
+
+### Options
+
+```
+ --annotation stringToString Add an annotation to the asset. (default [])
+ --asset-name string User-override for the asset name
+ --detect-cicd Try to detect CI/CD environments. If detected, set the asset category to 'cicd'. (default true)
+ -h, --help help for scan
+ --incognito Run in incognito mode. Do not report scan results to Mondoo Platform.
+ --inventory-ansible Set the inventory format to Ansible.
+ --inventory-domainlist Set the inventory format to domain list.
+ --inventory-file string Set the path to the inventory file.
+ -j, --json Run the query and return the object in a JSON structure.
+ -o, --output string Set output format: compact, csv, full, json, summary, yaml (default "compact")
+ --platform-id string Select a specific target asset by providing its platform ID.
+ --props stringToString Custom values for properties (default [])
+ --querypack querypack-bundle Set the query packs to execute. This requires querypack-bundle. You can specify multiple UIDs.
+ -f, --querypack-bundle strings Path to local query pack file
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnquery](cnquery.md) - cnquery CLI
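Review bot: `--querypack querypack-bundle` shows `querypack-bundle` where every other option shows a value type, and its help text "This requires querypack-bundle" leaves it unclear whether that means the `-f, --querypack-bundle` flag; reword it. The `-j, --json` help ("Run the query and return the object in a JSON structure") is copied from `cnquery run` and overlaps with `-o json`. The second synopsis example uses `--incognito` without explanation; since that flag controls whether results are reported to Mondoo Platform, say so next to the example.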
diff --git a/docs/cnquery/cli/cnquery_shell.md b/docs/cnquery/cli/cnquery_shell.md
new file mode 100644
index 000000000..3ece877b8
--- /dev/null
+++ b/docs/cnquery/cli/cnquery_shell.md
@@ -0,0 +1,36 @@
+---
+id: cnquery_shell
+title: cnquery shell
+---
+
+Interactive query shell for MQL
+
+### Synopsis
+
+Allows the interactive exploration of MQL queries
+
+```
+cnquery shell [flags]
+```
+
+### Options
+
+```
+ -c, --command string MQL query to executed in the shell.
+ -h, --help help for shell
+ --platform-id string Select a specific target asset by providing its platform ID.
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnquery](cnquery.md) - cnquery CLI
diff --git a/docs/cnquery/cli/cnquery_status.md b/docs/cnquery/cli/cnquery_status.md
new file mode 100644
index 000000000..9c1433e83
--- /dev/null
+++ b/docs/cnquery/cli/cnquery_status.md
@@ -0,0 +1,35 @@
+---
+id: cnquery_status
+title: cnquery status
+---
+
+Verify access to Mondoo Platform
+
+### Synopsis
+
+Status sends a ping to Mondoo Platform to verify the credentials.
+
+```
+cnquery status [flags]
+```
+
+### Options
+
+```
+ -h, --help help for status
+ -o, --output string Set output format. Accepts json or yaml.
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnquery](cnquery.md) - cnquery CLI
diff --git a/docs/cnquery/cli/cnquery_vault.md b/docs/cnquery/cli/cnquery_vault.md
new file mode 100644
index 000000000..a047e2121
--- /dev/null
+++ b/docs/cnquery/cli/cnquery_vault.md
@@ -0,0 +1,28 @@
+---
+id: cnquery_vault
+title: cnquery vault
+---
+
+Manage vault environments
+
+### Options
+
+```
+ -h, --help help for vault
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnquery](cnquery.md) - cnquery CLI
+- [cnquery vault add-secret](cnquery_vault_add-secret.md) - Store a secret in a vault
+- [cnquery vault configure](cnquery_vault_configure.md) - Configure a vault environment
diff --git a/docs/cnquery/cli/cnquery_vault_add-secret.md b/docs/cnquery/cli/cnquery_vault_add-secret.md
new file mode 100644
index 000000000..b280d8764
--- /dev/null
+++ b/docs/cnquery/cli/cnquery_vault_add-secret.md
@@ -0,0 +1,31 @@
+---
+id: cnquery_vault_add-secret
+title: cnquery vault add-secret
+---
+
+Store a secret in a vault
+
+```
+cnquery vault add-secret SECRETID SECRETVALUE [flags]
+```
+
+### Options
+
+```
+ -h, --help help for add-secret
+ --inventory-file string Set the path to the inventory file.
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnquery vault](cnquery_vault.md) - Manage vault environments
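Review bot: `SECRETVALUE` is taken as a positional argument in `cnquery vault add-secret SECRETID SECRETVALUE`, so the secret ends up in shell history and the process list; say so, or document reading it from stdin or a file if the command supports that. There is also no synopsis explaining which vault the secret is written to or how `--inventory-file` selects it.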
diff --git a/docs/cnquery/cli/cnquery_vault_configure.md b/docs/cnquery/cli/cnquery_vault_configure.md
new file mode 100644
index 000000000..594469e06
--- /dev/null
+++ b/docs/cnquery/cli/cnquery_vault_configure.md
@@ -0,0 +1,37 @@
+---
+id: cnquery_vault_configure
+title: cnquery vault configure
+---
+
+Configure a vault environment
+
+### Synopsis
+
+cnquery vault configure mondoo-client-vault --type linux-kernel-keyring
+
+```
+cnquery vault configure VAULTNAME [flags]
+```
+
+### Options
+
+```
+ -h, --help help for configure
+ --inventory-file string Set the path to the inventory file.
+ --option stringToString addition vault connection options, multiple options via --option key=value (default [])
+ --type string possible values: encrypted-file | aws-parameter-store | memory | linux-kernel-keyring | keyring | hashicorp-vault | gcp-secret-manager | aws-secrets-manager | gcp-berglas | none
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnquery vault](cnquery_vault.md) - Manage vault environments
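Review bot: The Synopsis is a bare example command with no explanatory sentence and no code formatting; add a sentence and fence the example. The `--option` help reads "addition vault connection options" (should be "additional"), and `--type` lists values such as `memory`, `none` and `encrypted-file` with no explanation of how each one stores secrets, which readers need in order to choose between them.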
diff --git a/docs/cnquery/cli/cnquery_version.md b/docs/cnquery/cli/cnquery_version.md
new file mode 100644
index 000000000..9797847ef
--- /dev/null
+++ b/docs/cnquery/cli/cnquery_version.md
@@ -0,0 +1,30 @@
+---
+id: cnquery_version
+title: cnquery version
+---
+
+Display the cnquery version
+
+```
+cnquery version [flags]
+```
+
+### Options
+
+```
+ -h, --help help for version
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnquery](cnquery.md) - cnquery CLI
diff --git a/docs/cnquery/cnquery-about.mdx b/docs/cnquery/cnquery-about.mdx
new file mode 100644
index 000000000..1034f5c85
--- /dev/null
+++ b/docs/cnquery/cnquery-about.mdx
@@ -0,0 +1,37 @@
+---
+title: What Is cnquery?
+id: cnquery-about
+sidebar_label: What Is cnquery?
+displayed_sidebar: cnquery
+sidebar_position: 1
+description: An introduction to cnquery, an open source, cloud-native tool that answers every question about your infrastructure
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+-> To install and get up and running quickly, read [Get Started with cnquery](/cnquery/).
+
+cnquery is Mondoo's open source, cloud-native tool that answers every question about your infrastructure. It integrates with [over 600 resources](/mql/resources) to provide quick insight into your operations and development platforms.
+
+Use cnquery to learn about your systems and reveal information that would otherwise be difficult or impossible to uncover. For example:
+
+- Aggregate all packages installed across containers, regardless of the OS.
+- Find cloud instances exposed to the internet.
+- Reveal old certificates on Kubernetes clusters.
+
+Now consider what's possible when you write automation around cnquery. It's an incredibly broad and versatile tool for solving DevOps challenges.
+
+Our query language is MQL, which combines a graph database approach and powerful filters. Simply describe what you want, and get only the results you need—fast! To explore MQL's capabilities, browse the [MQL docs](/mql/resources).
+
+## Explore your infrastructure in Mondoo Platform
+
+To more easily explore your infrastructure, sign up for a [free Mondoo Platform](https://console.mondoo.com) account. Mondoo's web-based console allows you to navigate, search, and inspect all of your assets.
+
+To learn about Mondoo Platform, read the [Mondoo Platform docs](../intro.md) or visit [mondoo.com](https://mondoo.com).
+
+To learn how to sign up for a free Mondoo account and register cnquery, read [Log into Mondoo Platform for More Capabilities](/cnquery/cnquery-platform/).
+
+## Learn more
+
+- To learn what technologies cnquery integrates with, read [Supported Scan Targets](/cnquery/cnquery-supported).
+
+---
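Review bot: The first body line starts with a stray "->" before "To install and get up and running quickly"; remove it or use the admonition syntax the other pages use. The "Learn more" link text is "Supported Scan Targets" here but "Supported Query Targets" on the getting-started page, both pointing at /cnquery/cnquery-supported; use one name. "answers every question about your infrastructure" appears in both the description and the opening paragraph and is a strong claim for reference docs.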
diff --git a/docs/cnquery/cnquery-aws/README.mdx b/docs/cnquery/cnquery-aws/README.mdx
new file mode 100644
index 000000000..3456d4945
--- /dev/null
+++ b/docs/cnquery/cnquery-aws/README.mdx
@@ -0,0 +1,44 @@
+---
+title: Query AWS
+id: cnquery-aws-intro
+sidebar_label: Get Started
+displayed_sidebar: cnquery
+sidebar_position: 1
+description: Explore and analyze your AWS infrastructure with cnquery
+image: /img/featured_img/mondoo-aws.jpg
+---
+
+With cnquery, you can explore and interrogate your entire AWS infrastructure. It's like having a powerful search engine for your AWS environment. For example, you can analyze IAM practices, identify containers running across all EKS clusters, or find S3 buckets that don't use encryption... all with a single tool.
+
+cnquery provides the answers you need about every AWS configuration. For a list of AWS resources you can query, read [Mondoo Amazon Web Services (AWS) Resource Pack Reference](/mql/resources/aws-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+## Connect cnquery with your AWS environment
+
+### Requirements
+
+To analyze and explore your AWS environment with cnquery, you must have:
+
+- [cnquery installed on your workstation](/cnquery/).
+- [An AWS account](https://aws.amazon.com/free/).
+- Your AWS credentials. To learn about creating a new access key pair, read [Creating new access keys for an IAM user](https://docs.aws.amazon.com/keyspaces/latest/devguide/access.credentials.html#create.keypair) in the AWS documentation.
+- The `AWS_REGION` environment variable configured. To learn how to set your region, read [How to set environment variables](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html#envvars-set) in the AWS documentation.
+
+### Verify with a quick AWS query
+
+To quickly confirm that cnquery has access to your AWS environment, run this query from your terminal:
+
+```bash
+cnquery run aws -c aws.account
+```
+
+cnquery returns the AWS account ID:
+
+```shell
+> aws.account: aws.account id="aws.account/123456789000"
+```
+
+## Next step
+
+You've successfully used cnquery to answer your first question about your AWS account. Now you're ready to [explore your AWS environment.](/cnquery/cnquery-aws/cnquery-aws-account)
+
+---
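Review bot: In Requirements, the "Your AWS credentials" bullet links to the Amazon Keyspaces developer guide (`docs.aws.amazon.com/keyspaces/latest/devguide/access.credentials.html#create.keypair`) rather than IAM documentation, and it never says which permissions those credentials need. Point the link at the IAM documentation and state the minimum read-only permissions cnquery requires, so readers do not reach for an administrator access key just to run `cnquery run aws -c aws.account`. The output block is fenced as `shell` with a leading `>`, which reads like a prompt; the other pages in this patch fence cnquery output as `coffee`.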
diff --git a/docs/cnquery/cnquery-aws/cnquery-aws-account.mdx b/docs/cnquery/cnquery-aws/cnquery-aws-account.mdx
new file mode 100644
index 000000000..f834c5857
--- /dev/null
+++ b/docs/cnquery/cnquery-aws/cnquery-aws-account.mdx
@@ -0,0 +1,248 @@
+---
+title: Query an AWS Account
+id: cnquery-aws-account
+sidebar_label: Query an AWS Account
+displayed_sidebar: cnquery
+sidebar_position: 20
+description: Explore and analyze the configuration of AWS accounts
+image: /img/featured_img/mondoo-aws.jpg
+---
+
+Once you've ensured that [cnquery can access your AWS environment](/cnquery/cnquery-aws/), you can begin exploring and analyzing your infrastructure. The method you choose depends on your goals:
+
+- To answer any question about your environment, use cnquery's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnquery and learning MQL.
+- For widescale analysis of your AWS infrastructure, scan using query packs. These collections of queries work together to present a whole picture.
+
+## Explore with the cnquery shell
+
+To launch a shell into your AWS environment, enter:
+
+```bash
+cnquery shell aws
+```
+
+### Discover capabilities with the `help` command
+
+Once inside the shell, use the `help` command to learn what AWS resources you can query. This command lists all the AWS resources:
+
+```coffee
+help aws
+```
+
+From the resulting list, you can drill down further. For example, enter this command to list all the AWS IAM resources you can query:
+
+```coffee
+help aws.iam
+```
+
+From the resulting list, you can drill down even further. You can also learn about available AWS resources in the [Mondoo Amazon Web Services (AWS) Resource Pack Reference](/mql/resources/aws-pack/).
+
+### Answer questions in the cnquery shell
+
+Now that you know how to discover what's possible with cnquery, let's run some actual queries in the shell.
+
+#### Query configuration recorders
+
+This query identifies which (potentially expensive) configuration recorders are turned on:
+
+```coffee
+aws.config { recorders { * } rules { * } }
+```
+
+cnquery returns complete and detailed lists of rules and recorders:
+
+```coffee
+aws.config: {
+ rules: [
+ 0: {
+ state: "ACTIVE"
+ source: {
+ CustomPolicyDetails: null
+ Owner: "AWS"
+ SourceDetails: null
+ SourceIdentifier: "EIP_ATTACHED"
+ }
+ arn: "arn:aws:config:us-east-1:921877552404:config-rule/config-rule-eam93q"
+ }
+ ]
+ recorders: [
+ 0: {
+ recording: false
+ includeGlobalResourceTypes: false
+ name: "default"
+ allSupported: true
+ roleArn: "arn:aws:iam::921877552404:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
+ lastStatus: ""
+ region: "us-east-1"
+ }
+ 1: {
+ recording: false
+ includeGlobalResourceTypes: false
+ name: "default"
+ allSupported: true
+ roleArn: "arn:aws:iam::921877552404:role/Config-Recorder"
+ lastStatus: ""
+ region: "us-east-2"
+ }
+ ]
+}
+```
+
+#### Query credentials
+
+When we explored the help for `aws.iam`, we learned that cnquery can access your account's IAM credential report. To gather basic information from the report, enter:
+
+```coffee
+aws.iam.credentialReport
+```
+
+cnquery lists the ARNs of all users, like this:
+
+```coffee
+aws.iam.credentialReport: [
+ 0: aws.iam.usercredentialreportentry arn="arn:aws:iam::921877552404:root"
+ 1: aws.iam.usercredentialreportentry arn="arn:aws:iam::921877552404:user/shiro"
+ 2: aws.iam.usercredentialreportentry arn="arn:aws:iam::921877552404:user/hanna"
+ 3: aws.iam.usercredentialreportentry arn="arn:aws:iam::921877552404:user/abel"
+ 4: aws.iam.usercredentialreportentry arn="arn:aws:iam::921877552404:user/suki"
+ 5: aws.iam.usercredentialreportentry arn="arn:aws:iam::921877552404:user/tembe"
+
+ ...
+
+]
+```
+
+For a more detailed report, you can specify that you want all fields:
+
+```coffee
+aws.iam.credentialReport { * }
+```
+
+For every user, cnquery provides information about their IAM activity and settings:
+
+```coffee
+ {
+ accessKey1LastUsedRegion: "eu-north-1"
+ passwordNextRotation: Never
+ user: aws.iam.user arn="arn:aws:iam::921877552404:user/suki"
+ properties: {
+ access_key_1_active: "true"
+ access_key_1_last_rotated: "2021-06-15T07:11:58+00:00"
+ access_key_1_last_used_date: "2022-12-02T04:33:00+00:00"
+ access_key_1_last_used_region: "eu-north-1"
+ access_key_1_last_used_service: "ec2"
+ access_key_2_active: "false"
+ access_key_2_last_rotated: "N/A"
+ access_key_2_last_used_date: "N/A"
+ access_key_2_last_used_region: "N/A"
+ access_key_2_last_used_service: "N/A"
+ arn: "arn:aws:iam::921877552404:user/suki"
+ cert_1_active: "false"
+ cert_1_last_rotated: "N/A"
+ cert_2_active: "false"
+ cert_2_last_rotated: "N/A"
+ mfa_active: "false"
+ password_enabled: "false"
+ password_last_changed: "N/A"
+ password_last_used: "N/A"
+ password_next_rotation: "N/A"
+ user: "suki-m1"
+ user_creation_time: "2021-06-15T07:11:58+00:00"
+ }
+ cert1Active: false
+ accessKey2LastUsedRegion: "N/A"
+ passwordLastChanged: Never
+ accessKey1LastUsedService: "ec2"
+ passwordLastUsed: Never
+ accessKey1Active: true
+ cert2Active: false
+ accessKey2Active: false
+ accessKey2LastUsedService: "N/A"
+ accessKey1LastRotated: 2021-06-15 07:11:58 +0000 +0000
+ cert2LastRotated: Never
+ cert1LastRotated: Never
+ accessKey1LastUsedDate: 2022-12-02 04:33:00 +0000 +0000
+ accessKey2LastRotated: Never
+ arn: "arn:aws:iam::921877552404:user/suki"
+ mfaActive: false
+ userCreationTime: 2021-06-15 07:11:58 +0000 +0000
+ accessKey2LastUsedDate: Never
+ passwordEnabled: false
+ }
+```
+
+#### Specify fields to include in results
+
+If you're interested in only some details, specify the fields you want in braces. For example, this query asks for each user's ARN, when they last changed their password, and whether they have MFA enabled:
+
+```coffee
+aws.iam.credentialReport { arn passwordLastChanged mfaActive }
+```
+
+cnquery returns results like this:
+
+```coffee
+aws.iam.credentialReport: [
+ 0: {
+ passwordLastChanged: 2022-11-30 12:15:58 +0000 +0000
+ arn: "arn:aws:iam::921877552404:user/suki"
+ mfaActive: true
+ }
+ 1: {
+ passwordLastChanged: 2022-08-25 20:40:44 +0000 +0000
+ arn: "arn:aws:iam::921877552404:user/tembe"
+ mfaActive: true
+ }
+ 2: {
+ passwordLastChanged: 2022-12-01 20:58:11 +0000 +0000
+ arn: "arn:aws:iam::921877552404:user/amos"
+ mfaActive: true
+ }
+ 3: {
+ passwordLastChanged: Never
+ arn: "arn:aws:iam::921877552404:user/hanna"
+ mfaActive: false
+ }
+]
+```
+
+#### Filter results
+
+You can filter results based on any fields. Specify the criteria using the `where` function and standard boolean operators.
+
+For example, this filters results based on ARN:
+
+```coffee
+aws.iam.credentialReport.where(arn == /hanna/) { * }
+```
+
+### Exit the cnquery shell
+
+To exit the cnquery shell, either press `Ctrl + D` or type `exit`.
+
+## Analyze your environment with AWS query packs
+
+Mondoo makes these [core AWS query packs](https://github.com/mondoohq/cnquery-packs) available in GitHub:
+
+- [Mondoo AWS Asset Inventory](https://github.com/mondoohq/cnquery-packs/blob/main/core/mondoo-aws-inventory.mql.yaml) provides information about all your AWS assets and their configuration.
+- [Mondoo AWS Incident Response](https://github.com/mondoohq/cnquery-packs/blob/main/core/mondoo-aws-incident-response.mql.yaml) helps you investigate and minimize damage when a security incident occurs.
+
+To run one of these purpose-built collections of AWS-specific queries:
+
+1. In Mondoo's [cnquery-packs GitHub repo](https://github.com/mondoohq/cnquery-packs), go to the `core` directory and find the AWS query pack you want to run.
+
+2. Download the YAML file to a local directory and, in your terminal, move to that directory.
+
+3. Use the `cnquery scan` command, specifying the file and the query pack:
+
+```bash
+cnquery scan aws -f mondoo-aws-incident-response.mql.yaml --querypack mondoo-incident-response-aws
+```
+
+You can also create your own query packs to meet your specific needs. To learn more about query packs, read [Run a Query Pack](/cnquery/cnquery-run-pack/).
+
+## Next step
+
+Now that you've explored your AWS environment using the cnquery shell, you're ready to dive deeper and [query your EC2 instances](/cnquery/cnquery-aws/cnquery-aws-ec2/).
+
+---
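Review bot: The sample output under "Query credentials" contradicts the output under "Specify fields to include in results": `user/suki` is shown with `mfaActive: false` and `passwordLastChanged: Never` in the `{ * }` listing, then with `mfaActive: true` and a 2022-11-30 password change in the next listing, and `user/amos` appears only in the second. Take the examples from one consistent data set. The listings also use account ID 921877552404 throughout, whereas README.mdx uses the placeholder 123456789000; if that ID belongs to a real account, swap in the placeholder. Separately, "identifies which (potentially expensive) configuration recorders are turned on" oversells `aws.config { recorders { * } rules { * } }`, which returns every recorder and rule (both recorders shown have `recording: false`); reword the sentence or filter on `recording`.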
diff --git a/docs/cnquery/cnquery-aws/cnquery-aws-ec2.mdx b/docs/cnquery/cnquery-aws/cnquery-aws-ec2.mdx
new file mode 100644
index 000000000..d911c24f0
--- /dev/null
+++ b/docs/cnquery/cnquery-aws/cnquery-aws-ec2.mdx
@@ -0,0 +1,134 @@
+---
+title: Query EC2 Instances
+id: cnquery-aws-ec2
+sidebar_label: Query AWS EC2 Instances
+displayed_sidebar: cnquery
+sidebar_position: 30
+description: Explore and analyze the configuration of AWS EC2 instances
+image: /img/featured_img/mondoo-aws.jpg
+---
+
+Now that you have an introduction to [querying your AWS account](/cnquery/cnquery-aws/cnquery-aws-account/) with cnquery, let's dive deeper and explore EC2 instances.
+
+We'll continue working in the cnquery shell, which makes running individual queries easy. If it's not already open, enter `cnquery shell aws` in your terminal. To learn about accessing your AWS account with cnquery, read [Query AWS Infrastructure](/cnquery/cnquery-aws/).
+
+## EC2 resources
+
+cnquery provides answers to any question about your EC2 instances. To discover all the resources and fields you can query, read [aws.ec2](/mql/resources/aws-pack/aws.ec2/). You can also use the `help` command in the shell:
+
+```coffee
+help aws.ec2
+```
+
+In this tutorial we'll explore just a few of the possibilities.
+
+## Run simple queries on EC2 instances
+
+This query gathers all your EC2 instances:
+
+```coffee
+aws.ec2.instances
+```
+
+It returns each instance's ARN and current state:
+
+```coffee
+aws.ec2.instances: [
+ 0: aws.ec2.instance arn="arn:aws:ec2:us-east-1:921877552404:instance/i-06e2eaa19a4fa883e" state="stopped"
+ 1: aws.ec2.instance arn="arn:aws:ec2:us-east-1:921877552404:instance/i-0facc86d89af823af" state="stopped"
+ 2: aws.ec2.instance arn="arn:aws:ec2:us-east-1:921877552404:instance/i-0b24443c8d18fdbab" state="running"
+ 3: aws.ec2.instance arn="arn:aws:ec2:us-west-1:921877552404:instance/i-020eed3b1e4965d8d" state="running"
+ 4: aws.ec2.instance arn="arn:aws:ec2:us-west-1:921877552404:instance/i-08f2ba2424027454a" state="running"
+]
+```
+
+## Specify fields to include in results
+
+You can request specific data by including the field names. For example, this query collects the ARN and any assigned tags for each instance:
+
+```coffee
+aws.ec2.instances { arn tags }
+```
+
+It returns a list with only the information you asked for:
+
+```coffee
+aws.ec2.instances: [
+ 0: {
+ tags: {
+ Name: "k8s-operator01"
+ owner: "suki@lunalectric.com"
+ }
+ arn: "arn:aws:ec2:us-east-1:921877552404:instance/i-06e2eaa19a4fa883e"
+ }
+ 1: {
+ tags: {
+ Name: "vm-with-ebs-iam-role"
+ }
+ arn: "arn:aws:ec2:us-east-1:921877552404:instance/i-0facc86d89af823af"
+ }
+ 2: {
+ tags: {
+ Name: "amazonlinux2-for-ebs-volume-scan"
+ owner: "kembe@lunalectric.com"
+ }
+ arn: "arn:aws:ec2:us-east-1:921877552404:instance/i-0b24443c8d18fdbab"
+ }
+ 3: {
+ tags: {}
+ arn: "arn:aws:ec2:us-west-1:921877552404:instance/i-020eed3b1e4965d8d"
+ }
+ 4: {
+ tags: {
+ Name: "amos-linux"
+ }
+ arn: "arn:aws:ec2:us-west-1:921877552404:instance/i-08f2ba2424027454a"
+ }
+]
+```
+
+## Filter results
+
+You can filter results based on any fields. Specify the criteria using the `where` function and standard boolean operators.
+
+For example, this query requests only EC2 instances that do not have an `owner` tag:
+
+```coffee
+aws.ec2.instances.where(tags['owner'] == null)
+```
+
+It lists each instance's ARN and status:
+
+```coffee
+aws.ec2.instances.where: [
+ 0: aws.ec2.instance arn="arn:aws:ec2:us-east-1:921877552404:instance/i-06e2eaa19a4fa883e" state="stopped"
+ 1: aws.ec2.instance arn="arn:aws:ec2:us-east-1:921877552404:instance/i-0facc86d89af823af" state="stopped"
+ 2: aws.ec2.instance arn="arn:aws:ec2:us-west-1:921877552404:instance/i-020eed3b1e4965d8d" state="running"
+ 3: aws.ec2.instance arn="arn:aws:ec2:us-west-1:921877552404:instance/i-08f2ba2424027454a" state="running"
+]
+```
+
+This finds large (more expensive) EC2 instances:
+
+```coffee
+aws.ec2.instances.where(instanceType == /^.*.large$/) { arn instanceType }
+```
+
+It returns a list of all instances that have an `instanceType` with `large` in the name.
+
+This similar query finds T-type instances (such as T2, or T4g):
+
+```coffee
+aws.ec2.instances.where(instanceType == /^[t].*/) { instanceType }
+```
+
+## Learn more about querying EC2 instances
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+- For a list of all the AWS resources and fields you can query, read [aws.ec2](/mql/resources/aws-pack/aws.ec2/).
+
+## Next step
+
+To discover more of cnquery's AWS capabilities, [query your EKS clusters](/cnquery/cnquery-aws/cnquery-aws-eks/).
+
+---
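Review bot: Under "Filter results", the sample output for `aws.ec2.instances.where(tags['owner'] == null)` includes `i-06e2eaa19a4fa883e`, which the preceding `{ arn tags }` output shows with `owner: "suki@lunalectric.com"`, so the example appears to return an instance that has the tag. Drop that entry or change the earlier tags so the two listings agree. The two regexes are also looser than the section's framing: in `/^.*.large$/` the unescaped dot matches any character, so `xlarge` sizes match as well, and `/^[t].*/` matches every type whose name starts with `t`. If only the `large` size and the T family are intended, something like `/\.large$/` and `/^t\d/` would say so.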
diff --git a/docs/cnquery/cnquery-aws/cnquery-aws-eks.mdx b/docs/cnquery/cnquery-aws/cnquery-aws-eks.mdx
new file mode 100644
index 000000000..c9631b269
--- /dev/null
+++ b/docs/cnquery/cnquery-aws/cnquery-aws-eks.mdx
@@ -0,0 +1,173 @@
+---
+title: Query AWS EKS Clusters
+id: cnquery-aws-eks
+sidebar_label: Query AWS EKS Clusters
+displayed_sidebar: cnquery
+sidebar_position: 40
+description: Explore and analyze the configuration of AWS EKS clusters
+image: /img/featured_img/mondoo-aws.jpg
+---
+
+Now that you have an introduction to [querying your AWS account](/cnquery/cnquery-aws/cnquery-aws-account/) with cnquery and have explored [EC2 queries](/cnquery/cnquery-aws/cnquery-aws-ec2), let's dive deeper and explore EKS clusters.
+
+We'll continue working in the cnquery shell, which makes running individual queries easy. If it's not already open, enter `cnquery shell aws` in your terminal. To learn about accessing your AWS account with cnquery, read [Query AWS Infrastructure](/cnquery/cnquery-aws/).
+
+## EKS resources
+
+cnquery provides answers to any question about your EKS clusters. To discover all the resources and fields you can query, read [aws.eks](/mql/resources/aws-pack/aws.eks/). You can also use the `help` command in the shell:
+
+```coffee
+help aws.eks
+```
+
+In this tutorial we'll explore just a few of the possibilities.
+
+## Run simple queries on EKS clusters
+
+This query gathers all your EKS clusters:
+
+```coffee
+aws.eks.clusters
+```
+
+It returns each cluster's ARN and current state:
+
+```coffee
+aws.eks.clusters: [
+ 0: aws.eks.cluster arn="arn:aws:eks:us-east-1:177043759486:cluster/eks-cluster" version="1.22" status="FAILED"
+ 1: aws.eks.cluster arn="arn:aws:eks:us-east-2:177043759486:cluster/online-shop-eks-cluster-byh8" version="1.22" status="ACTIVE"
+]
+```
+
+For all details on a single cluster, specify the cluster's number in the output sequence and include `{ * }`:
+
+```coffee
+aws.eks.clusters[1] { * }
+```
+
+cnquery returns the cluster's version, logging, encryption, and more:
+
+```coffee
+aws.eks.clusters[1]: {
+ logging: {
+ ClusterLogging: [
+ 0: {
+ Enabled: true
+ Types: [
+ 0: "api"
+ 1: "audit"
+ 2: "authenticator"
+ ]
+ }
+ 1: {
+ Enabled: false
+ Types: [
+ 0: "controllerManager"
+ 1: "scheduler"
+ ]
+ }
+ ]
+ }
+ encryptionConfig: [
+ 0: {
+ Provider: {
+ KeyArn: "arn:aws:kms:us-east-2:177043759486:key/35f97e4d-3076-494e-bd27-9e9936c9f3ba"
+ }
+ Resources: [
+ 0: "secrets"
+ ]
+ }
+ ]
+ tags: {
+ GitHubOrg: "lunalectric"
+ GitHubRepo: "online-shop"
+ Name: "scottford-dev-online-shop-eks-byh8"
+ Terraform: "true"
+ }
+ resourcesVpcConfig: {
+ ClusterSecurityGroupId: "sg-0ad9d888e7bfba23b"
+ EndpointPrivateAccess: false
+ EndpointPublicAccess: true
+ PublicAccessCidrs: [
+ 0: "0.0.0.0/0"
+ ]
+ SecurityGroupIds: [
+ 0: "sg-0563bb225870357ef"
+ ]
+ SubnetIds: [
+ 0: "subnet-032c68d4a5e512171"
+ 1: "subnet-0fdd8fcbf1ca3f071"
+ 2: "subnet-0d87da610b71436de"
+ ]
+ VpcId: "vpc-05905b857f7424833"
+ }
+ version: "1.22"
+ name: "online-shop-eks-cluster-byh8"
+ networkConfig: {
+ IpFamily: "ipv4"
+ ServiceIpv4Cidr: "172.20.0.0/16"
+ ServiceIpv6Cidr: null
+ }
+ createdAt: 2022-10-23 23:12:54.304 +0000 UTC
+ arn: "arn:aws:eks:us-east-2:177043759486:cluster/online-shop-eks-cluster-byh8"
+ region: "us-east-2"
+ endpoint: "https://8D2087DAD267CF9F24358D00F7553B84.gr7.us-east-2.eks.amazonaws.com"
+ platformVersion: "eks.6"
+ status: "ACTIVE"
+}
+```
+
+## Specify fields to include in results
+
+You can request specific data by including the field names. For example, this query collects the ARN and any assigned tags for each cluster:
+
+```coffee
+aws.eks.clusters { arn createdAt }
+```
+
+It returns a list with only the information you asked for:
+
+```coffee
+aws.eks.clusters: [
+ 0: {
+ arn: "arn:aws:eks:us-east-1:177043759486:cluster/eks-cluster"
+ createdAt: 2022-09-08 09:41:11.26 +0000 UTC
+ }
+ 1: {
+ arn: "arn:aws:eks:us-east-2:177043759486:cluster/online-shop-eks-cluster-byh8"
+ createdAt: 2022-10-23 23:12:54.304 +0000 UTC
+ }
+]
+```
+
+## Filter results
+
+You can filter results based on any fields. Specify the criteria using the `where` function and standard boolean operators.
+
+For example, this query requests only EKS clusters created more than 60 days ago:
+
+```coffee
+aws.eks.clusters.where(createdAt < time.today - 60*time.day) { arn createdAt }
+```
+
+It lists each cluster's ARN and creation date:
+
+```coffee
+aws.eks.clusters.where: [
+ 0: {
+ createdAt: 2022-09-08 09:41:11.26 +0000 UTC
+ arn: "arn:aws:eks:us-east-1:177043759486:cluster/eks-cluster"
+ }
+ 1: {
+ createdAt: 2021-12-08 09:03:22.44 +0000 UTC
+ arn: "arn:aws:eks:us-west-1:177043759533:cluster/lunashop-eks-cluster"
+ }
+]
+```
+
+## Learn more about querying EKS clusters
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+- For a list of all the AWS resources and fields you can query, read the [Mondoo Amazon Web Services (AWS) Resource Pack Reference](/mql/resources/aws-pack/).
+
+---
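Review bot: Under "Specify fields to include in results", the sentence says the query "collects the ARN and any assigned tags" but the query is `aws.eks.clusters { arn createdAt }` and the output shows `createdAt`, not tags; fix the sentence or the query. The "Filter results" output also lists `lunashop-eks-cluster` in account 177043759533, which is absent from the two-cluster listing at the top of the page. The `{ * }` sample carries what look like live identifiers (KMS key ARN, cluster endpoint hostname, security group, subnet and VPC IDs); replace them with obvious placeholders before publishing.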
diff --git a/docs/cnquery/cnquery-azure/README.mdx b/docs/cnquery/cnquery-azure/README.mdx
new file mode 100644
index 000000000..c3a864de0
--- /dev/null
+++ b/docs/cnquery/cnquery-azure/README.mdx
@@ -0,0 +1,112 @@
+---
+title: Query Azure
+id: cnquery-azure-intro
+sidebar_label: Azure
+displayed_sidebar: cnquery
+sidebar_position: 1
+description: Explore and analyze your Azure infrastructure with cnquery
+image: /img/featured_img/mondoo-azure.jpg
+---
+
+With cnquery, you can explore and interrogate your entire Azure tenant. It's like having a powerful search engine for your Azure environment. For example, you can analyze databases or search for Azure Network Interface configuration details... all with a single tool.
+
+cnquery provides the answers you need about every Azure configuration. For a list of Azure resources you can query, read [Mondoo Azure Resource Pack Reference](/mql/resources/azure-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+## Connect cnquery with your Azure environment
+
+### Requirements
+
+To explore your Azure environment with cnquery, you must have:
+
+- [cnquery installed on your workstation](/cnquery/)
+- An [Azure subscription](https://cloud.google.com/free)
+- The [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) installed
+
+### Log into Azure
+
+Using the Azure CLI, log into your subscription:
+
+```bash
+az login
+```
+
+### Verify with an Azure query
+
+To quickly confirm that cnquery has access to your Azure environment, run this query from your terminal:
+
+```bash
+cnquery run azure -c 'azure.resources'
+```
+
+## Query an Azure project
+
+To answer any question about your environment, use cnquery's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnquery and learning MQL.
+
+To launch a shell into your Azure environment, enter:
+
+```bash
+cnquery shell azure
+```
+
+### Discover capabilities with the `help` command
+
+Once inside the shell, use the `help` command to learn what Azure subscription resources you can query. This command lists all the Azure subscription resources:
+
+```coffee
+help azure.subscription
+```
+
+From the resulting list, you can drill down further. For example, enter this command to list all the Azure PostgreSQL resources you can query:
+
+```coffee
+help azure.subscription.postgreSql
+```
+
+From the resulting list, you can drill down even further. You can also learn about available Azure resources in the [Mondoo Azure Resource Pack Reference](/mql/resources/azure-pack/).
+
+### Query storage accounts
+
+Now that you know how to discover what's possible with cnquery, let's run some actual queries in the shell.
+
+This query lists all the storage accounts in the project:
+
+```coffee
+azure.subscription.storage.accounts
+```
+
+#### Request full details in results
+
+For a more detailed report, you can specify that you want all fields:
+
+```coffee
+azure.subscription.storage.accounts { * }
+```
+
+For every account, cnquery provides information about their status and settings.
+
+#### Specify fields to include in results
+
+If you're interested in only some details, specify the fields you want in braces. For example, this query asks for each user's ARN, when they last changed their password, and whether they have MFA enabled:
+
+```coffee
+azure.subscription.storage.accounts { id type properties }
+```
+
+#### Filter results
+
+You can filter results based on any fields. Specify the criteria using the `where` function and standard boolean operators.
+
+For example, this filters results based on status:
+
+```coffee
+azure.subscription.storage.accounts.where(kind == "BlobStorage") { id name type }
+```
+
+cnquery returns all BlobStorage accounts. It includes the ID, name and type for each one.
+
+## Learn more about querying Azure
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+- For a list of all the Azure resources and fields you can query, read the [Mondoo Azure Resource Pack Reference](/mql/resources/azure-pack/).
+
+---
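Review bot: Several lines are carried over from the AWS and GCP pages without being adapted: the Azure subscription requirement links to `https://cloud.google.com/free`, the "Specify fields to include in results" sentence describes "each user's ARN, when they last changed their password, and whether they have MFA enabled" while the query is `azure.subscription.storage.accounts { id type properties }`, and the headings and text refer to an Azure "project". The filter example is introduced as "based on status" but filters on `kind == "BlobStorage"`. Unlike the other cloud pages in this patch, none of the queries here shows sample output, including the verification step, so readers cannot tell what a successful connection looks like.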
diff --git a/docs/cnquery/cnquery-gcp/README.mdx b/docs/cnquery/cnquery-gcp/README.mdx
new file mode 100644
index 000000000..baa21c980
--- /dev/null
+++ b/docs/cnquery/cnquery-gcp/README.mdx
@@ -0,0 +1,287 @@
+---
+title: Query Google Cloud
+id: cnquery-gcp-intro
+sidebar_label: Google Cloud Platform (GCP)
+displayed_sidebar: cnquery
+sidebar_position: 1
+description: Explore and analyze your Google Cloud infrastructure with cnquery
+image: /img/featured_img/mondoo-gcp.jpg
+---
+
+With cnquery, you can explore and interrogate your entire Google Cloud Platform (GCP) project, including its compute instances. It's like having a powerful search engine for your GCP environment. For example, you can analyze firewalls, search for Compute Engine instance configuration details, or find all Cloud Storage buckets that anonymous or public users can access... all with a single tool.
+
+cnquery provides the answers you need about every GCP configuration. For a list of GCP resources you can query, read [Mondoo Google Cloud Platform (GCP) Resource Pack Reference](/mql/resources/gcp-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+## Connect cnquery with your GCP environment
+
+### Requirements
+
+To explore your GCP environment with cnquery, you must have:
+
+- [cnquery installed on your workstation](/cnquery/)
+- A [Google Platform account](https://cloud.google.com/free)
+- [Google Cloud SDK](https://cloud.google.com/sdk/install) installed
+
+### Provide access credentials
+
+In your terminal, log into GCP with this command:
+
+```bash
+gcloud auth login --update-adc
+```
+
+### Configure the GCP project you want explore
+
+To query a GCP project, you must set up the project:
+
+```bash
+gcloud config set project PROJECTID
+```
+
+For `PROJECTID`, substitute the ID of the project you want to query.
+
+GCP confirms the setup:
+
+```bash
+Updated property [core/project].
+```
+
+To verify your configuration, enter:
+
+```bash
+gcloud config list
+```
+
+GCP returns results similar to these:
+
+```
+[core]
+account = suki@lunalectric.com
+disable_usage_reporting = True
+project = gcp-project-id
+
+Your active configuration is: [default]
+```
+
+### Verify with a quick GCP query
+
+To quickly confirm that cnquery has access to your GCP environment, run this query from your terminal:
+
+```bash
+cnquery run gcp -c gcp.project
+```
+
+cnquery returns the name of the project:
+
+```shell
+→ discover related assets for 1 asset(s)
+→ resolved assets resolved-assets=1
+gcp.project: gcp.project name="lune-edge"
+```
+
+You've successfully used cnquery to answer your first question about your GCP environment. Now you're ready to explore.
+
+## Query a Google Cloud project
+
+To answer any question about your environment, use cnquery's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnquery and learning MQL.
+
+To launch a shell into your GCP environment, enter:
+
+```bash
+cnquery shell gcp
+```
+
+### Discover capabilities with the `help` command
+
+Once inside the shell, use the `help` command to learn what GCP resources you can query. This command lists all the GCP resources:
+
+```coffee
+help gcp
+```
+
+From the resulting list, you can drill down further. For example, enter this command to list all the GCP DNS resources you can query:
+
+```coffee
+help gcp.dns
+```
+
+From the resulting list, you can drill down even further. You can also learn about available GCP resources in the [Mondoo Google Cloud Platform (GCP) Resource Pack Reference](/mql/resources/gcp-pack/).
+
+### Query Compute Engine instances
+
+Now that you know how to discover what's possible with cnquery, let's run some actual queries in the shell.
+
+This query lists all the Compute Engine instances in the project:
+
+```coffee
+gcp.project.computeService.instances
+```
+
+cnquery returns a list of instances:
+
+```coffee
+gcp.project.computeService.instances: [
+ 0: gcp.project.computeService.instance name="amos-test-instance1"
+ 1: gcp.project.computeService.instance name="ansible-centos"
+ 2: gcp.project.computeService.instance name="centos7-latest"
+ 3: gcp.project.computeService.instance name="debian10"
+ 4: gcp.project.computeService.instance name="luna-dev"
+ 5: gcp.project.computeService.instance name="luna-edge"
+ 6: gcp.project.computeService.instance name="luna-service"
+
+...
+
+]
+```
+
+#### Request full details in results
+
+For a more detailed report, you can specify that you want all fields:
+
+```coffee
+gcp.project.computeService.instances { * }
+```
+
+For every instance, cnquery provides information about their status and settings:
+
+```coffee
+ 0: {
+ lastStopTimestamp: 2022-07-04 08:33:12.127 -0700 PDT
+ fingerprint: "Qls1P6_JjQE="
+ minCpuPlatform: ""
+ metadata: {}
+ status: "TERMINATED"
+ scheduling: {
+ automaticRestart: true
+ onHostMaintenance: "MIGRATE"
+ provisioningModel: "STANDARD"
+ }
+ zone: gcp.project.computeService.zone name="us-central1-a"
+ tags: []
+ id: "5894326198680570314"
+ labels: {}
+ machineType: gcp.project.computeService.machineType name="e2-medium"
+ lastSuspendedTimestamp: null
+ canIpForward: false
+ projectId: "luna-edge-262317"
+ physicalHostResourceStatus: ""
+ privateIpv6GoogleAccess: ""
+ enableVtpm: true
+ cpuPlatform: "Unknown CPU Platform"
+ serviceAccounts: [
+ 0: gcp.project.computeService.serviceaccount email="458067389847-compute@developer.gserviceaccount.com"
+ ]
+ reservationAffinity: {
+ consumeReservationType: "ANY_RESERVATION"
+ }
+ totalEgressBandwidthTier: ""
+ lastStartTimestamp: 2022-06-21 02:30:50.334 -0700 PDT
+ resourcePolicies: []
+ deletionProtection: false
+ guestAccelerators: []
+ created: 2021-01-26 03:04:05.663 -0800 PST
+ sourceMachineImage: ""
+ enableDisplay: false
+ statusMessage: ""
+ disks: [
+ 0: gcp.project.computeService.attachedDisk id = gcp.project.computeService.attachedDisk/mondoo-dev-262313/5894326198680570314/0
+ ]
+ hostname: ""
+ enableIntegrityMonitoring: true
+ startRestricted: false
+ name: "ansible-centos"
+ enableSecureBoot: false
+ description: ""
+ networkInterfaces: [
+ 0: {
+ accessConfigs: [
+ 0: {
+ kind: "compute#accessConfig"
+ name: "External NAT"
+ networkTier: "PREMIUM"
+ type: "ONE_TO_ONE_NAT"
+ }
+ ]
+ fingerprint: "3Sj4hQQO1UU="
+ kind: "compute#networkInterface"
+ name: "nic0"
+ network: "https://www.googleapis.com/compute/v1/projects/luna-edge-262317/global/networks/default"
+ networkIP: "10.128.15.215"
+ subnetwork: "https://www.googleapis.com/compute/v1/projects/luna-edge-262317/regions/us-central1/subnetworks/default"
+ }
+ ]
+ keyRevocationActionType: ""
+ }
+
+```
+
+#### Specify fields to include in results
+
+If you're interested in only some details, specify the fields you want in braces. For example, this query asks for each user's ARN, when they last changed their password, and whether they have MFA enabled:
+
+```coffee
+gcp.project.computeService.instances { name status scheduling }
+```
+
+cnquery returns results like this:
+
+```coffee
+gcp.project.computeService.instances: [
+
+...
+
+ 12: {
+ status: "TERMINATED"
+ scheduling: {
+ automaticRestart: true
+ onHostMaintenance: "MIGRATE"
+ provisioningModel: "STANDARD"
+ }
+ name: "luna-test"
+ }
+ 13: {
+ status: "RUNNING"
+ scheduling: {
+ automaticRestart: true
+ onHostMaintenance: "MIGRATE"
+ provisioningModel: "STANDARD"
+ }
+ name: "luna-edge"
+ }
+
+...
+
+]
+```
+
+#### Filter results
+
+You can filter results based on any fields. Specify the criteria using the `where` function and standard boolean operators.
+
+For example, this filters results based on status:
+
+```coffee
+gcp.project.computeService.instances.where(status == "RUNNING") { name lastStartTimestamp }
+```
+
+cnquery returns all running instances. It includes the name and last start for each one.
+
+```coffee
+gcp.project.computeService.instances.where: [
+ 0: {
+ name: "luna-edge"
+ lastStartTimestamp: 2022-11-17 02:58:31.254 -0800 PST
+ }
+ 1: {
+ name: "windows-gitlab"
+ lastStartTimestamp: 2021-08-05 11:39:20.217 -0700 PDT
+ }
+]
+```
+
+## Learn more about querying Google Cloud
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+- For a list of all the GCP resources and fields you can query, read the [Mondoo Google Cloud Platform (GCP) Resource Pack Reference](/mql/resources/gcp-pack/).
+
+---
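Review bot: Under "Specify fields to include in results", the sentence about "each user's ARN, when they last changed their password, and whether they have MFA enabled" is left over from the AWS page; the query is `gcp.project.computeService.instances { name status scheduling }`. The sample data is inconsistent as well: the verify step prints `name="lune-edge"`, the instance detail uses `projectId: "luna-edge-262317"`, and the attached disk ID embeds `mondoo-dev-262313`, which looks like an unsanitized internal project ID next to a service account email that carries a project number. Also fix the heading "Configure the GCP project you want explore" (missing "to") and give the `gcloud config list` output fence a language tag like the others.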
diff --git a/docs/cnquery/cnquery-k8s/README.mdx b/docs/cnquery/cnquery-k8s/README.mdx
new file mode 100644
index 000000000..87512fdc0
--- /dev/null
+++ b/docs/cnquery/cnquery-k8s/README.mdx
@@ -0,0 +1,44 @@
+---
+title: Query Kubernetes
+id: cnquery-k8s-intro
+sidebar_label: Get Started
+displayed_sidebar: cnquery
+sidebar_position: 1
+description: Explore and analyze your Kubernetes infrastructure with cnquery
+image: /img/featured_img/mondoo-Kubernetes.jpg
+---
+
+Rely on cnquery to explore and analyze your entire Kubernetes stack. You can query any type of Kubernetes deployment, whether it's local or in the cloud. cnquery lets you gather data about all aspects of your container infrastructure and their workloads.
+
+cnquery provides the answers you need about every Kubernetes configuration. For a list of Kubernetes resources you can query, read [Mondoo Kubernetes (K8s) Resource Pack Reference](/mql/resources/k8s-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+## Connect cnquery with your Kubernetes environment
+
+### Requirements
+
+To analyze and explore your Kubernetes environment with cnquery, you must have:
+
+- [cnquery installed on your workstation](/cnquery/).
+- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) installed on your workstation. To ensure that kubectl is successfully installed and you can access your Kubernetes infrastructure, run `kubectl describe nodes`.
+
+### Verify with a quick Kubernetes query
+
+To quickly confirm that cnquery has access to your Kubernetes environment, run this query from your terminal:
+
+```bash
+cnquery run k8s -c k8s.deployment
+```
+
+cnquery returns a list of found deployments:
+
+```coffee
+k8s.deployment: k8s.deployment namespace="kube-system" name="coredns" created=2022-12-14 15:17:37 -0800 PST
+k8s.deployment: k8s.deployment namespace="luna" name="luna-frontend" created=2022-12-14 15:28:23 -0800 PST
+k8s.deployment: k8s.deployment namespace="luna" name="postgres" created=2022-12-14 15:28:48 -0800 PST
+```
+
+## Next step
+
+You've successfully used cnquery to answer your first question about your Kubernetes infrastructure. Now you're ready to [explore more Kubernetes information.](/cnquery/cnquery-k8s/cnquery-k8s-cluster)
+
+---
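Review bot: The Requirements list asks for kubectl and a working `kubectl describe nodes`, but the page never says which cluster, context, or credentials `cnquery run k8s` will use. Please add a sentence stating how cnquery selects the target cluster so readers can confirm they are querying the environment they intend before running anything. Two smaller points: the sample output names a `postgres` deployment while the deployments output in `_cnquery-k8s-node.mdx` in this patch shows `postgresql` in the same namespace with the same timestamp, and the verification query uses `k8s.deployment` where that file uses `k8s.deployments`, so it is worth confirming both forms are intended.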
diff --git a/docs/cnquery/cnquery-k8s/_cnquery-k8s-node.mdx b/docs/cnquery/cnquery-k8s/_cnquery-k8s-node.mdx
new file mode 100644
index 000000000..260b81bfd
--- /dev/null
+++ b/docs/cnquery/cnquery-k8s/_cnquery-k8s-node.mdx
@@ -0,0 +1,173 @@
+---
+title: Query EC2 Instances
+id: cnquery-aws-ec2
+sidebar_label: Query AWS EC2 Instances
+displayed_sidebar: cnquery
+sidebar_position: 30
+description: Explore and analyze the configuration of AWS EC2 instances
+image: /img/featured_img/mondoo-aws.jpg
+---
+
+Now that you have an introduction to [querying your AWS account](/cnquery/cnquery-aws/cnquery-aws-account/) with cnquery, let's dive deeper and explore EC2 instances.
+
+We'll continue working in the cnquery shell, which makes running individual queries easy. If it's not already open, enter `cnquery shell aws` in your terminal. To learn about accessing your AWS account with cnquery, read [Query AWS Infrastructure](/cnquery/cnquery-aws/).
+
+## EC2 resources
+
+cnquery provides answers to any question about your EC2 instances. To discover all the resources and fields you can query, read [aws.ec2](/mql/resources/aws-pack/aws.ec2/). You can also use the `help` command in the shell:
+
+```coffee
+help aws.ec2
+```
+
+In this tutorial we'll explore just a few of the possibilities.
+
+## Run simple queries on EC2 instances
+
+This query gathers all your EC2 instances:
+
+```coffee
+aws.ec2.instances
+```
+
+It returns each instance's ARN and current state:
+
+```coffee
+aws.ec2.instances: [
+ 0: aws.ec2.instance arn="arn:aws:ec2:us-east-1:921877552404:instance/i-06e2eaa19a4fa883e" state="stopped"
+ 1: aws.ec2.instance arn="arn:aws:ec2:us-east-1:921877552404:instance/i-0facc86d89af823af" state="stopped"
+ 2: aws.ec2.instance arn="arn:aws:ec2:us-east-1:921877552404:instance/i-0b24443c8d18fdbab" state="running"
+ 3: aws.ec2.instance arn="arn:aws:ec2:us-west-1:921877552404:instance/i-020eed3b1e4965d8d" state="running"
+ 4: aws.ec2.instance arn="arn:aws:ec2:us-west-1:921877552404:instance/i-08f2ba2424027454a" state="running"
+]
+```
+
+## Specify fields to include in results
+
+You can request specific data by including the field names. For example, this query collects the ARN and any assigned tags for each instance:
+
+```coffee
+aws.ec2.instances { arn tags }
+```
+
+It returns a list with only the information you asked for:
+
+```coffee
+aws.ec2.instances: [
+ 0: {
+ tags: {
+ Name: "k8s-operator01"
+ owner: "suki@lunalectric.com"
+ }
+ arn: "arn:aws:ec2:us-east-1:921877552404:instance/i-06e2eaa19a4fa883e"
+ }
+ 1: {
+ tags: {
+ Name: "vm-with-ebs-iam-role"
+ }
+ arn: "arn:aws:ec2:us-east-1:921877552404:instance/i-0facc86d89af823af"
+ }
+ 2: {
+ tags: {
+ Name: "amazonlinux2-for-ebs-volume-scan"
+ owner: "kembe@lunalectric.com"
+ }
+ arn: "arn:aws:ec2:us-east-1:921877552404:instance/i-0b24443c8d18fdbab"
+ }
+ 3: {
+ tags: {}
+ arn: "arn:aws:ec2:us-west-1:921877552404:instance/i-020eed3b1e4965d8d"
+ }
+ 4: {
+ tags: {
+ Name: "amos-linux"
+ }
+ arn: "arn:aws:ec2:us-west-1:921877552404:instance/i-08f2ba2424027454a"
+ }
+]
+```
+
+## Filter results
+
+You can filter results based on any fields. Specify the criteria using the `where` function and standard boolean operators.
+
+For example, this query requests only EC2 instances that do not have an `owner` tag:
+
+```coffee
+aws.ec2.instances.where(tags['owner'] == null)
+```
+
+It lists each instance's ARN and status:
+
+```coffee
+aws.ec2.instances.where: [
+ 0: aws.ec2.instance arn="arn:aws:ec2:us-east-1:921877552404:instance/i-06e2eaa19a4fa883e" state="stopped"
+ 1: aws.ec2.instance arn="arn:aws:ec2:us-east-1:921877552404:instance/i-0facc86d89af823af" state="stopped"
+ 2: aws.ec2.instance arn="arn:aws:ec2:us-west-1:921877552404:instance/i-020eed3b1e4965d8d" state="running"
+ 3: aws.ec2.instance arn="arn:aws:ec2:us-west-1:921877552404:instance/i-08f2ba2424027454a" state="running"
+]
+```
+
+This finds large (more expensive) EC2 instances:
+
+```coffee
+aws.ec2.instances.where(instanceType == /^.*.large$/) { arn instanceType }
+```
+
+It returns a list of all instances that have an `instanceType` with `large` in the name.
+
+This similar query finds T-type instances (such as T2, or T4g):
+
+```coffee
+aws.ec2.instances.where(instanceType == /^[t].*/) { instanceType }
+```
+
+## Learn more about querying EC2 instances
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+- For a list of all the AWS resources and fields you can query, read [aws.ec2](/mql/resources/aws-pack/aws.ec2/).
+
+## Next step
+
+To discover more of cnquery's AWS capabilities, [query your EKS clusters](/cnquery/cnquery-aws/cnquery-aws-eks/).
+
+JUST PASTING FOR Now
+
+#### Query deployments
+
+This query asks for a list of deployments in the cluster:
+
+```coffee
+k8s.deployments { id name kind created }
+```
+
+cnquery returns the requested fields for each deployment: their IDs, names, and creation dates and times:
+
+```coffee
+k8s.deployments: [
+ 0: {
+ id: "deployment:kube-system:coredns"
+ created: 2022-12-14 15:17:37 -0800 PST
+ name: "coredns"
+ }
+ 1: {
+ id: "deployment:luna:luna-frontend"
+ created: 2022-12-14 15:28:23 -0800 PST
+ name: "luna-frontend"
+ }
+ 2: {
+ id: "deployment:luna:postgresql"
+ created: 2022-12-14 15:28:48 -0800 PST
+ name: "postgresql"
+ }
+]
+```
+
+#### SOMETHING
+
+k8s.secrets.where( namespace == "default" ){ name created type manifest['data'] }
+k8s.secrets{ name created type manifest['data'] }
+
+k8s.configmaps.where( namespace == "default" ){ name data }
+
+---
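Review bot: This file is named `_cnquery-k8s-node.mdx` but its front matter and body are the AWS EC2 page (`title: Query EC2 Instances`, `id: cnquery-aws-ec2`), followed by the line "JUST PASTING FOR Now", a `#### SOMETHING` heading, and unfenced queries. It looks like working notes rather than publishable content; suggest dropping it from this PR or replacing the front matter and body with the Kubernetes node content before merge, since the `id` could collide with the real EC2 page. If the draft queries are kept, note that `k8s.secrets { name created type manifest['data'] }` prints secret data into the results, which deserves a sentence about where that output ends up. In the EC2 text itself, the "no `owner` tag" output lists `i-06e2eaa19a4fa883e`, which the earlier sample shows with an `owner` tag, and the dot in `/^.*.large$/` is unescaped, so the pattern also matches types such as `xlarge`. The `k8s.deployments { id name kind created }` query requests `kind`, but the sample output has no `kind` field.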
diff --git a/docs/cnquery/cnquery-k8s/cnquery-k8s-cluster.mdx b/docs/cnquery/cnquery-k8s/cnquery-k8s-cluster.mdx
new file mode 100644
index 000000000..4a4e78dae
--- /dev/null
+++ b/docs/cnquery/cnquery-k8s/cnquery-k8s-cluster.mdx
@@ -0,0 +1,339 @@
+---
+title: Query Kubernetes Clusters
+id: cnquery-k8s-cluster
+sidebar_label: Query Kubernetes Clusters
+displayed_sidebar: cnquery
+sidebar_position: 20
+description: Explore and analyze the configuration of Kubernetes clusters
+image: /img/featured_img/mondoo-k8s.jpg
+---
+
+Once you've ensured that [cnquery can access your Kubernetes environment](/cnquery/cnquery-k8s/), you can begin exploring and analyzing your infrastructure. The method you choose depends on your goals:
+
+- To answer any question about your environment, use cnquery's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnquery and learning MQL.
+- For widescale analysis of your Kubernetes infrastructure, scan using query packs. These collections of queries work together to present a whole picture.
+
+## Explore with the cnquery shell
+
+To launch a shell into your Kubernetes environment, enter:
+
+```bash
+cnquery shell k8s
+```
+
+cnquery automatically discovers all the Kubernetes assets available to query:
+
+```coffee
+→ resolved assets resolved-assets=20
+
+ Available assets
+
+ 8. luna/luna-frontend-7fb96c846b-2k5j7 (k8s-pod)
+ > 9. luna/luna-frontend-7fb96c846b-8b94j (k8s-pod)
+ 10. luna/luna-frontend-7fb96c846b-jglt9 (k8s-pod)
+ 11. kube-system/kube-controller-manager-minikube (k8s-pod)
+ 12. kube-system/kube-proxy-cdzrr (k8s-pod)
+ 13. kube-system/kube-scheduler-minikube (k8s-pod)
+ 14. kube-system/storage-provisioner (k8s-pod)
+
+ •••
+```
+
+Arrow through the list and select Enter to choose the asset you want to explore.
+
+### Discover capabilities with the `help` command
+
+Once inside the shell, use the `help` command to learn what Kubernetes resources you can query. This command lists all the Kubernetes resources:
+
+```coffee
+help k8s
+```
+
+From the resulting list, you can drill down further. For example, enter this command to list all the Kubernetes IAM resources you can query:
+
+```coffee
+help k8s.pod
+```
+
+From the resulting list, you can drill down even further. You can also learn about available Kubernetes resources in the [Mondoo Kubernetes Resource Pack Reference](/mql/resources/k8s-pack/).
+
+### Answer questions in the cnquery shell
+
+Now that you know how to discover what's possible with cnquery, let's run some actual queries in the shell.
+
+#### Query namespaces
+
+This query asks for a list of namespaces in the cluster:
+
+```coffee
+k8s.namespaces
+```
+
+cnquery returns a list of all the namespaces in the cluster and their creation dates.
+
+```coffee
+k8s.namespaces: [
+ 0: k8s.namespace name="default" created=2022-12-14 15:17:35 -0800 PST
+ 1: k8s.namespace name="kube-node-lease" created=2022-12-14 15:17:34 -0800 PST
+ 2: k8s.namespace name="kube-public" created=2022-12-14 15:17:34 -0800 PST
+ 3: k8s.namespace name="kube-system" created=2022-12-14 15:17:34 -0800 PST
+ 4: k8s.namespace name="luna" created=2022-12-14 15:26:38 -0800 PST
+]
+```
+
+Add `{ * }` to request a full report that includes all the data available for each namespace:
+
+```coffee
+k8s.namespaces { * }
+```
+
+cnquery groups the information by namespace:
+
+```coffee
+k8s.namespaces: [
+ 0: {
+ uid: "2cf29aad-c9cd-47fc-98fa-1fbc80b64ccb"
+ id: "namespace:default"
+ created: 2022-12-14 15:17:35 -0800 PST
+ manifest: {
+ apiVersion: "v1"
+ kind: "Namespace"
+ metadata: {
+ creationTimestamp: "2022-12-14T23:17:35Z"
+ labels: {
+ kubernetes.io/metadata.name: "default"
+ }
+ managedFields: [
+ 0: {
+ apiVersion: "v1"
+ fieldsType: "FieldsV1"
+ fieldsV1: {
+ f:metadata: {
+ f:labels: {
+ .: {}
+ f:kubernetes.io/metadata.name: {}
+ }
+ }
+ }
+ manager: "kube-apiserver"
+ operation: "Update"
+ time: "2022-12-14T23:17:35Z"
+ }
+ ]
+ name: "default"
+ resourceVersion: "192"
+ uid: "2cf29aad-c9cd-47fc-98fa-1fbc80b64ccb"
+ }
+ spec: {
+ finalizers: [
+ 0: "kubernetes"
+ ]
+ }
+ status: {
+ phase: "Active"
+ }
+ }
+ name: "default"
+ }
+ 1: {
+ uid: "d0b8a89f-42c1-43d1-88e5-976231c85e43"
+ id: "namespace:kube-node-lease"
+ created: 2022-12-14 15:17:34 -0800 PST
+ manifest: {
+ apiVersion: "v1"
+ kind: "Namespace"
+ metadata: {
+ creationTimestamp: "2022-12-14T23:17:34Z"
+ labels: {
+ kubernetes.io/metadata.name: "kube-node-lease"
+ }
+ managedFields: [
+ 0: {
+ apiVersion: "v1"
+ fieldsType: "FieldsV1"
+ fieldsV1: {
+ f:metadata: {
+ f:labels: {
+ .: {}
+ f:kubernetes.io/metadata.name: {}
+ }
+ }
+ }
+ manager: "kube-apiserver"
+ operation: "Update"
+ time: "2022-12-14T23:17:34Z"
+ }
+ ]
+ name: "kube-node-lease"
+ resourceVersion: "53"
+ uid: "d0b8a89f-42c1-43d1-88e5-976231c85e43"
+ }
+ spec: {
+ finalizers: [
+ 0: "kubernetes"
+ ]
+ }
+ status: {
+ phase: "Active"
+ }
+ }
+ name: "kube-node-lease"
+ }
+
+...
+```
+
+You can also request specific data for each namespace:
+
+```coffee
+k8s.namespaces { uid name }
+```
+
+cnquery returns only the information you requested:
+
+```coffee
+k8s.namespaces: [
+ 0: {
+ uid: "2cf29aad-c9cd-47fc-98fa-1fbc80b64ccb"
+ name: "default"
+ }
+ 1: {
+ uid: "d0b8a89f-42c1-43d1-88e5-976231c85e43"
+ name: "kube-node-lease"
+ }
+ 2: {
+ uid: "fec9c3f7-a49b-4dbd-b17d-98dd3dd4d344"
+ name: "kube-public"
+ }
+ 3: {
+ uid: "f249e61c-7a6c-4ea6-a4e0-b903ed469664"
+ name: "kube-system"
+ }
+ 4: {
+ uid: "e00334c6-7ce4-4a32-b4a7-1e64e30b70c4"
+ name: "luna"
+ }
+]
+```
+
+#### Filter results
+
+You can filter results based on any fields. Specify the criteria using the `where` function and standard boolean operators.
+
+For example, this filters results based on namespace:
+
+```coffee
+k8s.services.where(namespace == "luna"){
+ name
+ spec['type']
+ spec['clusterIP']
+ spec['ports']{
+ _['port']
+ }
+}
+```
+
+cnquery returns the requested details for each service in the `luna` namespace:
+
+```coffee
+k8s.services.where: [
+ 0: {
+ spec[ports]: [
+ 0: {
+ [port]: 443.000000
+ }
+ ]
+ spec[clusterIP]: "10.43.0.1"
+ spec[type]: "ClusterIP"
+ name: "kubernetes"
+ }
+ 1: {
+ spec[ports]: [
+ 0: {
+ [port]: 80.000000
+ }
+ ]
+ spec[clusterIP]: "10.43.211.176"
+ spec[type]: "ClusterIP"
+ name: "wiki"
+ }
+ 2: {
+ spec[ports]: [
+ 0: {
+ [port]: 80.000000
+ }
+ ]
+ spec[clusterIP]: "10.43.196.249"
+ spec[type]: "ClusterIP"
+ name: "wordpress"
+ }
+ 3: {
+ spec[ports]: [
+ 0: {
+ [port]: 3306.000000
+ }
+ ]
+ spec[clusterIP]: "10.43.111.72"
+ spec[type]: "ClusterIP"
+ name: "mysql"
+ }
+ 4: {
+ spec[ports]: [
+ 0: {
+ [port]: 80.000000
+ }
+ ]
+ spec[clusterIP]: "10.43.242.48"
+ spec[type]: "ClusterIP"
+ name: "webserver"
+ }
+ 5: {
+ spec[ports]: [
+ 0: {
+ [port]: 10250.000000
+ }
+ 1: {
+ [port]: 10255.000000
+ }
+ 2: {
+ [port]: 4194.000000
+ }
+ ]
+ spec[clusterIP]: "None"
+ spec[type]: "ClusterIP"
+ name: "kubelet"
+ }
+]
+```
+
+### Learn more about querying Kubernetes
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+- For a list of all the Kubernetes resources and fields you can query, read the [Mondoo Kubernetes (K8s) Resource Pack Reference](/mql/resources/k8s-pack/).
+
+### Exit the cnquery shell
+
+To exit the cnquery shell, either press `Ctrl + D` or type `exit`.
+
+## Analyze your environment with Kubernetes query packs
+
+Mondoo makes these [core Kubernetes query packs](https://github.com/mondoohq/cnquery-packs) available in GitHub:
+
+- [Mondoo Kubernetes Cluster Inventory](https://github.com/mondoohq/cnquery-packs/blob/main/core/mondoo-kubernetes-inventory.mql.yaml) provides information about all your Kubernetes assets and their configuration.
+- [Mondoo Kubernetes Cluster Incident Response](https://github.com/mondoohq/cnquery-packs/blob/main/core/mondoo-kubernetes-incident-response.mql.yaml) helps you investigate and minimize damage when a security incident occurs.
+
+To run one of these purpose-built collections of Kubernetes-specific queries:
+
+1. In Mondoo's [cnquery-packs GitHub repo](https://github.com/mondoohq/cnquery-packs), go to the `core` directory and find the Kubernetes query pack you want to run.
+
+2. Download the YAML file to a local directory and, in your terminal, move to that directory.
+
+3. Use the `cnquery scan` command, specifying the file and the query pack:
+
+```bash
+cnquery scan k8s -f mondoo-kubernetes-incident-response.mql.yaml --querypack mondoo-incident-response-kubernetes
+```
+
+You can also create your own query packs to meet your specific needs. To learn more about query packs, read [Run a Query Pack](/cnquery/cnquery-run-pack/).
+
+---
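Review bot: Under "Discover capabilities with the `help` command", the text says the next command lists "all the Kubernetes IAM resources you can query", but the command shown is `help k8s.pod`. That wording appears to come from the AWS page; suggest "list the pod fields you can query" or similar. In the "Filter results" example, the output for `k8s.services.where(namespace == "luna")` includes services named `kubernetes` and `kubelet` alongside `wiki`, `wordpress`, and `mysql`, none of which match the `luna-frontend` assets shown earlier on the page, so the sample looks like it was captured from a different cluster or without the filter. Please regenerate it from the same environment. The asset list also starts at item 8 without an ellipsis above it, although `resolved-assets=20` is reported.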
diff --git a/docs/cnquery/cnquery-oper/cnquery-linux.mdx b/docs/cnquery/cnquery-oper/cnquery-linux.mdx
new file mode 100644
index 000000000..3c71fedce
--- /dev/null
+++ b/docs/cnquery/cnquery-oper/cnquery-linux.mdx
@@ -0,0 +1,142 @@
+---
+title: Query Linux
+id: cnquery-linux-intro
+sidebar_label: Linux
+displayed_sidebar: cnquery
+sidebar_position: 1
+description: Explore and analyze your Linux assets with cnquery
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+cnquery provides the answers you need about your Linux assets. For example, you can retrieve the distribution, user information, or security settings.
+
+For a list of Linux resources you can query, read [Mondoo Operating Systems (OS) Resource Pack Reference](/mql/resources/os-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+## Requirements
+
+To explore a Linux asset with cnquery, you must have:
+
+- [cnquery installed on your workstation](/cnquery/)
+- Access to the asset
+
+## Query a Linux asset
+
+To answer any question about your environment, use cnquery's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnquery and learning MQL.
+
+To launch a shell into your local Linux environment, enter:
+
+```bash
+cnquery shell
+```
+
+To launch a shell into a remote Linux environment, enter:
+
+```bash
+cnquery shell ssh user@HOST
+```
+
+For `HOST`, substitute the hostname of the remote Linux asset.
+
+### Discover capabilities with the `help` command
+
+Once inside the shell, use the `help` command to learn what Linux resources you can query. This command lists all the operating system resources:
+
+```coffee
+help os
+```
+
+From the resulting list, you can drill down further. For example, enter this command to list the OS update information you can retrieve:
+
+```coffee
+help os.update
+```
+
+You can also learn about available Linux resources in the [Mondoo Operating Systems (OS) Resource Pack Reference](/mql/resources/os-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+### Get simple answers in the shell
+
+Now that you know how to discover what's possible with cnquery, let's run some actual queries in the shell.
+
+This query asks the hostname:
+
+```coffee
+asset.name
+```
+
+cnquery returns the pretty hostname:
+
+```coffee
+asset.name: "luna-ubuntu-05"
+```
+
+This query asks the name of the operating system:
+
+```coffee
+asset.platform
+```
+
+### Query users
+
+To request a list of all users on a machine, enter this query in the shell:
+
+```coffee
+users
+```
+
+### Request full details in results
+
+For a more detailed report, you can specify that you want all fields:
+
+```coffee
+users { * }
+```
+
+For every user, cnquery provides information about their settings.
+
+### Specify fields to include in results
+
+If you're interested in only some details, specify the fields you want in braces. For example, this query asks for each user's name, group, and whether it's enabled:
+
+```coffee
+users { name group enabled }
+```
+
+### Filter results
+
+You can filter results based on any fields. Specify the criteria using the `where` function and standard boolean operators.
+
+For example, this filters results based on group name:
+
+```coffee
+users.where(group.name == "admins") { name uid }
+```
+
+cnquery returns all users in the `admins` group. It includes the name and UID for each user.
+
+## Learn more about querying Linux
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+- For a list of all the Linux resources and fields you can query, read the [Mondoo Operating Systems (OS) Resource Pack Reference](/mql/resources/os-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+## Analyze your environment with query packs
+
+Mondoo makes these [core Linux query packs](https://github.com/mondoohq/cnquery-packs) available in GitHub:
+
+- [Linux Inventory Pack](https://github.com/mondoohq/cnquery-packs/blob/main/core/mondoo-linux-inventory.mql.yaml) provides information about all your AWS assets and their configuration.
+- [Linux Incident Response Pack](https://github.com/mondoohq/cnquery-packs/blob/main/core/mondoo-linux-incident-response.mql.yaml) helps you investigate and minimize damage when a security incident occurs.
+
+To run one of these purpose-built collections of Linux-specific queries:
+
+1. In Mondoo's [cnquery-packs GitHub repo](https://github.com/mondoohq/cnquery-packs), go to the `core` directory and find the Linux query pack you want to run.
+
+2. Download the YAML file to a local directory and, in your terminal, move to that directory.
+
+3. Use the `cnquery scan` command, specifying the file and the query pack:
+
+```bash
+cnquery scan -f mondoo-linux-incident-response.mql.yaml --querypack mondoo-incident-response-linux
+```
+
+You can also create your own query packs to meet your specific needs. To learn more about query packs, read [Run a Query Pack](/cnquery/cnquery-run-pack/).
+
+---
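Review bot: In "Analyze your environment with query packs", the Linux Inventory Pack bullet says it "provides information about all your AWS assets and their configuration". That should read Linux assets. Also, "cnquery returns the pretty hostname" after `asset.name` would be clearer as "the asset's name" or with a short explanation of what "pretty hostname" means, and the `asset.platform` query is the only one in that section without sample output, so consider adding it for consistency with `asset.name`.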
diff --git a/docs/cnquery/cnquery-oper/cnquery-mac.mdx b/docs/cnquery/cnquery-oper/cnquery-mac.mdx
new file mode 100644
index 000000000..2612660fc
--- /dev/null
+++ b/docs/cnquery/cnquery-oper/cnquery-mac.mdx
@@ -0,0 +1,252 @@
+---
+title: Query macOS
+id: cnquery-macos-intro
+sidebar_label: macOS
+displayed_sidebar: cnquery
+sidebar_position: 2
+description: Explore and analyze your macOS assets with cnquery
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+cnquery provides the answers you need about every macOS configuration. For example, you can retrieve the platform version, user information, or whether remote login is enabled.
+
+For a list of macOS resources you can query, read [Mondoo Operating Systems (OS) Resource Pack Reference](/mql/resources/os-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+## Requirements
+
+To explore a macOS asset with cnquery, you must have:
+
+- [cnquery installed on your workstation](/cnquery/)
+- Access to the asset
+
+## Query a macOS asset
+
+To answer any question about your environment, use cnquery's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnquery and learning MQL.
+
+To launch a shell into your local macOS environment, enter:
+
+```bash
+cnquery shell
+```
+
+To launch a shell into a remote macOS environment, enter:
+
+```bash
+cnquery shell ssh user@IP_ADDRESS
+```
+
+For `IP_ADDRESS`, substitute the IP address of the remote macOS asset.
+
+### Discover capabilities with the `help` command
+
+Once inside the shell, use the `help` command to learn what macOS resources you can query. This command lists all the macOS resources:
+
+```coffee
+help macos
+```
+
+From the resulting list, you can drill down further. For example, enter this command to list all the macOS machine settings you can query:
+
+```coffee
+help macos.systemsetup
+```
+
+From the resulting list, you can drill down even further. You can also learn about available macOS resources in the [Mondoo Operating Systems (OS) Resource Pack Reference](/mql/resources/os-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+### Query macOS application layer firewall (ALF)
+
+Now that you know how to discover what's possible with cnquery, let's run some actual queries in the shell.
+
+This query ask whether the firewall is enabled:
+
+```coffee
+macos.alf.globalState
+```
+
+cnquery returns `0` for no and `1` for yes.
+
+### Query users
+
+To request a list of all users on a machine, enter this query in the shell:
+
+```coffee
+users
+```
+
+:::note
+
+In this query, you don't specify `macos`. That's because the `user` resource is in the [Mondoo Core Resource Pack](/mql/resources/core-pack/).
+
+:::
+
+cnquery returns a list of all users on the system:
+
+```coffee
+users.list: [
+ 0: user name="_nsurlsessiond" uid=242 gid=242
+ 1: user name="_logd" uid=272 gid=272
+ 2: user name="_mailman" uid=78 gid=78
+ 3: user name="_jabber" uid=84 gid=84
+ 4: user name="_cyrus" uid=77 gid=6
+ 5: user name="_scsd" uid=31 gid=31
+ 6: user name="_installassistant" uid=25 gid=25
+ 7: user name="_ftp" uid=98 gid=-2
+ 8: user name="_appstore" uid=33 gid=33
+ 9: user name="_installer" uid=96 gid=-2
+ 10: user name="_cvmsroot" uid=212 gid=212
+ 11: user name="_screensaver" uid=203 gid=203
+
+ ...
+
+]
+```
+
+### Request full details in results
+
+For a more detailed report, you can specify that you want all fields:
+
+```coffee
+users { * }
+```
+
+For every user, cnquery provides information about their settings:
+
+```coffee
+users.list: [
+ 0: {
+ sid: ""
+ enabled: false
+ gid: 242
+ shell: "/usr/bin/false"
+ uid: 242
+ authorizedkeys.list: stat /var/db/nsurlsessiond/.ssh/authorized_keys: permission denied
+ home: "/var/db/nsurlsessiond"
+ name: "_nsurlsessiond"
+ group: group name="_nsurlsessiond" gid=242
+ sshkeys: stat /var/db/nsurlsessiond/.ssh: permission denied
+ }
+ 1: {
+ sid: ""
+ enabled: false
+ gid: 272
+ shell: "/usr/bin/false"
+ uid: 272
+ authorizedkeys.list: []
+ home: "/var/db/diagnostics"
+ name: "_logd"
+ group: group name="_logd" gid=272
+ sshkeys: []
+ }
+ 2: {
+ sid: ""
+ enabled: false
+ gid: 78
+ shell: "/usr/bin/false"
+ uid: 78
+ authorizedkeys.list: []
+ home: "/var/empty"
+ name: "_mailman"
+ group: group name="_mailman" gid=78
+ sshkeys: []
+ }
+
+...
+
+]
+```
+
+### Specify fields to include in results
+
+If you're interested in only some details, specify the fields you want in braces. For example, this query asks for each user's name, group, and whether it's a shell user:
+
+```coffee
+users { name group shell }
+```
+
+cnquery returns results like this:
+
+```coffee
+users.list: [
+ 0: {
+ shell: "/usr/bin/false"
+ name: "_nsurlsessiond"
+ group: group name="_nsurlsessiond" gid=242
+ }
+ 1: {
+ shell: "/usr/bin/false"
+ name: "_logd"
+ group: group name="_logd" gid=272
+ }
+ 2: {
+ shell: "/usr/bin/false"
+ name: "_mailman"
+ group: group name="_mailman" gid=78
+ }
+
+...
+
+]
+```
+
+### Filter results
+
+You can filter results based on any fields. Specify the criteria using the `where` function and standard boolean operators.
+
+For example, this filters results based on group name:
+
+```coffee
+users.where(group.name == "nobody") { name uid home }
+```
+
+cnquery returns all users in the `nobody` group. It includes the name, UID, and home directory for each user.
+
+```coffee
+users.where.list: [
+ 0: {
+ uid: 98
+ name: "_ftp"
+ home: "/var/empty"
+ }
+ 1: {
+ uid: 96
+ name: "_installer"
+ home: "/var/empty"
+ }
+ 2: {
+ uid: 234
+ name: "_krb_anonymous"
+ home: "/var/empty"
+ }
+
+ ...
+
+]
+```
+
+## Learn more about querying macOS
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+- For a list of all the macOS resources and fields you can query, read the [Mondoo Operating Systems (OS) Resource Pack Reference](/mql/resources/os-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+## Analyze your environment with query packs
+
+Mondoo makes these [core macOS query packs](https://github.com/mondoohq/cnquery-packs) available in GitHub:
+
+- [macOS Inventory Pack](https://github.com/mondoohq/cnquery-packs/blob/main/core/mondoo-macos-inventory.mql.yaml) provides information about all your AWS assets and their configuration.
+- [macOS Incident Response Pack](https://github.com/mondoohq/cnquery-packs/blob/main/core/mondoo-macos-incident-response.mql.yaml) helps you investigate and minimize damage when a security incident occurs.
+
+To run one of these purpose-built collections of macOS-specific queries:
+
+1. In Mondoo's [cnquery-packs GitHub repo](https://github.com/mondoohq/cnquery-packs), go to the `core` directory and find the macOS query pack you want to run.
+
+2. Download the YAML file to a local directory and, in your terminal, move to that directory.
+
+3. Use the `cnquery scan` command, specifying the file and the query pack:
+
+```bash
+cnquery scan -f mondoo-linux-incident-response.mql.yaml --querypack mondoo-incident-response-macos
+```
+
+You can also create your own query packs to meet your specific needs. To learn more about query packs, read [Run a Query Pack](/cnquery/cnquery-run-pack/).
+
+---
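Review bot: The scan command at the end of the page passes the Linux file with the macOS pack name: `cnquery scan -f mondoo-linux-incident-response.mql.yaml --querypack mondoo-incident-response-macos`. The bullet above links to `mondoo-macos-incident-response.mql.yaml`, so the `-f` argument should be that file; as written, a reader following the steps would have downloaded a different file from the one the command names. In the same section, the macOS Inventory Pack bullet says "all your AWS assets"; it should say macOS assets. Minor: "This query ask whether the firewall is enabled" needs "asks", and "whether it's a shell user" does not match the `shell` field, which returns the shell path in the sample output.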
diff --git a/docs/cnquery/cnquery-oper/cnquery-windows.mdx b/docs/cnquery/cnquery-oper/cnquery-windows.mdx
new file mode 100644
index 000000000..aeb31c19e
--- /dev/null
+++ b/docs/cnquery/cnquery-oper/cnquery-windows.mdx
@@ -0,0 +1,150 @@
+---
+title: Query Windows
+id: cnquery-windows-intro
+sidebar_label: Windows
+displayed_sidebar: cnquery
+sidebar_position: 3
+description: Explore and analyze your Windows assets with cnquery
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+cnquery provides the answers you need about your Windows assets. For example, you can retrieve the Windows version, user information, or security settings.
+
+For a list of Windows resources you can query, read [Mondoo Operating Systems (OS) Resource Pack Reference](/mql/resources/os-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+## Requirements
+
+To explore a Windows asset with cnquery, you must have:
+
+- [cnquery installed on your workstation](/cnquery/)
+- Access to the asset
+
+## Query a Windows asset
+
+To answer any question about your environment, use cnquery's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnquery and learning MQL.
+
+To launch a shell into your local Windows environment, enter:
+
+```bash
+cnquery shell
+```
+
+To launch a shell into a remote Windows environment, enter:
+
+```bash
+cnquery shell ssh Administrator@IP_ADDRESS --ask-pass
+```
+
+For `IP_ADDRESS`, substitute the IP address of the remote Windows asset.
+
+If you prefer WinRM for remote access, enter:
+
+```bash
+cnquery shell winrm Administrator@IP_ADDRESS --ask-pass
+```
+
+For `IP_ADDRESS`, substitute the IP address of the remote Windows asset.
+
+### Discover capabilities with the `help` command
+
+Once inside the shell, use the `help` command to learn what Windows resources you can query. This command lists all the operating system resources:
+
+```coffee
+help os
+```
+
+From the resulting list, you can drill down further. For example, enter this command to list the OS update information you can retrieve:
+
+```coffee
+help os.update
+```
+
+You can also learn about available Windows resources in the [Mondoo Operating Systems (OS) Resource Pack Reference](/mql/resources/os-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+### Get simple answers in the shell
+
+Now that you know how to discover what's possible with cnquery, let's run some actual queries in the shell.
+
+This query asks the device name:
+
+```coffee
+asset.name
+```
+
+cnquery returns the pretty hostname:
+
+```coffee
+asset.name: "Mwezi's demo lappy"
+```
+
+This query asks the version of the operating system:
+
+```coffee
+asset.version
+```
+
+### Query users
+
+To request a list of all users on a machine, enter this query in the shell:
+
+```coffee
+users
+```
+
+### Request full details in results
+
+For a more detailed report, you can specify that you want all fields:
+
+```coffee
+users { * }
+```
+
+For every user, cnquery provides information about their settings.
+
+### Specify fields to include in results
+
+If you're interested in only some details, specify the fields you want in braces. For example, this query asks for each user's name, group, and whether it's enabled:
+
+```coffee
+users { name group enabled }
+```
+
+### Filter results
+
+You can filter results based on any fields. Specify the criteria using the `where` function and standard boolean operators.
+
+For example, this filters results based on group name:
+
+```coffee
+users.where(group.name == "admins") { name uid }
+```
+
+cnquery returns all users in the `admins` group. It includes the name and UID for each user.
+
+## Learn more about querying Windows
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+- For a list of all the Windows resources and fields you can query, read the [Mondoo Operating Systems (OS) Resource Pack Reference](/mql/resources/os-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+## Analyze your environment with query packs
+
+Mondoo makes these [core Windows query packs](https://github.com/mondoohq/cnquery-packs) available in GitHub:
+
+- [Windows Asset Inventory Pack](https://github.com/mondoohq/cnquery-packs/blob/main/core/mondoo-windows-inventory.mql.yaml) provides information about all your Windows assets and their configuration.
+- [Windows Incident Response Pack](https://github.com/mondoohq/cnquery-packs/blob/main/core/mondoo-windows-incident-response.mql.yaml) helps you investigate and minimize damage when a security incident occurs.
+
+To run one of these purpose-built collections of Windows-specific queries:
+
+1. In Mondoo's [cnquery-packs GitHub repo](https://github.com/mondoohq/cnquery-packs), go to the `core` directory and find the Windows query pack you want to run.
+
+2. Download the YAML file to a local directory and, in your terminal, move to that directory.
+
+3. Use the `cnquery scan` command, specifying the file and the query pack:
+
+```coffee
+cnquery scan -f mondoo-windows-incident-response.mql.yaml --querypack mondoo-incident-response-windows
+```
+
+You can also create your own query packs to meet your specific needs. To learn more about query packs, read [Run a Query Pack](/cnquery/cnquery-run-pack/).
+
+---
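Review bot: In step 3 of "Analyze your environment with query packs", the `cnquery scan -f mondoo-windows-incident-response.mql.yaml --querypack mondoo-incident-response-windows` command is fenced as `coffee` although it is a terminal command, and it names no target, so a reader who arrived from the SSH or WinRM instructions above cannot tell whether the pack runs against the local machine or the remote asset. Suggest tagging the fence `bash`, indenting it under step 3 so the numbered list is not broken, and either adding the target or stating which asset is scanned when none is given. Please also confirm that the `admins` group in `users.where(group.name == "admins") { name uid }` exists on a stock Windows asset, since an example that returns nothing teaches the reader little.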
diff --git a/docs/cnquery/cnquery-platform.mdx b/docs/cnquery/cnquery-platform.mdx
new file mode 100644
index 000000000..87d360a38
--- /dev/null
+++ b/docs/cnquery/cnquery-platform.mdx
@@ -0,0 +1,66 @@
+---
+title: Log into Mondoo Platform for More Capabilities
+id: cnquery-platform
+sidebar_label: Log into Mondoo Platform for More
+displayed_sidebar: cnquery
+sidebar_position: 4
+description: Expand your cnquery capabilities with a free Mondoo Platform account.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+You can expand your cnquery capabilities with a free Mondoo Platform account. Mondoo Platform includes a web-based UI through which you can:
+
+- See the relationships between different assets in your infrastructure
+- Continuously monitor infrastructure security and compliance
+- Save, review, search, and share scan results
+- Access over 200 free security policies, including specific compliance checks against regional and industry guidelines
+- Manage and share policies across your entire infrastructure
+- Integrate with AWS Lambda, EBS volume scans, Kubernetes controller, and more
+
+This is just a partial list of capabilities. To learn more about what you can accomplish with Mondoo Platform, visit [mondoo.com](https://mondoo.com).
+
+## Log into Mondoo Platform
+
+1. In your web browser, go to [the Mondoo signup page](https://mondoo.com/pricing).
+
+![Sign up for Mondoo Platform](/img/platform/start/mondoo-platform-pricing.png)
+
+2. Register for a free trial. Mondoo sends you email with new account instructions.
+
+3. Follow the steps in the email to create your new account.
+
+## Register cnquery
+
+When you first log in, Mondoo greets you with a landing page.
+
+![Landing Page](/img/platform/start/welcome_to_mondoo.png)
+
+1. Select **Browse Integrations**.
+
+ ![Add cnquery](/img/cnspec/cnspec-add-integration.png)
+
+2. Under Workstation, select **cnquery**. Mondoo provides quick setup commands and a token for registering cnquery.
+
+ ![Register cnquery with Mondoo Platform](/img//cnquery/cnquery-platform-quick-setup.png)
+
+3. Select your operating system and then copy the commands in the box below.
+
+4. In a terminal window, paste and run the copied commands.
+
+cnquery is now registered with Mondoo Platform. The next time you query your infrastructure, you can see your assets in the Mondoo console.
+
+To learn about working in the Mondoo console, see the [Mondoo Platform documentation](/platform/home/).
+
+## Specify a proxy server for communication with Mondoo
+
+You can specify a proxy server for communication between cnquery and Mondoo Platform. This is useful if your default system proxy restricts communication, or if you need to monitor different types of traffic.
+
+1. Find the Mondoo configuration file: `/etc/opt/mondoo/mondoo.yml`.
+
+2. Add this line to `mondoo.yml`:
+
+ ```yaml
+ api_proxy: https://1.1.1.1:8080
+ ```
+
+---
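Review bot: The `api_proxy: https://1.1.1.1:8080` example in step 2 of the proxy section uses a real, publicly routable address, so anyone who pastes the line unchanged points cnquery's traffic to Mondoo Platform at a host they do not control. Suggest a placeholder in the uppercase style the other pages use, for example `api_proxy: https://PROXY_HOST:PORT`, with a sentence saying what to substitute. Step 1 also gives only `/etc/opt/mondoo/mondoo.yml`; the per-user and Windows locations that providers.mdx lists for the same file should be mentioned or linked. The image path `/img//cnquery/cnquery-platform-quick-setup.png` has a doubled slash.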
diff --git a/docs/cnquery/cnquery-query.md b/docs/cnquery/cnquery-query.md
new file mode 100644
index 000000000..cc2681e14
--- /dev/null
+++ b/docs/cnquery/cnquery-query.md
@@ -0,0 +1,145 @@
+---
+title: Query Your Infrastructure
+id: cnquery-query
+sidebar_label: Query Your Infrastructure
+displayed_sidebar: cnquery
+sidebar_position: 3
+description: Learn to run MQL queries from the command line and include MQL queries in automation.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+MQL is an easy, lightweight, ultra-fast query language built for searching and filtering infrastructure configuration data. Its data extraction resembles GraphQL, while its intuitive scripting approach is similar to JavaScript.
+
+MQL integrates with [hundreds of resources](/mql/resources) to retrieve information about your infrastructure.
+
+## Run standalone queries from the command line
+
+:::tip
+
+Our interactive cnquery shell, with auto-complete, is the easiest way to query your systems. [Learn more.](/cnquery/#run-queries-in-the-cnquery-shell)
+
+:::
+
+To run standalone queries from the command line, use the `cnquery run` command:
+
+```bash
+cnquery run TARGET -c QUERY
+```
+
+| For... | Substitute... |
+| -------- | ----------------------------------------------------------------------- |
+| `TARGET` | The asset to query, such as `local` or a transport to a remote machine. |
+| `QUERY` | The MQL query that specifies the information you want. |
+
+:::tip
+
+For a list of supported targets and parameters, use the `help` command:
+
+```bash
+cnquery help run
+```
+
+:::
+
+### Examples
+
+This runs a query against your local system. It returns a list of the services configured on your system along with the boolean value whether each service is running:
+
+```bash
+cnquery run local -c "services.list { name running }"
+```
+
+This query finds all AWS EC2 instances, across every enabled region within an AWS account, that are configured with a public IP address, and returns the values for the fields `instanceId`, `region`, `state`, `tags`, and `publicIp`:
+
+```coffee
+aws.ec2.instances.where( publicIp != '' ) {
+ instanceId
+ region
+ state
+ tags
+ publicIp
+}
+```
+
+This lists all users and returns the values for every field available for the `user` resource:
+
+```coffee
+users.list { * }
+```
+
+This finds all container repositories used for images in a Kubernetes cluster:
+
+```coffee
+k8s.pods {
+ name
+ containers.map( containerImage.repository.fullName )
+}
+```
+
+:::tip
+
+`.map` is a function for arrays that takes a given field and extracts it. Unlike block calls (`{ .. }`), it directly returns the given field.
+
+:::
+
+### Resources
+
+A fundamental building block for writing queries, resources let you retrieve the configuration of an asset.
+
+These are just a few examples of MQL resources for servers and endpoints on **all** the platforms that Mondoo supports:
+
+- `platform` queries the host for information about the platform, including `name`, `family`, `release`, and more.
+
+- `user` retrieves information about users, including the `name`, `UID`, `GID`, `home`, `shell`, and more.
+
+- `packages` reveals information about packages on the host, including `name`, `version`, `installed`, `outdated`, and more.
+
+MQL has resources that are platform specific as well. These are some examples:
+
+- `k8s.container` lets you explore more than a dozen Kubernetes container configuration details, including `imagePullPolicy`, `workingDir`, and whether the container should allocate a TTY for itself.
+
+- `terraform.block` queries Terraform block arguments, attributes, and more.
+
+- `windows.hotfix` exposes `installedOn` and `installedBy` dates and other information about important Windows updates.
+
+For a full list of available resources, enter the `help` command within the cnquery Shell. This returns the available resources and their descriptions. You can also run `help ` to get more information on a specific resource.
+
+### Fields
+
+Each resource has _fields_ that you use to return the value of a specific configuration associated with that resource. These are some of the fields from two resource examples above:
+
+- The fields for `platform` include `name`, `family`, `release`, and others.
+
+- The fields for `k8s.container` include `imagePullPolicy`, `workingDir`,`readinessProbe`, `tty`, and more. Start off by looking at the `platform` resource, which is common to all operating systems supported by Mondoo.
+
+### Filtering results and retrieving multiple fields
+
+You can filter results and return multiple fields at once:
+
+```
+RESOURCE {FIELD1 FIELD2 FIELD3 }
+```
+
+| For... | Substitute... |
+| ---------- | ------------------------------------------------ |
+| `RESOURCE` | The resource for the information you want. |
+| `FIELD1` | The specific field containing the data you want. |
+| `FIELD2` | Another field containing the data you want. |
+| `FIELD3` | Another field containing the data you want. |
+
+For example, this command retrieves the name of the running platform, its release number, and the architecture it's running on:
+
+```coffee
+platform { name release arch }
+```
+
+## Operators and functions
+
+For information on the MQL operators and functions you can use to write queries, read [Write Effective MQL](/mql/mql.write/).
+
+## Learn more
+
+- To explore cnquery commands, read the [CLI Reference](/cnquery/cli/cnquery).
+- To explore the capabilities of the MQL language, read the [MQL docs](/mql/resources).
+
+---
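Review bot: In the Resources section, the sentence "You can also run `help ` to get more information on a specific resource" has lost its argument, so it repeats the bare `help` command the previous sentence already covered. Suggest `help RESOURCE`, following the uppercase placeholder convention used in the tables on this page, plus one concrete example. In the Fields section, "Start off by looking at the `platform` resource..." is appended to the `k8s.container` bullet and should be its own paragraph. The heading "Filtering results and retrieving multiple fields" promises filtering, but the section only shows field selection; either add a `where` example or retitle it.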
diff --git a/docs/cnquery/cnquery-run-pack.md b/docs/cnquery/cnquery-run-pack.md
new file mode 100644
index 000000000..b7e49cd83
--- /dev/null
+++ b/docs/cnquery/cnquery-run-pack.md
@@ -0,0 +1,75 @@
+---
+title: Run a Query Pack
+id: cnquery-run-pack
+sidebar_label: Run a Query Pack
+displayed_sidebar: cnquery
+sidebar_position: 5
+description: Query packs let you bundle multiple queries together to meet specific needs.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+To run multiple queries together, you can combine queries into query packs. You can find query packs in Mondoo's [cnquery-packs](https://github.com/mondoohq/cnquery-packs) GitHub repo.
+
+## Let cnquery choose the right query pack
+
+cnquery comes with query packs out of the box for most systems. You can run:
+
+```bash
+cnquery scan local
+```
+
+Without any more specifics, cnquery tries to find and run the default query pack for the given system.
+
+## Run a specific query pack
+
+To specify a query pack that you want to run, use the `-f` flag and `--querypack` argument:
+
+```bash
+cnquery scan TARGET -f YAMLFILE --querypack PACKNAME
+```
+
+| For... | Substitute... |
+| ---------- | ----------------------------------------------------------------------- |
+| `TARGET` | The asset to query, such as `local` or a transport to a remote machine. |
+| `YAMLFILE` | The query pack file, such as `mondoo-aws-incident-response.mql.yaml`. |
+| `PACKNAME` | The name of the pack to run. |
+
+For example, this command runs a query pack named incident-response:
+
+```bash
+cnquery scan local --querypack incident-response
+```
+
+## Run a single query from a pack
+
+You can also choose just one query from a query pack. Specify the query UID with the query pack:
+
+```bash
+cnquery scan TARGET --querypack PACKNAME --query-id QUERYUID
+```
+
+| For... | Substitute... |
+| ---------- | -------------------------------------------------------------------------------------------- |
+| `TARGET` | The asset to query, such as `local` or a transport to a remote machine. |
+| `PACKNAME` | The name of the pack that contains the query you want to run. |
+| `QUERYUID` | The unique identifier of the query you want to run. Find this in the query pack's YAML file. |
+
+For example, this command runs the query named `sth-01` from the pack named `incident-response`:
+
+```bash
+cnquery scan local --querypack incident-response --query-id sth-01
+```
+
+## Create custom query packs
+
+Custom query packs let you bundle queries to meet your specific needs. To help you get started, you can find simple query pack examples in the cnquery repo's [examples](https://github.com/mondoohq/cnquery/tree/main/examples) folder.
+
+## Explore your infrastructure in Mondoo Platform
+
+To more easily explore your infrastructure, sign up for a free Mondoo Platform account. Mondoo's web-based console allows you to navigate, search, and arrange all of your assets.
+
+Go to [console.mondoo.com](https://console.mondoo.com) to sign up.
+
+To learn about Mondoo Platform, read the [Mondoo Platform docs](../intro.md) or visit [mondoo.com](https://mondoo.com).
+
+---
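Review bot: "Run a specific query pack" tells the reader to use the `-f` flag together with `--querypack`, but the example directly after the table, `cnquery scan local --querypack incident-response`, drops `-f`, and so do the syntax line and example under "Run a single query from a pack". Either add `-f YAMLFILE` to those commands or explain when the file can be omitted, otherwise the reader cannot tell where `incident-response` is loaded from. The last example also calls `sth-01` the query's name while the table describes the `--query-id` value as a UID; use one term.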
diff --git a/docs/cnquery/cnquery-supported.md b/docs/cnquery/cnquery-supported.md
new file mode 100644
index 000000000..430dee961
--- /dev/null
+++ b/docs/cnquery/cnquery-supported.md
@@ -0,0 +1,47 @@
+---
+title: Supported Query Targets
+id: cnquery-supported
+sidebar_label: Supported Query Targets
+displayed_sidebar: cnquery
+sidebar_position: 8
+description: A list of technologies from which cnquery can request information
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+cnquery can request information from:
+
+| Target | Provider | Example |
+| ---------------------------- | -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| AWS accounts | `aws` | `cnquery shell aws` |
+| AWS EC2 instances | `ssh` | `cnquery shell ssh user@host` |
+| AWS EC2 Instance Connect | `aws ec2 instance-connect` | `cnquery shell aws ec2 instance-connect ec2-user@INSTANCEID` |
+| AWS EC2 EBS snapshot | `aws ec2 ebs snapshot` | `cnquery shell aws ec2 ebs snapshot SNAPSHOTID` |
+| AWS EC2 EBS volume | `aws ec2 ebs volume` | `cnquery shell aws ec2 ebs volume VOLUMEID` |
+| Container images | `container`, `docker` | `cnquery shell container ubuntu:latest` |
+| Container registries | `container registry` | `cnquery shell container registry index.docker.io/library/rockylinux:8 ` |
+| DNS records | `host` | `cnquery shell host mondoo.com` |
+| GitHub organizations | `github org` | `cnquery shell github org mondoohq` |
+| GitHub repositories | `github repo` | `cnquery shell github repo mondoohq/cnquery` |
+| GitLab groups | `gitlab` | `cnquery shell gitlab --group mondoohq` |
+| Google Cloud projects | `gcp` | `cnquery shell gcp` |
+| Google Workspace | `google-workspace` | `cnquery shell google-workspace --customer-id CUSTOMER_ID --impersonated-user-email EMAIL --credentials-path JSON_FILE` |
+| Kubernetes cluster nodes | `local`, `ssh` | `cnquery shell ssh user@host` |
+| Kubernetes clusters | `k8s` | `cnquery shell k8s` |
+| Kubernetes manifests | `k8s` | `cnquery shell k8s manifest.yaml ` |
+| Kubernetes workloads | `k8s` | `cnquery shell k8s --discover pods,deployments` |
+| Linux hosts | `local`, `ssh` | `cnquery shell local` or `cnquery shell ssh user@host` |
+| macOS hosts | `local`, `ssh` | `cnquery shell local` or `cnquery shell ssh user@IP_ADDRESS` |
+| Microsoft 365 accounts | `ms365` | `cnquery shell ms365 --tenant-id TENANT_ID --client-id CLIENT_ID --certificate-path PFX_FILE` |
+| Microsoft Azure accounts | `azure` | `cnquery shell azure --subscription SUBSCRIPTION_ID` |
+| Microsoft Azure instances | `ssh` | `cnquery shell ssh user@host` |
+| Okta | `okta` | `cnquery shell okta --token TOKEN --organization ORGANIZATION` |
+| Oracle Cloud Interface (OCI) | `oci` | `cnquery shell oci` |
+| Running containers | `docker` | `cnquery shell docker CONTAINER_ID` |
+| Slack | `slack` | `cnquery shell slack --token TOKEN` |
+| SSL certificates on websites | `host` | `cnquery shell host mondoo.com` |
+| Terraform HCL | `terraform` | `cnquery shell terraform HCL_FILE_OR_PATH` |
+| Terraform plan | `terraform plan` | `cnquery shell terraform plan plan.json` |
+| Terraform state | `terraform state` | `cnquery shell terraform state state.json` |
+| Vagrant virtual machines | `vagrant` | `cnquery shell vagrant HOST` |
+| VMware vSphere | `vsphere` | `cnquery shell vsphere user@domain@host --ask-pass` |
+| Windows hosts | `local`, `ssh`, `winrm` | `cnquery shell local`, `cnquery shell ssh Administrator@IP_ADDRESS --ask-pass` or `cnquery shell winrm Administrator@IP_ADDRESS --ask-pass` |
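Review bot: The row labelled "Oracle Cloud Interface (OCI)" should read "Oracle Cloud Infrastructure (OCI)", which is how providers.mdx in this same change names the `oci` target. The container registries and Kubernetes manifests examples carry a trailing space inside the backticks (after `rockylinux:8` and `manifest.yaml`) that gets copied along with the command. The Okta and Slack rows pass the secret as `--token TOKEN` on the command line, where it ends up in shell history; if those providers accept an environment variable the way the GitHub page uses `GITHUB_TOKEN`, show that form instead.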
diff --git a/docs/cnquery/home.md b/docs/cnquery/home.md
new file mode 100644
index 000000000..ed6413340
--- /dev/null
+++ b/docs/cnquery/home.md
@@ -0,0 +1,53 @@
+---
+title: cnquery Docs
+hide_title: true
+sidebar_label: cnquery Docs Home
+displayed_sidebar: cnquery
+description: cnquery documentation home
+image: /img/featured_img/mondoo-feature.jpg
+hide_table_of_contents: true
+---
+
+![cnquery Docs](/img/cnquery/cnquery-logo.png)
+
+cnquery is an open source, cloud-native tool that answers every question about your infrastructure.
+
+### [What Is cnquery?](/cnquery/cnquery-about/)
+
+Get to know cnquery and explore its capabilities.
+
+### [Install cnquery](/cnquery/)
+
+Download and install cnquery on your assets.
+
+### Get Started with:
+
+- [AWS](/cnquery/cnquery-aws/)
+
+- [Azure](/cnquery/cnquery-azure/)
+
+- [GCP](/cnquery/cnquery-gcp/)
+
+- [Kubernetes](/cnquery/cnquery-k8s/)
+
+- [Linux](/cnquery/cnquery-oper/cnquery-linux-intro)
+
+- [macOS](/cnquery/cnquery-oper/cnquery-macos-intro)
+
+- [Windows](/cnquery/cnquery-oper/cnquery-windows-intro)
+
+### [CLI Command Reference](/cnquery/cli/cnquery/)
+
+Find the commands you need to search and query your infrastructure.
+
+### See also:
+
+- To learn all the resources that you can query in your infrastructure and how to access the information, read the [MQL Reference](/mql/resources/),
+
+- To learn how to create queries, read [Write Effective MQL](/mql/mql.write).
+
+#### Can't find what you need?
+
+Join our [community discussion on GitHub](https://github.com/orgs/mondoohq/discussions).
+
+---
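Review bot: Under "See also:", the first bullet ends in a comma (`read the [MQL Reference](/mql/resources/),`) while the second ends in a period; make it a period. The links are also inconsistent about trailing slashes: the AWS, Azure, GCP and Kubernetes links end in `/` while the Linux, macOS and Windows links do not, and `/mql/mql.write` here is written `/mql/mql.write/` in the other pages of this change. Pick one form so the site's link checker and redirects treat them the same way.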
diff --git a/docs/cnquery/providers.mdx b/docs/cnquery/providers.mdx
new file mode 100644
index 000000000..7fa3e7976
--- /dev/null
+++ b/docs/cnquery/providers.mdx
@@ -0,0 +1,298 @@
+---
+title: Manage cnquery Providers
+sidebar_label: Manage cnquery Providers
+sidebar_position: 9
+displayed_sidebar: cnquery
+description: Learn about providers and special considerations for containers and air-gapped or limited access assets
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+cnquery can query and inventory dozens of different platforms, from AWS accounts to Windows hosts. _Providers_ are the components of cnquery that allow it to query specific platforms. When you download and install cnquery, you don't download or install any providers. Instead, when you run a cnquery command, cnquery automatically downloads and installs the provider(s) you need. This approach saves you download time, memory, and disk space. Each time you use cnquery, it ensures that you have the latest version of the necessary provider(s).
+
+For example, suppose you download cnquery and install it on a Linux workstation. There are no providers installed on the workstation. When you run a local query, cnquery checks and finds that the provider it needs, the operating systems (`os`) provider isn't present. cnquery automatically downloads and installs the `os` provider and then runs the scan. The `os` provider remains on your workstation for the next time you use cnquery for your operating system.
+
+Continuing the example, suppose you then run `cnquery shell aws` to run some queries against your AWS account settings. cnquery downloads and installs the `aws` provider and opens the shell. The `aws` provider remains on your workstation for the next time you use cnquery for AWS.
+
+Most users don't need to think about providers. cnquery manages them for you. However, there are some situations where you might want to manage providers yourself:
+
+- Containers
+
+- Read-only mode
+
+- Air-gapped environments
+
+## Provider considerations for containers
+
+By default, when you spin up a container with cnquery installed and run any cnquery command, cnquery retrieves the latest version of the providers it needs. When the container is destroyed, the providers are destroyed. Therefore, the next time you spin up a container based on the same image, the download and installation repeat.
+
+You can eliminate the unnecessary processing by:
+
+- Installing the provider(s) on the image. To learn how, read [Install, update, and remove providers](#install-update-and-remove-providers) below.
+
+- Turning off provider auto-update. To learn how, read [Turn off provider auto-update](#turn-off-provider-auto-update) below.
+
+## Provider considerations for read-only mode
+
+Some security situations dictate that cnquery must not be allowed to write to the machine on which it's installed. cnquery does operate in read-only mode, however, it can't download and install the providers it needs. Therefore, when you install cnquery on a machine on which cnquery won't have write access, you must also install the provider. To learn how, read [Install, update, and remove providers](#install-update-and-remove-providers) below.
+
+:::note
+
+If you install cnquery in an environment where it can't automatically update providers, you're responsible for installing provider updates.
+
+:::
+
+To prevent error messages from displaying when you run commands in read-only mode, turn off provider auto-update. To learn how, read [Turn off provider auto-update](#turn-off-provider-auto-update) below.
+
+## Provider considerations air-gapped environments
+
+In an air-gapped environment, cnquery can't download the providers needed to query or inventory the system. Therefore, when you install cnquery to an air-gapped machine, you must also install the provider. To learn how, read [Install, update, and remove providers](#install-update-and-remove-providers) below.
+
+:::note
+
+If you install cnquery in an air-gapped environment, you're responsible for installing provider updates.
+
+:::
+
+To prevent error messages from displaying when you run commands, turn off provider auto-update.
+
+## Turn off provider auto-update
+
+By default, each time you run a cnquery command, cnquery downloads and installs the latest version of the provider needed to execute the command (unless the latest version of the provider is already installed). You can change this behavior by disabling auto-update for cnquery.
+
+If you disable auto-update, cnquery doesn't check whether the latest version of the necessary provider is installed. It uses the version of the necessary provider that is currently installed. If the provider isn't installed, the command fails.
+
+### Turn off provider auto-update for all cnquery commands and Mondoo scans
+
+To never automatically update providers, set the auto-update value in the cnquery configuration file to `false`.
+
+On a Linux or macOS host, cnquery configuration is stored in one of these locations:
+
+- `/etc/opt/mondoo/mondoo.yml` configures cnquery for all user accounts.
+
+- `~/.config/mondoo/mondoo.yml` configures cnquery for a single user.
+
+On a Windows host, cnquery configuration is stored in one of these locations:
+
+- `C:\ProgramData\mondoo\mondoo.yml` configures cnquery for all users.
+
+- `C:\Users\{username}\.config\mondoo\mondoo.yml` configures cnquery for a single user.
+
+To configure cnquery to never update providers, set the configuration:
+
+```yaml
+auto-update: false
+```
+
+:::note
+
+If you disable auto-update, be sure to check regularly for new versions of providers. To learn more, read [Install, update, and remove providers](#install-update-and-remove-providers) below.
+
+:::
+
+### Turn provider auto-update on or off for a single cnquery command
+
+To skip checking for, downloading, and installing the latest provider just once (for a single cnquery command), add the '--auto-update=false' flag to the command. For example, this scans the local machine without updating to the latest provider:
+
+```bash
+cnquery scan --auto-update=false
+```
+
+The command line flag overrides the `mondoo.yml` config file setting.
+
+## Install, update, and remove providers
+
+You can download the latest versions of providers at [https://releases.mondoo.com/providers/](https://releases.mondoo.com/providers/). Past versions are always available at the same location.
+
+These are the available cnquery providers:
+
+| Provider | Target |
+| ---------------- | ----------------------------------------- |
+| arista | Arista |
+| aws | Amazon Web Services |
+| azure | Microsoft Azure |
+| equinix | Equinix |
+| gcp | Google Cloud Platform |
+| github | GitHub |
+| gitlab | GitLab |
+| google-workspace | Google Workspace |
+| ipmi | Intelligent Platform Management Interface |
+| k8s | Kubernetes |
+| ms365 | Microsoft 365 |
+| network | Hosts |
+| oci | Oracle Cloud Infrastructure |
+| okta | Okta |
+| opcua | OPC Unified Architecture |
+| os | Operating systems |
+| slack | Slack |
+| terraform | HashiCorp Terraform |
+| vcd | VMware Cloud Director |
+| vsphere | VMware vSphere |
+
+To learn what providers are installed, run:
+
+```bash
+cnquery providers
+```
+
+For help on the `providers` subcommand, run:
+
+```bash
+cnquery providers -h
+```
+
+### Manually install a provider
+
+To install a provider, run:
+
+```bash
+cnquery providers install NAME
+```
+
+For `NAME`, substitute the provider name (as shown in the table above). For example:
+
+```bash
+cnquery providers install k8s
+```
+
+For help on manual provider installation, run:
+
+```bash
+cnquery providers install -h
+```
+
+To install a provider from a file, run:
+
+```bash
+cnquery providers install -f PATH
+```
+
+For `PATH`, substitute the path and name of the provider file. For example:
+
+```bash
+cnquery providers install -f providers/os/dist/os.tar.xz
+```
+
+To install a provider from a URL, run:
+
+```bash
+cnquery providers install --url URL
+```
+
+For `URL`, substitute the location and name of the provider file. For example:
+
+```bash
+cnquery providers install --url https://releases.mondoo.com/providers/os/9.0.7/os_9.0.7_linux_arm.tar.xz
+```
+
+### Manually update providers
+
+To update to the latest version of all installed providers, run:
+
+```bash
+cnquery providers update
+```
+
+To update to the latest version of a specific provider, run:
+
+```bash
+cnquery providers update NAME
+```
+
+For `NAME`, substitute the name of the provider (as shown in the table above). For example:
+
+```bash
+cnquery providers update vsphere
+```
+
+### Remove providers
+
+To remove a provider, run:
+
+```bash
+cnquery providers remove NAME
+```
+
+For `NAME`, substitute the name of the provider you want to uninstall. For example:
+
+```bash
+cnquery providers remove terraform
+```
+
+## Custom providers
+
+You can create your own custom providers for any MQL runtime, including cnquery and cnspec. Providers can be created in any language or framework as long as they adhere to the plugin structure and API.
+
+### Provider structure
+
+Provider plugins are located by default in either the system or user location. They consist of a folder containing a set of required files. For example, for a provider `mypro` you would see the following structure:
+
+```
+./mypro/ Folder containing the provider and additional files
+├── mypro Executable used to start the provider plugin
+├── mypro.json Provider metadata
+└── mypro.resources.json Resources and fields schema
+```
+
+- **Provider folder**
+ The folder that must contain at least the binary, metadata, and schema. Additionally, providers may contain other custom files.
+
+- **Provider binary**
+ The binary is spawned when a new provider instance is created.
+
+ It must adhere to the plugin behavior defined in [go-plugin](https://github.com/hashicorp/go-plugin), i.e. it must create a blocking process that communicates via GRPC with the caller and implements the provider plugin proto API.
+
+ Due to these specifications, providers can be created in any language or stack, as long as they offer a callable binary (that is executable on the target system) and communicates via the GRPC interface.
+
+- **Provider metadata**
+ This file contains information about the provider like its name, UID, version, connections, and connectors. It is also used to build the CLI interface. The structure is defined in the [Provider struct](https://github.com/mondoohq/cnquery/blob/main/providers-sdk/v1/plugin/start.go).
+
+- **Resources and fields schema**
+ The schema contains all resources and fields that are offered by this provider. This includes version constraints for compatibility, field types, and basic documentation. It is defined in the [Schema message](https://github.com/mondoohq/cnquery/blob/main/providers-sdk/v1/resources/resources.proto) in the resources proto. Provider schemas can be auto-generated (see scaffolding below).
+
+Providers are distributed as `tar.xz` files which contain the above structure. They can be installed using these compressed archives via:
+
+```bash
+cnquery providers install -f provider.tar.xz
+```
+
+Providers can also be installed manually by creating the above structure in the user system provider location.
+
+### Provider scaffolding
+
+To ease the creation of providers, cnquery comes with a scaffolding utility.
+
+To install it:
+
+```bash
+go install apps/provider-scaffold/provider-scaffold.go
+```
+
+To create a new provider (let's call it `mypro` in this example) run:
+
+```bash
+provider-scaffold --path mypro --provider-id mypro --provider-name "My Provider" --go-package github.com/myuser/mql-provider-mypro/mypro
+```
+
+The current provider scaffolding is geared towards golang. Contributions to extend it to other stacks are very welcome.
+
+### Builtin providers
+
+If you prefer not to have separate provider binaries that are spawned, it is possible to build any MQL runtime with Go-based providers directly into the binary. This means that no additional files are installed, or update, nor processes spawned.
+
+To manually configure builtin providers, you can modify the list of [`builtinProviders`](https://github.com/mondoohq/cnquery/blob/main/providers/builtin.go). Once added, you will see it in the list of builtin providers for any binary you build, for example:
+
+```bash
+> cnquery providers
+
+→ builtin (found 3 providers)
+
+ core 9.1.3
+ mock 9.0.0 with connectors: mock
+ mypro 0.0.1 with connectors: mytarget
+
+...
+```
+
+Any MQL runtime can be built into a binary that contains these providers. Please note that they cannot be updated without creating a new build and increase the file-size of the runtime. This may still be advantageous in cases where you want an overall smaller footprint and tighter security profile.
+
+---
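Review bot: In "Manually install a provider", the `-f PATH` and `--url URL` forms hand cnquery an archive containing a binary that it will later spawn, yet the page never says how to confirm the archive is the one Mondoo published, which matters most for the air-gapped and read-only cases that depend on manual installs. If releases.mondoo.com publishes checksums or signatures, link them and show the verification step before `cnquery providers install -f`; if it does not, say so. Related gaps: "Provider plugins are located by default in either the system or user location" and "the user system provider location" never give the actual paths, and `go install apps/provider-scaffold/provider-scaffold.go` does not say it must be run from a checkout of the cnquery repo. Smaller points: the heading "Provider considerations air-gapped environments" is missing "for", the flag in "add the '--auto-update=false' flag" should be in backticks like every other flag on the page, and "no additional files are installed, or update, nor processes spawned" needs rewording.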
diff --git a/docs/cnquery/saas/github.md b/docs/cnquery/saas/github.md
new file mode 100644
index 000000000..934cea437
--- /dev/null
+++ b/docs/cnquery/saas/github.md
@@ -0,0 +1,100 @@
+---
+title: Query GitHub organizations and repositories with cnquery
+sidebar_label: GitHub
+sidebar_position: 2
+displayed_sidebar: cnquery
+description: Query GitHub configuration with cnquery
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Rely on cnquery to query and inventory your GitHub organizations and private repositories (repos) as well as public repos and open source projects your team depends on.
+
+## Give cnquery access using the GitHub API
+
+To query GitHub organizations and repos, cnquery needs access. You give cnquery the access it needs through the GitHub API. First, you create GitHub personal access token. Then you share that token with cnquery using an environment variable.
+
+### Create a GitHub personal access token
+
+cnquery needs a personal access token to query a GitHub organization, public repo, or private repo. The token's level of access determines how much information cnquery can retrieve.
+
+To learn how to create a personal access token, read [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) in the GitHub documentation.
+
+### Configure a GITHUB_TOKEN environment variable
+
+You supply your personal access token to cnquery using the `GITHUB_TOKEN` environment variable.
+
+#### Linux / macOS
+
+```bash
+export GITHUB_TOKEN=
+```
+
+#### Windows
+
+```powershell
+$Env:GITHUB_TOKEN = ""
+```
+
+## Query GitHub
+
+To answer any question about your environment, use cnquery's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnquery and learning MQL.
+
+To launch a shell into your GitHub organization, enter:
+
+```bash
+cnquery shell github org YOUR-ORG
+```
+
+For `YOUR-ORG`, substitute the name of your GitHub organization.
+
+### Discover capabilities with the `help` command
+
+Once inside the shell, use the `help` command to learn what GitHub resources you can query. This command lists all the GitHub resources:
+
+```coffee
+help github
+```
+
+From the resulting list, you can drill down further. For example, enter this command to list all the GitHub resources you can query:
+
+```coffee
+help github.organization
+```
+
+### Example query
+
+Now that you know how to discover what's possible with cnquery, let's run some actual queries in the shell.
+
+This query returns the number of private repos in the organization:
+
+```coffee
+github.organization.totalPrivateRepos
+```
+
+#### Filter results
+
+You can filter results based on any fields. Specify the criteria using the `where` function and standard boolean operators.
+
+For example, this query asks for repo branches, and filters results to show only protected branches:
+
+```coffee
+github.repository.branches.where( protected == true )
+```
+
+### Exit the cnquery shell
+
+To exit the cnquery shell, either press `Ctrl + D` or type `exit`.## Query a GitHub organization
+
+To query the configuration of your GitHub organization, run this command:
+
+```bash
+cnquery shell github org
+```
+
+## Learn more
+
+- To learn about all the GitHub resources and properties, read the [Mondoo GitHub Resource Pack Reference](/mql/resources/github-pack/).
+
+- To learn how to write queries, read [Write Effective MQL](/mql/mql.write).
+
+---
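Review bot: The line "To exit the cnquery shell, either press `Ctrl + D` or type `exit`.## Query a GitHub organization" fuses a heading onto the end of a sentence, so the heading will not render. The section it introduces repeats the earlier launch command but as `cnquery shell github org` with no organization name. Either drop that section or put the heading on its own line and restore the `YOUR-ORG` placeholder. Both token examples (`export GITHUB_TOKEN=` and `$Env:GITHUB_TOKEN = ""`) are empty, so add a visible placeholder such as YOUR-TOKEN. The lead-in to `help github.organization` repeats "list all the GitHub resources you can query" from the previous command and should describe the organization resource instead. "Create a GitHub personal access token" says the token's level of access determines what cnquery can retrieve but never names the scopes needed; listing the minimum read-only scopes would keep readers from creating an over-privileged token.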
diff --git a/docs/cnquery/saas/google_workspace.md b/docs/cnquery/saas/google_workspace.md
new file mode 100644
index 000000000..88def43a7
--- /dev/null
+++ b/docs/cnquery/saas/google_workspace.md
@@ -0,0 +1,145 @@
+---
+title: Query Google Workspace with cnquery
+sidebar_label: Google Workspace
+sidebar_position: 3
+displayed_sidebar: cnquery
+description: Query Google Workspace configuration
+---
+
+Use cnquery to inventory and query your Google Workspace environment.
+
+## Configure access to the Google Workspace API
+
+:::note
+
+These steps for configuring [Admin SDK API](https://developers.google.com/admin-sdk) access to your
+Google Workspace environment rely on Google Cloud (GCP) even if you aren't otherwise using GCP.
+
+:::
+
+1. [Create a Google Workspace service account](https://support.google.com/a/answer/7378726).
+ - In addition to the APIs that Google requires, also enable:
+ - Cloud Identity API
+ - Google Drive API
+ - After creating the service account, be sure to record the **Unique ID** on the details page. This is the Client ID to use in the next step.
+ - Be sure to download and protect the JSON credentials file.
+2. Log into the [Google Workspace Admin Portal](https://admin.google.com).
+
+3. In the left-side navigation, select **Security -> Access and data controls -> API controls**.
+
+4. Select [**Domain-wide Delegation**](https://developers.google.com/workspace/guides/create-credentials#delegate_domain-wide_authority_to_your_service_account) and then select **Add new**.
+
+5. For the **Client ID** enter the **Unique ID** of the service account you created.
+
+6. Paste this comma-delimited list to add all 17 read-only OAuth scopes:
+
+ ```text
+ https://www.googleapis.com/auth/admin.chrome.printers.readonly,https://www.googleapis.com/auth/admin.directory.customer.readonly,https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/admin.directory.user.alias.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.userschema.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.reports.usage.readonly,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/cloud-identity.groups.readonly
+ ```
+
+7. In the [Google Workspace Admin Portal](https://admin.google.com), navigate to **Account -> Account Settings** and record the **Customer ID**.
+
+To test proper configuration, use the cnquery shell to run a sample query:
+
+```text
+$ cnquery shell google-workspace --customer-id 5amp13iD --impersonated-user-email admin@domain.com --credentials-path /home/user/my-project-6646123456789.json
+```
+
+| For... | Substitute... |
+| --------------------------- | ----------------------------------------------------------- |
+| `--impersonated-user-email` | The email address of a user that has super admin privileges |
+| `--credentials-path` | The path to the downloaded JSON credentials file |
+
+cnquery returns results similar to these:
+
+```
+cnquery> googleworkspace.users
+googleworkspace.users: [
+ 0: {
+ primaryEmail: "alice@smith.family"
+ }
+ 1: {
+ primaryEmail: "betty@smith.family"
+ }
+ ....
+```
+
+If you prefer, you can use any of these environment variables to provide the credentials file. They're listed in order of precedence:
+
+- `GOOGLE_APPLICATION_CREDENTIALS`
+- `GOOGLEWORKSPACE_CREDENTIALS`
+- `GOOGLEWORKSPACE_CLOUD_KEYFILE_JSON`
+- `GOOGLE_CREDENTIALS`
+
+:::note
+
+If any of the variables above and the `--credentials-path` parameter are both present, the environment variable takes precedence.
+
+:::
+
+## Example queries
+
+Display details for the first user in the workspace:
+
+```coffee
+cnquery> googleworkspace.users[0]{ * }
+googleworkspace.users[0]: {
+ isMailboxSetup: true
+ familyName: "Smith"
+ suspensionReason: ""
+ recoveryEmail: ""
+ archived: false
+ aliases: []
+ isAdmin: false
+ lastLoginTime: 2023-01-03 20:45:12 +0000 UTC
+ agreedToTerms: true
+ suspended: false
+ isEnrolledIn2Sv: false
+ fullName: "Alice Smith"
+ recoveryPhone: ""
+ primaryEmail: "alice@smith.family"
+ givenName: "Alice"
+ id: "1182761XXXXXXXXX"
+ tokens: [
+ 0: googleworkspace.token displayText="iOS Account Manager"
+ 1: googleworkspace.token displayText="Facetune2"
+ 2: googleworkspace.token displayText="YouTube on TV"
+ 3: googleworkspace.token displayText="Discord"
+ 4: googleworkspace.token displayText="Google Chrome"
+ 5: googleworkspace.token displayText="Epic Games, Inc."
+ 6: googleworkspace.token displayText="the-game-awards"
+ ]
+ creationTime: 2021-11-30 04:31:25 +0000 UTC
+ isEnforcedIn2Sv: false
+ usageReport: googleworkspace.report.usage id = googleworkspace.report.usage/C013XXXXXX/118276124783XXXXXXXXX/2023-01-03
+}
+```
+
+Notice that `usageReport` is listed in this example output. This provides access to several reports with more useful user data that you can also check.
+
+For example, this retrieves the first user in the workspace's account usage data:
+
+```coffee
+cnquery> googleworkspace.users[0].usageReport.account
+googleworkspace.users[0].usageReport.account: {
+ adminSetName: "Alice Smith"
+ driveUsedQuotaInMb: 231.000000
+ gmailUsedQuotaInMb: 39.000000
+ is2SvEnforced: false
+ isDisabled: false
+ isLessSecureAppsAccessAllowed: false
+ isS2SvEnrolled: false
+ isSuperAdmin: false
+ passwordLengthCompliance: "COMPLIANT"
+ passwordStrength: "STRONG"
+ usedQuotaInMb: 270.000000
+}
+```
+
+## Learn more
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+
+- For more information, explore the complete [Mondoo Google Workspace Resource Pack Reference](/mql/resources/google-workspace-pack/).
+
+---
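Review bot: Step 6 describes the pasted list as "all 17 read-only OAuth scopes", but one of the 17 entries, https://www.googleapis.com/auth/admin.directory.user.security, does not carry the `.readonly` suffix that the other 16 have. Either reword the step so it does not promise read-only access, or explain why this scope is needed and what it grants, since it is being delegated domain-wide. The substitution table under the test command covers `--impersonated-user-email` and `--credentials-path` but omits `--customer-id`, even though step 7 has the reader record the Customer ID for that purpose. The table asks for a user with super admin privileges, so a sentence on why impersonating a super admin is required (or whether a lesser admin role works) would help readers apply least privilege. The note on precedence says the environment variable wins over `--credentials-path`; please confirm that is intended, because an explicit flag being overridden by an ambient variable is easy to miss.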
diff --git a/docs/cnquery/saas/ms365.md b/docs/cnquery/saas/ms365.md
new file mode 100644
index 000000000..51933bba1
--- /dev/null
+++ b/docs/cnquery/saas/ms365.md
@@ -0,0 +1,200 @@
+---
+title: Query Microsoft 365
+sidebar_label: Microsoft 365
+displayed_sidebar: cnquery
+sidebar_position: 4
+description: Use cnquery to inventory and Microsoft 365
+image: /img/featured_img/mondoo-365.jpg
+---
+
+cnquery can provide answers about your Microsoft 365 environment. It can query any aspect of your Microsoft 365 configuration. For a list of Microsoft 365 resources you can query, read [Mondoo Microsoft 365 (MS365) Resource Pack Reference](/mql/resources/ms365-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+## Connect cnquery with your Microsoft 365 environment
+
+### Requirements
+
+To test your Microsoft 365 environment with cnquery, you must have:
+
+- [cnquery installed on your workstation](/cnquery/).
+- A [Microsoft 365 subscription](https://www.microsoft.com/en-us/microsoft-365)
+- The [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) installed
+
+### Give cnquery access through the Microsoft 365 API
+
+To remotely scan your Microsoft 365 environment, cnquery must have API credentials with access to the subscription. Follow these steps to give cnquery access:
+
+1. Log into the Azure CLI:
+
+```bash
+az login --allow-no-subscriptions
+```
+
+2. Create a new service principal and certificate:
+
+```bash
+az ad sp create-for-rbac --name "mondoo-ms365" --create-cert
+```
+
+3. Record the `appId` and `tenant` values to use later. Copy the newly created certificate file to a safe location.
+
+4. Log into the [Azure portal](https://portal.azure.com), navigate to **App Registrations**, and select the application you just created.
+
+5. In the sidebar, select **API Permissions**.
+
+ ![Azure Admin Center App Registrations](/img/platform/infra/saas/ms365/aad.portal.azure.registration.complete.png)
+
+ By default, Microsoft grants your new application with `User.Read` permission for Microsoft Graph. It's not required for Mondoo, so you can remove it.
+
+6. Select **Add a permission**.
+
+ ![Azure Admin Center App Registrations](/img/platform/infra/saas/ms365/aad.portal.azure.apipermissions.add.png)
+
+7. From the list of **Commonly used Microsoft APIs**, select **Microsoft Graph**.
+
+ ![Azure Admin Center App Registrations](/img/platform/infra/saas/ms365/aad.portal.azure.apipermissions.graph.png)
+
+8. Because Mondoo acts as a service, select **Application permissions**. Then select the API permissions:
+
+
+ Show or hide required API permissions.
+
+ | Microsoft Graph | Type | Description |
+ | --------------------------------------- | ----------- | ----------------------------------------------------------------- |
+ | Application.Read.All | Application | Read all applications |
+ | AuditLog.Read.All | Application | Read all audit log data |
+ | Calendars.Read | Application | Read calendars in all mailboxes |
+ | Device.Read.All | Application | Read all devices |
+ | DeviceManagementApps.Read.All | Application | Read Microsoft Intune apps |
+ | DeviceManagementConfiguration.Read.All | Application | Read Microsoft Intune device configuration and policies |
+ | DeviceManagementManagedDevices.Read.All | Application | Read Microsoft Intune devices |
+ | DeviceManagementRBAC.Read.All | Application | Read Microsoft Intune RBAC settings |
+ | DeviceManagementServiceConfig.Read.All | Application | Read Microsoft Intune configuration |
+ | Directory.Read.All | Application | Read directory data |
+ | Domain.Read.All | Application | Read domains |
+ | IdentityProvider.Read.All | Application | Read identity providers |
+ | IdentityRiskEvent.Read.All | Application | Read all identity risk event information |
+ | IdentityRiskyUser.Read.All | Application | Read all identity risky user information |
+ | InformationProtectionPolicy.Read.All | Application | Read all published labels and label policies for an organization. |
+ | MailboxSettings.Read | Application | Read all user mailbox settings |
+ | Organization.Read.All | Application | Read organization information |
+ | OrgContact.Read.All | Application | Read organizational contacts |
+ | Policy.Read.All | Application | Read your organization's policies |
+ | Policy.Read.ConditionalAccess | Application | Read your organization's conditional access policies |
+ | Policy.Read.PermissionGrant | Application | Read consent and permission grant policies |
+ | RoleManagement.Read.All | Application | Read role management data for all RBAC providers |
+ | SecurityActions.Read.All | Application | Read your organization's security actions |
+ | SecurityEvents.Read.All | Application | Read your organization’s security events |
+ | TeamsAppInstallation.ReadForUser.All | Application | Read all users' installed Teams apps |
+ | TeamSettings.Read.All | Application | Read all teams' settings |
+ | ThreatAssessment.Read.All | Application | Read threat assessment requests |
+ | ThreatIndicators.Read.All | Application | Read all threat indicators |
+
+
+
+9. Grant Mondoo read permissions for **Office 365 Management API**.
+
+ ![Azure Admin Center App Registrations - API permissions](/img/platform/infra/saas/ms365/aad.portal.azure.apipermissions.o365.png)
+
+ | Office 365 Management APIs | Type | Description |
+ | -------------------------- | ----------- | -------------------------------------------------------- |
+ | ActivityFeed.Read | Application | Read activity data for your organization |
+ | ActivityFeed.ReadDlp | Application | Read DLP policy events including detected sensitive data |
+ | ServiceHealth.Read | Application | Read service health information for your organization |
+
+ Confirm the selected permissions by selecting **Add permissions**.
+
+ ![Azure Admin Center App Registrations](/img/platform/infra/saas/ms365/aad.portal.azure.apipermissions.select.png)
+
+10. To complete the process, select **Grant admin consent for tenant**.
+
+![Azure Admin Center App Registrations](/img/platform/infra/saas/ms365/aad.portal.azure.apipermissions.confirm.png)
+
+### Verify with a quick Microsoft 365 query
+
+To quickly confirm that cnquery has access to your Microsoft 365 environment, run this check from your terminal:
+
+```bash
+cnquery run ms365 -c 'microsoft.organizations { id }'
+```
+
+cnquery lists your Microsoft organizations' IDs.
+
+You've successfully used cnquery to query your Microsoft 365 environment. Now you're ready to explore. The method you choose depends on your goals:
+
+## Query Microsoft 365
+
+To answer any question about your environment, use cnquery's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnquery and learning MQL.
+
+To launch a shell into your Azure environment, enter:
+
+```bash
+cnquery shell ms365
+```
+
+### Discover capabilities with the `help` command
+
+Once inside the shell, use the `help` command to learn what Microsoft 365 resources you can query. This command lists all the Microsoft 365 resources:
+
+```coffee
+help ms365
+```
+
+From the resulting list, you can drill down further. For example, enter this command to list all the Microsoft domain resources you can query:
+
+```coffee
+help microsoft.domain
+```
+
+From the resulting list, you can drill down even further. You can also learn about available Azure resources in the [Mondoo Microsoft 365 (MS365) Resource Pack Reference](/mql/resources/ms365-pack/).
+
+### Query storage accounts
+
+Now that you know how to discover what's possible with cnquery, let's run some actual queries in the shell.
+
+This query lists all the current domains:
+
+```coffee
+microsoft.domains
+```
+
+#### Request full details in results
+
+For a more detailed report, you can specify that you want all fields:
+
+```coffee
+microsoft.domains { * }
+```
+
+For each domain, cnquery lists type, availability, supported services, and more.
+
+#### Specify fields to include in results
+
+If you're interested in only some details, specify the fields you want in braces. For example, this query asks for each domain's ID, password validity period, and whether the domain is admin managed:
+
+```coffee
+microsoft.domains { id passwordValidityPeriodInDays isAdminManaged }
+```
+
+#### Filter results
+
+You can filter results based on any fields. Specify the criteria using the `where` function and standard boolean operators.
+
+For example, this filters results to show only domains that have passwords that expire:
+
+```coffee
+microsoft.domains.where(passwordValidityPeriodInDays != 2147483647) { id availabilityStatus }
+```
+
+cnquery returns all domains with passwords that can expire. It includes the ID and availability status for each one.
+
+### Exit the cnquery shell
+
+To exit the cnquery shell, either press `Ctrl + D` or type `exit`.
+
+## Learn more about querying Microsoft 365
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+
+- For a list of all the Microsoft 365 resources and fields you can query, read the [Mondoo Microsoft 365 (MS365) Resource Pack Reference](/mql/resources/ms365-pack/).
+
+---
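Review bot: Steps 2 and 3 have the reader create a service principal with a certificate and record `appId` and `tenant` "to use later", but nothing later in the page uses them: the verification command is `cnquery run ms365 -c 'microsoft.organizations { id }'` with no credentials, so it is unclear how cnquery authenticates. Add the step that passes the tenant, client ID and certificate to cnquery. Several lines look like leftovers from an Azure page and should be corrected: "To launch a shell into your Azure environment", "available Azure resources", and the heading "Query storage accounts" above a query that lists domains. The front-matter description "Use cnquery to inventory and Microsoft 365" is missing a verb, "The method you choose depends on your goals:" ends in a colon with nothing following it, and the stray line "Show or hide required API permissions." above the Graph table appears to be the remains of a collapsible block. The Graph table grants 28 application permissions; noting which ones can be left out for a narrower scan would help readers keep the app registration minimal.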
diff --git a/docs/cnquery/saas/okta.md b/docs/cnquery/saas/okta.md
new file mode 100644
index 000000000..fc382c9c5
--- /dev/null
+++ b/docs/cnquery/saas/okta.md
@@ -0,0 +1,150 @@
+---
+title: Query Okta with cnquery
+sidebar_label: Okta
+sidebar_position: 5
+displayed_sidebar: cnquery
+description: Query Okta configuration with cnquery
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Rely on cnquery to query and inventory your Okta domain, including users, groups, policies, rules, applications and more.
+
+## Configure access to Okta
+
+Create an Okta [API token](https://developer.okta.com/docs/guides/create-an-api-token/create-the-token/). Carefully record the API token and your Okta domain.
+
+:::note
+
+Okta API tokens have a [fixed expiration period of 30 days](https://developer.okta.com/docs/guides/create-an-api-token/main/#token-expiration).
+
+:::
+
+Test access using the cnquery shell in a terminal. If your domain includes '-admin', you must remove it when specifying the organization to cnquery. For example, if your Okta URL is 'dev-22556123-admin.okta.com', specify your organization as 'dev-22556123.okta.com'.
+
+```bash
+$ cnquery shell okta --organization dev-22556123.okta.com --token
+cnquery> okta.organization{ * }
+okta.organization: {
+ address2: ""
+ subdomain: "dev-22556123"
+ created: 2023-01-19 19:35:32 +0000 UTC
+ lastUpdated: 2023-01-19 19:35:38 +0000 UTC
+ country: ""
+ status: "ACTIVE"
+ website: "https://developer.okta.com"
+ endUserSupportHelpURL: ""
+ state: ""
+ address1: ""
+ city: ""
+ phoneNumber: ""
+ expiresAt: null
+ supportPhoneNumber: ""
+ postalCode: ""
+ companyName: "okta-dev-22556123"
+ id: ""
+}
+```
+
+You can also use the `OKTA_CLIENT_TOKEN` environment variable, which makes the `--token` parameter optional. Note that if both are present, the `OKTA_CLIENT_TOKEN` environment variable takes precedence.
+
+```bash
+export OKTA_CLIENT_TOKEN='00zr0k74_-s5mp13t0k3n'
+cnquery shell okta --organization dev-22556123.okta.com
+```
+
+:::info
+
+Want a place to experiment? Okta makes it easy to obtain Developer Accounts. Sign up at [developer.okta.com/signup](https://developer.okta.com/signup/).
+
+:::
+
+## Example queries
+
+### Query users
+
+Example query:
+
+```coffee
+okta.users{
+ profile
+ status
+ lastUpdated
+ credentials['provider']['name']
+}
+```
+
+Example shell output:
+
+```coffee
+okta.users: [
+ 0: {
+ status: "PROVISIONED"
+ profile: &map[email:suki@lunalectric.com firstName:Suki lastName:Mbeze login:suki@lunalectric.com mobilePhone: secondEmail:]
+ lastUpdated: 2023-01-20 23:49:58 +0000 UTC
+ credentials[provider][name]: "OKTA"
+ }
+ 1: {
+ status: "PROVISIONED"
+ profile: &map[email:alice@lunalectric.com firstName:Alice lastName:Freedman login:alice@lunalectric.com mobilePhone: secondEmail:]
+ lastUpdated: 2023-01-20 23:49:41 +0000 UTC
+ credentials[provider][name]: "OKTA"
+ }
+ 2: {
+ status: "RECOVERY"
+ profile: &map[email:ben@lunalectric.com firstName:Ben lastName:Pesoa login:ben@lunalectric.com mobilePhone: secondEmail:]
+ lastUpdated: 2023-01-19 20:14:53 +0000 UTC
+ credentials[provider][name]: "OKTA"
+ }
+]
+
+```
+
+### Audit applications
+
+This query requests the name, status, label, and sign-on mode for each configuration application:
+
+```coffee
+okta.applications {
+ status
+ name
+ label
+ signOnMode
+}
+```
+
+Example shell output:
+
+```coffee
+okta.applications: [
+ 0: {
+ status: "ACTIVE"
+ name: "saasure"
+ label: "Okta Admin Console"
+ signOnMode: "OPENID_CONNECT"
+ }
+ 1: {
+ status: "ACTIVE"
+ name: "okta_end_user"
+ label: "Okta Dashboard"
+ signOnMode: "OPENID_CONNECT"
+ }
+ 2: {
+ status: "ACTIVE"
+ name: "okta_browser_plugin"
+ label: "Okta Browser Plugin"
+ signOnMode: "OPENID_CONNECT"
+ }
+ 3: {
+ status: "ACTIVE"
+ name: "dev-22556257_pagerduty_1"
+ label: "PagerDuty"
+ signOnMode: "AUTO_LOGIN"
+ }
+]
+```
+
+## Learn more
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+
+- To learn about all the Okta resources and properties you can query, read the [Mondoo Okta Resource Pack Reference](/mql/resources/okta-pack/).
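Review bot: The first example runs `cnquery shell okta --organization dev-22556123.okta.com --token` with nothing after `--token`, so it cannot be copied as written; add a placeholder value. The second example then exports a literal token string (`export OKTA_CLIENT_TOKEN='00zr0k74_-s5mp13t0k3n'`); replace it with an obvious placeholder so nobody mistakes it for a usable format or pastes a real token into a file that gets committed. It would also help to recommend the environment variable over `--token`, because a token passed as an argument ends up in shell history, and to confirm the stated precedence (the variable overrides the flag), which is the reverse of what most CLI users expect. In the sample output `id: ""` is blank while the other fields are filled in; if it was redacted, say so. Under "Audit applications", "each configuration application" should probably read "each configured application".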
diff --git a/docs/cnquery/saas/slack.md b/docs/cnquery/saas/slack.md
new file mode 100644
index 000000000..6014637ff
--- /dev/null
+++ b/docs/cnquery/saas/slack.md
@@ -0,0 +1,125 @@
+---
+title: Query Slack with cnquery
+sidebar_label: Slack
+sidebar_position: 6
+displayed_sidebar: cnquery
+description: Query your Slack workspaces
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Rely on cnquery to query and inventory your Slack workspaces. Unlock the powerful data available in the Slack API with the ease of MQL.
+
+## Configure access to a Slack organization
+
+Access to the Slack API requires an [Access Token](https://api.slack.com/authentication/token-types). We recommend using a bot token.
+
+1. As a workspace administrator, [create an app](https://api.slack.com/apps): Select the **Create an App** button and then select **From Scratch**.
+2. Specify an app name (such as **Mondoo**) and select the appropriate workspace.
+3. Select **Create App**.
+4. In the left-side navigation, select **OAuth & Permissions**.
+5. Scroll to **Scopes**. Under **User Token Scopes**, add these scopes:
+
+ - **admin**: (This permission is required to view access logs. For details, read [scopes: admin](https://api.slack.com/scopes/admin).)
+ - **channels:read**
+ - **groups:read**
+ - **im:read**
+ - **mpim:read**
+ - **team:read**
+ - **usergroups:read**
+ - **users:read**
+
+6. Scroll to **OAuth Tokens for Your Workspace** and select **Install to Workspace**. Once you authorize the app, Slack provides a token. Copy the token; you need it to retrieve data from Slack.
+
+You can now test using the cnquery shell:
+
+```bash
+$ cnquery shell slack --token
+cnquery> slack.team
+slack.team: {
+ domain: "mondoo"
+ id: "T030KKBABCDE"
+}
+```
+
+You can also use the `SLACK_TOKEN` environment variable, which makes the `--token` parameter optional. Note that if both are present, the `SLACK_TOKEN` environment variable takes precedence.
+
+```bash
+$ export SLACK_TOKEN=xoxb-3014687468594-456546543219-5ampl3.70ck3n
+$ cnquery shell slack
+cnquery> slack.team
+slack.team: {
+ domain: "mondoo"
+ id: "T030KKBABCDE"
+}
+```
+
+## Example queries
+
+### Users
+
+Here is an example of all the data available for a single user:
+
+```coffee
+> slack.users[1]{ * }
+slack.users.list[1]: {
+ profile: {
+ displayName: ""
+ displayNameNormalized: ""
+ email: "suki@lunalectric.io"
+ firstName: "Suki"
+ lastName: "Mbeze"
+ phone: ""
+ realName: "Suki Mbeze"
+ realNameNormalized: "Suki Mbeze"
+ skype: ""
+ statusExpiration: "1969-12-31T16:00:00-08:00"
+ team: "T030KKBUGHG"
+ title: ""
+ }
+ timeZoneOffset: -28800
+ isBot: false
+ isInvitedUser: false
+ deleted: false
+ name: "suki"
+ enterpriseUser: null
+ isUltraRestricted: false
+ id: "U030KL5BMDH"
+ presence: ""
+ hasFiles: false
+ timeZone: "America/Los_Angeles"
+ teamId: "T030KKBUGHG"
+ isAdmin: true
+ has2FA: false
+ locale: "en-US"
+ realName: "Suki Mbeze"
+ isStranger: false
+ isAppUser: false
+ isOwner: true
+ isRestricted: false
+ timeZoneLabel: "Pacific Standard Time"
+ isPrimaryOwner: true
+ color: "9f69e7"
+}
+```
+
+You can find which users have 2FA enabled:
+
+```coffee
+slack.users.where{ has2FA == true }
+```
+
+### Conversations (channels)
+
+The `conversations` resource lets you inspect channels and direct message metadata.
+
+This query asks the purpose of each channel:
+
+```coffee
+slack.conversations.where( isChannel == true ) { name purpose }
+```
+
+## Learn more
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+
+- Explore the complete [Mondoo Slack Resource Pack Reference](/mql/resources/slack-pack/) for complete details.
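Review bot: The setup section contradicts itself on token type: the intro says "We recommend using a bot token" and the example exports an `xoxb-` value, but step 5 tells the reader to add the scopes under **User Token Scopes**. Pick one and make the steps, the scope list and the example agree. The scope list includes **admin**, justified only by access logs; say whether the remaining queries work without it so readers can leave out the broadest scope when they do not need access logs. The first test command is `cnquery shell slack --token` with no value after the flag, so add a placeholder there. In "Users", the query is `slack.users[1]{ * }` but the output is labelled `slack.users.list[1]`, and `slack.users.where{ has2FA == true }` uses braces where the conversations example uses `where( ... )`; align these with the syntax the shell actually accepts. The sample user shows `isAdmin: true`, `isPrimaryOwner: true` and `has2FA: false`, which would make a more useful worked query than listing the users who do have 2FA.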
diff --git a/docs/cnspec/README.mdx b/docs/cnspec/README.mdx
new file mode 100644
index 000000000..98093bf84
--- /dev/null
+++ b/docs/cnspec/README.mdx
@@ -0,0 +1,139 @@
+---
+title: Get Started with cnspec
+id: cnspec-get-started
+sidebar_label: Get Started
+displayed_sidebar: cnspec
+sidebar_position: 2
+description: Install and use cnspec, an open source, cloud-native tool for securing your full stack
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Welcome to cnspec, an open source project created by [Mondoo](https://mondoo.com)!
+
+:::note Learn about cnspec
+
+To discover cnspec's capabilities, read [What Is cnspec?](/cnspec/cnspec-about)
+
+:::
+
+import Partial from "./_include-install.mdx";
+
+{" "}
+
+## Scan locally
+
+Use the `cnspec scan` subcommand to check local and remote targets for misconfigurations and vulnerabilities. cnspec detects the target platform and runs policy checks specific to that system.
+
+This command evaluates the security of your local machine:
+
+```
+cnspec scan local
+```
+
+This (truncated) sample result shows the individual checks that cnspec performs according to the policy. It includes a summary of the scan with a letter grade:
+
+```
+Checks:
+✓ Pass: Disable Media Sharing
+✓ Pass: Do not enable the "root" account
+✓ Pass: Disable Bluetooth Sharing
+✕ Fail: Enable security auditing
+✓ Pass: Enable Firewall
+...
+✕ Fail: Ensure Firewall is configured to log
+✓ Pass: Ensure nfs server is not running.
+✓ Pass: Disable Content Caching
+✕ Fail: Ensure AirDrop Is Disabled
+✓ Pass: Control access to audit records
+
+
+Summary
+========================
+
+Target: user-macbook-pro
+Score: A 80/100 (100% completed)
+✓ Passed: ███████████ 70% (21)
+✕ Failed: ███ 17% (5)
+! Errors: ██ 13% (4)
+» Skipped: 0% (0)
+
+Policies:
+A 80 macOS Security by Mondoo
+
+
+Scanned 1 assets
+
+macOS
+ B Stella.home
+
+For detailed output, run this scan with "-o full".
+```
+
+## Scan remote targets
+
+You can also specify remote targets to scan.
+
+This example scans a docker image:
+
+```
+cnspec scan docker image ubuntu:22.04
+```
+
+This scans an aws account using the local AWS config:
+
+```
+cnspec scan aws
+```
+
+This scans a Kubernetes cluster using your local kubectl config:
+
+```
+cnspec scan k8s
+```
+
+This scans a GitHub repository:
+
+```
+export GITHUB_TOKEN=
+cnspec scan github repo
+```
+
+## Create a JSON report
+
+To save the results of your scan to a JSON file, append your scan command with the `-o` flag:
+
+```
+-o json > FILENAME.json
+```
+
+For `FILENAME`, substitute the name you want to give the file. For example, this scans a Kubernetes cluster and reports the results to a file named `k8s-test-results.json`:
+
+```
+cnspec scan k8s -o json > k8s-test-results.json
+```
+
+## Save, review, and share reports with Mondoo Platform
+
+To save, review, and share reports, sign up for a free Mondoo account. [Mondoo's web-based console](https://console.mondoo.com/) allows you to navigate, search, and inspect all of your reports.
+
+To learn about more of Mondoo Platform's capabilities, visit [mondoo.com](https://mondoo.com/).
+
+To learn how to sign up for a free Mondoo account and register cnspec, read [Log into Mondoo Platform for More Capabilities](/cnspec/cnspec-platform/).
+
+## Learn more
+
+- To get started with AWS, read [Assess AWS Security](/cnspec/cnspec-aws/).
+
+- To get started with Google Cloud, read [Assess Google Cloud Security](/cnspec/cnspec-gcp/).
+
+- To get started with Kubernetes, read [Assess Kubernetes Security](/cnspec/cnspec-k8s/).
+
+- To explore cnspec commands, read the [CLI Reference](/cnspec/cli/cnspec).
+
+- To learn more about policies, read [Manage Policies](/cnspec/cnspec-policies).
+
+- To learn how to structure and build your own policies, read the Mondoo [Policy Authoring Guide](/cnspec/cnspec-policies/write/).
+
+- To learn what technologies cnspec integrates with, read [Supported Scan Targets](/cnspec/cnspec-supported).
+
+---
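Review bot: The page imports the install partial (`import Partial from "./_include-install.mdx";`) but the only thing that follows is `{" "}`, so the partial is never rendered and "Get Started" has no install step; render the component there. The sample scan output is internally inconsistent: the summary shows "Target: user-macbook-pro" and "Score: A 80/100", while the asset list at the bottom shows "B Stella.home". Use one hostname and one grade. In the GitHub example, `export GITHUB_TOKEN=` is empty and `cnspec scan github repo` names no repository, so both need placeholders. Minor: "docker image" and "aws account" should be capitalized as Docker and AWS, as they are elsewhere in these docs.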
diff --git a/docs/cnspec/_include-install.mdx b/docs/cnspec/_include-install.mdx
new file mode 100644
index 000000000..f03836ab9
--- /dev/null
+++ b/docs/cnspec/_include-install.mdx
@@ -0,0 +1,28 @@
+## Download and install cnspec
+
+Install cnspec with our installation script:
+
+### Linux and macOS
+
+```bash
+bash -c "$(curl -sSL https://install.mondoo.com/sh)"
+```
+
+(You can read the [Linux/macOS installation script](https://install.mondoo.com/sh).)
+
+### Windows
+
+```powershell
+Set-ExecutionPolicy Unrestricted -Scope Process -Force;
+[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
+iex ((New-Object System.Net.WebClient).DownloadString('https://install.mondoo.com/ps1/cnspec'));
+Install-Mondoo -Product cnspec;
+```
+
+(You can read the [Windows installation script](https://install.mondoo.com/ps1/cnspec).)
+
+### Installation options
+
+Manual installation packages are available on [GitHub releases](https://github.com/mondoohq/cnspec/releases/latest).
+
+To learn about other installation methods, versioning, and other considerations, read [Extended Installation Options for cnspec](/cnspec/cnspec-adv-install/overview/).
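Review bot: Both install commands fetch a script and execute it in one step (`bash -c "$(curl -sSL https://install.mondoo.com/sh)"` and `iex ((New-Object System.Net.WebClient).DownloadString(...))`), and the link to read the script only appears after the command. Consider reordering so the reader can download and review the script first, and say how the downloaded packages are verified (checksums or signatures), or point security-conscious users to the GitHub releases packages up front rather than under "Installation options". On Windows, `Set-ExecutionPolicy Unrestricted -Scope Process -Force` is limited to the process, which is good, but a short comment on why Unrestricted is needed would pre-empt questions. The magic number in `-bor 3072` deserves a comment saying it enables TLS 1.2.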
diff --git a/docs/cnspec/cli/_category_.json b/docs/cnspec/cli/_category_.json
new file mode 100644
index 000000000..41757f5f1
--- /dev/null
+++ b/docs/cnspec/cli/_category_.json
@@ -0,0 +1,3 @@
+{
+ "label": "CLI Commands"
+}
diff --git a/docs/cnspec/cli/cnspec.md b/docs/cnspec/cli/cnspec.md
new file mode 100644
index 000000000..8e94f20e3
--- /dev/null
+++ b/docs/cnspec/cli/cnspec.md
@@ -0,0 +1,34 @@
+---
+id: cnspec
+title: cnspec
+---
+
+cnspec CLI
+
+### Synopsis
+
+cnspec is a cloud-native security testing tool for your entire infrastructure
+
+### Options
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ -h, --help help for cnspec
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec login](cnspec_login.md) - Register with Mondoo Platform
+- [cnspec logout](cnspec_logout.md) - Log out from Mondoo Platform
+- [cnspec migrate](cnspec_migrate.md) - Migrate cnspec CLI configuration to the latest version
+- [cnspec policy](cnspec_policy.md) - Manage local and upstream policies
+- [cnspec providers](cnspec_providers.md) - Providers add connectivity to all assets
+- [cnspec run](cnspec_run.md) - Run an MQL query
+- [cnspec serve](cnspec_serve.md) - Start cnspec in background mode
+- [cnspec status](cnspec_status.md) - Verify access to Mondoo Platform
+- [cnspec vault](cnspec_vault.md) - Manage vault environments
+- [cnspec version](cnspec_version.md) - Display the cnspec version
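Review bot: The SEE ALSO list omits `cnspec scan`, `cnspec shell` and `cnspec vuln`, although this patch adds cnspec_scan.md, cnspec_shell.md and cnspec_vuln.md and each of them links back to cnspec.md. Add the three entries, or if these pages are generated from the command tree, check why those commands were not picked up for the parent page.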
diff --git a/docs/cnspec/cli/cnspec_login.md b/docs/cnspec/cli/cnspec_login.md
new file mode 100644
index 000000000..4700d433b
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_login.md
@@ -0,0 +1,47 @@
+---
+id: cnspec_login
+title: cnspec login
+---
+
+Register with Mondoo Platform
+
+### Synopsis
+
+Log in to Mondoo Platform using a registration token. To pass in the token, use
+the '--token' flag.
+
+You can generate a new registration token on the Mondoo Dashboard. Go to
+https://console.mondoo.com -> Space -> Settings -> Registration Token. Copy the token and pass it in
+using the '--token' argument.
+
+You remain logged in until you explicitly log out using the 'logout' subcommand.
+
+```
+cnspec login [flags]
+```
+
+### Options
+
+```
+ --annotation stringToString Set the client annotations. (default [])
+ --api-endpoint string Set the Mondoo API endpoint.
+ -h, --help help for login
+ --name string Set asset name.
+ --splay int Randomize the timer by up to this many minutes.
+ --timer int Set the scan interval in minutes.
+ -t, --token string Set a client registration token.
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec](cnspec.md) - cnspec CLI
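Review bot: The Synopsis tells readers to pass the registration token with `--token` but does not mention that a token given on the command line ends up in shell history and is visible in the process list while the command runs. Add a sentence on handling the token, including how long it stays valid and whether it can be revoked. The text also says "Mondoo Dashboard" while the URL points to console.mondoo.com; use one name for the product, and prefer ">" or a numbered list over "->" for the navigation path.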
diff --git a/docs/cnspec/cli/cnspec_logout.md b/docs/cnspec/cli/cnspec_logout.md
new file mode 100644
index 000000000..a425fd1ee
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_logout.md
@@ -0,0 +1,36 @@
+---
+id: cnspec_logout
+title: cnspec logout
+---
+
+Log out from Mondoo Platform
+
+### Synopsis
+
+This process also revokes the Mondoo Platform service account to
+ensure the credentials cannot be used in the future.
+
+```
+cnspec logout [flags]
+```
+
+### Options
+
+```
+ --force Force re-authentication
+ -h, --help help for logout
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec](cnspec.md) - cnspec CLI
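Review bot: The Synopsis opens with "This process also revokes ...", but nothing before it says what the command does first, so "also" has no antecedent. State the local effect of logging out before the revocation sentence. The `--force` description, "Force re-authentication", reads like a login option and does not say what is forced during logout.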
diff --git a/docs/cnspec/cli/cnspec_migrate.md b/docs/cnspec/cli/cnspec_migrate.md
new file mode 100644
index 000000000..698c974f1
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_migrate.md
@@ -0,0 +1,30 @@
+---
+id: cnspec_migrate
+title: cnspec migrate
+---
+
+Migrate cnspec CLI configuration to the latest version
+
+```
+cnspec migrate [flags]
+```
+
+### Options
+
+```
+ -h, --help help for migrate
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec](cnspec.md) - cnspec CLI
diff --git a/docs/cnspec/cli/cnspec_policy.md b/docs/cnspec/cli/cnspec_policy.md
new file mode 100644
index 000000000..4b2aa2056
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_policy.md
@@ -0,0 +1,36 @@
+---
+id: cnspec_policy
+title: cnspec policy
+---
+
+Manage local and upstream policies
+
+### Options
+
+```
+ -h, --help help for policy
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec](cnspec.md) - cnspec CLI
+- [cnspec policy delete](cnspec_policy_delete.md) - Delete a policy from the connected space
+- [cnspec policy disable](cnspec_policy_disable.md) - Disables a policy in the connected space
+- [cnspec policy download](cnspec_policy_download.md) - download a policy to a local bundle file
+- [cnspec policy enable](cnspec_policy_enable.md) - Enables a policy in the connected space
+- [cnspec policy format](cnspec_policy_format.md) - Apply style formatting to one or more policy bundles
+- [cnspec policy info](cnspec_policy_info.md) - Show more info about a policy from the connected space
+- [cnspec policy init](cnspec_policy_init.md) - Create an example policy bundle
+- [cnspec policy lint](cnspec_policy_lint.md) - Lint a policy bundle
+- [cnspec policy list](cnspec_policy_list.md) - List enabled policies in the connected space
+- [cnspec policy upload](cnspec_policy_upload.md) - Upload a policy to the connected space
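Review bot: The subcommand descriptions in SEE ALSO mix styles: "Disables" and "Enables" are third person while the others are imperative, and "download a policy to a local bundle file" starts lowercase. The same strings head cnspec_policy_disable.md, cnspec_policy_enable.md and cnspec_policy_download.md in this patch, so fix them once at the source and regenerate.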
diff --git a/docs/cnspec/cli/cnspec_policy_delete.md b/docs/cnspec/cli/cnspec_policy_delete.md
new file mode 100644
index 000000000..d1f75bcb6
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_policy_delete.md
@@ -0,0 +1,30 @@
+---
+id: cnspec_policy_delete
+title: cnspec policy delete
+---
+
+Delete a policy from the connected space
+
+```
+cnspec policy delete UID/MRN [flags]
+```
+
+### Options
+
+```
+ -h, --help help for delete
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec policy](cnspec_policy.md) - Manage local and upstream policies
diff --git a/docs/cnspec/cli/cnspec_policy_disable.md b/docs/cnspec/cli/cnspec_policy_disable.md
new file mode 100644
index 000000000..e1df3a2b2
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_policy_disable.md
@@ -0,0 +1,30 @@
+---
+id: cnspec_policy_disable
+title: cnspec policy disable
+---
+
+Disables a policy in the connected space
+
+```
+cnspec policy disable UID/MRN [flags]
+```
+
+### Options
+
+```
+ -h, --help help for disable
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec policy](cnspec_policy.md) - Manage local and upstream policies
diff --git a/docs/cnspec/cli/cnspec_policy_download.md b/docs/cnspec/cli/cnspec_policy_download.md
new file mode 100644
index 000000000..9b12d29f6
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_policy_download.md
@@ -0,0 +1,31 @@
+---
+id: cnspec_policy_download
+title: cnspec policy download
+---
+
+download a policy to a local bundle file
+
+```
+cnspec policy download UID/MRN [flags]
+```
+
+### Options
+
+```
+ -f, --file string output file
+ -h, --help help for download
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec policy](cnspec_policy.md) - Manage local and upstream policies
diff --git a/docs/cnspec/cli/cnspec_policy_enable.md b/docs/cnspec/cli/cnspec_policy_enable.md
new file mode 100644
index 000000000..35b512fac
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_policy_enable.md
@@ -0,0 +1,30 @@
+---
+id: cnspec_policy_enable
+title: cnspec policy enable
+---
+
+Enables a policy in the connected space
+
+```
+cnspec policy enable UID/MRN [flags]
+```
+
+### Options
+
+```
+ -h, --help help for enable
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec policy](cnspec_policy.md) - Manage local and upstream policies
diff --git a/docs/cnspec/cli/cnspec_policy_format.md b/docs/cnspec/cli/cnspec_policy_format.md
new file mode 100644
index 000000000..8a5a0ecdb
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_policy_format.md
@@ -0,0 +1,31 @@
+---
+id: cnspec_policy_format
+title: cnspec policy format
+---
+
+Apply style formatting to one or more policy bundles
+
+```
+cnspec policy format [path] [flags]
+```
+
+### Options
+
+```
+ -h, --help help for format
+ --sort sort the bundle.
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec policy](cnspec_policy.md) - Manage local and upstream policies
diff --git a/docs/cnspec/cli/cnspec_policy_info.md b/docs/cnspec/cli/cnspec_policy_info.md
new file mode 100644
index 000000000..1b237d5e2
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_policy_info.md
@@ -0,0 +1,31 @@
+---
+id: cnspec_policy_info
+title: cnspec policy info
+---
+
+Show more info about a policy from the connected space
+
+```
+cnspec policy info UID/MRN [flags]
+```
+
+### Options
+
+```
+ -f, --file string a local bundle file
+ -h, --help help for info
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec policy](cnspec_policy.md) - Manage local and upstream policies
diff --git a/docs/cnspec/cli/cnspec_policy_init.md b/docs/cnspec/cli/cnspec_policy_init.md
new file mode 100644
index 000000000..c4f757d1f
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_policy_init.md
@@ -0,0 +1,34 @@
+---
+id: cnspec_policy_init
+title: cnspec policy init
+---
+
+Create an example policy bundle
+
+### Synopsis
+
+Create an example policy bundle that you can use as a starting point. If you don't provide a filename, cnspec uses `example-policy.mql.yml`.
+
+```
+cnspec policy init [path] [flags]
+```
+
+### Options
+
+```
+ -h, --help help for init
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec policy](cnspec_policy.md) - Manage local and upstream policies
diff --git a/docs/cnspec/cli/cnspec_policy_lint.md b/docs/cnspec/cli/cnspec_policy_lint.md
new file mode 100644
index 000000000..11d394373
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_policy_lint.md
@@ -0,0 +1,32 @@
+---
+id: cnspec_policy_lint
+title: cnspec policy lint
+---
+
+Lint a policy bundle
+
+```
+cnspec policy lint [path] [flags]
+```
+
+### Options
+
+```
+ -h, --help help for lint
+ -o, --output string Set output format: compact, sarif (default "cli")
+ --output-file string Set output file
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec policy](cnspec_policy.md) - Manage local and upstream policies
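Review bot: The `--output` line lists the accepted formats as "compact, sarif" but gives the default as "cli", which is not among the listed values. Either add cli to the list or correct the default so readers know which values the flag accepts.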
diff --git a/docs/cnspec/cli/cnspec_policy_list.md b/docs/cnspec/cli/cnspec_policy_list.md
new file mode 100644
index 000000000..0f32defa9
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_policy_list.md
@@ -0,0 +1,32 @@
+---
+id: cnspec_policy_list
+title: cnspec policy list
+---
+
+List enabled policies in the connected space
+
+```
+cnspec policy list [-f bundle] [flags]
+```
+
+### Options
+
+```
+ -a, --all list all policies, not only the enabled ones (applicable only for upstream)
+ -f, --file string a local bundle file
+ -h, --help help for list
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec policy](cnspec_policy.md) - Manage local and upstream policies
diff --git a/docs/cnspec/cli/cnspec_policy_upload.md b/docs/cnspec/cli/cnspec_policy_upload.md
new file mode 100644
index 000000000..96e327690
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_policy_upload.md
@@ -0,0 +1,32 @@
+---
+id: cnspec_policy_upload
+title: cnspec policy upload
+---
+
+Upload a policy to the connected space
+
+```
+cnspec policy upload my.mql.yaml [flags]
+```
+
+### Options
+
+```
+ -h, --help help for upload
+ --no-lint Disable linting of the bundle before publishing.
+ --policy-version string Override the version of each policy in the bundle.
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec policy](cnspec_policy.md) - Manage local and upstream policies
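Review bot: The usage line hard-codes a filename, `my.mql.yaml`, where the sibling commands (format, init, lint) use a `[path]` placeholder, and its `.yaml` extension differs from the `example-policy.mql.yml` default named in cnspec_policy_init.md. Use the placeholder form and one extension throughout. The `--no-lint` description should also say what linting protects against, since the flag skips a check that otherwise runs before publishing.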
diff --git a/docs/cnspec/cli/cnspec_providers.md b/docs/cnspec/cli/cnspec_providers.md
new file mode 100644
index 000000000..20600dd5f
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_providers.md
@@ -0,0 +1,36 @@
+---
+id: cnspec_providers
+title: cnspec providers
+---
+
+Providers add connectivity to all assets
+
+### Synopsis
+
+Manage your providers. List and install new ones or update existing ones.
+
+```
+cnspec providers [flags]
+```
+
+### Options
+
+```
+ -h, --help help for providers
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec](cnspec.md) - cnspec CLI
+- [cnspec providers install](cnspec_providers_install.md) - Install or update a provider.
+- [cnspec providers list](cnspec_providers_list.md) - List all providers on the system.
diff --git a/docs/cnspec/cli/cnspec_providers_install.md b/docs/cnspec/cli/cnspec_providers_install.md
new file mode 100644
index 000000000..dfc2baa21
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_providers_install.md
@@ -0,0 +1,32 @@
+---
+id: cnspec_providers_install
+title: cnspec providers install
+---
+
+Install or update a provider.
+
+```
+cnspec providers install [flags]
+```
+
+### Options
+
+```
+ -f, --file string install a provider via a file
+ -h, --help help for install
+ --url string install a provider via URL
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec providers](cnspec_providers.md) - Providers add connectivity to all assets
diff --git a/docs/cnspec/cli/cnspec_providers_list.md b/docs/cnspec/cli/cnspec_providers_list.md
new file mode 100644
index 000000000..fbf6bddbc
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_providers_list.md
@@ -0,0 +1,30 @@
+---
+id: cnspec_providers_list
+title: cnspec providers list
+---
+
+List all providers on the system.
+
+```
+cnspec providers list [flags]
+```
+
+### Options
+
+```
+ -h, --help help for list
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec providers](cnspec_providers.md) - Providers add connectivity to all assets
diff --git a/docs/cnspec/cli/cnspec_run.md b/docs/cnspec/cli/cnspec_run.md
new file mode 100644
index 000000000..ced58b514
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_run.md
@@ -0,0 +1,40 @@
+---
+id: cnspec_run
+title: cnspec run
+---
+
+Run an MQL query
+
+### Synopsis
+
+Run an MQL query on the CLI and displays its results.
+
+```
+cnspec run [flags]
+```
+
+### Options
+
+```
+ --ast Parse the query and return the abstract syntax tree (AST).
+ -c, --command string MQL query to executed in the shell.
+ -h, --help help for run
+ --info Parse the query and provide information about it.
+ -j, --json Run the query and return the object in a JSON structure.
+ --parse Parse the query and return the logical structure.
+ --platform-id string Select a specific target asset by providing its platform ID.
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec](cnspec.md) - cnspec CLI
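Review bot: Two grammar slips need fixing: the Synopsis reads "Run an MQL query on the CLI and displays its results" (should be "display"), and the `--command` description reads "MQL query to executed in the shell" (should be "to execute"). The `--command` text also says "in the shell", which fits `cnspec shell` rather than `run`. The usage line `cnspec run [flags]` shows no target or example, so a reader cannot tell from this page how to point the query at an asset.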
diff --git a/docs/cnspec/cli/cnspec_scan.md b/docs/cnspec/cli/cnspec_scan.md
new file mode 100644
index 000000000..7724c2b72
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_scan.md
@@ -0,0 +1,103 @@
+---
+id: cnspec_scan
+title: cnspec scan
+---
+
+Scan assets with one or more policies.
+
+### Synopsis
+
+This command triggers a new policy scan for an asset. By default, cnspec scans the local
+system with its pre-configured policies:
+
+ $ cnspec scan local
+
+You can also manually select a local policy to execute and run it without
+storing results in the server:
+
+ $ cnspec scan local --policy-bundle policyfile.yaml --incognito
+
+In addition, cnspec can scan assets remotely via SSH. By default, cnspec uses the operating system
+SSH agent and SSH config to retrieve the credentials:
+
+ $ cnspec scan ssh ec2-user@52.51.185.215
+ $ cnspec scan ssh ec2-user@52.51.185.215:2222
+
+cnspec supports scanning AWS, Azure, and GCP accounts and instances.
+Find out more in each sub-commands help menu. Here are a few examples:
+
+ $ cnspec scan aws --region us-east-1
+ $ cnspec scan azure --subscription ID --group NAME
+ $ cnspec scan gcp project ID
+
+You can also access Docker containers and images. cnspec supports local containers
+and images as well as images in Docker registries:
+
+ $ cnspec scan docker container b62b276baab6
+ $ cnspec scan docker image ubuntu:latest
+
+Additionally, you can quickly scan a container registry:
+
+ $ cnspec scan container registry harbor.lunalectric.com
+ $ cnspec scan container registry 123456789.dkr.ecr.us-east-1.amazonaws.com/repository
+
+cnspec also supports GCP's container registry, GCR:
+
+ $ cnspec scan gcp gcr PROJECT_ID
+
+Vagrant is supported as well:
+
+ $ cnspec scan vagrant HOST
+
+You can also use an inventory file:
+
+ $ cnspec scan --inventory-file inventory.yml
+
+This scan uses an existing Ansible inventory:
+
+ $ ansible-inventory -i hosts.ini --list | cnspec scan --inventory-ansible
+
+To learn more, read the [cnspec docs](/cnspec/home/).
+
+```
+cnspec scan [flags]
+```
+
+### Options
+
+```
+ --annotation stringToString Add an annotation to the asset. (default [])
+ --asset-name string User-override for the asset name
+ --detect-cicd Try to detect CI/CD environments. If detected, set the asset category to 'cicd'. (default true)
+ --discover strings Enable the discovery of nested assets. Supports: all,auto,container,container-images
+ -h, --help help for scan
+ --incognito Run in incognito mode. Do not report scan results to Mondoo Platform.
+ --inventory-ansible Set the inventory format to Ansible.
+ --inventory-domainlist Set the inventory format to domain list.
+ --inventory-file string Set the path to the inventory file.
+ -j, --json Run the query and return the object in a JSON structure.
+ -o, --output string Set output format: compact, csv, full, json, junit, report, summary, yaml (default "compact")
+ --output-target string Set output target to which the asset report will be sent. Currently only supports AWS SQS topic URLs and local files
+ --platform-id string Select a specific target asset by providing its platform ID.
+ --policy strings Lists policies to execute. This requires --policy-bundle. You can pass multiple policies using --policy POLICY.
+ -f, --policy-bundle strings Path to local policy file
+ --props stringToString Custom values for properties (default [])
+ --record string Record all resource calls and use resources in the recording
+ --score-threshold int If any score falls below the threshold, exit 1.
+ --sudo Elevate privileges with sudo.
+ --use-recording string Use a recording to inject resource data (read-only)
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec](cnspec.md) - cnspec CLI
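Review bot: Several option descriptions do not fit this command. `-j, --json` says "Run the query and return the object in a JSON structure", which is the `run` wording and leaves its relation to `-o json` unclear; `--policy` says "Lists policies to execute" where it selects them; and `--output-target` refers to "AWS SQS topic URLs", but SQS has queues (topics belong to SNS), so name the intended service. `--score-threshold` should state its default and the score range. In the Synopsis, "each sub-commands help menu" needs an apostrophe, and the SSH examples use what looks like a routable public address (52.51.185.215); an address from a documentation range such as 192.0.2.0/24 is the safer choice for examples.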
diff --git a/docs/cnspec/cli/cnspec_serve.md b/docs/cnspec/cli/cnspec_serve.md
new file mode 100644
index 000000000..f4e97ca98
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_serve.md
@@ -0,0 +1,33 @@
+---
+id: cnspec_serve
+title: cnspec serve
+---
+
+Start cnspec in background mode
+
+```
+cnspec serve [flags]
+```
+
+### Options
+
+```
+ -h, --help help for serve
+ --inventory-file string Set the path to the inventory file
+ --splay int randomize the timer by up to this many minutes (default 60)
+ --timer int scan interval in minutes (default 60)
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec](cnspec.md) - cnspec CLI
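Review bot: The `--splay` and `--timer` descriptions start lowercase and show a default of 60, while cnspec_login.md documents the same two flags capitalized and without defaults. Align the wording across both pages. A one-line Synopsis saying what runs in background mode and how `--timer` and `--splay` combine would also help, since the page currently has none.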
diff --git a/docs/cnspec/cli/cnspec_shell.md b/docs/cnspec/cli/cnspec_shell.md
new file mode 100644
index 000000000..d45e78182
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_shell.md
@@ -0,0 +1,40 @@
+---
+id: cnspec_shell
+title: cnspec shell
+---
+
+Interactive query shell for MQL.
+
+### Synopsis
+
+Run an interactive shell in which you can explore MQL queries.
+
+```
+cnspec shell [flags]
+```
+
+### Options
+
+```
+ -c, --command string MQL query to executed in the shell.
+ --discover strings Enable the discovery of nested assets. Supports: all,auto,container,container-images
+ -h, --help help for shell
+ --platform-id string Select a specific target asset by providing its platform ID.
+ --record string Record all resource calls and use resources in the recording
+ --sudo Elevate privileges with sudo.
+ --use-recording string Use a recording to inject resource data (read-only)
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec](cnspec.md) - cnspec CLI
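Review bot: The `--command` description, "MQL query to executed in the shell", is ungrammatical (should be "to execute"). It also does not say whether the shell stays open after running the query, which is the main difference a reader needs to know from `cnspec run -c`.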
diff --git a/docs/cnspec/cli/cnspec_status.md b/docs/cnspec/cli/cnspec_status.md
new file mode 100644
index 000000000..c2294938d
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_status.md
@@ -0,0 +1,35 @@
+---
+id: cnspec_status
+title: cnspec status
+---
+
+Verify access to Mondoo Platform
+
+### Synopsis
+
+Status sends a ping to Mondoo Platform to verify the credentials.
+
+```
+cnspec status [flags]
+```
+
+### Options
+
+```
+ -h, --help help for status
+ -o, --output string Set output format. Accepts json or yaml.
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec](cnspec.md) - cnspec CLI
diff --git a/docs/cnspec/cli/cnspec_vault.md b/docs/cnspec/cli/cnspec_vault.md
new file mode 100644
index 000000000..b9f962e9c
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_vault.md
@@ -0,0 +1,28 @@
+---
+id: cnspec_vault
+title: cnspec vault
+---
+
+Manage vault environments
+
+### Options
+
+```
+ -h, --help help for vault
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec](cnspec.md) - cnspec CLI
+- [cnspec vault add-secret](cnspec_vault_add-secret.md) - Store a secret in a vault
+- [cnspec vault configure](cnspec_vault_configure.md) - Configure a vault environment
diff --git a/docs/cnspec/cli/cnspec_vault_add-secret.md b/docs/cnspec/cli/cnspec_vault_add-secret.md
new file mode 100644
index 000000000..73589f265
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_vault_add-secret.md
@@ -0,0 +1,31 @@
+---
+id: cnspec_vault_add-secret
+title: cnspec vault add-secret
+---
+
+Store a secret in a vault
+
+```
+cnspec vault add-secret SECRETID SECRETVALUE [flags]
+```
+
+### Options
+
+```
+ -h, --help help for add-secret
+ --inventory-file string Set the path to the inventory file.
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec vault](cnspec_vault.md) - Manage vault environments
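Review bot: The usage line takes the secret as a positional argument (`SECRETVALUE`), which places it in shell history and makes it visible in the process list. If the command can read the value from stdin or a prompt, document that here; if it cannot, say so and note the exposure. The page also does not say which vault receives the secret or how `--inventory-file` selects it.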
diff --git a/docs/cnspec/cli/cnspec_vault_configure.md b/docs/cnspec/cli/cnspec_vault_configure.md
new file mode 100644
index 000000000..a5fc59baf
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_vault_configure.md
@@ -0,0 +1,37 @@
+---
+id: cnspec_vault_configure
+title: cnspec vault configure
+---
+
+Configure a vault environment
+
+### Synopsis
+
+cnquery vault configure mondoo-client-vault --type linux-kernel-keyring
+
+```
+cnspec vault configure VAULTNAME [flags]
+```
+
+### Options
+
+```
+ -h, --help help for configure
+ --inventory-file string Set the path to the inventory file.
+ --option stringToString addition vault connection options, multiple options via --option key=value (default [])
+ --type string possible values: keyring | linux-kernel-keyring | encrypted-file | hashicorp-vault | gcp-secret-manager | aws-parameter-store | memory | none | aws-secrets-manager | gcp-berglas
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec vault](cnspec_vault.md) - Manage vault environments
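Review bot: The Synopsis is a bare example that invokes `cnquery` rather than `cnspec` ("cnquery vault configure mondoo-client-vault --type linux-kernel-keyring") and is not formatted as code. Replace it with a sentence describing the command and move the example, using the cnspec binary name, into a code block. In Options, "addition vault connection options" should be "additional", and `--type` should state its default.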
diff --git a/docs/cnspec/cli/cnspec_version.md b/docs/cnspec/cli/cnspec_version.md
new file mode 100644
index 000000000..4cca8a318
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_version.md
@@ -0,0 +1,30 @@
+---
+id: cnspec_version
+title: cnspec version
+---
+
+Display the cnspec version
+
+```
+cnspec version [flags]
+```
+
+### Options
+
+```
+ -h, --help help for version
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec](cnspec.md) - cnspec CLI
diff --git a/docs/cnspec/cli/cnspec_vuln.md b/docs/cnspec/cli/cnspec_vuln.md
new file mode 100644
index 000000000..ab6c64ed7
--- /dev/null
+++ b/docs/cnspec/cli/cnspec_vuln.md
@@ -0,0 +1,42 @@
+---
+id: cnspec_vuln
+title: cnspec vuln
+---
+
+Scans a target for Vulnerabilities.
+
+```
+cnspec vuln [flags]
+```
+
+### Options
+
+```
+ --asset-name string User-override for the asset name
+ --discover strings Enable the discovery of nested assets. Supports: all,auto,container,container-images
+ -h, --help help for vuln
+ --inventory-ansible Set the inventory format to Ansible.
+ --inventory-domainlist Set the inventory format to domain list.
+ --inventory-file string Set the path to the inventory file.
+ -j, --json Run the query and return the object in a JSON structure.
+ -o, --output string Set output format: compact, csv, full, json, junit, report, summary, yaml (default "compact")
+ --platform-id string Select a specific target asset by providing its platform ID.
+ --props stringToString Custom values for properties (default [])
+ --record string Record all resource calls and use resources in the recording
+ --sudo Elevate privileges with sudo.
+ --use-recording string Use a recording to inject resource data (read-only)
+```
+
+### Options inherited from parent commands
+
+```
+ --api-proxy string Set proxy for communications with Mondoo API
+ --auto-update Enable automatic provider installation and update (default true)
+ --config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
+ --log-level string Set log level: error, warn, info, debug, trace (default "info")
+ -v, --verbose Enable verbose output
+```
+
+### SEE ALSO
+
+- [cnspec](cnspec.md) - cnspec CLI
diff --git a/docs/cnspec/cnspec-about.mdx b/docs/cnspec/cnspec-about.mdx
new file mode 100644
index 000000000..55158cefd
--- /dev/null
+++ b/docs/cnspec/cnspec-about.mdx
@@ -0,0 +1,37 @@
+---
+title: What Is cnspec?
+id: cnspec-about
+sidebar_label: What Is cnspec?
+displayed_sidebar: cnspec
+sidebar_position: 1
+description: An introduction to cnspec, an open source, cloud-native tool for securing your full stack
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+-> To install and get up and running quickly, read [Get Started with cnspec](/cnspec/).
+
+cnspec is an open source, cloud-native tool that assesses the security of your entire infrastructure. It scans everything and tells you where there are gaps that hackers can use to breach your systems.
+
+Attackers rely on misconfigurations and deprioritized vulnerabilities; all they need is one entry point to compromise your entire infrastructure. cnspec finds all the security issues that welcome ransomware, data theft, and other attacks.
+
+Security policies written in high-level code are the basis for cnspec scans. Each policy is a collection of checks against the target system. For example, a policy's checks might include:
+
+- The system must use a secure SSL/TLS configuration.
+- Multi-factor authentication must be required.
+- User data must not include any secrets.
+
+Each policy is based on standards set by the Center for Internet Security (CIS) and other industry best practices. It's easy to extend or modify a policy to fit your unique needs. To learn how to write your own policies, read the Mondoo [Policy Authoring Guide](/cnspec/cnspec-policies/write/).
+
+You can export scan results in human-readable formats, or export them to machine-friendly formats like junit or JSON. This opens up endless possibilities for automation, to make security scanning a part of your development process or your production monitoring.
+
+You can also automatically save and share reports using the [free Mondoo Platform](https://console.mondoo.com). Mondoo's web-based console allows you to explore your infrastructure data and identify issues.
+
+To learn about more of Mondoo Platform's capabilities, visit [mondoo.com](https://mondoo.com).
+
+To learn how to sign up for a free Mondoo account and register cnspec, read [Log into Mondoo Platform for More Capabilities](/cnspec/cnspec-platform/).
+
+## Learn more
+
+- To learn what technologies cnspec integrates with, read [Supported Scan Targets](/cnspec/cnspec-supported).
+
+---
diff --git a/docs/cnspec/cnspec-adv-install/_category_.json b/docs/cnspec/cnspec-adv-install/_category_.json
new file mode 100644
index 000000000..8021aa3dc
--- /dev/null
+++ b/docs/cnspec/cnspec-adv-install/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "AWS",
+ "position": 2
+}
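Review bot: The sidebar label `"label": "AWS"` does not match this directory: every page added under `docs/cnspec/cnspec-adv-install/` in this patch covers installation, registration or providers (Linux, macOS, standalone binary, providers, registration), and the overview page is titled "Extended Installation Options for cnspec". This looks like a copy from another category file. Use a label that describes the installation section.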
diff --git a/docs/cnspec/cnspec-adv-install/_providers-note.mdx b/docs/cnspec/cnspec-adv-install/_providers-note.mdx
new file mode 100644
index 000000000..05665482d
--- /dev/null
+++ b/docs/cnspec/cnspec-adv-install/_providers-note.mdx
@@ -0,0 +1,5 @@
+:::note
+
+If you install cnspec on machines that can't download and install updates (because they're air-gapped or don't give cnspec write access), you must deploy cnspec providers. To learn more, read [Manage cnspec Providers](/cnspec/cnspec-adv-install/providers/).
+
+:::
diff --git a/docs/cnspec/cnspec-adv-install/binary.mdx b/docs/cnspec/cnspec-adv-install/binary.mdx
new file mode 100644
index 000000000..32cd5e34d
--- /dev/null
+++ b/docs/cnspec/cnspec-adv-install/binary.mdx
@@ -0,0 +1,22 @@
+---
+title: Install the cnspec Standalone Binary
+sidebar_label: Standalone Binary
+sidebar_position: 6
+displayed_sidebar: cnspec
+description: This page provides details on manually installing and configuring cnspec.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Mondoo provides standalone binary builds of cnspec. The standalone binary is primarily for use on operating systems where there is no packaged installer available, or for automation use cases where a packaged installer would be superfluous.
+
+:::note
+We recommend that, if possible, you use a [package-based installation](/cnspec/) so you can benefit from easy cnspec upgrades.
+:::
+
+## Install using the cnspec binary
+
+To download the cnspec binary, visit the [Release Page](https://releases.mondoo.com/cnspec/latest). Archive files are available for all supported architectures and operating systems.
+
+Archives for UNIX-based systems are packaged as `.tar.gz` files. Archives for Windows systems are packaged as `.zip` files.
+
+---
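Review bot: The "Install using the cnspec binary" section stops at the download, so a reader who fetches the `.tar.gz` or `.zip` has no documented way to confirm it is the archive Mondoo published, and no steps for installing it. Add the extract-and-place-on-PATH steps for each archive type and, if the release page publishes checksums or signatures, a verification step before the binary is run. This matters most for the automation use case the intro names, where nobody inspects the download by hand.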
diff --git a/docs/cnspec/cnspec-adv-install/linux.mdx b/docs/cnspec/cnspec-adv-install/linux.mdx
new file mode 100644
index 000000000..bc4fe17c0
--- /dev/null
+++ b/docs/cnspec/cnspec-adv-install/linux.mdx
@@ -0,0 +1,291 @@
+---
+title: Install cnspec on Linux
+sidebar_label: Linux
+sidebar_position: 3
+displayed_sidebar: cnspec
+description: This page provides details on installing and configuring cnspec on Linux.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+## Prerequisites
+
+Before you install cnspec or integrate Linux systems with Mondoo, you must:
+
+- Confirm access to the internet using the terminal
+
+- Confirm access to Mondoo systems using the terminal
+
+- Synchronize your system clock
+
+import Partial from "./_providers-note.mdx";
+
+{" "}
+
+### Confirm access to the internet using the terminal
+
+Check internet connectivity from the terminal:
+
+```powershell
+curl -I https://mondoo.com
+
+```
+
+If you get the status **200 OK** and the website’s headers, you internet connection is working.
+
+If you have a proxy setting in your environment, you _might_ need to configure it in the terminal:
+
+```
+export http_proxy='http://proxyServerAddress:proxyPort'
+export https_proxy='https://proxyServerAddress:proxyPort'
+```
+
+To make this configuration permanent, you can set the proxy in system-wide configuration files or user-based files like `/etc/bashrc`, `/etc/profile/`, and `/etc/profile.d/` based on your distribution.
+
+### Confirm Mondoo systems access using the terminal
+
+Be sure you have access to these systems from the terminal:
+
+```powershell
+install.mondoo.com Port 443/https
+releases.mondoo.com Port 443/https
+eu.api.mondoo.com Port 443/https
+us.api.mondoo.com Port 443/https
+registry.api.mondoo.com Port 443/https
+```
+
+If your organization's [region](/platform/start/organize/regions/) (in the Mondoo Console) is US, you must be able to access us.api.mondoo.com. If your region is EU, you must be able to access eu.api.mondoo.com.
+
+To check the connectivity, follow the approach in the previous section using the `curl` command.
+
+### Synchronize your system clock
+
+Make sure your system clock is in sync with your NTP or internet time:
+
+```
+ntpq -p
+```
+
+## Install cnspec on Linux
+
+There are two ways of installing Mondoo on Linux:
+
+### Option A: Install using the automated install script
+
+The environment variable `MONDOO_REGISTRATION_TOKEN` allows you to pass a registration token to the installation package. If you provide this value, the agent automatically registers during the installation and creates mondoo.yml, the configuration file for Mondoo.
+
+We recommend that you create an integration and retrieve a token from Mondoo:
+
+1. Log into [the Mondoo Console](https://console.mondoo.com).
+
+2. Create a new integration for your Linux machine:
+
+ - If this is your first time logging in, select the **BROWSE INTEGRATIONS** button.
+
+ - If you've accessed the console before, in the side navigation bar, under INTEGRATIONS, select Add New Integration. Under **Server and Endpoint Security**, select your operating system.
+
+3. Copy the MONDOO_REGISTRATION_TOKEN value.
+
+4. In your terminal, enter:
+
+```bash
+export MONDOO_REGISTRATION_TOKEN=""
+```
+
+5. In your terminal, enter:
+
+```bash title="Automated installation script"
+bash -c "$(curl -sSL https://install.mondoo.com/sh)"
+```
+
+:::note
+
+You can also register and create a configuration file after installation using this command:
+
+```bash title="Automated installation script"
+cnspec login --token $MONDOO_REGISTRATION_TOKEN --config /etc/opt/mondoo/mondoo.yml
+```
+
+:::
+
+import Tabs from "@theme/Tabs";
+import TabItem from "@theme/TabItem";
+
+### Option B: Install manually using a package manager
+
+
+
+
+```bash title="Add the YUM repository"
+curl --silent --location https://releases.mondoo.com/rpm/mondoo.repo | tee /etc/yum.repos.d/mondoo.repo
+```
+
+```bash title="Install mondoo package with yum"
+# export MONDOO_REGISTRATION_TOKEN=""
+yum install -y mondoo
+```
+
+
+
+
+```bash title="Add the YUM repository"
+curl --silent --location https://releases.mondoo.com/rpm/mondoo.repo | tee /etc/yum.repos.d/mondoo.repo
+```
+
+```bash title="Install mondoo package with yum"
+# export MONDOO_REGISTRATION_TOKEN=""
+yum install -y mondoo
+```
+
+
+
+
+```bash title="Add the YUM repository"
+curl --silent --location https://releases.mondoo.com/rpm/mondoo.repo | tee /etc/zypp/repos.d/mondoo.repo
+```
+
+```bash title="Install mondoo package with zypper"
+# export MONDOO_REGISTRATION_TOKEN=""
+zypper -n --gpg-auto-import-keys install mondoo
+```
+
+
+
+
+```bash title="Add the signed apt repository"
+curl --retry 3 --retry-delay 10 -sSL https://releases.mondoo.com/debian/pubkey.gpg | gpg --dearmor --output /usr/share/keyrings/mondoo-archive-keyring.gpg
+echo "deb [signed-by=/usr/share/keyrings/mondoo-archive-keyring.gpg] https://releases.mondoo.com/debian/ stable main" | tee /etc/apt/sources.list.d/mondoo.list
+```
+
+```bash title="Install mondoo package with apt"
+# export MONDOO_REGISTRATION_TOKEN=""
+apt update && apt install mondoo
+```
+
+
+
+
+## Understand the installation: binaries and files
+
+When you complete the installation, you should have these three binaries on the machine:
+
+- cnspec
+- cnquery
+
+To learn the location, run one of these commands:
+
+```
+which cnspec
+which cnquery
+```
+
+Depending on your Linux distribution, the files can be in different locations, such as/usr/bin/ in Debian/Ubuntu or /bin/ in Red Hat/Fedora.
+
+Note the location of the cnspec binary.
+
+The installation also creates mondoo.yml, a configuration file that contains important data about the certificate, private key, API endpoint, and space address. These values come from the token (a JSON web token or JWT). You can check the content of the JWT using this command:
+
+```bash
+jq -R 'split(".") | .[1] | @base64d | fromjson' <<< ""
+```
+
+By default, the installation creates the mondoo.yml file here:
+
+```bash
+/etc/opt/mondoo/
+```
+
+It is important to check the cnspec status, configuration file, and registration status by running:
+
+```bash
+cnspec status
+```
+
+In new Linux distributions, the installation creates a systemd cnspec service, which you can see in:
+
+```bash
+/etc/systemd/system/cnspec.service
+```
+
+If you encounter an issue with the token, you can re-register cnspec with the new token:
+
+```bash
+cnspec login --token $MONDOO_REGISTRATION_TOKEN --config /etc/opt/mondoo/mondoo.yml
+```
+
+OR:
+
+```bash
+cnspec register --token $MONDOO_REGISTRATION_TOKEN --config /etc/opt/mondoo/mondoo.yml
+```
+
+## Enable and start cnspec as a service:
+
+```bash
+systemctl enable cnspec.service
+systemctl start cnspec.service
+systemctl daemon-reload
+```
+
+Each time the service starts, it runs a local scan based on the selected policies and sends the results to this machine's space in Mondoo Platform. You can then [view the results](/platform/security/posture/monitor/) in the Mondoo Console.
+
+To force cnspec to continuously scan the machine, the binary runs with a option called **serve**, which runs cnspec as a daemon every hour.
+See this in the cnspec.service:
+
+```bash
+[Unit]
+Description=cnspec Service
+After=network-online.target
+
+[Service]
+Type=simple
+WorkingDirectory=/etc/opt/mondoo/
+ExecStart=/usr/bin/cnspec --config /etc/opt/mondoo/mondoo.yml serve
+KillMode=process
+Restart=on-failure
+RestartSec=90
+RestartPreventExitStatus=78
+
+[Install]
+```
+
+To run the scan yourself and see the results as well, you can use this command:
+
+```bash
+cnspec scan local
+```
+
+During the scan, if cnspec finds a configuration file (mondoo.yml), it loads the policies enabled for this machine's space in Mondoo Platform. If cnspec doesn't find a configuration file, it scans based on Mondoo's free, open source policies. cnspec loads the policies into memory and runs the scan.
+
+## Proxy configuration in cnspec
+
+You can also set the proxy settings from within cnspec during registration or add them to the mondoo.yml configuration file.
+
+During the registration:
+
+```powershell title="Set Proxy via cnspec command"
+cnspec login --token 'YOUR_TOKEN_HERE' --api-proxy 'http://1.1.1.1:8080' --config '/etc/opt/mondoo/mondoo.yml'
+```
+
+Add to the mondoo.yml file:
+
+1. Navigate to the cnspec configuration file located at `/etc/opt/mondoo/mondoo.yml`.
+2. Add this line:
+
+```yaml title="Set Proxy via cnspec configuration file"
+api_proxy: http://1.1.1.1:8080
+```
+
+## Learn more
+
+- [Register cnspec](/cnspec/cnspec-adv-install/registration)
+- [Run cnspec as a service](/cnspec/cnspec-adv-install/service)
+
+---
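Review bot: In "Enable and start cnspec as a service", `systemctl daemon-reload` comes after `enable` and `start`, where it has no effect on the unit that was just started, and the unit file shown ends with an empty `[Install]` section, which gives `systemctl enable` nothing to link. Move `daemon-reload` ahead of `enable`, and show the complete `[Install]` section if the excerpt was shortened; the unit is also fenced as `bash` rather than as a unit file. Elsewhere in this hunk: "these three binaries" is followed by a list of two (cnspec, cnquery); the `curl -I` check and the host/port list are fenced as `powershell` on a Linux page, and the host list is not a command at all; "you internet connection" should be "your"; `/etc/profile/` is written as a directory; and the zypper tab reuses the title "Add the YUM repository". The zypper example also passes `--gpg-auto-import-keys`, which accepts the repository key without showing it to the reader, so it is worth a sentence saying what key is being trusted.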
diff --git a/docs/cnspec/cnspec-adv-install/macos.mdx b/docs/cnspec/cnspec-adv-install/macos.mdx
new file mode 100644
index 000000000..63af36914
--- /dev/null
+++ b/docs/cnspec/cnspec-adv-install/macos.mdx
@@ -0,0 +1,62 @@
+---
+title: Install cnspec on macOS
+sidebar_label: macOS
+sidebar_position: 4
+displayed_sidebar: cnspec
+description: This page provides details on installing and configuring cnspec on macOS.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+:::info
+The environment variable `MONDOO_REGISTRATION_TOKEN` allows you to pass a registration token to the installation package. If provided, the client will register automatically during the installation.
+:::
+
+import Partial from "./_providers-note.mdx";
+
+{" "}
+
+## Install using the automated install script
+
+The Mondoo automated installation script installs the mondoo package using either the [Homebrew](https://brew.sh) package manager or a `.pkg` installer if Homebrew is unavailable.
+
+```bash
+# export MONDOO_REGISTRATION_TOKEN=""
+bash -c "$(curl -sSL https://install.mondoo.com/sh)"
+```
+
+## Install directly via Homebrew
+
+Mondoo supports installation using the [Homebrew](https://brew.sh) package manager on macOS.
+
+```bash title="Add the Mondoo tap"
+brew tap mondoohq/mondoo
+```
+
+```bash title="Install mondoo package with brew"
+brew install mondoo
+```
+
+```bash title="Upgrade mondoo package with brew"
+brew upgrade mondoo
+```
+
+## Install using the universal binary package
+
+Mondoo releases a signed and notarized universal binary package (`.pkg`) for Intel & ARM (M1/M2) platforms available at [releases.mondoo.com](https://releases.mondoo.com/mondoo/latest) that installs cnspec on hosts.
+
+Additionally, the package installs, but does not start or enable, a `launchd` configuration for running cnspec continuously as a service for endpoint security. This package is ideal for deployment by MDM solutions.
+
+For more information on running Mondoo as a service on macOS, see [Running Mondoo as a service](/cnspec/cnspec-adv-install/service).
+
+To install the PKG non-interactively use the _installer_ utility in a Terminal:
+
+```bash
+installer -pkg ./mondoo_(version)_darwin_universal.pkg -target /Library
+```
+
+## Learn more
+
+- [Register cnspec](/cnspec/cnspec-adv-install/registration)
+- [Run cnspec as a service](/cnspec/cnspec-adv-install/service)
+
+---
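Review bot: The installer example uses `./mondoo_(version)_darwin_universal.pkg`, and unquoted parentheses are a syntax error in bash, so the command fails if copied as written. Use a placeholder that is clearly meant to be replaced and say so in the sentence above it. Since the text states the package is signed and notarized, a check such as `pkgutil --check-signature` before the `installer` call would let readers confirm that on the file they downloaded, which is useful for the MDM deployment case mentioned here. The `import Partial` line is followed only by `{" "}`, so as the hunk stands the providers note is imported but never rendered.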
diff --git a/docs/cnspec/cnspec-adv-install/overview.mdx b/docs/cnspec/cnspec-adv-install/overview.mdx
new file mode 100644
index 000000000..4b3fa69de
--- /dev/null
+++ b/docs/cnspec/cnspec-adv-install/overview.mdx
@@ -0,0 +1,50 @@
+---
+title: Extended Installation Options for cnspec
+sidebar_label: Overview
+sidebar_position: 1
+displayed_sidebar: cnspec
+description: Install and register assets with Mondoo, distribute cnspec across your infrastructure, run cnspec as a service, and other installation options
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+#### Basic installation instructions
+
+- [Install cnspec](/cnspec/)
+
+#### Register with Mondoo
+
+- [Register a cnspec installation with Mondoo](/cnspec/cnspec-adv-install/registration/)
+
+#### More installation and distribution considerations
+
+- [Manage cnspec providers](/cnspec/cnspec-adv-install/providers)
+
+- [Register a cnspec installation with Mondoo using a credentials file](/cnspec/cnspec-adv-install/registration-keys/)
+
+- [Run cnspec as a service](/cnspec/cnspec-adv-install/service/)
+
+- [Linux installation options](/cnspec/cnspec-adv-install/linux/)
+
+- [macOS installation options](/cnspec/cnspec-adv-install/macos/)
+
+- [Windows installation options](/cnspec/cnspec-adv-install/windows/)
+
+- [Install with a standalone binary](/cnspec/#installation-options)
+
+- [Update cnspec](/cnspec/cnspec-adv-install/update/)
+
+#### Secure deployment automation
+
+- [Ansible](/platform/infra/opsys/automation/ansible/)
+
+- [Chef Infra](/platform/infra/opsys/automation/chef/)
+
+- [cloud-init](/platform/infra/opsys/automation/cloudinit/)
+
+- [Secrets Management](/platform/infra/opsys/automation/vault/)
+
+#### Get help
+
+Can't find what you need? Join our community Slack channel to chat with us and other Mondoo users.
+
+---
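Review bot: The "Install with a standalone binary" entry links to `/cnspec/#installation-options`, while this patch adds a dedicated page at `docs/cnspec/cnspec-adv-install/binary.mdx` and every other entry in the list links to its `/cnspec/cnspec-adv-install/...` page. Point it at the binary page. The "Get help" paragraph tells readers to join the community Slack channel but gives no link, and the providers link is the only one in its group without a trailing slash.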
diff --git a/docs/cnspec/cnspec-adv-install/providers.mdx b/docs/cnspec/cnspec-adv-install/providers.mdx
new file mode 100644
index 000000000..7391103cd
--- /dev/null
+++ b/docs/cnspec/cnspec-adv-install/providers.mdx
@@ -0,0 +1,221 @@
+---
+title: Manage cnspec Providers
+sidebar_label: Manage cnspec Providers
+sidebar_position: 9
+displayed_sidebar: cnspec
+description: Learn about providers and special considerations for containers and air-gapped or limited access assets
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+cnspec can assess the security of dozens of different platforms, from AWS to Windows hosts. _Providers_ are the components of cnspec that allow it to evaluate specific platforms. When you download and install cnspec, you don't download or install any providers. Instead, when you run a cnspec command, cnspec automatically downloads and installs the provider(s) you need. This approach saves you download time, memory, and disk space. Each time you use cnspec, it ensures that you have the latest version of the necessary provider(s).
+
+For example, suppose you download cnspec and install it on a Linux workstation. There are no providers installed on the workstation. When you run `cnspec scan` to assess local security, cnspec checks and finds that the provider it needs, the operating systems (`os`) provider isn't present. cnspec automatically downloads and installs the `os` provider and then runs the scan. The `os` provider remains on your workstation for the next time you use cnspec for your operating system.
+
+Continuing the example, suppose you then run `cnspec shell aws` to run some checks against your AWS account settings. cnspec downloads and installs the `aws` provider and opens the shell. The `aws` provider remains on your workstation for the next time you use cnspec for AWS.
+
+Most users don't need to think about providers. cnspec manages them for you. However, there are some situations where you might want to manage providers yourself:
+
+- Containers
+
+- Read-only mode
+
+- Air-gapped environments
+
+## Provider considerations for containers
+
+By default, when you spin up a container with cnspec installed and run any cnspec command, cnspec retrieves the latest version of the providers it needs. When the container is destroyed, the providers are destroyed. Therefore, the next time you spin up a container based on the same image, the download and installation repeat.
+
+You can eliminate the unnecessary processing by:
+
+- Installing the provider(s) on the image. To learn how, read [Install, update, and remove providers](#install-update-and-remove-providers) below.
+
+- Turning off provider auto-update. To learn how, read [Turn off provider auto-update](#turn-off-provider-auto-update) below.
+
+## Provider considerations for read-only mode
+
+Some security situations dictate that cnspec must not be allowed to write to the machine on which it's installed. cnspec does operate in read-only mode, however, it can't download and install the providers it needs. Therefore, when you install cnspec on a machine on which cnspec won't have write access, you must also install the provider. To learn how, read [Install, update, and remove providers](#install-update-and-remove-providers) below.
+
+:::note
+
+If you install cnspec in an environment where it can't automatically update providers, you're responsible for installing provider updates.
+
+:::
+
+To prevent error messages from displaying when you run commands in read-only mode, turn off provider auto-update. To learn how, read [Turn off provider auto-update](#turn-off-provider-auto-update) below.
+
+## Provider considerations air-gapped environments
+
+In an air-gapped environment, cnspec can't download the providers needed to scan or test the system. Therefore, when you install cnspec to an air-gapped machine, you must also install the provider. To learn how, read [Install, update, and remove providers](#install-update-and-remove-providers) below.
+
+:::note
+
+If you install cnspec in an air-gapped environment, you're responsible for installing provider updates.
+
+:::
+
+To prevent error messages from displaying when you run commands, turn off provider auto-update.
+
+## Turn off provider auto-update
+
+By default, each time you run a cnspec command, cnspec downloads and installs the latest version of the provider needed to execute the command (unless the latest version of the provider is already installed). You can change this behavior by disabling auto-update for cnspec.
+
+If you disable auto-update, cnspec doesn't check whether the latest version of the necessary provider is installed. It uses the version of the necessary provider that is currently installed. If the provider isn't installed, the command fails.
+
+### Turn off provider auto-update for all cnspec commands and Mondoo scans
+
+To never automatically update providers, set the auto-update value in the cnspec configuration file to `false`.
+
+On a Linux or macOS host, cnspec configuration is stored in one of these locations:
+
+- `/etc/opt/mondoo/mondoo.yml` configures cnspec for all user accounts.
+
+- `~/.config/mondoo/mondoo.yml` configures cnspec for a single user.
+
+On a Windows host, cnspec configuration is stored in one of these locations:
+
+- `C:\ProgramData\mondoo\mondoo.yml` configures cnspec for all users.
+
+- `C:\Users\{username}\.config\mondoo\mondoo.yml` configures cnspec for a single user.
+
+To configure cnspec to never update providers, set the configuration:
+
+```yaml
+auto-update: false
+```
+
+:::note
+
+If you disable auto-update, be sure to check regularly for new versions of providers. To learn more, read [Install, update, and remove providers](#install-update-and-remove-providers) below.
+
+:::
+
+### Turn provider auto-update on or off for a single cnspec command
+
+To skip checking for, downloading, and installing the latest provider just once (for a single cnspec command), add the '--auto-update=false' flag to the command. For example, this scans the local machine without updating to the latest provider:
+
+```bash
+cnspec scan --auto-update=false
+```
+
+The command line flag overrides the `mondoo.yml` config file setting.
+
+## Install, update, and remove providers
+
+You can download the latest versions of providers at [https://releases.mondoo.com/providers/](https://releases.mondoo.com/providers/). Past versions are always available at the same location.
+
+These are the available cnspec providers:
+
+| Provider | Target |
+| ---------------- | ----------------------------------------- |
+| arista | Arista |
+| aws | Amazon Web Services |
+| azure | Microsoft Azure |
+| equinix | Equinix |
+| gcp | Google Cloud Platform |
+| github | GitHub |
+| gitlab | GitLab |
+| google-workspace | Google Workspace |
+| ipmi | Intelligent Platform Management Interface |
+| k8s | Kubernetes |
+| ms365 | Microsoft 365 |
+| network | Hosts |
+| oci | Oracle Cloud Infrastructure |
+| okta | Okta |
+| opcua | OPC Unified Architecture |
+| os | Operating systems |
+| slack | Slack |
+| terraform | HashiCorp Terraform |
+| vcd | VMware Cloud Director |
+| vsphere | VMware vSphere |
+
+To learn what providers are installed, run:
+
+```bash
+cnspec providers
+```
+
+For help on the `providers` subcommand, run:
+
+```bash
+cnspec providers -h
+```
+
+### Manually install a provider
+
+To install a provider, run:
+
+```bash
+cnspec providers install NAME
+```
+
+For `NAME`, substitute the provider name (as shown in the table above). For example:
+
+```bash
+cnspec providers install k8s
+```
+
+For help on manual provider installation, run:
+
+```bash
+cnquery providers install -h
+```
+
+To install a provider from a file, run:
+
+```bash
+cnspec providers install -f PATH
+```
+
+For `PATH`, substitute the path and name of the provider file. For example:
+
+```bash
+cnspec providers install -f providers/os/dist/os.tar.xz
+```
+
+To install a provider from a URL, run:
+
+```bash
+cnspec providers install --url URL
+```
+
+For `URL`, substitute the location and name of the provider file. For example:
+
+```bash
+cnspec providers install --url https://releases.mondoo.com/providers/os/9.0.7/os_9.0.7_linux_arm.tar.xz
+```
+
+### Manually update providers
+
+To update to the latest version of all installed providers, run:
+
+```bash
+cnspec providers update
+```
+
+To update to the latest version of a specific provider, run:
+
+```bash
+cnspec providers update NAME
+```
+
+For `NAME`, substitute the name of the provider (as shown in the table above). For example:
+
+```bash
+cnspec providers update vsphere
+```
+
+### Remove providers
+
+To remove a provider, run:
+
+```bash
+cnspec providers remove NAME
+```
+
+For `NAME`, substitute the name of the provider you want to uninstall. For example:
+
+```bash
+cnspec providers remove terraform
+```
+
+---
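Review bot: Under "Manually install a provider", the help command is `cnquery providers install -h`, while every other command on this page uses `cnspec`; change it to `cnspec providers install -h` or explain why the other binary is referenced. The `install -f PATH` and `install --url URL` paths are the ones the page recommends for air-gapped and read-only hosts, yet nothing here says how to confirm a provider archive is authentic before installing it; if checksums or signatures are published for providers, document the check alongside these commands. Smaller points: the heading "Provider considerations air-gapped environments" is missing "for", the air-gapped section's last sentence omits the link to "Turn off provider auto-update" that the read-only section includes, and `'--auto-update=false'` is in single quotes rather than code formatting.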
diff --git a/docs/cnspec/cnspec-adv-install/registration-keys.md b/docs/cnspec/cnspec-adv-install/registration-keys.md
new file mode 100644
index 000000000..b5c421e96
--- /dev/null
+++ b/docs/cnspec/cnspec-adv-install/registration-keys.md
@@ -0,0 +1,93 @@
+---
+title: Register cnspec Using a Credentials File
+sidebar_label: Register cnspec Using a Credentials File
+sidebar_position: 8
+displayed_sidebar: cnspec
+description: This page provides details on registering cnspec with Mondoo Platform using a credentials file.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+cnspec must be registered with Mondoo Platform in order to download policies and report results. Typically you [register cnspec using a temporary token](registration.md). However, to ease automation, you can use a client credentials file instead. A common example is when you're integrating cnspec into your CI/CD pipeline.
+
+:::caution
+
+The credentials file includes a private key. Keep this credential safe!
+
+:::
+
+1. Open the [Mondoo Console](https://console.mondoo.com).
+
+2. [Navigate](/platform/start/navigate/) to the space where you want to view results.
+
+3. In the left navigation, under **Integrations**, select **Add New Integration**.
+
+4. Under **Supply Chain**, select **Generate Long-Lived Credentials**.
+
+5. Select the **GENERATE NEW CREDENTIALS** button.
+
+6. Copy the JSON string and save it in a .json file.
+
+## Validate registration
+
+The `cnspec status` command validates cnspec registration and ensures that communication with Mondoo Platform is successful.
+
+```bash title="Unregistered cnspec"
+cnspec status
+→ Time: 2023-01-13T16:12:44-08:00
+→ Version: 7.12.1 (API Version: 7)
+→ API ConnectionConfig: https://us.api.mondoo.com
+→ API Status: SERVING
+→ API Time: 2023-01-14T00:12:45Z
+→ API Version: 7
+→ Space:
+x client is not registered
+x could not connect to mondoo platform
+```
+
+```bash title="Correctly registered client"
+cnspec status
+→ Time: 2023-01-13T16:12:44-08:00
+→ Version: 7.12.1 (API Version: 7)
+→ API ConnectionConfig: https://us.api.mondoo.com
+→ API Status: SERVING
+→ API Time: 2023-01-14T00:11:18Z
+→ API Version: 7
+→ Space: //captain.api.mondoo.app/spaces/lunalectric-prod-eks
+→ Client: //agents.api.mondoo.app/spaces/lunalectric-prod-eks/agents/1N9EGTzvlizF1n7vPtz21y7XFA3
+→ Service Account: //agents.api.mondoo.app/spaces/lunalectric-prod-eks/serviceaccounts/1N9EGTzvlizF1n7vPtz21y7XFA3
+→ client is registered
+→ client authenticated successfully
+```
+
+```bash title="Invalid cnspec registration"
+cnspec status
+→ Time: 2023-01-13T16:17:50-08:00
+→ Version: 7.12.1 (API Version: 7)
+→ API ConnectionConfig: https://us.api.mondoo.com
+→ API Status: SERVING
+→ API Time: 2023-01-14T00:17:50Z
+→ API Version: 7
+→ Space: //captain.api.mondoo.app/spaces/lunalectric-prod-eks
+→ Client: //agents.api.mondoo.app/spaces/lunalectric-prod-eks/agents/1N9EGTzvlizF1n7vPtz21y7XFA3
+→ Service Account: //agents.api.mondoo.app/spaces/lunalectric-prod-eks/serviceaccounts/1N9EGTzvlizF1n7vPtz21y7XFA3
+→ client is registered
+x could not connect to mondoo platform error="rpc error: code = Unauthenticated desc = request permission unauthenticated"permission unauthenticated"
+```
+
+```bash title="No current system time (clock skew detected)"
+cnspec status
+→ Time: 2023-01-10T16:19:39-08:00
+→ Version: 7.12.1 (API Version: 7)
+→ API ConnectionConfig: https://us.api.mondoo.com
+→ API Status: SERVING
+→ API Time: 2023-01-14T00:19:46Z
+→ API Version: 7
+→ Space: //captain.api.mondoo.app/spaces/lunalectric-prod-eks
+→ Client: //agents.api.mondoo.app/spaces/lunalectric-prod-eks/agents/1N9EGTzvlizF1n7vPtz21y7XFA3
+→ Service Account: //agents.api.mondoo.app/spaces/lunalectric-prod-eks/serviceaccounts/1N9EGTzvlizF1n7vPtz21y7XFA3
+→ client is registered
+→ client authenticated successfully
+! possible clock skew detected: 72h0m6.277868s
+```
+
+---
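Review bot: In the "Invalid cnspec registration" block, the error line ends with a duplicated fragment (`... desc = request permission unauthenticated"permission unauthenticated"`), so the quoted `error=` value is no longer well formed. Trim it to a single closing quote so readers can match it against real output. The last block's title, "No current system time (clock skew detected)", would be clearer as something like "System clock out of sync", since the sample shows a local Time three days behind API Time.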
diff --git a/docs/cnspec/cnspec-adv-install/registration.md b/docs/cnspec/cnspec-adv-install/registration.md
new file mode 100644
index 000000000..a92b13be5
--- /dev/null
+++ b/docs/cnspec/cnspec-adv-install/registration.md
@@ -0,0 +1,199 @@
+---
+title: Register cnspec
+sidebar_label: Register cnspec with Mondoo
+sidebar_position: 7
+displayed_sidebar: cnspec
+description: This page provides details on registering cnspec with Mondoo Platform.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+If you install cnspec on an asset using a system package instead of Mondoo’s automated installation script, you must register the asset manually.
+
+:::note
+
+If you need to _automate_ registering cnspec, read [Registering cnspec Using a Credentials File](registration-keys.md).
+
+:::
+
+1. Log into the [Mondoo Console](https://console.mondoo.com).
+
+2. [Navigate](/platform/start/navigate/) to the [region](/docs/platform/start/organize/regions.md), [organization](/docs/platform/start/organize/organizations.md), and [space](/docs/platform/start/organize/spaces.md) where you want to see the new asset's scan results.
+
+3. In the left navigation, under **Integrations**, select **Add New Integration**.
+
+4. Select your operating system and copy the registration token.
+
+5. Open a terminal and run this command:
+
+ ```bash title="Register cnspec"
+ cnspec login --token ""
+ ```
+
+ This command uses the token to create a service account that lets cnspec report results to Mondoo Platform.
+
+:::note IMPORTANT
+
+For cnspec to continuously transmit results to the Mondoo Platform, the Mondoo configuration must be stored in a specific location. To do this, use the cnspec `--config` parameter:
+
+- Windows:
+ `cnspec login --token "" --config "C:\ProgramData\Mondoo\mondoo.yml"`
+- Linux:
+ `cnspec login --token "" --config "/etc/opt/mondoo/mondoo.yml"`
+
+:::
+
+:::info
+
+Communication with Mondoo Platform is encrypted using HTTPS. The payload is signed to ensure it has not been tampered with.
+
+:::
+
+## Validate registration
+
+The `cnspec status` command validates cnspec registration and ensures that communication with Mondoo Platform is successful.
+
+```bash title="Unregistered cnspec"
+cnspec status
+→ loaded configuration from /Users/stella/.config/mondoo/mondoo.yml using source default
+→ Platform: macos
+→ Version: 13.4.1
+→ Hostname: stella.home
+→ IP: 192.168.254.21
+→ Time: 2024-02-27T12:07:41-08:00
+→ Version: 10.5.0 (API Version: 10)
+→ Latest Version: 10.5.0
+→ Installed Providers: core | mock | os
+→ API ConnectionConfig: https://api.edge.mondoo.com
+→ API Status: SERVING
+→ API Time: 2024-02-27T20:07:42Z
+→ API Version: 10
+x client is not registered
+x could not connect to mondoo platform
+```
+
+```bash title="Correctly registered client"
+cnspec status
+→ loaded configuration from /Users/mwezi/.config/mondoo/mondoo.yml using source default
+→ Platform: macos
+→ Version: 13.4.1
+→ Hostname: mwezi.home
+→ IP: 192.168.254.21
+→ Time: 2024-02-27T12:07:41-08:00
+→ Version: 10.5.0 (API Version: 10)
+→ Latest Version: 10.5.0
+→ Installed Providers: arista | aws | azure | core | mock | os
+→ API ConnectionConfig: https://api.edge.mondoo.com
+→ API Status: SERVING
+→ API Time: 2024-02-27T20:07:42Z
+→ API Version: 10
+→ Owner: //captain.api.mondoo.app/spaces/lunalectric-team-workstations
+→ Client: //agents.api.mondoo.app/spaces/lunalectric-team-workstations/agents/2SARlZgQnFLAzj7jfiS1Fx2HBz8
+→ Service Account: //agents.api.mondoo.app/spaces/lunalectric-team-workstations/serviceaccounts/2bMtksUk9EjrI5MC3tTf6UmhNC2
+→ client is registered
+→ client authenticated successfully
+```
+
+```bash title="Invalid cnspec registration"
+cnspec status
+→ loaded configuration from /Users/cosmo/.config/mondoo/mondoo.yml using source default
+→ Platform: macos
+→ Version: 13.4.1
+→ Hostname: cosmo.home
+→ IP: 192.168.254.21
+→ Time: 2024-02-27T12:07:41-08:00
+→ Version: 10.5.0 (API Version: 10)
+→ Latest Version: 10.5.0
+→ Installed Providers: arista | aws | azure | core | mock | os
+→ API ConnectionConfig: https://api.edge.mondoo.com
+→ API Status: SERVING
+→ API Time: 2024-02-27T20:07:42Z
+→ API Version: 10
+→ Owner: //captain.api.mondoo.app/spaces/lunalectric-team-workstations
+→ Client: //agents.api.mondoo.app/spaces/lunalectric-team-workstations/agents/2SARlZgQnFLAzj7jfiS1Fx2HBz8
+→ Service Account: //agents.api.mondoo.app/spaces/lunalectric-team-workstations/serviceaccounts/2bMtksUk9EjrI5MC3tTf6UmhNC2
+→ client is registered
+x could not connect to mondoo platform error="rpc error: code = Unauthenticated desc = request permission unauthenticated"permission unauthenticated"
+```
+
+```bash title="No current system time (clock skew detected)"
+cnspec status
+cnspec status
+→ loaded configuration from /Users/cosmo/.config/mondoo/mondoo.yml using source default
+→ Platform: macos
+→ Version: 13.4.1
+→ Hostname: tsuki.home
+→ IP: 192.168.254.21
+→ Time: 2024-02-27T12:07:41-08:00
+→ Version: 10.5.0 (API Version: 10)
+→ Latest Version: 10.5.0
+→ Installed Providers: aws | azure | core | mock | os
+→ API ConnectionConfig: https://api.edge.mondoo.com
+→ API Status: SERVING
+→ API Time: 2024-02-27T20:07:42Z
+→ API Version: 10
+→ Owner: //captain.api.mondoo.app/spaces/lunalectric-team-workstations
+→ Client: //agents.api.mondoo.app/spaces/lunalectric-team-workstations/agents/2SARlZgQnFLAzj7jfiS1Fx2HBz8
+→ Service Account: //agents.api.mondoo.app/spaces/lunalectric-team-workstations/serviceaccounts/2bMtksUk9EjrI5MC3tTf6UmhNC2
+→ client is registered
+→ client authenticated successfully
+! possible clock skew detected: 72h0m6.277868s
+```
+
+## Annotate (tag) an asset during registration
+
+Use Mondoo annotations to add metadata to an asset. Annotations are key-value pairs that let you identify, tag, or categorize your assets. Add whatever metadata you need. Some examples are:
+
+| Example key | Example value |
+| ----------- | --------------------- |
+| owner | cosmo@lunalectric.com |
+| build | terraform |
+| asset-tag | luna000262 |
+| team | 01research |
+
+You can reuse key-value pairs or you can reuse only the key and give each asset a unique value.
+
+For example, suppose you're matching annotations to the physical asset tags on your company's workstations. You'd give every workstation in your infrastructure an `asset tag` key, but give each workstation a unique value to match the unique physical tags.
+
+As another example, you might assign the key `build` and the value `terraform` to every asset in your infrastructure that is built using Terraform.
+
+To include an annotation when you register an asset, include the `--annotation` flag in the `cnspec login` command and provide the key and value:
+
+```bash
+cnspec login --token "PASTE_YOUR_TOKEN_HERE" --annotation KEY=VALUE --config "/etc/opt/mondoo/mondoo.yml"
+```
+
+For example:
+
+```bash
+cnspec login --token 'eyJh9vLmFwcC9zcGFjZXMvdGhpcnN0eS1tZWl0bmVyLTU5OTIyNSIsInNwYWNlIjoiLy9jYXB0YWluLmFwaS5tb25kb28uYXBwL3NwYWNlcy90aGlyc3R5LW1laXRuZXItNTk5MjI1Iiwic3ViIjoiLy9jYXB0YWluLmFwaS5tb25kb28uYXBwL3VzZXJzLzI3ZkVlc2hzMHNyT0ZzdWExWTY0ajRoblFmWiJ9.le5xx5sp5Qb7WoK0vWUS1wpeSOgpWR8cNjCBYqFfImDxRh_m2KpMFx3MN4K4Gv2DeEKfj4S4wWWEsoDLkenBGhgF2cZlPG7kidguLqcNOFxoRRQoMUgX-78DH8sUaTpi' --annotation owner=cosmo@lunalectric.org --config "/etc/opt/mondoo/mondoo.yml"
+```
+
+:::tip
+
+You can also add an annotation when you scan an asset. Include the `--annotation` flag in the `cnspec scan` command and provide the key and value:
+
+```bash
+cnspec scan local --annotation KEY=VALUE
+```
+
+For example:
+
+```bash
+cnspec scan local --annotation asset-tag=luna0003644
+```
+
+:::
+
+## Specify a proxy server for communication with Mondoo
+
+You can specify a proxy server for communication between cnspec and Mondoo Platform. This is useful if your default system proxy restricts communication, or if you need to monitor different types of traffic.
+
+1. Find the Mondoo configuration file: `/etc/opt/mondoo/mondoo.yml`.
+
+2. Add this line to `mondoo.yml`:
+
+ ```yaml
+ api_proxy: https://1.1.1.1:8080
+ ```
+
+---
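Review bot: The worked example under "Annotate (tag) an asset during registration" passes a long JWT-shaped string to `--token` (`'eyJh9vLm...'`). If it was copied from a real space it is a credential committed to the docs, and either way it models pasting tokens into shareable text. Use the `PASTE_YOUR_TOKEN_HERE` placeholder from the command just above it, and use it as well in the three `cnspec login --token ""` commands, whose empty quotes give no hint of what belongs there. Also in this hunk: the clock-skew sample reports `72h0m6.277868s` although its Time and API Time lines are one second apart; that block repeats `cnspec status` twice; the "Invalid cnspec registration" error line ends with a duplicated `permission unauthenticated"` fragment; the prose key `asset tag` does not match `asset-tag` in the table; and `api_proxy: https://1.1.1.1:8080` uses a real public address where a placeholder host would be safer to copy.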
diff --git a/docs/cnspec/cnspec-adv-install/service.mdx b/docs/cnspec/cnspec-adv-install/service.mdx
new file mode 100644
index 000000000..6621f10cd
--- /dev/null
+++ b/docs/cnspec/cnspec-adv-install/service.mdx
@@ -0,0 +1,447 @@
+---
+title: Run cnspec as a service
+sidebar_label: Run cnspec as a service
+sidebar_position: 9
+displayed_sidebar: cnspec
+description: This page provides details on running cnspec as a service on supported hosts.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+This document covers how to run cnspec as a service on hosts in your environment.
+
+## Configure cnspec to run as a service
+
+When configured as a service, cnspec continuously assesses hosts by running policies configured in Mondoo Platform. By default, every 60 minutes, cnspec service:
+
+1. Connects to your account in the platform
+
+2. Retrieves and validates the latest policies enabled for it.
+
+3. Scans the host.
+
+4. Reports scan results back to the platform.
+
+import Tabs from "@theme/Tabs";
+import TabItem from "@theme/TabItem";
+
+
+
+
+The installation places a systemd unit file at `/etc/systemd/system/cnspec.service`. However, it does not register or enable the service.
+
+:::info
+
+Before starting cnspec as a service, you should have already [registered the host](./registration.md) with your Mondoo Platform account.
+
+:::
+
+#### Enable and start cnspec as a service
+
+```bash title="1. Reload systemd daemon and load the cnspec.service unit file"
+sudo systemctl daemon-reload
+```
+
+```bash title="2. Enable cnspec to run during startup"
+sudo systemctl enable cnspec
+```
+
+```bash title="3. Start cnspec service"
+sudo systemctl start cnspec
+```
+
+```bash title="4. Check the status of cnspec"
+sudo systemctl status cnspec
+```
+
+#### cnspec service logging
+
+cnspec service writes log events to the system logs. You can use this command to tail cnspec service logs on Linux hosts:
+
+```bash title="Tail cnspec service logs"
+sudo journalctl -u cnspec -f
+```
+
+The default log level is `info` but can be configured as defined in [cnspec Configuration options](#cnspec-configuration-options) below
+
+
+
+
+When installed on Windows, the mondoo package automatically registers with the Service Control Manager in Windows, but sets the default **Startup Type** to **Manual** and does not start the service.
+
+![Windows Default Service](/img/platform/installation/windows-service-default.png)
+
+#### Running as a service
+
+Launch a PowerShell terminal as an administrator and run these commands:
+
+:::info
+
+Before starting cnspec as a service, you should have already [registered the host](./registration.md) with your Mondoo Platform account.
+
+:::
+
+```powershell title="1. Set mondoo service to run automatically at startup"
+Set-Service -Name mondoo -StartupType Automatic
+```
+
+```powershell title="2. Start mondoo service"
+Set-Service -Name mondoo -Status Running
+```
+
+```powershell title="3. Validate mondoo is running as a service"
+Get-Service mondoo | Select-Object -Property Name, StartType, Status
+```
+
+![mondoo running as a service](/img/platform/installation/windows-service-running.png)
+
+#### Mondoo service logging
+
+Mondoo service writes logging events to the Windows Event Viewer Application logs. To view logs:
+
+![](/img/platform/installation/windows-event-viewer.png)
+
+1. Select the **Start Menu** and launch **Event Viewer**
+2. Expand **Windows Logs**
+3. Select **Application** to view application logs
+4. Use **Find...** to search for "cnspec"
+
+
+
+If you installed cnspec using the PKG installer, a launchd service is created automatically. If you installed cnspec using Homebrew, you can manually create the service plist file at /Library/LaunchDaemons/com.mondoo.client.plist:
+
+```xml title="Create the com.mondoo.client.plist file"
+
+
+
+
+ Label
+ com.mondoo.client
+ ProgramArguments
+
+ /path/to/cnspec
+ serve
+ -t
+ 60
+ --config
+ /etc/opt/mondoo/mondoo.yml
+
+ RunAtLoad
+
+
+
+```
+
+You must replace "/path/to/cnspec" with the path to cnspec on your host. You can validate this by opening a terminal and running `which cnspec`. Also, ensure you specify the correct path to Mondoo Platform config ("/etc/opt/mondoo/mondoo.yml" in the example above), which can be validated by opening a terminal and running `cnspec status`. Additionally, you can adjust the scan frequency (60 minutes by default).
+
+```bash title="Load the Launchd Service"
+sudo launchctl load /Library/LaunchDaemons/com.mondoo.client.plist
+```
+
+To start, stop or check the status of the service, use the _launchctl_ tool:
+
+```bash
+$ sudo launchctl start com.mondoo.client
+$ sudo launchctl list | grep cnspec
+- 1 com.mondoo.client
+```
+
+
+
+
+## cnspec serve
+
+In addition to leveraging the platform service management system, cnspec includes the `cnspec serve` command, which you can use on any supported platform (Linux, Windows, macOS) to continuously run assessments of hosts.
+
+:::info
+
+cnspec serve leverages the default configuration of the host if already [registered](./registration.md).
+
+:::
+
+### Set a custom scan interval
+
+Use the `--timer` flag to set a scan interval in minutes. The default is 60. For example, this runs a scan with `cnspec serve` every 15 minutes:
+
+```bash
+cnspec serve --timer 15
+```
+
+## cnspec configuration options
+
+cnspec configuration is stored on the host at this location:
+
+- **Linux** - `/etc/opt/mondoo/mondoo.yml`
+- **Windows** - `C:\ProgramData\Mondoo\mondoo.yml`
+
+Common cnspec service configuration options:
+
+| Name | Description |
+| -------------- | --------------------------------------------------------------------------- |
+| `agent_mrn` | Agent Mondoo resource name, identifies the client |
+| `api_endpoint` | The URL of Mondoo Platform (`https://us.api.mondoo.com` is the default) |
+| `certificate` | Client's public certificate |
+| `loglevel` | Service log level: error, warn, info, debug, trace (default is info) |
+| `mrn` | Service Account Mondoo resource name, which identifies the service account |
+| `private_key` | Client's private key used to sign requests sent to Mondoo Platform |
+| `space_mrn` | Space Mondoo resource name, identifies the space that the client belongs to |
+| `annotations` | Annotations that display in the Mondoo Console `condole.mondoo.com` |
+
+```yaml title=mondoo.yml
+# service account mrn
+mrn: //agents.api.mondoo.app/spaces/spacex/serviceaccounts/1utIs5XUQ8XayfB6yiQNTLOqPlD
+# agent mrn
+agent_mrn: //agents.api.mondoo.app/spaces/spacex/agents/1utIqsjg3YSAF8hMMIhg8tBsTPP
+# space mrn
+space_mrn: //captain.api.mondoo.app/spaces/spacex
+# api endpoint
+api_endpoint: https://us.api.mondoo.com
+# pem-encoded certificate
+certificate: |
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+# pem-encoded private key
+private_key: |
+ -----BEGIN PRIVATE KEY-----
+ ...
+ -----END PRIVATE KEY-----
+# log level: error, warn, info, debug, trace
+loglevel: info
+# tags
+annotations:
+ - key1: value1
+ - key2: value2
+```
+
+## cnspec inventory
+
+cnspec inventory configuration defines a list of targets for cnspec to scan. This example contains an ssh-based scan with annotations:
+
+```yaml title=inventory.yml
+apiVersion: v1
+kind: Inventory
+metadata:
+ name: cnspec-ssh-inventory
+ labels:
+ environment: production
+spec:
+ assets:
+ # linux with password authentication
+ - id: linux-ssh-with-password
+ connections:
+ - host: 192.168.5.89
+ type: ssh
+ credentials:
+ - type: password
+ user: mondoo
+ password: mondoo
+ annotations:
+ key: value
+```
+
+This example scans the local machine and all running containers:
+
+```yaml title=inventory.yml
+apiVersion: v1
+kind: Inventory
+metadata:
+ name: mondoo-inventory
+ labels:
+ environment: production
+spec:
+ assets:
+ - id: docker-container
+ connections:
+ - type: local
+ discover:
+ targets:
+ - "container"
+```
+
+This example scans the local machine and all container images:
+
+```yaml title=inventory.yml
+apiVersion: v1
+kind: Inventory
+metadata:
+ name: mondoo-inventory
+ labels:
+ environment: production
+spec:
+ assets:
+ - id: docker-container
+ connections:
+ - type: local
+ discover:
+ targets:
+ - "container-images"
+```
+
+This example scans the vSphere environment with embedded credentials:
+
+```yaml title=inventory.yml
+apiVersion: v1
+kind: Inventory
+metadata:
+ name: mondoo-inventory
+ labels:
+ environment: production
+spec:
+ assets:
+ - name: vsphere
+ connections:
+ - type: vsphere
+ host: 192.168.5.24
+ credentials:
+ - type: password
+ user: mondoo-read@vsphere.local
+ password: test
+ discover:
+ targets:
+ - host-machines
+```
+
+This example scans the vSphere environment with extracted credentials and reference:
+
+```yaml title=inventory.yml
+apiVersion: v1
+kind: Inventory
+metadata:
+ name: mondoo-inventory
+ labels:
+ environment: production
+spec:
+ assets:
+ - name: vsphere
+ connections:
+ - type: vsphere
+ host: 192.168.5.24
+ credentials:
+ - secret_id: my-secret
+ discover:
+ targets:
+ - host-machines
+ credentials:
+ my-secret:
+ type: password
+ user: mondoo-read@vsphere.local
+ password: test
+```
+
+This example scans the vSphere environment with credentials from HashiCorp Vault:
+
+```yaml title=inventory.yml
+apiVersion: v1
+kind: Inventory
+metadata:
+ name: mondoo-inventory
+ labels:
+ environment: production
+spec:
+ assets:
+ - name:
+ connections:
+ - type: vsphere
+ host: 192.168.5.24
+ insecure: true
+ credentials:
+ - secret_id: vcenter/mondoo-read
+ discover:
+ targets:
+ - auto
+ annotations:
+ Owner: patrick@mondoo.com
+ vault:
+ name: cnspec-hashivault
+ type: hashicorp-vault
+ options:
+ url: http://127.0.0.1:8200
+ token: XXXXXXXX
+```
+
+Example to scan a Microsoft 365 account:
+
+```yaml title=inventory.yml
+apiVersion: v1
+kind: Inventory
+metadata:
+ name: mondoo-inventory
+ labels:
+ environment: production
+spec:
+ assets:
+ - connections:
+ - type: ms365
+ credentials:
+ - type: pkcs12
+ private_key_path: "/Users/atomic111/Projects/presales/m365-scanning/certificate.combo.pem"
+ options:
+ client-id: c4b89770-5ed2-4367-b4f6-ff05ffcb3406
+ organization: ""
+ sharepoint-url: ""
+ tenant-id: d9abc6fc-fd88-4480-a931-2f7939adbac2
+ discover:
+ targets:
+ - auto
+```
+
+Example to scan an Azure tenant including all subscriptions:
+
+```yaml title=inventory.yml
+apiVersion: v1
+kind: Inventory
+metadata:
+ name: mondoo-inventory
+ labels:
+ environment: production
+spec:
+ assets:
+ - connections:
+ - type: azure
+ credentials:
+ - type: pkcs12
+ private_key_path: ""
+ options:
+ client-id: 9f51cb-66c3-4gg9-b525-fbd717384d96
+ lun: "0"
+ tenant-id: f115cf8c-a2d4-51ef-1234-56f7ed7e18ec
+ discover:
+ targets:
+ - auto
+```
+
+Example to scan a Google Workspace account:
+
+```yaml title=inventory.yml
+apiVersion: v1
+kind: Inventory
+metadata:
+ name: mondoo-inventory
+ labels:
+ environment: production
+spec:
+ assets:
+ - connections:
+ - type: google-workspace
+ credentials:
+ - type: json
+ secret:
+ options:
+ customer-id: D34dr1r
+ impersonated-user-email: user@lunalectric.com
+```
+
+To execute cnspec with the inventory file, run this command:
+
+```bash
+cnquery scan --inventory-file ./inventory.yml
+```
+
+---
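Review bot: The inventory examples put plaintext passwords in `inventory.yml` (`password: mondoo`, `password: test`), and the Vault example combines `insecure: true` with `url: http://127.0.0.1:8200`, with no explanation of what either setting gives up. Add a sentence that steers readers to the `secret_id` or Vault form for real use and says what `insecure: true` disables. Because `mondoo.yml` holds `private_key`, the configuration section should also state the expected file ownership and permissions. Other points: the closing command is `cnquery scan --inventory-file ./inventory.yml` although the sentence introducing it says cnspec; the launchd plist block as shown has no XML tags (bare `Label`, `ProgramArguments`, `RunAtLoad` lines), so it cannot be copied as written; `launchctl list | grep cnspec` will not match the `com.mondoo.client` label shown in its own sample output; and `condole.mondoo.com` in the options table should be `console.mondoo.com`.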
diff --git a/docs/cnspec/cnspec-adv-install/update.mdx b/docs/cnspec/cnspec-adv-install/update.mdx
new file mode 100644
index 000000000..bea5def58
--- /dev/null
+++ b/docs/cnspec/cnspec-adv-install/update.mdx
@@ -0,0 +1,59 @@
+---
+title: Update cnspec
+sidebar_label: Update cnspec
+sidebar_position: 10
+displayed_sidebar: cnspec
+description: Upgrade cnspec to a new version and understand how versioning works
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+cnspec is a versioned binary. To identify the currently installed version of cnspec, run:
+
+```
+cnspec version
+```
+
+To learn about cnspec provider versioning, read [Manage cnspec Providers](/cnspec/cnspec-adv-install/providers/).
+
+## How cnspec versioning works
+
+Mondoo's versioning policy is _based on_ the semantic versioning standard. For example, in version 6.3.2, 6 is the major version, 3 is the minor version, and 2 is the patch. When we release a new version, we increment one of these three version components depending on the type of changes we introduce.
+
+### Breaking changes policy
+
+Major version releases of cnspec contain _soft-breaking_ changes. These may require you to update your policies, or automation scripts in order to avoid disruption, but you have a long time to make those updates. We provide advanced warning before we make these changes, and they don't become _hard-breaking_ changes until the next major release.
+
+## Update cnspec
+
+To update cnspec to the latest version, you can use your preferred package manager, such as Homebrew or Chocolatey, or simply re-run the installation script.
+
+:::tip
+
+Integrations that run on Mondoo Platform as well as the Kubernetes operator and the AWS Lambda-based integration, automatically update to the latest version; there's no need to manually update.
+
+:::
+
+### Update cnspec on Linux or macOS
+
+```bash
+bash -c "$(curl -sSL https://install.mondoo.com/sh)"
+```
+
+### Update cnspec on Windows
+
+```powershell
+Set-ExecutionPolicy Unrestricted -Scope Process -Force;
+[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
+iex ((New-Object System.Net.WebClient).DownloadString('https://install.mondoo.com/ps1/cnspec'));
+Install-Mondoo -Product cnspec;
+```
+
+## Learn more
+
+- For installation and deployment options, read [Extended Installation Options for cnspec](/cnspec/cnspec-adv-install/overview/).
+
+- To learn about cnspec provider versioning, read [Manage cnspec Providers](/cnspec/cnspec-adv-install/providers/).
+
+Can't find what you need? Join our community Slack channel to chat with us and other Mondoo users.
+
+---
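Review bot: Both update commands download a script and execute it with no integrity check (`bash -c "$(curl -sSL https://install.mondoo.com/sh)"` and `iex ((New-Object System.Net.WebClient).DownloadString(...))`), and the Windows one first runs `Set-ExecutionPolicy Unrestricted -Scope Process -Force`. List the package-manager route mentioned in the paragraph above as the first option, or show how to download and inspect the script before running it. `-bor 3072` needs a comment saying it enables TLS 1.2. Minor: "advanced warning" should be "advance warning", and the tip needs a comma after "Mondoo Platform" to pair with the one after "integration".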
diff --git a/docs/cnspec/cnspec-adv-install/windows.mdx b/docs/cnspec/cnspec-adv-install/windows.mdx
new file mode 100644
index 000000000..e9f06511d
--- /dev/null
+++ b/docs/cnspec/cnspec-adv-install/windows.mdx
@@ -0,0 +1,222 @@
+---
+title: Install cnspec on Windows
+sidebar_label: Windows
+sidebar_position: 5
+displayed_sidebar: cnspec
+description: This page provides details on installing and configuring cnspec on Windows.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+:::info
+The msi package `REGISTRATIONTOKEN` argument allows you to pass in a temporary registration token to the MSI installer. If the argument is provided, cnspec will be registered automatically during installation.
+:::
+
+## Prerequisites
+
+Before you integrate Microsoft Windows with Mondoo:
+
+- Confirm access to the internet using PowerShell or CMD Terminal
+
+- Confirm access to Mondoo systems using PowerShell or CMD Terminal
+
+- Synchronize your system clock
+
+import Partial from "./_providers-note.mdx";
+
+{" "}
+
+### Access to the internet using PowerShell or CMD Terminal
+
+:::info
+
+If your organization's [region](/platform/start/organize/regions/) (in the Mondoo Console) is US, you must be able to access to us.api.mondoo.com. If your region is EU, you must be able to access to eu.api.mondoo.com.
+
+:::
+
+```powershell title="Check internet connectivity"
+# from PowerShell
+Test-NetConnection mondoo.com -Port 443
+
+# from CMD terminal (activate telnet client if not already activated)
+Telnet google.com 443
+```
+
+If you have a proxy setting in your environment, you _might_ need to configure it in the PowerShell and CMD Terminal:
+
+```
+netsh winhttp show proxy
+```
+
+### Systems access
+
+Be sure you have access to these systems from PowerShell or CMD Terminal:
+
+```powershell title="Check the Internet connectivity"
+install.mondoo.com Port 443/https
+releases.mondoo.com Port 443/https
+eu.api.mondoo.com Port 443/https
+us.api.mondoo.com Port 443/https
+registry.api.mondoo.com Port 443/https
+```
+
+To check connectivity, follow the approach in the previous section.
+
+### System clock sync
+
+Make sure your system clock is in sync with your NTP or internet time:
+
+```
+w32tm /query /status
+w32tm /query /peers
+w32tm /resync
+```
+
+## Install cnspec on Windows
+
+There are two ways of installing Mondoo on Windows:
+
+### Option A: Install using the automated install script in PowerShell
+
+Make sure TLS 1.2 is enabled (it's enabled by default in modern Windows systems):
+
+```powershell title="TLS version"
+# To check
+[Net.ServicePointManager]::SecurityProtocol
+
+# If it is not enabled, enable it:
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+```
+
+Install cnspec by downloading a PowerShell script to memory and running it:
+
+If you wish later the scan happens by loading the configured Policy from your Mondoo Console space, you need to register by having a Registration Token which will be given to you during Integration from https://console.mondoo.com/.
+
+Without RegistrationToken, the policies will be automatically loaded from our Registry (https://mondoo.com/registry). It is only included the Open Source policies.
+
+```powershell title="Automated installation script"
+# $MONDOO_REGISTRATION_TOKEN="YOUR_TOKEN_HERE"
+iex ((New-Object System.Net.WebClient).DownloadString('https://install.mondoo.com/ps1'))
+Install-Mondoo # -RegistrationToken $MONDOO_REGISTRATION_TOKEN
+```
+
+The installation creates one or two directories:
+
+- The `C:\Program Files\Mondoo` directory contains binaries.
+
+````
+
+- The `C:\ProgramData\Mondoo` directory is only created if the registration token is used. It contains the `mondoo.yml` configuration file.
+
+
+## Option B: Install manually (Mondoo package including cnspec)
+
+1. Download the [Mondoo Windows installer](https://releases.mondoo.com/mondoo/latest).
+2. Execute the installer as administrator.
+
+ Example:
+
+```powershell title="manual installation"
+# PowerShell
+Start-Process -Wait msiexec -ArgumentList ' /i mondoo_8.9.1_windows_amd64.msi'
+
+# CMD Terminal
+start /wait msiexec /i mondoo_8.9.1_windows_amd64.msi
+````
+
+3. Follow the steps and agree to the license agreement.
+4. (Optional) Register cnspec with your Mondoo Platform account.
+
+If you enter a registration token during the installation wizard, cnspec registers automatically.
+
+You can also register by token later if needed:
+
+```powershell title="CMD Terminal"
+start /wait msiexec /i mondoo_8.9.1_windows_amd64.msi REGISTRATIONTOKEN="XXXXXXXXXXXXXXXXX"
+```
+
+## Test and troubleshoot
+
+Make sure the service is running and that it runs automatically at startup:
+
+```powershell title="PowerShell"
+Set-Service -Name mondoo -Status Running -StartupType Automatic
+```
+
+Validate that the service is running:
+
+```
+# PowerShell
+Get-Service mondoo
+
+# CMD terminal
+sc query mondoo
+```
+
+Check the cnspec status:
+
+```
+cnspec status
+```
+
+If cnspec is already registered, you should see this line in the status:
+
+```
+loaded configuration from C:\ProgramData\Mondoo\mondoo.yml using source default
+```
+
+The `mondoo.yaml` file has the certificate, private key, and the api endpoint.
+
+Scan the local system:
+
+```
+cnspec scan local
+```
+
+Here the cnspec will automatically load the policies from Mondoo Console spaces provided you have registered the mondoo with the Token. Otherwise, the policies will be loaded from our Registry.
+
+You can also force the cnspec to load the policies only from registry:
+
+```
+cnspec scan local --incognito
+```
+
+Delete and reinstall:
+
+In some situations, you might need to remove the services and install again.
+
+```
+sc stop mondoo
+sc delete mondoo
+rmdir "C:\Program Files\Mondoo"
+rmdir "C:\ProgramData\Mondoo"
+```
+
+## Proxy configuration
+
+cnspec also works behind a forward proxy, such as Squid.
+
+```powershell title="Set https_proxy environment variable"
+$env:https_proxy = ":"
+```
+
+To set the proxy configuration for cnspec permanently, add the proxy configuration during cnspec registration:
+
+```powershell title="Set Proxy via cnspec command"
+cnspec login --token 'YOUR_TOKEN_HERE' --api-proxy 'http://1.1.1.1' --config 'C:\ProgramData\Mondoo\mondoo.yml'
+```
+
+Or add it to the cnspec configuration directly, follow these steps:
+
+1. Navigate to the cnspec configuration file under `C:\ProgramData\Mondoo\mondoo.yml`
+2. Add this line:
+
+```yaml title="Set Proxy via cnspec configuration file"
+api_proxy: http://1.1.1.1
+```
+
+## Learn more
+
+- [Register cnspec](/cnspec/cnspec-adv-install/registration)
+- [Run cnspec as a service](/cnspec/cnspec-adv-install/service)
+
+---
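Review bot: A stray four-backtick fence follows the `C:\Program Files\Mondoo` bullet and is only closed by the four backticks that end the "manual installation" block, so the `C:\ProgramData\Mondoo` bullet, the "Option B" heading and steps 1 and 2 will render as literal code. Remove the stray opener and close the PowerShell block with three backticks. "Option B" is also `##` while "Option A" is `###`. Other points: the connectivity check uses `Telnet google.com 443` where one of the Mondoo hosts listed under "Systems access" would test the right path; `mondoo.yaml` should be `mondoo.yml`; "You can also register by token later" is followed by the same `msiexec /i` install command rather than a `cnspec login` call; in CMD, `rmdir` without `/s` will not remove a non-empty directory; `$env:https_proxy = ":"` has lost its host and port placeholders; and both `api-proxy` examples use the real public address `1.1.1.1` over plain `http://`.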
diff --git a/docs/cnspec/cnspec-aws/README.mdx b/docs/cnspec/cnspec-aws/README.mdx
new file mode 100644
index 000000000..cd920caca
--- /dev/null
+++ b/docs/cnspec/cnspec-aws/README.mdx
@@ -0,0 +1,46 @@
+---
+title: Assess AWS Security with cnspec
+id: cnspec-aws-intro
+sidebar_label: Get Started
+displayed_sidebar: cnspec
+sidebar_position: 1
+description: Learn how cnspec can assess the security of your AWS infrastructure
+image: /img/featured_img/mondoo-aws.jpg
+---
+
+cnspec assesses your full AWS environment for misconfigurations that put your organization at risk. You can scan your AWS account for compliance with security policies created by Mondoo or the community, or [create your own policies](/cnspec/cnspec-policies/write/). You also can write individual tests to run on the fly or include in automated tasks.
+
+cnspec can test any aspect of your AWS configuration. For a list of AWS resources you can test, read [Mondoo Amazon Web Services (AWS) Resource Pack Reference](/mql/resources/aws-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+## Connect cnspec with your AWS environment
+
+### Requirements
+
+To analyze and explore your AWS environment with cnspec, you must have:
+
+- [cnspec installed on your workstation](/cnspec/).
+- [An AWS account](https://aws.amazon.com/free/).
+- Your AWS credentials. To learn about creating a new access key pair, read [Creating new access keys for an IAM user](https://docs.aws.amazon.com/keyspaces/latest/devguide/access.credentials.html#create.keypair) in the AWS documentation.
+- Your `AWS_REGION` configured. To learn how to set your region, read [How to set environment variables](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html#envvars-set) in the AWS documentation.
+
+### Verify with a quick AWS check
+
+To quickly confirm that cnspec has access to your AWS environment, run this test from your terminal:
+
+```bash
+cnspec run aws -c 'aws.account.id!="foo"'
+```
+
+It asserts that your AWS account ID value is not `foo`.
+
+cnspec returns `[ok]` to indicate that the test passed, and includes the actual value of the AWS account ID:
+
+```coffee
+[ok] value: "123456789000"
+```
+
+## Next step
+
+You've successfully used cnspec to run your first check against your AWS account. Now you're ready to [assess your AWS environment.](/cnspec/cnspec-aws/cnspec-aws-account)
+
+---
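Review bot: The "Creating new access keys for an IAM user" link in Requirements points into the Amazon Keyspaces developer guide (`docs.aws.amazon.com/keyspaces/latest/devguide/...`), not the IAM documentation; link the IAM page on access keys instead. The requirements also ask for "Your AWS credentials" without saying which permissions a scan needs. State the minimum read-only access so readers do not default to an administrator key.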
diff --git a/docs/cnspec/cnspec-aws/_cnspec-aws-codebuild.mdx b/docs/cnspec/cnspec-aws/_cnspec-aws-codebuild.mdx
new file mode 100644
index 000000000..74638082b
--- /dev/null
+++ b/docs/cnspec/cnspec-aws/_cnspec-aws-codebuild.mdx
@@ -0,0 +1,13 @@
+---
+title: write me codebuild
+id: cnspec-aws-codebuild
+sidebar_label: write me codebuild
+displayed_sidebar: cnspec
+sidebar_position: 5
+description: write me codebuild
+image: /img/featured_img/mondoo-aws.jpg
+---
+
+Write me!
+
+---
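Review bot: This file is a stub: `title`, `sidebar_label` and `description` are all "write me codebuild" and the body is "Write me!". Either drop it from this change or confirm that the leading underscore in `_cnspec-aws-codebuild.mdx` keeps it out of the published site, since it carries `sidebar_position: 5` and a public-looking `id`.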
diff --git a/docs/cnspec/cnspec-aws/cnspec-aws-account.mdx b/docs/cnspec/cnspec-aws/cnspec-aws-account.mdx
new file mode 100644
index 000000000..83472d9ce
--- /dev/null
+++ b/docs/cnspec/cnspec-aws/cnspec-aws-account.mdx
@@ -0,0 +1,194 @@
+---
+title: Assess an AWS Account
+id: cnspec-aws-account
+sidebar_label: Assess an AWS Account
+displayed_sidebar: cnspec
+sidebar_position: 20
+description: Assess the security and compliance of an AWS account configuration
+image: /img/featured_img/mondoo-aws.jpg
+---
+
+Once you've ensured that [cnspec can access your AWS environment](/cnspec/cnspec-aws/), you can begin testing. The method you choose depends on your goals:
+
+- For widescale assessment of your AWS infrastructure, scan using policy bundles. These collections of tests work together to present a broad picture of your AWS security posture.
+- To run ad hoc checks against your AWS environment, use cnspec's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnspec and learning MQL.
+
+## Assess AWS security with policy-based scanning
+
+The AWS Security by Mondoo policy is available to all in Mondoo's [cnspec-policies GitHub repo](https://github.com/mondoohq/cnspec-policies/tree/main/core). This collection of tests evaluates how well your environment follows fundamental AWS security best practices. It checks for misconfigurations across your entire AWS infrastructure.
+
+To scan using the AWS Security by Mondoo policy, run:
+
+```bash
+cnspec scan aws
+```
+
+cnspec finds the default policy for AWS and runs a scan based on that policy. It returns a report summarizing the scan results:
+
+```coffee
+→ discover related assets for 1 asset(s)
+→ resolved assets resolved-assets=1
+→ connecting to asset AWS Account lunalectric-management (177043759486) (api)
+
+██████████████████████████████████████████░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 60% AWS Account lunalectric-management (177043759486)
+
+
+Asset: AWS Account lunalectric-management (177043759486)
+========================================================
+Checks:
+✕ Fail: Ensure IAM Users Receive Permissions Only Through Groups
+✕ Fail: D 20 Checks whether the instance metadata version is configured with IMDSv2 (http tokens required)
+✓ Pass: Ensure MFA is enabled for the "root user" account
+✕ Fail: D 20 Ensure the default security group of every VPC restricts all traffic
+✕ Fail: B 70 Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge (default 90)
+✓ Pass: Ensure there is only one active access key available for any single IAM user
+✓ Pass: Ensure no root user account access key exists
+✓ Pass: Checks if the required S3 public access block settings are configured from the account level
+✕ Fail: B 70 Ensure VPC flow logging is enabled in all VPCs
+! Error: Checks whether the account password policy for IAM users meets the specified requirements
+✕ Fail: F 5 Checks whether the AWS IAM users have multi-factor authentication (MFA) enabled
+✓ Pass: Checks if Amazon Simple Storage Service (S3) has bucket-level public access restrictions at the bucket level.
+✕ Fail: D 20 Ensures no instances have a public IP
+✕ Fail: B 70 Ensure EBS volume encryption is enabled by default
+✓ Pass: Checks whether IAM groups have at least one IAM user
+
+
+Summary (1 assets)
+==================
+
+Target: AWS Account lunalectric-management (177043759486)
+Score: F 0/100 (100% completed)
+✓ Passed: ██████ 40% (6)
+✕ Failed: ████████ 53% (8)
+! Errors: █ 7% (1)
+» Skipped: 0% (0)
+```
+
+:::tip
+
+To examine scan results in detail, run:
+
+```bash
+cnspec scan aws -o full
+```
+
+:::
+
+You can also create your own policies to meet your specific needs. To learn more about policies, read [Policies](/cnspec/cnspec-policies/).
+
+### Scan using an assumed role
+
+To assess AWS resources that you don't normally have access to, you can use an [assumed role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html):
+
+```bash
+cnspec scan aws --option role-arn=ROLEARN
+```
+
+For `ROLEARN`, substitute the role's Amazon resource name (ARN).
+
+cnspec supports assumed roles with [external IDs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html):
+
+```bash
+cnspec scan aws --option role-arn=ROLEARN --option external-id=EXTERNALID
+```
+
+For `ROLEARN`, substitute the role's Amazon resource name (ARN). For `EXTERNALID`, substitute the external ID for the assumed role.
+
+## Test AWS with the cnspec shell
+
+The cnspec shell is handy for quick checks and tests, or for developing your MQL skills. Its auto-complete and help features guide you in writing checks.
+
+To launch a shell into your AWS environment, enter:
+
+```bash
+cnspec shell aws
+```
+
+### Discover capabilities with the `help` command
+
+Once inside the shell, use the `help` command to learn what AWS resources you can test. This command lists all the AWS resources:
+
+```bash
+help aws
+```
+
+From the resulting list, you can drill down further. For example, enter this command to list all the AWS IAM resources you can test:
+
+```bash
+help aws.iam
+```
+
+From the resulting list, you can drill down even further. You can also learn about available AWS resources in the [Mondoo Amazon Web Services (AWS) Resource Pack Reference](/mql/resources/aws-pack/).
+
+### Run tests in the cnspec shell
+
+Now that you know how to discover what's possible with cnspec, let's run some actual tests in the shell.
+
+#### Assess CloudTrail encryption
+
+This test assures that every CloudTrail has a KMS key:
+
+```bash
+aws.cloudtrail.trails.all(kmsKey != null)
+```
+
+If the test passes (all CloudTrails have KMS keys) then cnspec returns `ok`:
+
+```coffee
+[ok] value: true
+```
+
+If the test fails, (one or more CloudTrails do not have KMS keys) then cnspec provides details about the failure:
+
+```coffee
+[failed] [].all()
+ actual: [
+ 0: aws.cloudtrail.trail id = arn:aws:cloudtrail:us-east-1:921877552404:trail/s3-events
+ ]
+```
+
+The sample results above show that the account's single CloudTrail is not using encryption.
+
+#### Assess IAM
+
+When we explored the help for `aws.iam`, we saw that cnspec can run checks against your account's IAM credential report. For example, this test asserts that all users have MFA enabled:
+
+```bash
+aws.iam.credentialReport.all ( mfaActive == true )
+```
+
+If one or more users aren't using MFA, cnspec lists them:
+
+```coffee
+[failed] [].all()
+ actual: [
+ 0: aws.iam.usercredentialreportentry id = aws/iam/credentialreport/arn:aws:iam::921000052404:user/abel
+ 1: aws.iam.usercredentialreportentry id = aws/iam/credentialreport/arn:aws:iam::921000052404:user/coco
+ 2: aws.iam.usercredentialreportentry id = aws/iam/credentialreport/arn:aws:iam::921000052404:user/ecs-deploy
+ 3: aws.iam.usercredentialreportentry id = aws/iam/credentialreport/arn:aws:iam::921000052404:user/gitlab-migration-user
+ ]
+```
+
+#### Specify fields to include in results
+
+If you're interested in only some details, specify the fields you want in braces. For example, this is the same test as above, but also asks for each user's ARN, when they last changed their password, and whether they have MFA enabled:
+
+```bash
+aws.iam.credentialReport { mfaActive == true arn passwordLastChanged mfaActive }
+```
+
+### Exit the cnspec shell
+
+To exit the cnspec shell, either press `Ctrl + D` or type `exit`.
+
+## Learn more
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+
+- Explore the complete [Mondoo AWS Resource Pack Reference](/mql/resources/aws-pack/).
+
+## Next step
+
+Now that you've scanned your AWS environment and run tests using the cnquery shell, you're ready to dive deeper and [test your EC2 instances](/cnspec/cnspec-aws/cnspec-aws-ec2/).
+
+---
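Review bot: the sample outputs carry three different 12-digit account IDs (`177043759486` in the scan report, `921877552404` in the CloudTrail result, `921000052404` in the credential report) plus an account alias and IAM user names. If any of these came from a live scan, replace them with one placeholder ID throughout, as the README does with `123456789000`, so that no real account identifier is published and the examples read as one account. Separately, the final "Next step" paragraph says the reader ran tests "using the cnquery shell", but every command on this page is `cnspec shell`. In the failing CloudTrail sentence the comma belongs after the parenthetical, not before it ("If the test fails, (one or more ...").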
diff --git a/docs/cnspec/cnspec-aws/cnspec-aws-cloudshell.md b/docs/cnspec/cnspec-aws/cnspec-aws-cloudshell.md
new file mode 100644
index 000000000..a11006532
--- /dev/null
+++ b/docs/cnspec/cnspec-aws/cnspec-aws-cloudshell.md
@@ -0,0 +1,99 @@
+---
+title: Assess AWS Security from AWS CloudShell
+description: Learn how to install and configure cnspec in AWS CloudShell to run security scans against your AWS account.
+displayed_sidebar: cnspec
+id: cnspec-aws-cloudshell
+sidebar_label: Assess AWS from CloudShell
+sidebar_position: 50
+image: /img/featured_img/mondoo-aws.jpg
+---
+
+If you prefer to work in AWS's browser-based CloudShell, you don't have to switch to a different interface to scan your AWS infrastructure. You can interact with cnspec within CloudShell.
+
+To learn about CloudShell, read the [AWS documentation](https://docs.aws.amazon.com/cloudshell/latest/userguide/welcome.html).
+
+## Set up cnspec in CloudShell
+
+To set up cnspec in CloudShell, [sign up for a free Mondoo account](/platform/start/plat-start-acct). In the Mondoo Console you'll find a guide that helps you install cnspec in AWS CloudShell and run your first security assessment of AWS.
+
+### Step 1: Launch the Mondoo AWS CloudShell Setup Guide
+
+![Mondoo AWS Guide - Start](/img/platform/tutorials/aws-cloudshell/aws-guide-start.png)
+
+1. Open the AWS Guide.
+
+2. Select **Let's do this!**
+
+![Mondoo AWS Guide - Choose AWS](/img/cnspec/aws/cs-choose-aws.png)
+
+3. On the **Choose your cloud service** step, select **Amazon AWS** and choose **Next step**.
+
+### Step 2: Launch CloudShell
+
+![Mondoo AWS Guide - Open CloudShell](/img/cnspec/aws/cs-open-cs.png)
+
+1. Select **Open CloudShell** to open AWS CloudShell in a new browser tab.
+
+2. Once CloudShell finishes launching, return to the browser tab containing the **Mondoo AWS Guide**.
+
+3. Select **Next step**.
+
+### Step 3: Install cnspec in CloudShell and register with Mondoo Platform
+
+![AWS Setup Guide - Copy Token](/img/cnspec/aws/cs-token.png)
+
+1. This next step contains a temporary registration token and a one-line install script to install cnspec in CloudShell. Select the copy icon in the command window, and then select **Continue**.
+
+2. Return to the browser tab with AWS CloudShell and paste the contents of the clipboard with the installation command.
+
+3. When you paste the command, AWS CloudShell shows a warning about external code. Select **Paste**
+
+4. Press **Enter** to install cnspec.
+
+:::info
+
+The cnspec install script is open source. You can find it in Mondoo's [GitHub organization](https://github.com/mondoohq/installer)
+
+:::
+
+## Step 4: Scan
+
+The `cnspec scan` command checks your assets against policies. `cnspec scan aws` executes policies against your aws account.
+
+:::tip
+
+cnspec provides a `--help` command. For instance, `cnspec scan --help` returns detailed information on using cnspec to scan various assets.
+
+:::
+
+### How AWS scans work
+
+When an AWS CloudShell session starts, cnspec relies on your AWS credentials (which you used to log into the AWS console) to run policies against the account. This pre-authentication lets you skip configuring credentials for AWS services with cnspec.
+
+By running `cnspec scan aws`, cnspec authenticates with Mondoo Platform to find the policies configured for AWS in your account. After syncing policies, cnspec authenticates against the AWS API using the configured credentials in AWS CloudShell and then runs the policies against your account.
+
+:::info
+
+Mondoo Platform comes with a default set of policies activated in the registry to get you started.
+
+:::
+
+### Scan AWS from CloudShell
+
+1. Open the Mondoo AWS Setup Guide where you left off in your browser and copy the `cnspec scan aws` command to your clipboard.
+
+```bash
+cnspec scan aws
+```
+
+2. Paste the `cnspec scan aws` command into AWS CloudShell and press **Enter** to start the scan.
+
+The scan takes only a few minutes to complete.
+
+After the scan completes, cnspec returns the results to `STDOUT`and also sends the scan results to the Mondoo Platform. To view results:
+
+1. Return to the browser tab containing the **Mondoo AWS Guide** and select **Next Step**. Mondoo Platform locates the results from the AWS scan.
+
+2. Select **Explore Mondoo** to see the results from the scan.
+
+---
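Review bot: Step 3 has the reader paste a one-line install script and select **Paste** on CloudShell's external-code warning, but the only aid for checking what runs is the info box's link to the `mondoohq/installer` repository root. Link the exact script the command fetches, and say what the temporary registration token grants and when it expires, so a reader can review the script before dismissing the warning. `## Step 4: Scan` is an H2 while Steps 1 to 3 are H3 under "Set up cnspec in CloudShell", which drops it out of the step sequence in the page outline. Small fixes: a missing space in "`STDOUT`and", no period after "Select **Paste**", and lowercase "aws account" in the Step 4 intro.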
diff --git a/docs/cnspec/cnspec-aws/cnspec-aws-ec2.mdx b/docs/cnspec/cnspec-aws/cnspec-aws-ec2.mdx
new file mode 100644
index 000000000..7dbce9201
--- /dev/null
+++ b/docs/cnspec/cnspec-aws/cnspec-aws-ec2.mdx
@@ -0,0 +1,72 @@
+---
+title: Assess an AWS EC2 Instance
+id: cnspec-aws-ec2
+sidebar_label: Assess an AWS EC2 Instance
+displayed_sidebar: cnspec
+sidebar_position: 30
+description: Assess the security and compliance of an AWS EC2 instance
+image: /img/featured_img/mondoo-aws.jpg
+---
+
+Now that you have an introduction to [assessing your AWS security](/cnspec/cnspec-aws/cnspec-aws-account/) with cnspec, let's dive deeper and test EC2 instances.
+
+We'll continue working in the cnspec shell, which makes running individual queries easy. If it's not already open, enter `cnspec shell aws` in your terminal. To learn about accessing your AWS account with cnspec, read [Assess AWS Security](/cnspec/cnspec-aws/).
+
+## EC2 resources
+
+cnspec lets you test any configuration detail of your EC2 instances. To discover all the resources and fields you can query, read [aws.ec2](/mql/resources/aws-pack/aws.ec2/). You can also use the `help` command in the shell:
+
+```bash
+help aws.ec2
+```
+
+## Run tests on EC2 instances
+
+### No public IPs
+
+This test assesses whether any running EC2 instances have a public IP:
+
+```bash
+aws.ec2.instances.all( state = "running" && publicIp != "" )
+```
+
+If the test passes (no running instances have a public IP) then cnspec returns `ok`:
+
+```coffee
+[ok] value: true`
+```
+
+If the test fails, (one or more running instances have a public IP) then cnspec provides details about the failure:
+
+```coffee
+[failed] [].all()
+ actual: [
+ 0: aws.ec2.instance id = arn:aws:ec2:us-east-1:177043751234:instance/i-0fde6c8e0210b7i26
+ 1: aws.ec2.instance id = arn:aws:ec2:us-east-1:177043751234:instance/i-01d9ac4d064722qa4
+ ]
+```
+
+### More examples
+
+This test verifies that all EC2 instances require HTTP tokens:
+
+```
+aws.ec2.instances.all(httpTokens == "required")
+```
+
+This test ensures that no EBS snapshots are publicly restorable:
+
+```bash
+aws.ec2.snapshots.all(createVolumePermission.none(_['Group'] == "all" ))
+```
+
+## Learn more about testing EC2 instances
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+- For a list of all the AWS resources and fields you can query, read [aws.ec2](/mql/resources/aws-pack/aws.ec2/).
+
+## Next step
+
+To discover more of cnspec's AWS capabilities, [test your EKS clusters](/cnspec/cnspec-aws/cnspec-aws-eks/).
+
+---
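Review bot: the "No public IPs" query does not test what the prose says. `aws.ec2.instances.all( state = "running" && publicIp != "" )` passes only when every instance is running and has a public IP, which is the opposite of "no running instances have a public IP". It also uses `=` where the other queries in these pages use `==`. Something like `aws.ec2.instances.none( state == "running" && publicIp != "" )` matches the description, using the same `none` form as the snapshot example further down. As written, a reader who copies this check gets `[ok]` on exactly the exposure it is meant to catch. The passing sample has a stray backtick inside the fence (`[ok] value: true` followed by a backtick), and the `httpTokens` example fence has no language tag while its neighbours use `bash`.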
diff --git a/docs/cnspec/cnspec-aws/cnspec-aws-eks.mdx b/docs/cnspec/cnspec-aws/cnspec-aws-eks.mdx
new file mode 100644
index 000000000..5f71bddee
--- /dev/null
+++ b/docs/cnspec/cnspec-aws/cnspec-aws-eks.mdx
@@ -0,0 +1,53 @@
+---
+title: Assess an AWS EKS Cluster
+id: cnspec-aws-eks
+sidebar_label: Assess an AWS EKS Cluster
+displayed_sidebar: cnspec
+sidebar_position: 40
+description: Assess the security and compliance of an AWS EKS cluster
+image: /img/featured_img/mondoo-aws.jpg
+---
+
+Now that you have an introduction to [assessing your AWS account](/cnspec/cnspec-aws/cnspec-aws-account/) with cnspec and have tried an [EC2 test](/cnspec/cnspec-aws/cnspec-aws-ec2), let's dive deeper and test EKS clusters.
+
+We'll continue working in the cnspec shell, which makes running individual queries easy. If it's not already open, enter `cnspec shell aws` in your terminal. To learn about accessing your AWS account with cnspec, read [Assess AWS Security](/cnspec/cnspec-aws/).
+
+## EKS resources
+
+cnspec provides answers to any question about your EKS clusters. To discover all the resources and fields you can query, read [aws.eks](/mql/resources/aws-pack/aws.eks/). You can also use the `help` command in the shell:
+
+```bash
+help aws.eks
+```
+
+## Run a simple test on EKS clusters
+
+This test ensures that all EKS clusters use encryption:
+
+```bash
+aws.eks.clusters.all( encryptionConfig != null )
+```
+
+If the test passes (all EKS clusters use encryption) then cnspec returns `ok`:
+
+```coffee
+[ok] value: true`
+```
+
+If the test fails (one or more EKS clusters do not use encryption) then cnspec provides details about the failure:
+
+```coffee
+[failed] [].all()
+ actual: [
+ 0: aws.ec2.instance id = arn:aws:ec2:us-east-1:177043751234:instance/i-0fde6c8e0210b7i26
+ 1: aws.ec2.instance id = arn:aws:ec2:us-east-1:177043751234:instance/i-01d9ac4d064722qa4
+ ]
+```
+
+## Learn more about querying EKS clusters
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+- For a list of all the AWS resources and fields you can query, read the [Mondoo Amazon Web Services (AWS) Resource Pack Reference](/mql/resources/aws-pack/).
+- For a list of all the Kubernetes resources and fields you can query, read the [Mondoo Kubernetes (K8s) Resource Pack Reference](/mql/resources/k8s-pack/).
+
+---
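Review bot: the failure sample for the EKS encryption test lists `aws.ec2.instance` entries with EC2 instance ARNs, identical to the output on the EC2 page, so it does not show what a failing `aws.eks.clusters.all( encryptionConfig != null )` returns. Replace it with output from an EKS cluster result using placeholder identifiers. The passing sample has the same stray backtick after `[ok] value: true` as the EC2 page.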
diff --git a/docs/cnspec/cnspec-aws/cnspec-aws-packer.mdx b/docs/cnspec/cnspec-aws/cnspec-aws-packer.mdx
new file mode 100644
index 000000000..072e5094a
--- /dev/null
+++ b/docs/cnspec/cnspec-aws/cnspec-aws-packer.mdx
@@ -0,0 +1,309 @@
+---
+title: Build Secure AMIs with cnspec and HashiCorp Packer
+id: cnspec-aws-packer
+sidebar_label: Build Secure AMIs with Packer
+displayed_sidebar: cnspec
+sidebar_position: 60
+description: Learn how to build secure Amazon AMIs with HashiCorp Packer and cnspec
+image: /img/featured_img/mondoo-aws.jpg
+---
+
+You can run security scans during HashiCorp Packer builds using [Packer plugin cnspec by Mondoo](https://github.com/mondoohq/packer-plugin-cnspec). This tutorial includes instructions for using the plugin both with and without an account on Mondoo Platform.
+
+:::caution
+
+This tutorial provisions resources that qualify under the AWS Free Tier. If your account doesn't qualify under the AWS Free Tier, Mondoo is not responsible for charges that you incur.
+
+:::
+
+### Prerequisites
+
+Before you begin, be sure you have:
+
+- An [AWS Account](https://aws.amazon.com/free/)
+- The [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) installed and configured
+- The latest [HashiCorp Packer](https://developer.hashicorp.com/packer/tutorials/docker-get-started/get-started-install-cli) version installed
+
+## Packer plugin cnspec by Mondoo
+
+[Packer plugin cnspec by Mondoo](https://github.com/mondoohq/packer-plugin-cnspec) scans Linux and Windows [HashiCorp Packer](https://www.packer.io) builds for vulnerabilities and security misconfigurations. The plugin is designed to work with any of the supported Packer builders, including containers.
+
+### Plugin modes
+
+Packer plugin cnspec is designed to work in one of two modes:
+
+- **Unregistered** - In unregistered mode, the plugin works without being registered to Mondoo Platform, and is designed to provide baseline security scanning with minimal configuration. The plugin runs either the [Linux Security by Mondoo](https://github.com/mondoohq/cnspec-policies/blob/main/core/mondoo-linux-security.mql.yaml) policy on Linux builds, or the [Windows Security by Mondoo](https://github.com/mondoohq/cnspec-policies/blob/main/core/mondoo-windows-security.mql.yaml) policy on Windows builds. Each of these policies provides security hardening checks based off of industry standards for Linux and Windows. Scan results are shown in STDOUT during the Packer run.
+- **Registered** - In registered mode, the plugin is registered to your account in Mondoo Platform using a service account. Registered mode allows you to configure and customize any of the policies in Mondoo Platform including CIS benchmarks and more. Scan results are shown in STDOUT and sent back to Mondoo Platform for your records.
+
+:::info
+
+To scan for vulnerabilities, you must register cnspec with Mondoo Platform. [Sign up for a free account](https://mondoo.com/pricing) today.
+
+:::
+
+### AWS authentication
+
+Before you can run Packer, you must configure AWS credentials with appropriate permissions to build AMIs. For more information see [Configuring the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) in the AWS documentation.
+
+For a full list of IAM permissions required to run the amazon-ebs builder, refer to the [Packer Amazon AMI Builder documentation](https://developer.hashicorp.com/packer/integrations/hashicorp/amazon#authentication#authentication).
+
+:::tip
+If you don't have access to IAM user credentials, use another authentication method described in the [Packer Amazon AMI Builder documentation](https://developer.hashicorp.com/packer/integrations/hashicorp/amazon#authentication#authentication).
+:::
+
+### Plugin configuration
+
+Packer plugin cnspec provides this configuration:
+
+- `score_threshold` - This configuration sets an `int` score threshold for security scans. If the scan produces a score that falls below the threshold, the build will fail.
+- `on_failure = "continue"` - This configuration ensures that the Packer build will not fail even if the scan produces a score that falls below the `score_threshold`.
+- `sudo` - Some of the security configuration checks require elevated permissions to scan a given resource such as the `sshd_config`. Setting the `sudo` option to `active = true` configures the plugin to run in `sudo` mode.
+- `asset_name` - Override the asset name on Mondoo Platform. This configuration is only used in registered mode.
+- `annotations` - Custom annotations can be applied to Packer build assets to provide additional metadata for asset tracking. This configuration is only used in registered mode.
+
+### Register with Mondoo Platform
+
+To configure the plugin to work in registered mode, you must first create a Base64-encoded service account. If you do not wish to use custom policies and store results on Mondoo Platform you can skip this step.
+
+To create a Base64-encoded service account:
+
+1. Navigate to the space you want to create a service account in.
+2. Select **Settings** followed by **Service Accounts**.
+3. Select **ADD ACCOUNT**.
+4. Check the **Base64-encoded** box to Base64-encode the credentials.
+5. Select **GENERATE NEW CREDENTIALS**.
+6. Copy the Base64-encoded credentials to the clipboard.
+7. Open a terminal and run:
+
+```bash
+export MONDOO_CONFIG_BASE64=
+```
+
+## Run Packer
+
+With Packer configured, you are ready to run your first build.
+
+### Amazon Linux 2 template
+
+Create a new directory named `mondoo_packer`, and change to that directory.
+
+```bash
+mkdir mondoo_packer
+cd mondoo_packer
+```
+
+Create a new file called `aws-amazon2.pkr.hcl`, and then copy/paste this code snippet into that file.
+
+```bash
+packer {
+ required_plugins {
+ amazon = {
+ version = ">= 1.1.0"
+ source = "github.com/hashicorp/amazon"
+ }
+ cnspec = {
+ version = ">= 6.1.3"
+ source = "github.com/mondoohq/cnspec"
+ }
+ }
+}
+
+variable "aws_region" {
+ default = "us-east-1"
+ type = string
+}
+
+variable "image_prefix" {
+ type = string
+ description = "Prefix to be applied to image name"
+ default = "cnspec-tested-amazon-linux-2"
+}
+
+locals { timestamp = regex_replace(timestamp(), "[- TZ:]", "") }
+
+source "amazon-ebs" "amazon2" {
+ ami_name = "${var.image_prefix}-${local.timestamp}"
+ instance_type = "t2.micro"
+ region = var.aws_region
+ source_ami_filter {
+ filters = {
+ name = "amzn2-ami-kernel-5.*-x86_64-gp2"
+ root-device-type = "ebs"
+ virtualization-type = "hvm"
+ }
+ most_recent = true
+ owners = ["137112412989"]
+ }
+ ssh_username = "ec2-user"
+ tags = {
+ Base_AMI_Name = "{{ .SourceAMIName }}"
+ Name = "${var.image_prefix}-${local.timestamp}"
+ Source_AMI = "{{ .SourceAMI }}"
+ Creation_Date = "{{ .SourceAMICreationDate }}"
+ }
+}
+
+build {
+ name = "${var.image_prefix}-${local.timestamp}"
+
+ sources = [
+ "source.amazon-ebs.amazon2"
+ ]
+
+ provisioner "shell" {
+ inline = [
+ "sudo hostnamectl set-hostname ${var.image_prefix}-${local.timestamp}",
+ "sudo yum update -y",
+ "sudo yum upgrade -y"]
+ }
+
+ provisioner "cnspec" {
+ score_threshold = 80
+ on_failure = "continue"
+ sudo {
+ active = true
+ }
+ }
+}
+```
+
+This is a complete Packer template that you will use to build an AWS Amazon 2 Linux AMI in the `us-east-1` region. In these sections, you will review each block of this template in more detail.
+
+### Configure template variables
+
+The template provides a `variables` section used to configure the builds.
+
+:::info
+
+To learn about the various options to override variables set in the Packer template, see [Setting Variables](https://developer.hashicorp.com/packer/docs/templates/legacy_json_templates/user-variables#setting-variables) in the HashiCorp Packer documentation.
+
+:::
+
+**AWS region**
+
+When building AMIs, you must specify which region to build the AMI in. The default region for the template is `us-east-1`:
+
+```bash
+variable "aws_region" {
+ default = "us-east-1"
+ type = string
+}
+```
+
+:::tip
+
+Use the optional [`ami_regions`](https://developer.hashicorp.com/packer/integrations/hashicorp/amazon#authentication/ebs#ami_regions) to configure a list of regions to copy the AMI to. Tags and attributes are copied along with the AMI.
+
+:::
+
+**Image prefix**
+
+By default the template will create the AMI using a default naming prefix of `cnspec-tested-amazon-linux-2`. You can override this with the `image_prefix` variable:
+
+```bash
+variable "image_prefix" {
+ type = string
+ description = "Prefix to be applied to image name"
+ default = "cnspec-tested-amazon-linux-2"
+}
+```
+
+### Initialize the Packer configuration
+
+Initialize your Packer configuration.
+
+```bash
+packer init aws-amazon2.pkr.hcl
+```
+
+Executing `packer init` instructs Packer to download the plugins defined in the `required_plugins` section in the template. Plugins are typically downloaded to the `~/.packer.d/plugins`directory. You can run `packer init` as many times as you'd like. If you already have the plugins you need, Packer exits without output.
+
+### Build the AMI
+
+Build the image with the `packer build aws-amazon2.pkr.hcl` command. Packer prints output similar to what is shown below.
+
+```bash
+packer build aws-amazon2.pkr.hcl
+.amazon-ebs.amazon2: output will be in this color.
+
+==> .amazon-ebs.amazon2: Prevalidating any provided VPC information
+==> .amazon-ebs.amazon2: Prevalidating AMI Name:
+ .amazon-ebs.amazon2: Found Image ID: ami-0b0dcb5067f052a63
+==> .amazon-ebs.amazon2: Creating temporary keypair: packer_6382573a-e356-c04a-958f-c1ece4083785
+==> .amazon-ebs.amazon2: Creating temporary security group for this instance: packer_6382573d-6f07-acc1-f218-df04593a22f1
+...
+==> .amazon-ebs.amazon2: Running cnspec packer provisioner by Mondoo (Version: 0.6.0, Build: dev)
+ .amazon-ebs.amazon2: activated sudo
+ .amazon-ebs.amazon2: detected packer build via ssh
+ .amazon-ebs.amazon2: scan packer build
+ .amazon-ebs.amazon2: scan completed successfully
+...
+
+ .amazon-ebs.amazon2: ✕ Fail: D 20 Ensure sudo logging is enabled
+ .amazon-ebs.amazon2: ✕ Fail: D 20 Ensure kernel module loading and unloading is collected
+ .amazon-ebs.amazon2: ✓ Pass: Ensure no duplicate UIDs exist
+ .amazon-ebs.amazon2: ✕ Fail: D 20 Ensure unsuccessful unauthorized file access attempts are collected
+ .amazon-ebs.amazon2: ✓ Pass: Ensure prelink is disabled
+ .amazon-ebs.amazon2: ✕ Fail: F 0 Ensure that strong Key Exchange algorithms are used
+ .amazon-ebs.amazon2: ✓ Pass: Ensure Samba is stopped and not enabled
+ .amazon-ebs.amazon2:
+ .amazon-ebs.amazon2: Vulnerabilities:
+ .amazon-ebs.amazon2: ■ No advisories found (passed)
+ .amazon-ebs.amazon2:
+ .amazon-ebs.amazon2: Overall CVSS score: 0.0
+ .amazon-ebs.amazon2:
+ .amazon-ebs.amazon2:
+ .amazon-ebs.amazon2: Summary (1 assets)
+ .amazon-ebs.amazon2: ==================
+ .amazon-ebs.amazon2:
+ .amazon-ebs.amazon2: Target: i-0dd30e6f234216dd1
+ .amazon-ebs.amazon2: Score: C 50/100 (100% completed)
+ .amazon-ebs.amazon2: ✓ Passed: ████████ 52% (55)
+ .amazon-ebs.amazon2: ✕ Failed: ███████ 44% (46)
+ .amazon-ebs.amazon2: ! Errors: 3% (3)
+ .amazon-ebs.amazon2: » Skipped: 1% (1)
+ .amazon-ebs.amazon2:
+ .amazon-ebs.amazon2: Policies:
+ .amazon-ebs.amazon2: F 0 Linux Security by Mondoo
+ .amazon-ebs.amazon2: A 100 Platform Vulnerability Policy by Mondoo
+...
+==> Wait completed after 10 minutes 7 seconds
+
+==> Builds finished. The artifacts of successful builds are:
+--> .amazon-ebs.amazon2: AMIs were created:
+us-east-1: ami-0b3e9a14e02dd8f37
+```
+
+### View the scan report in Mondoo Platform (registered mode only)
+
+To view the scan report in the Mondoo Console, go to **INVENTORY** and find the report. You might need to refresh your browser.
+
+![Mondoo scan report from HashiCorp Packer build](/img/cnspec/aws/packer-asset.png)
+
+### View the control details
+
+Select the Controls tab.
+
+![Controls tab in a Mondoo scan report from HashiCorp Packer build](/img/cnspec/aws/controls-tab.png)
+
+Expand any of the checks in the policies that ran against your build to show additional documentation, audit, and remediation steps:
+
+![Control details in a Mondoo scan result](/img/cnspec/aws/control-details.png)
+
+## View the image AWS Management Console
+
+![Mondoo secure base image in AWS Management Console](/img/cnspec/aws/aws-packer-image.png)
+
+After running the above example, you can navigate to the [AMIs section](https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#Images:visibility=owned-by-me) of AWS Management Console.
+
+### Remove the image
+
+You can remove the AMI by first deregistering it on the [AWS AMI management page](https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#Images:visibility=owned-by-me). Next, delete the associated snapshot on the [AWS snapshot management page](https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#Snapshots:).
+
+## Next steps
+
+In this tutorial, you built an Amazon AMI and scanned it for vulnerabilities and security misconfigurations with cnspec.
+
+The GitHub repository for Packer plugin cnspec contains [additional templates](https://github.com/mondoohq/packer-plugin-cnspec/tree/main/examples) for building Ubuntu and Windows images.
+
+---
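Review bot: the `provisioner "cnspec"` block in the template sets `score_threshold = 80` together with `on_failure = "continue"`, so the threshold never stops a build. The sample run below it scores `C 50/100`, reports `F 0 Linux Security by Mondoo`, and still ends with "AMIs were created". For a page titled "Build Secure AMIs", either drop `on_failure = "continue"` from the template, or state next to it that it is there only so the tutorial build completes and must be removed for the scan to act as a gate. The "Register with Mondoo Platform" procedure ends with `export MONDOO_CONFIG_BASE64=` and nothing after the equals sign, so step 7 as written exports an empty value; add a visible placeholder for the copied credentials. The HCL template and variable blocks are fenced as `bash`, the "Configure template variables" info box links to the legacy JSON user-variables page although the template is HCL2, and the Packer Amazon links carry malformed fragments (`#authentication#authentication`, `#authentication/ebs#ami_regions`). Small fixes: a missing space in "`~/.packer.d/plugins`directory", and the heading "View the image AWS Management Console" is missing "in the".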
diff --git a/docs/cnspec/cnspec-azure/README.mdx b/docs/cnspec/cnspec-azure/README.mdx
new file mode 100644
index 000000000..01809b2b7
--- /dev/null
+++ b/docs/cnspec/cnspec-azure/README.mdx
@@ -0,0 +1,213 @@
+---
+title: Assess Azure Security with cnspec
+id: cnspec-azure-intro
+sidebar_label: Azure
+displayed_sidebar: cnspec
+sidebar_position: 1
+description: Assess Azure Security with cnspec
+image: /img/featured_img/mondoo-azure.jpg
+---
+
+cnspec assesses your full Microsoft Azure environment for misconfigurations that put your organization at risk. You can scan your Azure tenant for compliance with security policies created by Mondoo or the community, or [create your own policies](/cnspec/cnspec-policies/write/). You also can write individual tests to run on the fly or include in automated tasks.
+
+cnspec can test any aspect of your Azure configuration. For a list of Azure resources you can test, read [Mondoo Azure Resource Pack Reference](/mql/resources/azure-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+## Connect cnspec with your Azure environment
+
+### Requirements
+
+To test your Azure environment with cnspec, you must have:
+
+- [cnspec installed on your workstation](/cnspec/).
+- An [Azure account](https://azure.microsoft.com/en-us/free/)
+- The [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) installed
+
+### Log into Azure
+
+Using the Azure CLI, log into your subscription:
+
+```bash
+az login
+```
+
+### Verify with a quick Azure check
+
+To quickly confirm that cnspec has access to your Azure environment, run this check from your terminal:
+
+```bash
+cnspec run azure -c 'azure.subscription.resources { id!="foo" }'
+```
+
+It asserts that none of your Azure resources have the ID `foo`.
+
+cnspec lists your resources and indicates that the check is true, none of them has `foo` as its ID:
+
+```coffee
+azure.subscription.resources: [
+ 0: {
+ id != "foo": true
+ }
+ 1: {
+ id != "foo": true
+ }
+ 2: {
+ id != "foo": true
+ }
+ 3: {
+ id != "foo": true
+ }
+ 4: {
+ id != "foo": true
+ }
+]
+```
+
+You've successfully used cnspec to run your first check on your Azure environment. Now you're ready to explore. The method you choose depends on your goals:
+
+- For widescale assessment of your Azure infrastructure, scan using policy bundles. These collections of tests work together to present a broad picture of your Azure security posture.
+
+- To run ad hoc checks against your Azure environment, use cnspec's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnspec and learning MQL.
+
+## Assess Azure security with policy-based scanning
+
+The Azure Security by Mondoo policy is available to all in Mondoo's [cnspec-policies GitHub repo](https://github.com/mondoohq/cnspec-policies/tree/main/core). This collection of tests evaluates how well your environment follows fundamental Azure security best practices. It checks for misconfigurations across your entire Azure infrastructure.
+
+To scan using the Azure Security by Mondoo policy, run:
+
+```bash
+cnspec scan azure
+```
+
+This scans all the subscriptions available under your account when you're logged in using `az login`. You can also scan a specific subscription. For ID, substitute your subscription ID:
+
+```bash
+cnspec scan azure --subscription YOUR-SUBSCRIPTION-ID
+```
+
+cnspec follows these steps to load policies on which it bases the scan:
+
+- cnspec tries to read a config file, mondoo.yml, which includes the certificate and private key for authenticating with Mondoo Platform. If it finds the config, it loads the policies enabled for the Azure integration in the Mondoo space this Azure environment belongs to. You can enter `cnspec status` to see if the config file exists and cnspec is registered.
+
+2. If there is no config file (you have not registered cnspec or you've removed the mondoo.yml file), then cnspec loads Mondoo's open source policies and scans based on those.
+
+:::info
+
+If cnspec is registered but you want to use the open source policies (and not share results with Mondoo Platform), you can scan in incognito mode:
+
+```bash
+cnspec scan azure --incognito
+```
+
+:::
+
+You can also specify a particular policy bundle. cnspec uses only the bundle you specify:
+
+```bash
+cnspec scan azure --policy-bundle mondoo-azure-security.mql.yaml
+```
+
+You can download open source policy bundles from the [GitHub repo](https://github.com/mondoohq/cnspec-policies/tree/main/core).
+
+It is also possible to scan the Azure environment through an Azure registered app and fully control what resources the cnspec has permission to scan. To learn how to register and configure the app, read [Continuously Scan with an Azure Integration](/platform/infra/cloud/azure/azure-integration-scan-subscription/).
+
+After you register the app, you can use either of these commands to scan, depending on how you configured the app to authenticate with the Azure portal:
+
+```bash
+cnspec scan azure --subscription YOUR-SUBSCRIPTION-ID --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID --certificate-path certificate.combo.pem --policy-bundle mondoo-azure-security.mql.yaml
+```
+
+OR:
+
+```bash
+cnspec scan azure --subscription YOUR-SUBSCRIPTION-ID --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID --client-secret YOUR-CLIENT-SECRET-VALUE --policy-bundle mondoo-azure-security.mql.yaml
+```
+
+### Assess the security of Azure VM instances, snapshots, and disks
+
+Use cnspec to evaluate the security of your Azure virtual machines. You can scan managed disks, instances, and snapshots.
+
+To scan an Azure VM instance, run this command, substituting the instance name, client ID, tenant ID, and client secret:
+
+```bash
+cnspec scan azure compute instance NAME --client-id YOUR-CLIENT-ID --tenant-id YOUR-TENANT-ID --client-secret YOUR-CLIENT-SECRET-VALUE
+```
+
+To scan an Azure compute snapshot, run this command, substituting the snapshot name, client ID, tenant ID, and client secret:
+
+```bash
+cnspec scan azure compute snapshot NAME --client-id YOUR-CLIENT-ID --tenant-id YOUR-TENANT-ID --client-secret YOUR-CLIENT-SECRET-VALUE
+```
+
+To scan an Azure compute disk, run this command, substituting the snapshot name, client ID, tenant ID, and client secret:
+
+```bash
+cnspec scan azure compute disk NAME --client-id YOUR-CLIENT-ID --tenant-id YOUR-TENANT-ID --client-secret YOUR-CLIENT-SECRET-VALUE
+```
+
+## Test Azure with the cnspec shell
+
+The cnspec shell is handy for quick checks and tests, or for developing your MQL skills. Its auto-complete and help features guide you in writing checks.
+
+To launch a shell into your Azure environment, enter:
+
+```bash
+cnspec shell azure
+```
+
+### Discover capabilities with the `help` command
+
+Once inside the shell, use the `help` command to learn what Azure resources you can test. This command lists all the Azure resources:
+
+```bash
+help azure
+```
+
+From the resulting list, you can drill down further. For example, enter this command to list all the Azure Compute resources you can test:
+
+```bash
+help azure.subscription.compute
+```
+
+From the resulting list, you can drill down even further. You can also learn about available Azure resources in the [Mondoo Azure Resource Pack Reference](/mql/resources/azure-pack/).
+
+### Run tests in the cnspec shell
+
+Now that you know how to discover what's possible with cnspec, let's run some actual tests in the shell.
+
+#### Assess SQL server auditing
+
+This test assures that auditing is turned on for your SQL servers:
+
+```bash
+azure.subscription.sql.servers { auditingPolicy['state'] == "Enabled" }
+```
+
+If the test passes (all SQL servers have auditing enabled) then cnspec returns `ok`:
+
+```coffee
+[ok] value: true
+```
+
+If the test fails, (one or more Cloud Storage buckets don't use uniform bucket-level access) then cnspec provides details about the failure.
+
+#### Assess public access to storage
+
+This test asserts that no storage accounts allow public access:
+
+```bash
+azure.subscription.storage.accounts { containers { properties['publicAccess'] == "None" } }
+```
+
+If one or more storage accounts allow public access, cnspec lists them. Otherwise, cnspec indicates that the test passed.
+
+### Exit the cnspec shell
+
+To exit the cnspec shell, either press `Ctrl + D` or type `exit`.
+
+## Learn more about querying Azure
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+
+- For a list of all the Azure resources and fields you can query, read the [Mondoo Azure Resource Pack Reference](/mql/resources/azure-pack/).
+
+---
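Review bot: Under "Assess SQL server auditing", the failure sentence is copied from the GCP page. It says the test fails when "one or more Cloud Storage buckets don't use uniform bucket-level access", but the check above it is `auditingPolicy['state'] == "Enabled"` on SQL servers, so it should say that one or more SQL servers don't have auditing enabled. Smaller fixes in the same file: the disk scan paragraph says "substituting the snapshot name" where it means the disk name; "For ID, substitute your subscription ID" refers to a placeholder the command spells `YOUR-SUBSCRIPTION-ID`; and the policy-loading steps mix a `-` bullet with a `2.` item, so number them 1 and 2. Every app-registration example passes `--client-secret` as a command-line argument, so a sentence on keeping that value out of shell history and process listings would be worth adding next to those commands.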
diff --git a/docs/cnspec/cnspec-gcp/README.mdx b/docs/cnspec/cnspec-gcp/README.mdx
new file mode 100644
index 000000000..43f0478a7
--- /dev/null
+++ b/docs/cnspec/cnspec-gcp/README.mdx
@@ -0,0 +1,278 @@
+---
+title: Assess Google Cloud Security with cnspec
+id: cnspec-gcp-intro
+sidebar_label: Get Started
+displayed_sidebar: cnspec
+sidebar_position: 1
+description: Assess Google Cloud Security with cnspec
+image: /img/featured_img/mondoo-gcp.jpg
+---
+
+cnspec assesses your full GCP environment for misconfigurations that put your organization at risk. You can scan your GCP account for compliance with security policies created by Mondoo or the community, or [create your own policies](/cnspec/cnspec-policies/write/). You also can write individual tests to run on the fly or include in automated tasks.
+
+cnspec can test any aspect of your GCP configuration. For a list of GCP resources you can test, read [Mondoo Google Cloud Platform (GCP) Resource Pack Reference](/mql/resources/gcp-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+:::info
+
+You can also use cnspec with HashiCorp Packer to [build secure VM images in Google Cloud](/cnspec/cnspec-gcp/cnspec-gcp-packer/).
+
+:::
+
+## Connect cnspec with your GCP environment
+
+### Requirements
+
+To test your GCP environment with cnspec, you must have:
+
+- [cnspec installed on your workstation](/cnspec/)
+- A [Google Platform account](https://cloud.google.com/free)
+- [Google Cloud SDK](https://cloud.google.com/sdk/install) installed
+- [Cloud Resource Manager API](https://console.cloud.google.com/marketplace/product/google/cloudresourcemanager.googleapis.com) enabled
+
+### Provide access credentials
+
+In your terminal, log into GCP with this command:
+
+```bash
+gcloud auth login --update-adc
+```
+
+### Configure the GCP project you want assess
+
+To test a GCP project, you must set up the project:
+
+```bash
+gcloud config set project PROJECTID
+```
+
+For `PROJECTID`, substitute the ID of the project you want to assess.
+
+GCP confirms the setup:
+
+```bash
+Updated property [core/project].
+```
+
+To verify your configuration, enter:
+
+```shell
+gcloud config list
+```
+
+GCP returns results similar to these:
+
+```ini
+[core]
+account = suki@lunalectric.com
+disable_usage_reporting = True
+project = gcp-project-id
+
+Your active configuration is: [default]
+```
+
+### Verify with a quick GCP check
+
+To quickly confirm that cnspec has access to your GCP environment, run this check from your terminal:
+
+```bash
+cnspec run gcp project PROJECT-ID -c 'gcp.project.id!="foo"'
+```
+
+For `PROJECT-ID`, substitute your GCP project ID.
+
+It asserts that your GCP project ID value is not `foo`.
+
+cnspec returns `[ok]` to indicate that the test passed, and includes the actual value of the GCP project ID, similar to this:
+
+```coffee
+[ok] value: "luna-dev-262317"
+```
+
+You've successfully used cnspec to run your first check on your GCP environment. Now you're ready to explore.
+
+Once you've ensured that [cnspec can access your GCP environment](/cnspec/cnspec-gcp/), you can begin testing. The method you choose depends on your goals:
+
+- For widescale assessment of your GCP infrastructure, scan using policy bundles. These collections of tests work together to present a broad picture of your GCP security posture.
+- To run ad hoc checks against your GCP environment, use cnspec's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnspec and learning MQL.
+
+## Assess GCP security with policy-based scanning
+
+The Google Cloud (GCP) Security by Mondoo policy is available to all in Mondoo's [cnspec-policies GitHub repo](https://github.com/mondoohq/cnspec-policies/tree/main/core). This collection of tests evaluates how well your environment follows fundamental GCP security best practices. It checks for misconfigurations across your entire GCP infrastructure.
+
+To scan an organization using the Google Cloud (GCP) Security by Mondoo policy, run:
+
+```bash
+cnspec scan gcp org ORGANIZATION-ID
+```
+
+For `ORGANIZATION-ID`, substitute the ID of the organization you want to scan.
+
+To scan a project using the Google Cloud (GCP) Security by Mondoo policy, run:
+
+```bash
+cnspec scan gcp project PROJECT-ID
+```
+
+For `PROJECT-ID`, substitute the ID of the project you want to scan.
+
+To scan a folder using the Google Cloud (GCP) Security by Mondoo policy, run:
+
+```bash
+cnspec scan gcp folder FOLDER-ID
+```
+
+For `FOLDER-ID`, substitute the ID of the folder you want to scan.
+
+cnspec finds the default policy for GCP and runs a scan based on that policy. It returns a report summarizing the scan results.:
+
+```text
+→ loaded configuration from /Users/suki/.config/mondoo/mondoo.yml using source default
+→ using service account credentials
+→ discover related assets for 1 asset(s)
+→ resolved assets resolved-assets=1
+
+ GCP project luna-dev-262317 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: A
+
+
+Asset: GCP project luna-dev-262317
+----------------------------------
+Data queries:
+gcp.project.iamPolicy.where: [
+ 0: gcp.resourcemanager.binding id = luna-dev-262317
+]
+gcp.project.labels: {}
+gcp.project.gke.clusters: []
+gcp.compute.instances.where: []
+gcp.compute.networks.length: 1
+
+...
+
+Checks:
+✓ Pass: A 100 Ensure oslogin is enabled for compute instances
+✓ Pass: A 100 Ensure that Cloud Storage buckets are not anonymously or publicly accessible
+✓ Pass: A 100 Ensure "Block Project-wide SSH keys" is enabled for VM instances
+✓ Pass: A 100 Ensure that Cloud Storage buckets have uniform bucket-level access enabled
+✓ Pass: A 100 Ensure that instances are not configured to use the default service account
+✓ Pass: A 100 Ensure instances are not configured to use the default service account with full access to all Cloud APIs
+
+Scanned 1 assets
+
+GCP Project
+ A GCP project luna-dev-262317
+```
+
+You can also create your own policies to meet your specific needs. To learn more about policies, read [Policies](/cnspec/cnspec-policies/).
+
+## Test GCP with the cnspec shell
+
+The cnspec shell is handy for quick checks and tests, or for developing your MQL skills. Its auto-complete and help features guide you in writing checks.
+
+To launch a shell into your GCP environment to run queries and checks, run:
+
+```bash
+cnspec shell gcp org ORGANIZATION-ID
+```
+
+For `PROJECT-ID`, substitute the ID of the project you want to explore.
+
+To launch a shell into your GCP environment on the project level, substitute PROJECT-ID with the ID of the project you want to access and run the following command:
+
+```bash
+cnspec shell gcp project PROJECT-ID
+```
+
+To launch a shell into your GCP environment on the folder level, substitute FOLDER-ID with the ID of the folder you want to access and run the following command:
+
+```bash
+cnspec shell gcp folder FOLDER-ID
+```
+
+### Discover capabilities with the `help` command
+
+Once inside the shell, use the `help` command to learn what GCP resources you can test. This command lists all the GCP resources:
+
+```bash
+help gcp
+```
+
+From the resulting list, you can drill down further. For example, enter this command to list all the GCP service resources you can test:
+
+```bash
+help gcp.service
+```
+
+From the resulting list, you can drill down even further. You can also learn about available GCP resources in the [Mondoo Google Cloud Platform (GCP) Resource Pack Reference](/mql/resources/gcp-pack/).
+
+### Run tests in the cnspec shell
+
+Now that you know how to discover what's possible with cnspec, let's run some actual tests in the shell.
+
+#### Assess Cloud Storage bucket access
+
+This test assures that all Cloud Storage buckets have uniform bucket-level access enabled:
+
+```coffee
+gcp.project.storageService.buckets.all( iamConfiguration['UniformBucketLevelAccess']['Enabled'] == true )
+```
+
+If the test passes (all Cloud Storage buckets have uniform bucket-level access enabled) then cnspec returns `ok`:
+
+```coffee
+[ok] value: true
+```
+
+If the test fails, (one or more Cloud Storage buckets don't use uniform bucket-level access) then cnspec provides details about the failure:
+
+```coffee
+[failed] [].all()
+ actual: [
+ 0: gcp.project.storageService.bucket id = luna-bucket-3
+ ]
+```
+
+The sample results above show that the `luna-bucket-3` storage bucket doesn't use uniform bucket-level access.
+
+#### Assess Compute Engine access
+
+This test asserts that all Compute Engine instances have OS Login enabled:
+
+```coffee
+gcp.project.computeService.instances.all( metadata['enable-oslogin'] == true )
+```
+
+If one or more instance aren't using OS Login, cnspec lists them:
+
+```coffee
+[failed] [].all()
+ actual: [
+ 0: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/5894326198680570314
+ 1: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/7160119628481766684
+ 2: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/5917688252380140477
+ 3: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3877422285743886958
+ 4: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3907771157037563687
+ 5: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/4114342986437780688
+ 6: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/9121791747047534080
+ 7: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/2350609386795184202
+ 8: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3078531271735985553
+ 9: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/1236920519697087164
+ 10: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/6674678823862797263
+ 11: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3498829478465908910
+ ]
+
+```
+
+### Exit the cnspec shell
+
+To exit the cnspec shell, either press `Ctrl + D` or type `exit`.
+
+## Learn more about securing Google Cloud
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+
+- For a list of all the GCP resources and fields you can query, read the [Mondoo Google Cloud Platform (GCP) Resource Pack Reference](/mql/resources/gcp-pack/).
+
+## Next step
+
+Learn how to use [snapshot scanning](/cnspec/cnspec-gcp/gcp-snapshot/) to assess GCP instances without affecting your production workload.
+
+---
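Review bot: Under "Test GCP with the cnspec shell", the sentence after `cnspec shell gcp org ORGANIZATION-ID` tells the reader to substitute `PROJECT-ID`, a placeholder that command does not contain. It should read "For `ORGANIZATION-ID`, substitute the ID of the organization you want to explore." Other points in this file: the heading "Configure the GCP project you want assess" is missing "to"; "scan results.:" has stray punctuation; the paragraph starting "Once you've ensured that cnspec can access your GCP environment" links to `/cnspec/cnspec-gcp/`, which appears to be this same page, directly after the reader has just done that check, so it can be folded into the preceding paragraph. The sample output also uses project `luna-dev-262317` in the scan report and `luna-dev-262313` in the OS Login failure list; pick one. The `Updated property [core/project].` output is fenced as `bash`, while the scan report below uses `text`, which fits command output better.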
diff --git a/docs/cnspec/cnspec-gcp/cnspec-gcp-packer.mdx b/docs/cnspec/cnspec-gcp/cnspec-gcp-packer.mdx
new file mode 100644
index 000000000..848e90d01
--- /dev/null
+++ b/docs/cnspec/cnspec-gcp/cnspec-gcp-packer.mdx
@@ -0,0 +1,337 @@
+---
+title: Build Secure VM Images in Google Cloud with cnspec and HashiCorp Packer
+id: cnspec-gcp-packer
+sidebar_label: Build Secure VMs with Packer
+displayed_sidebar: cnspec
+sidebar_position: 3
+image: /img/featured_img/mondoo-gcp.jpg
+description: Learn how to build secure machine images in Google Cloud with cnspec and HashiCorp Packer.
+---
+
+[Packer plugin cnspec by Mondoo](https://github.com/mondoohq/packer-plugin-cnspec) lets you run security scans during HashiCorp Packer builds of [Google Cloud VM images](https://cloud.google.com/build/docs/building/build-vm-images-with-packer). This ensures that new VM images meet your security standards before they even reach production.
+
+:::caution
+
+This tutorial provisions resources in your Google Cloud project. Mondoo is not responsible for charges that you incur.
+
+:::
+
+### Requirements
+
+You must have:
+
+- [A Google Platform Account](https://cloud.google.com/free)
+- [The Google Cloud SDK](https://cloud.google.com/sdk/install)
+- [Packer v1.8.1 or later](https://developer.hashicorp.com/packer/tutorials/docker-get-started/get-started-install-cli) installed
+- (Recommended) A code editor such as [Visual Studio Code](https://code.visualstudio.com/)
+
+## Packer Plugin cnspec by Mondoo
+
+[Packer Plugin cnspec by Mondoo](https://github.com/mondoohq/packer-plugin-cnspec) scans Linux and Windows [HashiCorp Packer](https://www.packer.io) builds for vulnerabilities and security misconfigurations. The plugin is designed to work with any of the supported Packer builders, including containers.
+
+### Plugin modes
+
+Packer plugin cnspec is designed to work in one of two modes:
+
+- **Unregistered** - In unregistered mode, the plugin works without being registered to Mondoo Platform, and is designed to provide baseline security scanning with minimal configuration. The plugin runs either the [Linux Security by Mondoo](https://github.com/mondoohq/cnspec-policies/blob/main/core/mondoo-linux-security.mql.yaml) policy on Linux builds, or the [Windows Security by Mondoo](https://github.com/mondoohq/cnspec-policies/blob/main/core/mondoo-windows-security.mql.yaml) policy on Windows builds. Each of these policies provides security hardening checks based off of industry standards for Linux and Windows. Scan results are shown in STDOUT during the Packer run.
+- **Registered** - In registered mode, the plugin is registered to your account in Mondoo Platform using a service account. Registered mode allows you to configure and customize any of the policies in Mondoo Platform including CIS benchmarks and more. Scan results are shown in STDOUT and sent back to Mondoo Platform for your records.
+
+:::info
+
+To scan for vulnerabilities, you must register cnspec with Mondoo Platform. [Sign up for a free account](https://mondoo.com/pricing) today.
+
+:::
+
+### Plugin configuration
+
+Packer plugin cnspec provides this configuration:
+
+- `score_threshold` - This configuration sets an `int` score threshold for security scans. If the scan produces a score that falls below the threshold, the build will fail.
+- `on_failure = "continue"` - This configuration ensures that the Packer build will not fail even if the scan produces a score that falls below the `score_threshold`.
+- `sudo` - Some of the security configuration checks require elevated permissions to scan a given resource such as the `sshd_config`. Setting the `sudo` option to `active = true` configures the plugin to run in `sudo` mode.
+- `asset_name` - Override the asset name on Mondoo Platform. This configuration is only used in registered mode.
+- `annotations` - Custom annotations can be applied to Packer build assets to provide additional metadata for asset tracking. This configuration is only used in registered mode.
+
+### Register with Mondoo Platform
+
+To configure the plugin to work in registered mode, you must first create a Base64-encoded service account. If you do not wish to use custom policies and store results on Mondoo Platform you can skip this step.
+
+To create a Base64-encoded service account:
+
+1. Navigate to the space you want to create a service account in.
+2. Select **Settings** followed by **Service Accounts**.
+3. Select **ADD ACCOUNT**.
+4. Check the **Base64-encoded** box to Base64-encode the credentials.
+5. Select **GENERATE NEW CREDENTIALS**.
+6. Copy the Base64-encoded credentials to the clipboard.
+7. Open a terminal and run:
+
+```bash
+export MONDOO_CONFIG_BASE64=
+```
+
+## Google Cloud setup
+
+Before building an image, you must install the [Google Cloud SDK](https://cloud.google.com/sdk/docs/install) and authenticate using [User Application Default Credentials](https://cloud.google.com/sdk/gcloud/reference/auth/application-default). You don't need to specify an account file if you are using this method. The user or service account must have these roles:
+
+- [`roles/iam.serviceAccountUser`](https://cloud.google.com/compute/docs/access/iam#iam.serviceAccountUser) (Service Account User)
+- [`roles/compute.instanceAdmin.v1`](https://cloud.google.com/compute/docs/access/iam#compute.instanceAdmin.v1) (Compute Instance Admin v1)
+
+To learn more about creating service accounts, read [Create and manage service accounts](https://cloud.google.com/iam/docs/creating-managing-service-accounts#iam-service-accounts-create-console) in the Google Cloud documentation.
+
+:::tip
+
+You can find more authentication methods for the `googlecompute` builder in the [Packer documentation](https://developer.hashicorp.com/packer/integrations/hashicorp/googlecompute/latest/components/builder/googlecompute).
+
+:::
+
+### Configure the Google Cloud project
+
+You must create machine images within a Google Cloud project. Run `gcloud projects list` to get a list of the projects you have access to, or run `gcloud projects create` to create a new project to build your images in.
+
+### Enable the required APIs
+
+Enable these APIs in the project:
+
+```bash
+gcloud services enable sourcerepo.googleapis.com
+gcloud services enable compute.googleapis.com
+gcloud services enable servicemanagement.googleapis.com
+gcloud services enable storage-api.googleapis.com
+```
+
+## Run Packer
+
+A Packer template is a configuration file that defines the image you want to build and how to build it. Packer templates use the HashiCorp Configuration Language (HCL).
+
+Create a new directory named `mondoo_packer`. This directory will contain your Packer template for this tutorial.
+
+```bash
+mkdir mondoo_packer
+```
+
+Navigate into the directory.
+
+```bash
+cd mondoo_packer
+```
+
+### Ubuntu 2004 Packer Template
+
+Create a file `gcp-ubuntu2004.pkr.hcl`, add this HCL block to it, and save the file.
+
+```bash
+packer {
+ required_plugins {
+ googlecompute = {
+ version = ">= 1.0.0"
+ source = "github.com/hashicorp/googlecompute"
+ }
+ cnspec = {
+ version = ">= 6.1.3"
+ source = "github.com/mondoohq/cnspec"
+ }
+ }
+}
+
+variable "zone" {
+ default = "us-east5-a"
+ description = "GCP zone to build the image in"
+}
+
+variable "project_id" {
+ type = string
+ description = "GCP Project ID to build the image in"
+}
+
+variable "image_prefix" {
+ type = string
+ description = "Prefix to be applied to image name"
+ default = "cnspec-tested-ubuntu-2004"
+}
+
+locals { timestamp = regex_replace(timestamp(), "[- TZ:]", "") }
+
+source "googlecompute" "ubuntu2004" {
+ image_name = "${var.image_prefix}-${local.timestamp}"
+ machine_type = "e2-small"
+ source_image = "ubuntu-pro-2004-focal-v20220627a"
+ ssh_username = "packer"
+ temporary_key_pair_type = "rsa"
+ temporary_key_pair_bits = 2048
+ zone = var.zone
+ project_id = var.project_id
+}
+
+build {
+ sources = ["source.googlecompute.ubuntu2004"]
+ provisioner "shell" {
+ inline = [
+ "echo Hello From ${source.type} ${source.name}"
+ ]
+ }
+
+ provisioner "cnspec" {
+ score_threshold = 80
+ on_failure = "continue"
+ sudo {
+ active = true
+ }
+ }
+}
+```
+
+This is a complete Packer template that you will use to build an Ubuntu 20.04 image in the `us-east5-a` zone. In these sections, you will review each block of this template in more detail.
+
+### Configure template variables
+
+The template provides a `variables` section used to configure the builds.
+
+:::info
+
+To learn about the various options to override variables set in the Packer template, see [Setting Variables](https://developer.hashicorp.com/packer/docs/templates/legacy_json_templates/user-variables#setting-variables) in the HashiCorp Packer documentation.
+
+:::
+
+**Zone**
+
+By default the template will build the image in GCP's us-east5-a zone:
+
+```
+variable "zone" {
+ default = "us-east5-a"
+ description = "GCP zone to build the image in"
+}
+```
+
+**Project ID**
+
+You must set the `project_id` variable with the ID of the project from your GCP account:
+
+```
+variable "project_id" {
+ type = string
+ description = "GCP Project ID to build the image in"
+}
+```
+
+**Image prefix**
+
+By default the template will create the VM image using a default naming prefix of `cnspec-tested-ubuntu-2004`. You can override this with the `image_prefix` variable:
+
+```bash
+variable "image_prefix" {
+ type = string
+ description = "Prefix to be applied to image name"
+ default = "cnspec-tested-ubuntu-2004"
+}
+```
+
+### Initialize the Packer configuration
+
+Initialize your Packer configuration.
+
+```bash
+packer init gcp-ubuntu2004.pkr.hcl
+```
+
+Executing `packer init` instructs Packer to download the plugins defined in the `required_plugins` section in the template. Plugins are typically downloaded to the `~/.packer.d/plugins`directory. You can run `packer init` as many times as you'd like. If you already have the plugins you need, Packer will exit without an output.
+
+## Build the Packer image
+
+Build the image with the `packer build gcp-ubuntu2004.pkr.hcl` command. Packer prints output similar to what is shown below.
+
+```bash
+packer build gcp-ubuntu2004.pkr.hcl
+: output will be in this color.
+
+==> : Checking image does not exist...
+==> : Creating temporary RSA SSH key for instance...
+==> : Using image: ubuntu-pro-2004-focal-v20220627a
+==> : Creating instance...
+ : Loading zone: us-east5-a
+ : Loading machine type: e2-small
+ : Requesting instance creation...
+ : Waiting for creation operation to complete...
+ : Instance has been created!
+==> : Waiting for the instance to become running...
+ : IP: 34.162.0.117
+==> : Using SSH communicator to connect: 34.162.0.117
+==> : Waiting for SSH to become available...
+...
+ :
+ :
+ : Summary
+ : ========================
+ :
+ : Target: cnspec-tested-ubuntu-2004-20220630154951
+ : Score: A 86/100 (100% completed)
+ : ✓ Passed: ███████ 49% (80)
+ : ✕ Failed: ██████ 37% (61)
+ : ! Errors: ██ 14% (23)
+ : » Skipped: 0% (0)
+ :
+ : Policies:
+ : A 100 Platform End-of-Life Policy by Mondoo
+ : A 100 Platform Vulnerability Policy by Mondoo
+ :
+ : Report URL: https://console.mondoo.com/space/inventory/
+==> : Deleting instance...
+ : Instance has been deleted!
+==> : Creating image...
+==> : Deleting disk...
+ : Disk has been deleted!
+Build '' finished after 5 minutes 46 seconds.
+```
+
+## View the scan results in STDOUT
+
+During the build process you will see scan results similar to this:
+
+```bash
+: Summary
+: ========================
+:
+: Target: cnspec-tested-ubuntu-2004-20220630154951
+: Score: A 86/100 (100% completed)
+: ✓ Passed: ███████ 49% (80)
+: ✕ Failed: ██████ 37% (61)
+: ! Errors: ██ 14% (23)
+: » Skipped: 0% (0)
+:
+: Policies:
+: A 100 Platform End-of-Life Policy by Mondoo
+: A 100 Platform Vulnerability Policy by Mondoo
+:
+: Report URL: https://console.mondoo.com/space/inventory/
+```
+
+### View the report in Mondoo Platform
+
+Packer Plugin Mondoo sends the scan results to your account in Mondoo Platform. To view the scan report in the Mondoo Console, go to **INVENTORY** and find the report. You might need to refresh your browser.
+
+![Mondoo scan report from HashiCorp Packer build](/img/cnspec/gcp/packer-asset.png)
+
+### View the control details
+
+Select the Controls tab.
+
+![Controls tab in a Mondoo scan report from HashiCorp Packer build](/img/cnspec/aws/controls-tab.png)
+
+Expand any of the checks in the policies that ran against your build to show additional documentation, audit, and remediation steps:
+
+![Control details in a Mondoo scan result](/img/cnspec/aws/control-details.png)
+
+## View the image Google Cloud Console
+
+![Mondoo secure base image in GCP Cloud Console](/img/cnspec/gcp/gcp-console-machine-image.png)
+
+After running the above example, you can navigate to the [Storage Images](https://console.cloud.google.com/compute/images) of Google Cloud Console.
+
+## Next steps
+
+In this tutorial, you built a Google Cloud machine image and scanned it for vulnerabilities and misconfigurations with cnspec. Although we ran the one policy, you should now have a general idea of how Packer Plugin Mondoo works, and you should be ready to add any additional policies for your builds.
+
+The GitHub repository for Packer plugin cnspec contains [additional templates](https://github.com/mondoohq/packer-plugin-cnspec/tree/main/examples) for other platforms and cloud environments.
+
+---
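Review bot: In the `provisioner "cnspec"` block of the sample template, `on_failure = "continue"` sits next to `score_threshold = 80`, and by this page's own description of that option the build then never fails on a low score, which undercuts the introduction's claim that images meet your security standards before they reach production. Either drop `on_failure` from the sample or say explicitly that the template only reports and does not gate. In step 7 of "Register with Mondoo Platform", `export MONDOO_CONFIG_BASE64=` ends with no value or placeholder, so the reader is not told to paste the copied credentials there; add an explicit placeholder. The HCL template and the `image_prefix` variable are fenced as `bash` and the other two variable blocks have no language; use one consistent tag. The "Setting Variables" link points at the `legacy_json_templates` docs although the template is HCL. Text nits: missing space in "`~/.packer.d/plugins`directory", "View the image Google Cloud Console" is missing "in", "Packer Plugin Mondoo" appears twice where the rest of the page says Packer plugin cnspec, and "Although we ran the one policy" does not match the sample output, which lists two policies.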
diff --git a/docs/cnspec/cnspec-gcp/gcp-snapshot.mdx b/docs/cnspec/cnspec-gcp/gcp-snapshot.mdx
new file mode 100644
index 000000000..1224cc62a
--- /dev/null
+++ b/docs/cnspec/cnspec-gcp/gcp-snapshot.mdx
@@ -0,0 +1,88 @@
+---
+title: Scan GCP Instances Using Snapshots
+id: gcp-snapshot
+sidebar_label: Scan Instance Snapshots
+displayed_sidebar: cnspec
+sidebar_position: 2
+image: /img/featured_img/mondoo-gcp.jpg
+description: Learn how to scan GCP instances with no impact to your production workload.
+---
+
+cnspec can assess the security of a GCP instance without affecting your production workload. It creates a snapshot of the instance, scans that snapshot, and then removes it.
+
+To snapshot scan a GCP instance, you create a VM instance and scan from that VM. The VM instance from which you scan must have adequate permissions.
+
+## Set up permissions for snapshot scanning
+
+To create and scan a snapshot of a GCP instance, you must create a service account for the VM instance from which you execute the snapshot scan. The service account you create needs specific permissions, which you provide using a custom role.
+
+1. In the [Google Cloud console](https://console.cloud.google.com/iam-admin/roles), create a new role named **cnspec-snapshot-scanner** with these permissions:
+
+ - compute.disks.create
+ - compute.disks.createSnapshot
+ - compute.disks.delete
+ - compute.disks.get
+ - compute.disks.setLabels
+ - compute.disks.use
+ - compute.disks.useReadOnly
+ - compute.instances.attachDisk
+ - compute.instances.detachDisk
+ - compute.instances.get
+ - compute.snapshots.create
+ - compute.snapshots.get
+ - compute.snapshots.list
+ - compute.snapshots.useReadOnly
+ - compute.zoneOperations.get
+
+ To learn how, read [Grant an IAM role by using the Google Cloud console](https://cloud.google.com/iam/docs/grant-role-console) in the GCP documentation.
+
+2. In the [Google Cloud console](https://console.cloud.google.com/projectselector2/iam-admin/serviceaccounts), create a new service account and assign it these roles:
+
+ - cnspec-snapshot-scanner
+ - Service Account User
+
+ To learn how, read [Create service accounts](https://cloud.google.com/iam/docs/service-accounts-create) in the GCP documentation.
+
+## Create a VM from which to run a cnspec snapshot scan
+
+In the [Google Cloud console](https://console.cloud.google.com/compute/instances), create a new VM instance using the service account you created in the previous steps. To learn how, read [Create a VM that uses a user-managed service account](https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances) in the GCP documentation.
+
+:::tip
+
+You can create a VM instance template to make it easier to spin up VM instances for snapshot scanning. To learn how, read [Create instance templates](https://cloud.google.com/compute/docs/instance-templates/create-instance-templates) in the GCP documentation.
+
+:::
+
+## Create, scan, and destroy a snapshot
+
+Connect to the VM instance you created in the steps above and then run:
+
+```bash
+cnspec scan gcp instance INSTANCE-NAME --project-id PROJECT-ID --zone INSTANCE-ZONE
+```
+
+Example:
+
+```bash
+cnspec scan gcp instance lunalectric-rover --project-id rover-123 --zone us-central1-a
+```
+
+## Scan an existing snapshot
+
+cnspec lets you scan a specific, existing snapshot. This gives you insight into the instance's state at a particular point in time. You can also use the data to assess change over a span of time.
+
+To scan an existing snapshot, you must be logged into the instance.
+
+```bash
+cnspec scan gcp snapshot SNAPSHOT-NAME --project-id PROJECT-ID
+```
+
+Example:
+
+```bash
+cnquery scan gcp snapshot suse12 --project-id rover-123
+```
+
+## Next step
+
+Learn how you can [Build Secure VM Images in Google Cloud with cnspec and HashiCorp Packer](/cnspec/cnspec-gcp/cnspec-gcp-packer/).
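Review bot: The example under "Scan an existing snapshot" runs "cnquery scan gcp snapshot suse12 --project-id rover-123" while the syntax line directly above it uses "cnspec scan gcp snapshot"; the example should use cnspec so a reader who copies it gets the documented command. In the permissions section, the intro says cnspec creates a snapshot, scans it, and then removes it, but the cnspec-snapshot-scanner role lists compute.disks.delete and no permission that deletes snapshots; please confirm the list against what the scan actually does and either add the missing permission or say in the text what gets cleaned up. Step 1 asks the reader to create a custom role but links to "Grant an IAM role by using the Google Cloud console", which covers granting rather than creating; link the role-creation page instead. "To scan an existing snapshot, you must be logged into the instance" should say which instance is meant, presumably the scanner VM created earlier rather than the instance the snapshot came from.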
diff --git a/docs/cnspec/cnspec-k8s/README.mdx b/docs/cnspec/cnspec-k8s/README.mdx
new file mode 100644
index 000000000..6cb63275f
--- /dev/null
+++ b/docs/cnspec/cnspec-k8s/README.mdx
@@ -0,0 +1,50 @@
+---
+title: Assess Kubernetes Security with cnspec
+id: cnspec-k8s-intro
+sidebar_label: Get Started
+displayed_sidebar: cnspec
+sidebar_position: 1
+description: Learn how cnspec can assess the security of your Kubernetes infrastructure
+image: /img/featured_img/mondoo-k8s.jpg
+---
+
+cnspec assesses your full Kubernetes environment for misconfigurations that put your organization at risk. You can scan your Kubernetes clusters for compliance with security policies created by Mondoo or the community, or [create your own policies](/cnspec/cnspec-policies/write/). You also can write individual tests to run on the fly or include in automated tasks.
+
+You can also scan Kubernetes manifests to catch misconfigurations. Integrating manifest scanning in your development process can eliminate risks before they reach production.
+
+For a list of Kubernetes resources you can test, read [Mondoo Kubernetes (k8s) Resource Pack Reference](/mql/resources/k8s-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+## Connect cnspec with your Kubernetes environment
+
+### Requirements
+
+To test your Kubernetes environment with cnspec, you must have:
+
+- [cnspec installed on your workstation](/cnspec/).
+- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) installed on your workstation. To ensure that kubectl is successfully installed and you can access your Kubernetes infrastructure, run `kubectl describe nodes`.
+
+### Verify with a quick Kubernetes check
+
+To quickly confirm that cnspec has access to your Kubernetes environment, run this check from your terminal:
+
+```bash
+cnspec run k8s -c 'k8s.deployment.uid != "foo"'
+```
+
+This asserts that none of your deployments are named `foo`. cnspec returns a report listing your deployments. For each, it indicates whether the deployment meets the requirement (not named `foo`):
+
+```coffee
+[passed] k8s.deployment.uid != "foo"
+
+[ok] value: "057e7351-5738-4d3b-bd5f-46d86403c563"
+
+[ok] value: "8038b1f4-020d-4f3f-a1da-8ec86044b9d7"
+
+[ok] value: "aadd280e-4498-4071-8fd0-1fad781a2d07"
+```
+
+## Next step
+
+You've successfully used cnspec to run your first check against your Kubernetes infrastructure. Now you're ready to [explore more Kubernetes information.](/cnspec/cnspec-k8s/cnspec-k8s-cluster)
+
+---
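Review bot: The quick check in "Verify with a quick Kubernetes check" compares k8s.deployment.uid with "foo", but the explanation says it "asserts that none of your deployments are named `foo`" and the sample output lists UIDs, so the query and the prose disagree. Either change the query to test the deployment name, or reword the two sentences to say that no deployment has the UID "foo", which is what the output shows. The link text in "Next step" includes the sentence's period inside the brackets ("[explore more Kubernetes information.]"); move the period outside the link. The trailing "---" at the end of the file separates nothing and can be removed.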
diff --git a/docs/cnspec/cnspec-k8s/cnspec-k8s-cluster.mdx b/docs/cnspec/cnspec-k8s/cnspec-k8s-cluster.mdx
new file mode 100644
index 000000000..e56c525e7
--- /dev/null
+++ b/docs/cnspec/cnspec-k8s/cnspec-k8s-cluster.mdx
@@ -0,0 +1,1054 @@
+---
+title: Assess a Kubernetes Cluster
+id: cnspec-k8s-cluster
+sidebar_label: Assess a Kubernetes Cluster
+displayed_sidebar: cnspec
+sidebar_position: 20
+description: Assess the security and compliance of a Kubernetes cluster
+image: /img/featured_img/mondoo-k8s.jpg
+---
+
+Once you've ensured that [cnspec can access your Kubernetes environment](/cnspec/cnspec-k8s/), you can begin testing. The method you choose depends on your goals:
+
+- For widescale assessment of your Kubernetes infrastructure, scan using policy bundles. These collections of tests work together to present a broad picture of your Kubernetes security posture.
+- To run ad hoc checks against your Kubernetes environment, use cnspec's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnspec and learning MQL.
+
+## Assess Kubernetes security with policy-based scanning
+
+The Kubernetes Security by Mondoo policy is available to all in Mondoo's [cnspec-policies GitHub repo](https://github.com/mondoohq/cnspec-policies/tree/main/core). This collection of tests evaluates how well your environment follows fundamental Kubernetes security best practices. It checks for misconfigurations across your entire Kubernetes infrastructure.
+
+To scan using the Kubernetes Security by Mondoo policy, run:
+
+```bash
+cnspec scan k8s
+```
+
+cnspec finds the default policy for Kubernetes and runs a scan based on that policy. It returns a report summarizing the scan results:
+
+
+Show or hide example scan results.
+
+```coffee
+→ loaded configuration from /Users/user/.config/mondoo/mondoo.yml using source default
+→ using service account credentials
+→ discover related assets for 1 asset(s)
+→ use cluster name from kube config cluster-name=minikube
+→ discovery option auto is used. This will detect the assets: cluster, jobs, cronjobs, pods, statefulsets, deployments, replicasets, daemonsets
+→ resolved assets resolved-assets=20
+→ connecting to asset K8s Cluster minikube (api)
+
+███████████████████████████████████████████████████████████████████████████ 100% K8s Cluster minikube
+→ connecting to asset kube-system/coredns (k8s-object)
+
+███████████████████████████████████████████████████████████████████████████ 100% kube-system/coredns
+→ connecting to asset luna/luna-frontend (k8s-object)
+
+███████████████████████████████████████████████████████████████████████████ 100% luna/luna-frontend
+→ connecting to asset luna/postgres (k8s-object)
+
+███████████████████████████████████████████████████████████████████████████ 100% luna/postgres
+→ connecting to asset kube-system/coredns-565d847f94-zxkk2 (k8s-object)
+
+████████████████████████████████████████████████████████████████ 100% kube-system/coredns-565d847f94-zxkk2
+→ connecting to asset kube-system/etcd-minikube (k8s-object)
+
+███████████████████████████████████████████████████████████████████████████ 100% kube-system/etcd-minikube
+→ connecting to asset kube-system/kube-apiserver-minikube (k8s-object)
+
+█████████████████████████████████████████████████████████████████ 100% kube-system/kube-apiserver-minikube
+→ connecting to asset kube-system/kube-controller-manager-minikube (k8s-object)
+
+████████████████████████████████████████████████████████ 100% kube-system/kube-controller-manager-minikube
+→ connecting to asset kube-system/kube-proxy-cdzrr (k8s-object)
+
+████████████████████████████████████████████████████████████████████████ 100% kube-system/kube-proxy-cdzrr
+→ connecting to asset kube-system/kube-scheduler-minikube (k8s-object)
+
+█████████████████████████████████████████████████████████████████ 100% kube-system/kube-scheduler-minikube
+→ connecting to asset kube-system/storage-provisioner (k8s-object)
+
+█████████████████████████████████████████████████████████████████████ 100% kube-system/storage-provisioner
+→ connecting to asset luna/luna-frontend-7fb96c846b-2k5j7 (k8s-object)
+
+█████████████████████████████████████████████████████████████████ 100% luna/luna-frontend-7fb96c846b-2k5j7
+→ connecting to asset luna/luna-frontend-7fb96c846b-8b94j (k8s-object)
+
+█████████████████████████████████████████████████████████████████ 100% luna/luna-frontend-7fb96c846b-8b94j
+→ connecting to asset luna/luna-frontend-7fb96c846b-jglt9 (k8s-object)
+
+█████████████████████████████████████████████████████████████████ 100% luna/luna-frontend-7fb96c846b-jglt9
+→ connecting to asset luna/postgresql-655d75f54b-btbzv (k8s-object)
+
+██████████████████████████████████████████████████████████████████████ 100% luna/postgresql-655d75f54b-btbzv
+→ connecting to asset luna/postgresql-655d75f54b-qhhxv (k8s-object)
+
+██████████████████████████████████████████████████████████████████████ 100% luna/postgresql-655d75f54b-qhhxv
+→ connecting to asset kube-system/kube-proxy (k8s-object)
+
+███████████████████████████████████████████████████████████████████████████ 100% kube-system/kube-proxy
+→ connecting to asset kube-system/coredns-565d847f94 (k8s-object)
+
+██████████████████████████████████████████████████████████████████████ 100% kube-system/coredns-565d847f94
+→ connecting to asset luna/luna-frontend-7fb96c846b (k8s-object)
+
+███████████████████████████████████████████████████████████████████████ 100% luna/luna-frontend-7fb96c846b
+→ connecting to asset luna/postgresql-655d75f54b (k8s-object)
+
+███████████████████████████████████████████████████████████████████████████ 100% luna/postgresql-655d75f54b
+
+
+Asset: K8s Cluster minikube
+===========================
+Data queries:
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+mondoo.version: "8.11.0"
+platform.title: "Kubernetes Cluster"
+platform.arch: "linux/arm64"
+platform.release: "v1.25.3"
+
+Checks:
+
+Asset: kube-system/coredns
+==========================
+Data queries:
+platform.arch: ""
+platform.title: "Kubernetes Deployment, Kubernetes Cluster"
+platform.release: ""
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+mondoo.version: "8.11.0"
+
+Checks:
+✓ Pass: Container should not mount the CRI-O socket
+✓ Pass: Pod should not run with hostIPC
+✓ Pass: Pod should not run with hostPID
+✓ Pass: Deployments should not bind to a host port
+✓ Pass: Deployments should not run with NET_RAW capability
+✕ Fail: A 80 Container should have a CPU limit
+✓ Pass: Container should request memory
+✓ Pass: Deployments should not run in the default namespace
+✓ Pass: Container should configure a livenessProbe
+. Unknown: Pods should not run Kubernetes dashboard
+✕ Fail: A 80 Container should have a memory limit
+✓ Pass: Container should configure a readinessProbe
+✓ Pass: Container should request CPU
+✓ Pass: Pod should not define hostAliases
+✕ Fail: C 40 Container image pull should be consistent
+✓ Pass: Container should not mount the containerd socket
+✕ Fail: F 0 Container should not run as root
+✓ Pass: Pod should not run with the default service account
+✓ Pass: Container should not allow privilege escalation
+✓ Pass: Deployments should mount any host path volumes as read-only
+✓ Pass: Deployments should not run Tiller (Helm v2)
+✓ Pass: Container should use an immutable root filesystem
+✓ Pass: Container should not mount the Docker socket
+✓ Pass: Container should not run as a privileged container
+✓ Pass: Deployments should not run with SYS_ADMIN capability
+✓ Pass: Pod should not run with hostNetwork
+
+Asset: kube-system/coredns-565d847f94
+=====================================
+Data queries:
+platform.title: "Kubernetes ReplicaSet, Kubernetes Cluster"
+platform.release: ""
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+mondoo.version: "8.11.0"
+platform.arch: ""
+
+Checks:
+✓ Pass: Container should request CPU
+✓ Pass: Container should configure a readinessProbe
+✓ Pass: Container should not mount the containerd socket
+✓ Pass: Pod should not run with hostNetwork
+✓ Pass: Pod should not define hostAliases
+✓ Pass: Container should not mount the Docker socket
+✓ Pass: Container should configure a livenessProbe
+✓ Pass: Pod should not run with hostIPC
+✓ Pass: ReplicaSets should not bind to a host port
+✓ Pass: ReplicaSets should not run with NET_RAW capability
+✓ Pass: Container should have a memory limit
+✓ Pass: Container should not allow privilege escalation
+✓ Pass: ReplicaSets should mount any host path volumes as read-only
+✓ Pass: Container should use an immutable root filesystem
+✓ Pass: Container should not run as a privileged container
+✓ Pass: Pod should not run with the default service account
+✓ Pass: Pod should not run with hostPID
+✕ Fail: C 40 Container image pull should be consistent
+✓ Pass: ReplicaSets should not run in the default namespace
+✕ Fail: F 0 Container should not run as root
+✓ Pass: Container should not mount the CRI-O socket
+✓ Pass: Container should request memory
+✓ Pass: ReplicaSets should not run with SYS_ADMIN capability
+✕ Fail: A 80 Container should have a CPU limit
+
+Asset: kube-system/coredns-565d847f94-zxkk2
+===========================================
+Data queries:
+platform.arch: ""
+mondoo.version: "8.11.0"
+platform.title: "Kubernetes Pod, Kubernetes Cluster"
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+platform.release: ""
+
+Checks:
+✓ Pass: Container should not mount the Docker socket
+✓ Pass: Pods should have an owner
+✓ Pass: Container should not allow privilege escalation
+✓ Pass: Container should not mount the CRI-O socket
+✓ Pass: Workloads should not run in default namespace
+✓ Pass: Container should not mount the containerd socket
+✓ Pass: Container should not run as a privileged container
+✓ Pass: Pods should not run Kubernetes dashboard
+✕ Fail: A 80 Container should have a CPU limit
+✓ Pass: Pod should not run with hostIPC
+✓ Pass: Pod should not define hostAliases
+✓ Pass: Container should configure a readinessProbe
+✓ Pass: Container should use an immutable root filesystem
+✕ Fail: F 0 Container should not run as root
+✕ Fail: C 40 Container image pull should be consistent
+✓ Pass: Pods should not bind to a host port
+✓ Pass: Pod should not run with hostPID
+✓ Pass: Pod should not run with the default service account
+✓ Pass: Pods should not run Tiller (Helm v2)
+✓ Pass: Container should request CPU
+✓ Pass: Container should configure a livenessProbe
+✓ Pass: Container should have a memory limit
+✓ Pass: Pods should not run with NET_RAW capability
+✓ Pass: Pod should not run with hostNetwork
+✓ Pass: Pods should mount any host path volumes as read-only
+✓ Pass: Pods should not run with SYS_ADMIN capability
+✓ Pass: Pods should not bind to a host port
+✓ Pass: Container should request memory
+
+Asset: kube-system/etcd-minikube
+================================
+Data queries:
+platform.arch: ""
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+platform.title: "Kubernetes Pod, Kubernetes Cluster"
+platform.release: ""
+mondoo.version: "8.11.0"
+
+Checks:
+✕ Fail: F 0 Container should not run as root
+✕ Fail: D 20 Pods should mount any host path volumes as read-only
+✓ Pass: Container should request memory
+✓ Pass: Pod should not define hostAliases
+✕ Fail: D 20 Pod should not run with hostNetwork
+✓ Pass: Pods should not run with SYS_ADMIN capability
+✓ Pass: Container should not mount the containerd socket
+✓ Pass: Container should not mount the CRI-O socket
+✓ Pass: Container should not mount the Docker socket
+✓ Pass: Pod should not run with hostPID
+✓ Pass: Pod should not run with hostIPC
+✕ Fail: D 20 Pods should not run with NET_RAW capability
+✓ Pass: Container should not run as a privileged container
+✓ Pass: Pods should not bind to a host port
+✓ Pass: Container should configure a livenessProbe
+✓ Pass: Pod should not run with the default service account
+✕ Fail: A 80 Container should have a memory limit
+✓ Pass: Pods should have an owner
+✓ Pass: Container should request CPU
+✕ Fail: C 40 Container image pull should be consistent
+✕ Fail: D 20 Container should use an immutable root filesystem
+✓ Pass: Container should not allow privilege escalation
+✓ Pass: Workloads should not run in default namespace
+✕ Fail: A 80 Container should have a CPU limit
+. Unknown: Pods should not run Kubernetes dashboard
+. Unknown: Pods should not run Tiller (Helm v2)
+✓ Pass: Pods should not bind to a host port
+✕ Fail: A 80 Container should configure a readinessProbe
+
+Asset: kube-system/kube-apiserver-minikube
+==========================================
+Data queries:
+platform.arch: ""
+platform.title: "Kubernetes Pod, Kubernetes Cluster"
+platform.release: ""
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+mondoo.version: "8.11.0"
+
+Checks:
+. Unknown: Pods should not run Kubernetes dashboard
+✕ Fail: A 80 Container should request memory
+✓ Pass: Workloads should not run in default namespace
+✓ Pass: Pod should not run with hostPID
+✓ Pass: Pod should not run with hostIPC
+✕ Fail: C 40 Container image pull should be consistent
+✓ Pass: Container should configure a livenessProbe
+✓ Pass: Container should request CPU
+✓ Pass: Container should configure a readinessProbe
+✓ Pass: Container should not mount the Docker socket
+✓ Pass: Pods should not bind to a host port
+✓ Pass: Container should not run as a privileged container
+✓ Pass: Pods should have an owner
+✓ Pass: Pods should not run with SYS_ADMIN capability
+✓ Pass: Container should not mount the containerd socket
+✕ Fail: D 20 Pod should not run with hostNetwork
+✕ Fail: F 0 Container should not run as root
+✕ Fail: A 80 Container should have a CPU limit
+✓ Pass: Pods should not bind to a host port
+✓ Pass: Pod should not define hostAliases
+✓ Pass: Container should not allow privilege escalation
+✓ Pass: Pods should mount any host path volumes as read-only
+. Unknown: Pods should not run Tiller (Helm v2)
+✕ Fail: A 80 Container should have a memory limit
+✓ Pass: Pod should not run with the default service account
+✕ Fail: D 20 Pods should not run with NET_RAW capability
+✓ Pass: Container should not mount the CRI-O socket
+✕ Fail: D 20 Container should use an immutable root filesystem
+
+Asset: kube-system/kube-controller-manager-minikube
+===================================================
+Data queries:
+platform.arch: ""
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+platform.release: ""
+mondoo.version: "8.11.0"
+platform.title: "Kubernetes Pod, Kubernetes Cluster"
+
+Checks:
+✓ Pass: Pods should not bind to a host port
+✕ Fail: D 20 Pods should mount any host path volumes as read-only
+✓ Pass: Container should not run as a privileged container
+✓ Pass: Container should not mount the CRI-O socket
+✓ Pass: Workloads should not run in default namespace
+✓ Pass: Pod should not run with the default service account
+✕ Fail: A 80 Container should request memory
+. Unknown: Pods should not run Tiller (Helm v2)
+✓ Pass: Pod should not run with hostIPC
+✕ Fail: A 80 Container should have a memory limit
+✓ Pass: Container should configure a livenessProbe
+✕ Fail: C 40 Container image pull should be consistent
+✕ Fail: A 80 Container should configure a readinessProbe
+✕ Fail: D 20 Container should use an immutable root filesystem
+✓ Pass: Pod should not run with hostPID
+✓ Pass: Container should not mount the containerd socket
+✓ Pass: Pods should not bind to a host port
+✕ Fail: D 20 Pods should not run with NET_RAW capability
+. Unknown: Pods should not run Kubernetes dashboard
+✕ Fail: F 0 Container should not run as root
+✓ Pass: Pods should not run with SYS_ADMIN capability
+✓ Pass: Container should not mount the Docker socket
+✕ Fail: A 80 Container should have a CPU limit
+✓ Pass: Pods should have an owner
+✓ Pass: Container should request CPU
+✕ Fail: D 20 Pod should not run with hostNetwork
+✓ Pass: Container should not allow privilege escalation
+✓ Pass: Pod should not define hostAliases
+
+Asset: kube-system/kube-proxy
+=============================
+Data queries:
+platform.arch: ""
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+mondoo.version: "8.11.0"
+platform.title: "Kubernetes DaemonSet, Kubernetes Cluster"
+platform.release: ""
+
+Checks:
+✓ Pass: Pod should not run with hostIPC
+✕ Fail: A 80 Container should have a CPU limit
+✓ Pass: Container should not mount the containerd socket
+✕ Fail: F 0 Container should not run as root
+✓ Pass: DaemonSets should not run with SYS_ADMIN capability
+✕ Fail: A 80 Container should configure a livenessProbe
+✕ Fail: C 40 Container image pull should be consistent
+✕ Fail: D 20 Pod should not run with hostNetwork
+✕ Fail: D 20 Container should use an immutable root filesystem
+✓ Pass: Pod should not run with the default service account
+✕ Fail: A 80 Container should configure a readinessProbe
+✕ Fail: A 80 Container should have a memory limit
+✓ Pass: Container should not allow privilege escalation
+✓ Pass: DaemonSets should not run in the default namespace
+✓ Pass: Pod should not define hostAliases
+✕ Fail: D 20 DaemonSets should not run with NET_RAW capability
+✓ Pass: Pod should not run with hostPID
+✓ Pass: Container should not mount the CRI-O socket
+✓ Pass: Container should not mount the Docker socket
+✕ Fail: A 80 Container should request CPU
+✕ Fail: D 20 DaemonSets should mount any host path volumes as read-only
+✕ Fail: F 0 Container should not run as a privileged container
+✕ Fail: A 80 Container should request memory
+✓ Pass: DaemonSets should not bind to a host port
+
+Asset: kube-system/kube-proxy-cdzrr
+===================================
+Data queries:
+platform.arch: ""
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+mondoo.version: "8.11.0"
+platform.release: ""
+platform.title: "Kubernetes Pod, Kubernetes Cluster"
+
+Checks:
+✓ Pass: Pod should not run with the default service account
+. Unknown: Pods should not run Tiller (Helm v2)
+✕ Fail: A 80 Container should have a memory limit
+✓ Pass: Pods should not run with SYS_ADMIN capability
+✕ Fail: C 40 Container image pull should be consistent
+✕ Fail: D 20 Pods should mount any host path volumes as read-only
+✕ Fail: A 80 Container should configure a livenessProbe
+✓ Pass: Pod should not run with hostPID
+✕ Fail: A 80 Container should request memory
+✓ Pass: Container should not mount the Docker socket
+✓ Pass: Container should not mount the CRI-O socket
+✓ Pass: Pods should not bind to a host port
+. Unknown: Pods should not run Kubernetes dashboard
+✕ Fail: D 20 Container should use an immutable root filesystem
+✕ Fail: A 80 Container should request CPU
+✓ Pass: Pod should not define hostAliases
+✕ Fail: D 20 Pod should not run with hostNetwork
+✓ Pass: Container should not allow privilege escalation
+✕ Fail: A 80 Container should configure a readinessProbe
+✓ Pass: Container should not mount the containerd socket
+✕ Fail: D 20 Pods should not run with NET_RAW capability
+✓ Pass: Pods should have an owner
+✓ Pass: Pods should not bind to a host port
+✓ Pass: Pod should not run with hostIPC
+✕ Fail: F 0 Container should not run as root
+✕ Fail: A 80 Container should have a CPU limit
+✕ Fail: F 0 Container should not run as a privileged container
+✓ Pass: Workloads should not run in default namespace
+
+Asset: kube-system/kube-scheduler-minikube
+==========================================
+Data queries:
+platform.release: ""
+platform.title: "Kubernetes Pod, Kubernetes Cluster"
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+platform.arch: ""
+mondoo.version: "8.11.0"
+
+Checks:
+✕ Fail: A 80 Container should have a CPU limit
+✕ Fail: D 20 Pods should not run with NET_RAW capability
+✕ Fail: A 80 Container should have a memory limit
+✓ Pass: Pods should not bind to a host port
+✕ Fail: D 20 Pod should not run with hostNetwork
+✓ Pass: Pod should not run with the default service account
+✓ Pass: Workloads should not run in default namespace
+✕ Fail: C 40 Container image pull should be consistent
+✓ Pass: Pods should not run with SYS_ADMIN capability
+✓ Pass: Pods should not bind to a host port
+✓ Pass: Pods should mount any host path volumes as read-only
+✓ Pass: Container should request CPU
+✓ Pass: Container should not mount the CRI-O socket
+✓ Pass: Pod should not run with hostPID
+✕ Fail: A 80 Container should configure a readinessProbe
+. Unknown: Pods should not run Kubernetes dashboard
+✓ Pass: Container should not mount the Docker socket
+✓ Pass: Pods should have an owner
+. Unknown: Pods should not run Tiller (Helm v2)
+✓ Pass: Container should not run as a privileged container
+✓ Pass: Container should not mount the containerd socket
+✓ Pass: Container should not allow privilege escalation
+✕ Fail: A 80 Container should request memory
+✓ Pass: Pod should not define hostAliases
+✓ Pass: Container should configure a livenessProbe
+✕ Fail: F 0 Container should not run as root
+✕ Fail: D 20 Container should use an immutable root filesystem
+✓ Pass: Pod should not run with hostIPC
+
+Asset: kube-system/storage-provisioner
+======================================
+Data queries:
+platform.title: "Kubernetes Pod, Kubernetes Cluster"
+platform.arch: ""
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+mondoo.version: "8.11.0"
+platform.release: ""
+
+Checks:
+✓ Pass: Pods should not run with SYS_ADMIN capability
+. Unknown: Pods should not run Tiller (Helm v2)
+. Unknown: Pods should not run Kubernetes dashboard
+✕ Fail: D 20 Pods should not run with NET_RAW capability
+✓ Pass: Container should not mount the CRI-O socket
+✓ Pass: Pods should not bind to a host port
+✕ Fail: C 40 Container image pull should be consistent
+✕ Fail: A 80 Container should have a CPU limit
+✕ Fail: D 20 Pods should mount any host path volumes as read-only
+. Skipped: Container should configure a readinessProbe
+✕ Fail: D 20 Container should use an immutable root filesystem
+✕ Fail: D 20 Pod should not run with hostNetwork
+✓ Pass: Pods should not bind to a host port
+✓ Pass: Container should not mount the Docker socket
+. Skipped: Container should configure a livenessProbe
+✓ Pass: Pod should not define hostAliases
+✕ Fail: A 80 Container should request CPU
+✕ Fail: A 80 Container should request memory
+✓ Pass: Container should not allow privilege escalation
+✓ Pass: Workloads should not run in default namespace
+✕ Fail: A 80 Container should have a memory limit
+✓ Pass: Container should not run as a privileged container
+✓ Pass: Pod should not run with the default service account
+✓ Pass: Pod should not run with hostIPC
+✓ Pass: Pod should not run with hostPID
+✕ Fail: C 50 Pods should have an owner
+✕ Fail: F 0 Container should not run as root
+✓ Pass: Container should not mount the containerd socket
+
+Asset: luna/luna-frontend
+=========================
+Data queries:
+platform.arch: ""
+platform.release: ""
+platform.title: "Kubernetes Deployment, Kubernetes Cluster"
+mondoo.version: "8.11.0"
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+
+Checks:
+✓ Pass: Pod should not run with hostNetwork
+✕ Fail: A 80 Container should request CPU
+✓ Pass: Deployments should not run in the default namespace
+✕ Fail: A 80 Container should request memory
+✕ Fail: A 80 Container should configure a readinessProbe
+✕ Fail: C 40 Container image pull should be consistent
+✕ Fail: A 80 Container should have a CPU limit
+✓ Pass: Container should not mount the Docker socket
+✕ Fail: F 0 Container should not run as root
+✓ Pass: Container should not mount the CRI-O socket
+✓ Pass: Container should not mount the containerd socket
+✓ Pass: Pod should not run with the default service account
+. Unknown: Pods should not run Kubernetes dashboard
+✓ Pass: Pod should not run with hostIPC
+✓ Pass: Deployments should not bind to a host port
+✓ Pass: Pod should not define hostAliases
+✓ Pass: Pod should not run with hostPID
+✕ Fail: D 20 Container should use an immutable root filesystem
+✕ Fail: D 20 Deployments should not run with NET_RAW capability
+✕ Fail: A 80 Container should configure a livenessProbe
+✓ Pass: Container should not allow privilege escalation
+. Unknown: Deployments should not run Tiller (Helm v2)
+✕ Fail: A 80 Container should have a memory limit
+✓ Pass: Deployments should mount any host path volumes as read-only
+✓ Pass: Container should not run as a privileged container
+✓ Pass: Deployments should not run with SYS_ADMIN capability
+
+Asset: luna/luna-frontend-7fb96c846b
+====================================
+Data queries:
+mondoo.version: "8.11.0"
+platform.arch: ""
+platform.release: ""
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+platform.title: "Kubernetes ReplicaSet, Kubernetes Cluster"
+
+Checks:
+✕ Fail: A 80 Container should have a memory limit
+✕ Fail: A 80 Container should request CPU
+✓ Pass: Pod should not run with hostPID
+✕ Fail: D 20 ReplicaSets should not run with NET_RAW capability
+✕ Fail: D 20 Container should use an immutable root filesystem
+✓ Pass: Container should not mount the containerd socket
+✓ Pass: Container should not mount the CRI-O socket
+✕ Fail: A 80 Container should configure a readinessProbe
+✓ Pass: ReplicaSets should not run in the default namespace
+✕ Fail: A 80 Container should request memory
+✓ Pass: Pod should not run with hostIPC
+✓ Pass: ReplicaSets should not run with SYS_ADMIN capability
+✕ Fail: A 80 Container should configure a livenessProbe
+✓ Pass: Container should not allow privilege escalation
+✕ Fail: F 0 Container should not run as root
+✓ Pass: Pod should not define hostAliases
+✓ Pass: Pod should not run with the default service account
+✕ Fail: A 80 Container should have a CPU limit
+✓ Pass: Pod should not run with hostNetwork
+✓ Pass: Container should not mount the Docker socket
+✓ Pass: ReplicaSets should mount any host path volumes as read-only
+✓ Pass: ReplicaSets should not bind to a host port
+✕ Fail: C 40 Container image pull should be consistent
+✓ Pass: Container should not run as a privileged container
+
+Asset: luna/luna-frontend-7fb96c846b-2k5j7
+==========================================
+Data queries:
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+platform.release: ""
+platform.title: "Kubernetes Pod, Kubernetes Cluster"
+platform.arch: ""
+mondoo.version: "8.11.0"
+
+Checks:
+✓ Pass: Container should not mount the Docker socket
+✓ Pass: Pod should not run with hostIPC
+✓ Pass: Workloads should not run in default namespace
+. Unknown: Pods should not run Tiller (Helm v2)
+✓ Pass: Pods should not bind to a host port
+✓ Pass: Container should not allow privilege escalation
+✓ Pass: Pods should not run with SYS_ADMIN capability
+✓ Pass: Pod should not run with hostNetwork
+✕ Fail: A 80 Container should have a memory limit
+✕ Fail: F 0 Container should not run as root
+✕ Fail: C 40 Container image pull should be consistent
+✓ Pass: Pod should not run with hostPID
+✓ Pass: Container should not mount the containerd socket
+✓ Pass: Pods should mount any host path volumes as read-only
+✕ Fail: A 80 Container should configure a livenessProbe
+✕ Fail: D 20 Container should use an immutable root filesystem
+✓ Pass: Container should not mount the CRI-O socket
+✕ Fail: A 80 Container should request CPU
+✓ Pass: Container should not run as a privileged container
+✕ Fail: D 20 Pods should not run with NET_RAW capability
+✕ Fail: A 80 Container should configure a readinessProbe
+✓ Pass: Pod should not define hostAliases
+✕ Fail: A 80 Container should have a CPU limit
+✕ Fail: A 80 Container should request memory
+✓ Pass: Pods should not bind to a host port
+✕ Fail: B 70 Pod should not run with the default service account
+. Unknown: Pods should not run Kubernetes dashboard
+✓ Pass: Pods should have an owner
+
+Asset: luna/luna-frontend-7fb96c846b-8b94j
+==========================================
+Data queries:
+mondoo.version: "8.11.0"
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+platform.arch: ""
+platform.title: "Kubernetes Pod, Kubernetes Cluster"
+platform.release: ""
+
+Checks:
+✓ Pass: Pods should not bind to a host port
+✕ Fail: A 80 Container should have a memory limit
+✕ Fail: C 40 Container image pull should be consistent
+✕ Fail: B 70 Pod should not run with the default service account
+✓ Pass: Pod should not run with hostNetwork
+✕ Fail: A 80 Container should configure a livenessProbe
+✓ Pass: Container should not allow privilege escalation
+. Unknown: Pods should not run Kubernetes dashboard
+✓ Pass: Container should not mount the containerd socket
+✓ Pass: Container should not mount the CRI-O socket
+✕ Fail: D 20 Pods should not run with NET_RAW capability
+. Unknown: Pods should not run Tiller (Helm v2)
+✕ Fail: A 80 Container should configure a readinessProbe
+✓ Pass: Pods should not bind to a host port
+✕ Fail: A 80 Container should request memory
+✓ Pass: Pods should have an owner
+✓ Pass: Workloads should not run in default namespace
+✓ Pass: Pod should not run with hostIPC
+✓ Pass: Container should not mount the Docker socket
+✓ Pass: Pod should not run with hostPID
+✕ Fail: D 20 Container should use an immutable root filesystem
+✓ Pass: Pods should not run with SYS_ADMIN capability
+✓ Pass: Pods should mount any host path volumes as read-only
+✕ Fail: A 80 Container should request CPU
+✓ Pass: Pod should not define hostAliases
+✕ Fail: F 0 Container should not run as root
+✓ Pass: Container should not run as a privileged container
+✕ Fail: A 80 Container should have a CPU limit
+
+Asset: luna/luna-frontend-7fb96c846b-jglt9
+==========================================
+Data queries:
+platform.arch: ""
+platform.release: ""
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+platform.title: "Kubernetes Pod, Kubernetes Cluster"
+mondoo.version: "8.11.0"
+
+Checks:
+✕ Fail: D 20 Pods should not run with NET_RAW capability
+✕ Fail: A 80 Container should configure a livenessProbe
+✕ Fail: A 80 Container should request memory
+. Unknown: Pods should not run Kubernetes dashboard
+✓ Pass: Container should not mount the Docker socket
+✓ Pass: Container should not mount the CRI-O socket
+✓ Pass: Pods should have an owner
+. Unknown: Pods should not run Tiller (Helm v2)
+✓ Pass: Pod should not define hostAliases
+✕ Fail: A 80 Container should have a CPU limit
+✓ Pass: Pod should not run with hostNetwork
+✕ Fail: C 40 Container image pull should be consistent
+✕ Fail: A 80 Container should have a memory limit
+✕ Fail: F 0 Container should not run as root
+✓ Pass: Container should not run as a privileged container
+✓ Pass: Pods should not run with SYS_ADMIN capability
+✕ Fail: B 70 Pod should not run with the default service account
+✓ Pass: Pod should not run with hostIPC
+✕ Fail: A 80 Container should configure a readinessProbe
+✓ Pass: Container should not mount the containerd socket
+✓ Pass: Pods should not bind to a host port
+✕ Fail: A 80 Container should request CPU
+✓ Pass: Pods should mount any host path volumes as read-only
+✓ Pass: Container should not allow privilege escalation
+✓ Pass: Pods should not bind to a host port
+✕ Fail: D 20 Container should use an immutable root filesystem
+✓ Pass: Workloads should not run in default namespace
+✓ Pass: Pod should not run with hostPID
+
+Asset: luna/postgresql
+======================
+Data queries:
+platform.arch: ""
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+platform.title: "Kubernetes Deployment, Kubernetes Cluster"
+mondoo.version: "8.11.0"
+platform.release: ""
+
+Checks:
+✓ Pass: Deployments should not bind to a host port
+✕ Fail: A 80 Container should request memory
+✓ Pass: Pod should not run with hostNetwork
+✓ Pass: Pod should not define hostAliases
+. Unknown: Deployments should not run Tiller (Helm v2)
+✓ Pass: Deployments should mount any host path volumes as read-only
+✓ Pass: Deployments should not run with SYS_ADMIN capability
+✓ Pass: Deployments should not run in the default namespace
+✓ Pass: Container should not mount the CRI-O socket
+✕ Fail: F 0 Container should not run as root
+✕ Fail: D 20 Deployments should not run with NET_RAW capability
+✕ Fail: A 80 Container should have a memory limit
+✕ Fail: D 20 Container should use an immutable root filesystem
+✓ Pass: Container should not mount the Docker socket
+✕ Fail: A 80 Container should request CPU
+. Unknown: Pods should not run Kubernetes dashboard
+✓ Pass: Pod should not run with hostIPC
+✕ Fail: C 40 Container image pull should be consistent
+✓ Pass: Container should not mount the containerd socket
+✕ Fail: A 80 Container should have a CPU limit
+✓ Pass: Pod should not run with hostPID
+✓ Pass: Container should not run as a privileged container
+✓ Pass: Container should not allow privilege escalation
+✕ Fail: A 80 Container should configure a livenessProbe
+✓ Pass: Pod should not run with the default service account
+✕ Fail: A 80 Container should configure a readinessProbe
+
+Asset: luna/postgresql-655d75f54b
+=================================
+Data queries:
+mondoo.version: "8.11.0"
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+platform.arch: ""
+platform.title: "Kubernetes ReplicaSet, Kubernetes Cluster"
+platform.release: ""
+
+Checks:
+✓ Pass: Container should not run as a privileged container
+✓ Pass: Pod should not run with hostPID
+✕ Fail: A 80 Container should request memory
+✕ Fail: A 80 Container should configure a readinessProbe
+✓ Pass: Pod should not define hostAliases
+✓ Pass: ReplicaSets should not bind to a host port
+✓ Pass: Pod should not run with hostNetwork
+✓ Pass: ReplicaSets should mount any host path volumes as read-only
+✕ Fail: A 80 Container should have a memory limit
+✓ Pass: ReplicaSets should not run with SYS_ADMIN capability
+✕ Fail: C 40 Container image pull should be consistent
+✕ Fail: A 80 Container should have a CPU limit
+✕ Fail: D 20 Container should use an immutable root filesystem
+✕ Fail: D 20 ReplicaSets should not run with NET_RAW capability
+✓ Pass: ReplicaSets should not run in the default namespace
+✓ Pass: Container should not mount the containerd socket
+✓ Pass: Container should not allow privilege escalation
+✕ Fail: F 0 Container should not run as root
+✓ Pass: Container should not mount the Docker socket
+✕ Fail: A 80 Container should request CPU
+✕ Fail: A 80 Container should configure a livenessProbe
+✓ Pass: Pod should not run with hostIPC
+✓ Pass: Container should not mount the CRI-O socket
+✓ Pass: Pod should not run with the default service account
+
+Asset: luna/postgresql-655d75f54b-btbzv
+=======================================
+Data queries:
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+platform.title: "Kubernetes Pod, Kubernetes Cluster"
+mondoo.version: "8.11.0"
+platform.release: ""
+platform.arch: ""
+
+Checks:
+✕ Fail: C 40 Container image pull should be consistent
+. Unknown: Pods should not run Kubernetes dashboard
+✓ Pass: Pods should mount any host path volumes as read-only
+✓ Pass: Container should not run as a privileged container
+✓ Pass: Pods should have an owner
+. Unknown: Pods should not run Tiller (Helm v2)
+✕ Fail: A 80 Container should request memory
+✓ Pass: Pods should not bind to a host port
+✕ Fail: A 80 Container should configure a livenessProbe
+✕ Fail: B 70 Pod should not run with the default service account
+✓ Pass: Container should not mount the Docker socket
+✕ Fail: A 80 Container should configure a readinessProbe
+✕ Fail: D 20 Pods should not run with NET_RAW capability
+✓ Pass: Pod should not run with hostNetwork
+✕ Fail: A 80 Container should have a CPU limit
+✓ Pass: Pod should not run with hostPID
+✓ Pass: Container should not mount the containerd socket
+✕ Fail: A 80 Container should have a memory limit
+✓ Pass: Pod should not define hostAliases
+✓ Pass: Container should not allow privilege escalation
+✕ Fail: A 80 Container should request CPU
+✓ Pass: Pods should not bind to a host port
+✕ Fail: F 0 Container should not run as root
+✓ Pass: Workloads should not run in default namespace
+✓ Pass: Pods should not run with SYS_ADMIN capability
+✓ Pass: Pod should not run with hostIPC
+✓ Pass: Container should not mount the CRI-O socket
+✕ Fail: D 20 Container should use an immutable root filesystem
+
+Asset: luna/postgresql-655d75f54b-qhhxv
+=======================================
+Data queries:
+platform.release: ""
+mondoo.version: "8.11.0"
+platform.title: "Kubernetes Pod, Kubernetes Cluster"
+platform.arch: ""
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+
+Checks:
+✕ Fail: D 20 Container should use an immutable root filesystem
+✓ Pass: Pods should not bind to a host port
+✕ Fail: A 80 Container should have a memory limit
+✓ Pass: Pod should not run with hostNetwork
+✓ Pass: Pods should not run with SYS_ADMIN capability
+✕ Fail: F 0 Container should not run as root
+✓ Pass: Pods should mount any host path volumes as read-only
+✓ Pass: Container should not mount the Docker socket
+✕ Fail: C 40 Container image pull should be consistent
+. Unknown: Pods should not run Tiller (Helm v2)
+✓ Pass: Pod should not run with hostPID
+✓ Pass: Pod should not define hostAliases
+✓ Pass: Pod should not run with hostIPC
+. Unknown: Pods should not run Kubernetes dashboard
+✕ Fail: A 80 Container should configure a readinessProbe
+✕ Fail: A 80 Container should configure a livenessProbe
+✕ Fail: A 80 Container should request memory
+✓ Pass: Container should not mount the containerd socket
+✓ Pass: Workloads should not run in default namespace
+✓ Pass: Pods should not bind to a host port
+✓ Pass: Container should not run as a privileged container
+✓ Pass: Pods should have an owner
+✓ Pass: Container should not allow privilege escalation
+✕ Fail: B 70 Pod should not run with the default service account
+✕ Fail: A 80 Container should request CPU
+✕ Fail: A 80 Container should have a CPU limit
+✓ Pass: Container should not mount the CRI-O socket
+✕ Fail: D 20 Pods should not run with NET_RAW capability
+```
+
+
+
+:::tip
+
+To see scan results in full detail, run:
+
+```bash
+cnspec scan k8s -o full
+```
+
+:::
+
+You can also create your own policies to meet your specific needs. To learn more about policies, read [Policies](/cnspec/cnspec-policies/).
+
+## Test Kubernetes with the cnspec shell
+
+The cnspec shell is handy for quick checks and tests, or for developing your MQL skills. Its auto-complete and help features guide you in writing checks.
+
+To launch a shell into your Kubernetes environment, enter:
+
+```bash
+cnspec shell k8s
+```
+
+cnquery automatically discovers all the Kubernetes assets available to query:
+
+```text
+→ resolved assets resolved-assets=20
+
+ Available assets
+
+ 8. luna/luna-frontend-7fb96c846b-2k5j7 (k8s-pod)
+ > 9. luna/luna-frontend-7fb96c846b-8b94j (k8s-pod)
+ 10. luna/luna-frontend-7fb96c846b-jglt9 (k8s-pod)
+ 11. kube-system/kube-controller-manager-minikube (k8s-pod)
+ 12. kube-system/kube-proxy-cdzrr (k8s-pod)
+ 13. kube-system/kube-scheduler-minikube (k8s-pod)
+ 14. kube-system/storage-provisioner (k8s-pod)
+
+ •••
+```
+
+Arrow through the list and select Enter to choose the asset you want to explore.
+
+### Discover capabilities with the `help` command
+
+Once inside the shell, use the `help` command to learn what Kubernetes resources you can test. This command lists all the Kubernetes resources:
+
+```coffee
+help k8s
+```
+
+From the resulting list, you can drill down further. For example, enter this command to list all the Kubernetes service resources you can test:
+
+```coffee
+help k8s.service
+```
+
+From the resulting list, you can drill down even further. You can also learn about available Kubernetes resources in the [Mondoo Kubernetes (K8s) Resource Pack Reference](/mql/resources/k8s-pack/).
+
+### Run tests in the cnspec shell
+
+Now that you know how to discover what's possible with cnspec, let's run some actual tests in the shell.
+
+#### Ensure that Pods aren't managed by HostAliases
+
+This test assures that DNS entries aren't managed locally using `/etc/hosts` within Pods:
+
+```coffee
+k8s.pod { podSpec['hostAliases'] == null }
+```
+
+If the test passes (no Pods are managed using HostAliases) then cnspec returns `ok`. If the test fails, (one or more Pods are managed using HostAliases) then cnspec provides details about the failure.
+
+#### Test workload management
+
+This test asserts that you don't run any workloads in the default namespace:
+
+```coffee
+k8s.pods { namespace != "default" }
+```
+
+cnspec lists the individual Pod results:
+
+```coffee
+k8s.pods: [
+ 0: {
+ namespace != "default": false
+ }
+ 1: {
+ namespace != "default": true
+ }
+ 2: {
+ namespace != "default": true
+ }
+ 3: {
+ namespace != "default": true
+ }
+
+...
+
+]
+```
+
+#### Specify fields to include in results
+
+If you need more information in the results, specify the fields you want in braces. For example, this is the same test as above, but also asks for each Pod's ID, name, date created, and namespace:
+
+```coffee
+k8s.pods { namespace != "default" id name created namespace }
+```
+
+cnspec returns detailed results like this:
+
+```coffee
+k8s.pods: [
+ 0: {
+ namespace: "default"
+ name: "coredns-565d847f94-zxkk2"
+ created: 2022-12-14 15:17:51 -0800 PST
+ id: "pod:kube-system:coredns-565d847f94-zxkk2"
+ namespace != "default": false
+ }
+ 1: {
+ namespace: "luna"
+ name: "luna-frontend-7fb96c846b-2k5j7"
+ created: 2022-12-14 15:28:23 -0800 PST
+ id: "pod:luna:luna-frontend-7fb96c846b-2k5j7"
+ namespace != "default": true
+ }
+ 2: {
+ namespace: "luna"
+ name: "luna-frontend-7fb96c846b-8b94j"
+ created: 2022-12-14 15:28:23 -0800 PST
+ id: "pod:luna:luna-frontend-7fb96c846b-8b94j"
+ namespace != "default": true
+ }
+ 3: {
+ namespace: "luna"
+ name: "luna-frontend-7fb96c846b-jglt9"
+ created: 2022-12-14 15:28:23 -0800 PST
+ id: "pod:luna:luna-frontend-7fb96c846b-jglt9"
+ namespace != "default": true
+ }
+
+...
+
+]
+```
+
+### Learn more about writing tests against Kubernetes clusters
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+- For a list of all the Kubernetes resources and fields you can query, read the [Mondoo Kubernetes (K8s) Resource Pack Reference](/mql/resources/k8s-pack/).
+
+### Exit the cnspec shell
+
+To exit the cnspec shell, either press `Ctrl + D` or type `exit`.
+
+## Next step
+
+Now that you've scanned your Kubernetes environment and run tests using the cnquery shell, you're ready to dive deeper and [test Kubernetes manifests](/cnspec/cnspec-k8s/cnspec-k8s-manifest/).
+
+---
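Review bot: The sample output under "Specify fields to include in results" contradicts itself: entry 0 reports `namespace: "default"` while its `id` is `pod:kube-system:coredns-565d847f94-zxkk2`, so a reader cannot tell which namespace actually failed the check. Make the namespace and the id agree. Separately, the HostAliases example queries `k8s.pod { ... }` while every other example on the page uses `k8s.pods`; if the singular form is not intended, change it so the check iterates over all Pods, which is what the surrounding text describes. The page also says "cnquery automatically discovers" and, in the Next step paragraph, "the cnquery shell", although the section documents `cnspec shell k8s`; pick one tool name.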
diff --git a/docs/cnspec/cnspec-k8s/cnspec-k8s-manifest.mdx b/docs/cnspec/cnspec-k8s/cnspec-k8s-manifest.mdx
new file mode 100644
index 000000000..3620e9646
--- /dev/null
+++ b/docs/cnspec/cnspec-k8s/cnspec-k8s-manifest.mdx
@@ -0,0 +1,163 @@
+---
+title: Assess a Kubernetes Manifest
+id: cnspec-k8s-manifest
+sidebar_label: Assess a Kubernetes Manifest
+displayed_sidebar: cnspec
+sidebar_position: 30
+description: Assess the security and compliance of a Kubernetes Manifest
+image: /img/featured_img/mondoo-k8s.jpg
+---
+
+Use cnspec to scan Kubernetes manifests for security and best practices. You can assess manifests using the same policies that you rely on for testing your live clusters.
+
+To scan a Kubernetes manifest, you need a Kubernetes policy. If you haven't already [downloaded the Kubernetes Security by Mondoo policy](/cnspec/cnspec-k8s/cnspec-k8s-cluster/#assess-kubernetes-security-with-policy-based-scanning), do so now.
+
+From the directory where you downloaded the policy, run:
+
+```bash
+cnspec scan k8s MANIFESTFILE
+```
+
+For MANIFESTFILE, substitute the path to the manifest file you want to scan. For example, run:
+
+```bash
+cnspec scan k8s luna-postgres.yml
+```
+
+cnspec returns a report summarizing the scan results.
+
+
+Show or hide example scan results.
+
+```
+→ loaded configuration from /Users/user/.config/mondoo/mondoo.yml using source default
+→ using service account credentials
+→ discover related assets for 1 asset(s)
+→ discovery option auto is used. This will detect the assets: cluster, jobs, cronjobs, pods, statefulsets, deployments, replicasets, daemonsets
+→ resolved assets resolved-assets=3
+→ connecting to asset K8s Manifest luna-postgres (code)
+
+██████████████████████████████████████████████████████████████████████████ 100% K8s Manifest luna-postgres
+→ connecting to asset luna/postgresql (k8s-object)
+
+███████████████████████████████████████████████████████████████████████████ 100% luna/postgres
+→ connecting to asset luna/postgresql-secondary (k8s-object)
+
+███████████████████████████████████████████████████████████████████████████ 100% luna/postgresql-secondary
+
+
+Asset: K8s Manifest luna-postgresql
+===================================
+Data queries:
+mondoo.version: "8.11.0"
+platform.title: "Kubernetes Manifest"
+platform.release: ""
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+platform.arch: ""
+
+Checks:
+
+Asset: luna/postgresql
+======================
+Data queries:
+platform.arch: ""
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+platform.title: "Kubernetes Deployment, Kubernetes Manifest File"
+mondoo.version: "8.11.0"
+platform.release: ""
+
+Checks:
+✓ Pass: Pod should not run with hostNetwork
+✓ Pass: Deployments should not run in the default namespace
+✕ Fail: A 80 Container should configure a livenessProbe
+. Unknown: Pods should not run Kubernetes dashboard
+✕ Fail: F 0 Container should not run as root
+✓ Pass: Container should not allow privilege escalation
+✕ Fail: C 40 Container image pull should be consistent
+✕ Fail: A 80 Container should have a memory limit
+✕ Fail: D 20 Container should use an immutable root filesystem
+✓ Pass: Pod should not run with hostIPC
+✕ Fail: A 80 Container should configure a readinessProbe
+✕ Fail: D 20 Deployments should not run with NET_RAW capability
+✓ Pass: Container should not mount the CRI-O socket
+✓ Pass: Deployments should not run with SYS_ADMIN capability
+✓ Pass: Deployments should mount any host path volumes as read-only
+✕ Fail: A 80 Container should have a CPU limit
+✓ Pass: Deployments should not bind to a host port
+✓ Pass: Pod should not define hostAliases
+✓ Pass: Container should not mount the Docker socket
+✕ Fail: A 80 Container should request memory
+. Unknown: Deployments should not run Tiller (Helm v2)
+✓ Pass: Container should not run as a privileged container
+✓ Pass: Container should not mount the containerd socket
+✕ Fail: A 80 Container should request CPU
+✓ Pass: Pod should not run with hostPID
+✓ Pass: Pod should not run with the default service account
+
+Asset: luna/postgresql-secondary
+================================
+Data queries:
+mondoo.version: "8.11.0"
+mondoo.jobEnvironment: {
+ id: "client.mondoo.com"
+ name: "Mondoo Client"
+}
+platform.arch: ""
+platform.title: "Kubernetes Deployment, Kubernetes Manifest File"
+platform.release: ""
+
+Checks:
+✓ Pass: Deployments should not run with SYS_ADMIN capability
+✕ Fail: F 0 Container should not run as root
+✕ Fail: A 80 Container should request memory
+✓ Pass: Pod should not run with hostPID
+✕ Fail: A 80 Container should have a memory limit
+✓ Pass: Pod should not run with hostNetwork
+✓ Pass: Container should not mount the CRI-O socket
+✓ Pass: Container should not run as a privileged container
+. Unknown: Pods should not run Kubernetes dashboard
+✓ Pass: Pod should not run with the default service account
+✕ Fail: D 20 Container should use an immutable root filesystem
+✓ Pass: Deployments should mount any host path volumes as read-only
+. Unknown: Deployments should not run Tiller (Helm v2)
+✕ Fail: A 80 Container should configure a readinessProbe
+✕ Fail: A 80 Container should have a CPU limit
+✓ Pass: Container should not allow privilege escalation
+✕ Fail: D 20 Deployments should not run with NET_RAW capability
+✕ Fail: C 40 Container image pull should be consistent
+✓ Pass: Deployments should not bind to a host port
+✕ Fail: A 80 Container should configure a livenessProbe
+✕ Fail: A 80 Container should request CPU
+✓ Pass: Deployments should not run in the default namespace
+✓ Pass: Container should not mount the containerd socket
+✓ Pass: Pod should not run with hostIPC
+✓ Pass: Pod should not define hostAliases
+✓ Pass: Container should not mount the Docker socket
+
+```
+
+
+
+:::tip
+
+To see scan results in full detail, run:
+
+```bash
+cnspec scan k8s -o full
+```
+
+:::
+
+## Learn more about testing Kubernetes
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+
+- For a list of all the Kubernetes resources and fields you can query, read the [Mondoo Kubernetes (K8s) Resource Pack Reference](/mql/resources/k8s-pack/).
+
+---
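Review bot: The tip at the end of this page gives `cnspec scan k8s -o full` without the MANIFESTFILE argument that the page's own scan command takes, so a reader who copies it scans the live cluster (the same command appears on the cluster page) instead of the manifest they are assessing. Add the manifest path to the tip's command. The example output also names the scanned asset inconsistently: the command scans `luna-postgres.yml` and the log says "K8s Manifest luna-postgres", but the asset heading reads "K8s Manifest luna-postgresql", and the progress bar shows "luna/postgres" for the asset connected as "luna/postgresql". The results fence is opened with a bare fence while the other output blocks in this patch are tagged `text`.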
diff --git a/docs/cnspec/cnspec-oci/README.mdx b/docs/cnspec/cnspec-oci/README.mdx
new file mode 100644
index 000000000..c0e403932
--- /dev/null
+++ b/docs/cnspec/cnspec-oci/README.mdx
@@ -0,0 +1,202 @@
+---
+title: Assess Oracle Cloud Infrastructure (OCI) Security with cnspec
+id: cnspec-oci-intro
+sidebar_label: OCI
+displayed_sidebar: cnspec
+sidebar_position: 1
+description: Assess Oracle Cloud Infrastructure (OCI) Security with cnspec
+image: /img/featured_img/mondoo-oci.jpg
+---
+
+cnspec assesses your full Oracle Cloud Infrastructure (OCI) environment for misconfigurations that put your organization at risk. You can scan your OCI tenancy for compliance with security policies created by Mondoo or the community, or [create your own policies](/cnspec/cnspec-policies/write/). You also can write individual tests to run on the fly or include in automated tasks.
+
+cnspec can test any aspect of your OCI configuration. For a list of OCI resources you can test, read [Mondoo Oracle Cloud Infrastructure (OCI) Resource Pack Reference](/mql/resources/oci-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+## Connect cnspec with your OCI environment
+
+### Requirements
+
+To test your OCI environment with cnspec, you must have:
+
+- [cnspec installed on your workstation](/cnspec/).
+
+- Access to an [OCI tenancy](https://docs.oracle.com/en/cloud/foundation/cloud_architecture/governance/tenancy.html#what-is-a-tenancy)
+
+### Configure command-line access to OCI
+
+For cnspec to communicate with your OCI tenancy, you need to configure secure access from the command line. You download a private API key and create a config file to automatically authenticate you with Oracle.
+
+1. In the top-right corner of the Oracle Cloud Infrastructure Console, select your profile icon and select **My profile**.
+
+ ![OCI profile menu](/img/cnspec/oci/profile-menu.png)
+
+2. Under Resources, select **API keys**.
+
+ ![OCI API keys](/img/cnspec/oci/api-keys.png)
+
+3. Select the **Add API key** button.
+
+ ![Add OCI API key](/img/cnspec/oci/add-api-key.png)
+
+4. Leave **Generate API key pair** selected and select the **Download private key** button.
+
+5. Create a new directory on your workstation, `~/.oci/`, and move the downloaded private key file into the new directory.
+
+6. Select the **Add** button. OCI generates a config file for you. Copy the contents of the **Configuration file preview** box.
+
+ ![OCI config preview](/img/cnspec/oci/config-preview.png)
+
+7. In the new directory, create a file named `config` and paste the content you copied in step 6. Replace the `key_file` placeholder on the last line with the path and file name of your private key file.
+
+ ```text
+ [DEFAULT]
+ user=ocid1.user.oc1..aaaaaaaavixjk7guncl6q7jf663vyeygprgjtgg5yiesxpwx4i6m6r23xmna
+ fingerprint=c9:1d:c8:e1:54:26:b7:82:2c:7d:b5:be:0a:62:b7:b8
+ tenancy=ocid1.tenancy.oc1..aaaaaaaabnjfuyr73mmvv6ep7heu57576abelhju5ni333c6rrfqiu6q6joq
+ region=us-ashburn-1
+ key_file=/Users/stella/.oci/stella@lunalectric.com_2023-05-31T22_43_19.044Z.pem
+ ```
+
+### Verify with a quick OCI check
+
+To quickly confirm that cnspec has access to your OCI environment, run this check from your terminal:
+
+```bash
+cnspec run oci -c 'oci.tenancy { id!="foo" }'
+```
+
+It asserts that your tenancy does not have the ID `foo`.
+
+cnspec indicates that the check is true, that your tenancy is not named `foo`:
+
+```coffee
+oci.tenancy: {
+ id != "foo": true
+}
+```
+
+You've successfully used cnspec to run your first check on your OCI environment. Now you're ready to explore. The method you choose depends on your goals:
+
+- For widescale assessment of your OCI infrastructure, scan using policy bundles. These collections of tests work together to present a broad picture of your OCI security posture.
+
+- To run ad hoc checks against your OCI environment, use cnspec's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnspec and learning MQL.
+
+## Assess OCI security with policy-based scanning
+
+The CIS Oracle Cloud Infrastructure Foundation Benchmark policy is available to all in Mondoo's [cnspec-policies GitHub repo](https://github.com/mondoohq/cnspec-policies/tree/main/core). This collection of tests evaluates how well your environment follows fundamental OCI security best practices. It checks for misconfigurations across your entire OCI infrastructure.
+
+To scan using the OCI Security by Mondoo policy, run:
+
+```bash
+cnspec scan oci
+```
+
+This scans the tenancy to which your OCI account gives you access.
+
+cnspec follows these steps to load policies on which it bases the scan:
+
+- cnspec tries to read a config file, mondoo.yml, which includes the certificate and private key for authenticating with Mondoo Platform. If it finds the config, it loads the policies enabled for the OCI integration in the Mondoo space this OCI environment belongs to. You can enter `cnspec status` to see if the config file exists and cnspec is registered.
+
+2. If there is no config file (you have not registered cnspec or you've removed the mondoo.yml file), then cnspec loads Mondoo's open source policies and scans based on those.
+
+:::info
+
+If cnspec is registered but you want to use the open source policies (and not share results with Mondoo Platform), you can scan in incognito mode:
+
+```bash
+cnspec scan oci --incognito
+```
+
+:::
+
+You can also specify a particular policy bundle. cnspec uses only the bundle you specify:
+
+```bash
+cnspec scan oci --policy mondoohq/oracle-cloud-infrastructure-foundation-level-1
+```
+
+You can also create your own policies to meet your specific needs. To learn more about policies, read [Policies](/cnspec/cnspec-policies/).
+
+## Test OCI with the cnspec shell
+
+The cnspec shell is handy for quick checks and tests, or for developing your MQL skills. Its auto-complete and help features guide you in writing checks.
+
+To launch a shell into your OCI environment, enter:
+
+```bash
+cnspec shell oci
+```
+
+### Discover capabilities with the `help` command
+
+Once inside the shell, use the `help` command to learn what OCI resources you can test. This command lists all the OCI resources:
+
+```bash
+help oci
+```
+
+From the resulting list, you can drill down further. For example, enter this command to list all the OCI Object Storage resources you can test:
+
+```bash
+help oci.objectStorage
+```
+
+From the resulting list, you can drill down even further. You can also learn about available OCI resources in the [Mondoo OCI Resource Pack Reference](/mql/resources/oci-pack/).
+
+### Run tests in the cnspec shell
+
+Now that you know how to discover what's possible with cnspec, let's run some actual tests in the shell.
+
+#### Assess MFA for console users
+
+This test assures that multi-factor authentication (MFA) is enabled for all users with console access:
+
+```bash
+oci.identity.users.all( mfaActivated )
+```
+
+If the test passes, that means all users have MFA enabled. If the test fails, cnspec lists all the user accounts that don't have MFA enabled.
+
+```coffee
+[failed] [].all()
+ actual: [
+ 0: oci.identity.user {
+ name: "mwezi@lunalectric.com"
+ mfaActivated: false
+ }
+ 1: oci.identity.user {
+ name: "stella@lunalectric.com"
+ mfaActivated: false
+ }
+ 2: oci.identity.user {
+ name: "tsuki@lunalectric.com"
+ mfaActivated: false
+ }
+ 3: oci.identity.user {
+ name: "cosmo@lunalectric.com"
+ mfaActivated: false
+ }
+ ]
+```
+
+#### Assess audit log retention
+
+This test asserts that audit logs remain in storage for 365 days:
+
+```bash
+oci.tenancy.retentionPeriod == 365 * time.day
+```
+
+cnspec returns `ok` or `failed` and the actual retention time.
+
+### Exit the cnspec shell
+
+To exit the cnspec shell, either press `Ctrl + D` or type `exit`.
+
+## Learn more about querying OCI
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+
+- For a list of all the OCI resources and fields you can query, read the [Mondoo OCI Resource Pack Reference](/mql/resources/oci-pack/).
+
+---
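Review bot: The sample `config` in step 7 carries a full user OCID, tenancy OCID and key fingerprint that read like live values rather than placeholders, and step 5 moves the downloaded private key into `~/.oci/` without saying to restrict its permissions. Replace the identifiers with obviously fake placeholders and add a line telling the reader to make the key file readable only by its owner. Under "Assess OCI security with policy-based scanning", the list of policy-loading steps starts with a `-` bullet and continues with `2.`, so it will not render as one numbered list; the same section introduces the "CIS Oracle Cloud Infrastructure Foundation Benchmark" policy and then says "To scan using the OCI Security by Mondoo policy", which needs one name. The MFA test is described as covering "users with console access", but `oci.identity.users.all( mfaActivated )` asserts over every user; either narrow the query or adjust the sentence. The MQL snippets in the shell section are fenced as `bash`, while the Kubernetes pages in this patch fence MQL as `coffee`.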
diff --git a/docs/cnspec/cnspec-oper/cnspec-linux.mdx b/docs/cnspec/cnspec-oper/cnspec-linux.mdx
new file mode 100644
index 000000000..db8d550f4
--- /dev/null
+++ b/docs/cnspec/cnspec-oper/cnspec-linux.mdx
@@ -0,0 +1,64 @@
+---
+title: Assess Linux Security with cnspec
+id: cnspec-linux-intro
+sidebar_label: Linux
+displayed_sidebar: cnspec
+sidebar_position: 1
+description: Assess Linux Security with cnspec
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+cnspec assesses your Linux assets for misconfigurations that put your organization at risk. You can evaluate a Linux asset for compliance with security policies created by Mondoo or the community, or [create your own policies](/cnspec/cnspec-policies/). You also can write individual tests to run on the fly or include in automated tasks.
+
+For a list of Linux resources you can test, read [Mondoo Operating Systems (OS) Resource Pack Reference](/mql/resources/os-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+## Requirements
+
+To test a Linux asset with cnspec, you must have:
+
+- [cnspec installed on your workstation](/cnspec/)
+- Access to the asset
+
+## Assess Linux security with policy-based scanning
+
+The Linux Security by Mondoo policy is available to all in Mondoo's [cnspec-policies GitHub repo](https://github.com/mondoohq/cnspec-policies/tree/main/core). This collection of tests evaluates how well your environment follows fundamental Linux security best practices.
+
+To scan a local machine using the Linux Security by Mondoo policy, run:
+
+```bash
+cnspec scan
+```
+
+To scan a remote machine using the Linux Security by Mondoo policy, run:
+
+```bash
+cnspec scan ssh user@HOST
+```
+
+For `HOST`, substitute the hostname of the remote Linux asset.
+
+cnspec finds the default policy for Linux and runs a scan based on that policy. It returns a report summarizing the scan results.
+
+To learn more about the command, read [cnspec scan](/cnspec/cli/cnspec_scan/).
+
+You can also create your own policies to meet your specific needs. To learn more about policies, read [Policies](/cnspec/cnspec-policies/).
+
+## Learn more
+
+cnspec also provides an interactive shell in which you can explore. It helps you understand the checks that cnspec policies use, and write your own as well. It's also a great way to interact with both local and remote targets on the fly. To learn more, read [Create Checks in cnspec Shell](/cnspec/cnspec-scan/).
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+
+- For a list of all the operating system resources and fields you can query, read the [Mondoo Operating Systems (OS) Resource Pack Reference](/mql/resources/os-pack/).
+
+- To learn about cnspec commands, read:
+
+ - [cnspec scan](/cnspec/cli/cnspec_scan/)
+
+ - [cnspec shell](/cnspec/cli/cnspec_shell/)
+
+ - [cnspec run](/cnspec/cli/cnspec_run/)
+
+ - [cnspec vuln](/cnspec/cli/cnspec_vuln/)
+
+---
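Review bot: the "create your own policies" link in the opening paragraph points to `/cnspec/cnspec-policies/`, while the macOS and Windows pages in this patch link the same phrase to `/cnspec/cnspec-policies/write/`. Pick one target, probably the authoring guide. The remote scan example here uses the placeholder `HOST` and the other two pages use `IP_ADDRESS`. Since the three pages are otherwise identical, align the placeholder and its explanatory sentence as well.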
diff --git a/docs/cnspec/cnspec-oper/cnspec-mac.mdx b/docs/cnspec/cnspec-oper/cnspec-mac.mdx
new file mode 100644
index 000000000..dffacde03
--- /dev/null
+++ b/docs/cnspec/cnspec-oper/cnspec-mac.mdx
@@ -0,0 +1,64 @@
+---
+title: Assess macOS Security with cnspec
+id: cnspec-macos-intro
+sidebar_label: macOS
+displayed_sidebar: cnspec
+sidebar_position: 2
+description: Assess macOS Security with cnspec
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+cnspec assesses your macOS assets for misconfigurations that put your organization at risk. You can evaluate a macOS asset for compliance with security policies created by Mondoo or the community, or [create your own policies](/cnspec/cnspec-policies/write/). You also can write individual tests to run on the fly or include in automated tasks.
+
+For a list of macOS resources you can test, read [Mondoo Operating Systems (OS) Resource Pack Reference](/mql/resources/os-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+## Requirements
+
+To test a macOS asset with cnspec, you must have:
+
+- [cnspec installed on your workstation](/cnspec/)
+- Access to the asset
+
+## Assess macOS security with policy-based scanning
+
+The macOS Security by Mondoo policy is available to all in Mondoo's [cnspec-policies GitHub repo](https://github.com/mondoohq/cnspec-policies/tree/main/core). This collection of tests evaluates how well your environment follows fundamental macOS security best practices.
+
+To scan a local machine using the macOS Security by Mondoo policy, run:
+
+```bash
+cnspec scan
+```
+
+To scan a remote machine using the macOS Security by Mondoo policy, run:
+
+```bash
+cnspec scan ssh user@IP_ADDRESS
+```
+
+For `IP_ADDRESS`, substitute the IP address of the remote macOS asset.
+
+cnspec finds the default policy for macOS and runs a scan based on that policy. It returns a report summarizing the scan results.
+
+To learn more about the command, read [cnspec scan](/cnspec/cli/cnspec_scan/).
+
+You can also create your own policies to meet your specific needs. To learn more about policies, read [Policies](/cnspec/cnspec-policies/).
+
+## Learn more
+
+cnspec also provides an interactive shell in which you can explore. It helps you understand the checks that cnspec policies use, and write your own as well. It’s also a great way to interact with both local and remote targets on the fly. To learn more, read [Create Checks in cnspec Shell](/cnspec/cnspec-scan/).
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+
+- For a list of all the operating system resources and fields you can query, read the [Mondoo Operating Systems (OS) Resource Pack Reference](/mql/resources/os-pack/).
+
+- To learn about cnspec commands, read:
+
+ - [cnspec scan](/cnspec/cli/cnspec_scan/)
+
+ - [cnspec shell](/cnspec/cli/cnspec_shell/)
+
+ - [cnspec run](/cnspec/cli/cnspec_run/)
+
+ - [cnspec vuln](/cnspec/cli/cnspec_vuln/)
+
+---
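Review bot: in the "Learn more" paragraph, "It’s" uses a typographic apostrophe, while the rest of this file ("Mondoo's") and the Linux page use the straight form. Normalize it so search and linting behave the same across the three OS pages. These pages differ only in the OS name, so a shared partial in the style of `_include-lint.mdx` would prevent this kind of drift.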
diff --git a/docs/cnspec/cnspec-oper/cnspec-windows.mdx b/docs/cnspec/cnspec-oper/cnspec-windows.mdx
new file mode 100644
index 000000000..d1fac67b2
--- /dev/null
+++ b/docs/cnspec/cnspec-oper/cnspec-windows.mdx
@@ -0,0 +1,72 @@
+---
+title: Assess Windows Security with cnspec
+id: cnspec-windows-intro
+sidebar_label: Windows
+displayed_sidebar: cnspec
+sidebar_position: 3
+description: Assess Windows Security with cnspec
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+cnspec assesses your Windows assets for misconfigurations that put your organization at risk. You can evaluate a Windows asset for compliance with security policies created by Mondoo or the community, or [create your own policies](/cnspec/cnspec-policies/write/). You also can write individual tests to run on the fly or include in automated tasks.
+
+For a list of Windows resources you can test, read [Mondoo Operating Systems (OS) Resource Pack Reference](/mql/resources/os-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+## Requirements
+
+To test a Windows asset with cnspec, you must have:
+
+- [cnspec installed on your workstation](/cnspec/)
+- Access to the asset
+
+## Assess Windows security with policy-based scanning
+
+The Windows Security by Mondoo policy is available to all in Mondoo's [cnspec-policies GitHub repo](https://github.com/mondoohq/cnspec-policies/tree/main/core). This collection of tests evaluates how well your environment follows fundamental Windows security best practices.
+
+To scan a local machine using the Windows Security by Mondoo policy, run:
+
+```bash
+cnspec scan
+```
+
+To scan a remote machine using the Windows Security by Mondoo policy, run:
+
+```bash
+cnspec scan ssh user@IP_ADDRESS
+```
+
+For `IP_ADDRESS`, substitute the IP address of the remote Windows asset.
+
+If you prefer WinRM for remote access, enter:
+
+```bash
+cnspec scan winrm Administrator@IP_ADDRESS --ask-pass
+```
+
+For `IP_ADDRESS`, substitute the IP address of the remote Windows asset.
+
+cnspec finds the default policy for Windows and runs a scan based on that policy. It returns a report summarizing the scan results.
+
+To learn more about the command, read [cnspec scan](/cnspec/cli/cnspec_scan/).
+
+You can also create your own policies to meet your specific needs. To learn more about policies, read [Policies](/cnspec/cnspec-policies/).
+
+## Learn more
+
+cnspec also provides an interactive shell in which you can explore. It helps you understand the checks that cnspec policies use, and write your own as well. It’s also a great way to interact with both local and remote targets on the fly. To learn more, read [Create Checks in cnspec Shell](/cnspec/cnspec-scan/).
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+
+- For a list of all the operating system resources and fields you can query, read the [Mondoo Operating Systems (OS) Resource Pack Reference](/mql/resources/os-pack/).
+
+- To learn about cnspec commands, read:
+
+ - [cnspec scan](/cnspec/cli/cnspec_scan/)
+
+ - [cnspec shell](/cnspec/cli/cnspec_shell/)
+
+ - [cnspec run](/cnspec/cli/cnspec_run/)
+
+ - [cnspec vuln](/cnspec/cli/cnspec_vuln/)
+
+---
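Review bot: the WinRM example `cnspec scan winrm Administrator@IP_ADDRESS --ask-pass` hard-codes the built-in Administrator account, which readers will copy as written. Use a `user@IP_ADDRESS` placeholder as the SSH example does, and state what privileges the scan account needs. The sentence "For `IP_ADDRESS`, substitute the IP address of the remote Windows asset." appears twice within a few lines; one occurrence after the second command is enough. The `bash` fence tag on commands for a Windows page is also worth revisiting.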
diff --git a/docs/cnspec/cnspec-platform.mdx b/docs/cnspec/cnspec-platform.mdx
new file mode 100644
index 000000000..d540a0453
--- /dev/null
+++ b/docs/cnspec/cnspec-platform.mdx
@@ -0,0 +1,66 @@
+---
+title: Log into Mondoo Platform for More Capabilities
+id: cnspec-platform
+sidebar_label: Log into Mondoo Platform for More
+displayed_sidebar: cnspec
+sidebar_position: 3
+description: Expand your cnspec capabilities with a free Mondoo Platform account.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+You can expand your cnspec capabilities with a free Mondoo Platform account. Mondoo Platform includes a web-based UI through which you can:
+
+- Continuously monitor infrastructure security and compliance
+- Save, review, search, and share scan results
+- Access over 200 free security policies, including specific compliance checks against regional and industry guidelines
+- Manage and share policies across your entire infrastructure
+- See the relationships between different assets in your infrastructure
+- Integrate with AWS Lambda, EBS volume scans, Kubernetes controller, and more
+
+This is just a partial list of capabilities. To learn more about what you can accomplish with Mondoo Platform, visit [mondoo.com](https://mondoo.com).
+
+## Log into Mondoo Platform
+
+1. In your web browser, go to [the Mondoo signup page](https://mondoo.com/pricing).
+
+![Sign up for Mondoo Platform](/img/platform/start/mondoo-platform-pricing.png)
+
+2. Register for a free trial. Mondoo sends you email with new account instructions.
+
+3. Follow the steps in the email to create your new account.
+
+## Register cnspec
+
+When you first log in, Mondoo greets you with a landing page.
+
+![Landing Page](/img/platform/start/welcome_to_mondoo.png)
+
+1. Select **Browse Integrations**.
+
+![Add cnspec](/img//cnspec/cnspec-add-integration.png)
+
+2. Under Workstation, select **cnspec**. Mondoo provides quick setup commands and a token for registering cnspec.
+
+![Register cnspec with Mondoo Platform](/img/cnspec/cnspec-platform-quick-setup.png)
+
+3. Select your operating system and then copy the commands in the box below.
+
+4. In a terminal window, paste and run the copied commands.
+
+cnspec is now registered with Mondoo Platform. The next time you scan your infrastructure with cnspec, you can see the results in the Mondoo console.
+
+To learn about working in the Mondoo console, see the [Mondoo Platform documentation](/platform/home/).
+
+## Specify a proxy server for communication with Mondoo
+
+You can specify a proxy server for communication between cnspec and Mondoo Platform. This is useful if your default system proxy restricts communication, or if you need to monitor different types of traffic.
+
+1. Find the Mondoo configuration file: `/etc/opt/mondoo/mondoo.yml`.
+
+2. Add this line to `mondoo.yml`:
+
+ ```yaml
+ api_proxy: https://1.1.1.1:8080
+ ```
+
+---
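Review bot: the proxy example `api_proxy: https://1.1.1.1:8080` uses a real public address as the sample value. Replace it with an obvious placeholder such as a hostname under `example.com` or an address from a documentation range, so that a config pasted unchanged does not send traffic to a third party. Step 1 gives only `/etc/opt/mondoo/mondoo.yml`; either label that path as Linux-only or add the locations for the other operating systems this patch documents. Separately, the image path `/img//cnspec/cnspec-add-integration.png` under "Register cnspec" has a doubled slash.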
diff --git a/docs/cnspec/cnspec-policies/README.md b/docs/cnspec/cnspec-policies/README.md
new file mode 100644
index 000000000..3683ef83f
--- /dev/null
+++ b/docs/cnspec/cnspec-policies/README.md
@@ -0,0 +1,59 @@
+---
+title: About Policies
+id: cnspec-policies
+sidebar_label: About Policies
+displayed_sidebar: cnspec
+sidebar_position: 1
+description: Retrieve, store, customize, and create cnquery policies
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Policies are the specifications that cnspec uses when it scans a system. Think of a policy as a checklist that cnspec relies on to ensure that a system is secure. In Mondoo and cnspec, these collections of security requirements are expressed as highly readable code.
+
+## Policy as code
+
+Security policies and compliance frameworks typically are documents. Text describes each guideline and its rationale, and sometimes the consequences of not complying.
+
+But documents don't check your environments. The work to verify that your infrastructure follows security standards is often manual, time intensive, and error prone. For example, if you need to manually demonstrate compliance for an audit, it can take weeks just to provide a snapshot of a single moment in time.
+
+_Policy as code_ lets you automate compliance using security benchmarks and best practices. The code serves two purposes: It documents the security guidelines and it tests your systems to ensure they follow those guidelines.
+
+## cnspec policies and policy bundles
+
+Each cnspec policy is codified as a collection of checks that test for certain configuration settings. For example, the _Mondoo Linux Security - Users and Groups_ policy includes these checks:
+
+- There are no users in the root group.
+- No duplicate user names exist.
+- All system accounts are non-login.
+
+_Policy bundles_ are YAML files that contain at least one policy. They group related policies. For example, the _Mondoo Linux Security_ policy bundle contains a _Configure SSH Server_ policy that is specific to Linux, a _Logging_ policy that is specific to Linux, and other policies that define secure Linux practices.
+
+Find policy bundles in Mondoo's [cnspec-policies](https://github.com/mondoohq/cnspec-policies) GitHub repo.
+
+## How cnspec uses policies
+
+When cnspec scans a target for compliance with security and other best practices, it refers to policies to learn what checks to make against the target.
+
+For example, when you run this command, cnspec automatically detects the local platform and scans using the applicable policy or policies:
+
+```bash
+cnspec scan local
+```
+
+For example, if the local system is Windows, cnspec finds all policy bundles that apply to Windows. It runs all the checks in the policies in the Windows policy bundles.
+
+This scan command specifies the policy bundle to use:
+
+```bash
+cnspec scan local --policy-bundle luna.mql.yaml
+```
+
+Instead of detecting the local system and finding appropriate policy bundles, cnspec refers to `luna.mql.yaml`, a custom policy bundle, to find the checks to run against the local system.
+
+## Learn more
+
+- To learn how to modify existing policies or write your own, read the [Policy Authoring Guide](/cnspec/cnspec-policies/write/).
+
+- To learn about applying policies across your infrastructure and storing your own policies, read [Manage Policies](/cnspec/cnspec-policies/cnspec-manage-policies)
+
+---
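Review bot: the front matter `description` reads "Retrieve, store, customize, and create cnquery policies" on a page that is entirely about cnspec policies. This looks like a leftover from the cnquery docs and should say cnspec. In "Learn more", the last bullet's link `/cnspec/cnspec-policies/cnspec-manage-policies` lacks the trailing slash used by the other links in this file, and the sentence has no closing period.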
diff --git a/docs/cnspec/cnspec-policies/cnspec-manage-policies.mdx b/docs/cnspec/cnspec-policies/cnspec-manage-policies.mdx
new file mode 100644
index 000000000..c61eacc5d
--- /dev/null
+++ b/docs/cnspec/cnspec-policies/cnspec-manage-policies.mdx
@@ -0,0 +1,57 @@
+---
+title: Manage Policies
+id: cnspec-manage-policies
+sidebar_label: Manage Policies
+displayed_sidebar: cnspec
+sidebar_position: 2
+description: Scale policies across your infrastructure and store your own policies
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+If you customize or build your own policies, you can store and share access to them using Mondoo Platform.
+
+## Scale cnspec across your infrastructure
+
+The easiest way to scale cnspec across your infrastructure is to have all of your infrastructure pull policies from a central location. One simple approach is to sign up for a free account on [Mondoo Platform](/platform/start/plat-what-is/). The platform is designed for multi-tenancy and provides a secure, private environment that keeps data about your assets in your own account. With Mondoo Platform, all assets can report on policies and you can define custom exceptions for your infrastructure.
+
+To use cnspec with Mondoo Platform, run:
+
+```bash
+cnspec login
+```
+
+Once authenticated, you can scan any target:
+
+```bash
+cnspec scan
+```
+
+cnspec returns the results from the scan to STDOUT and to Mondoo Platform.
+
+## Upload policies to your account
+
+With an account on Mondoo Platform, you can upload policies:
+
+```bash
+cnspec policy upload mypolicy.mql.yaml
+```
+
+## Create a policy bundle
+
+To learn about policies and policy bundles, read [Policies](/cnspec/cnspec-policies/).
+
+To set up a new policy bundle:
+
+```bash
+cnspec bundle init example.mql.yaml
+```
+
+## Validate a policy bundle
+
+Validate a policy bundle to ensure that the bundle compiles and that all queries and references work:
+
+```bash
+cnspec bundle validate example.mql.yaml
+```
+
+---
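Review bot: "Validate a policy bundle" documents `cnspec bundle validate example.mql.yaml`, but `_include-lint.mdx` in this same patch tells readers to run `cnspec bundle lint BUNDLE-NAME.mql.yaml` to check bundles for errors. Please confirm which subcommand is current, and if both exist, say in one sentence how they differ. The page also opens with storing and sharing policies but never says that `cnspec policy upload` requires the `cnspec login` step from the section above it; a short cross-reference would help.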
diff --git a/docs/cnspec/cnspec-policies/open-registry.mdx b/docs/cnspec/cnspec-policies/open-registry.mdx
new file mode 100644
index 000000000..f92ec32d1
--- /dev/null
+++ b/docs/cnspec/cnspec-policies/open-registry.mdx
@@ -0,0 +1,14 @@
+---
+title: Discover New Policies in GitHub
+sidebar_label: Discover New Policies
+displayed_sidebar: cnspec
+sidebar_position: 3
+description: Explore open source security policies by Mondoo and the Mondoo community.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Mondoo's [cnspec-policies](https://github.com/mondoohq/cnspec-policies) GitHub repository is a free source of security, best practices, and compliance policy bundles created by Mondoo and the Mondoo community. You can download any of these policy bundles and use them to scan your assets with cnspec.
+
+The `core` directory contains copies of the policy bundles that cnspec uses by default, so there's no need to download those policies.
+
+---
diff --git a/docs/cnspec/cnspec-policies/write/README.md b/docs/cnspec/cnspec-policies/write/README.md
new file mode 100644
index 000000000..88fd15d2e
--- /dev/null
+++ b/docs/cnspec/cnspec-policies/write/README.md
@@ -0,0 +1,36 @@
+---
+title: Policy Authoring Guide
+sidebar_label: Policy Authoring Guide
+displayed_sidebar: cnspec
+sidebar_position: 1
+description: Learn how to write custom security policies to meet the special needs of your organization
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Policies are the specifications that cnspec uses when it scans an asset. cnspec compares your asset's configuration against the standards set in policies, and calculates a score based on the comparison. Scores tell you how secure your different assets are and allow you to see your progress as you improve your security posture.
+
+Mondoo provides dozens of free policy bundles (collections of policies) that cover the most common types of assets—and Mondoo Platform has over 200! If your organization has unique needs that these policy bundles don't meet, you can create custom policy bundles.
+
+Read these topics to learn how to build your own policies:
+
+1. [Write Custom Policies](/cnspec/cnspec-policies/write/simple)
+
+2. [Score Policies](/cnspec/cnspec-policies/write/policy-scoring)
+
+3. [Reuse Queries and Checks](/cnspec/cnspec-policies/write/reuse)
+
+4. [Break up a Policy into Groups / Chapters](/cnspec/cnspec-policies/write/chapters)
+
+5. [Limit Target Assets with Filters](/cnspec/cnspec-policies/write/filters)
+
+6. [Define Properties](/cnspec/cnspec-policies/write/properties)
+
+7. [Make Policies Flexible with Variants](/cnspec/cnspec-policies/write/variants)
+
+The queries and checks that policies use to retrieve information from your infrastructure are written in Mondoo's GraphQL-based query language, MQL.
+
+- Learn how to [write MQL queries and checks](/mql/mql.write)
+
+- Read about all the different [resources](/mql/resources/) from which MQL can retrieve information
+
+---
diff --git a/docs/cnspec/cnspec-policies/write/_category_.json b/docs/cnspec/cnspec-policies/write/_category_.json
new file mode 100644
index 000000000..91ea83a14
--- /dev/null
+++ b/docs/cnspec/cnspec-policies/write/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Policy Authoring Guide",
+ "position": 10
+}
diff --git a/docs/cnspec/cnspec-policies/write/_exceptions.mdx b/docs/cnspec/cnspec-policies/write/_exceptions.mdx
new file mode 100644
index 000000000..9ceb6308d
--- /dev/null
+++ b/docs/cnspec/cnspec-policies/write/_exceptions.mdx
@@ -0,0 +1,76 @@
+---
+title: Policy Authoring Guide | Exceptions
+sidebar_label: Something about Exceptions
+displayed_sidebar: cnspec
+sidebar_position: 8
+description: Description something write me
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+** IGNORE. THIS DOESN'T GET COMPILED. **
+
+Now that you've learned how to [combine policies in a bundle and make more efficient policies by reusing queries and checks](/cnspec/cnspec-policies/write/reuse/), you can learn how to arrange a policy into chapters.
+
+A _group_ is a collection of related checks and queries in a policy. Groups provide a way to organize your policy. One type of group is a _chapter_. These are an arbitrary way of breaking up a policy into more manageable sections.
+
+A common way to use groups is to match the chapters in a written benchmark, policy, or other compliance document. For each chapter in the document, you can create a group in the policy.
+
+Here's another simple example of a policy bundle containing one policy:
+
+```yaml showLineNumbers
+policies:
+ - uid: example-with-chapters
+ name: Simple example with chapters
+ version: "1.0.0"
+ scoring_system: highest impact
+ authors:
+ - name: Lunalectric
+ email: security@lunalectric.com
+ groups:
+ - type: chapter
+ title: SSH
+ checks:
+ - uid: sshd-01
+ title: Ensure the port is set to 22
+ mql: sshd.config.params["Port"] == 22
+ impact: 30
+
+ - uid: sshd-02
+ title: Prevent weaker CBC ciphers from being used
+ mql: sshd.config.ciphers.none( /cbc/ )
+ impact: 60
+ queries:
+ - uid: sshd-d-1
+ title: Gather SSH config params
+ mql: sshd.config.params
+ - type: chapter
+
+ type: chapter
+ title: Packages
+ checks:
+ - uid: pkg-01
+ title: Ensure AIDE is installed
+ mql: package("aide").installed
+ impact: 70
+
+ - uid: pkg-02
+ title: Ensure prelink is disabled
+ mql: package("prelink").installed == false
+ impact: 70
+```
+
+The policy contains two chapters:
+
+- The `SSH` chapter begins on line 10. It has two checks and one query, all concerning SSH parameters.
+
+- The `Packages`chapter begins on line 28. It has two checks, both of which concern installed packages.
+
+A policy can have as many chapters as you need.
+
+## Next steps
+
+- To learn about controlling the types of assets a policy applies to, read [Limit Target Assets with Filters](/cnspec/cnspec-policies/write/filters/).
+
+- If you're ready to create your own policy: To learn how to set up, validate, and store policy bundles, read [Manage Policies](/cnspec/cnspec-policies/cnspec-manage-policies/).
+
+---
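Review bot: this file is committed with placeholder front matter (`sidebar_label: Something about Exceptions`, `description: Description something write me`) and a body line reading "IGNORE. THIS DOESN'T GET COMPILED.", and nothing in it covers exceptions; the body is a copy of the chapters page. Leave it out of the patch until there is real content. If it stays, the YAML example needs fixing: after the `sshd-d-1` query there is a dangling `- type: chapter` followed by a blank line and a second `type: chapter`, and the text's "line 28" reference depends on that stray entry.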
diff --git a/docs/cnspec/cnspec-policies/write/_import.mdx b/docs/cnspec/cnspec-policies/write/_import.mdx
new file mode 100644
index 000000000..19073b554
--- /dev/null
+++ b/docs/cnspec/cnspec-policies/write/_import.mdx
@@ -0,0 +1,106 @@
+---
+title: Policy Authoring Guide | Import Policies
+sidebar_label: Import Policies
+displayed_sidebar: cnspec
+sidebar_position: 6
+description: Import a policy from one bundle into another bundle
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+THIS TOPIC IS NOT VISIBLE TO READERS
+
+Now that you've learned how to [break policies into chapters](/cnspec/cnspec-policies/write/chapters/), you can learn how to import policies into a policy bundle.
+
+Importing policies is another organizational tactic that can also save time. You can import a policy from a Mondoo policy bundle or from another one of your own policy bundles.
+
+Here's a simple example of a policy bundle containing one policy:
+
+```yaml showLineNumbers
+policies:
+ - uid: simple-example1
+ mrn: //policies/simple-example1
+ name: Simple example policy 1
+ version: "1.0.0"
+ scoring_system: highest impact
+ authors:
+ - name: Lunalectric
+ email: security@lunalectric.com
+ groups:
+ - checks:
+ - uid: sshd-01
+ title: Ensure the port is set to 22
+ mql: sshd.config.params["Port"] == 22
+ impact: 30
+
+ - uid: sshd-02
+ title: Prevent weaker CBC ciphers from being used
+ mql: sshd.config.ciphers.none( /cbc/ )
+ impact: 60
+
+ queries:
+ - uid: sshd-d-1
+ title: Gather SSH config params
+ mql: sshd.config.params
+```
+
+Notice the `mrn` on line 3. This value allows you to import the policy into other policies or policy bundles.
+
+Here's an example of a policy that imports `Simple example policy 1`.
+
+```yaml showLineNumbers
+policies:
+ - uid: example-with-chapters
+ name: Simple example with chapters
+ version: "1.0.0"
+ scoring_system: highest impact
+ authors:
+ - name: Lunalectric
+ email: security@lunalectric.com
+ groups:
+ - type: chapter
+ title: SSH
+ checks:
+ - uid: sshd-01
+ title: Ensure the port is set to 22
+ mql: sshd.config.params["Port"] == 22
+ impact: 30
+
+ - uid: sshd-02
+ title: Prevent weaker CBC ciphers from being used
+ mql: sshd.config.ciphers.none( /cbc/ )
+ impact: 60
+ queries:
+ - uid: sshd-d-1
+ title: Gather SSH config params
+ mql: sshd.config.params
+ - type: chapter
+
+ type: chapter
+ title: Packages
+ checks:
+ - uid: pkg-01
+ title: Ensure AIDE is installed
+ mql: package("aide").installed
+ impact: 70
+
+ - uid: pkg-02
+ title: Ensure prelink is disabled
+ mql: package("prelink").installed == false
+ impact: 70
+```
+
+The policy contains two chapters:
+
+- The `SSH` chapter begins on line 10. It has two checks and one query, all concerning SSH parameters.
+
+- The `Packages`chapter begins on line 28. It has two checks, both of which concern installed packages.
+
+A policy can have as many chapters as you need.
+
+## Next steps
+
+- To learn about controlling the types of assets a policy applies to, read [Limit Target Assets with Filters](/cnspec/cnspec-policies/write/filters/).
+
+- If you're ready to create your own policy: To learn how to set up, validate, and store policy bundles, read [Manage Policies](/cnspec/cnspec-policies/cnspec-manage-policies/).
+
+---
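Review bot: the second YAML block is introduced as "a policy that imports `Simple example policy 1`", but it contains no import statement and no reference to the `mrn` from the first block. It is the chapters example, followed by the chapters explanation and the same dangling `- type: chapter` entry. As written, the page never shows how an import is declared. Since the body also carries "THIS TOPIC IS NOT VISIBLE TO READERS", consider dropping the file from this patch and adding it once the import example exists.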
diff --git a/docs/cnspec/cnspec-policies/write/_include-lint.mdx b/docs/cnspec/cnspec-policies/write/_include-lint.mdx
new file mode 100644
index 000000000..e94ffbd6e
--- /dev/null
+++ b/docs/cnspec/cnspec-policies/write/_include-lint.mdx
@@ -0,0 +1,5 @@
+:::tip
+
+To check for errors in the policy bundles you write, run `cnspec bundle lint BUNDLE-NAME.mql.yaml`. For BUNDLE-NAME, substitute the name of your file.
+
+:::
diff --git a/docs/cnspec/cnspec-policies/write/chapters.mdx b/docs/cnspec/cnspec-policies/write/chapters.mdx
new file mode 100644
index 000000000..81201588e
--- /dev/null
+++ b/docs/cnspec/cnspec-policies/write/chapters.mdx
@@ -0,0 +1,73 @@
+---
+title: Policy Authoring Guide | Break up a Policy into Groups / Chapters
+sidebar_label: Break up a Policy into Groups
+displayed_sidebar: cnspec
+sidebar_position: 4
+description: Use groups to separate your policy into chapters
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+A _group_ is a collection of related checks and queries in a policy. Groups are a way of breaking up a policy into more manageable sections.
+
+A common way to use groups is to match the chapters in a written benchmark, policy, or other compliance document. For each chapter in the document, you can create a group in the policy.
+
+Here's another simple example of a policy bundle containing one policy:
+
+```yaml showLineNumbers
+policies:
+ - uid: example-with-chapters
+ name: Simple example with chapters
+ version: "1.0.0"
+ scoring_system: highest impact
+ authors:
+ - name: Lunalectric
+ email: security@lunalectric.com
+ groups:
+ - title: SSH
+ checks:
+ - uid: sshd-01
+ title: Ensure the port is set to 22
+ mql: sshd.config.params["Port"] == 22
+ impact: 30
+
+ - uid: sshd-02
+ title: Prevent weaker CBC ciphers from being used
+ mql: sshd.config.ciphers.none( /cbc/ )
+ impact: 60
+ queries:
+ - uid: sshd-d-1
+ title: Gather SSH config params
+ mql: sshd.config.params
+
+ - title: Packages
+ checks:
+ - uid: pkg-01
+ title: Ensure AIDE is installed
+ mql: package("aide").installed
+ impact: 70
+
+ - uid: pkg-02
+ title: Ensure prelink is disabled
+ mql: package("prelink").installed == false
+ impact: 70
+```
+
+The policy contains two groups:
+
+- The `SSH` group begins on line 10. It has two checks and one query, all concerning SSH parameters.
+
+- The `Packages` group begins on line 26. It has two checks, both of which concern installed packages.
+
+A policy can have as many groups as you need.
+
+import Partial from "./_include-lint.mdx";
+
+{" "}
+
+## Next steps
+
+- To learn about controlling the types of assets a policy applies to, read [Limit Target Assets with Filters](/cnspec/cnspec-policies/write/filters/).
+
+- If you're ready to create your own policy: To learn how to set up, validate, and store policy bundles, read [Manage Policies](/cnspec/cnspec-policies/cnspec-manage-policies/).
+
+---
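Review bot: after "A policy can have as many groups as you need.", the file has `import Partial from "./_include-lint.mdx";` followed by `{" "}`, so the lint tip is imported but never rendered. The `{" "}` looks like a formatter rewrite of `<Partial />`; restore the component and exclude this construct from auto-formatting. The title and `description` still say "Chapters" while the body and example now use plain groups with no `type: chapter`; add a sentence relating the two terms or drop "Chapters" from the title.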
diff --git a/docs/cnspec/cnspec-policies/write/filters.mdx b/docs/cnspec/cnspec-policies/write/filters.mdx
new file mode 100644
index 000000000..4585a540d
--- /dev/null
+++ b/docs/cnspec/cnspec-policies/write/filters.mdx
@@ -0,0 +1,123 @@
+---
+title: Policy Authoring Guide | Limit Target Assets with Filters
+sidebar_label: Limit Target Assets with Filters
+displayed_sidebar: cnspec
+sidebar_position: 6
+description: Add policy filters to limit what types of target assets a policy or part of a policy applies to
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Filters can specify what target assets a policy, group, check, or query can run against. A filter is simply a condition, written in [MQL](/mql/mql.write/), that must be met. Any fields you can query about any [resources](/mql/resources/) can be the basis for a filter.
+
+The most common basis for filters is platform information. For example, you can add a filter that tells cnspec to run a policy only on AWS EKS clusters. Or you can add a filter that tells cnspec to run a check only on certain versions of an operating system.
+
+:::info
+
+Filters are an essential part of creating variants. To learn about variants, read [Make Policies Flexible with Variants](/cnspec/cnspec-policies/write/variants).
+
+:::
+
+## Apply a filter to a check or query
+
+Add `filters` information to a check or query to apply a filter to it.
+
+This is an example of a check with a filter:
+
+```yaml
+- uid: ssh-root-login-is-disabled
+ title: Ensure SSH root login is disabled
+ filters: package('openssh-server').installed
+ impact: 90
+ mql: sshd.config.params["PermitRootLogin"] == "no"
+```
+
+The filter in the `ssh-root-login-is-disabled` check tells cnspec to run the check only on assets that have the SSH Server package installed. When scanning an asset without SSH Server, cnspec skips this check.
+
+## Apply a filter to a chapter or group
+
+Add `filters` information to a group to apply a filter to it.
+
+This is an example of a [chapter](/cnspec/cnspec-policies/write/chapters) type of group with two filters:
+
+```yaml
+groups:
+ - title: AWS Compute Services
+ type: chapter
+ filters: |
+ asset.name == "aws"
+ asset.kind == "api"
+ checks:
+
+ ...
+
+```
+
+Unless the asset is an AWS compute service, cnspec skips all the checks and queries in this group when scanning the asset.
+
+## Apply a filter to a policy
+
+The policy in this bundle has a filter:
+
+
+```yaml showLineNumbers
+policies:
+ - uid: ssh-with-filter
+ name: SSH policy that uses a filter
+
+...
+
+ groups:
+ - title: my-group
+ checks:
+ - uid: sshd-01
+ title: Ensure the port is set to 22
+ mql: sshd.config.params["Port"] == 22
+ impact: 30
+
+ - uid: sshd-02
+ title: Prevent weaker CBC ciphers from being used
+ mql: sshd.config.ciphers.none( /cbc/ )
+ impact: 60
+
+ queries:
+ - uid: sshd-d-1
+ title: Gather SSH config params
+ mql: sshd.config.params
+
+ filters:
+ - mql: asset.family.contains('unix')
+```
+
+
+This bundle contains only one policy, `ssh-with-filter`. The section beginning on line 24 defines _filters_ for the policy. In this case, cnspec uses the policy to scan only assets that are based on UNIX (Linux distributions and macOS).
+
+import Partial from "./_include-lint.mdx";
+
+{" "}
+
+## More examples of filters
+
+This filter limits scans to only GCP projects:
+
+```coffee
+asset.platform == "gcp-project"
+```
+
+This filter limits scans to only kubelets:
+
+```coffee
+asset.family.contains('linux')
+processes.where( executable == /kubelet/ ).list != []
+```
+
+To learn how to write your own filters, read [Write Effective MQL](/mql/mql.write/) and the [MQL Reference](/mql/resources/).
+
+## Next steps
+
+- To learn an efficient way to define the ideal values that policies check against, read [Define Properties](/cnspec/cnspec-policies/write/properties/).
+
+- You can find many examples of policy bundles in Mondoo's [cnspec-policies](https://github.com/mondoohq/cnspec-policies) GitHub repo.
+
+- To learn how to set up, validate, and store policy bundles, read [Manage Policies](/cnspec/cnspec-policies/cnspec-manage-policies/).
+
+---
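Review bot: In the chapter example, the sentence "Unless the asset is an AWS compute service, cnspec skips all the checks and queries in this group" does not match the filter shown: `asset.name == "aws"` and `asset.kind == "api"` test the asset's name and kind, nothing specific to compute services. Reword the sentence to describe what the two conditions select, and state how the lines of a multi-line `filters: |` block are combined (all must hold, or any), since the kubelet example further down uses the same two-line form without explanation. In the policy example, the `filters:` key is on line 25 of the numbered block (line 24 is the blank line before it), so "beginning on line 24" is off by one.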
diff --git a/docs/cnspec/cnspec-policies/write/policy-scoring.mdx b/docs/cnspec/cnspec-policies/write/policy-scoring.mdx
new file mode 100644
index 000000000..c5b4fe7fe
--- /dev/null
+++ b/docs/cnspec/cnspec-policies/write/policy-scoring.mdx
@@ -0,0 +1,113 @@
+---
+title: Policy Authoring Guide | Score Policies
+sidebar_label: Score Policies
+displayed_sidebar: cnspec
+sidebar_position: 3
+description: Choose how a Mondoo scores assets based on a policy
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Now that you've [explored the very basic elements of a policy and a policy bundle](/cnspec/cnspec-policies/write/simple/), you can decide how to calculate asset security based on this policy.
+
+Each scanned target receives a graded score that summarizes how well it compares to the checks in the policy:
+
+```text
+ 80 .. 100 A (100 A+ 95 A 85 A- 80)
+ 60 .. 79 B ( 79 B+ 75 B 65 B- 60)
+ 30 .. 59 C ( 59 C+ 50 C 40 C- 30)
+ 10 .. 29 D ( 29 D+ 25 D 15 D- 10)
+ 0 .. 9 F
+```
+
+The score is based on the number of checks that return a `true` value (pass) compared to how many return a `false` value (fail).
+
+When assessing the overall security of an asset, some checks may be more important than others. For example, suppose a strong cipher is more important to your organization than SSH using port 22. You can use the `impact` attribute to give more importance to one check and less importance to another check. The `Ensure the port is set to 22` check has an impact of `30` (on line 18) and the `Prevent weaker CBC ciphers from being used` check has an impact of `60` (on line 23):
+
+```yaml showLineNumbers
+policies:
+ - uid: simple-example1
+ name: Simple example policy 1
+ version: "1.0.0"
+ scoring_system: highest impact
+ authors:
+ - name: Lunalectric
+ email: security@lunalectric.com
+ docs:
+ desc: |-
+ Descriptive documentation about this policy
+ groups:
+ - title: group1
+ checks:
+ - uid: sshd-01
+ title: Ensure the port is set to 22
+ mql: sshd.config.params["Port"] == 22
+ impact: 30
+
+ - uid: sshd-02
+ title: Prevent weaker CBC ciphers from being used
+ mql: sshd.config.ciphers.none( /cbc/ )
+ impact: 60
+
+ queries:
+ - uid: sshd-d-1
+ title: Gather SSH config params
+ mql: sshd.config.params
+```
+
+How Mondoo uses these values to calculate an asset's score depends on the `scoring_system` setting (line 5). You can choose the `average` scoring system or the `highest impact` scoring system:
+
+#### Average scoring system
+
+The `average` scoring system considers impact before averaging check scores. Failed checks with higher impact _lower_ an overall score _more_ than checks with lower impact. This is how the `average` scoring system calculates the overall score:
+
+- If a check passes (returns `true`), the asset receives a 100 for that check.
+
+- If a check fails (returns `false`), the asset receives (100-impact) for that check. For example, if an asset fails a check with an impact of 10, it receives a 90 for that check.
+
+Here are possible results of our simple example query, which has a port check and a cipher check:
+
+| Port (impact 30) | Cipher (impact 60) | Overall score |
+| -------------------- | -------------------- | ----------------------------------- |
+| Pass (100) | Pass (100) | (100 + 100) / 2 = **100** or **A+** |
+| Pass (100) | Fail (100 - 60 = 40) | (100 + 40) / 2 = **70** or **B** |
+| Fail (100 - 30 = 70) | Pass (100) | (100 + 70) / 2 = **85** or **A** |
+| Fail (100 - 30 = 70) | Fail (100 - 60 = 40) | (70 + 40) / 2 = **55** or **C** |
+
+To use the average scoring system, set the `scoring system` value to `average`:
+
+```yaml
+policies:
+ - uid: simple-example1
+ name: Simple example policy 1
+ version: "1.0.0"
+ scoring_system: average
+```
+
+#### Highest (failed) impact scoring system
+
+The `highest impact` scoring system only considers the highest impact check in the policy. It relies on the same method of subtraction as the `average` scoring system: It subtracts the `impact` value from 100 if a check fails. However, unlike the `average` scoring system, it doesn't average all the check scores to calculate the overall score. Instead, it just takes the score of the highest-impact **failed** check and makes that the overall score.
+
+Here are possible results of our simple example query, which has a port check and a cipher check:
+
+| Port (impact 30) | Cipher (impact 60) | Overall score |
+| --------------------- | --------------------- | ----------------- |
+| True (100) | True (100) | **100** or **A+** |
+| True (100) | False (100 - 60 = 40) | **40** or **C** |
+| False (100 - 30 = 70) | True (100) | **70** or **B** |
+| False (100 - 30 = 70) | False (100 - 60 = 40) | **40** or **C** |
+
+To use the highest impact scoring system, set the `scoring system` value to `highest impact`:
+
+```yaml
+policies:
+ - uid: simple-example1
+ name: Simple example policy 1
+ version: "1.0.0"
+ scoring_system: highest impact
+```
+
+## Next steps
+
+- To learn how to write more powerful policies, read [Reuse Queries and Checks](/cnspec/cnspec-policies/write/reuse/).
+
+- If you're ready to create your own policy: To learn how to set up, validate, and store policy bundles, read [Manage Policies](/cnspec/cnspec-policies/cnspec-manage-policies/).
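Review bot: Both "To use the ... scoring system" sentences tell the reader to set the `scoring system` value, but the key in every YAML example is `scoring_system`; use the underscored name in the prose so that a copied key is valid. The grade bands at the top define plus and minus grades, and 55 falls in the `59 C+ 50` range, yet the average-scoring table reports 55 as plain C; either give the full grade or say that the tables show the letter only. Smaller points: the front matter description reads "how a Mondoo scores assets", the two result tables switch between Pass/Fail and True/False, both introduce the policy as "our simple example query", and the sentence saying the score is based on the number of passing versus failing checks sits oddly with the impact weighting explained right after it.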
diff --git a/docs/cnspec/cnspec-policies/write/properties.mdx b/docs/cnspec/cnspec-policies/write/properties.mdx
new file mode 100644
index 000000000..c3aa79006
--- /dev/null
+++ b/docs/cnspec/cnspec-policies/write/properties.mdx
@@ -0,0 +1,106 @@
+---
+title: Policy Authoring Guide | Define Properties
+sidebar_label: Define Properties
+displayed_sidebar: cnspec
+sidebar_position: 7
+description: Use properties to define the values for settings that policies check against.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Properties are an optional method of defining the ideal values for [checks](/cnspec/cnspec-policies/write/simple/#checks). Instead of defining a value in the check itself, you can define it in a property and reference that property in the check. Multiple checks in a policy can share a single property.
+
+This policy does not use properties. It checks that you have strong IAM policies in AWS:
+
+```yaml showLineNumbers
+policies:
+ - uid: no-properties-example
+ name: Example policy without properties
+ version: "1.0.0"
+ authors:
+ - name: Lunalectric
+ email: security@lunalectric.com
+ groups:
+ - title: group01
+ checks:
+ - uid: aws-iam-01
+ title: Require long passwords
+ mql: aws.iam.accountPasswordPolicy['MinimumPasswordLength'] >= 8
+
+ - uid: aws-iam-02
+ title: Require uppercase characters
+ mql: aws.iam.accountPasswordPolicy['RequireUppercaseCharacters'] == true
+
+ - uid: aws-iam-03
+ title: Limit password age
+ mql: aws.iam.accountPasswordPolicy['MaxPasswordAge'] <= 90
+```
+
+The `no-properties-example` policy above performs three checks:
+
+- Line 13 checks whether the minimum password length is set to 8 or higher.
+
+- Line 17 checks whether uppercase letters are required in passwords.
+
+- Line 21 checks whether passwords expire after 90 or fewer days.
+
+In each of these lines, the ideal value that the policy checks against is in the check itself.
+
+An alternate way to structure these checks is to put all the ideal values in properties. You define properties separately from the checks themselves—similar to defining variables in code.
+
+This policy shows how you can use properties to achieve the same results as the `no-properties-example` policy:
+
+```yaml showLineNumbers
+policies:
+ - uid: example-with-properties
+ name: Example policy using properties
+ version: "1.0.0"
+ authors:
+ - name: Lunalectric
+ email: security@lunalectric.com
+ groups:
+ - title: group01
+ checks:
+ - uid: aws-iam-01
+ title: Require long passwords
+ mql: aws.iam.accountPasswordPolicy['MinimumPasswordLength'] >= props.passwordMinLength
+
+ - uid: aws-iam-02
+ title: Require uppercase character
+ mql: aws.iam.accountPasswordPolicy['RequireUppercaseCharacters'] == props.passwordUppercase
+
+ - uid: aws-iam-03
+ title: Require password rotation
+ mql: aws.iam.accountPasswordPolicy['MaxPasswordAge'] <= props.passwordMaxAge
+props:
+ - uid: passwordMinLength
+ title: Minimum password length
+ mql: "8"
+
+ - uid: props.passwordUppercase
+ title: Whether to require at least one uppercase character in passwords
+ mql: "true"
+
+ - uid: props.passwordMaxAge
+ title: Maximum time that a user can go without changing their password
+ mql: "90"
+```
+
+In the `example-with-properties` policy above, the three checks refer to properties for the ideal values to check against. The `props` sections of the policy (beginning on line 21) assigns a value to each of the three properties.
+
+import Partial from "./_include-lint.mdx";
+
+{" "}
+
+## Use one property for multiple checks
+
+Multiple checks in a policy can share a single property. This can make updates easier when your organization's requirements change.
+
+As a simple example, suppose you create a policy that checks IAM best practices across multiple platforms. Even though the platforms are different, your company's minimum password length requirement is the same. If you create password length checks for each different platform, you don't need to define the minimum password length value multiple times. Instead, all of the password length checks can point to a single property. That way, there's only one value to change when your company's minimum password length requirement changes.
+
+## Next steps
+
+- To learn about changing what a policy checks based on different conditions, read [Make Policies Flexible with Variants](/cnspec/cnspec-policies/write/variants).
+
+- If you're ready to create your own policy: To learn how to set up, validate, and store policy bundles, read [Manage Policies](/cnspec/cnspec-policies/cnspec-manage-policies/).
+
+---
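Review bot: In the `props` section of `example-with-properties` the three uids are inconsistent: `uid: passwordMinLength` is bare, while `uid: props.passwordUppercase` and `uid: props.passwordMaxAge` carry a `props.` prefix. The checks reference all three the same way (`props.passwordMinLength`, `props.passwordUppercase`, `props.passwordMaxAge`), so only one of the two uid forms can be right; make the three entries consistent. The `props:` key is on line 22 of the numbered block, not line 21, and "The `props` sections ... assigns" should be singular. The check titles also change between the two examples ("Limit password age" becomes "Require password rotation") even though the text says the second policy achieves the same results; keeping the titles identical would make the comparison cleaner.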
diff --git a/docs/cnspec/cnspec-policies/write/reuse.mdx b/docs/cnspec/cnspec-policies/write/reuse.mdx
new file mode 100644
index 000000000..16fb27a8c
--- /dev/null
+++ b/docs/cnspec/cnspec-policies/write/reuse.mdx
@@ -0,0 +1,96 @@
+---
+title: Policy Authoring Guide | Reuse Queries and Checks
+sidebar_label: Reuse Queries and Checks
+displayed_sidebar: cnspec
+sidebar_position: 4
+description: Learn how to combine policies in a bundle and make more efficient policies by reusing queries and checks
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Now that you've [explored the very basic elements of a policy and a policy bundle](/cnspec/cnspec-policies/write/simple/) and defined [policy scoring](/cnspec/cnspec-policies/write/policy-scoring/), you can learn how to include multiple policies in a bundle and reuse queries and checks among them.
+
+Here's another simple example of a policy bundle:
+
+```yaml showLineNumbers
+policies:
+ - uid: luna1
+ name: Lunalectric policy 1
+ version: "1.0.0"
+ scoring_system: highest impact
+ authors:
+ - name: Lunalectric
+ email: security@lunalectric.com
+ docs:
+ desc: |-
+ Descriptive documentation about this policy
+ groups:
+ - title: test
+ checks:
+ - uid: sshd-01
+ title: Ensure the port is set to 22
+ mql: sshd.config.params["Port"] == 22
+ impact: 30
+
+ - uid: sshd-02
+ title: Prevent weaker CBC ciphers from being used
+ mql: sshd.config.ciphers.none( /cbc/ )
+ impact: 60
+
+ - uid: shared1
+
+ queries:
+ - uid: sshd-d-1
+ title: Gather SSH config params
+ mql: sshd.config.params
+
+ - uid: luna2
+ name: Luna policy 2
+ version: "1.0.0"
+ scoring_system: highest impact
+ authors:
+ - name: Lunalectric
+ email: security@lunalectric.com
+ groups:
+ - title: test2
+ checks:
+ - uid: sshd-03
+ title: Ensure SSH protocol is set to 2
+ mql: sshd.config.params["Protocol"] == 2
+ impact: 50
+
+ - uid: shared1
+
+queries:
+ - uid: shared1
+ title: Enable strict mode
+ mql: sshd.config.params["StrictModes"] == "yes"
+ impact: 70
+```
+
+## Multiple policies in a bundle
+
+Policy bundles can contain any number of policies. You write them in the `policies` section of the bundle. The example above has two policies: `Luna policy 1` (lines 2-25) and `Luna policy 2` (lines 27-42). To learn the basic elements of a policy, read [Write Custom Policies](/cnspec/cnspec-policies/write/simple/).
+
+## Reusing queries and checks
+
+Notice that the example policy bundle above has a main section at the end named `queries`. It's at the same level in the hierarchy as the `policies` section. This is the _shared_ queries and checks section, intended for items you'll use more than once. Here you can put queries and checks that you want to include in multiple policies. Instead of writing the same query or check twice or ten times in many policies, you can write it once, store it in this shared `queries` section, and simply _reference_ it in any policy you want to include it in.
+
+In the example policy bundle above, there's one shared item in the shared `queries` section: `Enable strict mode`. Line 45 defines the shared item's UID as `shared1`. Both policies reference it (include it in their checks) using its that `shared1` UID (on lines 21 and 42).
+
+:::info
+
+The shared `queries` main section of a policy bundle can contain _both_ queries that only collect information _and_ checks (queries that make assertions and produce scores when the scan runs).
+
+:::
+
+import Partial from "./_include-lint.mdx";
+
+{" "}
+
+## Next steps
+
+- To learn how to organize a policy into sections, read [Break up a Policy into Groups](/cnspec/cnspec-policies/write/chapters/).
+
+- If you're ready to create your own policy: To learn how to set up, validate, and store policy bundles, read [Manage Policies](/cnspec/cnspec-policies/cnspec-manage-policies/).
+
+---
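Review bot: The line references in the prose do not match the numbered example. Counting `policies:` as line 1, `luna1` spans lines 2-30 and `luna2` lines 32-47 (the text says 2-25 and 27-42), the two `- uid: shared1` references are on lines 25 and 47 (the text says 21 and 42), and the shared definition is on line 50 (the text says 45). The offsets suggest the example grew after the prose was written; recount against the final YAML. The first policy is named `Lunalectric policy 1` in the YAML but `Luna policy 1` in the text, and "using its that `shared1` UID" has an extra word.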
diff --git a/docs/cnspec/cnspec-policies/write/simple.mdx b/docs/cnspec/cnspec-policies/write/simple.mdx
new file mode 100644
index 000000000..a83a57a1f
--- /dev/null
+++ b/docs/cnspec/cnspec-policies/write/simple.mdx
@@ -0,0 +1,115 @@
+---
+title: Policy Authoring Guide | Write Custom Policies
+sidebar_label: Write Custom Policies
+displayed_sidebar: cnspec
+sidebar_position: 2
+description: Create your own policies for cnspec and Mondoo to scan your infrastructure
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Policies are the specifications that cnspec uses when it scans an asset. cnspec compares your asset's configuration against the standards set in policies, and calculates a score based on the comparison.
+
+Mondoo provides dozens of free policy bundles (collections of policies) with cnspec that cover the most common types of assets—and Mondoo Platform has even more. If your organization has unique needs that these policy bundles don't meet, you can create custom policy bundles.
+
+## A very simple policy bundle
+
+All cnspec policies are stored in YAML files. These files are called bundles because they bundle policies together. Their filename ends in `.mql.yaml`. To learn more about policies and policy bundles, read [About Policies](/cnspec/cnspec-policies/).
+
+Here's a very simple example of a policy bundle. It contains only one policy, `Simple example policy 1`:
+
+```yaml showLineNumbers
+policies:
+ - uid: simple-example1
+ name: Simple example policy 1
+ version: "1.0.0"
+ scoring_system: highest impact
+ authors:
+ - name: Lunalectric
+ email: security@lunalectric.com
+ docs:
+ desc: |-
+ Descriptive documentation about this policy
+ groups:
+ - title: group1
+ checks:
+ - uid: sshd-01
+ title: Ensure the port is set to 22
+ mql: sshd.config.params["Port"] == 22
+ impact: 30
+
+ - uid: sshd-02
+ title: Prevent weaker CBC ciphers from being used
+ mql: sshd.config.ciphers.none( /cbc/ )
+ impact: 60
+
+ queries:
+ - uid: sshd-d-1
+ title: Gather SSH config params
+ mql: sshd.config.params
+```
+
+We'll use this simple policy bundle example to explore how to write a policy.
+
+## Basic policy attributes
+
+| The attribute... | On line... | Defines... |
+| ---------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| uid | 2 | A unique identifier for the policy |
+| name | 3 | A descriptive name for the policy |
+| version | 4 | The current version of the policy. We recommend using semantic versioning to keep track of major and minor policy changes. |
+| scoring_system | 5 | How Mondoo calculates the score for an asset: `average` or `highest impact`. To learn more, read [Score Policies](/cnspec/cnspec-policies/write/policy-scoring/). |
+| authors | 6-7 | The person or entity to credit for writing the policy, and email where they can be reached. |
+| docs | 9-11 | Optional documentation section for describing the policy's purpose and makeup. |
+
+The `groups` section of the policy defines the checks and queries that define how to assess and report on asset security. To learn more, read [Break up a Policy into Groups / Chapters](/cnspec/cnspec-policies/write/chapters/).
+
+## Queries
+
+A _query_ is an [MQL](/mql/mql.write/) inquiry that requests information about an asset. For example, a query can ask what version of an OS is running on a container or request the UIDs, names, and statuses are of all users in an application.
+
+Queries in a policy add helpful insights to scan report output. (They're also the bases for checks, which are described below.)
+
+The simple example policy bundle above contains one query (on lines 26-28). It requests the configuration values of the SSH server scanned. This information is included in the scan report output.
+
+| The attribute... | On line... | Defines... |
+| ---------------- | ---------- | ---------------------------------------------------------------------------------------------------------------------- |
+| uid | 26 | A unique identifier for the query |
+| title | 27 | A descriptive name for the query |
+| mql | 28 | The [MQL](/mql/mql.write/) query that requests information, such as the number of root accounts or the state of a port |
+
+To learn how to create MQL queries, read [Write Effective MQL](/mql/mql.write/).
+
+### Checks
+
+An [MQL](/mql/mql.write/) query that also makes an assertion and produces a score is called a _check_. Checks retrieve a value just like any query. For example, a check can ask _What OS version is running?_ How they differ from other queries is that they compare the retrieved value to a _desired_ value and create a score based on that comparison. For example, a check can assert that the value should be 8.3.1 or higher. All checks return a Boolean `true` or `false`. In our example, if the current OS version on the scanned asset is 8.2, the check returns `false`. If the current OS version is 8.3.1 or 8.3.5, the check returns `true`.
+
+Checks are the building blocks of policies. A typical policy identifies a number of desired configurations (such as _MFA is enabled_ and _no ports are publicly accessible_) and instructs Mondoo to compare that to the actual configuration on the scan target. This is a collection of checks.
+
+The simple example policy bundle above contains two checks:
+
+- The check defined in lines 15-18 ensures the SSH port is set to 22.
+
+- The check defined in lines 20-23 ensures that SSH uses a strong cipher.
+
+Each check has its own attributes:
+
+| The attribute... | On lines... | Defines... |
+| ---------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| uid | 15 & 20 | A unique identifier for the check |
+| title | 16 & 21 | A descriptive name for the check that's useful in report output |
+| mql | 17 & 22 | The [MQL](/mql/mql.write/) assertion that identifies the desired condition or configuration, such as logging is enabled or encryption is required |
+| impact | 18 & 23 | How important (on a scale from 0 to 100) the check is in the scope of the entire policy. The impact and result of each check determine the asset's score on the policy. To learn more, read [Score Policies](/cnspec/cnspec-policies/write/policy-scoring/). |
+
+To learn how to create MQL queries and checks, read [Write Effective MQL](/mql/mql.write/).
+
+import Partial from "./_include-lint.mdx";
+
+{" "}
+
+## Next steps
+
+- To learn how scoring works in Mondoo policies, read [Score Policies](/cnspec/cnspec-policies/write/policy-scoring/).
+
+- If you're ready to create your own policy: To learn how to set up, validate, and store policy bundles, read [Manage Policies](/cnspec/cnspec-policies/cnspec-manage-policies/).
+
+---
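Review bot: The bullet "ensures that SSH uses a strong cipher" overstates what the check on lines 20-23 does: `sshd.config.ciphers.none( /cbc/ )` only asserts that no configured cipher name matches `cbc`, which is what its title ("Prevent weaker CBC ciphers from being used") says. Reword the bullet to match the title so readers do not take the check as a general cipher-strength test. In the "Basic policy attributes" table, `authors` is listed as lines 6-7, but the block runs through the `email` entry on line 8; change it to 6-8. "request the UIDs, names, and statuses are of all users" has a stray "are". The `import Partial from "./_include-lint.mdx";` line is followed only by `{" "}`; nothing in the visible lines uses `Partial`, so confirm the lint partial is actually rendered here.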
diff --git a/docs/cnspec/cnspec-policies/write/variants.mdx b/docs/cnspec/cnspec-policies/write/variants.mdx
new file mode 100644
index 000000000..4312e237c
--- /dev/null
+++ b/docs/cnspec/cnspec-policies/write/variants.mdx
@@ -0,0 +1,150 @@
+---
+title: Policy Authoring Guide | Make Policies Flexible with Variants
+sidebar_label: Make Policies Flexible with Variants
+displayed_sidebar: cnspec
+sidebar_position: 8
+description: Use variants to change what a policy checks based on different conditions
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Variants are checks that behave differently based on conditions you define. They're alternative versions of checks.
+
+For example, suppose you want to ensure that Remote Desktop Protocol (RDP) is restricted from the internet. You want to perform this check both in GCP projects and in Terraform files. You can do this by creating one variant for GCP projects and another for Terraform files:
+
+- The GCP variant queries if the asset is a GCP project and checks RDP access using the GCP resource.
+
+- The Terraform variant queries if the asset is a Terraform file and checks RDP access using the Terraform resource.
+
+- If the asset is neither a GCP project nor a Terraform file, cnspec doesn't execute an RDP check.
+
+## Filters
+
+cnspec relies on _filters_ to determine which variant to run against an asset. A filter is a condition written in [MQL](/mql/mql.write/). Any fields you can query about any [resources](/mql/resources/) can be the basis for a filter.
+
+To learn more about filters, read [Limit Target Assets with Filters](/cnspec/cnspec-policies/write/filters/).
+
+## Create variants
+
+To create variants for a check, you define the variants in a `variants` section of the check. This tells cnspec that the check is made up of variants, and what those variants are.
+
+```yml showLineNumbers
+policies:
+ - uid: okta-security-example-with-variants
+ name: Example of a policy that uses variants
+ version: "1.0.0"
+ scoring_system: highest impact
+ authors:
+ - name: Lunalectric
+ email: security@lunalectric.com
+checks:
+ - uid: password-minimum-length
+ title: Minimum password length
+ impact: 30
+ variants:
+ - uid: password-minimum-length-runtime
+ - uid: password-minimum-length-terraform-hcl
+ - uid: password-minimum-length-terraform-plan
+ - uid: password-minimum-length-terraform-state
+ - uid: password-minimum-length-runtime
+ title: Minimum password length - runtime variant
+ filters: asset.platform == "okta-org"
+ impact: 30
+ mql: |
+ okta.policies.password.all( settings['password']['complexity']['minLength'] >= 15 )
+ - uid: password-minimum-length-terraform-hcl
+ title: Minimum password length - Terraform HCL variant
+ filters: asset.platform == "terraform-hcl" && terraform.providers.one( nameLabel == "okta" )
+ impact: 30
+ mql: |
+ terraform.resources.where( nameLabel == /okta_policy_password/ ).all( arguments['password_min_length'] == /var/ || arguments['password_min_length'] >= 15 )
+ - uid: password-minimum-length-terraform-plan
+ title: Minimum password length - Terraform plan variant
+ filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
+ impact: 30
+ mql: |
+ terraform.plan.resourceChanges.where( type == /okta_policy_password/ ).all( change.after['password_min_length'] >= 15 )
+ - uid: password-minimum-length-terraform-state
+ title: Minimum password length - Terraform state variant
+ filters: asset.platform == "terraform-state" && terraform.state.resources.contains( type == /okta_policy_password/ )
+ impact: 30
+ mql: |
+ terraform.state.resources.where( type == /okta_policy_password/ ).all( values['password_min_length'] >= 15 )
+```
+
+Lines 13-17 in the `okta-security-example-with-variants` policy establish the variants for the `password-minimum-length` check. These are the four variants:
+
+- Lines 18-23 define the `password-minimum-length-runtime` variant. The filter on line 20 tells cnspec to run this variant only on one condition: The asset is an Okta organization. Line 23 is the check to run if that condition is true.
+
+- Lines 24-29 define the `password-minimum-terraform-hcl` variant. The filter on line 26 tells cnspec to run this variant only on one condition: The asset is an Okta Terraform HCL file. Line 29 is the check to run if that condition is true.
+
+- Lines 30-35 define the `password-minimum-terraform-plan` variant. The filter on line 32 tells cnspec to run this variant only on one condition: The asset is an Okta Terraform plan. Line 35 is the check to run if that condition is true.
+
+- Lines 36-41 define the `password-minimum-terraform-state` variant. The filter on line 38 tells cnspec to run this variant only on one condition: The asset is an Okta Terraform state. Line 41 is the check to run if that condition is true.
+
+## Use one property for multiple variants
+
+Often you use variants to ensure that different types of assets have one common [property](/cnspec/cnspec-policies/write/properties), as in the example above. All of the variants in the `okta-security-example-with-variants` policy check that the minimum password length is `15`; they just check the value using different resources for different assets.
+
+For efficiency and easier maintenance, you can write all four variants to use one property instead of defining `15` multiple times:
+
+```yml showLineNumbers
+policies:
+ - uid: okta-security-example-with-variants
+ name: Example of a policy that uses variants
+ version: "1.0.0"
+ scoring_system: highest impact
+ authors:
+ - name: Lunalectric
+ email: security@lunalectric.com
+checks:
+ - uid: password-minimum-length
+ title: Minimum password length
+ impact: 30
+ variants:
+ - uid: password-minimum-length-runtime
+ - uid: password-minimum-length-terraform-hcl
+ - uid: password-minimum-length-terraform-plan
+ - uid: password-minimum-length-terraform-state
+ - uid: password-minimum-length-runtime
+ title: Minimum password length - runtime variant
+ filters: asset.platform == "okta-org"
+ impact: 30
+ mql: |
+ okta.policies.password.all( settings['password']['complexity']['minLength'] >= props.minPass )
+ - uid: password-minimum-length-terraform-hcl
+ title: Minimum password length - Terraform HCL variant
+ filters: asset.platform == "terraform-hcl" && terraform.providers.one( nameLabel == "okta" )
+ impact: 30
+ mql: |
+ terraform.resources.where( nameLabel == /okta_policy_password/ ).all( arguments['password_min_length'] == /var/ || arguments['password_min_length'] >= props.minPass )
+ - uid: password-minimum-length-terraform-plan
+ title: Minimum password length - Terraform plan variant
+ filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
+ impact: 30
+ mql: |
+ terraform.plan.resourceChanges.where( type == /okta_policy_password/ ).all( change.after['password_min_length'] >= props.minPass )
+ - uid: password-minimum-length-terraform-state
+ title: Minimum password length - Terraform state variant
+ filters: asset.platform == "terraform-state" && terraform.state.resources.contains( type == /okta_policy_password/ )
+ impact: 30
+ mql: |
+ terraform.state.resources.where( type == /okta_policy_password/ ).all( values['password_min_length'] >= props.minPass )
+Props:
+ - uid: minPass
+ title: Minimum password length
+ mql: "15"
+```
+
+import Partial from "./_include-lint.mdx";
+
+{" "}
+
+To learn more about properties, read [Define Properties](/cnspec/cnspec-policies/write/properties).
+
+## Next steps
+
+- If you're ready to create your own policy: To learn how to set up, validate, and store policy bundles, read [Manage Policies](/cnspec/cnspec-policies/cnspec-manage-policies/).
+
+- Learn how to [write MQL queries and checks](/mql/mql.write).
+
+- Read about all the different [resources](/mql/resources/) from which MQL can retrieve information.
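Review bot: In the second example the properties section is keyed `Props:` with a capital P, while the other top-level keys (`policies:`, `checks:`) are lowercase and the checks read `props.minPass`; YAML keys are case-sensitive, so this should be `props:`. The bullets that walk through the variants name them `password-minimum-terraform-hcl`, `password-minimum-terraform-plan` and `password-minimum-terraform-state`, dropping `-length` from the uids in the YAML. In the Terraform HCL variant, `arguments['password_min_length'] == /var/ || ...` passes whenever the argument matches `/var/`, so in that case the minimum length is not verified at all; the text should say this so readers know the HCL variant is weaker than the other three. The page opens by motivating variants with an RDP check on GCP and Terraform, but the worked example is an Okta password policy; a bridging sentence would help.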
diff --git a/docs/cnspec/cnspec-scan.md b/docs/cnspec/cnspec-scan.md
new file mode 100644
index 000000000..beda026f0
--- /dev/null
+++ b/docs/cnspec/cnspec-scan.md
@@ -0,0 +1,53 @@
+---
+title: Create Checks in cnspec Shell
+id: cnspec-scan
+sidebar_label: Create Checks in cnspec Shell
+displayed_sidebar: cnspec
+sidebar_position: 5
+description: Use cnquery's interactive shell to learn about checks
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+cnspec provides an interactive shell in which you can explore. It helps you understand the checks that cnspec policies use, and write your own as well. It’s also a great way to interact with both local and remote targets on the fly.
+
+Run the shell:
+
+```bash
+cnspec shell local
+```
+
+The shell provides a `help` command to get information on the resources that power cnspec. Running help without any arguments lists all of the available MQL resources and their fields. You can also run `help RESOURCE` to get more information on a specific resource. For `RESOURCE`, substitute the name of the resource you want to learn about. For example, this command:
+
+```
+cnspec> help ports
+```
+
+Returns this help:
+
+```
+ports: TCP/IP ports on the system
+ list []port: TCP/IP ports on the system
+ listening []port: All listening ports
+```
+
+The shell features auto-complete, which makes it easy to explore.
+
+Once inside the shell, you can enter MQL checks like this:
+
+```coffee
+ports.listening.none( port == 23 )
+```
+
+To clear the terminal, type `clear`.
+
+To exit cnspec shell, press `CTRL + D` or type `exit`.
+
+## Learn more
+
+- To explore cnspec commands, read the [CLI Reference](/cnspec/cli/cnspec/).
+
+- To explore MQL resources, read the [MQL Reference](/mql/resources/).
+
+- To learn about scanning systems using policies, read [Get Started](/cnspec/).
+
+---
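Review bot: The front matter description says "Use cnquery's interactive shell", but the title, the command (`cnspec shell local`) and the prompt (`cnspec>`) are all cnspec; change the description to match. The two fences around `help ports` and its output carry no language tag while the others are tagged `bash` and `coffee`; tag them for consistent rendering. The example check `ports.listening.none( port == 23 )` is shown without saying what it asserts or what the shell prints for a pass or a fail; one sentence explaining that it passes when nothing is listening on port 23, plus sample output, would make the example usable.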
diff --git a/docs/cnspec/cnspec-supported.md b/docs/cnspec/cnspec-supported.md
new file mode 100644
index 000000000..20e5b3fe5
--- /dev/null
+++ b/docs/cnspec/cnspec-supported.md
@@ -0,0 +1,47 @@
+---
+title: Supported Scan Targets
+id: cnspec-supported
+sidebar_label: Supported Scan Targets
+displayed_sidebar: cnspec
+sidebar_position: 6
+description: A list of technologies that cnspec can scan
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+cnquery can request information from:
+
+| Target | Provider | Example |
+| ---------------------------- | -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
+| AWS accounts | `aws` | `cnspec scan aws` |
+| AWS EC2 instances | `ssh` | `cnspec scan ssh user@host` |
+| AWS EC2 Instance Connect | `aws ec2 instance-connect` | `cnspec scan aws ec2 instance-connect ec2-user@INSTANCEID` |
+| AWS EC2 EBS snapshot | `aws ec2 ebs snapshot` | `cnspec scan aws ec2 ebs snapshot SNAPSHOTID` |
+| AWS EC2 EBS volume | `aws ec2 ebs volume` | `cnspec scan aws ec2 ebs volume VOLUMEID` |
+| Container images | `container`, `docker` | `cnspec scan container ubuntu:latest` |
+| Container registries | `container registry` | `cnspec scan container registry index.docker.io/library/rockylinux:8 ` |
+| DNS records | `host` | `cnspec scan host mondoo.com` |
+| GitHub organizations | `github org` | `cnspec scan github org mondoohq` |
+| GitHub repositories | `github repo` | `cnspec scan github repo mondoohq/cnspec` |
+| GitLab groups | `gitlab` | `cnspec scan gitlab --group mondoohq` |
+| Google Cloud projects | `gcp` | `cnspec scan gcp` |
+| Google Workspace | `google-workspace` | `cnspec shell google-workspace --customer-id CUSTOMER_ID --impersonated-user-email EMAIL --credentials-path JSON_FILE` |
+| Kubernetes cluster nodes | `local`, `ssh` | `cnspec scan ssh user@host` |
+| Kubernetes clusters | `k8s` | `cnspec scan k8s` |
+| Kubernetes manifests | `k8s` | `cnspec scan k8s manifest.yaml ` |
+| Kubernetes workloads | `k8s` | `cnspec scan k8s --discover pods,deployments` |
+| Linux hosts | `local`, `ssh` | `cnspec scan local` or `cnspec scan ssh user@host` |
+| macOS hosts | `local`, `ssh` | `cnspec scan local` or `cnspec scan ssh user@IP_ADDRESS` |
+| Microsoft 365 accounts | `ms365` | `cnspec scan ms365 --tenant-id TENANT_ID --client-id CLIENT_ID --certificate-path PFX_FILE` |
+| Microsoft Azure accounts | `azure` | `cnspec scan azure --subscription SUBSCRIPTION_ID` |
+| Microsoft Azure instances | `ssh` | `cnspec scan ssh user@host` |
+| Okta | `okta` | `cnspec shell okta --token TOKEN --organization ORGANIZATION` |
+| Oracle Cloud Interface (OCI) | `oci` | `cnspec shell oci` |
+| Running containers | `docker` | `cnspec scan docker CONTAINER_ID` |
+| Slack | `slack` | `cnspec shell slack --token TOKEN` |
+| SSL certificates on websites | `host` | `cnspec scan host mondoo.com` |
+| Terraform HCL | `terraform` | `cnspec scan terraform HCL_FILE_OR_PATH` |
+| Terraform plan | `terraform plan` | `cnspec scan terraform plan plan.json` |
+| Terraform state | `terraform state` | `cnspec scan terraform state state.json` |
+| Vagrant virtual machines | `vagrant` | `cnspec scan vagrant HOST` |
+| VMware vSphere | `vsphere` | `cnspec scan vsphere user@domain@host --ask-pass` |
+| Windows hosts | `local`, `ssh`, `winrm` | `cnspec scan local`, `cnspec scan ssh Administrator@IP_ADDRESS --ask-pass` or `cnspec scan winrm Administrator@IP_ADDRESS --ask-pass` |
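Review bot: The intro line of this new page reads "cnquery can request information from:" although the title, description and every example are about cnspec; change it to cnspec. In the table, "Oracle Cloud Interface (OCI)" should be "Oracle Cloud Infrastructure (OCI)". The Google Workspace, Okta, OCI and Slack rows show `cnspec shell` while the page is titled "Supported Scan Targets" and every other row uses `cnspec scan`; give the scan form or say why these rows differ. The "DNS records" and "SSL certificates on websites" rows carry the identical example `cnspec scan host mondoo.com`, so consider merging them or noting that one command covers both.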
diff --git a/docs/cnspec/home.md b/docs/cnspec/home.md
new file mode 100644
index 000000000..b96a35c7e
--- /dev/null
+++ b/docs/cnspec/home.md
@@ -0,0 +1,55 @@
+---
+title: cnspec Docs
+hide_title: true
+sidebar_label: cnspec Docs Home
+displayed_sidebar: cnspec
+description: cnspec documentation home
+image: /img/featured_img/mondoo-feature.jpg
+hide_table_of_contents: true
+---
+
+![cnspec Docs](/img/cnspec/cnspec-logo.png)
+
+cnspec is an open source, cloud-native tool that evaluates the security of your entire infrastructure. It's also a core component of the [Mondoo Platform](/platform/start/plat-what-is/), serving as both a CLI and an agent for scanning.
+
+### [What Is cnspec?](/cnspec/cnspec-about/)
+
+Get to know cnspec and explore its capabilities.
+
+### [Install cnspec](/cnspec/)
+
+Download and install cnspec on your assets.
+
+### Get Started with:
+
+- [AWS](/cnspec/cnspec-aws/)
+
+- [Azure](/cnspec/cnspec-azure/)
+
+- [GCP](/cnspec/cnspec-gcp/)
+
+- [Kubernetes](/cnspec/cnspec-k8s/)
+
+- [Linux](/cnspec/cnspec-oper/cnspec-linux-intro)
+
+- [macOS](/cnspec/cnspec-oper/cnspec-macos-intro)
+
+- [Windows](/cnspec/cnspec-oper/cnspec-windows-intro)
+
+### [CLI Command Reference](/cnspec/cli/cnspec/)
+
+Find the commands you need to scan and make checks.
+
+### See also:
+
+- To learn all the resources that you can query in your infrastructure and how to access the information, read the [MQL Reference](/mql/resources/),
+
+- To learn how to create queries and checks, read [Write Effective MQL](/mql/mql.write).
+
+- To learn how to structure and build your own policies, read the Mondoo [Policy Authoring Guide](/cnspec/cnspec-policies/write/).
+
+#### Can't find what you need?
+
+Join our [community discussion on GitHub](https://github.com/orgs/mondoohq/discussions).
+
+---
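Review bot: The "Install cnspec" heading links to `/cnspec/`, the same path the shell page in this patch labels "Get Started"; confirm the install instructions really live at that path or point the heading at the install page. Under "See also:", the first bullet ends with a comma ("read the [MQL Reference](/mql/resources/),") while the other two end with a period.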
diff --git a/docs/cnspec/report.mdx b/docs/cnspec/report.mdx
new file mode 100644
index 000000000..0b14b13be
--- /dev/null
+++ b/docs/cnspec/report.mdx
@@ -0,0 +1,16 @@
+---
+title: View and Share a Scan Report in a Web Browser
+id: report
+sidebar_label: View and Share a Scan Report in a Web Browser
+displayed_sidebar: cnspec
+description: Install and use cnspec, an open source, cloud-native tool for securing your full stack
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+This feature is deprecated.
+
+To learn how to create a report of scan results, read [Report Results](/cnspec/results).
+
+For far more capabilities, more policies, and easy, browser-based management, log into [Mondoo Platform](/cnspec/cnspec-platform/).
+
+---
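Review bot: The front matter `description` ("Install and use cnspec, an open source, cloud-native tool for securing your full stack") does not describe this page, whose whole body is a deprecation notice; replace it with a line that says the feature is deprecated and where to go instead. Because the page keeps `sidebar_label` and `displayed_sidebar: cnspec`, a deprecated entry may still be listed in navigation; consider removing it from the sidebar or redirecting to `/cnspec/results`.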
diff --git a/docs/cnspec/results.mdx b/docs/cnspec/results.mdx
new file mode 100644
index 000000000..cc4a62fbb
--- /dev/null
+++ b/docs/cnspec/results.mdx
@@ -0,0 +1,39 @@
+---
+title: Report Results
+sidebar_label: Report Results
+displayed_sidebar: cnspec
+description: Install and use cnspec, an open source, cloud-native tool for securing your full stack
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+cnspec supports different ways of reporting scan results. You can generate a JSON report or view and print results in the Mondoo Console.
+
+## Create a JSON report from the command line
+
+To save the results of your scan to a JSON file, append your scan command with the `-o` flag:
+
+```
+-o json > FILENAME.json
+```
+
+For `FILENAME`, substitute the name you want to give the file. For example, this scans a Kubernetes cluster and reports the results to a file named `k8s-test-results.json`:
+
+```
+cnspec scan k8s -o json > k8s-test-results.json
+```
+
+## View and print results in the Mondoo Console
+
+When cnspec completes a scan, it provides a link to the Mondoo Console, where you can view graphical results.
+
+:::note
+
+You must register cnspec to see results in the Mondoo Console. To learn how, read [Log into Mondoo Platform for More Capabilities](/cnspec/cnspec-platform/).
+
+:::
+
+![Results in the Mondoo console](/img/cnspec/console.png)
+
+To open printer-friendly results in a new browser tab, select the print icon near the top-right corner of the Mondoo Console.
+
+---
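Review bot: In "Create a JSON report from the command line", the first fence shows only `-o json > FILENAME.json`, a fragment that cannot be run as written, and both fences in that section have no language tag while the other pages in this patch tag commands as `bash`; show the full command with a placeholder target and tag both fences. "Append your scan command with the `-o` flag" reads better as "append the `-o` flag to your scan command". The `description` is the same install-focused line used on report.mdx and does not describe reporting. Because the JSON file holds the full scan findings, a sentence on keeping it out of shared or world-readable locations would fit here.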
diff --git a/docs/cnspec/saas/_overview.mdx b/docs/cnspec/saas/_overview.mdx
new file mode 100644
index 000000000..4e6a8bd17
--- /dev/null
+++ b/docs/cnspec/saas/_overview.mdx
@@ -0,0 +1,24 @@
+---
+title: Assess SaaS Security with cnspec
+sidebar_label: Overview
+displayed_sidebar: cnspec
+description: Secure your SaaS infrastructure with cnspec
+---
+
+Rely on Mondoo to secure your business-critical SaaS platforms:
+
+- **[GitHub](/cnspec/saas/github/)**
+
+- **[Google Workspace](/cnspec/saas/google_workspace/)**
+
+- **[Microsoft 365](/cnspec/saas/ms365/)**
+
+- **[Okta](/cnspec/saas/okta/)**
+
+- **[Slack](/cnspec/saas/slack/)**
+
+#### Get help
+
+Join our [community discussion on GitHub](https://github.com/orgs/mondoohq/discussions).
+
+---
diff --git a/docs/cnspec/saas/github.md b/docs/cnspec/saas/github.md
new file mode 100644
index 000000000..ce2dbb83c
--- /dev/null
+++ b/docs/cnspec/saas/github.md
@@ -0,0 +1,118 @@
+---
+title: Assess the configuration of GitHub organizations and repositories with cnspec
+sidebar_label: GitHub
+sidebar_position: 2
+displayed_sidebar: cnspec
+description: Secure and enforce policy for GitHub
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Rely on cnspec to ensure your GitHub organizations and private repositories (repos) follow recommended security and operational best practices.
+
+You can also use cnspec to assess public repos and open source projects your team depends on. cnspec evaluates the risk a project poses to your business.
+
+:::tip
+
+Open source projects that don't adhere to GitHub's recommended security best practices pose a higher risk of introducing malicious code into your environments.
+
+:::
+
+## Give cnspec access using the GitHub API
+
+To scan GitHub organizations and repos, cnspec needs access. You give cnspec the access it needs through the GitHub API. First, you create GitHub personal access token. Then you share that token with cnspec using an environment variable.
+
+### Create a GitHub personal access token
+
+cnspec needs a personal access token to scan a GitHub organization, public repo, or private repo. The token's level of access determines how much information cnspec can retrieve.
+
+To learn how to create a personal access token, read [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) in the GitHub documentation.
+
+### Configure a GITHUB_TOKEN environment variable
+
+You supply your personal access token to cnspec using the `GITHUB_TOKEN` environment variable.
+
+#### Linux / macOS
+
+```bash
+export GITHUB_TOKEN=
+```
+
+#### Windows
+
+```powershell
+$Env:GITHUB_TOKEN = ""
+```
+
+## Scan a GitHub organization
+
+To scan the configuration of your GitHub organization and all repos within it, run this command:
+
+```bash
+cnspec scan github org
+```
+
+:::caution
+
+Scanning large GitHub organizations and all repositories may exceed GitHub API rate limits. To learn more, read [About rate limits](https://docs.github.com/en/rest/rate-limit?apiVersion=2022-11-28#about-rate-limits) in the GitHub documentation.
+
+:::
+
+### Scan a GitHub organization but not its repos
+
+Use the `--discover organization` flag to scan your GitHub organization and discover and scan all of the repos within it:
+
+```bash
+cnspec scan github org --discover organization
+```
+
+### Scan GitHub repos
+
+To scan the configuration of a GitHub repo:
+
+```bash
+cnspec scan github repo
+```
+
+## Example checks
+
+Run `cnspec shell` to open the cnspec interactive shell. From there you can make checks like the examples below.
+
+Ensure two-factor authentication is enabled for GitHub organizations:
+
+```coffee
+cnspec> github.organization.twoFactorRequirementEnabled
+[failed] github.organization.twoFactorRequirementEnabled
+ expected: == true
+ actual: false
+```
+
+Ensure the GitHub organization domain is verified:
+
+```coffee
+cnspec> github.organization.isVerified
+[failed] github.organization.isVerified
+ expected: == true
+ actual: false
+```
+
+Ensure the GitHub organization default permissions is set to _read_:
+
+```coffee
+cnspec> github.organization.defaultRepositoryPermission == "read"
+[ok] value: "read"
+```
+
+Ensure the default branch is configured with branch protection:
+
+```coffee
+cnspec> github.repository.branches.where( isDefault == true ).all( protected == true )
+[ok] value: true
+```
+
+## Learn more
+
+- To learn about all the GitHub resources and properties, read the [Mondoo GitHub Resource Pack Reference](/mql/resources/github-pack/).
+
+- To learn how to write checks, read [Write Effective MQL](/mql/mql.write).
+
+---
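Review bot: In "Scan a GitHub organization but not its repos", the sentence under the heading says the `--discover organization` flag will "scan your GitHub organization and discover and scan all of the repos within it", which is the opposite of the heading; reword it to say the flag limits the scan to the organization. The commands are also missing their arguments: `export GITHUB_TOKEN=` and `$Env:GITHUB_TOKEN = ""` have no placeholder value, and `cnspec scan github org` and `cnspec scan github repo` name no organization or repo, whereas the supported-targets table uses `cnspec scan github org mondoohq` and `cnspec scan github repo mondoohq/cnspec`. "First, you create GitHub personal access token" needs "a". Since the page says the token's level of access determines what cnspec can retrieve, list the minimum read-only scopes it needs so readers do not supply a broadly scoped token.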
diff --git a/docs/cnspec/saas/google_workspace.md b/docs/cnspec/saas/google_workspace.md
new file mode 100644
index 000000000..4244a72a6
--- /dev/null
+++ b/docs/cnspec/saas/google_workspace.md
@@ -0,0 +1,195 @@
+---
+title: Assess Google Workspace Security with cnspec
+sidebar_label: Google Workspace
+sidebar_position: 3
+displayed_sidebar: cnspec
+description: Set up cnspec to perform security scans of Google Workspace
+---
+
+Rely on cnspec to audit and enforce policy for your Google Workspace environment.
+
+## Configure access to the Google Workspace API
+
+:::note
+
+These steps for configuring [Admin SDK API](https://developers.google.com/admin-sdk) access to your
+Google Workspace environment rely on Google Cloud (GCP) even if you aren't otherwise using GCP.
+
+:::
+
+1. [Create a Google Workspace service account](https://support.google.com/a/answer/7378726).
+ - In addition to the APIs that Google requires, also enable:
+ - Cloud Identity API
+ - Google Drive API
+ - After creating the service account, be sure to record the **Unique ID** on the details page. This is the Client ID to use in the next step.
+ - Be sure to download and protect the JSON credentials file.
+2. Log into the [Google Workspace Admin Portal](https://admin.google.com).
+
+3. In the left-side navigation, select **Security -> Access and data controls -> API controls**.
+
+4. Select [**Domain-wide Delegation**](https://developers.google.com/workspace/guides/create-credentials#delegate_domain-wide_authority_to_your_service_account) and then select **Add new**.
+
+5. For the **Client ID** enter the **Unique ID** of the service account you created.
+
+6. Paste this comma-delimited list to add all 16 read-only OAuth scopes:
+
+ ```text
+ https://www.googleapis.com/auth/admin.chrome.printers.readonly,https://www.googleapis.com/auth/admin.directory.customer.readonly,https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/admin.directory.user.alias.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.userschema.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.reports.usage.readonly,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/cloud-identity.groups.readonly
+ ```
+
+7. In the [Google Workspace Admin Portal](https://admin.google.com), navigate to **Account -> Account Settings** and record the **Customer ID**.
+
+To test proper configuration, use the cnspec shell to run a sample query:
+
+```text
+cnspec shell google-workspace --customer-id 5amp13iD --impersonated-user-email admin@domain.com --credentials-path /home/user/my-project-6646123456789.json
+```
+
+| For... | Substitute... |
+| --------------------------- | ----------------------------------------------------------- |
+| `--impersonated-user-email` | The email address of a user that has super admin privileges |
+| `--credentials-path` | The path to the downloaded JSON credentials file |
+
+cnspec returns results similar to these:
+
+```coffee
+cnspec> googleworkspace.users
+googleworkspace.users: [
+ 0: {
+ primaryEmail: "alice@smith.family"
+ }
+ 1: {
+ primaryEmail: "betty@smith.family"
+ }
+ ....
+```
+
+If you prefer, you can use any of these environment variables to provide the credentials file. They're listed in order of precedence:
+
+- `GOOGLE_APPLICATION_CREDENTIALS`
+- `GOOGLEWORKSPACE_CREDENTIALS`
+- `GOOGLEWORKSPACE_CLOUD_KEYFILE_JSON`
+- `GOOGLE_CREDENTIALS`
+
+:::note
+
+If any of the variables above and the `--credentials-path` parameter are both present, the environment variable takes precedence.
+
+:::
+
+```text
+$ export GOOGLEWORKSPACE_CLOUD_KEYFILE_JSON=/home/user/my-project-6646123456789.json
+$ cnspec shell google-workspace --customer-id 5amp13iD --impersonated-user-email admin@domain.com
+ ___ _ __ ___ _ __ ___ ___
+ / __| '_ \/ __| '_ \ / _ \/ __|
+| (__| | | \__ \ |_) | __/ (__
+ \___|_| |_|___/ .__/ \___|\___|
+ mondoo™ |_|
+cnspec> googleworkspace.users
+googleworkspace.users: [
+ 0: {
+ primaryEmail: "alice@smith.family"
+ }
+ 1: {
+ primaryEmail: "betty@smith.family"
+ }
+ ....
+```
+
+## Example queries and checks
+
+Display details for the first user in the workspace:
+
+```coffee
+cnspec> googleworkspace.users[0]{ * }
+googleworkspace.users[0]: {
+ isMailboxSetup: true
+ familyName: "Smith"
+ suspensionReason: ""
+ recoveryEmail: ""
+ archived: false
+ aliases: []
+ isAdmin: false
+ lastLoginTime: 2023-01-03 20:45:12 +0000 UTC
+ agreedToTerms: true
+ suspended: false
+ isEnrolledIn2Sv: false
+ fullName: "Alice Smith"
+ recoveryPhone: ""
+ primaryEmail: "alice@smith.family"
+ givenName: "Alice"
+ id: "1182761XXXXXXXXX"
+ tokens: [
+ 0: googleworkspace.token displayText="iOS Account Manager"
+ 1: googleworkspace.token displayText="Facetune2"
+ 2: googleworkspace.token displayText="YouTube on TV"
+ 3: googleworkspace.token displayText="Discord"
+ 4: googleworkspace.token displayText="Google Chrome"
+ 5: googleworkspace.token displayText="Epic Games, Inc."
+ 6: googleworkspace.token displayText="the-game-awards"
+ ]
+ creationTime: 2021-11-30 04:31:25 +0000 UTC
+ isEnforcedIn2Sv: false
+ usageReport: googleworkspace.report.usage id = googleworkspace.report.usage/C013XXXXXX/118276124783XXXXXXXXX/2023-01-03
+}
+```
+
+Notice that `usageReport` is listed in this example output. This provides access to several reports with more useful user data that you can also check.
+
+For example, this retrieves the first user in the workspace's account usage data:
+
+```coffee
+cnspec> googleworkspace.users[0].usageReport.account
+googleworkspace.users[0].usageReport.account: {
+ adminSetName: "Alice Smith"
+ driveUsedQuotaInMb: 231.000000
+ gmailUsedQuotaInMb: 39.000000
+ is2SvEnforced: false
+ isDisabled: false
+ isLessSecureAppsAccessAllowed: false
+ isS2SvEnrolled: false
+ isSuperAdmin: false
+ passwordLengthCompliance: "COMPLIANT"
+ passwordStrength: "STRONG"
+ usedQuotaInMb: 270.000000
+}
+```
+
+You can also create checks against the Google Workspace data.
+
+This checks assures all users have passwords that Google considers strong and compliant:
+
+```coffee
+googleworkspace.users{
+ usageReport.account {
+ _['passwordStrength'] == "STRONG"
+ _['passwordLengthCompliance'] == "COMPLIANT"
+ }
+}
+```
+
+Example response data:
+
+```coffee
+googleworkspace.users: [
+ 0: {
+ usageReport.account: {
+ [passwordLengthCompliance] == "COMPLIANT": true
+ [passwordStrength] == "STRONG": true
+ }
+ }
+ 1: {
+ usageReport.account: {
+ [passwordLengthCompliance] == "COMPLIANT": true
+ [passwordStrength] == "STRONG": true
+ }
+ }
+```
+
+## Learn more
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+
+- For more information, explore the complete [Mondoo Google Workspace Resource Pack Reference](/mql/resources/google-workspace-pack/).
+
+---
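Review bot: Step 6 says to paste "all 16 read-only OAuth scopes", but the list holds 17 entries and one of them, `https://www.googleapis.com/auth/admin.directory.user.security`, has no `.readonly` suffix. These scopes are granted through domain-wide delegation to a service account that impersonates a user with super admin privileges, so correct the count and either drop that scope or explain why a scope that is not read-only is required. The substitution table covers `--impersonated-user-email` and `--credentials-path` but not `--customer-id`, even though step 7 has the reader record the Customer ID. "This checks assures" should read "This check ensures".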
diff --git a/docs/cnspec/saas/ms365.md b/docs/cnspec/saas/ms365.md
new file mode 100644
index 000000000..b6a4aee3d
--- /dev/null
+++ b/docs/cnspec/saas/ms365.md
@@ -0,0 +1,144 @@
+---
+title: Assess Microsoft 365 Security with cnspec
+sidebar_label: Microsoft 365
+displayed_sidebar: cnspec
+sidebar_position: 4
+description: Use cnspec to assess Microsoft 365 for security misconfigurations
+image: /img/featured_img/mondoo-365.jpg
+---
+
+cnspec assesses your Microsoft 365 environment for misconfigurations that put your organization at risk. You can scan your Microsoft 365 organization for compliance with security policies created by Mondoo or the community, or [create your own policies](/cnspec/cnspec-policies/write/). You also can write individual tests to run on the fly or include in automated tasks.
+
+cnspec can test any aspect of your Microsoft 365 configuration. For a list of Microsoft 365 resources you can test, read [Mondoo Microsoft 365 (MS365) Resource Pack Reference](/mql/resources/ms365-pack/) and [Mondoo Core Resource Pack Reference](/mql/resources/core-pack/).
+
+## Connect cnspec with your Microsoft 365 environment
+
+### Requirements
+
+To test your Microsoft 365 environment with cnspec, you must have:
+
+- [cnspec installed on your workstation](/cnspec/).
+- A [Microsoft 365 subscription](https://www.microsoft.com/en-us/microsoft-365)
+
+### Log into Microsoft 365
+
+cnspec relies on the Microsoft Graph API to collect the data it needs. To give cnspec permission to access this data, you must create a registered app in Azure. To learn how to register and configure the app, read [Secure Microsoft 365 with Mondoo](Register an Azure app: /platform/infra/saas/ms365/ms365-auto/).
+
+After registering the App, the method you choose for scanning depends on your goals:
+
+- For widescale assessment of your Microsoft 365 infrastructure, scan using policy bundles. These collections of tests work together to present a broad picture of your Microsoft 365 security posture.
+- To run ad hoc checks against your Microsoft 365 environment, use cnspec's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnspec and learning MQL.
+
+## Assess Microsoft 365 security with policy-based scanning
+
+The Microsoft 365 Security by Mondoo policy is available to all in Mondoo's [cnspec-policies GitHub repo](https://github.com/mondoohq/cnspec-policies/tree/main/core). This collection of tests evaluates how well your environment follows fundamental Microsoft 365 security best practices. It checks for misconfigurations across your entire Microsoft 365 infrastructure.
+
+:::note
+
+In all commands, if you have a secret key but not a certificate, you can just provide the client secret:
+
+```bash
+--client-secret 'SECRET'
+```
+
+instead of providing a PEM certificate.
+
+:::
+
+To scan your infrastructure based on a single policy:
+
+```bash
+cnspec run ms365 -c 'microsoft.policies.identitySecurityDefaultsEnforcementPolicy["isEnabled"] == false' --certificate-path certificate.combo.pem --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID
+```
+
+To scan the entire directory using the available default policies:
+
+```bash
+cnspec scan ms365 --certificate-path certificate.combo.pem --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID
+```
+
+cnspec follows these steps to load policies on which it bases the scan:
+
+- cnspec tries to read a config file, mondoo.yml, which includes the certificate and private key for authenticating with Mondoo Platform. If it finds the config, it loads the policies enabled for the Microsoft 365 integration in the Mondoo space this environment belongs to. You can enter `cnspec status` to see if the config file exists and cnspec is registered.
+
+- If there is no config file (you have not registered cnspec or you've removed the mondoo.yml file), then cnspec loads Mondoo's open source policies and scans based on those.
+
+:::info
+
+If cnspec is registered but you want to use the open source policies (and not share results with Mondoo Platform), you can scan in incognito mode:
+
+```bash
+cnspec scan ms365 --certificate-path certificate.combo.pem --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID --incognito
+```
+
+:::
+
+You can also specify a particular policy bundle. cnspec uses only the bundle you specify:
+
+```bash
+cnspec scan ms365 --certificate-path certificate.combo.pem --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID --policy-bundle mondoo-ms365-security.mql.yaml
+```
+
+You can also create your own policies to meet your specific needs. To learn more about policies, read [Policies](/cnspec/cnspec-policies/).
+
+## Test Microsoft 365 with the cnspec shell
+
+The cnspec shell is handy for quick checks and tests, or for developing your MQL skills. Its auto-complete and help features guide you in writing checks.
+
+To launch a shell into your Microsoft 365 environment, enter:
+
+```bash
+cnspec shell ms365 --certificate-path certificate.combo.pem --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID
+```
+
+### Discover capabilities with the `help` command
+
+Once inside the shell, use the `help` command to learn what Microsoft 365 resources you can test. This command lists all the Microsoft 365 resources:
+
+```coffee
+help ms365
+```
+
+To list all general Microsoft resources (not specific to Microsoft 365), enter:
+
+```coffee
+help microsoft
+```
+
+From the resulting list, you can drill down further. For example, enter this command to list all the Microsoft group resources you can test:
+
+```coffee
+help microsoft.group
+```
+
+From the resulting list, you can drill down even further. You can also learn about available Microsoft 365 resources in the [Mondoo Microsoft 365 (MS365) Resource Pack Reference](/mql/resources/ms365-pack/).
+
+### Example checks in cnspec shell
+
+Now that you know how to discover what's possible with cnspec, let's run some actual tests in the shell.
+
+This test assures that auditing security defaults are disabled:
+
+```coffee
+microsoft.policies.identitySecurityDefaultsEnforcementPolicy["isEnabled"] == false
+```
+
+This test checks that no third party integrated applications can connect to your services:
+
+```coffee
+microsoft.policies.authorizationPolicy {
+ _['defaultUserRolePermissions']['allowedToCreateApps'] == false
+}
+```
+
+### Exit the cnspec shell
+
+To exit the cnspec shell, either press `Ctrl + D` or type `exit`.
+
+## Learn more about querying Microsoft 365
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+
+- For a list of all the Microsoft 365 resources and fields you can query, read the [Mondoo Microsoft 365 (MS365) Resource Pack Reference](/mql/resources/ms365-pack/).
+
+---
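Review bot: In "Log into Microsoft 365", the link is written as `[Secure Microsoft 365 with Mondoo](Register an Azure app: /platform/infra/saas/ms365/ms365-auto/)`, so the target contains the stray text "Register an Azure app: " and will not resolve; keep only the path. "To scan your infrastructure based on a single policy" introduces a `cnspec run ms365 -c` command that evaluates one check, not a policy. That check, repeated in the shell section as "This test assures that auditing security defaults are disabled", asserts `["isEnabled"] == false` for `identitySecurityDefaultsEnforcementPolicy`; state why disabled is the expected value, otherwise readers copy a check that passes when security defaults are off. The note offering `--client-secret 'SECRET'` puts the secret on the command line, where it lands in shell history; mention an environment-variable or prompt alternative if cnspec offers one.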
diff --git a/docs/cnspec/saas/okta.md b/docs/cnspec/saas/okta.md
new file mode 100644
index 000000000..ef5bd3072
--- /dev/null
+++ b/docs/cnspec/saas/okta.md
@@ -0,0 +1,203 @@
+---
+title: Assess Okta Security with cnspec
+sidebar_label: Okta
+sidebar_position: 5
+displayed_sidebar: cnspec
+description: Secure and enforce policy for Okta
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Rely on cnspec to enforce policy for your Okta domain, including users, groups, policies, rules, applications and more.
+
+## Configure access to Okta
+
+Create an Okta [API token](https://developer.okta.com/docs/guides/create-an-api-token/create-the-token/). Carefully record the API token and your Okta domain.
+
+:::note
+
+Okta API tokens have a [fixed expiration period of 30 days](https://developer.okta.com/docs/guides/create-an-api-token/main/#token-expiration).
+
+:::
+
+Test access using the cnspec shell in a terminal. If your domain includes '-admin', you must remove it when specifying the organization to cnspec. For example, if your Okta URL is 'dev-22556123-admin.okta.com', specify your organization as 'dev-22556123.okta.com'.
+
+```bash
+$ cnspec shell okta --organization dev-22556123.okta.com --token
+ ___ _ __ ___ _ __ ___ ___
+ / __| '_ \/ __| '_ \ / _ \/ __|
+| (__| | | \__ \ |_) | __/ (__
+ \___|_| |_|___/ .__/ \___|\___|
+ mondoo™ |_|
+...
+cnspec> okta.organization{ * }
+okta.organization: {
+ address2: ""
+ subdomain: "dev-22556123"
+ created: 2023-01-19 19:35:32 +0000 UTC
+ lastUpdated: 2023-01-19 19:35:38 +0000 UTC
+ country: ""
+ status: "ACTIVE"
+ website: "https://developer.okta.com"
+ endUserSupportHelpURL: ""
+ state: ""
+ address1: ""
+ city: ""
+ phoneNumber: ""
+ expiresAt: null
+ supportPhoneNumber: ""
+ postalCode: ""
+ companyName: "okta-dev-22556123"
+ id: ""
+}
+```
+
+You can also use the `OKTA_CLIENT_TOKEN` environment variable, which makes the `--token` parameter optional. Note that if both are present, the `OKTA_CLIENT_TOKEN` environment variable takes precedence.
+
+```bash
+$ export OKTA_CLIENT_TOKEN='00zr0k74_-s5mp13t0k3n'
+$ cnspec shell okta --organization dev-22556123.okta.com
+```
+
+:::info
+
+Want a place to experiment? Okta makes it easy to obtain Developer Accounts. Sign up at [developer.okta.com/signup](https://developer.okta.com/signup/).
+
+:::
+
+## Example queries and checks
+
+### Query users
+
+Example query:
+
+```coffee
+okta.users{
+ profile
+ status
+ lastUpdated
+ credentials['provider']['name']
+}
+```
+
+Example shell output:
+
+```coffee
+okta.users: [
+ 0: {
+ status: "PROVISIONED"
+ profile: &map[email:suki@lunalectric.com firstName:Suki lastName:Mbeze login:suki@lunalectric.com mobilePhone: secondEmail:]
+ lastUpdated: 2023-01-20 23:49:58 +0000 UTC
+ credentials[provider][name]: "OKTA"
+ }
+ 1: {
+ status: "PROVISIONED"
+ profile: &map[email:alice@lunalectric.com firstName:Alice lastName:Freedman login:alice@lunalectric.com mobilePhone: secondEmail:]
+ lastUpdated: 2023-01-20 23:49:41 +0000 UTC
+ credentials[provider][name]: "OKTA"
+ }
+ 2: {
+ status: "RECOVERY"
+ profile: &map[email:ben@lunalectric.com firstName:Ben lastName:Pesoa login:ben@lunalectric.com mobilePhone: secondEmail:]
+ lastUpdated: 2023-01-19 20:14:53 +0000 UTC
+ credentials[provider][name]: "OKTA"
+ }
+]
+
+```
+
+### Audit applications
+
+This query will output the name, status, label, and sign-on mode for each configuration application:
+
+```coffee
+okta.applications {
+ status
+ name
+ label
+ signOnMode
+}
+```
+
+Example shell output:
+
+```coffee
+okta.applications: [
+ 0: {
+ status: "ACTIVE"
+ name: "saasure"
+ label: "Okta Admin Console"
+ signOnMode: "OPENID_CONNECT"
+ }
+ 1: {
+ status: "ACTIVE"
+ name: "okta_end_user"
+ label: "Okta Dashboard"
+ signOnMode: "OPENID_CONNECT"
+ }
+ 2: {
+ status: "ACTIVE"
+ name: "okta_browser_plugin"
+ label: "Okta Browser Plugin"
+ signOnMode: "OPENID_CONNECT"
+ }
+ 3: {
+ status: "ACTIVE"
+ name: "dev-22556257_pagerduty_1"
+ label: "PagerDuty"
+ signOnMode: "AUTO_LOGIN"
+ }
+]
+```
+
+### Audit all access policies to ensure they're active
+
+This query finds all access policies. For each access policy found, cnquery returns the name, priority, and status. It asserts that each rule's status should be active:
+
+```coffee
+okta.policies{
+ accessPolicy {
+ name
+ priority
+ status
+ rules {
+ status == "ACTIVE"
+ }
+ }
+}
+```
+
+Example output:
+
+```coffee
+okta.policies: {
+ accessPolicy: [
+ 0: {
+ status: "ACTIVE"
+ rules: [
+ 0: {
+ status == "ACTIVE": true
+ }
+ ]
+ name: "Okta Admin Console"
+ priority: 1
+ }
+ 1: {
+ status: "ACTIVE"
+ rules: [
+ 0: {
+ status == "ACTIVE": true
+ }
+ ]
+ name: "Default Policy"
+ priority: 1
+ }
+....
+```
+
+## Learn more
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+
+- To learn about all the Okta resources and properties you can query, read the [Mondoo Okta Resource Pack Reference](/mql/resources/okta-pack/).
+
+---
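Review bot: The first example runs `cnspec shell okta --organization dev-22556123.okta.com --token` with no value after `--token`; add a placeholder such as `TOKEN`, as the supported-targets table does, or lead with the `OKTA_CLIENT_TOKEN` form so the token stays off the command line and out of shell history. The access-policies section says "cnquery returns the name, priority, and status" on a cnspec page, and "each configuration application" should read "each configured application". The two API token links point at different Okta guide paths (`create-the-token/` and `main/#token-expiration`); use one consistently.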
diff --git a/docs/cnspec/saas/slack.md b/docs/cnspec/saas/slack.md
new file mode 100644
index 000000000..08310352f
--- /dev/null
+++ b/docs/cnspec/saas/slack.md
@@ -0,0 +1,175 @@
+---
+title: Asses Slack Security with cnspec
+sidebar_label: Slack
+sidebar_position: 6
+displayed_sidebar: cnspec
+description: Secure and enforce policy for your Slack workspaces
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Rely on cnspec to secure and enforce policy for your Slack workspaces. Unlock the powerful data available in the Slack API with the ease of MQL.
+
+## Configure access to a Slack organization
+
+Access to the Slack API requires an [Access Token](https://api.slack.com/authentication/token-types). We recommend using a bot token.
+
+1. As a workspace administrator, [create an app](https://api.slack.com/apps): Select the **Create an App** button and then select **From Scratch**.
+2. Specify an app name (we recommend **Mondoo**) and select the appropriate workspace.
+3. Select **Create App**.
+4. In the left-side navigation, select **OAuth & Permissions**.
+5. Scroll to **Scopes**. Under **User Token Scopes**, add these scopes:
+
+ - **admin**: (This permission is required to view access logs. For details, read [scopes: admin](https://api.slack.com/scopes/admin).)
+ - **channels:read**
+ - **groups:read**
+ - **im:read**
+ - **mpim:read**
+ - **team:read**
+ - **usergroups:read**
+ - **users:read**
+
+6. Scroll to **OAuth Tokens for Your Workspace** and select **Install to Workspace**. Once you authorize the app, Slack provides a token. Copy the token; you need it to retrieve data from Slack.
+
+Now you can test using the cnspec shell:
+
+```bash
+$ cnspec shell slack --token
+ ___ _ __ ___ _ __ ___ ___
+ / __| '_ \/ __| '_ \ / _ \/ __|
+| (__| | | \__ \ |_) | __/ (__
+ \___|_| |_|___/ .__/ \___|\___|
+ mondoo™ |_|
+cnspec> slack.team
+slack.team: {
+ domain: "mondoo"
+ id: "T030KKBABCDE"
+}
+
+```
+
+You can also use the `SLACK_TOKEN` environment variable, which makes the `--token` parameter optional. Note that if both are present, the `SLACK_TOKEN` environment variable takes precedence.
+
+```bash
+$ export SLACK_TOKEN=xoxb-3014687468594-456546543219-5ampl3.70ck3n
+$ cnspec shell slack
+ ___ _ __ ___ _ __ ___ ___
+ / __| '_ \/ __| '_ \ / _ \/ __|
+| (__| | | \__ \ |_) | __/ (__
+ \___|_| |_|___/ .__/ \___|\___|
+ mondoo™ |_|
+cnspec> slack.team
+slack.team: {
+ domain: "mondoo"
+ id: "T030KKBABCDE"
+}
+
+```
+
+## Example queries and checks
+
+### Users
+
+Here is an example of all the data available for a single user:
+
+```coffee
+> slack.users[1]{ \* }
+> slack.users.list[1]: {
+> profile: {
+
+ displayName: ""
+ displayNameNormalized: ""
+ email: "suki@lunalectric.io"
+ firstName: "Suki"
+ lastName: "Mbeze"
+ phone: ""
+ realName: "Suki Mbeze"
+ realNameNormalized: "Suki Mbeze"
+ skype: ""
+ statusExpiration: "1969-12-31T16:00:00-08:00"
+ team: "T030KKBUGHG"
+ title: ""
+
+}
+timeZoneOffset: -28800
+isBot: false
+isInvitedUser: false
+deleted: false
+name: "suki"
+enterpriseUser: null
+isUltraRestricted: false
+id: "U030KL5BMDH"
+presence: ""
+hasFiles: false
+timeZone: "America/Los_Angeles"
+teamId: "T030KKBUGHG"
+isAdmin: true
+has2FA: false
+locale: "en-US"
+realName: "Suki Mbeze"
+isStranger: false
+isAppUser: false
+isOwner: true
+isRestricted: false
+timeZoneLabel: "Pacific Standard Time"
+isPrimaryOwner: true
+color: "9f69e7"
+}
+```
+
+You can create a policy to ensure that all users have 2FA enabled:
+
+```coffee
+slack.users{
+ has2FA == true
+}
+```
+
+You can also return the user's `realName` in the results if the `has2FA` value is not true.
+
+```coffee
+slack.users{
+ if ( has2FA != true ){
+ has2FA == true
+ realName
+ }
+}
+```
+
+### Conversations (channels)
+
+The `conversations` resource lets you inspect channels and direct message metadata.
+
+Suppose you want to ensure all channels have a set purpose. You can write this policy:
+
+```coffee
+slack.conversations.where( isChannel == true ){
+ name
+ purpose['value'] != ""
+}
+```
+
+Example result:
+
+```coffee
+slack.conversations.where: [
+ 0: {
+ name: "general"
+ purpose[value] != null: true
+ }
+ 1: {
+ name: "introductions"
+ purpose[value] != null: true
+ }
+ 2: {
+ name: "announcements"
+ purpose[value] != null: false
+ }
+```
+
+## Learn more
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+
+- Explore the complete [Mondoo Slack Resource Pack Reference](/mql/resources/slack-pack/).
+
+---
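Review bot: The setup steps contradict the token recommendation: the intro says "We recommend using a bot token", but step 5 tells the reader to add the scopes under **User Token Scopes**, and the list starts with the broad `admin` scope. Say which token type the scopes belong to. Since `admin` is described as required only to view access logs, note that readers who do not query access logs can leave it out. Smaller items in the same file: the front-matter title reads "Asses" (should be "Assess"); `cnspec shell slack --token` is shown with no token value or placeholder; the `slack.users[1]{ \* }` sample has stray `>` prefixes, an escaped asterisk and lost indentation; and the conversations result prints `purpose[value] != null` and has no closing `]`, while the query above it checks `purpose['value'] != ""`.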
diff --git a/docs/cnspec/supplychain/docker.md b/docs/cnspec/supplychain/docker.md
new file mode 100644
index 000000000..236de6de1
--- /dev/null
+++ b/docs/cnspec/supplychain/docker.md
@@ -0,0 +1,55 @@
+---
+title: Assess Docker Image Security with cnspec
+sidebar_label: Docker
+sidebar_position: 1
+displayed_sidebar: cnspec
+description: This page provides an overview of how to use Mondoo to scan Docker images for security vulnerabilities.
+image: /img/featured_img/mondoo-docker.jpg
+---
+
+Use cnspec to scan Docker images and containers for security misconfigurations, CVEs, and end of life operating systems using the built in Mondoo security policies or your own custom policies.
+
+![Docker Image Scan](/img/platform/infra/supply/docker-image-scan.png)
+
+## Docker images
+
+Use cnspec to scan Docker images in public or private container registries using their registry name:
+
+```bash
+cnspec scan docker ubuntu:latest
+cnspec scan docker elastic/elasticsearch:7.2.0
+cnspec scan docker gcr.io/google-containers/ubuntu:22.04
+cnspec scan docker registry.access.redhat.com/ubi8/ubi
+```
+
+If the Docker agent is installed, you can scan images by their id:
+
+```bash
+cnspec scan docker docker-image-id
+```
+
+## Docker containers
+
+Scan a running or stopped Docker container by the container ID:
+
+```bash
+cnspec scan docker docker-container-id
+```
+
+:::note
+
+You can only scan Docker containers if the Docker engine is installed.
+
+:::
+
+## Manage cnspec providers for containers
+
+_Providers_ are the components of cnspec that allow it to evaluate specific platforms. To learn how to manage cnspec providers most efficiently for containers, read [Manage cnspec Providers](/cnspec/cnspec-adv-install/providers/).
+
+## Learn more
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+
+- Explore [Mondoo's Docker resources](/mql/resources/os-pack/).
+
+---
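Review bot: The prerequisite is named inconsistently between the two sections: scanning by image id says "If the Docker agent is installed", while the container note says "if the Docker engine is installed". Use one term in both places (the note's "Docker engine" reads as the intended one). In the intro, "end of life operating systems" and "built in" should be hyphenated, and `docker-image-id` / `docker-container-id` would be clearer if marked as placeholders rather than looking like literal arguments.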
diff --git a/docs/cnspec/supplychain/packer.md b/docs/cnspec/supplychain/packer.md
new file mode 100644
index 000000000..1560de6d0
--- /dev/null
+++ b/docs/cnspec/supplychain/packer.md
@@ -0,0 +1,81 @@
+---
+title: Assess HashiCorp Packer Machine Image Security with cnspec
+sidebar_label: Packer
+sidebar_position: 2
+displayed_sidebar: cnspec
+description: This page provides an overview of how to use cnspec to build secure base images with HashiCorp Packer.
+image: /img/featured_img/mondoo-packer.jpg
+---
+
+Mondoo maintains an [open source plugin](https://github.com/mondoohq/packer-plugin-cnspec) for HashiCorp Packer for securing and validating machine images.
+
+# Install Packer Plugin cnspec
+
+## Using the `packer init` command
+
+Starting from version 1.7, Packer supports a new `packer init` command allowing automatic installation of Packer plugins. Read the [Packer documentation](https://developer.hashicorp.com/packer/docs/commands/init) for more information.
+
+To install this plugin, copy and paste this code into your Packer configuration . Then, run `packer init`.
+
+```hcl
+packer {
+ required_plugins {
+ mondoo = {
+ version = ">= 0.3.0"
+ source = "github.com/mondoohq/mondoo"
+ }
+ }
+}
+```
+
+#### Manual installation
+
+You can find pre-built binary releases of the plugin [here](https://github.com/mondoohq/packer-plugin-cnspec/releases).
+
+Once you have downloaded the latest archive corresponding to your target OS, uncompress it to retrieve the plugin binary file corresponding to your platform. To install the plugin, please follow the Packer documentation on
+[installing a plugin](https://developer.hashicorp.com/packer/docs/plugins#installing-plugins).
+
+### Build from source
+
+If you prefer to build the plugin from sources, clone the GitHub repository locally and run the command `go build` from the root directory. Upon successful compilation, a `packer-plugin-cnspec` plugin binary file can be found in the root directory. To install the compiled plugin, please follow the official Packer documentation on [installing a plugin](https://developer.hashicorp.com/packer/docs/plugins#installing-plugins).
+
+## Configuration
+
+| **Name** | **Description** | **Type** | **Default** | **Required** |
+| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | ----------- | ------------ |
+| `annotations` | Custom annotations can be applied to Packer build assets to provide additional metadata for asset tracking. | `map of strings` | None | No |
+| `asset_name` | Overwrite the asset name in Mondoo Platform. | `string` | None | No |
+| `on_failure` | Set `on_failure = "continue"` to ignore build failures that do not meet any set `score_threshold`. | `string` | None | No |
+| `score_threshold` | Set a score threshold for Packer builds `[0-100]`. Any scans that fall below the `score_threshold` will fail unless `on_failure = "continue"`. | `int` | None | No |
+| `sudo` | Use sudo to elevate permissions when running scans. | `bool` | None | No |
+| `mondoo_config_path` | The path to the configuration to be used when running Mondoo scans. If left empty, cnspec tries to determine the config automatically. | `string` | None | No |
+
+### Example: Complete configuration
+
+```hcl
+ provisioner "mondoo" {
+ on_failure = "continue"
+ score_threshold = 85
+ mondoo_config_path = "/etc/mondoo-config.json"
+ asset_name = "example-secure-base-image"
+ sudo {
+ active = true
+ }
+
+ annotations = {
+ Source_AMI = "{{ .SourceAMI }}"
+ Creation_Date = "{{ .SourceAMICreationDate }}"
+ }
+ }
+}
+```
+
+## Learn more
+
+- AWS users can [build secure AMIs with Mondoo and Packer](/cnspec/cnspec-aws/cnspec-aws-packer/).
+
+- Google Cloud users can [build secure VMs with Mondoo and Packer](/cnspec/cnspec-gcp/cnspec-gcp-packer)
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+
+---
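Review bot: The "Complete configuration" example does not agree with the table above it and is not balanced as written: the table documents `sudo` as a `bool`, but the example uses a block (`sudo { active = true }`), and the final `}` has no matching opening brace in the snippet. Either show the enclosing block or drop the extra brace, and make the `sudo` type in the table match the example. The example also pairs `score_threshold = 85` with `on_failure = "continue"`, which per the table ignores builds that miss the threshold; add a sentence saying so, so readers do not copy a gate that never fails the build. In the install snippet, the plugin is declared as `mondoo` with source `github.com/mondoohq/mondoo`, while the page links and builds `packer-plugin-cnspec`; please confirm the source address. Heading levels jump from `#` to `##` to `####` to `###`, and "Packer configuration ." has a stray space before the period.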
diff --git a/docs/cnspec/supplychain/registry/_category_.json b/docs/cnspec/supplychain/registry/_category_.json
new file mode 100644
index 000000000..5d8ce14d3
--- /dev/null
+++ b/docs/cnspec/supplychain/registry/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Container Registries",
+ "position": 9
+}
diff --git a/docs/cnspec/supplychain/registry/_providers-note.mdx b/docs/cnspec/supplychain/registry/_providers-note.mdx
new file mode 100644
index 000000000..d3f3de769
--- /dev/null
+++ b/docs/cnspec/supplychain/registry/_providers-note.mdx
@@ -0,0 +1,5 @@
+:::note
+
+_Providers_ are the components of cnspec that allow it to evaluate specific platforms. To learn how to manage cnspec providers most efficiently for containers, read [Manage cnspec Providers](/cnspec/cnspec-adv-install/providers/).
+
+:::
diff --git a/docs/cnspec/supplychain/registry/aws_ecr.md b/docs/cnspec/supplychain/registry/aws_ecr.md
new file mode 100644
index 000000000..82099c2f1
--- /dev/null
+++ b/docs/cnspec/supplychain/registry/aws_ecr.md
@@ -0,0 +1,270 @@
+---
+title: Discover and Scan Elastic Container Registry (ECR) Images
+sidebar_label: Elastic Container Registry (ECR)
+sidebar_position: 2
+displayed_sidebar: cnspec
+description: This page provides an overview of how to use Mondoo to scan Elastic Container Registry for vulnerabilities in your containers.
+image: /img/featured_img/mondoo-aws.jpg
+---
+
+The [Amazon Elastic Container Registry](https://aws.amazon.com/ecr/) allows you to store container images within AWS. To learn about the AWS container registry, read the [Getting Started Guide](https://aws.amazon.com/ecr/getting-started/) in the AWS documentation.
+
+When it scans an AWS account, cnspec can automatically discover and scan all ECR images in the account.
+
+
+import Partial from "./_providers-note.mdx";
+
+{" "}
+
+## Prerequisites
+
+Ensure you have your AWS credentials configured properly:
+
+```bash
+$ cat ~/.aws/credentials
+
+[default]
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+
+[mondoo]
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+```
+
+If you want to use a specific profile, set `AWS_PROFILE`
+
+```bash
+export AWS_PROFILE=mondoo
+```
+
+You can also set the region:
+
+```bash
+export AWS_REGION=us-east-1
+```
+
+## Scan
+
+After we completed the login, cnspec can scan the registry:
+
+```bash
+$ cnspec scan aws --discover ecr
+→ loaded configuration from /Users/letha/.config/mondoo/mondoo.yml using source default
+→ using service account credentials
+→ discover related assets for 1 asset(s)
+→ synchronize assets
+
+ luna-mars@sha256:ad2e043042a33820554not396437ca2adcfee710e1022real058c7f2274a3d22 ━━━━━━━━━━━━━━ 100% score: B
+
+
+Asset: luna-mars@sha256:ad2e043042a33820554not396437ca2adcfee710e1022real058c7f2274a3d22
+----------------------------------------------------------------------------------------
+
+Data queries:
+os.hostname: "localhost.localdomain"
+asset.title: "Ubuntu 22.04.3 LTS, Docker Image"
+groups.where.list: []
+asset.platform: "ubuntu"
+users.where.list: [
+ 0: {
+ name: "mwezi"
+ gid: 65534
+ uid: 65534
+ home: "/mwezi-home"
+ sshkeys: []
+ shell: "/usr/sbin/mwezi"
+ sid: ""
+ authorizedkeys.list: []
+... 3 more lines ...
+command.stdout.trim: ""
+python.packages: []
+title: "Ubuntu 22.04.3 LTS, Docker Image"
+arch: "arm64"
+asset: {
+ kind: "container-image"
+ title: "Ubuntu 22.04.3 LTS, Docker Image"
+ arch: "arm64"
+ platform: "ubuntu"
+ runtime: "docker-image"
+ name: "luna-mars@sha256:ad2e043042a33820554c396437ca2adcfee710e1022ad058c7f2274a3d22d8d4"
+}
+... 1 more lines ...
+machine.chassis: {
+ manufacturer: ""
+ serial: ""
+ version: ""
+ assetTag: ""
+}
+product: ""
+machine.baseboard: {
+ version: ""
+ manufacturer: ""
+ serial: ""
+ assetTag: ""
+ product: ""
+}
+manufacturer: ""
+mount.list: []
+asset.eol.date: 2027-03-31 17:00:00 -0700 PDT
+command.stdout.trim: ""
+machine.baseboard.product: ""
+machine.bios: {
+ version: ""
+ releaseDate: ""
+ vendor: ""
+}
+packages.list: [
+ 0: {
+ version: "3.118ubuntu5"
+ name: "adduser"
+ origin: ""
+ }
+ 1: {
+ version: "2.4.11"
+ name: "apt"
+ origin: ""
+... 497 more lines ...
+services.where.list: []
+command.stdout.trim.+: "M"
+asset.arch: "arm64"
+machine.system: {
+ sku: ""
+ serial: ""
+ family: ""
+ version: ""
+ product: ""
+ uuid: ""
+ manufacturer: ""
+}
+mondoo.version: "9.14.0"
+packages.list: [
+ 0: package name="adduser" version="3.118ubuntu5"
+ 1: package name="apt" version="2.4.11"
+ 2: package name="base-files" version="12ubuntu4.4"
+ 3: package name="base-passwd" version="3.5.52build1"
+ 4: package name="bash" version="5.1-6ubuntu1"
+ 5: package name="bsdutils" version="1:2.37.2-4ubuntu3"
+ 6: package name="coreutils" version="8.32-4.1ubuntu1"
+ 7: package name="dash" version="0.5.11+git20210903+057cd650a4ed-3build1"
+ 8: package name="debconf" version="1.5.79ubuntu1"
+... 93 more lines ...
+asset.version: "22.04"
+if: "Unknown"
+"ubuntu"
+""
+kernel.modules: []
+machine.baseboard.manufacturer: ""
+version: "22.04"
+asset: {
+ build: ""
+ version: "22.04"
+ platform: "ubuntu"
+}
+platform: "ubuntu"
+
+Checks:
+✕ Fail: C 50 Ensure filesystem integrity is regularly checked
+✓ Pass: A 100 Ensure permissions on all logfiles are configured
+✓ Pass: A 100 Ensure Avahi server is stopped and not enabled
+✓ Pass: A 100 Ensure NFS and RPC are stopped and not enabled
+✓ Pass: A 100 Ensure DNS server is stopped and not enabled
+✕ Fail: B 60 Ensure audit log storage size is configured
+✓ Pass: A 100 Ensure system accounts are non-login
+✓ Pass: A 100 Ensure rsync service is stopped and not enabled
+✓ Pass: A 100 Ensure shadow group is empty
+✕ Fail: C 50 Ensure auditd is installed
+✓ Pass: A 100 Ensure SNMP server is stopped and not enabled
+✓ Pass: A 100 Ensure telnet server is stopped and not enabled
+✓ Pass: A 100 Ensure Samba is stopped and not enabled
+✕ Fail: C 50 Ensure unsuccessful unauthorized file access attempts are collected
+✕ Fail: B 60 Ensure audit logs are not automatically deleted
+✕ Fail: C 50 Ensure rsyslog Service is enabled
+✓ Pass: A 100 Ensure X Window System is not installed
+✓ Pass: A 100 Ensure root group is empty
+✕ Fail: C 50 Ensure rsyslog default file permissions configured
+✕ Fail: D 25 Ensure TCP SYN Cookies is enabled
+. Skipped: Ensure secure permissions on /etc/gshadow- are set
+✓ Pass: A 100 Ensure HTTP Proxy server is stopped and not enabled
+✕ Fail: D 25 Ensure secure ICMP redirects are not accepted
+✓ Pass: A 100 Ensure HTTP servers are stopped and not enabled
+. Skipped: Ensure secure permissions on /etc/group- are set
+✓ Pass: A 100 Ensure no known platform advisories exist
+✓ Pass: A 100 Ensure no duplicate UIDs exist
+✕ Fail: D 25 Ensure bogus ICMP responses are ignored
+✕ Fail: C 40 Ensure Advanced Intrusion Detection Environment (AIDE) is installed
+✕ Fail: D 25 Ensure ICMP redirects are not accepted
+✓ Pass: A 100 Ensure LDAP server is stopped and not enabled
+. Skipped: Ensure secure permissions on /etc/passwd- are set
+✓ Pass: A 100 Ensure sudo logging is enabled
+✓ Pass: A 100 Ensure rsh server is stopped and not enabled
+✕ Fail: D 10 Ensure address space layout randomization (ASLR) is enabled
+✓ Pass: A 100 Ensure secure permissions on /etc/gshadow are set
+✓ Pass: A 100 Ensure IMAP and POP3 server is stopped and not enabled
+! Error: Ensure successful file system mounts are collected
+✓ Pass: A 100 Ensure tftp server is stopped and not enabled
+✕ Fail: B 60 Ensure events that modify user/group information are collected
+. Skipped: Ensure journald is configured to compress large log files
+✓ Pass: A 100 Ensure default group for the root account is GID 0
+✕ Fail: B 60 Ensure session initiation information is collected
+✓ Pass: A 100 Ensure login and logout events are collected
+✓ Pass: A 100 Ensure events that modify date and time information are collected
+✕ Fail: B 60 Ensure system is disabled when audit logs are full
+✓ Pass: A 100 Ensure file deletion events by users are collected
+✓ Pass: A 100 Ensure access to the su command is restricted
+✓ Pass: A 100 Ensure DHCP server is stopped and not enabled
+✓ Pass: Platform is not end-of-life
+✓ Pass: Ensure the platform is not near or currently end-of-life
+✕ Fail: D 25 Ensure packet redirect sending is disabled
+✓ Pass: A 100 Ensure events that modify the system\'s network environment are collected
+✓ Pass: A 100 Ensure secure permissions on /etc/shadow are set
+✓ Pass: A 100 Ensure secure permissions on /etc/passwd are set
+✓ Pass: A 100 Ensure mail transfer agent is configured for local-only mode
+✓ Pass: A 100 Ensure prelink is disabled
+✓ Pass: A 100 Ensure talk server is stopped and not enabled
+✕ Fail: C 40 Ensure broadcast ICMP requests are ignored
+✓ Pass: A 100 Ensure system administrator actions (sudolog) are collected
+. Skipped: Ensure journald is configured to write logfiles to persistent disk
+. Skipped: Ensure secure permissions on /etc/shadow- are set
+✕ Fail: D 25 Ensure IP forwarding is disabled
+✕ Fail: C 50 Ensure auditing for processes that start prior to auditd is enabled
+✕ Fail: C 50 Ensure rsyslog is installed
+. Skipped: Ensure journald is configured to send logs to rsyslog
+✓ Pass: A 100 Ensure CUPS is stopped and not enabled
+✓ Pass: A 100 Ensure FTP server is stopped and not enabled
+✓ Pass: A 100 Ensure each user is a member of a group
+✓ Pass: A 100 Ensure the audit configuration is immutable
+✕ Fail: D 25 Ensure IPv6 router advertisements are not accepted
+✕ Fail: C 50 Ensure changes to system administration scope (sudoers) is collected
+✕ Fail: C 50 Ensure discretionary access control permission modification events are collected
+✓ Pass: A 100 Ensure no duplicate GIDs exist
+✕ Fail: C 50 Ensure auditd service is enabled
+✓ Pass: A 100 Ensure no duplicate group names exist
+! Error: Ensure events that modify the system\'s Mandatory Access Controls are collected
+✕ Fail: D 25 Ensure core dumps are restricted
+✕ Fail: C 50 Ensure kernel module loading and unloading is collected
+✓ Pass: A 100 Ensure no duplicate user names exist
+✓ Pass: A 100 Ensure secure permissions on /etc/group are set
+✕ Fail: C 40 Ensure suspicious packets are logged
+✕ Fail: D 25 Ensure source routed packets are not accepted
+✓ Pass: A 100 Ensure NIS server is stopped and not enabled
+✓ Pass: A 100 Ensure UID_MIN is set to 1000
+✕ Fail: D 25 Ensure Reverse Path Filtering is enabled
+✓ Pass: A 100 Ensure all GIDs in /etc/passwd exist in /etc/group
+
+Vulnerabilities:
+ ■ SCORE PACKAGE INSTALLED FIXED AVAILABLE
+ ■ 0 libpam-modules 1.4.0-11ubuntu2.3 1.5.2-6ubuntu1.1
+
+Overall CVSS score: 0.0
+
+
+Scanned 1 asset
+
+Ubuntu 22.04.3 LTS
+ B luna-mars@sha256:ad2e043042a33820554c396437ca2adcfee710e1022ad058c7f2274a3d22d8d4
+
+See more scan results and asset relationships on the Mondoo Console: https://edge.console.mondoo.com/space/fleet/2b8va6KZDNOVql0f5fLlakhZUfl?spaceId=distracted-hawking-771479
+```
+
+---
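Review bot: The partial imported with `import Partial from "./_providers-note.mdx";` is never rendered; the line after it is `{" "}` where `<Partial />` would be expected, so the providers note will not appear on this page. Under Scan, "After we completed the login" refers to a login step that Prerequisites never describes (it covers only the credentials file, `AWS_PROFILE` and `AWS_REGION`), and "set `AWS_PROFILE`" is missing its closing punctuation. The sample output shows two different digests for the same asset (`...554not396437...real058...` in the progress line and asset header, `...554c396437...ad058...d8d4` in the asset block and summary) and ends with a Mondoo Console URL that carries a `spaceId`; make the digest consistent and replace the URL with a placeholder. The output block is also long enough that trimming the checks list would help readers find the command.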
diff --git a/docs/cnspec/supplychain/registry/azure_acr.md b/docs/cnspec/supplychain/registry/azure_acr.md
new file mode 100644
index 000000000..7f269e8d1
--- /dev/null
+++ b/docs/cnspec/supplychain/registry/azure_acr.md
@@ -0,0 +1,116 @@
+---
+title: Azure Container Registry (ACR)
+sidebar_label: Azure Container Registry (ACR)
+sidebar_position: 3
+displayed_sidebar: cnspec
+description: This page provides an overview of how to use Mondoo to scan Azure Container Registry for vulnerabilities in your containers.
+image: /img/featured_img/mondoo-azure.jpg
+---
+
+The [Azure Container Registry](https://azure.microsoft.com/en-us/products/container-registry/) allows you to store container images within Azure. To learn about the Azure registry, read [Get Started Guide](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-get-started-docker-cli?tabs=azure-cli) in the Azure documentation.
+
+
+import Partial from "./_providers-note.mdx";
+
+{" "}
+
+## Prerequisite
+
+cnspec uses the configuration from [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest). Install the `az` command and log into Azure:
+
+```bash
+az login
+```
+
+Display all available registries:
+
+```bash
+$ az acr list --output table
+
+NAME RESOURCE GROUP LOCATION SKU LOGIN SERVER
+--------- ---------------- ---------- -------- --------------------
+ eastus Standard
+```
+
+List available container images:
+
+```bash
+$ az acr repository list --name --output table
+
+Result
+-----------
+centos
+hello-world
+ubuntu
+```
+
+Log into Docker to ensure the Azure CLI creates the correct docker configuration. Mondoo uses the Docker configuration to connect to Azure as well.
+
+```bash
+az acr login --name
+```
+
+## Scan
+
+Once you log in, cnspec can scan the registry:
+
+```bash
+# scan the complete registry
+$ cnspec scan container registry
+
+ → loaded configuration from /Users/suki/.config/mondoo/mondoo.yml
+Start the vulnerability scan:
+ → resolve asset connections
+ → verify platform access to 7e5330839326
+ → gather platform details
+ → detected centos 6.10
+ → gather platform packages for vulnerability scan
+ → found 129 packages
+ ✔ completed analysis for 7e5330839326
+ → verify platform access to 92c7f9c92844
+ → gather platform details
+ → detected scratch
+ → gather platform packages for vulnerability scan
+ → found 0 packages
+ ✔ completed analysis for 92c7f9c92844
+ → verify platform access to 61844ceb1dd5
+ → gather platform details
+ → detected ubuntu 19.04
+ → gather platform packages for vulnerability scan
+ → found 89 packages
+ ✔ completed analysis for 61844ceb1dd5
+Advisory Reports Overview
+ ■ SCORE NAME SCORE
+ ■ 9.8 7e5330839326 ══════════
+ ■ 0.0 92c7f9c92844 ══════════
+ ■ 0.0 61844ceb1dd5 ══════════
+```
+
+You can also scan individual repositories:
+
+```bash
+$ cnspec scan container registry /centos
+
+ → loaded configuration from /Users/suki/.config/mondoo/mondoo.yml
+Start the vulnerability scan:
+ → resolve asset connections
+ → verify platform access to 7e5330839326
+ → gather platform details
+ → detected centos 6.10
+ → gather platform packages for vulnerability scan
+ → found 129 packages
+ ✔ completed analysis for 7e5330839326
+Advisory Report ( asset 7e5330839326):
+ ■ SCORE PACKAGE INSTALLED VULNERABLE (<) AVAILABLE ADVISORY
+ ■ 9.8 python 2.6.6-66.el6_8 2.6.6-68.el6_10 2.6.6-66.el6_8 https://mondoo.app/vuln/CESA-2019%3A1467
+ ...
+ → ■ found 10 advisories: ■ 1 critical, ■ 5 high, ■ 4 medium, ■ 0 low, ■ 0 informational, ■ 0 unknown
+```
+
+To scan a specific container image, use:
+
+```bash
+cnspec scan docker mondooacr.azurecr.io/centos:6.10
+```
+
+---
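Review bot: Several commands are missing the argument the reader has to supply: `az acr repository list --name --output table`, `az acr login --name`, `cnspec scan container registry` (under the comment "scan the complete registry") and `cnspec scan container registry /centos` all lack the registry name or login server, and the `az acr list` table row has empty NAME, RESOURCE GROUP and LOGIN SERVER columns. If these were angle-bracket placeholders, use a form that survives rendering, for example a named value in the style of the last example (`mondooacr.azurecr.io/centos:6.10`). As in the other registry pages, the `Partial` import is followed by `{" "}` instead of a rendered component. "read [Get Started Guide]" is missing "the", and the section heading "Prerequisite" covers several steps.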
diff --git a/docs/cnspec/supplychain/registry/docker_hub.md b/docs/cnspec/supplychain/registry/docker_hub.md
new file mode 100644
index 000000000..f531c043f
--- /dev/null
+++ b/docs/cnspec/supplychain/registry/docker_hub.md
@@ -0,0 +1,78 @@
+---
+title: Docker Hub
+sidebar_label: Docker Hub
+sidebar_position: 5
+displayed_sidebar: cnspec
+description: This page provides an overview of how to use Mondoo to scan Docker Hub for vulnerabilities in your containers.
+image: /img/featured_img/mondoo-docker.jpg
+---
+
+The [Docker Hub](https://hub.docker.com/) is a well-known registry that lists the major public container images. To learn about the Docker Hub, read the Docker Hub [Get Started Guide](https://docs.docker.com/docker-hub/).
+
+
+import Partial from "./_providers-note.mdx";
+
+{" "}
+
+## Prerequisite
+
+Install the Docker CLI and [Log into the registry](https://docs.docker.com/engine/reference/commandline/login/):
+
+```bash
+docker login
+```
+
+## Scan
+
+Once you log in, you can run `cnspec scan` to asses security:
+
+```bash
+$ cnspec scan container registry index.docker.io/mondoolabs/mondoo
+
+ → loaded configuration from /Users/username/.config/mondoo/mondoo.yml
+Start the vulnerability scan:
+ → resolve asset connections
+ → verify platform access to cf5442b2d681
+ → gather platform details
+ → detected alpine 3.10.1
+ → gather platform packages for vulnerability scan
+ → found 38 packages
+ ✔ completed analysis for cf5442b2d681
+ → verify platform access to 23ae745857f8
+ → gather platform details
+ → detected alpine 3.10.1
+ → gather platform packages for vulnerability scan
+ → found 38 packages
+ ✔ completed analysis for 23ae745857f8
+...
+ → verify platform access to b419fd9f16ae
+ → gather platform details
+ → detected alpine 3.10.2
+ → gather platform packages for vulnerability scan
+ → found 38 packages
+ ✔ completed analysis for b419fd9f16ae
+Advisory Reports Overview
+ ■ SCORE NAME SCORE
+ ■ 0.0 331cf0232075 ══════════
+ ■ 0.0 747afbd1fb74 ══════════
+ ■ 0.0 eafc9d1d5537 ══════════
+ ■ 0.0 b419fd9f16ae ══════════
+ ■ 0.0 9b4ae77d28b6 ══════════
+ ■ 0.0 cb01bf407dc2 ══════════
+ ■ 0.0 d16b8960ff5f ══════════
+ ■ 0.0 0b811b267d65 ══════════
+ ■ 0.0 c601ebfd35b4 ══════════
+ ■ 0.0 087756d58892 ══════════
+ ■ 0.0 5a2cd2cd75f3 ══════════
+ ■ 0.0 1e6c181819f1 ══════════
+ ■ 0.0 f36d3fba0066 ══════════
+ ■ 0.0 9908ccbd6449 ══════════
+ ■ 0.0 23ae745857f8 ══════════
+ ■ 0.0 4f81f1be7364 ══════════
+ ■ 0.0 487a85aea611 ══════════
+ ■ 0.0 69bd294493a0 ══════════
+ ■ 0.0 f59925492ed6 ══════════
+ ■ 0.0 cf5442b2d681 ══════════
+```
+
+---
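Review bot: Typo in the Scan section: "run `cnspec scan` to asses security" should read "assess". The `Partial` import is followed by `{" "}` rather than a rendered component, so the providers note will not show. In Prerequisite, "[Log into the registry]" is capitalised mid-sentence. The Advisory Reports Overview lists twenty assets, most of which the log above elides with `...`; shortening the table to the assets shown in the log would keep the example consistent.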
diff --git a/docs/cnspec/supplychain/registry/gcp_gcr.md b/docs/cnspec/supplychain/registry/gcp_gcr.md
new file mode 100644
index 000000000..e3a8a4921
--- /dev/null
+++ b/docs/cnspec/supplychain/registry/gcp_gcr.md
@@ -0,0 +1,104 @@
+---
+title: Google Container Registry
+sidebar_label: Google Container Registry
+sidebar_position: 4
+displayed_sidebar: cnspec
+description: This page provides an overview of how to use Mondoo to scan Google Container Registry for vulnerabilities in your containers.
+image: /img/featured_img/mondoo-gcp.jpg
+---
+
+The [Container Registry](https://cloud.google.com/container-registry/docs) allows you to store container images within Google Cloud. To learn about the Google Cloud container registry, read the Container Registry [Get Started Guide](https://cloud.google.com/container-registry/docs).
+
+
+import Partial from "./_providers-note.mdx";
+
+{" "}
+
+## Prerequisite
+
+Install the [gcloud](https://cloud.google.com/sdk/install) command and [log in](https://cloud.google.com/sdk/gcloud/reference/auth/login) using `gcloud auth login`.
+
+Set your project:
+
+```bash
+$ gcloud config set project
+
+Updated property [core/project].
+```
+
+List all available container repositories:
+
+```bash
+$ gcloud container images list
+
+NAME
+gcr.io//
+```
+
+List the repositories' tags:
+
+```bash
+$ gcloud container images list-tags gcr.io//
+
+DIGEST TAGS TIMESTAMP
+e5dd9abc37df latest 2020-03-20T20:20:23
+a98d9dcf3a34 16.04 2020-02-21T23:22:30
+0925d0867157 18.04 2020-02-21T23:20:44
+61844ceb1dd5 19.04 2020-01-16T02:20:47
+```
+
+To authenticate with the registry, [log in with gcloud](https://cloud.google.com/container-registry/docs/advanced-authentication#standalone-helper)
+
+```bash
+gcloud auth configure-docker
+```
+
+## Scan
+
+To scan an individual repository, enter:
+
+```bash
+cnspec scan container registry gcr.io//
+
+ → loaded configuration from /Users/suki/.config/mondoo/mondoo.yml
+Start the vulnerability scan:
+ → resolve asset connections
+ → verify platform access to a98d9dcf3a34
+ → gather platform details
+ → detected ubuntu 16.04
+ → gather platform packages for vulnerability scan
+ → found 96 packages
+ ✔ completed analysis for a98d9dcf3a34
+ → verify platform access to 0925d0867157
+ → gather platform details
+ → detected ubuntu 18.04
+ → gather platform packages for vulnerability scan
+ → found 89 packages
+ ✔ completed analysis for 0925d0867157
+ → verify platform access to 61844ceb1dd5
+ → gather platform details
+ → detected ubuntu 19.04
+ → gather platform packages for vulnerability scan
+ → found 89 packages
+ ✔ completed analysis for 61844ceb1dd5
+ → verify platform access to e5dd9abc37df
+ → gather platform details
+ → detected ubuntu 18.04
+ → gather platform packages for vulnerability scan
+ → found 89 packages
+ ✔ completed analysis for e5dd9abc37df
+Advisory Reports Overview
+ ■ SCORE NAME SCORE
+ ■ 0.0 a98d9dcf3a34 ══════════
+ ■ 0.0 0925d0867157 ══════════
+ ■ 4.6 61844ceb1dd5 ══════════
+ ■ 0.0 e5dd9abc37df ══════════
+```
+
+Google Cloud also ships with non-standard extensions to search images on your project level. To use those extensions, use the `gcp gcr` provider:
+
+```bash
+cnspec scan gcp gcr
+```
+
+---
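Review bot: The project and repository placeholders are missing from the commands: `gcloud config set project` has no project id, and `gcr.io//` appears with empty path segments in the `gcloud container images list` output, in `list-tags` and in the `cnspec scan container registry` command. As written, none of these can be copied and adapted; add named placeholders that survive rendering. The scan block drops the `$` prompt the other blocks use while still mixing the command with its output, and the sentence ending "[log in with gcloud](...)" has no closing punctuation. The `Partial` import is again followed by `{" "}` instead of a rendered component.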
diff --git a/docs/cnspec/supplychain/registry/harbor.md b/docs/cnspec/supplychain/registry/harbor.md
new file mode 100644
index 000000000..c6b9aacd2
--- /dev/null
+++ b/docs/cnspec/supplychain/registry/harbor.md
@@ -0,0 +1,111 @@
+---
+title: Harbor Container Registry
+sidebar_label: Harbor Container Registry
+sidebar_position: 6
+displayed_sidebar: cnspec
+description: This page provides an overview of how to use cnspec to scan Harbor Container Registry for vulnerabilities in your containers.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+The [Harbor Registry](https://goharbor.io/) is an open source container registry. To learn how to set up the registry, read [Harbor Installation and Configuration](https://goharbor.io/docs/1.10/install-config/).
+
+
+import Partial from "./_providers-note.mdx";
+
+{" "}
+
+## Prerequisite
+
+Log into docker with your Harbor credentials. cnspec uses Docker's configuration.
+
+```bash
+docker login -u admin -p Harbor12345 harbor.lunalectric.com
+```
+
+## Individual scan
+
+> Note: If you are running Harbor with self-signed certificates, use the `--insecure` flag. It deactivates Mondoo certificate checks. We do not recommend to use a self-signed certificate in production
+
+To scan the whole registry, run:
+
+```bash
+cnspec scan container registry harbor.lunalectric.com --insecure
+```
+
+To scan an individual repository, run:
+
+```bash
+cnspec scan container registry harbor.lunalectric.com/library/centos --insecure
+```
+
+## Harbor interrogation services
+
+To complete this task, you must first [create a free Mondoo Platform account](/cnspec/cnspec-platform).
+
+1. In the Mondoo Console, create a new, separate space for the Harbor integration.
+
+2. Install Mondoo on a machine that the Harbor registry can access or a machine that runs Harbor. To learn more, read [the Linux installation instructions](/cnspec/cnspec-adv-install/linux.mdx). Register the agent with the created space
+
+3. Normal service-accounts do not have the permission to fetch report results, therefore we need to elevate the service account. Run `mondoo status` and note your service account ID.
+
+```
+$ mondoo status
+→ Hostname: mondoo-harbor.lunalectric.com
+→ IP: 192.168.178.22
+→ Platform: macos
+→ Release: 11.5.2
+...
+→ Service Account: //agents.api.mondoo.app/spaces/distracted-taussig-12345/serviceaccounts/1vCf14l6pSczU9pmhAmTmCABTk6
+→ agent is registered
+→ agent authenticated successfully
+```
+
+In the example above, the service account ID is `1vCf14l6pSczU9pmhAmTmCABTk6`.
+
+4. In the Mondoo Console, select your space -> Settings -> Service Accounts. Select the service account and set permissions to `Space Gateway Agent`.
+
+5. By default, the Mondoo service does not expose the harbor API, so you must edit the configuration file, `/etc/opt/mondoo/mondoo.yml` to match
+
+```yaml
+---
+space_mrn: //captain.api.mondoo.app/spaces/distracted-taussig-12345
+container_registries:
+ token: abc123 # change this to a random long token to secure the api
+ enable_harbor: true
+```
+
+6. Run: `mondoo serve`
+
+```bash
+mondoo serve -b https://0.0.0.0:8990
+→ loaded configuration from /Users/suki/.config/mondoo/mondoo.yml using source default
+→ enabled beta feature to scan for container registries, normal serve is deactivated
+→ use bearer token authentication token=abc123
+→ enable health check url=/Health/Check
+→ enable harbor webhook url=/harbor/
+→ enable bearer authentication
+→ start http server address=0.0.0.0:8990
+```
+
+6. Test the API:
+
+```bash
+curl -H 'Accept: application/vnd.scanner.adapter.metadata+json; version=1.0' -H 'Authorization: Bearer abc123' http://0.0.0.0:8990/harbor/api/v1/metadata
+{"scanner":{"name":"Mondoo","vendor":"Mondoo, Inc","version":"Mondoo 5.2.0 (3b16ff833, unknown)"},"capabilities":[{"consumes_mime_types":["application/vnd.oci.image.manifest.v1+json","application/vnd.docker.distribution.manifest.v2+json"],"produces_mime_types":["application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0","application/vnd.security.vulnerability.report; version=1.1"]}],"properties":{"harbor.scanner-adapter/registry-authorization-type":"Bearer","harbor.scanner-adapter/scanner-type":"os-package-vulnerability"}}
+```
+
+7. Open Harbor and configure the public IP of the machine running cnspec.
+
+![Configure Mondoo as Interrogation Services](/img/cnspec/supplychain/registry/harbor/harbor_configure_1.png)
+
+![Configure Mondoo as Interrogation Services](/img/cnspec/supplychain/registry/harbor/harbor_configure_2.png)
+
+8. Navigate to the container image you want to scan and select the scan button
+
+![Configure Mondoo as Interrogation Services](/img/cnspec/supplychain/registry/harbor/harbor_scan_1.png)
+
+![Configure Mondoo as Interrogation Services](/img/cnspec/supplychain/registry/harbor/harbor_scan_2.png)
+
+![Configure Mondoo as Interrogation Services](/img/cnspec/supplychain/registry/harbor/harbor_scan_3.png)
+
+---
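Review bot: The login example `docker login -u admin -p Harbor12345 harbor.lunalectric.com` passes the password as a command-line argument, which leaves it in shell history and the process list. Suggest showing `--password-stdin` with a placeholder, non-admin user. The note under "Individual scan" says self-signed certificates are not recommended in production, yet both scan commands carry `--insecure`; show the commands without the flag and mention it only as the exception. In the numbered steps, "6." is used twice ("Run: `mondoo serve`" and "Test the API"), so the later steps are off by one. The serve command binds `https://0.0.0.0:8990` while the test `curl` calls `http://0.0.0.0:8990`; the two should agree, preferably on TLS, since the request carries the bearer token. Step 5 says to edit `/etc/opt/mondoo/mondoo.yml`, but the sample log loads `/Users/suki/.config/mondoo/mondoo.yml`. The startup log also prints `token=abc123`, so it is worth saying how to generate the random token and that it appears in the log output.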
diff --git a/docs/cnspec/supplychain/terraform.md b/docs/cnspec/supplychain/terraform.md
new file mode 100644
index 000000000..60a2b2201
--- /dev/null
+++ b/docs/cnspec/supplychain/terraform.md
@@ -0,0 +1,418 @@
+---
+title: Assess HashiCorp Terraform Code Security with cnspec
+sidebar_label: Terraform
+sidebar_position: 3
+displayed_sidebar: cnspec
+description: This page provides an overview of how to use Mondoo alongside HashiCorp Terraform automation.
+image: /img/featured_img/mondoo-terraform.jpg
+---
+
+Mondoo is designed to scan and detect security issues and misconfigurations with Terraform (hcl) code during development process on the developer's workstation, as well as an automated step in CI/CD pipelines. Additionally, Mondoo can be configured as a post-provisioning step by scanning your infrastructure against policies as code after each Terraform apply.
+
+Mondoo's end-to-end process provides a multi-layered approach to find and fix security issues before they reach production. This page provides detailed information on how to use Mondoo alongside Terraform.
+
+### Before you begin
+
+Before you begin working with Mondoo for static analysis of Terraform code, ensure you have:
+
+- A Mondoo account (Go to [https://console.mondoo.com](https://console.mondoo.com) and sign-up for a free account).
+- cnspec [installed on your workstation](/cnspec/) and registered with Mondoo Platform.
+
+## Terraform static analysis with cnspec
+
+cnspec natively supports static analysis of Terraform (hcl) code for security misconfigurations using policy as code in Mondoo Platform. This process allows infrastructure developers responsible for writing and maintaining Terraform code for their organization to detect security issues before pushing changes to a remote repository.
+
+Static analysis of Terraform code can also be configured as a step into any CI/CD tool. This added step can be a guardrail to ensure infrastructure meets security requirements for the business.
+
+### Enable Terraform policies maintained by Mondoo
+
+Mondoo Platform has a growing list of policies for static analysis of Terraform code. Mondoo policies are developed by translating infrastructure configuration security recommendations and best practices into automated tests using MQL, and provide a solid template for developing your own policies should the need arise.
+
+Start by enabling any Terraform policies in Mondoo Platform you want to run against your Terraform code:
+
+1. Log in to [https://console.mondoo.com](https://console.mondoo.com).
+2. Navigate to **Registry**.
+3. In the **Filter policies...** box, search for "Terraform".
+4. Check the box next to any policies you want to enable, and select the **ENABLE** button.
+
+### Scan Terraform code with cnspec
+
+To scan your Terraform code with cnspec, open a terminal and run this command:
+
+```bash title="Static analysis of Terraform code with cnspec"
+cnspec scan terraform /path/to/terraform/
+```
+
+cnspec scans any `.tf` files in the specified directory and returns the results to `STDOUT` in the terminal. If you're logged into Mondoo Platform, cnspec also sends results to your Mondoo account.
+
+![Terraform Scan Report in Mondoo UI](/img/cnspec/terraform/terraform-asset.png)
+
+## Developing Terraform policies as code with Mondoo
+
+MQL provides native resources for querying Terraform code, and making checks. While detailed information on each Terraform specific resource can be found in our [MQL Reference](/mql/resources/), this section provides an overview of those resources as well as examples of translating security requirements for Terraform code into policy as code.
+
+### Overview of MQL resources for Terraform
+
+Terraform language syntax is built around two key syntax constructs: arguments and blocks. Additionally, there are a number of other constructs that Terraform provides with the language including resources, data sources, providers, and modules that are used when automating infrastructure with Terraform.
+
+MQL provides these native resources for querying Terraform code to develop checks for policies as code, and for querying using the cnspec shell:
+
+- `terraform` - Parent resource in MQL that provides a number of fields for describing Terraform code.
+- `terraform.files` - Returns a list of `terraform.file` resources of all of the Terraform files found when scanning a directory.
+- `terraform.tfvars` - Returns a dict with attributes from all `.tfvars` and `.tfvars.json` files found when scanning a directory.
+- `terraform.modules` - Returns a list of `terraform.module` resources from Terraform modules referenced throughout your Terraform code.
+- `terraform.blocks` - Returns a list of `terraform.block` resources describing any Terraform blocks within each Terraform resource.
+
+### Example: Ensure AWS S3 buckets use server-side encryption
+
+A common security configuration for AWS S3 buckets that is found in both the CIS AWS Foundations benchmark, as well as numerous AWS best practice policies is to enable server-side encryption. This configuration is optional when provisioning an S3 bucket with Terraform, but is easily tested with MQL.
+
+**Terraform S3 resource with server-side encryption**
+
+This code snippet provides an example of using Terraform to provision an S3 bucket with server-side encryption:
+
+```hcl
+
+resource "aws_kms_key" "mykey" {
+ description = "This key is used to encrypt bucket objects"
+ deletion_window_in_days = 10
+}
+
+resource "aws_s3_bucket" "my-encrypted-bucket" {
+ bucket = "my-encrypted-bucket"
+
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = aws_kms_key.mykey.arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
+}
+
+```
+
+As defined in the [Terraform documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#apply_server_side_encryption_by_default) for the `aws_s3_bucket` resource, the `server_side_encryption_configuration` argument is optional, but when used requires a `rule` object defining the SSE configuration. The example above defines an SSE rule with the argument `apply_server_side_encryption_by_default` that enables SSE by default for the bucket.
+
+**Translate policy to MQL**
+
+This code snippet provides an example of how to test Terraform code to ensure any `aws_s3_bucket` resources define a `rule` that sets the `apply_server_side_encryption_by_default` argument:
+
+```mql
+
+terraform.resources.where( nameLabel == 'aws_s3_bucket') {
+ blocks {
+ blocks.one( _.type == "rule" && _.blocks.one( type == 'apply_server_side_encryption_by_default' ))
+ }
+}
+
+```
+
+**How this query works**
+
+As Terraform projects tend to include many different Terraform resources within the same file or directory, MQL makes it easy to filter by specific resources using the `.where` built-in function so the query targets just the `aws_s3_bucket` resources:
+
+```mql
+terraform.resources.where( nameLabel == "aws_s3_bucket")
+```
+
+Filtering by `aws_s3_bucket` resources returns a list of objects that contains fields that describe the Terraform code. The `terraform.block` resource provides fields for describing blocks of code within a given resource. The code snippet above is an example of nested blocks (blocks inside of blocks) as follows:
+
+```hcl
+...
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = aws_kms_key.mykey.arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+...
+```
+
+To access the nested block, the MQL query calls the `block` field on the results from `terraform.resources.where( nameLabel == 'aws_s3_bucket')`, which returns a list of all `blocks` with each `aws_s3_bucket` resource. To illustrate this further, consider this query in cnspec Shell that shows all of the available fields for the `terraform.block` resource:
+
+```mql
+mondoo> terraform.resources.where( nameLabel == 'aws_s3_bucket') { blocks {*} }
+terraform.resources.where: [
+ 0: {
+ blocks: [
+ 0: {
+ snippet: " 6 | resource \"aws_s3_bucket\" \"mybucket\" {
+ 7 | bucket = \"mybucket\"
+ 8 |
+ 9 | server_side_encryption_configuration {
+ 10 | rule {
+ 11 | apply_server_side_encryption_by_default {
+ 12 | kms_master_key_id = aws_kms_key.mykey.arn
+"
+ start: terraform.fileposition id = file.position//tmp/terraform/s3.tf/9/3
+ type: "server_side_encryption_configuration"
+ blocks: [
+ 0: terraform.block id = terraform.block//tmp/terraform/s3.tf/10/5
+ ]
+ arguments: {}
+ nameLabel: ""
+ end: terraform.fileposition id = file.position//tmp/terraform/s3.tf/9/3
+ labels: []
+ attributes: {}
+ }
+ ]
+ }
+]
+```
+
+The results show a number of fields that can be used to refine the query, including the existence of the nested `blocks`. The query above can be further refined by accessing the nested blocks as follows:
+
+```mql
+cnspec> terraform.resources.where( nameLabel == 'aws_s3_bucket') { blocks { blocks { * } } }
+terraform.resources.where: [....................
+ 0: {
+ blocks: [
+ 0: {
+ blocks: [
+ 0: {
+ end: terraform.fileposition id = file.position//tmp/terraform/s3.tf/10/5
+ labels: []
+ snippet: " 7 | bucket = \"mybucket\"
+ 8 |
+ 9 | server_side_encryption_configuration {
+ 10 | rule {
+ 11 | apply_server_side_encryption_by_default {
+ 12 | kms_master_key_id = aws_kms_key.mykey.arn
+ 13 | sse_algorithm = \"aws:kms\"
+"
+ arguments: {}
+ nameLabel: ""
+ attributes: {}
+ type: "rule"
+ blocks: [
+ 0: terraform.block id = terraform.block//tmp/terraform/s3.tf/11/7
+ ]
+ start: terraform.fileposition id = file.position//tmp/terraform/s3.tf/10/5
+ }
+ ]
+ }
+ ]
+ }
+]
+```
+
+The output above shows the nested block contains a field labeled `type` with a value of `"rule"`. The `aws_s3_bucket` resource `server_side_encryption_configuration` argument allows for the definition of multiple rules, and any of those rules may define the `apply_server_side_encryption_by_default` argument.
+
+MQL makes it easy to check for the existence of one configuration with the `.one` built-in function. The example above uses this query:
+
+```mql
+...
+
+blocks.one( _.type == "rule" && _.blocks.one( type == 'apply_server_side_encryption_by_default' ))
+
+...
+
+```
+
+The code above checks for one block where the `type == "rule"` along with using the `&&` operator to check for a `block` that has a `type == 'apply_server_side_encryption_by_default'`. The use of `_.type` and `_.blocks.one` are constructs of MQL to loop through any `type` and `block` fields, and can be used when iterating over lists.
+
+## Terraform post-provisioning scans with cnspec
+
+Mondoo can also be used to as post-provisioning step when running `terraform apply` to run policies as code against your infrastructure. Results from scans are sent to Mondoo Platform to provide observability that infrastructure is continuously scanned for adherence to company policy.
+
+Additionally, `cnspec scan` exit statuses can be used to trigger action in the event of a failure such as sending a notification to the appropriate team.
+
+### Example 1: Post-provision scan of Digital Ocean infrastructure
+
+This Terraform snippet launches a DigitalOcean droplet with Nginx installed, and scans the infrastructure with Mondoo against any policies enabled in Mondoo Platform.
+
+```tf title="main.tf"
+terraform {
+ required_providers {
+ digitalocean = {
+ source = "digitalocean/digitalocean"
+ version = ">= 2.5.1"
+ }
+ }
+}
+
+variable "do_token" {
+ description = "value of DIGITALOCEAN_TOKEN"
+}
+
+provider "digitalocean" {
+ token = var.do_token
+}
+
+variable "private_key" {
+ description = "path to private key"
+ default = "~/.ssh/id_rsa"
+}
+
+variable "public_key" {
+ description = "path to public key"
+ default = "~/.ssh/id_rsa.pub"
+}
+
+resource "digitalocean_ssh_key" "default" {
+ name = "terraform"
+ public_key = file(var.public_key)
+}
+
+resource "digitalocean_droplet" "mywebserver" {
+ ssh_keys = [
+ digitalocean_ssh_key.default.fingerprint
+ ]
+ image = "ubuntu-18-04-x64"
+ region = "nyc1"
+ size = "s-1vcpu-1gb"
+ private_networking = true
+ backups = true
+ ipv6 = true
+ name = "sample-tf-droplet"
+
+ # The connection is required to let provisioner's know how to connect
+ connection {
+ type = "ssh"
+ host = self.ipv4_address
+ user = "root"
+ timeout = "2m"
+ private_key = file(var.private_key)
+ }
+
+ provisioner "remote-exec" {
+ inline = [
+ "export PATH=$PATH:/usr/bin",
+ "sudo apt update",
+ "sudo apt install -y nginx",
+ ]
+ }
+
+ provisioner "local-exec" {
+ command = "cnspec scan ssh root@${self.ipv4_address} -i ${var.private_key} --insecure --score-threshold 0"
+ }
+}
+```
+
+**Run terraform apply**
+
+To run the example:
+
+```bash bash title="Command Line"
+# set token for DigitalOcean
+export DIGITALOCEAN_TOKEN=d1...ef
+# run terraform
+terraform apply -var do_token=$DIGITALOCEAN_TOKEN
+```
+
+To trigger cnspec, use the `local-exec` and pass in the required arguments to connect to the machine:
+
+```tf title="main.tf"
+provisioner "local-exec" {
+ command = "cnspec scan ssh root@${self.ipv4_address} -i ${var.private_key} --insecure --score-threshold 0"
+}
+```
+
+**Run terraform destroy**
+
+You can easily destroy the setup via:
+
+```bash title="Run terraform destroy"
+terraform destroy -var do_token=$DIGITALOCEAN_TOKEN
+```
+
+### Example 2: Post-provision scan of AWS infrastructure
+
+This example illustrates the combination of Terraform & Mondoo to build and scan infrastructure in AWS. Similar to the example above, it runs `cnspec scan` as a post-provisioning step for the EC2 instance. Additionally, it also runs a scan for the AWS account itself.
+
+**Terraform configuration**
+
+```tf title="main.tf"
+resource "aws_instance" "web" {
+ # The connection block tells our provisioner how to
+ # communicate with the resource (instance)
+ connection {
+ host = coalesce(self.public_ip, self.private_ip)
+ type = "ssh"
+ user = "ubuntu"
+ timeout = "2m"
+ private_key = file(var.private_key)
+ }
+
+ instance_type = "t2.micro"
+
+ # Lookup the correct AMI based on the region as we specified
+ ami = var.aws_amis[var.aws_region]
+
+ # The name of our SSH keypair we created above.
+ key_name = aws_key_pair.auth.id
+
+ # Our Security group to allow HTTP and SSH access
+ security_groups = [aws_security_group.default.name]
+
+ # We run a remote provisioner on the instance after creating it.
+ # In this case, we just install nginx and start it. By default,
+ # this should be on port 80s
+ provisioner "remote-exec" {
+ inline = [
+ "sudo apt update -y",
+ "sudo apt install -y nginx",
+ "sudo service nginx start",
+ ]
+ }
+
+ # run scan of instance
+ provisioner "local-exec" {
+ command = "cnspec scan ssh ubuntu@${coalesce(self.public_ip, self.private_ip)} -i ${var.private_key} --insecure --score-threshold 0"
+ }
+}
+
+# run scan of aws account
+resource "null_resource" "example1" {
+ provisioner "local-exec" {
+ command = "cnspec scan aws --option 'region=${var.aws_region}' --score-threshold 0"
+ }
+
+ depends_on = [
+ "aws_instance.web"
+ ]
+}
+
+```
+
+**Clone the example repository**
+
+To run the full example, clone the examples first:
+
+```bash title="Command Line"
+git clone https://github.com/mondoohq/installer.git
+cd mondoo/examples/terraform-aws
+```
+
+**Initialize the project**
+
+Initialize the project by running `terraform init`:
+
+```bash title="Download dependent modules"
+terraform init
+```
+
+**Run terraform apply**
+
+Now you can provision a new EC2 instance:
+
+```bash title="Run Terraform apply"
+terraform apply -var 'key_name=terraform' -var 'public_key=~/.ssh/id_rsa.pub' -var 'private_key=~/.ssh/id_rsa'
+```
+
+**Run terraform destroy**
+
+You can destroy the setup using:
+
+```bash title="Run terraform destroy"
+terraform destroy -var 'key_nameterraform' -var 'public_key=~/.ssh/id_rsa.pub' -var 'private_key=~/.ssh/id_rsa'
+```
+
+## Learn more
+
+- To learn more about how the MQL query language works, read [Write Effective MQL](/mql/mql.write/).
+
+---
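Review bot: The last `terraform destroy` command passes `-var 'key_nameterraform'`, which is missing the `=` that the matching apply line has (`-var 'key_name=terraform'`), so it will not run as written. In the clone step, `git clone https://github.com/mondoohq/installer.git` is followed by `cd mondoo/examples/terraform-aws`, but the clone creates a directory named `installer`. Every `local-exec` scan uses `--insecure --score-threshold 0` with no explanation. The text says scan exit statuses can trigger action on failure, so the page should say what each flag does and, if a threshold of 0 means the provisioner can never fail, use a non-zero threshold in at least one example. The DigitalOcean example passes the API token on the command line with `-var do_token=$DIGITALOCEAN_TOKEN`; consider exporting `TF_VAR_do_token` instead and marking the variable `sensitive`. Smaller points: the fence info string `bash bash title="Command Line"` repeats the language, the prose says the query calls the `block` field where the query uses `blocks`, the shell prompt switches between `mondoo>` and `cnspec>`, the comment reads "port 80s", and "can also be used to as post-provisioning step" needs fixing.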
diff --git a/docs/cnspec/uninstall.mdx b/docs/cnspec/uninstall.mdx
new file mode 100644
index 000000000..b42d0eea0
--- /dev/null
+++ b/docs/cnspec/uninstall.mdx
@@ -0,0 +1,83 @@
+---
+title: Uninstall cnspec
+sidebar_label: Uninstall cnspec
+displayed_sidebar: cnspec
+sidebar_position: 8
+description: Remove cnspec from a device
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+## Remove cnspec from a Debian-based Linux machine
+
+1. Log out the cnspec client from the back end:
+
+ ```bash
+ cnspec logout --force
+ ```
+
+2. Uninstall the package:
+
+ ```bash
+ apt remove mondoo
+ apt autoremove
+ ```
+
+3. Remove the repository:
+
+ ```bash
+ rm /usr/share/keyrings/mondoo-archive-keyring.gpg
+ rm /etc/apt/sources.list.d/mondoo.list
+ ```
+
+## Remove cnspec from a Red Hat-based Linux machine
+
+1. Log out the cnspec client from the back end:
+
+ ```bash
+ cnspec logout --force
+ ```
+
+2. Uninstall the package:
+
+ ```bash
+ dnf remove mondoo
+ ```
+
+3. Remove the repository:
+
+ ```bash
+ rm /etc/yum.repos.d/mondoo.repo
+ ```
+
+## Remove cnspec from a Windows machine
+
+1. Log out the cnspec client from the back end:
+
+ ```powershell
+ cnspec logout --force
+ ```
+
+2. Remove the MondooUpdater task:
+
+ ```powershell
+ Unregister-ScheduledTask -TaskName MondooUpdater -Confirm:$false;
+ $scheduleObject = New-Object -ComObject Schedule.Service; $scheduleObject.connect(); $rootFolder = $scheduleObject.GetFolder("\"); $rootFolder.DeleteFolder("Mondoo",$null)
+ ```
+
+3. Uninstall the Mondoo MSI package:
+
+ ```powershell
+ $app = Get-WmiObject -Class Win32_Product -Filter "Name = 'Mondoo'";$app.Uninstall();rm 'C:\Program Files\Mondoo\';rm 'C:\ProgramData\Mondoo\';
+ ```
+
+## Remove cnspec from a macOS machine
+
+1. Log out the cnspec client from the back end:
+
+ ```bash
+ cnspec logout --force
+ ```
+
+2. Remove cnspec using your preferred package manager, such as Homebrew or Nix.
+
+---
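Review bot: In Windows step 3, `$app.Uninstall()` is called without checking that the `Win32_Product` query returned an object, and the two `rm` calls target directories without `-Recurse -Force`, so the one-liner errors or prompts when Mondoo is not found or the folders are not empty. Suggest splitting it into separate lines with a null check and explicit `Remove-Item -Recurse -Force`. Querying `Win32_Product` also makes Windows Installer run a consistency check on every installed MSI package, so a note or an alternative lookup would help. The Linux steps delete files under `/usr/share/keyrings` and `/etc` but do not say they need root. None of the Linux or macOS sections cover leftover configuration, which matters because another page in this patch has users put an API token in `/etc/opt/mondoo/mondoo.yml`. The page title says cnspec while the package removed is `mondoo`; one sentence explaining the package name would avoid confusion. The macOS step 2 gives no command.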
diff --git a/docs/glossary.mdx b/docs/glossary.mdx
new file mode 100644
index 000000000..aeabb464a
--- /dev/null
+++ b/docs/glossary.mdx
@@ -0,0 +1,112 @@
+---
+title: "Mondoo Glossary of Terms"
+description: Terminology used in the Mondoo, cnspec, cnquery, and MQL documentation
+sidebar_label: Glossary
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+### advisory
+
+An [advisory](/platform/security/vuln/advisories/) is a notice released by a software vendors that provides recommendations on how to fix or mitigate a vulnerability in their product.
+
+### annotation
+
+Metadata that you add to an asset in Mondoo is called an [annotation](/platform/intel/annotations/). Annotations are key-value pairs that you can use for anything you want.
+
+### API token
+
+An API token gives an application or service access to an application programming interface (API). It's one way to enable different software programs to interact. Some Mondoo integrations rely on API tokens. You can also [create API tokens that provide access to Mondoo's GraphQL API](/platform/maintain/access/api-tokens/).
+
+### asset
+
+An asset is a physical or virtual computing, network, or storage device or other component of the information environment. Workstations, servers, SaaS environments, cloud storage, repositories, and virtual machines are only a few examples.
+
+### check
+
+A check is a verification of information. For example, a check can assert that an asset has a certain setting enabled or a software version installed. To learn more, read [Policy as Code](/platform/security/posture/pac/).
+
+### CI/CD
+
+Continuous integration and continuous delivery/deployment (CI/CD) is a highly automated software development practice in which teams make, test, and deploy frequent, incremental code changes. Mondoo integrates with [major CI/CD platforms](/platform/infra/supply/cicd/overview/) to enable security testing throughout the development process.
+
+### cnquery
+
+[cnquery](/cnquery/cnquery-about/) is Mondoo's open source, cloud-native tool that answers every question about your infrastructure. It integrates with [over 600 resources](/mql/resources) to provide quick insight into your operations and development platforms.
+
+### cnspec
+
+[cnspec](/cnspec/cnspec-about/) is Mondoo's open source, cloud-native tool that evaluates the security of your entire infrastructure. It's also a core component of the [Mondoo Platform](/platform/start/plat-what-is/), serving as both a CLI and an agent for scanning.
+
+### control
+
+A [control](/platform/compliance/monitor/frameworks/#controls-and-checks) is a general guideline in a compliance framework. For example, "Log sensitive data access" and "Maintain secure network architecture" are controls in a framework.
+
+### CVE
+
+A [CVE](/platform/security/vuln/overview/) (common vulnerability and exposure) is a weakness in a computer system that an attacker can exploit to gain access or extract information.
+
+### integration
+
+An [integration](/platform/infra/overview/) is Mondoo's connection and communication with an [asset](#asset). Integrations allow Mondoo to gather inventory details, assess the security of an asset, and measure compliance.
+
+### inventory
+
+An [inventory](/platform/intel/overview) is a collection of all the [assets](#asset) in your infrastructure. Mondoo's inventory gives you visibility into the details of all your assets across multiple platforms.
+
+### Mondoo Platform
+
+[Mondoo Platform](/platform/start/plat-what-is/) is Mondoo's full-stack compliance, security, and asset intelligence solution for the enterprise. It integrates with your infrastructure to continuously monitor security and evaluate compliance with the most common industry frameworks.
+
+### MQL
+
+[MQL](/mql/home/) is a graph-based query language built for searching and checking infrastructure configuration data and building security policies.
+
+### organization
+
+An [organization](/platform/start/organize/organizations/) is a high-level Mondoo entity that can contain one or more [spaces](#space).
+
+### policy
+
+A [policy](/platform/security/posture/policies/) is a codified benchmark used to assess your infrastructure. Policies control what misconfigurations and security issues Mondoo checks for when it evaluates your digital business assets. To learn more, read [Policy as Code](/platform/security/posture/pac/).
+
+### property
+
+A [property](/platform/security/customize/props/) is a variable part of a [check](#check). Properties let you customize the checks in a policy. For example, a policy might include a check to ensure that passwords are at least eight characters. The password length is a property that you can change.
+
+### query
+
+A query is a request for information. The [cnquery](/cnquery/cnquery-about/) CLI tool allows you to query assets in your infrastructure.
+
+### region
+
+A [region](/platform/start/organize/regions/) is the part of the world in which an organization conducts business. Mondoo stores and processes your data in different regions to comply with global regulations.
+
+### registry
+
+Mondoo's [registry](/platform/security/posture/policies/) is the location in the Mondoo Console where you choose and manage the security policies that are the bases for assessing your infrastructure.
+
+### score
+
+Mondoo gives each asset and space a security [score] that represents their ability to withstand attack. Scores are based on the security [policies](#policy) you choose. To learn how Mondoo calculates scores, read [How Mondoo scores policies](/platform/security/posture/monitor/#how-mondoo-scores-policies).
+
+### security posture
+
+Your [security posture](/platform/security/posture/overview/) is your organization's ability to identify, respond to, and recover from security threats and risks.
+
+### service account
+
+A service account is an identity used by a non-human (such as an application or a service) to access a software system. Mondoo relies on service accounts for some [integrations](#integration). You can also [create service accounts that provide access to Mondoo](/platform/maintain/access/service_accounts/).
+
+### space
+
+A [space](/platform/start/organize/spaces/) is a collection of [assets](#asset), policies, and reports that are managed together within Mondoo Platform. Spaces also let you manage which members of your team have access to different information about your infrastructure.
+
+### team member
+
+A [team member](/platform/maintain/access/team_members/) is a person in your organization who has access to Mondoo.
+
+### vulnerability
+
+A [vulnerability](/platform/security/vuln/overview/) is a weakness in a computer system that an attacker can exploit to gain access or extract information. Vulnerabilities are also known as CVEs (common vulnerabilities and exposures).
+
+---
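Review bot: The `CVE` entry repeats the `vulnerability` definition word for word ("a weakness in a computer system that an attacker can exploit to gain access or extract information") and expands the acronym as "common vulnerability and exposure", while the `vulnerability` entry expands it as "common vulnerabilities and exposures". A CVE is the identifier assigned to a publicly disclosed vulnerability rather than the weakness itself; suggest defining it that way, using one expansion in both entries, and linking to `#vulnerability`. In the `score` entry, `[score]` has no link target and will render with literal brackets. The `advisory` entry reads "released by a software vendors".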
diff --git a/docs/intro.md b/docs/intro.md
new file mode 100644
index 000000000..df93ae28f
--- /dev/null
+++ b/docs/intro.md
@@ -0,0 +1,75 @@
+---
+slug: /
+title: "Mondoo Docs"
+hide_title: true
+id: intro
+description: Mondoo documentation home
+image: /img/featured_img/mondoo-feature.jpg
+hide_table_of_contents: true
+---
+
+![Welcome to the Mondoo docs](/img/docs-welcome.png)
+
+With Mondoo's fully integrated suite of tools and services, you can reach compliance, secure your cloud and on-premises infrastructure, and gain unlimited insight into your environments.
+
+[Read what's new in our latest release!](releases)
+
+## [Mondoo Platform](/platform/home/)
+
+Mondoo's flagship SaaS platform provides full-stack security, asset intelligence, and compliance for your entire infrastructure.
+
+- [What Is Mondoo?](/platform/start/plat-what-is/)
+
+- [Get Started](/platform/start/plat-start-acct/)
+
+#### [Integrate Your Infrastructure with Mondoo](/platform/infra/overview/)
+
+- [Servers and Endpoints](/platform/infra/opsys/osoverview/)
+
+- [Cloud](/platform/infra/cloud/overview/)
+
+- [SaaS](/platform/infra/saas/overview/)
+
+- [Network](/platform/infra/networking/overview/)
+
+- [Software Supply Chain](/platform/infra/supply/overview/)
+
+#### [Security](/platform/security/overview/)
+
+#### [Compliance](/platform/compliance/overview/)
+
+#### [Asset Intelligence](/platform/intel/overview/)
+
+#### [Manage Mondoo](/platform/maintain/overview/)
+
+## [cnspec](/cnspec/home/)
+
+cnspec is an open source, cloud-native tool that evaluates the security of your entire infrastructure. It's also a core component of the Mondoo Platform, serving as both a CLI and an agent for scanning.
+
+- [Get Started with cnspec](cnspec/)
+
+- [Command Line Reference](/cnspec/cli/cnspec/)
+
+## [cnquery](/cnquery/home)
+
+cnquery is an open source, cloud-native tool that answers every question about your infrastructure.
+
+- [Get Started with cnquery](cnquery/)
+
+- [Command Line Reference](/cnquery/cli/cnquery/)
+
+## [MQL](/mql/home/)
+
+MQL is a graph-based query language built for searching and checking infrastructure configuration data and building security policies.
+
+- [MQL Resources](/mql/resources/)
+
+- [Write Effective MQL](/mql/mql.write/)
+
+## Can't find what you need?
+
+- Open source users: Join our community discussion on GitHub.
+
+- Mondoo Platform users: Join our community Slack channel to chat with us and other Mondoo users.
+
+---
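Review bot: Three links use relative targets (`releases`, `cnspec/`, `cnquery/`) while every other link on the page is root-relative such as `/cnspec/home/`; make them root-relative so they resolve the same way wherever the page is served. `/cnquery/home` is also missing the trailing slash that `/cnspec/home/` and `/mql/home/` have. The "Can't find what you need?" items name the GitHub discussion and the Slack channel without linking to either.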
diff --git a/docs/mql/_category_.json b/docs/mql/_category_.json
new file mode 100644
index 000000000..f31dad5d3
--- /dev/null
+++ b/docs/mql/_category_.json
@@ -0,0 +1,3 @@
+{
+ "label": "MQL"
+}
diff --git a/docs/mql/home.md b/docs/mql/home.md
new file mode 100644
index 000000000..fbefb83c0
--- /dev/null
+++ b/docs/mql/home.md
@@ -0,0 +1,36 @@
+---
+title: "MQL Docs"
+sidebar_label: MQL Docs Home
+displayed_sidebar: MQL
+sidebar_position: 1
+description: MQL documentation home
+image: /img/featured_img/mondoo-feature.jpg
+hide_table_of_contents: true
+---
+
+MQL is a graph-based query language built for searching and checking infrastructure configuration data and building security policies.
+
+### [What is MQL?](/mql/resources/)
+
+Learn the MQL basics.
+
+### [Write Effective MQL](/mql/mql.write)
+
+Dive into creating queries, checks, and policies.
+
+### [MQL Reference](/mql/resources/)
+
+Find all the resources you can query with MQL.
+
+
+
+#### See also:
+
+To learn how to structure and build your own policies, read the Mondoo [Policy Authoring Guide](/cnspec/cnspec-policies/write/).
+
+#### Can't find what you need?
+
+- Open source users: Join our community discussion on GitHub.
+- Mondoo Platform users: Join our community Slack channel to chat with us and other Mondoo users.
+
+---
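Review bot: "What is MQL?" links to `/mql/resources/`, the same target as "MQL Reference" two entries later, so the "Learn the MQL basics" entry lands on the resource reference; point it at the intended introduction page. `/mql/mql.write` lacks the trailing slash used for the same page elsewhere in this patch (`/mql/mql.write/`). As on the docs home page, the GitHub and Slack items under "Can't find what you need?" carry no links, and there are three consecutive blank lines before "See also:".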
diff --git a/docs/mql/mql-write.md b/docs/mql/mql-write.md
new file mode 100644
index 000000000..f146af9f4
--- /dev/null
+++ b/docs/mql/mql-write.md
@@ -0,0 +1,889 @@
+---
+title: Write Effective MQL
+sidebar_label: Write Effective MQL
+sidebar_position: 2
+displayed_sidebar: MQL
+id: mql.write
+description: How to write queries, checks, and policies in MQL
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+We built MQL for searching, filtering, and testing infrastructure configuration data. Easy, lightweight, and fast, MQL’s data extraction resembles GraphQL, while its intuitive scripting approach is similar to JavaScript.
+
+This page describes the conventions for writing queries and checks in MQL. It contains these sections:
+
+- [Basic structure](#basic-structure)
+ - [Resources and fields](#resources-and-fields)
+ - [Child resources](#child-resources)
+ - [Blocks](#blocks)
+ - [Nest blocks](#nest-blocks)
+ - [Request all fields from a resource](#request-all-fields-from-a-resource)
+ - [Lists](#lists)
+ - [Basic functions](#basic-functions)
+- [Control structures](#control-structures)
+ - [If](#if)
+ - [Switch](#switch)
+ - [Conditional operators](#conditional-operators)
+- [Functions](#functions-h2)
+ - [Parameters](#parameters)
+ - [Anonymous functions](#anonymous-functions)
+ - [Named arguments in functions](#named-arguments-in-functions)
+- [Data](#data)
+ - [Basic data types](#basic-data-types)
+ - [Regular expressions](#regular-expressions)
+ - [Time](#time)
+ - [Empty](#empty)
+ - [Arrays](#arrays)
+ - [Array assertions](#array-assertions)
+ - [Mapping field](#mapping-field)
+ - [Maps](#maps)
+ - [Dicts](#dicts)
+ - [recurse helper for dicts](#recurse-helper-for-dicts)
+ - [Nested data](#nested-data)
+- [Error handling](#error-handling)
+ - [Null chaining](#null-chaining)
+- [Concurrency](#concurrency)
+- [Commenting](#commenting)
+- [Embedding](#embedding)
+ - [CLI](#cli)
+ - [Code embedding](#code-embedding)
+
+These are other helpful resources in the Mondoo docs:
+
+| Page | Purpose |
+| ----------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
+| [MQL Resources](/mql/resources/) | Lists all of the information that MQL can retrieve from infrastructure assets and describes how to use them |
+| [Get Started with cnquery](/cnquery/) | Describes how to use the cnquery shell for ad hoc MQL queries |
+| [Query Your Infrastructure](/cnquery/cnquery-query) | Describes how to write queries to execute from the command line or to use in automation |
+| [cnquery CLI commands](/cnquery/cli/cnquery/) | Details all commands in the cnquery command line interface |
+| [Create Checks in cnspec Shell](/cnspec/cnspec-scan/) | Describes how to use the cnspec shell for ad hoc MQL assertions |
+| [cnspec CLI commands](/cnspec/cli/cnspec/) | Details all commands in the cnspec command line interface |
+
+## Basic structure
+
+All MQL code is in UTF-8 to support any characters. MQL is a type-safe and compiled language that can also be executed on the fly.
+
+These are the basic tools of MQL:
+[Resources and fields](#resources-and-fields)
+[Blocks](#blocks)
+[Lists](#lists)
+[Basic functions](#basic-functions)
+
+### Resources and fields
+
+A _resource_ is a source of information about an asset in your infrastructure. These are examples of resources:
+
+- A user on the asset
+- The operating system running on the asset
+- An AWS S3 bucket
+- A Google Cloud compute instance
+- A Terraform state
+- A Microsoft Entra ID domain
+
+Each resource has one or more _fields_, pieces of information you can request from the resource. These are examples of fields:
+
+- A user can have a unique ID, a group, an SSH key, and more.
+- An operating system can have a name, a path, and more.
+- An AWS S3 bucket can have a version, can be public or not public, have encryption information, and more.
+- A Google Cloud compute instance can have deletion protection on or off, a hostname, and more.
+- A Terraform state can have output values, modules, and more.
+- A Microsoft Entra ID domain can have a verified or unverified status, an authentication type, and more.
+
+This example requests the platform of an asset. `asset` is the resource and `platform` is the field:
+
+```coffee
+asset.platform
+```
+
+The output would be `redhat`, `windows`, `k8s-pod`, or similar.
+
+Access related resources
+
+```coffee
+sshd.config.file
+=> file("/etc/sshd/sshd_config")
+
+sshd.config.file.path
+=> "/etc/sshd/sshd_config"
+```
+
+#### Child resources
+
+Some resources have _child resources_. For example, the `aws.ec2` resource has multiple child resources, including `aws.ec2.volume`, `aws.ec2.snapshot`, and more.
+
+### Blocks
+
+_Blocks_ are a convenient way to group and extract information. They save you the trouble of repeating multiple requests for fields from one resource.
+
+Instead of making individual requests like this:
+
+```coffee
+sshd.config.file
+sshd.config.params
+sshd.config.ciphers
+```
+
+You can combine them into a block:
+
+```coffee
+sshd.config {
+ file
+ params
+ ciphers
+}
+```
+
+The output is the same.
+
+#### Nest blocks
+
+You can nest blocks:
+
+```coffee
+sshd.config {
+ file {
+ path
+ permissions
+ }
+}
+```
+
+#### Request all fields from a resource
+
+A quick way to request all fields from a resource is by using `{*}`. For example, this requests all fields from the `services` resource:
+
+```coffee
+services { * }
+```
+
+This expands all _immediate_ fields of the given resource. It does not cascade to list any child resources.
+
+### Lists
+
+Some resources provide information in _lists_. For example, this requests a list of users, a list of packages, and a list of services:
+
+```coffee
+users
+packages
+services
+```
+
+Using blocks, you can access specific field values from every item in a list. For example, this requests the `name`, `uid`, and `home` field values for each result in a list of users:
+
+```coffee
+users {
+ name
+ uid
+ home
+}
+```
+
+### Basic functions
+
+These help to take action on resources and fields. Some of the most important functions exist on lists and include `where`, `all`, `none`, and more.
+
+```coffee
+users.where( uid >= 1000 ) {
+ name
+ uid
+}
+```
+
+To learn more, read [Functions](#functions-h2).
+
+## Control structures
+
+These are the control structures that organize the flow of control in MQL:
+
+- [If](#if)
+- [Switch](#switch)
+- [Conditional operators](#conditional-operators)
+
+### If
+
+In MQL a simple `if` statement looks like this:
+
+```coffee
+if( x > 0 ) {
+ return y
+}
+```
+
+You can also chain statements with `else if` and `else`:
+
+```coffee
+if( x > 10 ) {
+return 1
+} else if( x > 0 ) {
+return 0
+} else {
+return -1
+}
+```
+
+### Switch
+
+You can more easily chain multiple conditionals together using `switch`:
+
+```coffee
+switch( x ) {
+case _ > 10:
+ return 1
+case _ > 0:
+ return 0
+default:
+ return -1
+}
+```
+
+MQL evaluates the cases from top to bottom until it finds a match. There is no automatic fall-through.
+
+### Conditional operators
+
+MQL supports these conditional operators:
+
+- `==`
+- `!=`
+- `>`
+- `<`
+- `>=`
+- `<=`
+
+:::tip
+
+Use `inRange` to check if an integer, float, or dict is in a numeric range. Follow this format:
+
+```coffee
+VALUE.inRange(MIN, MAX)
+```
+
+Examples:
+
+```coffee
+
+3.inRange(3, 5)
+
+password.length.inRange(9, 15)
+```
+
+:::
+
+Although MQL is type-safe and compiled, it’s also forgiving. You can easily express your assertions without having to fight with the type-safety.
+
+Here’s a simple example:
+
+```coffee
+a = 2
+b = "2"
+
+a == 2 && b == 2
+```
+
+Here’s a real-world example:
+
+```coffee
+sshd.config.params["Port"] == 22
+```
+
+`params` is a map of strings, so values like `Protocol` and `Port` are strings, even though they look like numbers.
+
+Many conditional operators allow soft comparisons:
+
+```coffee
+"2" == 2
+
+"2" == 2.0
+
+"3" > 2
+
+[1] == 1
+```
+
+This simplifies the usage of regular expressions as well:
+
+```coffee
+"Hello world" == /H.*o/
+```
+
+To learn about conditional operators with lists, see [Arrays](#arrays).
+
+To learn about conditional operators with maps, see [Maps](#maps).
+
+## Functions {#functions-h2}
+
+- [Parameters](#parameters)
+- [Anonymous functions](#anonymous-functions)
+
+### Parameters
+
+Many fields take unnamed parameters by default:
+
+```coffee
+sshd.config( "/path/to/my/sshd" )
+```
+
+You can also use named parameters to initialize resources.:
+
+```coffee
+parse.json(
+ command('lsblk --json').stdout
+)
+```
+
+### Anonymous functions
+
+You can call many functions with an embedded function. An example is `where`:
+
+```coffee
+users.where( uid >= 1000 )
+```
+
+The function takes an embedded function as an argument, which is executed against it. The fields (in the above example, `uid`) are by default bound to the calling resource (in the above example, `user`).
+
+You can combine these with global resources and variables:
+
+```coffee
+users.where( name == regex.email )
+```
+
+Some functions support both embedded and static values:
+
+```coffee
+[1,2,3].contains( 3 )
+[1,2,3].contains( _ > 2 )
+```
+
+### Named arguments in functions
+
+You can set a named argument in a function. This is useful in situations where you can only use one expression (such as with `all` or `one`). It also makes the code easier to understand, especially when nesting across multiple objects, as in this example:
+
+```coffee
+users.all(user:
+ groups.contains(group:
+ user.uid == group.gid
+ )
+)
+```
+
+## Data
+
+Learn about these data types in MQL:
+
+- [Basic data types](#basic-data-types)
+- [Maps](#maps)
+- [Dicts](#dicts)
+- [Empty](#empty)
+
+### Basic data types
+
+MQL's basic data types are:
+
+```coffee
+s1 = "I am a string"
+s2 = 'I am also a string'
+re = /Reg.* Expression/
+
+n1 = 1.0 + 2
+
+n = null
+b = true || false
+```
+
+#### Regular expressions
+
+For regular expressions, you can access a lot of pre-built expressions in the `regex` resource. These are a few examples:
+
+```coffee
+"anya@forger.com" == regex.email
+
+"10.0.0.255" == regex.ipv4
+"fe80::1042:2c47:b787:f6bb" == regex.ipv6
+
+"4832500902091714" == regex.creditCard
+```
+
+To learn about all the pre-build expressions, read the [`regex`](/mql/resources/core-pack/regex/) resource reference.
+
+#### Time
+
+MQL’s built-in time functions make these assertions easy:
+
+```coffee
+time.now
+# 2022-10-13 14:42:35 -0700 PDT
+
+time.now - time.day
+# 2022-10-12 14:42:35 -0700 PDT
+# subtracts a day from the current time
+
+time.now - 2*time.hour
+# 2022-10-13 11:42:35 -0700 PDT
+# subtracts 2 hours from the current time
+
+parse.date("2022-10-12T14:42:35Z")
+# 2022-10-12 14:42:35 +0000 UTC
+# uses RFC3339 layout by default
+```
+
+:::tip
+
+Use `inRange` to check if a date and time is in a range. Follow this format:
+
+```coffee
+DATE.inRange(MIN, MAX)
+```
+
+Example:
+
+```coffee
+time.inRange(yesterday, tomorrow)
+```
+
+:::
+
+MQL also can parse durations:
+
+```coffee
+parse.duration("3days")
+
+parse.duration("1y")
+```
+
+Although the parser is very lenient, for best results, use:
+
+```
+30s = 30 seconds
+1m = 1 minute
+3h = 3 hours
+90d = 90 days
+5y = 5 years
+```
+
+#### Empty
+
+The `empty` data type saves you the trouble of checking for different kinds of empty values, such as:
+
+- `[]`
+- `null`
+- `''`
+- `{}`
+
+For example, this query finds any type of empty value:
+
+```coffee
+users.list == empty
+```
+
+#### Semantic versioning
+
+Use the `semver` type for semantic versioning. Create a semver using the `semver` keyword, which takes a string as an argument:
+
+```coffee
+semver('3.12.1')
+```
+
+You can compare a semver with another semver or with a string:
+
+```coffee
+semver('1.2.3') < semver('2.3')
+
+semver('1.10') >= '1.2'
+```
+
+### Arrays
+
+Many resources contain lists of entries, like this example:
+
+```coffee
+users {
+ name
+ uid
+}
+```
+
+You can filter these lists using the `where` clause:
+
+```coffee
+users.where( uid >= 1000 ) {
+ name
+ uid
+}
+```
+
+#### Array assertions
+
+To avoid unnecessary loops, MQL provides some keywords that make assertions on lists a lot simpler. For example:
+
+```coffee
+users.all( uid >= 0 )
+```
+
+Failures to these print the affected elements:
+
+```coffee
+> users.all( uid > 0 )
+[failed] users.all()
+ actual: [
+ 0: user id = user/0/root
+ ]
+```
+
+The available assertions for all lists are:
+
+```coffee
+users.all( name != "anya" ) <= make sure no user is called anya
+users.one( name == "anya" ) <= one user must exist, but no more than one
+users.none( name == "anya" ) <= no user exists with the name anya
+users.contains( uid >= 1000 ) <= contains one or more users with uid >= 1000
+```
+
+For lists of strings, you can use the `in` assertion, which is the inverse of `contains`:
+
+```coffee
+"anya".in(["abel","amos","anya"])
+```
+
+An ideal use for `in` is to combine it with [properties](/cnspec/cnspec-policies/write/properties/). For example, if you define a property named `allowedCiphers`, you can assert that a configured cipher is in that list:
+
+```coffee
+sshd.config.ciphers.in( props.allowedCiphers )
+```
+
+Another useful assertion for lists of strings is `containsAll`:
+
+```coffee
+["abel","amos","anya"].containsAll(["abel","amos"])
+```
+
+#### Mapping field
+
+With block extraction, MQL provides arrays of maps:
+
+```coffee
+> users { name }
+[
+ 0: { name: "root" }
+
+ ...
+
+]
+```
+
+You can map these values into a simple list:
+
+```coffee
+> users.map(name)
+[
+ 0: "root",
+
+ ...
+
+]
+```
+
+This makes many queries and assertions easier:
+
+```coffee
+users.map(name).contains( "anya" )
+```
+
+### Maps
+
+_Maps_ are key-value structures in which the key is a string and the value can be any type. You can access individual fields using `[]` or get all `keys` and `values`
+
+These are simple examples:
+
+```coffee
+m = {"a": 1, "b": 2}
+
+> m.b
+# 2
+
+> m.keys
+# ["a", "b"]
+
+> m.values
+# [1, 2]
+```
+
+This is a real-life example:
+
+```
+> os.env["SHELL"]
+"/usr/bin/zsh"
+```
+
+#### Map assertions
+
+The available assertions for maps are:
+
+```coffee
+{'a': 1, 'b': 2}.contains( key == 'b' )
+{'a': 1, 'b': 2}.all( value > 0 )
+{'a': 1, 'b': 2}.one( value != 1 )
+{'a': 1, 'b': 2}.none( key == /d-f/ )
+```
+
+### Dicts
+
+_Dicts_ are similar to maps but have one key difference: Maps are statically typed ahead of time; they have known value types.
+
+That’s not the case when you process unknown data such as JSON. This presents a challenge, and the solution is `dict`:
+
+```coffee
+> parse.json("my.json")
+parse.json.params: {
+ 1: 1.000000
+ 1.0: 1.000000
+ _: null
+ date: "2016-01-28T23:02:24Z"
+ dict: {
+ ee: 3.000000
+ ej: 4.000000
+ ek: 5.000000
+ }
+
+ ...
+
+```
+
+As you can see, there can be mixed values for all supported base types.
+
+All other operations work as expected:
+
+```coffee
+> parse.json("my.json").params.keys
+parse.json.params.keys: [
+ 0: "int-array"
+ 1: "f"
+ 2: "string-array"
+ 3: "hello"
+
+
+> parse.json("my.json").params.value
+parse.json.params.values: [
+ 0: null
+ 1: true
+ 2: 1.000000
+ 3: "hello"
+
+> parse.json("my.json").params["f"][0]
+parse.json.params[f][0]: {
+ ff: 3.000000
+}
+
+> parse.json("my.json").
+ params["f"].
+ all( _.keys.contains("ff") )
+[ok] value: true
+```
+
+#### `recurse` helper for dicts
+
+The `recurse` helper makes it easy to extract data from a dict structure made up of mixed value types.
+
+For example, suppose you need to retrieve all users from this JSON data structure:
+
+```json
+{
+ "users": [{ "name": "bob" }],
+ "owners": {
+ "admins": [{ "name": "joy", "isOwner": true }]
+ }
+}
+```
+
+Because of the varying data types, finding users in this structure is difficult with traditional mechanisms. You need to understand the data structure and know where to search.
+
+`recurse` eliminates that difficulty:
+
+```coffee
+jdata.recurse( name != empty )
+```
+
+```coffee
+[
+ 0: {
+ name: "bob"
+ }
+ 1: {
+ isOwner: true
+ name: "joy"
+ }
+]
+```
+
+You can then map the user names:
+
+```coffee
+jdata.recurse( name != empty ).map(name)
+```
+
+```coffee
+[
+ 0: "bob"
+ 1: "joy"
+]
+```
+
+### Nested data
+
+JSON, Terraform, and Kubernetes artifacts can include nested structures that make data a challenge to access. To make these easier to query, MQL supports simple accessors:
+
+```coffee
+tfblock {
+ attributes.account_id.value
+}
+```
+
+## Error handling
+
+For values that cannot be accessed, MQL provides errors:
+
+```coffee
+> file("/etc/shadow").content
+[failed] file.content
+ error: open /etc/shadow: permission denied
+```
+
+#### Null chaining
+
+In general, `null` values are chained across their access:
+
+```coffee
+> sshd.config.params["NONE"].downcase == null
+[ok] value: _
+```
+
+## Concurrency
+
+MQL supports concurrent execution by default. All code that you write is executed in the order of its necessary I/O input.
+
+For example:
+
+```coffee
+hosts = [
+ tls("mondoo.com"),
+ tls("mondoo.io"),
+ ...
+]
+
+hosts.all(
+ ciphers
+ .none( /cbc/i )
+)
+```
+
+This call checks all TLS ciphers on all the hosts that were previously defined. Such calls can take a while to execute if done serially. However, MQL looks for the entry points where data is being processed and executes those in parallel. In the example above, the TLS requests to all hosts will run in parallel and aggregate.
+
+It doesn’t matter if the data is retrieved from an API, file, system command or other call; MQL always executes calls in parallel.
+
+You don't have to configure or think about concurrency or parallel value assignment in MQL; concurrency is automatic on all available streams.
+
+## Commenting
+
+MQL supports `#` commenting, which works best with YAML.
+
+```coffee
+# I am a comment
+sshd.config.params
+```
+
+MQL also supports `//`.
+
+## Embedding
+
+It’s easy to embed MQL in your code.
+
+### CLI
+
+A quick way to embed MQL is to execute MQL in the CLI and embed the results in other scripts:
+
+```bash
+> cnquery run local --json \
+ -c "processes.where(command == /long test/).map(pid)" | ...
+```
+
+### Code embedding
+
+You can embed the MQL execution engine as a dependency. This example embeds in Go:
+
+```golang
+package mqldiscovery
+
+import (
+ "go.mondoo.com/cnquery"
+ "go.mondoo.com/cnquery/llx"
+ "go.mondoo.com/cnquery/motor"
+ aws_provider "go.mondoo.com/cnquery/motor/providers/aws"
+ "go.mondoo.com/cnquery/mql"
+ "go.mondoo.com/cnquery/resources"
+ resource_pack "go.mondoo.com/cnquery/resources/packs/aws"
+)
+
+func New(provider *aws_provider.Provider) (*MqlDiscovery, error) {
+ m, err := motor.New(provider)
+ if err != nil {
+ return nil, err
+ }
+ rt := resources.NewRuntime(resource_pack.Registry, m)
+ return &MqlDiscovery{rt: rt}, nil
+}
+
+type MqlDiscovery struct {
+ rt *resources.Runtime
+}
+
+func (md *MqlDiscovery) GetResourceCount(query string) int32 {
+ mqlExecutor := mql.New(md.rt, cnquery.DefaultFeatures)
+ value, err := mqlExecutor.Exec(query, map[string]*llx.Primitive{})
+ if err != nil {
+ return 0
+ }
+
+ a := 0
+ d, _ := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
+ Result: &a,
+ })
+ d.Decode(value.Value)
+ return int32(a)
+}
+
+func (md *MqlDiscovery) GetRegionsList() []string {
+ mqlExecutor := mql.New(md.rt, cnquery.DefaultFeatures)
+ value, err := mqlExecutor.Exec("aws.regions", map[string]*llx.Primitive{})
+ if err != nil {
+ return []string{}
+ }
+
+ a := []string{}
+ d, _ := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
+ Result: &a,
+ })
+ d.Decode(value.Value)
+ return a
+}
+
+func (md *MqlDiscovery) Close() {
+ if md.rt != nil && md.rt.Motor != nil {
+ md.rt.Motor.Close()
+ }
+}
+
+func (md *MqlDiscovery) RunQuery(query string) interface{} {
+ mqlExecutor := mql.New(md.rt, cnquery.DefaultFeatures)
+ value, err := mqlExecutor.Exec(query, map[string]*llx.Primitive{})
+ if err != nil {
+ return nil
+ }
+
+ var a interface{}
+ d, _ := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
+ Result: &a,
+ })
+ d.Decode(value.Value)
+ return a
+}
+```
+
+---
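Review bot: In the Go example under "Code embedding", `mapstructure` is used in `GetResourceCount`, `GetRegionsList` and `RunQuery` but is missing from the import block, so the sample does not compile as shown. The same functions discard the errors from `mapstructure.NewDecoder` and `d.Decode` and return `0`, an empty slice or `nil` when `Exec` fails, which makes a failed query indistinguishable from an empty result; in code that feeds security checks, return the error to the caller instead. Smaller points in this file: the "Parameters" sentence ends in `.:` and its `parse.json(...)` example passes no named parameter; the Dicts example queries `.params.value` while its output is labelled `params.values`; the map assertion `key == /d-f/` matches the literal text `d-f` rather than a character range (`/[d-f]/` may have been intended); the `> cnquery run local` line in the `bash` block starts with a prompt character that a shell reads as a redirect when pasted; and "Semantic versioning" and "Map assertions" are missing from the section list at the top of the page.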
diff --git a/docs/mql/resources/README.md b/docs/mql/resources/README.md
new file mode 100644
index 000000000..8f380d9f2
--- /dev/null
+++ b/docs/mql/resources/README.md
@@ -0,0 +1,63 @@
+---
+title: MQL Reference
+sidebar_label: Overview
+sidebar_position: 3
+displayed_sidebar: MQL
+id: mql.reference
+description: Learn about all of the available MQL resources and how you can use them to query your infrastructure and to create security policies.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+**MQL** is a lightweight, ultra-fast query language purpose-built for:
+
+- Searching and filtering infrastructure configuration data
+- Making checks about infrastructure configuration
+- Building security policies
+
+For an introduction to MQL, read the [MQL intro slide deck](https://mondoohq.github.io/mql-intro/index.html)
+
+To learn how to create queries, checks, and policies in MQL, read [Write Effective MQL](/mql/mql.write/).
+
+## Resources
+
+A _resource_ is a source of information about an asset in your infrastructure, such as a file, a container image, or an AWS EC2 instance. We've organized MQL resources into packs to make it easy to find what you need.
+
+[**Core resource pack:**](./core-pack)
+The core pack is essential for queries and checks against many different systems. Use it to retrieve information about users, files, packages, ports, and much more.
+
+[**Operating system resource pack:**](./os-pack)
+Some of the resources in the operating system pack span different operating systems, while others are specific to a single operating system.
+
+[**Network resource pack:**](./network-pack)
+The network pack includes resources for querying assets like host names and checking certificate contents.
+
+**Platform-specific resource packs:**
+These specialized packs let you deep-dive into attributes unique to the platforms:
+
+- [Amazon Web Services (AWS) resource pack](./aws-pack)
+- [Atlassian resource pack](./atlassian-pack)
+- [Arista resource pack](./arista-pack)
+- [Azure resource pack](./azure-pack)
+- [Equinix Metal resource pack](./equinix-pack)
+- [GitHub resource pack](./github-pack)
+- [GitLab resource pack](./gitlab-pack)
+- [Google Cloud Platform (GCP) resource pack](./gcp-pack)
+- [Google Workspace resource pack](./google-workspace-pack/)
+- [IPMI resource pack](./ipmi-pack)
+- [Kubernetes resource pack](./k8s-pack)
+- [Microsoft 365 resource pack](./ms365-pack)
+- [Okta resource pack](./okta-pack)
+- [OPC UA resource pack](./opcua-pack)
+- [Oracle Cloud Infrastructure (OCI) resource pack](./oci-pack)
+- [Slack resource pack](./slack-pack)
+- [Terraform IaC resource pack](./terraform-pack)
+- [VMware Cloud Director resource pack](./vcd-pack/)
+- [VMware vSphere resource pack](./vsphere-pack)
+
+## Learn more
+
+- To learn about querying your systems with MQL, read the [cnquery docs](/cnquery/home/).
+
+- To learn how to create queries, checks, and policies in MQL, read [Write Effective MQL](/mql/mql.write/).
+
+---
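Review bot: The pack list mixes link forms, with trailing slashes on `./google-workspace-pack/` and `./vcd-pack/` but bare paths such as `./aws-pack` elsewhere; pick one form so link checking behaves the same for every entry. Atlassian is listed before Arista, which breaks the otherwise alphabetical order, and the "MQL intro slide deck" sentence is missing its final period.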
diff --git a/docs/mql/resources/_category_.json b/docs/mql/resources/_category_.json
new file mode 100644
index 000000000..7143dac3f
--- /dev/null
+++ b/docs/mql/resources/_category_.json
@@ -0,0 +1,3 @@
+{
+ "label": "Resources"
+}
diff --git a/docs/mql/resources/arista-pack/README.md b/docs/mql/resources/arista-pack/README.md
new file mode 100644
index 000000000..9c8375af8
--- /dev/null
+++ b/docs/mql/resources/arista-pack/README.md
@@ -0,0 +1,26 @@
+---
+title: Arista EOS Resource Pack - MQL Resources
+id: arista.eos.pack
+sidebar_label: Arista EOS Resource Pack
+displayed_sidebar: MQL
+description: The Arista EOS resource pack lets you use MQL to query and assess the security of your Arista EOS network devices.
+---
+
+# Mondoo Arista EOS Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| ----------------------------------------------------------------------- | ---------------------------------------------------------------------------- |
+| [arista.eos](arista.eos.md) | Arista EOS resource |
+| [arista.eos.interface](arista.eos.interface.md) | Arista EOS interface resource |
+| [arista.eos.ipInterface](arista.eos.ipinterface.md) | Arista EOS IP interface |
+| [arista.eos.ntpSetting](arista.eos.ntpsetting.md) | Arista EOS NTP information resource |
+| [arista.eos.role](arista.eos.role.md) | Arista EOS role resource |
+| [arista.eos.runningConfig](arista.eos.runningconfig.md) | Arista EOS system’s operating configuration |
+| [arista.eos.runningConfig.section](arista.eos.runningconfig.section.md) | Arista EOS system’s operating configuration for a specific section |
+| [arista.eos.snmpSetting](arista.eos.snmpsetting.md) | Arista EOS SNMP information resource |
+| [arista.eos.spt.mstInterface](arista.eos.spt.mstinterface.md) | Multiple Spanning Tree Protocol (MSTP) information for a specified interface |
+| [arista.eos.stp](arista.eos.stp.md) | Arista Spanning Tree Protocol (STP) resource |
+| [arista.eos.stp.mst](arista.eos.stp.mst.md) | Arista Multiple Spanning Tree Protocol (MSTP) resource instance |
+| [arista.eos.user](arista.eos.user.md) | User on the local Arista EOS system |
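Review bot: The row `arista.eos.spt.mstInterface` spells the namespace `spt` while its siblings are `arista.eos.stp` and `arista.eos.stp.mst`; confirm the ID against the resource schema, and if `spt` is the real name, say so in the description so readers do not "correct" it in their queries and get a lookup failure.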
diff --git a/docs/mql/resources/arista-pack/arista.eos.interface.md b/docs/mql/resources/arista-pack/arista.eos.interface.md
new file mode 100644
index 000000000..a7c5b2763
--- /dev/null
+++ b/docs/mql/resources/arista-pack/arista.eos.interface.md
@@ -0,0 +1,39 @@
+---
+title: arista.eos.interface
+id: arista.eos.interface
+sidebar_label: arista.eos.interface
+displayed_sidebar: MQL
+description: Arista EOS interface resource
+---
+
+# arista.eos.interface
+
+**Supported platform**
+
+- arista-eos
+
+**Description**
+
+Arista EOS interface resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------- | -------------- | -------------------------------------------------------------------------------------- |
+| name | string | Interface name, link status, vlan, duplex, speed, and type of the specified interfaces |
+| bandwidth | int | Interface bandwidth |
+| burnedInAddress | string | 'burned in' address of the interface |
+| description | string | Interface description |
+| forwardingModel | string | Forwarding mode |
+| hardware | string | Hardware Name |
+| interfaceAddress | []dict | Interface address information |
+| interfaceCounters | dict | Traffic count information |
+| interfaceMembership | string | Interface membership |
+| interfaceStatistics | dict | Interface statistics |
+| interfaceStatus | string | Interface status |
+| l2Mtu | int | Layer 2 MTU |
+| lastStatusChangeTimestamp | int | Last interface change timestamp |
+| lineProtocolStatus | string | Interface protocol status |
+| mtu | int | MTU |
+| physicalAddress | string | MAC address of the interface |
+| status | dict | Interface link status, vlan, duplex, speed, and type |
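Review bot: The `name` row's description ("Interface name, link status, vlan, duplex, speed, and type of the specified interfaces") repeats the text of the `status` row for what is a plain string field; trim it to the interface name. `lastStatusChangeTimestamp` is typed `int` with no unit or epoch stated, and "Hardware Name" is capitalized unlike the neighboring descriptions.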
diff --git a/docs/mql/resources/arista-pack/arista.eos.ipinterface.md b/docs/mql/resources/arista-pack/arista.eos.ipinterface.md
new file mode 100644
index 000000000..0c81250c3
--- /dev/null
+++ b/docs/mql/resources/arista-pack/arista.eos.ipinterface.md
@@ -0,0 +1,25 @@
+---
+title: arista.eos.ipInterface
+id: arista.eos.ipInterface
+sidebar_label: arista.eos.ipInterface
+displayed_sidebar: MQL
+description: Arista EOS IP interface
+---
+
+# arista.eos.ipInterface
+
+**Supported platform**
+
+- arista-eos
+
+**Description**
+
+Arista EOS IP interface
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ------ | -------------- |
+| name | string | Interface Name |
+| address | string | IP Address |
+| mtu | string | MTU |
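Review bot: `mtu` is typed `string` in this table but `int` in `arista.eos.interface`; if the string type is correct, note it in the description, because a numeric assertion on this field then depends on MQL's soft comparison rather than on a typed integer.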
diff --git a/docs/mql/resources/arista-pack/arista.eos.md b/docs/mql/resources/arista-pack/arista.eos.md
new file mode 100644
index 000000000..d993cd83e
--- /dev/null
+++ b/docs/mql/resources/arista-pack/arista.eos.md
@@ -0,0 +1,64 @@
+---
+title: arista.eos
+id: arista.eos
+sidebar_label: arista.eos
+displayed_sidebar: MQL
+description: Arista EOS resource
+---
+
+# arista.eos
+
+**Supported platform**
+
+- arista-eos
+
+**Description**
+
+Arista EOS resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------------------------------------------------------------- | ----------------------------------- |
+| systemConfig | map[string]string | EOS system configuration |
+| ipInterfaces | [][arista.eos.ipInterface](arista.eos.ipinterface.md) | IP interfaces |
+| interfaces | [][arista.eos.interface](arista.eos.interface.md) | Details related to interfaces |
+| version | dict | Software and hardware versions |
+| hostname | string | The system hostname |
+| fqdn | string | The systems fqdn |
+| users | [][arista.eos.user](arista.eos.user.md) | Local user configuration |
+| roles | [][arista.eos.role](arista.eos.role.md) | All user-defined and built-in roles |
+| snmp | [arista.eos.snmpSetting](arista.eos.snmpsetting.md) | Details on SNMP operation |
+| ntp | [arista.eos.ntpSetting](arista.eos.ntpsetting.md) | Show NTP status |
+
+**Examples**
+
+Arista EOS Version
+
+```coffee
+arista.eos.version
+```
+
+Verify that Arista EOS Version is 18.x
+
+```coffee
+arista.eos.version['version'] == /18\./
+```
+
+Display EOS interfaces
+
+```coffee
+arista.eos.interfaces { name mtu bandwidth status }
+```
+
+Display all connected EOS interfaces
+
+```coffee
+arista.eos.interfaces.where ( status['linkStatus'] == "connected") { name mtu bandwidth status }
+```
+
+EOS Hostname
+
+```coffee
+arista.eos.hostname
+```
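Review bot: In the "Verify that Arista EOS Version is 18.x" example, the pattern `/18\./` is unanchored, so it also matches any version string that merely contains `18.` (a constructed value such as `4.18.1` would pass); anchor it, for example `/^18\./`, so the check cannot succeed on the wrong major version. In the fields table, "The systems fqdn" should read "The system's FQDN", and `where (` in the connected-interfaces example has a space before the parenthesis that the other examples do not use.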
diff --git a/docs/mql/resources/arista-pack/arista.eos.ntpsetting.md b/docs/mql/resources/arista-pack/arista.eos.ntpsetting.md
new file mode 100644
index 000000000..281eb9ba2
--- /dev/null
+++ b/docs/mql/resources/arista-pack/arista.eos.ntpsetting.md
@@ -0,0 +1,23 @@
+---
+title: arista.eos.ntpSetting
+id: arista.eos.ntpSetting
+sidebar_label: arista.eos.ntpSetting
+displayed_sidebar: MQL
+description: Arista EOS NTP information resource
+---
+
+# arista.eos.ntpSetting
+
+**Supported platform**
+
+- arista-eos
+
+**Description**
+
+Arista EOS NTP information resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ------ | --------------------------- |
+| status | string | Status of NTP on the switch |
diff --git a/docs/mql/resources/arista-pack/arista.eos.role.md b/docs/mql/resources/arista-pack/arista.eos.role.md
new file mode 100644
index 000000000..a9eee8975
--- /dev/null
+++ b/docs/mql/resources/arista-pack/arista.eos.role.md
@@ -0,0 +1,25 @@
+---
+title: arista.eos.role
+id: arista.eos.role
+sidebar_label: arista.eos.role
+displayed_sidebar: MQL
+description: Arista EOS role resource
+---
+
+# arista.eos.role
+
+**Supported platform**
+
+- arista-eos
+
+**Description**
+
+Arista EOS role resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | -------------- | --------------------------------------------------------- |
+| name | string | Name of role |
+| default | bool | Flag for default role |
+| rules | []dict | List of rules that restricts access to specified commands |
diff --git a/docs/mql/resources/arista-pack/arista.eos.runningconfig.md b/docs/mql/resources/arista-pack/arista.eos.runningconfig.md
new file mode 100644
index 000000000..94befa780
--- /dev/null
+++ b/docs/mql/resources/arista-pack/arista.eos.runningconfig.md
@@ -0,0 +1,23 @@
+---
+title: arista.eos.runningConfig
+id: arista.eos.runningConfig
+sidebar_label: arista.eos.runningConfig
+displayed_sidebar: MQL
+description: Arista EOS system’s operating configuration
+---
+
+# arista.eos.runningConfig
+
+**Supported platform**
+
+- arista-eos
+
+**Description**
+
+Arista EOS system’s operating configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ------ | ------------------ |
+| content | string | EOS running-config |
diff --git a/docs/mql/resources/arista-pack/arista.eos.runningconfig.section.md b/docs/mql/resources/arista-pack/arista.eos.runningconfig.section.md
new file mode 100644
index 000000000..6518c03fd
--- /dev/null
+++ b/docs/mql/resources/arista-pack/arista.eos.runningconfig.section.md
@@ -0,0 +1,24 @@
+---
+title: arista.eos.runningConfig.section
+id: arista.eos.runningConfig.section
+sidebar_label: arista.eos.runningConfig.section
+displayed_sidebar: MQL
+description: Arista EOS system’s operating configuration for a specific section
+---
+
+# arista.eos.runningConfig.section
+
+**Supported platform**
+
+- arista-eos
+
+**Description**
+
+Arista EOS system’s operating configuration for a specific section
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ------ | ------------------------------- |
+| name | string | Section name |
+| content | string | Section from EOS running-config |
diff --git a/docs/mql/resources/arista-pack/arista.eos.snmpsetting.md b/docs/mql/resources/arista-pack/arista.eos.snmpsetting.md
new file mode 100644
index 000000000..dbe66ae3d
--- /dev/null
+++ b/docs/mql/resources/arista-pack/arista.eos.snmpsetting.md
@@ -0,0 +1,24 @@
+---
+title: arista.eos.snmpSetting
+id: arista.eos.snmpSetting
+sidebar_label: arista.eos.snmpSetting
+displayed_sidebar: MQL
+description: Arista EOS SNMP information resource
+---
+
+# arista.eos.snmpSetting
+
+**Supported platform**
+
+- arista-eos
+
+**Description**
+
+Arista EOS SNMP information resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | -------------- | -------------------------------- |
+| enabled | bool | SNMP logging status |
+| notifications | []dict | SNMP trap generation information |
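Review bot: In the Fields table, the `enabled` row is described as "SNMP logging status", which leaves it unclear whether the bool reports that SNMP itself is enabled or only that SNMP logging is enabled. Anyone writing a check against `enabled` needs to know which, so the description should state it explicitly.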
diff --git a/docs/mql/resources/arista-pack/arista.eos.spt.mstinterface.md b/docs/mql/resources/arista-pack/arista.eos.spt.mstinterface.md
new file mode 100644
index 000000000..15167db32
--- /dev/null
+++ b/docs/mql/resources/arista-pack/arista.eos.spt.mstinterface.md
@@ -0,0 +1,47 @@
+---
+title: arista.eos.spt.mstInterface
+id: arista.eos.spt.mstInterface
+sidebar_label: arista.eos.spt.mstInterface
+displayed_sidebar: MQL
+description: Multiple Spanning Tree Protocol (MSTP) information for a specified interface
+---
+
+# arista.eos.spt.mstInterface
+
+**Supported platform**
+
+- arista-eos
+
+**Description**
+
+Multiple Spanning Tree Protocol (MSTP) information for a specified interface
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | ------ | ----------------------------------------------------------------------------------------------- |
+| id | string | |
+| mstInstanceId | string | MST instance number |
+| name | string | Name of STP instance |
+| priority | int | Interface priority |
+| linkType | string | Link type |
+| state | string | Interface state |
+| cost | int | Cost value for the interface |
+| role | string | Port role |
+| inconsistentFeatures | dict | Interface inconsistent features |
+| portNumber | int | Port Number |
+| isEdgePort | bool | Flag if it is an edge port |
+| detail | dict | Details about Designated root, Designated bridge and Designated port |
+| boundaryType | string | Interface Boundary Type |
+| counters | dict | Number of BPDU transactions on this interface |
+| features | dict | Interface features: BPDU filter, specifies the BPDU reception rate & link type of the interface |
+
+**Examples**
+
+Verify the Spanning-Tree Version
+
+```coffee
+arista.eos.stp.mstInstances {
+ protocol == "mstp"
+}
+```
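Review bot: The query under **Examples** targets `arista.eos.stp.mstInstances` and tests `protocol`, both of which belong to the `arista.eos.stp` and `arista.eos.stp.mst` pages, so this page has no example that uses any `mstInterface` field. Move the example to the STP page or replace it with one that reads fields from this resource. In the Fields table the `id` row has an empty description. The resource is named `arista.eos.spt.mstInterface` while its parents are `arista.eos.stp` and `arista.eos.stp.mst`; if `spt` is the real resource name, a short note would stop readers from treating it as a typo.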
diff --git a/docs/mql/resources/arista-pack/arista.eos.stp.md b/docs/mql/resources/arista-pack/arista.eos.stp.md
new file mode 100644
index 000000000..a9f65e52a
--- /dev/null
+++ b/docs/mql/resources/arista-pack/arista.eos.stp.md
@@ -0,0 +1,23 @@
+---
+title: arista.eos.stp
+id: arista.eos.stp
+sidebar_label: arista.eos.stp
+displayed_sidebar: MQL
+description: Arista Spanning Tree Protocol (STP) resource
+---
+
+# arista.eos.stp
+
+**Supported platform**
+
+- arista-eos
+
+**Description**
+
+Arista Spanning Tree Protocol (STP) resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ----------------------------------------------------- | ----------------------------------------------- |
+| mstInstances | [][arista.eos.stp.mst](arista.eos.stp.mst.md) | Multiple Spanning Tree Protocol (MST) instances |
diff --git a/docs/mql/resources/arista-pack/arista.eos.stp.mst.md b/docs/mql/resources/arista-pack/arista.eos.stp.mst.md
new file mode 100644
index 000000000..8b2f67c54
--- /dev/null
+++ b/docs/mql/resources/arista-pack/arista.eos.stp.mst.md
@@ -0,0 +1,29 @@
+---
+title: arista.eos.stp.mst
+id: arista.eos.stp.mst
+sidebar_label: arista.eos.stp.mst
+displayed_sidebar: MQL
+description: Arista Multiple Spanning Tree Protocol (MSTP) resource instance
+---
+
+# arista.eos.stp.mst
+
+**Supported platform**
+
+- arista-eos
+
+**Description**
+
+Arista Multiple Spanning Tree Protocol (MSTP) resource instance
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | ----------------------------------------------------------------------- | ---------------------------------------------------------- |
+| instanceId | string | MST instance number |
+| name | string | MST instance name |
+| protocol | string | SPT protocol |
+| bridge | dict | Detailed bridge information (Forward Delay, MAC, Priority) |
+| rootBridge | dict | Root bridge information |
+| regionalRootBridge | dict | Regional root bridge information |
+| interfaces | [][arista.eos.spt.mstInterface](arista.eos.spt.mstinterface.md) | interfaces on the specified MST instances |
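Review bot: In the Fields table, the `protocol` row is described as "SPT protocol", while the title and description of this page use STP and MSTP; it should read "STP protocol" and would be more useful if it listed the values a check can compare against (the example on the mstInterface page compares it to "mstp"). The `interfaces` description starts with a lowercase letter, unlike every other row.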
diff --git a/docs/mql/resources/arista-pack/arista.eos.user.md b/docs/mql/resources/arista-pack/arista.eos.user.md
new file mode 100644
index 000000000..4fd3f4419
--- /dev/null
+++ b/docs/mql/resources/arista-pack/arista.eos.user.md
@@ -0,0 +1,29 @@
+---
+title: arista.eos.user
+id: arista.eos.user
+sidebar_label: arista.eos.user
+displayed_sidebar: MQL
+description: User on the local Arista EOS system
+---
+
+# arista.eos.user
+
+**Supported platform**
+
+- arista-eos
+
+**Description**
+
+User on the local Arista EOS system
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | ---------------------------------------------------------------- |
+| name | string | The name of the user |
+| privilege | string | Indicates if the user is able to authenticate without a password |
+| role | string | User's assigned role |
+| nopassword | string | If the user is not password protected |
+| format | string | Specifies how the secret is encoded |
+| secret | string | The secret (password) assigned to this user |
+| sshkey | string | User's sshkey |
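Review bot: In the Fields table, the `privilege` row is described as "Indicates if the user is able to authenticate without a password", which is the meaning of `nopassword` two rows below and says nothing about a privilege level; it looks copied and needs its own description. `nopassword` is typed `string` although its description reads as a yes/no flag, so the page should say which string values it returns. Because `secret` returns the stored credential, its description should state whether the value is in the encoded form that `format` names, so that readers know what a query result will expose.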
diff --git a/docs/mql/resources/atlassian-pack/README.md b/docs/mql/resources/atlassian-pack/README.md
new file mode 100644
index 000000000..b7c3535f9
--- /dev/null
+++ b/docs/mql/resources/atlassian-pack/README.md
@@ -0,0 +1,31 @@
+---
+title: Atlassian Resource Pack - MQL Resources
+id: atlassian.pack
+sidebar_label: Atlassian Resource Pack
+displayed_sidebar: MQL
+description: The Atlassian resource pack lets you use MQL to query and assess the security of your Atlassian services.
+---
+
+# Mondoo Atlassian Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| --------------------------------------------------------------------------------------- | ----------------------------------------- |
+| [atlassian.admin.organization](atlassian.admin.organization.md) | Organization |
+| [atlassian.admin.organization.domain](atlassian.admin.organization.domain.md) | Domains |
+| [atlassian.admin.organization.managedUser](atlassian.admin.organization.manageduser.md) | Managed users |
+| [atlassian.admin.organization.policy](atlassian.admin.organization.policy.md) | Policies (except authentication policies) |
+| [atlassian.confluence](atlassian.confluence.md) | Confluence |
+| [atlassian.confluence.user](atlassian.confluence.user.md) | Confluence user |
+| [atlassian.jira](atlassian.jira.md) | Jira |
+| [atlassian.jira.applicationRole](atlassian.jira.applicationrole.md) | Jira application role |
+| [atlassian.jira.group](atlassian.jira.group.md) | Jira group |
+| [atlassian.jira.issue](atlassian.jira.issue.md) | Issue |
+| [atlassian.jira.project](atlassian.jira.project.md) | Jira project |
+| [atlassian.jira.project.property](atlassian.jira.project.property.md) | Jira project property |
+| [atlassian.jira.serverInfo](atlassian.jira.serverinfo.md) | Jira server info |
+| [atlassian.jira.user](atlassian.jira.user.md) | Jira user |
+| [atlassian.scim](atlassian.scim.md) | Cross-domain Identity Management (SCIM) |
+| [atlassian.scim.group](atlassian.scim.group.md) | SCIM group |
+| [atlassian.scim.user](atlassian.scim.user.md) | SCIM user |
diff --git a/docs/mql/resources/atlassian-pack/atlassian.admin.organization.domain.md b/docs/mql/resources/atlassian-pack/atlassian.admin.organization.domain.md
new file mode 100644
index 000000000..cc424528a
--- /dev/null
+++ b/docs/mql/resources/atlassian-pack/atlassian.admin.organization.domain.md
@@ -0,0 +1,21 @@
+---
+title: atlassian.admin.organization.domain
+id: atlassian.admin.organization.domain
+sidebar_label: atlassian.admin.organization.domain
+displayed_sidebar: MQL
+description: Domains
+---
+
+# atlassian.admin.organization.domain
+
+**Description**
+
+Domains
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | ------ | ----------- |
+| id | string | Domain ID |
+| name | string | Name |
+| type | string | Type |
diff --git a/docs/mql/resources/atlassian-pack/atlassian.admin.organization.manageduser.md b/docs/mql/resources/atlassian-pack/atlassian.admin.organization.manageduser.md
new file mode 100644
index 000000000..7ca0a56e7
--- /dev/null
+++ b/docs/mql/resources/atlassian-pack/atlassian.admin.organization.manageduser.md
@@ -0,0 +1,25 @@
+---
+title: atlassian.admin.organization.managedUser
+id: atlassian.admin.organization.managedUser
+sidebar_label: atlassian.admin.organization.managedUser
+displayed_sidebar: MQL
+description: Managed users
+---
+
+# atlassian.admin.organization.managedUser
+
+**Description**
+
+Managed users
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | -------------- | -------------- |
+| id | string | ID |
+| name | string | Name |
+| type | string | Type |
+| email | string | Email |
+| status | string | Status |
+| lastActive | time | Last active |
+| productAccess | []dict | Product access |
diff --git a/docs/mql/resources/atlassian-pack/atlassian.admin.organization.md b/docs/mql/resources/atlassian-pack/atlassian.admin.organization.md
new file mode 100644
index 000000000..9ef8a92db
--- /dev/null
+++ b/docs/mql/resources/atlassian-pack/atlassian.admin.organization.md
@@ -0,0 +1,24 @@
+---
+title: atlassian.admin.organization
+id: atlassian.admin.organization
+sidebar_label: atlassian.admin.organization
+displayed_sidebar: MQL
+description: Organization
+---
+
+# atlassian.admin.organization
+
+**Description**
+
+Organization
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------------------------------------------------------------------------------------------------- | ----------------- |
+| id | string | Organization ID |
+| name | string | Name |
+| type | string | Organization type |
+| policies | [][atlassian.admin.organization.policy](atlassian.admin.organization.policy.md) | Policies |
+| domains | [][atlassian.admin.organization.domain](atlassian.admin.organization.domain.md) | Domains |
+| managedUsers | [][atlassian.admin.organization.managedUser](atlassian.admin.organization.manageduser.md) | Managed users |
diff --git a/docs/mql/resources/atlassian-pack/atlassian.admin.organization.policy.md b/docs/mql/resources/atlassian-pack/atlassian.admin.organization.policy.md
new file mode 100644
index 000000000..4a98f4f1a
--- /dev/null
+++ b/docs/mql/resources/atlassian-pack/atlassian.admin.organization.policy.md
@@ -0,0 +1,23 @@
+---
+title: atlassian.admin.organization.policy
+id: atlassian.admin.organization.policy
+sidebar_label: atlassian.admin.organization.policy
+displayed_sidebar: MQL
+description: Policies (except authentication policies)
+---
+
+# atlassian.admin.organization.policy
+
+**Description**
+
+Policies (except authentication policies)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | ----------------------------- |
+| id | string | Policy ID |
+| type | string | Object type (always "policy") |
+| name | string | Policy name |
+| policyType | string | Type of policy |
+| status | string | Status |
diff --git a/docs/mql/resources/atlassian-pack/atlassian.confluence.md b/docs/mql/resources/atlassian-pack/atlassian.confluence.md
new file mode 100644
index 000000000..b1fca5df7
--- /dev/null
+++ b/docs/mql/resources/atlassian-pack/atlassian.confluence.md
@@ -0,0 +1,19 @@
+---
+title: atlassian.confluence
+id: atlassian.confluence
+sidebar_label: atlassian.confluence
+displayed_sidebar: MQL
+description: Confluence
+---
+
+# atlassian.confluence
+
+**Description**
+
+Confluence
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----- | ------------------------------------------------------------------- | ---------------- |
+| users | [][atlassian.confluence.user](atlassian.confluence.user.md) | Confluence users |
diff --git a/docs/mql/resources/atlassian-pack/atlassian.confluence.user.md b/docs/mql/resources/atlassian-pack/atlassian.confluence.user.md
new file mode 100644
index 000000000..f7e0721e4
--- /dev/null
+++ b/docs/mql/resources/atlassian-pack/atlassian.confluence.user.md
@@ -0,0 +1,21 @@
+---
+title: atlassian.confluence.user
+id: atlassian.confluence.user
+sidebar_label: atlassian.confluence.user
+displayed_sidebar: MQL
+description: Confluence user
+---
+
+# atlassian.confluence.user
+
+**Description**
+
+Confluence user
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | ------ | ------------ |
+| id | string | Account ID |
+| name | string | Account name |
+| type | string | Account type |
diff --git a/docs/mql/resources/atlassian-pack/atlassian.jira.applicationrole.md b/docs/mql/resources/atlassian-pack/atlassian.jira.applicationrole.md
new file mode 100644
index 000000000..a9bb29709
--- /dev/null
+++ b/docs/mql/resources/atlassian-pack/atlassian.jira.applicationrole.md
@@ -0,0 +1,20 @@
+---
+title: atlassian.jira.applicationRole
+id: atlassian.jira.applicationRole
+sidebar_label: atlassian.jira.applicationRole
+displayed_sidebar: MQL
+description: Jira application role
+---
+
+# atlassian.jira.applicationRole
+
+**Description**
+
+Jira application role
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | ------ | ----------- |
+| id | string | Role ID |
+| name | string | Role name |
diff --git a/docs/mql/resources/atlassian-pack/atlassian.jira.group.md b/docs/mql/resources/atlassian-pack/atlassian.jira.group.md
new file mode 100644
index 000000000..fe67a3189
--- /dev/null
+++ b/docs/mql/resources/atlassian-pack/atlassian.jira.group.md
@@ -0,0 +1,20 @@
+---
+title: atlassian.jira.group
+id: atlassian.jira.group
+sidebar_label: atlassian.jira.group
+displayed_sidebar: MQL
+description: Jira group
+---
+
+# atlassian.jira.group
+
+**Description**
+
+Jira group
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | ------ | ----------- |
+| id | string | Group ID |
+| name | string | Group name |
diff --git a/docs/mql/resources/atlassian-pack/atlassian.jira.issue.md b/docs/mql/resources/atlassian-pack/atlassian.jira.issue.md
new file mode 100644
index 000000000..55780029a
--- /dev/null
+++ b/docs/mql/resources/atlassian-pack/atlassian.jira.issue.md
@@ -0,0 +1,22 @@
+---
+title: atlassian.jira.issue
+id: atlassian.jira.issue
+sidebar_label: atlassian.jira.issue
+displayed_sidebar: MQL
+description: Issue
+---
+
+# atlassian.jira.issue
+
+**Description**
+
+Issue
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | ----------- |
+| id | string | Issue ID |
+| project | string | Project |
+| status | string | Status |
+| description | string | Description |
diff --git a/docs/mql/resources/atlassian-pack/atlassian.jira.md b/docs/mql/resources/atlassian-pack/atlassian.jira.md
new file mode 100644
index 000000000..cac765edd
--- /dev/null
+++ b/docs/mql/resources/atlassian-pack/atlassian.jira.md
@@ -0,0 +1,23 @@
+---
+title: atlassian.jira
+id: atlassian.jira
+sidebar_label: atlassian.jira
+displayed_sidebar: MQL
+description: Jira
+---
+
+# atlassian.jira
+
+**Description**
+
+Jira
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------------------------------------------------------------- | ---------------- |
+| users | [][atlassian.jira.user](atlassian.jira.user.md) | Jira users |
+| projects | [][atlassian.jira.project](atlassian.jira.project.md) | Jira projects |
+| issues | [][atlassian.jira.issue](atlassian.jira.issue.md) | Jira groups |
+| groups | [][atlassian.jira.group](atlassian.jira.group.md) | Jira groups |
+| serverInfos | [atlassian.jira.serverInfo](atlassian.jira.serverinfo.md) | Jira server info |
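Review bot: In the Fields table, the `issues` row is described as "Jira groups", a duplicate of the `groups` row below it; it should read "Jira issues". The `serverInfos` field has a plural name but is typed as a single `atlassian.jira.serverInfo` with no `[]` prefix, so please confirm whether it returns one object or a list and make the type and description agree.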
diff --git a/docs/mql/resources/atlassian-pack/atlassian.jira.project.md b/docs/mql/resources/atlassian-pack/atlassian.jira.project.md
new file mode 100644
index 000000000..2d1f27fd1
--- /dev/null
+++ b/docs/mql/resources/atlassian-pack/atlassian.jira.project.md
@@ -0,0 +1,28 @@
+---
+title: atlassian.jira.project
+id: atlassian.jira.project
+sidebar_label: atlassian.jira.project
+displayed_sidebar: MQL
+description: Jira project
+---
+
+# atlassian.jira.project
+
+**Description**
+
+Jira project
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------------------------------------------------------------------------------- | ----------------------------------- |
+| id | string | Project ID |
+| name | string | Project name |
+| uuid | string | UUID |
+| key | string | Key |
+| url | string | URL |
+| email | string | Email |
+| private | bool | Whether the group is private |
+| deleted | bool | Whether the group has been deleted |
+| archived | bool | Whether the group has been archived |
+| properties | [][atlassian.jira.project.property](atlassian.jira.project.property.md) | Properties |
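Review bot: In the Fields table, the `private`, `deleted` and `archived` rows all say "Whether the group ...", but this page documents a Jira project. The three descriptions should say "project", otherwise a reader writing a check on `archived` or `deleted` cannot tell which object the flag refers to.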
diff --git a/docs/mql/resources/atlassian-pack/atlassian.jira.project.property.md b/docs/mql/resources/atlassian-pack/atlassian.jira.project.property.md
new file mode 100644
index 000000000..2790359e2
--- /dev/null
+++ b/docs/mql/resources/atlassian-pack/atlassian.jira.project.property.md
@@ -0,0 +1,19 @@
+---
+title: atlassian.jira.project.property
+id: atlassian.jira.project.property
+sidebar_label: atlassian.jira.project.property
+displayed_sidebar: MQL
+description: Jira project property
+---
+
+# atlassian.jira.project.property
+
+**Description**
+
+Jira project property
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --- | ------ | ------------ |
+| id | string | Property key |
diff --git a/docs/mql/resources/atlassian-pack/atlassian.jira.serverinfo.md b/docs/mql/resources/atlassian-pack/atlassian.jira.serverinfo.md
new file mode 100644
index 000000000..a8d65975d
--- /dev/null
+++ b/docs/mql/resources/atlassian-pack/atlassian.jira.serverinfo.md
@@ -0,0 +1,22 @@
+---
+title: atlassian.jira.serverInfo
+id: atlassian.jira.serverInfo
+sidebar_label: atlassian.jira.serverInfo
+displayed_sidebar: MQL
+description: Jira server info
+---
+
+# atlassian.jira.serverInfo
+
+**Description**
+
+Jira server info
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ------ | --------------- |
+| baseUrl | string | BaseUrl |
+| buildNumber | int | Build number |
+| serverTitle | string | Server title |
+| deploymentType | string | Deployment type |
diff --git a/docs/mql/resources/atlassian-pack/atlassian.jira.user.md b/docs/mql/resources/atlassian-pack/atlassian.jira.user.md
new file mode 100644
index 000000000..058793647
--- /dev/null
+++ b/docs/mql/resources/atlassian-pack/atlassian.jira.user.md
@@ -0,0 +1,24 @@
+---
+title: atlassian.jira.user
+id: atlassian.jira.user
+sidebar_label: atlassian.jira.user
+displayed_sidebar: MQL
+description: Jira user
+---
+
+# atlassian.jira.user
+
+**Description**
+
+Jira user
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ----------------------------------------------------------------------------- | ------------------- |
+| id | string | Account ID |
+| name | string | Name |
+| type | string | Account type |
+| picture | string | Picture of the user |
+| groups | [][atlassian.jira.group](atlassian.jira.group.md) | Groups |
+| applicationRoles | [][atlassian.jira.applicationRole](atlassian.jira.applicationrole.md) | Roles |
diff --git a/docs/mql/resources/atlassian-pack/atlassian.scim.group.md b/docs/mql/resources/atlassian-pack/atlassian.scim.group.md
new file mode 100644
index 000000000..6b098c5cb
--- /dev/null
+++ b/docs/mql/resources/atlassian-pack/atlassian.scim.group.md
@@ -0,0 +1,20 @@
+---
+title: atlassian.scim.group
+id: atlassian.scim.group
+sidebar_label: atlassian.scim.group
+displayed_sidebar: MQL
+description: SCIM group
+---
+
+# atlassian.scim.group
+
+**Description**
+
+SCIM group
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | ------ | ----------- |
+| id | string | Group ID |
+| name | string | Group name |
diff --git a/docs/mql/resources/atlassian-pack/atlassian.scim.md b/docs/mql/resources/atlassian-pack/atlassian.scim.md
new file mode 100644
index 000000000..41226c5cf
--- /dev/null
+++ b/docs/mql/resources/atlassian-pack/atlassian.scim.md
@@ -0,0 +1,20 @@
+---
+title: atlassian.scim
+id: atlassian.scim
+sidebar_label: atlassian.scim
+displayed_sidebar: MQL
+description: Cross-domain Identity Management (SCIM)
+---
+
+# atlassian.scim
+
+**Description**
+
+Cross-domain Identity Management (SCIM)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | --------------------------------------------------------- | ----------- |
+| users | [][atlassian.scim.user](atlassian.scim.user.md) | SCIM users |
+| groups | [][atlassian.scim.group](atlassian.scim.group.md) | SCIM groups |
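Review bot: The `description` front matter and the **Description** section give "Cross-domain Identity Management (SCIM)", which drops the first two words of the expansion; SCIM stands for System for Cross-domain Identity Management. The same shortened string appears in the `atlassian.scim` row of the pack README, so both should be fixed together.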
diff --git a/docs/mql/resources/atlassian-pack/atlassian.scim.user.md b/docs/mql/resources/atlassian-pack/atlassian.scim.user.md
new file mode 100644
index 000000000..22f593d89
--- /dev/null
+++ b/docs/mql/resources/atlassian-pack/atlassian.scim.user.md
@@ -0,0 +1,23 @@
+---
+title: atlassian.scim.user
+id: atlassian.scim.user
+sidebar_label: atlassian.scim.user
+displayed_sidebar: MQL
+description: SCIM user
+---
+
+# atlassian.scim.user
+
+**Description**
+
+SCIM user
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------ | -------------------------------- |
+| id | string | User ID |
+| name | string | User name |
+| displayName | string | User's display name |
+| organization | string | Organization the user belongs to |
+| title | string | User's title |
diff --git a/docs/mql/resources/aws-pack/README.md b/docs/mql/resources/aws-pack/README.md
new file mode 100644
index 000000000..fb5b1da4c
--- /dev/null
+++ b/docs/mql/resources/aws-pack/README.md
@@ -0,0 +1,169 @@
+---
+title: Amazon Web Services (AWS) Resource Pack - MQL Resources
+id: amazon.web.services.aws.pack
+sidebar_label: Amazon Web Services (AWS) Resource Pack
+displayed_sidebar: MQL
+description: The Amazon Web Services (AWS) resource pack lets you use MQL to query and assess the security of your AWS cloud services.
+---
+
+# Mondoo Amazon Web Services (AWS) Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| ------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
+| [aws](aws.md) | AWS resource |
+| [aws.accessAnalyzer](aws.accessanalyzer.md) | AWS IAM Access Analyzer resource (for assessing the configuration of AWS IAM Access Analyzer) |
+| [aws.accessanalyzer.analyzer](aws.accessanalyzer.analyzer.md) | AWS IAM Access Analyzer resource (provides an object representing an individual AWS IAM Access Analyzer configuration) |
+| [aws.account](aws.account.md) | AWS Account |
+| [aws.acm](aws.acm.md) | AWS Certificate Manager resource (for assessing the configuration of AWS Certificate Manager) |
+| [aws.acm.certificate](aws.acm.certificate.md) | AWS Certificate Manager Certificate resource (provides an object representing an individual ACM certificate) |
+| [aws.apigateway](aws.apigateway.md) | Amazon API Gateway |
+| [aws.apigateway.restapi](aws.apigateway.restapi.md) | Amazon API Gateway REST API |
+| [aws.apigateway.stage](aws.apigateway.stage.md) | Amazon API Gateway REST API stages |
+| [aws.applicationAutoscaling](aws.applicationautoscaling.md) | AWS Application Auto Scaling |
+| [aws.applicationautoscaling.target](aws.applicationautoscaling.target.md) | AWS Application Auto Scaling target |
+| [aws.autoscaling](aws.autoscaling.md) | AWS Auto Scaling |
+| [aws.autoscaling.group](aws.autoscaling.group.md) | AWS Auto Scaling group |
+| [aws.backup](aws.backup.md) | AWS Backup |
+| [aws.backup.vault](aws.backup.vault.md) | AWS Backup vault |
+| [aws.backup.vaultRecoveryPoint](aws.backup.vaultrecoverypoint.md) | AWS Backup vault recovery point |
+| [aws.cloudfront](aws.cloudfront.md) | Amazon CloudFront |
+| [aws.cloudfront.distribution](aws.cloudfront.distribution.md) | Amazon CloudFront distribution |
+| [aws.cloudfront.distribution.origin](aws.cloudfront.distribution.origin.md) | Amazon CloudFront distribution origin |
+| [aws.cloudfront.function](aws.cloudfront.function.md) | Amazon CloudFront function |
+| [aws.cloudtrail](aws.cloudtrail.md) | AWS CloudTrail |
+| [aws.cloudtrail.trail](aws.cloudtrail.trail.md) | AWS CloudTrail trail |
+| [aws.cloudwatch](aws.cloudwatch.md) | Amazon CloudWatch |
+| [aws.cloudwatch.loggroup](aws.cloudwatch.loggroup.md) | Amazon CloudWatch log group |
+| [aws.cloudwatch.loggroup.metricsfilter](aws.cloudwatch.loggroup.metricsfilter.md) | Amazon CloudWatch log group metrics filter |
+| [aws.cloudwatch.metric](aws.cloudwatch.metric.md) | Amazon CloudWatch metric |
+| [aws.cloudwatch.metric.datapoint](aws.cloudwatch.metric.datapoint.md) | Amazon CloudWatch metric datapoint |
+| [aws.cloudwatch.metricdimension](aws.cloudwatch.metricdimension.md) | Amazon CloudWatch metric dimension |
+| [aws.cloudwatch.metricsalarm](aws.cloudwatch.metricsalarm.md) | Amazon CloudWatch metrics alarm |
+| [aws.cloudwatch.metricstatistics](aws.cloudwatch.metricstatistics.md) | Amazon CloudWatch metric statistics |
+| [aws.codebuild](aws.codebuild.md) | AWS CodeBuild for building and testing code |
+| [aws.codebuild.project](aws.codebuild.project.md) | AWS CodeBuild project |
+| [aws.config](aws.config.md) | AWS config |
+| [aws.config.recorder](aws.config.recorder.md) | AWS config recorder |
+| [aws.config.rule](aws.config.rule.md) | AWS config rule |
+| [aws.dms](aws.dms.md) | AWS Database Migration Service (DMS) |
+| [aws.dynamodb](aws.dynamodb.md) | Amazon DynamoDB |
+| [aws.dynamodb.globaltable](aws.dynamodb.globaltable.md) | Amazon DynamoDB global table |
+| [aws.dynamodb.limit](aws.dynamodb.limit.md) | Amazon DynamoDB limits |
+| [aws.dynamodb.table](aws.dynamodb.table.md) | Amazon DynamoDB table |
+| [aws.ec2](aws.ec2.md) | Amazon EC2 |
+| [aws.ec2.image](aws.ec2.image.md) | Amazon EC2 image (AMI) |
+| [aws.ec2.instance](aws.ec2.instance.md) | Amazon EC2 instance |
+| [aws.ec2.instance.device](aws.ec2.instance.device.md) | Amazon EC2 instance device |
+| [aws.ec2.internetgateway](aws.ec2.internetgateway.md) | Amazon EC2 internet gateway |
+| [aws.ec2.keypair](aws.ec2.keypair.md) | Amazon EC2 key pair |
+| [aws.ec2.networkacl](aws.ec2.networkacl.md) | Amazon EC2 network ACL |
+| [aws.ec2.networkacl.entry](aws.ec2.networkacl.entry.md) | Amazon EC2 network ACL entry |
+| [aws.ec2.networkacl.entry.portrange](aws.ec2.networkacl.entry.portrange.md) | Amazon EC2 network ACL entry port range |
+| [aws.ec2.securitygroup](aws.ec2.securitygroup.md) | Amazon EC2 security group |
+| [aws.ec2.securitygroup.ippermission](aws.ec2.securitygroup.ippermission.md) | Amazon EC2 security group IP permission |
+| [aws.ec2.snapshot](aws.ec2.snapshot.md) | Amazon EC2 (EBS) snapshot |
+| [aws.ec2.vgwtelemetry](aws.ec2.vgwtelemetry.md) | Amazon EC2 VPN tunnel telemetry |
+| [aws.ec2.volume](aws.ec2.volume.md) | Amazon EC2 (EBS) volume |
+| [aws.ec2.vpnconnection](aws.ec2.vpnconnection.md) | Amazon EC2 VPN connection |
+| [aws.ecr](aws.ecr.md) | AWS Elastic Container Registry (ECR) |
+| [aws.ecr.image](aws.ecr.image.md) | AWS Elastic Container Registry image |
+| [aws.ecr.repository](aws.ecr.repository.md) | AWS Elastic Container Registry repository |
+| [aws.ecs](aws.ecs.md) | Amazon Elastic Container Service (ECS) |
+| [aws.ecs.cluster](aws.ecs.cluster.md) | Amazon ECS cluster |
+| [aws.ecs.container](aws.ecs.container.md) | Amazon ECS container |
+| [aws.ecs.instance](aws.ecs.instance.md) | AWS ECS container instance |
+| [aws.ecs.task](aws.ecs.task.md) | Amazon ECS task |
+| [aws.efs](aws.efs.md) | AWS Elastic File System (EFS) service |
+| [aws.efs.filesystem](aws.efs.filesystem.md) | AWS Elastic File System (EFS) file system |
+| [aws.eks](aws.eks.md) | Amazon Elastic Kubernetes Service (EKS) |
+| [aws.eks.cluster](aws.eks.cluster.md) | Amazon EKS cluster |
+| [aws.elasticache](aws.elasticache.md) | Amazon ElastiCache |
+| [aws.elasticache.cluster](aws.elasticache.cluster.md) | Amazon ElastiCache cluster |
+| [aws.elb](aws.elb.md) | AWS Elastic Load Balancing |
+| [aws.elb.loadbalancer](aws.elb.loadbalancer.md) | AWS Elastic Load Balancing load balancer |
+| [aws.emr](aws.emr.md) | Amazon EMR |
+| [aws.emr.cluster](aws.emr.cluster.md) | Amazon EMR cluster |
+| [aws.es](aws.es.md) | AWS Elasticsearch service |
+| [aws.es.domain](aws.es.domain.md) | Amazon Elasticsearch service domain |
+| [aws.guardduty](aws.guardduty.md) | Amazon GuardDuty for threat detection |
+| [aws.guardduty.detector](aws.guardduty.detector.md) | Amazon GuardDuty detector |
+| [aws.iam](aws.iam.md) | AWS service to create and manage permissions for users and groups |
+| [aws.iam.group](aws.iam.group.md) | AWS IAM group |
+| [aws.iam.loginProfile](aws.iam.loginprofile.md) | AWS IAM login profile for a user |
+| [aws.iam.policy](aws.iam.policy.md) | AWS IAM policy |
+| [aws.iam.policyversion](aws.iam.policyversion.md) | AWS IAM policy version |
+| [aws.iam.role](aws.iam.role.md) | AWS IAM role |
+| [aws.iam.user](aws.iam.user.md) | AWS IAM user |
+| [aws.iam.usercredentialreportentry](aws.iam.usercredentialreportentry.md) | Entry in AWS IAM credential report |
+| [aws.iam.virtualmfadevice](aws.iam.virtualmfadevice.md) | AWS IAM virtual MFA device |
+| [aws.kms](aws.kms.md) | AWS Key Management Service (KMS) |
+| [aws.kms.key](aws.kms.key.md) | AWS Key Management Service (KMS) key |
+| [aws.lambda](aws.lambda.md) | AWS Lambda |
+| [aws.lambda.function](aws.lambda.function.md) | AWS Lambda function |
+| [aws.organization](aws.organization.md) | AWS Organization resource |
+| [aws.rds](aws.rds.md) | Amazon Relational Database Service (RDS) |
+| [aws.rds.dbcluster](aws.rds.dbcluster.md) | Amazon RDS database cluster |
+| [aws.rds.dbinstance](aws.rds.dbinstance.md) | Amazon RDS database instance |
+| [aws.rds.snapshot](aws.rds.snapshot.md) | Amazon RDS snapshot |
+| [aws.redshift](aws.redshift.md) | Amazon Redshift |
+| [aws.redshift.cluster](aws.redshift.cluster.md) | Amazon Redshift cluster |
+| [aws.s3](aws.s3.md) | Amazon S3 cloud object storage |
+| [aws.s3.bucket](aws.s3.bucket.md) | Amazon S3 bucket |
+| [aws.s3.bucket.corsrule](aws.s3.bucket.corsrule.md) | Amazon S3 bucket CORS rule |
+| [aws.s3.bucket.grant](aws.s3.bucket.grant.md) | Amazon S3 bucket grant |
+| [aws.s3.bucket.policy](aws.s3.bucket.policy.md) | Amazon S3 bucket policy |
+| [aws.s3control](aws.s3control.md) | Amazon S3 bucket control |
+| [aws.sagemaker](aws.sagemaker.md) | AWS SageMaker |
+| [aws.sagemaker.endpoint](aws.sagemaker.endpoint.md) | AWS SageMaker endpoint |
+| [aws.sagemaker.notebookinstance](aws.sagemaker.notebookinstance.md) | AWS SageMaker notebook instance |
+| [aws.sagemaker.notebookinstance.details](aws.sagemaker.notebookinstance.details.md) | AWS SageMaker notebook instance details |
+| [aws.secretsmanager](aws.secretsmanager.md) | AWS Secrets Manager |
+| [aws.secretsmanager.secret](aws.secretsmanager.secret.md) | AWS Secrets Manager secret |
+| [aws.securityhub](aws.securityhub.md) | AWS Security Hub |
+| [aws.securityhub.hub](aws.securityhub.hub.md) | AWS Security Hub hub |
+| [aws.sns](aws.sns.md) | AWS Simple Notification Service (SNS) |
+| [aws.sns.subscription](aws.sns.subscription.md) | AWS Simple Notification Service (SNS) subscription |
+| [aws.sns.topic](aws.sns.topic.md) | AWS Simple Notification Service (SNS) topic |
+| [aws.ssm](aws.ssm.md) | Amazon Systems Manager |
+| [aws.ssm.instance](aws.ssm.instance.md) | Amazon SSM instance |
+| [aws.vpc](aws.vpc.md) | Amazon Virtual Private Cloud (VPC) |
+| [aws.vpc.endpoint](aws.vpc.endpoint.md) | Amazon Virtual Private Cloud (VPC) endpoint |
+| [aws.vpc.flowlog](aws.vpc.flowlog.md) | Amazon Virtual Private Cloud (VPC) flow log |
+| [aws.vpc.routetable](aws.vpc.routetable.md) | Amazon Virtual Private Cloud (VPC) route table |
+| [aws.vpc.subnet](aws.vpc.subnet.md) | Amazon Virtual Private Cloud (VPC) subnet |
+| [aws.waf](aws.waf.md) | Amazon WAF v2 |
+| [aws.waf.acl](aws.waf.acl.md) | Amazon WAF v2 ACL |
+| [aws.waf.ipset](aws.waf.ipset.md) | Amazon WAF IP set (defining IP Ranges) |
+| [aws.waf.rule](aws.waf.rule.md) | Amazon WAF rule |
+| [aws.waf.rule.action](aws.waf.rule.action.md) | Action that happens if a rule statement matches |
+| [aws.waf.rule.fieldtomatch](aws.waf.rule.fieldtomatch.md) | Field to match |
+| [aws.waf.rule.fieldtomatch.body](aws.waf.rule.fieldtomatch.body.md) | Body of the field to match |
+| [aws.waf.rule.fieldtomatch.cookie](aws.waf.rule.fieldtomatch.cookie.md) | Cookie of the field to match |
+| [aws.waf.rule.fieldtomatch.headerorder](aws.waf.rule.fieldtomatch.headerorder.md) | Order of headers of the field to match |
+| [aws.waf.rule.fieldtomatch.headers](aws.waf.rule.fieldtomatch.headers.md) | Headers |
+| [aws.waf.rule.fieldtomatch.headers.matchpattern](aws.waf.rule.fieldtomatch.headers.matchpattern.md) | The pattern to match |
+| [aws.waf.rule.fieldtomatch.ja3fingerprint](aws.waf.rule.fieldtomatch.ja3fingerprint.md) | JA3 fingerprint |
+| [aws.waf.rule.fieldtomatch.jsonbody](aws.waf.rule.fieldtomatch.jsonbody.md) | Request body as JSON |
+| [aws.waf.rule.fieldtomatch.jsonbody.matchpattern](aws.waf.rule.fieldtomatch.jsonbody.matchpattern.md) | The pattern to match |
+| [aws.waf.rule.fieldtomatch.singleheader](aws.waf.rule.fieldtomatch.singleheader.md) | Single header of the field to match |
+| [aws.waf.rule.fieldtomatch.singlequeryargument](aws.waf.rule.fieldtomatch.singlequeryargument.md) | Single query argument |
+| [aws.waf.rule.statement](aws.waf.rule.statement.md) | |
+| [aws.waf.rule.statement.andstatement](aws.waf.rule.statement.andstatement.md) | Rule statement that matches if all of the rule statements inside it match |
+| [aws.waf.rule.statement.bytematchstatement](aws.waf.rule.statement.bytematchstatement.md) | Rule statement that matches a specified sequence of bytes |
+| [aws.waf.rule.statement.geomatchstatement](aws.waf.rule.statement.geomatchstatement.md) | Rule statement that checks for requests from certain countries |
+| [aws.waf.rule.statement.ipsetreferencestatement](aws.waf.rule.statement.ipsetreferencestatement.md) | Rule statement that checks for requests from IP addresses defined in an IPSet |
+| [aws.waf.rule.statement.ipsetreferencestatement.ipsetforwardedipconfig](aws.waf.rule.statement.ipsetreferencestatement.ipsetforwardedipconfig.md) | |
+| [aws.waf.rule.statement.labelmatchstatement](aws.waf.rule.statement.labelmatchstatement.md) | |
+| [aws.waf.rule.statement.managedrulegroupstatement](aws.waf.rule.statement.managedrulegroupstatement.md) | Rule statement that is managed by AWS |
+| [aws.waf.rule.statement.notstatement](aws.waf.rule.statement.notstatement.md) | Rule statement that negates another rule statement |
+| [aws.waf.rule.statement.orstatement](aws.waf.rule.statement.orstatement.md) | Rule statement that matches if one of the rule statements inside it matches |
+| [aws.waf.rule.statement.ratebasedstatement](aws.waf.rule.statement.ratebasedstatement.md) | Rule statement that matches at a certain rate of requests (rate limiting) |
+| [aws.waf.rule.statement.regexmatchstatement](aws.waf.rule.statement.regexmatchstatement.md) | Rule statement that matches a specified regex pattern |
+| [aws.waf.rule.statement.regexpatternsetreferencestatement](aws.waf.rule.statement.regexpatternsetreferencestatement.md) | Rule statement that checks for a regex pattern defined in a regex pattern set |
+| [aws.waf.rule.statement.rulegroupreferencestatement](aws.waf.rule.statement.rulegroupreferencestatement.md) | Rule statement that refers to a group of rules |
+| [aws.waf.rule.statement.sizeconstraintstatement](aws.waf.rule.statement.sizeconstraintstatement.md) | Rule statement that checks the size of the specified field |
+| [aws.waf.rule.statement.sqlimatchstatement](aws.waf.rule.statement.sqlimatchstatement.md) | Statement that matches SQLI attacks |
+| [aws.waf.rule.statement.xssmatchstatement](aws.waf.rule.statement.xssmatchstatement.md) | Statement that matches XSS attacks |
+| [aws.waf.rulegroup](aws.waf.rulegroup.md) | Amazon WAF v2 RuleGroup |
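Review bot: Three rows in this index table have an empty description cell: `aws.waf.rule.statement`, `aws.waf.rule.statement.ipsetreferencestatement.ipsetforwardedipconfig` and `aws.waf.rule.statement.labelmatchstatement`. Every sibling statement row has a one-line description, so please fill these in (or fix the source the table is built from, if it is generated). Also, the `aws.waf.ipset` row writes "IP Ranges" with a capital R mid-sentence.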
diff --git a/docs/mql/resources/aws-pack/aws.accessanalyzer.analyzer.md b/docs/mql/resources/aws-pack/aws.accessanalyzer.analyzer.md
new file mode 100644
index 000000000..3d33ea7a2
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.accessanalyzer.analyzer.md
@@ -0,0 +1,30 @@
+---
+title: aws.accessanalyzer.analyzer
+id: aws.accessanalyzer.analyzer
+sidebar_label: aws.accessanalyzer.analyzer
+displayed_sidebar: MQL
+description: AWS IAM Access Analyzer resource (provides an object representing an individual AWS IAM Access Analyzer configuration)
+---
+
+# aws.accessanalyzer.analyzer
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS IAM Access Analyzer resource (provides an object representing an individual AWS IAM Access Analyzer configuration)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------- | ----------------- | ------------------------------------------------------------- |
+| arn | string | ARN for the analyzer |
+| name | string | Name for the analyzer |
+| status | string | Status of the analyzer: ACTIVE, CREATING, DISABLED, or FAILED |
+| type | string | Type of analyzer: ACCOUNT or ORGANIZATION |
+| tags | map[string]string | Tags for the analyzer |
+| lastResourceAnalyzed | string | The name of the last resource that was analyzed |
+| lastResourceAnalyzedAt | time | Last scan timestamp |
+| createdAt | time | Creation timestamp |
diff --git a/docs/mql/resources/aws-pack/aws.accessanalyzer.md b/docs/mql/resources/aws-pack/aws.accessanalyzer.md
new file mode 100644
index 000000000..94bd2b87b
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.accessanalyzer.md
@@ -0,0 +1,56 @@
+---
+title: aws.accessAnalyzer
+id: aws.accessAnalyzer
+sidebar_label: aws.accessAnalyzer
+displayed_sidebar: MQL
+description: AWS IAM Access Analyzer resource (for assessing the configuration of AWS IAM Access Analyzer)
+---
+
+# aws.accessAnalyzer
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS IAM Access Analyzer resource (for assessing the configuration of AWS IAM Access Analyzer)
+
+The `aws.accessAnalyzer` resource returns a list AWS IAM Access Analyzers configured across the AWS account.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ----------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ |
+| analyzers | [][aws.accessanalyzer.analyzer](aws.accessanalyzer.analyzer.md) | List of `aws.accessanalyzer.analyzer` objects for all AWS IAM Access Analyzers configured within the account |
+
+**Examples**
+
+Return a list of AWS IAM Access Analyzers configured across the AWS account
+
+```coffee
+aws.accessAnalyzer.analyzers
+```
+
+Return a list of `aws.accessAnalyzer.analyzer` resources and the value for specified fields
+
+```coffee
+aws.accessAnalyzer.analyzers {
+ arn
+ name
+ status
+ type
+}
+```
+
+Ensure that IAM Access analyzer is enabled for all regions
+
+```coffee
+aws.accessAnalyzer.analyzers.all(
+ status == "ACTIVE"
+)
+```
+
+**References**
+
+- [Using AWS IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)
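Review bot: The last example is captioned "Ensure that IAM Access analyzer is enabled for all regions", but `aws.accessAnalyzer.analyzers.all( status == "ACTIVE" )` only asserts that the analyzers that exist are ACTIVE. A region with no analyzer is not flagged, and the analyzer fields documented in this patch have no region to group by. Either reword the caption to "Ensure that all configured analyzers are active" or add a check that covers regions without an analyzer. Smaller points: "returns a list AWS IAM Access Analyzers" is missing "of", "Access analyzer" in the caption should be "Access Analyzer", and the child resource is written `aws.accessanalyzer.analyzer` in the Fields table but `aws.accessAnalyzer.analyzer` in the second example caption.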
diff --git a/docs/mql/resources/aws-pack/aws.account.md b/docs/mql/resources/aws-pack/aws.account.md
new file mode 100644
index 000000000..f1b159d64
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.account.md
@@ -0,0 +1,38 @@
+---
+title: aws.account
+id: aws.account
+sidebar_label: aws.account
+displayed_sidebar: MQL
+description: AWS Account
+---
+
+# aws.account
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Account
+
+The `aws.account` resource provides configuration for AWS accounts, including the account number and configured aliases.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | --------------------------------------- | ----------------------------------------------------- |
+| id | string | Account ID |
+| aliases | []string | Account aliases |
+| organization | [aws.organization](aws.organization.md) | Information about the associated organization, if any |
+
+**Examples**
+
+Return the account ID (number) and any configured account aliases
+
+```coffee
+aws.account {
+ id
+ aliases
+}
+```
diff --git a/docs/mql/resources/aws-pack/aws.acm.certificate.md b/docs/mql/resources/aws-pack/aws.acm.certificate.md
new file mode 100644
index 000000000..96a5a4ada
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.acm.certificate.md
@@ -0,0 +1,39 @@
+---
+title: aws.acm.certificate
+id: aws.acm.certificate
+sidebar_label: aws.acm.certificate
+displayed_sidebar: MQL
+description: AWS Certificate Manager Certificate resource (provides an object representing an individual ACM certificate)
+---
+
+# aws.acm.certificate
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Certificate Manager Certificate resource (provides an object representing an individual ACM certificate)
+
+The `aws.acm.certificate` resource provides fields for assessing the configuration of AWS ACM certificates. For usage, read the `aws.acm` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------------------- | --------------------------------------------------------------------------------------------------------- |
+| arn | string | ARN for the certificate |
+| notBefore | time | Time before which the certificate is not valid |
+| notAfter | time | Time after which the certificate is not valid |
+| createdAt | time | Time when the cert was requested |
+| domainName | string | FQDN for the certificate |
+| status | string | Status of the certificate: issued, expired, revoked, and so on |
+| subject | string | Name of the entity associated with the public key in the certificate |
+| certificate | network.certificate | Retrieves an Amazon-issued certificate and its certificate chain |
+| tags | map[string]string | Tags associated with the certificate |
+| keyAlgorithm | string | The algorithm that was used to generate the public-private key pair |
+| serial | string | The serial number of the certificate |
+| source | string | The source of the certificate: AMAZON_ISSUED or IMPORTED |
+| issuer | string | The name of the certificate authority that issued and signed the certificate |
+| issuedAt | time | The time at which the certificate was issued (exists only when the certificate source is AMAZON_ISSUED) |
+| importedAt | time | The date and time when the certificate was imported (exists only when the certificate source is IMPORTED) |
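Review bot: The `status` row lists its values in lower case ("issued, expired, revoked, and so on") while the `source` row in the same table gives exact upper-case values (AMAZON_ISSUED, IMPORTED). Readers will copy these strings into comparisons, so list the status values exactly as the field returns them and enumerate them rather than ending with "and so on". The `certificate` description ("Retrieves an Amazon-issued certificate and its certificate chain") also reads as an action rather than a field, and does not say what is returned when `source` is IMPORTED.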
diff --git a/docs/mql/resources/aws-pack/aws.acm.md b/docs/mql/resources/aws-pack/aws.acm.md
new file mode 100644
index 000000000..c6e3e0953
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.acm.md
@@ -0,0 +1,61 @@
+---
+title: aws.acm
+id: aws.acm
+sidebar_label: aws.acm
+displayed_sidebar: MQL
+description: AWS Certificate Manager resource (for assessing the configuration of AWS Certificate Manager)
+---
+
+# aws.acm
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Certificate Manager resource (for assessing the configuration of AWS Certificate Manager)
+
+Use the `aws.acm` resource to assess the configuration of the AWS Certificates Manager service in the account. This resource returns a list of ACM certificates found in the account.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------------------------------------------------------- | ------------------------------------------------------------------------------------------------- |
+| certificates | [][aws.acm.certificate](aws.acm.certificate.md) | List of `aws.acm.certificate` objects representing ACM certificates configured within the account |
+
+**Examples**
+
+Return a list of `aws.acm.certificate` resources within the AWS account
+
+```coffee
+aws.acm.certificates
+```
+
+Return a list of `aws.acm.certificate` resources within the AWS account along with values for specified fields
+
+```coffee
+aws.acm.certificates {
+ arn
+ notBefore
+ notAfter
+ createdAt
+ domainName
+ status
+ subject
+ certificate()
+}
+```
+
+Check whether ACM certificates in your account are marked for expiration within 90 days
+
+```coffee
+aws.acm.certificates.
+ where( status != /PENDING_VALIDATION/ ).
+ all (notAfter - notBefore <= 90 * time.day)
+```
+
+**References**
+
+- [What Is AWS Certificate Manager?](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html)
+- [Security in AWS Certificate Manager](https://docs.aws.amazon.com/acm/latest/userguide/security.html)
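Review bot: The expiration example does not test what its caption says. `all (notAfter - notBefore <= 90 * time.day)` measures each certificate's total validity period, not the time left before it expires, so a one-year certificate that expires tomorrow fails it for the wrong reason and a fresh 90-day certificate passes. Compare `notAfter` against the current time instead (for example `notAfter - time.now`), and state in the caption which outcome is the passing one. Also, "AWS Certificates Manager" in the description should be "AWS Certificate Manager", and `all (` has a stray space that the other examples don't use.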
diff --git a/docs/mql/resources/aws-pack/aws.apigateway.md b/docs/mql/resources/aws-pack/aws.apigateway.md
new file mode 100644
index 000000000..680a22b57
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.apigateway.md
@@ -0,0 +1,69 @@
+---
+title: aws.apigateway
+id: aws.apigateway
+sidebar_label: aws.apigateway
+displayed_sidebar: MQL
+description: Amazon API Gateway
+---
+
+# aws.apigateway
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon API Gateway
+
+Use the `aws.apigateway` resource to assess the configuration of the AWS API Gateway service.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- |
+| restApis | [][aws.apigateway.restapi](aws.apigateway.restapi.md) | List of `aws.apigateway.restapi` objects representing all rest APIs across all enabled regions in the account |
+
+**Examples**
+
+Return a list of `aws.apigateway.restapi` resources for all REST APIs configured with the account across all enabled regions
+
+```coffee
+aws.apigateway.restApis
+```
+
+Return a list of `aws.apigateway.restapi` resources for all REST APIs configured with the account across all enabled regions and the value for specified fields
+
+```coffee
+aws.apigateway.restApis {
+ createdDate
+ description
+ stages
+ region
+ arn
+ id
+ name
+}
+```
+
+Check that all methods in Amazon API Gateway have caching enabled and encrypted
+
+```coffee
+aws.apigateway.restApis.all(stages.all(
+ methodSettings['CachingEnabled'] == true &&
+ methodSettings['CacheDataEncrypted'] == true
+))
+```
+
+Check that all methods in Amazon API Gateway have logging enabled
+
+```coffee
+aws.apigateway.restApis.all(stages.all(
+methodSettings['LoggingLevel'] == "ERROR" || methodSettings['LoggingLevel'] == "INFO"
+))
+```
+
+**References**
+
+- [What is Amazon API Gateway?](https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html)
+- [Security in Amazon API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/security.html)
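Review bot: In the logging example the `methodSettings['LoggingLevel'] == "ERROR" || ...` line is not indented inside `stages.all(`, unlike the caching example directly above it. Please indent it to match. The Fields table also says "rest APIs" where the rest of the page writes "REST APIs". It would help to say where the `methodSettings` keys used here (`CachingEnabled`, `CacheDataEncrypted`, `LoggingLevel`) are documented, since the stage page only describes the field as a dict.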
diff --git a/docs/mql/resources/aws-pack/aws.apigateway.restapi.md b/docs/mql/resources/aws-pack/aws.apigateway.restapi.md
new file mode 100644
index 000000000..4cded521d
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.apigateway.restapi.md
@@ -0,0 +1,32 @@
+---
+title: aws.apigateway.restapi
+id: aws.apigateway.restapi
+sidebar_label: aws.apigateway.restapi
+displayed_sidebar: MQL
+description: Amazon API Gateway REST API
+---
+
+# aws.apigateway.restapi
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon API Gateway REST API
+
+The `aws.apigateway.restapi` resource provides fields representing an individual REST API configured within the AWS account. For usage, read the `aws.apigateway` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | --------------------------------------------------------- | ---------------------------------- |
+| arn | string | ARN for the REST API |
+| id | string | Unique ID for the REST API |
+| name | string | Name for the REST API |
+| createdDate | time | Time when the REST API was created |
+| description | string | Description for the REST API |
+| stages | [][aws.apigateway.stage](aws.apigateway.stage.md) | Stages for the REST API |
+| region | string | Region where the REST API exists |
+| tags | map[string]string | Tags for the REST API |
diff --git a/docs/mql/resources/aws-pack/aws.apigateway.stage.md b/docs/mql/resources/aws-pack/aws.apigateway.stage.md
new file mode 100644
index 000000000..271cff5b1
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.apigateway.stage.md
@@ -0,0 +1,41 @@
+---
+title: aws.apigateway.stage
+id: aws.apigateway.stage
+sidebar_label: aws.apigateway.stage
+displayed_sidebar: MQL
+description: Amazon API Gateway REST API stages
+---
+
+# aws.apigateway.stage
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon API Gateway REST API stages
+
+The `aws.apigateway.stage` resource provides fields representing an individual stage configured on a REST API. For usage, read the `aws.apigateway` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ------ | ----------------------------------------------------- |
+| arn | string | ARN for the REST API stage |
+| name | string | Name for the stage |
+| tracingEnabled | bool | Bool that denotes if tracing is enabled for the stage |
+| description | string | Description for the stage |
+| deploymentId | string | ID of the deployment the stage is attached to |
+| methodSettings | dict | Method settings for the stage |
+
+**Examples**
+
+Return a list of AWS API Gateway REST APIs configured across all enabled regions in the AWS account and the values for the arn and stages
+
+```coffee
+aws.apigateway.restApis {
+ arn
+ stages
+}
+```
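Review bot: The only example on this page queries `aws.apigateway.restApis { arn stages }` and never reads a stage field, so it does not show how to use the resource being documented. Expand `stages` in the example to return fields from this table, such as `name`, `tracingEnabled` and `methodSettings`. The `methodSettings` row would also benefit from naming the keys the dict contains.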
diff --git a/docs/mql/resources/aws-pack/aws.applicationautoscaling.md b/docs/mql/resources/aws-pack/aws.applicationautoscaling.md
new file mode 100644
index 000000000..8665fe5ae
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.applicationautoscaling.md
@@ -0,0 +1,46 @@
+---
+title: aws.applicationAutoscaling
+id: aws.applicationAutoscaling
+sidebar_label: aws.applicationAutoscaling
+displayed_sidebar: MQL
+description: AWS Application Auto Scaling
+---
+
+# aws.applicationAutoscaling
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Application Auto Scaling
+
+The aws.applicationAutoscaling resource inspects targets in the AWS Application Auto Scaling service. The AWS Auto Scaling service allows users to load balance multiple AWS services including:
+
+- AppStream 2.0 fleets
+- Aurora replicas
+- Amazon Comprehend document classification and entity recognizer endpoints
+- DynamoDB tables and global secondary indexes
+- Amazon Elastic Container Service (ECS) services
+- ElastiCache for Redis clusters (replication groups)
+- Amazon EMR clusters
+- Amazon Keyspaces (for Apache Cassandra) tables
+- Lambda function provisioned concurrency
+- Amazon Managed Streaming for Apache Kafka (MSK) broker storage
+- Amazon Neptune clusters
+- SageMaker endpoint variants
+- SageMaker inference components
+- SageMaker Serverless provisioned concurrency
+- Spot Fleet requests
+
+**Init**
+
+aws.applicationAutoscaling(namespace string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| namespace | string | Service namespace to query for application auto scaling: comprehend, rds, sagemaker, appstream, elasticmapreduce, dynamodb, lambda, ecs, cassandra, ec2, neptune, kafka, custom-resource, or elasticache |
+| scalableTargets | [][aws.applicationautoscaling.target](aws.applicationautoscaling.target.md) | List of scalable targets belonging to the service namespace |
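Review bot: The description says the service "allows users to load balance multiple AWS services", but everything else in this hunk (scalable targets, the namespace list) describes scaling, not load balancing, and the sentence switches from "AWS Application Auto Scaling" to "The AWS Auto Scaling service". Please reword to something like "automatically scale resources for multiple AWS services" and keep the service name consistent. `aws.applicationAutoscaling` in that paragraph is missing the backticks used on other pages. The Init section gives the signature only, and there is no Examples section, so add one query that passes a namespace and reads `scalableTargets`.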
diff --git a/docs/mql/resources/aws-pack/aws.applicationautoscaling.target.md b/docs/mql/resources/aws-pack/aws.applicationautoscaling.target.md
new file mode 100644
index 000000000..61bf96095
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.applicationautoscaling.target.md
@@ -0,0 +1,32 @@
+---
+title: aws.applicationautoscaling.target
+id: aws.applicationautoscaling.target
+sidebar_label: aws.applicationautoscaling.target
+displayed_sidebar: MQL
+description: AWS Application Auto Scaling target
+---
+
+# aws.applicationautoscaling.target
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Application Auto Scaling target
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ------ | ------------------------------------------------ |
+| namespace | string | Namespace for the target |
+| arn | string | ARN of the auto scaling target |
+| scalableDimension | string | Scalable dimension for the target |
+| minCapacity | int | Minimum capacity set for the auto scaling target |
+| maxCapacity | int | Maximum capacity set for the auto scaling target |
+| suspendedState | dict | suspendedState for the auto scaling target |
+
+**References**
+
+- [What is Application Auto Scaling?](https://docs.aws.amazon.com/autoscaling/application/userguide/what-is-application-auto-scaling.html)
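Review bot: The `suspendedState` row describes the field with its own name ("suspendedState for the auto scaling target"). Say what the dict holds, and since other child pages in this patch end their description with "For usage, read the ... resource documentation", add the same pointer to `aws.applicationAutoscaling` here.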
diff --git a/docs/mql/resources/aws-pack/aws.autoscaling.group.md b/docs/mql/resources/aws-pack/aws.autoscaling.group.md
new file mode 100644
index 000000000..dd82d73f5
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.autoscaling.group.md
@@ -0,0 +1,36 @@
+---
+title: aws.autoscaling.group
+id: aws.autoscaling.group
+sidebar_label: aws.autoscaling.group
+displayed_sidebar: MQL
+description: AWS Auto Scaling group
+---
+
+# aws.autoscaling.group
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Auto Scaling group
+
+The `aws.autoscaling.group` resource provides fields representing an individual AWS auto scaling group within the account. For usage, read the `aws.autoscaling` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------------- | ----------------- | ------------------------------------------------------------------------------------------- |
+| arn | string | ARN for the autoscaling group |
+| name | string | Name of the group |
+| loadBalancerNames | []string | List of load balancer names associated with the group |
+| healthCheckType | string | Health check type used by the group: ELB or EC2 |
+| tags | map[string]string | Tags for the asg |
+| region | string | The region of the Auto Scaling group |
+| minSize | int | The minimum number of instances to scale down to |
+| maxSize | int | The maximum number of instances to scale up to |
+| defaultCooldown | int | The time to wait after scaling up / down before the next scaling event is started |
+| launchConfigurationName | string | The name of the launch configuration |
+| healthCheckGracePeriod | int | The grace period in seconds before an instance with a failing health check will be replaced |
+| createdAt | time | Time when the autoscaling group was created |
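Review bot: `defaultCooldown` is documented as "The time to wait..." with no unit, while `healthCheckGracePeriod` two rows below states seconds. Add the unit. The table also mixes "autoscaling group", "Auto Scaling group" and "asg" ("Tags for the asg"); pick one form, and spell out the abbreviation.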
diff --git a/docs/mql/resources/aws-pack/aws.autoscaling.md b/docs/mql/resources/aws-pack/aws.autoscaling.md
new file mode 100644
index 000000000..ea24d50d3
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.autoscaling.md
@@ -0,0 +1,51 @@
+---
+title: aws.autoscaling
+id: aws.autoscaling
+sidebar_label: aws.autoscaling
+displayed_sidebar: MQL
+description: AWS Auto Scaling
+---
+
+# aws.autoscaling
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Auto Scaling
+
+Use the `aws.autoscaling` resource to assess the configuration of AWS auto scaling groups within an AWS account. This resource provides the `.groups` field, which returns a list of all auto scaling groups configured across all enabled regions across the account.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ----------------------------------------------------------- | --------------------------------------------- |
+| groups | [][aws.autoscaling.group](aws.autoscaling.group.md) | List of autoscaling groups across the account |
+
+**Examples**
+
+Return a list of all auto-scaling groups configured across all enabled regions across the account and the values for specified fields
+
+```coffee
+aws.autoscaling.groups {
+ arn
+ healthCheckType
+ loadBalancerNames
+ name
+}
+```
+
+Check that all autoscaling groups associated with a load balancer use health checks
+
+```coffee
+aws.autoscaling.groups.where(loadBalancerNames.length > 0) {
+ healthCheckType == "ELB"
+}
+```
+
+**References**
+
+- [Security in Amazon EC2 Auto Scaling](https://docs.aws.amazon.com/autoscaling/ec2/userguide/security.html)
+- [Compliance validation for Amazon EC2 Auto Scaling](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-compliance.html)
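Review bot: The second example's caption says groups behind a load balancer should "use health checks", but the query requires `healthCheckType == "ELB"` specifically, and the group page documents EC2 as the other valid health check type. Reword the caption to "use ELB health checks" so a failing result is not misread. The example also uses the block form `where(...) { ... }` while the assertion examples on the other pages in this patch use `.all(...)`; use one form consistently or explain the difference. "across all enabled regions across the account" reads awkwardly in both the description and the first caption.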
diff --git a/docs/mql/resources/aws-pack/aws.backup.md b/docs/mql/resources/aws-pack/aws.backup.md
new file mode 100644
index 000000000..cd1276693
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.backup.md
@@ -0,0 +1,43 @@
+---
+title: aws.backup
+id: aws.backup
+sidebar_label: aws.backup
+displayed_sidebar: MQL
+description: AWS Backup
+---
+
+# aws.backup
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Backup
+
+Use the `aws.backup` resource to assess the configuration of AWS Backup vaults in an AWS account. This resource provides the `.vaults` field, which returns a list of all AWS Backup vaults configured across all enabled regions across the account.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ------------------------------------------------- | ------------------------------ |
+| vaults | [][aws.backup.vault](aws.backup.vault.md) | List of vaults for the service |
+
+**Examples**
+
+Return a list of all AWS Backup vaults configured across all enabled regions across the account and all their recovery points
+
+```coffee
+aws.backup.vaults {
+ arn
+ region
+ recoveryPoints
+ name
+}
+```
+
+**References**
+
+- [What is AWS Backup?](https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html)
+- [Compliance validation for AWS Backup](https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-compliance.html)
diff --git a/docs/mql/resources/aws-pack/aws.backup.vault.md b/docs/mql/resources/aws-pack/aws.backup.vault.md
new file mode 100644
index 000000000..be5f8e1d9
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.backup.vault.md
@@ -0,0 +1,31 @@
+---
+title: aws.backup.vault
+id: aws.backup.vault
+sidebar_label: aws.backup.vault
+displayed_sidebar: MQL
+description: AWS Backup vault
+---
+
+# aws.backup.vault
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Backup vault
+
+The `aws.backup.vault` resource provides fields representing an individual AWS Backup vaults within the account. For usage, read the `aws.backup` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | --------------------------------------------------------------------------- | -------------------------------------------------- |
+| arn | string | ARN of the vault |
+| name | string | Name of the vault |
+| recoveryPoints | [][aws.backup.vaultRecoveryPoint](aws.backup.vaultrecoverypoint.md) | List of recovery points stored in the backup vault |
+| region | string | The region of the vault |
+| createdAt | time | Date the backup vault was created |
+| locked | bool | Is the backup locked |
+| encryptionKeyArn | string | The ARN of the encryption key |
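Review bot: The `locked` row reads "Is the backup locked", but the field is on the vault, so it should describe the vault and be phrased as a statement like the other rows (for example "Whether the backup vault is locked"). The description sentence also has a number mismatch: "an individual AWS Backup vaults" should be "an individual AWS Backup vault". `encryptionKeyArn` should say what the key encrypts, as the recovery point page does.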
diff --git a/docs/mql/resources/aws-pack/aws.backup.vaultrecoverypoint.md b/docs/mql/resources/aws-pack/aws.backup.vaultrecoverypoint.md
new file mode 100644
index 000000000..f2c1b5845
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.backup.vaultrecoverypoint.md
@@ -0,0 +1,31 @@
+---
+title: aws.backup.vaultRecoveryPoint
+id: aws.backup.vaultRecoveryPoint
+sidebar_label: aws.backup.vaultRecoveryPoint
+displayed_sidebar: MQL
+description: AWS Backup vault recovery point
+---
+
+# aws.backup.vaultRecoveryPoint
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Backup vault recovery point
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ------ | -------------------------------------------------------------- |
+| arn | string | ARN of the recovery point |
+| resourceType | string | Resource type for the recovery point: EFS, DynamoDB, and so on |
+| createdBy | dict | Information about who created the recovery point |
+| iamRoleArn | string | ARN of the IAM role used to create the recovery point |
+| status | string | Status of the recovery point |
+| creationDate | time | Date the recovery point was created |
+| completionDate | time | Date the recovery point completed |
+| encryptionKeyArn | string | ARN of the key used to encrypt the recovery point |
+| isEncrypted | bool | Whether the recovery point is encrypted |
diff --git a/docs/mql/resources/aws-pack/aws.cloudfront.distribution.md b/docs/mql/resources/aws-pack/aws.cloudfront.distribution.md
new file mode 100644
index 000000000..c0fbcc5d3
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.cloudfront.distribution.md
@@ -0,0 +1,32 @@
+---
+title: aws.cloudfront.distribution
+id: aws.cloudfront.distribution
+sidebar_label: aws.cloudfront.distribution
+displayed_sidebar: MQL
+description: Amazon CloudFront distribution
+---
+
+# aws.cloudfront.distribution
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon CloudFront distribution
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | ------------------------------------------------------------------------------------- | ------------------------------------------- |
+| arn | string | ARN of the CloudFront distribution |
+| status | string | Status of the distribution |
+| domainName | string | Domain Name of the distribution |
+| origins | [][aws.cloudfront.distribution.origin](aws.cloudfront.distribution.origin.md) | Details on the origins of this distribution |
+| defaultCacheBehavior | dict | Default cache behavior for the distribution |
+| cacheBehaviors | []dict | All cache behaviors for the distribution |
+| httpVersion | string | HTTP version of the distribution |
+| isIPV6Enabled | bool | Is the distribution IPV6 enabled |
+| enabled | bool | Is the distribution enabled |
+| priceClass | string | The price class of the distribution |
diff --git a/docs/mql/resources/aws-pack/aws.cloudfront.distribution.origin.md b/docs/mql/resources/aws-pack/aws.cloudfront.distribution.origin.md
new file mode 100644
index 000000000..29754b921
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.cloudfront.distribution.origin.md
@@ -0,0 +1,28 @@
+---
+title: aws.cloudfront.distribution.origin
+id: aws.cloudfront.distribution.origin
+sidebar_label: aws.cloudfront.distribution.origin
+displayed_sidebar: MQL
+description: Amazon CloudFront distribution origin
+---
+
+# aws.cloudfront.distribution.origin
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon CloudFront distribution origin
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | ------ | --------------------------------------------------------------- |
+| domainName | string | Domain name for the origin |
+| id | string | Unique id for the origin |
+| connectionAttempts | int | Number of times CloudFront attempts to connect |
+| connectionTimeout | int | Number of seconds CloudFront waits when attempting a connection |
+| originPath | string | Path that CloudFront appends to original domain |
+| account | string | Account ID where the origin exists |
diff --git a/docs/mql/resources/aws-pack/aws.cloudfront.function.md b/docs/mql/resources/aws-pack/aws.cloudfront.function.md
new file mode 100644
index 000000000..1d233f483
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.cloudfront.function.md
@@ -0,0 +1,30 @@
+---
+title: aws.cloudfront.function
+id: aws.cloudfront.function
+sidebar_label: aws.cloudfront.function
+displayed_sidebar: MQL
+description: Amazon CloudFront function
+---
+
+# aws.cloudfront.function
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon CloudFront function
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ------ | ------------------------------------------------ |
+| name | string | Name of the CloudFront function |
+| status | string | Status of the CloudFront function |
+| arn | string | ARN of the CloudFront function |
+| lastModifiedTime | time | Date and time when the function was last updated |
+| createdTime | time | Date and time when the function was created |
+| stage | string | Stage that the function is in |
+| comment | string | Comment to describe the function |
+| runtime | string | Runtime environment for the function |
diff --git a/docs/mql/resources/aws-pack/aws.cloudfront.md b/docs/mql/resources/aws-pack/aws.cloudfront.md
new file mode 100644
index 000000000..778eee327
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.cloudfront.md
@@ -0,0 +1,24 @@
+---
+title: aws.cloudfront
+id: aws.cloudfront
+sidebar_label: aws.cloudfront
+displayed_sidebar: MQL
+description: Amazon CloudFront
+---
+
+# aws.cloudfront
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon CloudFront
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ----------------------------------------------------------------------- | -------------------------------- |
+| distributions | [][aws.cloudfront.distribution](aws.cloudfront.distribution.md) | List of CloudFront distributions |
+| functions | [][aws.cloudfront.function](aws.cloudfront.function.md) | List of CloudFront functions |
diff --git a/docs/mql/resources/aws-pack/aws.cloudtrail.md b/docs/mql/resources/aws-pack/aws.cloudtrail.md
new file mode 100644
index 000000000..96b7f7315
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.cloudtrail.md
@@ -0,0 +1,59 @@
+---
+title: aws.cloudtrail
+id: aws.cloudtrail
+sidebar_label: aws.cloudtrail
+displayed_sidebar: MQL
+description: AWS CloudTrail
+---
+
+# aws.cloudtrail
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS CloudTrail
+
+Use the `aws.cloudtrail` resource to assess the configuration of AWS CloudTrails deployed within an AWS account. The resource provides the `.trails` field, which creates a list of `aws.cloudtrail.trail` resources representing all CloudTrails configured across every enabled region.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | --------------------------------------------------------- | ----------------------------------------------------- |
+| trails | [][aws.cloudtrail.trail](aws.cloudtrail.trail.md) | List of CloudTrail trails associated with the account |
+
+**Examples**
+
+Return a list of `aws.cloudtrail.trail` resources representing all AWS Cloud Trails configured across all enabled regions and the values for specified fields
+
+```coffee
+aws.cloudtrail.trails {
+ arn
+ name
+ kmsKey
+ isMultiRegionTrail
+ isOrganizationTrail
+ logFileValidationEnabled
+ includeGlobalServiceEvents
+ s3bucket
+ snsTopicARN
+ status
+ logGroup
+ cloudWatchLogsRoleArn
+ cloudWatchLogsLogGroupArn
+ eventSelectors
+ region
+}
+```
+
+```coffee
+aws.cloudtrail.trails.any(
+ isMultiRegionTrail && status['IsLogging']
+)
+```
+
+**References**
+
+- [Security best practices in AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html)
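Review bot: the second example under Examples, `aws.cloudtrail.trails.any( isMultiRegionTrail && status['IsLogging'] )`, has no sentence introducing it, unlike every other example in this patch. Add a line saying what it asserts, for example that at least one multi-region trail is actively logging. The first example's description also writes "AWS Cloud Trails" while the rest of the page uses "CloudTrail".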
diff --git a/docs/mql/resources/aws-pack/aws.cloudtrail.trail.md b/docs/mql/resources/aws-pack/aws.cloudtrail.trail.md
new file mode 100644
index 000000000..602693ca9
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.cloudtrail.trail.md
@@ -0,0 +1,39 @@
+---
+title: aws.cloudtrail.trail
+id: aws.cloudtrail.trail
+sidebar_label: aws.cloudtrail.trail
+displayed_sidebar: MQL
+description: AWS CloudTrail trail
+---
+
+# aws.cloudtrail.trail
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS CloudTrail trail
+
+The `aws.cloudtrail.trail` object represents an individual AWS CloudTrail configured within an account. For usage, read the `aws.cloudtrail` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------------- | ----------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
+| arn | string | ARN of the trail |
+| name | string | Name of the trail |
+| kmsKey | [aws.kms.key](aws.kms.key.md) | KMS key used to encrypt the logs |
+| isMultiRegionTrail | bool | Whether the trail exists in multiple regions (false if single region) |
+| isOrganizationTrail | bool | Whether trail is an organization trail (logs events for management and member accounts of the organization) |
+| logFileValidationEnabled | bool | Whether log file validation is enabled |
+| includeGlobalServiceEvents | bool | Whether API calls from global services are included |
+| s3bucket | [aws.s3.bucket](aws.s3.bucket.md) | S3 bucket where trail files are delivered |
+| snsTopicARN | string | ARN of the SNS topic that the trail uses to send notifications |
+| status | dict | JSON list of information about the trail |
+| logGroup | [aws.cloudwatch.loggroup](aws.cloudwatch.loggroup.md) | Log group where trail files are delivered |
+| cloudWatchLogsRoleArn | string | Role for logs endpoint to assume when writing to log group |
+| cloudWatchLogsLogGroupArn | string | Group for logs endpoint to assume when writing to log group |
+| eventSelectors | []dict | Settings for the trail's configured event selectors |
+| region | string | Region in which the trail was created (home region) |
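Review bot: the `cloudWatchLogsLogGroupArn` row in the Fields table repeats the wording of the `cloudWatchLogsRoleArn` row ("... for logs endpoint to assume when writing to log group"), but a log group ARN is not something that gets assumed. It looks like a copy-paste; describe it as the ARN of the CloudWatch log group that receives the trail's logs. The `status` row is typed `dict` but described as a "JSON list", and the example on the `aws.cloudtrail` page indexes it by key (`status['IsLogging']`), so the description should say it is a dict of status information.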
diff --git a/docs/mql/resources/aws-pack/aws.cloudwatch.loggroup.md b/docs/mql/resources/aws-pack/aws.cloudwatch.loggroup.md
new file mode 100644
index 000000000..55c607926
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.cloudwatch.loggroup.md
@@ -0,0 +1,30 @@
+---
+title: aws.cloudwatch.loggroup
+id: aws.cloudwatch.loggroup
+sidebar_label: aws.cloudwatch.loggroup
+displayed_sidebar: MQL
+description: Amazon CloudWatch log group
+---
+
+# aws.cloudwatch.loggroup
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon CloudWatch log group
+
+The `aws.cloudwatch.loggroup` object represents an individual AWS CloudWatch log group configured within an account. For usage, read the `aws.cloudwatch` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
+| arn | string | ARN of the log group |
+| name | string | Name of the log group |
+| metricsFilters | [][aws.cloudwatch.loggroup.metricsfilter](aws.cloudwatch.loggroup.metricsfilter.md) | List of metric filters associated with the log group |
+| kmsKey | [aws.kms.key](aws.kms.key.md) | KMS key used for log encryption |
+| region | string | Region where the log group is stored |
+| retentionInDays | int | The number of days to retain the log events in the specified log group |
diff --git a/docs/mql/resources/aws-pack/aws.cloudwatch.loggroup.metricsfilter.md b/docs/mql/resources/aws-pack/aws.cloudwatch.loggroup.metricsfilter.md
new file mode 100644
index 000000000..02f525dda
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.cloudwatch.loggroup.metricsfilter.md
@@ -0,0 +1,28 @@
+---
+title: aws.cloudwatch.loggroup.metricsfilter
+id: aws.cloudwatch.loggroup.metricsfilter
+sidebar_label: aws.cloudwatch.loggroup.metricsfilter
+displayed_sidebar: MQL
+description: Amazon CloudWatch log group metrics filter
+---
+
+# aws.cloudwatch.loggroup.metricsfilter
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon CloudWatch log group metrics filter
+
+The `aws.cloudwatch.metricsfilter` object represents an individual AWS CloudWatch metrics filter configured within an account. For usage, read the `aws.cloudwatch` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ----------------------------------------------------------- | ----------------------------------------- |
+| id | string | Unique ID for the metric |
+| filterName | string | Filter name associated with the metric |
+| filterPattern | string | Filter pattern associated with the metric |
+| metrics | [][aws.cloudwatch.metric](aws.cloudwatch.metric.md) | List of CloudWatch metrics |
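Review bot: the Description paragraph names the object `aws.cloudwatch.metricsfilter`, but the title, id and heading of this page are all `aws.cloudwatch.loggroup.metricsfilter`. Use the full resource name in the prose so that a reader who copies it into a query gets a resource that exists. The Fields table also describes `id`, `filterName` and `filterPattern` in terms of "the metric" where "the metric filter" appears to be meant.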
diff --git a/docs/mql/resources/aws-pack/aws.cloudwatch.md b/docs/mql/resources/aws-pack/aws.cloudwatch.md
new file mode 100644
index 000000000..85cc1bde2
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.cloudwatch.md
@@ -0,0 +1,51 @@
+---
+title: aws.cloudwatch
+id: aws.cloudwatch
+sidebar_label: aws.cloudwatch
+displayed_sidebar: MQL
+description: Amazon CloudWatch
+---
+
+# aws.cloudwatch
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon CloudWatch
+
+Use the `aws.cloudwatch` resource to assess the configuration of the AWS CloudWatch service.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ----------------------------------------------------------------------- | ----------------------------- |
+| logGroups | [][aws.cloudwatch.loggroup](aws.cloudwatch.loggroup.md) | List of CloudWatch log groups |
+| alarms | [][aws.cloudwatch.metricsalarm](aws.cloudwatch.metricsalarm.md) | List of CloudWatch alarms |
+| metrics | [][aws.cloudwatch.metric](aws.cloudwatch.metric.md) | List of CloudWatch metrics |
+
+**Examples**
+
+Return a list of `aws.cloudwatch.loggroup` resources representing individual CloudWatch log groups configured across all enabled regions
+
+```coffee
+aws.cloudwatch.logGroups
+```
+
+Return a list of `aws.cloudwatch.metric` resources representing individual CloudWatch metrics configured across all enabled regions
+
+```coffee
+aws.cloudwatch.metrics
+```
+
+Check that all cloudwatch alarms have at least one action enabled
+
+```coffee
+aws.cloudwatch.alarms.all(
+ actions.length > 0 == true &&
+ insufficientDataActions.length > 0 == props.cloudwatchAlarmInsufficientDataActionRequired &&
+ okActions.length > 0 == props.cloudwatchAlarmOkActionRequired
+)
+```
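Review bot: the last example references `props.cloudwatchAlarmInsufficientDataActionRequired` and `props.cloudwatchAlarmOkActionRequired`, which are not defined or explained anywhere on this page, so the query cannot be used as written by someone reading the resource docs. Either say where these props come from and what values they take, or reduce the example to the check the heading describes, `actions.length > 0`. The heading also promises only "at least one action enabled" while the query additionally constrains insufficient-data and OK actions, and `actions.length > 0 == true` carries a redundant comparison.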
diff --git a/docs/mql/resources/aws-pack/aws.cloudwatch.metric.datapoint.md b/docs/mql/resources/aws-pack/aws.cloudwatch.metric.datapoint.md
new file mode 100644
index 000000000..176bdb510
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.cloudwatch.metric.datapoint.md
@@ -0,0 +1,29 @@
+---
+title: aws.cloudwatch.metric.datapoint
+id: aws.cloudwatch.metric.datapoint
+sidebar_label: aws.cloudwatch.metric.datapoint
+displayed_sidebar: MQL
+description: Amazon CloudWatch metric datapoint
+---
+
+# aws.cloudwatch.metric.datapoint
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon CloudWatch metric datapoint
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------ | ----------------------------------- |
+| id | string | Unique identifier for the datapoint |
+| timestamp | time | Timestamp of the metric datapoint |
+| maximum | float | Maximum value for the statistic |
+| minimum | float | Minimum value for the statistic |
+| average | float | Average value for the statistic |
+| sum | float | Sum value for the statistic |
+| unit | string | Unit of the statistic |
diff --git a/docs/mql/resources/aws-pack/aws.cloudwatch.metric.md b/docs/mql/resources/aws-pack/aws.cloudwatch.metric.md
new file mode 100644
index 000000000..0b92d9525
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.cloudwatch.metric.md
@@ -0,0 +1,30 @@
+---
+title: aws.cloudwatch.metric
+id: aws.cloudwatch.metric
+sidebar_label: aws.cloudwatch.metric
+displayed_sidebar: MQL
+description: Amazon CloudWatch metric
+---
+
+# aws.cloudwatch.metric
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon CloudWatch metric
+
+The `aws.cloudwatch.metric` object represents an individual AWS CloudWatch metric configured within an account. For usage, read the `aws.cloudwatch` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ----------------------------------------------------------------------------- | ----------------------------------------------- |
+| name | string | Name of the metric |
+| namespace | string | Namespace for the metric |
+| region | string | Region where the metric exists |
+| alarms | [][aws.cloudwatch.metricsalarm](aws.cloudwatch.metricsalarm.md) | List of CloudWatch metric alarms for the metric |
+| dimensions | [][aws.cloudwatch.metricdimension](aws.cloudwatch.metricdimension.md) | Dimensions that apply to the metric |
+| statistics | [aws.cloudwatch.metricstatistics](aws.cloudwatch.metricstatistics.md) | Statistics for the metric |
diff --git a/docs/mql/resources/aws-pack/aws.cloudwatch.metricdimension.md b/docs/mql/resources/aws-pack/aws.cloudwatch.metricdimension.md
new file mode 100644
index 000000000..83a397004
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.cloudwatch.metricdimension.md
@@ -0,0 +1,24 @@
+---
+title: aws.cloudwatch.metricdimension
+id: aws.cloudwatch.metricdimension
+sidebar_label: aws.cloudwatch.metricdimension
+displayed_sidebar: MQL
+description: Amazon CloudWatch metric dimension
+---
+
+# aws.cloudwatch.metricdimension
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon CloudWatch metric dimension
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----- | ------ | ---------------------- |
+| name | string | Name of the dimension |
+| value | string | Value of the dimension |
diff --git a/docs/mql/resources/aws-pack/aws.cloudwatch.metricsalarm.md b/docs/mql/resources/aws-pack/aws.cloudwatch.metricsalarm.md
new file mode 100644
index 000000000..2d9899fee
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.cloudwatch.metricsalarm.md
@@ -0,0 +1,34 @@
+---
+title: aws.cloudwatch.metricsalarm
+id: aws.cloudwatch.metricsalarm
+sidebar_label: aws.cloudwatch.metricsalarm
+displayed_sidebar: MQL
+description: Amazon CloudWatch metrics alarm
+---
+
+# aws.cloudwatch.metricsalarm
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon CloudWatch metrics alarm
+
+The `aws.cloudwatch.metricsalarm` object represents an individual AWS CloudWatch metric alarm configured within an account. For usage, read the `aws.cloudwatch` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------------- | ------------------------------------------- | ---------------------------------------------------------------- |
+| arn | string | ARN for the metric alarm |
+| metricName | string | Metric name associated with the alarm |
+| metricNamespace | string | Metric namespace associated with the alarm |
+| region | string | Region where the alarm exists |
+| actions | [][aws.sns.topic](aws.sns.topic.md) | List of alarm actions (SNS topic ARNs) associated with the alarm |
+| state | string | State of the alarm |
+| stateReason | string | Description of the reason for the state |
+| insufficientDataActions | [][aws.sns.topic](aws.sns.topic.md) | List of SNS topic ARNs to trigger for insufficient data actions |
+| okActions | [][aws.sns.topic](aws.sns.topic.md) | List of SNS topic ARNs to trigger for OK actions |
+| name | string | Name of the alarm |
diff --git a/docs/mql/resources/aws-pack/aws.cloudwatch.metricstatistics.md b/docs/mql/resources/aws-pack/aws.cloudwatch.metricstatistics.md
new file mode 100644
index 000000000..532f830e2
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.cloudwatch.metricstatistics.md
@@ -0,0 +1,33 @@
+---
+title: aws.cloudwatch.metricstatistics
+id: aws.cloudwatch.metricstatistics
+sidebar_label: aws.cloudwatch.metricstatistics
+displayed_sidebar: MQL
+description: Amazon CloudWatch metric statistics
+---
+
+# aws.cloudwatch.metricstatistics
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon CloudWatch metric statistics
+
+**Init**
+
+aws.cloudwatch.metricstatistics(namespace string)
+aws.cloudwatch.metricstatistics(region string)
+aws.cloudwatch.metricstatistics(name string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------------------------------------------------------------------------------- | --------------------------------------------------------------------- |
+| namespace | string | Namespace for the metric |
+| name | string | Name for the metric |
+| region | string | Region for the metrics |
+| label | string | Label for the statistics |
+| datapoints | [][aws.cloudwatch.metric.datapoint](aws.cloudwatch.metric.datapoint.md) | Datapoints for the statistic over the last 24 hours in hour intervals |
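Review bot: the three lines under Init are bare consecutive text lines, so Markdown will join them into a single paragraph, and it is not clear whether they are three alternative initializers or three arguments that must all be supplied. Put the signature in a code block or a list and state which arguments are required. If all three are needed to identify one metric, a single signature taking `namespace`, `name` and `region` would be clearer.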
diff --git a/docs/mql/resources/aws-pack/aws.codebuild.md b/docs/mql/resources/aws-pack/aws.codebuild.md
new file mode 100644
index 000000000..0240d92d6
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.codebuild.md
@@ -0,0 +1,61 @@
+---
+title: aws.codebuild
+id: aws.codebuild
+sidebar_label: aws.codebuild
+displayed_sidebar: MQL
+description: AWS CodeBuild for building and testing code
+---
+
+# aws.codebuild
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS CodeBuild for building and testing code
+
+Use the `aws.codebuild` resource to assess the configuration of the AWS CodeBuild service and the projects within.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ----------------------------------------------------------- | ---------------------- |
+| projects | [][aws.codebuild.project](aws.codebuild.project.md) | List of build projects |
+
+**Examples**
+
+Return a list of `aws.codebuild.project` resources representing all AWS CodeBuild projects configured across all enabled regions within the account and the values for specified fields
+
+```coffee
+aws.codebuild.projects {
+ arn
+ description
+ name
+ environment
+ region
+ source
+}
+```
+
+Check that all projects containing env variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are not in plaintext
+
+```coffee
+aws.codebuild.projects {
+ environment ['EnvironmentVariables'].where(_['Name'] == "AWS_ACCESS_KEY_ID") { _['Type'] != "PLAINTEXT"}
+ environment ['EnvironmentVariables'].where(_['Name'] == "AWS_SECRET_ACCESS_KEY") { _['Type'] != "PLAINTEXT"}
+}
+```
+
+Check that all projects using GitHub or Bitbucket as the source use oauth
+
+```coffee
+aws.codebuild.projects.where( source['Type'] == "BITBUCKET" || source['Type'] == "GITHUB" ) {
+ source['Auth']['Type'] == "OAUTH"
+}
+```
+
+**References**
+
+- [Security in AWS CodeBuild](https://docs.aws.amazon.com/codebuild/latest/userguide/security.html)
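Review bot: in the plaintext-credentials example the heading says the projects "are not in plaintext", but it is the environment variables that must not be of type `PLAINTEXT`; reword it along the lines of "Check that no project stores AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY as a plaintext environment variable". The same example writes `environment ['EnvironmentVariables']` with a space before the bracket, while the next example writes `source['Type']` without one; make the two consistent. The last heading writes "oauth" where the query compares against `"OAUTH"`.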
diff --git a/docs/mql/resources/aws-pack/aws.codebuild.project.md b/docs/mql/resources/aws-pack/aws.codebuild.project.md
new file mode 100644
index 000000000..5c4f5721c
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.codebuild.project.md
@@ -0,0 +1,31 @@
+---
+title: aws.codebuild.project
+id: aws.codebuild.project
+sidebar_label: aws.codebuild.project
+displayed_sidebar: MQL
+description: AWS CodeBuild project
+---
+
+# aws.codebuild.project
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS CodeBuild project
+
+The `aws.codebuild.project` resource provides fields representing an individual AWS CodeBuild project configured within the account. For usage, read the `aws.codebuild` documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ----------------- | ----------------------------------------------- |
+| arn | string | ARN for the project |
+| description | string | Description of the project |
+| name | string | Name of the project |
+| environment | dict | Build environment information about the project |
+| region | string | Region where the project exists |
+| source | dict | Source used for the build project |
+| tags | map[string]string | Tags for the project |
diff --git a/docs/mql/resources/aws-pack/aws.config.md b/docs/mql/resources/aws-pack/aws.config.md
new file mode 100644
index 000000000..0f87544d6
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.config.md
@@ -0,0 +1,67 @@
+---
+title: aws.config
+id: aws.config
+sidebar_label: aws.config
+displayed_sidebar: MQL
+description: AWS config
+---
+
+# aws.config
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS config
+
+Use the `aws.config` resource to assess the configuration of the AWS Config service. The resource provides the `.recorders` field, which returns a list of `aws.config.recorder` resources representing all AWS Config recorders configured across all enabled regions, as well as the `.rules` field, which returns a list of `aws.config.rule` resources representing all AWS Config rules configured across all enabled regions in the account.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------------------------------------------------------- | -------------------------------------------------------------- |
+| recorders | [][aws.config.recorder](aws.config.recorder.md) | List of configuration recorders for each region in the account |
+| rules | [][aws.config.rule](aws.config.rule.md) | List of AWS Config rules |
+
+**Examples**
+
+Return a list of `aws.config.rule` resources representing AWS Config rules configured across all enabled regions and the values for specified fields
+
+```coffee
+aws.config.rules {
+ arn
+ state
+ source
+}
+```
+
+Return a list of AWS Config recorders configured across all enabled regions and the values for specified fields
+
+```coffee
+aws.config.recorders {
+ name
+ roleArn
+ allSupported
+ includeGlobalResourceTypes
+ resourceTypes
+ recording
+ lastStatus
+ region
+}
+```
+
+Ensure AWS Config is enabled in all regions
+
+```coffee
+aws.config.recorders.any(allSupported == true && includeGlobalResourceTypes == true)
+aws.config.recorders.where(allSupported == true && includeGlobalResourceTypes == true).all(
+ recording == true && lastStatus == "SUCCESS"
+)
+```
+
+**References**
+
+- [Security in AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security.html)
+- [AWS Config best practices](https://aws.amazon.com/blogs/mt/aws-config-best-practices/)
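Review bot: the example headed "Ensure AWS Config is enabled in all regions" does not check every region. The first line uses `.any(...)`, which is satisfied by a single recorder with `allSupported` and `includeGlobalResourceTypes` set, and the second line only tests recorders that already pass that filter, so a region whose recorder is missing or does not match is never evaluated. Either reword the heading to what the query asserts (at least one recorder captures all supported and global resource types, and every such recorder is recording with last status SUCCESS) or add a per-region check. The front-matter description and Description text also say "AWS config" where the service name is "AWS Config".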
diff --git a/docs/mql/resources/aws-pack/aws.config.recorder.md b/docs/mql/resources/aws-pack/aws.config.recorder.md
new file mode 100644
index 000000000..353682c87
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.config.recorder.md
@@ -0,0 +1,32 @@
+---
+title: aws.config.recorder
+id: aws.config.recorder
+sidebar_label: aws.config.recorder
+displayed_sidebar: MQL
+description: AWS config recorder
+---
+
+# aws.config.recorder
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS config recorder
+
+The `aws.config.recorder` resource provides fields representing an individual AWS Config recorder configured within an account. For usage, read the `aws.config` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------------- | ---------------- | ----------------------------------------------------------------------------------------- |
+| name | string | Name of the recorder |
+| roleArn | string | ARN of the IAM role used to describe the AWS resources associated with the account |
+| allSupported | bool | Whether the recorder records config changes for every supported type of regional resource |
+| includeGlobalResourceTypes | bool | Whether the recorder records all supported types of global resources |
+| recording | bool | Whether the recorder is currently recording |
+| lastStatus | string | Last (previous) status of the recorder |
+| region | string | Region for the recorder |
+| resourceTypes | []string | Whether the recorder records specific resource types |
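Review bot: the `resourceTypes` row is typed `[]string` but described as "Whether the recorder records specific resource types", which reads as a boolean. Describe it as the list of resource types the recorder records. The row also sits after `region` in the table, while the recorder example on the `aws.config` page lists `resourceTypes` right after `includeGlobalResourceTypes`; matching that order would help readers cross-reference.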
diff --git a/docs/mql/resources/aws-pack/aws.config.rule.md b/docs/mql/resources/aws-pack/aws.config.rule.md
new file mode 100644
index 000000000..a6b896286
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.config.rule.md
@@ -0,0 +1,31 @@
+---
+title: aws.config.rule
+id: aws.config.rule
+sidebar_label: aws.config.rule
+displayed_sidebar: MQL
+description: AWS config rule
+---
+
+# aws.config.rule
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS config rule
+
+The `aws.config.rule` resource provides fields representing an individual AWS Config rule configured within an account. For usage, read the `aws.config` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | -------------------------------------------------------------- |
+| arn | string | ARN for the config rule |
+| state | string | State of the rule |
+| source | dict | Rule identifier that causes the function to evaluate resources |
+| id | string | The ID of the Config rule |
+| name | string | The name that you assigned to the Config rule |
+| description | string | The description that provided for the Config rule |
+| region | string | Region for the Config rule |
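Review bot: the `description` row reads "The description that provided for the Config rule", which is missing a word; suggest "Description provided for the Config rule". The `id`, `name` and `description` rows start with "The ..." while `arn`, `state` and `region` do not, so drop the articles to keep the table consistent.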
diff --git a/docs/mql/resources/aws-pack/aws.dms.md b/docs/mql/resources/aws-pack/aws.dms.md
new file mode 100644
index 000000000..e764423d6
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.dms.md
@@ -0,0 +1,45 @@
+---
+title: aws.dms
+id: aws.dms
+sidebar_label: aws.dms
+displayed_sidebar: MQL
+description: AWS Database Migration Service (DMS)
+---
+
+# aws.dms
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Database Migration Service (DMS)
+
+Use the `aws.dms` resource to assess the configuration of the AWS Database Migration service.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | -------------- | --------------------------------- |
+| replicationInstances | []dict | List of DMS replication instances |
+
+**Examples**
+
+Return a list of AWS Database Migration service replication instances
+
+```coffee
+aws.dms.replicationInstances
+```
+
+Check whether AWS Database Migration Service replication instances are public
+
+```coffee
+aws.dms.replicationInstances.none(
+ _['PubliclyAccessible'] == true
+)
+```
+
+**References**
+
+- [Security in AWS Database Migration Service](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html)
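Review bot: the second example heading says "Check whether ... replication instances are public", but the query `aws.dms.replicationInstances.none( _['PubliclyAccessible'] == true )` passes only when none are public. State the expected outcome in the heading, for example "Check that no replication instance is publicly accessible". The page also alternates between "Database Migration Service" and "Database Migration service"; use the capitalized service name throughout.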
diff --git a/docs/mql/resources/aws-pack/aws.dynamodb.globaltable.md b/docs/mql/resources/aws-pack/aws.dynamodb.globaltable.md
new file mode 100644
index 000000000..43b792fae
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.dynamodb.globaltable.md
@@ -0,0 +1,27 @@
+---
+title: aws.dynamodb.globaltable
+id: aws.dynamodb.globaltable
+sidebar_label: aws.dynamodb.globaltable
+displayed_sidebar: MQL
+description: Amazon DynamoDB global table
+---
+
+# aws.dynamodb.globaltable
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon DynamoDB global table
+
+The `aws.dynamodb.globaltable` resource provides fields representing a DynamoDB global table. For usage, see `aws.dynamodb` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | -------------- | -------------------------------------- |
+| arn | string | ARN for the global table |
+| name | string | Table name |
+| replicaSettings | []dict | List of replica settings for the table |
diff --git a/docs/mql/resources/aws-pack/aws.dynamodb.limit.md b/docs/mql/resources/aws-pack/aws.dynamodb.limit.md
new file mode 100644
index 000000000..3a44ad607
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.dynamodb.limit.md
@@ -0,0 +1,30 @@
+---
+title: aws.dynamodb.limit
+id: aws.dynamodb.limit
+sidebar_label: aws.dynamodb.limit
+displayed_sidebar: MQL
+description: Amazon DynamoDB limits
+---
+
+# aws.dynamodb.limit
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon DynamoDB limits
+
+The `aws.dynamodb.limit` resource provides fields representing a DynamoDB limit configuration. For usage, see `aws.dynamodb` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ------ | ------------------------------------------------------------- |
+| arn | string | ARN representing the account + region where the limit applies |
+| region | string | Region where the limits apply |
+| accountMaxRead | int | Account max read limit |
+| accountMaxWrite | int | Account max write limit |
+| tableMaxRead | int | Table max read limit |
+| tableMaxWrite | int | Table max write limit |
diff --git a/docs/mql/resources/aws-pack/aws.dynamodb.md b/docs/mql/resources/aws-pack/aws.dynamodb.md
new file mode 100644
index 000000000..d439e546f
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.dynamodb.md
@@ -0,0 +1,79 @@
+---
+title: aws.dynamodb
+id: aws.dynamodb
+sidebar_label: aws.dynamodb
+displayed_sidebar: MQL
+description: Amazon DynamoDB
+---
+
+# aws.dynamodb
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon DynamoDB
+
+Use the `aws.dynamodb` resource to assess the configuration of the AWS DynamoDB.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ----------------------------------------------------------------- | -------------------------------------------- |
+| backups | []dict | List of backups for DynamoDB |
+| globalTables | [][aws.dynamodb.globaltable](aws.dynamodb.globaltable.md) | List of global tables for DynamoDB |
+| tables | [][aws.dynamodb.table](aws.dynamodb.table.md) | List of tables for DynamoDB |
+| limits | [][aws.dynamodb.limit](aws.dynamodb.limit.md) | List of DynamoDB settings across all regions |
+
+**Examples**
+
+Return a list of `aws.dynamodb.table` resources and the values for specified fields
+
+```coffee
+aws.dynamodb.tables {
+ arn
+ name
+ region
+ backups
+ sseDescription
+ provisionedThroughput
+ continuousBackups
+}
+```
+
+Return a list of `aws.dynamodb.limit` resources and the values for specified fields
+
+```coffee
+aws.dynamodb.limits {
+ arn
+ region
+ accountMaxRead
+ accountMaxWrite
+ tableMaxRead
+ tableMaxWrite
+}
+```
+
+Return a list of `aws.dynamodb.globaltable` resources and the value for specified fields
+
+```coffee
+aws.dynamodb.globaltables {
+ arn
+ name
+ replicaSettings
+}
+```
+
+Check that all DynamoDB tables are encrypted with AWS Key Management Service (KMS)
+
+```coffee
+aws.dynamodb.tables.all(
+ sseDescription['SSEType'] == 'KMS' && sseDescription['Status'] == 'ENABLED'
+)
+```
+
+**References**
+
+- [Security and Compliance in Amazon DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/security.html)
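Review bot: the third example queries `aws.dynamodb.globaltables`, but the Fields table on this same page declares the field as `globalTables`. Change the example to `aws.dynamodb.globalTables { ... }` so it matches the documented field ID, or confirm that the lowercase form is accepted and say so. The Description sentence "the configuration of the AWS DynamoDB" also needs either the article dropped or a noun such as "service" added.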
diff --git a/docs/mql/resources/aws-pack/aws.dynamodb.table.md b/docs/mql/resources/aws-pack/aws.dynamodb.table.md
new file mode 100644
index 000000000..f17735a97
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.dynamodb.table.md
@@ -0,0 +1,38 @@
+---
+title: aws.dynamodb.table
+id: aws.dynamodb.table
+sidebar_label: aws.dynamodb.table
+displayed_sidebar: MQL
+description: Amazon DynamoDB table
+---
+
+# aws.dynamodb.table
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon DynamoDB table
+
+The `aws.dynamodb.table` resource provides fields representing a DynamoDB table. For usage, see `aws.dynamodb` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------- | ----------------- | --------------------------------------------------------------------------------------------------------------------------------- |
+| arn | string | ARN for the table |
+| name | string | Table name |
+| region | string | Region where the table exists |
+| backups | []dict | Backups for the table |
+| sseDescription | dict | Description of server-side encryption for the table |
+| provisionedThroughput | dict | Provisioned throughput settings for the table |
+| continuousBackups | dict | Continuous backups and point-in-time recovery settings for the table |
+| tags | map[string]string | Tags for the table |
+| createdTime | time | The creation time of the table |
+| deletionProtectionEnabled | bool | Is deletion protection enabled |
+| globalTableVersion | string | The global table version |
+| id | string | The table ID |
+| sizeBytes | int | The total size of the specified table, in bytes. DynamoDB updates this value approximately every six hours. |
+| status | string | The current state of the table: CREATING, UPDATING, DELETING, ACTIVE, INACCESSIBLE_ENCRYPTION_CREDENTIALS, ARCHIVING, or ARCHIVED |
diff --git a/docs/mql/resources/aws-pack/aws.ec2.image.md b/docs/mql/resources/aws-pack/aws.ec2.image.md
new file mode 100644
index 000000000..b38ffe4d3
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ec2.image.md
@@ -0,0 +1,30 @@
+---
+title: aws.ec2.image
+id: aws.ec2.image
+sidebar_label: aws.ec2.image
+displayed_sidebar: MQL
+description: Amazon EC2 image (AMI)
+---
+
+# aws.ec2.image
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon EC2 image (AMI)
+
+The `aws.ec2.image` resource provides fields for assessing AMIs within an account. For usage, see `aws.ec2` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------ | -------------------------------------- |
+| arn | string | ARN for the AMI |
+| id | string | ID of the image |
+| name | string | Name for the image |
+| architecture | string | Architecture associated with the image |
+| ownerId | string | AWS account ID of the image owner |
+| ownerAlias | string | Alias for the image owner |
diff --git a/docs/mql/resources/aws-pack/aws.ec2.instance.device.md b/docs/mql/resources/aws-pack/aws.ec2.instance.device.md
new file mode 100644
index 000000000..32591b3d1
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ec2.instance.device.md
@@ -0,0 +1,28 @@
+---
+title: aws.ec2.instance.device
+id: aws.ec2.instance.device
+sidebar_label: aws.ec2.instance.device
+displayed_sidebar: MQL
+description: Amazon EC2 instance device
+---
+
+# aws.ec2.instance.device
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon EC2 instance device
+
+The `aws.ec2.instance.device` resource provides fields for assessing the configuration of devices attached to EC2 instances within an account. For usage, see `aws.ec2` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------- | ------ | -------------------------------------------------------------------------- |
+| deleteOnTermination | bool | Boolean to denote whether volume should be deleted on instance termination |
+| status | string | Status of the device |
+| volumeId | string | Volume id for the device |
+| deviceName | string | Name for the device |
diff --git a/docs/mql/resources/aws-pack/aws.ec2.instance.md b/docs/mql/resources/aws-pack/aws.ec2.instance.md
new file mode 100644
index 000000000..d8c715676
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ec2.instance.md
@@ -0,0 +1,58 @@
+---
+title: aws.ec2.instance
+id: aws.ec2.instance
+sidebar_label: aws.ec2.instance
+displayed_sidebar: MQL
+description: Amazon EC2 instance
+---
+
+# aws.ec2.instance
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon EC2 instance
+
+The `aws.ec2.instance` resource provides fields for assessing the configuration of EC2 instances within an account. For usage, see `aws.ec2` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------- | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------- |
+| arn | string | ARN for the instance |
+| instanceId | string | Instance ID for the instance |
+| detailedMonitoring | string | Whether detailed monitoring is enabled |
+| region | string | Region where the instance exists |
+| publicIp | string | Public IP for instance |
+| ssm | dict | Amazon Systems Manager information for the instance |
+| vpc | [aws.vpc](aws.vpc.md) | VPC associated with the instance |
+| httpTokens | string | A value of "optional" denotes IMDSv1 server compatibility; "required" denotes IMDSv2 |
+| httpEndpoint | string | Status of the IMDS endpoint enabled on the instance |
+| patchState | dict | Patch state information about the instance |
+| state | string | State of the instance: pending, running, stopping, stopped, rebooting, or terminated |
+| deviceMappings | [][aws.ec2.instance.device](aws.ec2.instance.device.md) | List of devices attached to the instance (such as EBS volume) |
+| securityGroups | [][aws.ec2.securitygroup](aws.ec2.securitygroup.md) | List of security groups (IDs) associated with the instance |
+| platformDetails | string | Platform details |
+| publicDnsName | string | Public DNS name for the instance |
+| instanceStatus | dict | The status of the specified instance |
+| stateReason | dict | Reason for the most recent state transition |
+| stateTransitionReason | string | Reason for the most recent state transition |
+| ebsOptimized | bool | Whether the instance has EBS optimization turned on |
+| enaSupported | bool | Whether enhanced networking with ENA is enabled |
+| instanceType | string | Instance type, such as t2.micro |
+| tags | map[string]string | Tags on the instance |
+| image | [aws.ec2.image](aws.ec2.image.md) | Image that was used for the instance |
+| launchTime | time | Launch time of the instance |
+| privateIp | string | Private IP address for the instance |
+| privateDnsName | string | Private DNS name for the instance |
+| keypair | [aws.ec2.keypair](aws.ec2.keypair.md) | Key pair associated with the instance |
+| stateTransitionTime | time | Time when the last state transition occurred |
+| vpcArn | string | The ARN of the VPC associated with the instance |
+| hypervisor | string | The hypervisor type of the instance: ovm or xen |
+| instanceLifecycle | string | Whether this is a Spot Instance or a Scheduled Instance: spot, scheduled, or capacity-block |
+| rootDeviceType | string | The root device type used by the AMI: ebs or instance-store |
+| rootDeviceName | string | The device name of the root device volume, such as /dev/sda1 |
+| architecture | string | The architecture of the instance |
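Review bot: In the Fields table, `stateReason` (dict) and `stateTransitionReason` (string) carry the identical description "Reason for the most recent state transition", so a reader cannot tell which one to query; state what each field holds. `securityGroups` is described as "List of security groups (IDs)" although its type is a list of `aws.ec2.securitygroup` resources, so drop "(IDs)". `httpEndpoint` should name its possible values the way the `httpTokens` row does, since the two fields are read together when assessing IMDS exposure, and `detailedMonitoring` is typed string but described with "Whether", so give its values as well.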
diff --git a/docs/mql/resources/aws-pack/aws.ec2.internetgateway.md b/docs/mql/resources/aws-pack/aws.ec2.internetgateway.md
new file mode 100644
index 000000000..c80e5b1a2
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ec2.internetgateway.md
@@ -0,0 +1,27 @@
+---
+title: aws.ec2.internetgateway
+id: aws.ec2.internetgateway
+sidebar_label: aws.ec2.internetgateway
+displayed_sidebar: MQL
+description: Amazon EC2 internet gateway
+---
+
+# aws.ec2.internetgateway
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon EC2 internet gateway
+
+The `aws.ec2.internetgateway` resource provides fields for assessing the configuration of internet gateways within an AWS account. For usage, see `aws.ec2` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | -------------- | ------------------- |
+| arn | string | ARN for the gateway |
+| id | string | ID for the gateway |
+| attachments | []dict | VPC attachments |
diff --git a/docs/mql/resources/aws-pack/aws.ec2.keypair.md b/docs/mql/resources/aws-pack/aws.ec2.keypair.md
new file mode 100644
index 000000000..22130898e
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ec2.keypair.md
@@ -0,0 +1,29 @@
+---
+title: aws.ec2.keypair
+id: aws.ec2.keypair
+sidebar_label: aws.ec2.keypair
+displayed_sidebar: MQL
+description: Amazon EC2 key pair
+---
+
+# aws.ec2.keypair
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon EC2 key pair
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ----------------- | -------------------------------- |
+| arn | string | ARN of the key pair |
+| fingerprint | string | Fingerprint for the key pair |
+| name | string | Name of the key pair |
+| type | string | Type of key, such as RSA |
+| tags | map[string]string | Tags for the key pair |
+| region | string | Region where the key pair exists |
+| createdAt | time | Date the keypair was created |
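Review bot: This page has no usage sentence after the one-line description, unlike the sibling `aws.ec2.*` pages in this patch, which all end with "For usage, see `aws.ec2` resource documentation." Add it for consistency, and change "keypair" to "key pair" in the `createdAt` row to match the other rows.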
diff --git a/docs/mql/resources/aws-pack/aws.ec2.md b/docs/mql/resources/aws-pack/aws.ec2.md
new file mode 100644
index 000000000..16d9d7755
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ec2.md
@@ -0,0 +1,97 @@
+---
+title: aws.ec2
+id: aws.ec2
+sidebar_label: aws.ec2
+displayed_sidebar: MQL
+description: Amazon EC2
+---
+
+# aws.ec2
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon EC2
+
+Use the `aws.ec2` resource to assess the configuration of AWS EC2 instances.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------- | --------------------------------------------------------------- | ------------------------------------------------------------------------------- |
+| securityGroups | [][aws.ec2.securitygroup](aws.ec2.securitygroup.md) | List of security groups available to the account |
+| instances | [][aws.ec2.instance](aws.ec2.instance.md) | List of instances across the AWS account (all regions) |
+| ebsEncryptionByDefault | map[string]bool | map[region]boolean used to denote if ebs encryption is on by default per region |
+| volumes | [][aws.ec2.volume](aws.ec2.volume.md) | List of volumes across the AWS account |
+| snapshots | [][aws.ec2.snapshot](aws.ec2.snapshot.md) | List of snapshots across the account |
+| internetGateways | [][aws.ec2.internetgateway](aws.ec2.internetgateway.md) | List of internet gateways |
+| vpnConnections | [][aws.ec2.vpnconnection](aws.ec2.vpnconnection.md) | List of VPN connections |
+| networkAcls | [][aws.ec2.networkacl](aws.ec2.networkacl.md) | List of network ACLs |
+| keypairs | [][aws.ec2.keypair](aws.ec2.keypair.md) | List of keypairs for the account |
+
+**Examples**
+
+Return a list of all EC2 instances across all enabled regions in the account and the values for specified fields
+
+```coffee
+aws.ec2.instances {
+ arn
+ instanceId
+ detailedMonitoring
+ region
+ publicIp
+ ssm
+ vpc
+ httpTokens
+ patchState
+ state
+ deviceMappings
+ securityGroups
+ publicDnsName
+ instanceStatus
+ stateReason
+ stateTransitionReason
+ ebsOptimized
+ instanceType
+ tags
+ image
+ launchTime
+}
+```
+
+Return a list of security groups across every enabled region and the value for specified fields
+
+```coffee
+aws.ec2.securityGroups {
+ arn
+ region
+ vpc
+ id
+}
+```
+
+Return a list of all EBS volumes along with the associated ARN and the region the volume exists in
+
+```coffee
+aws.ec2.volumes {
+ arn
+ region
+}
+```
+
+Ensure the default security group of every VPC restricts all traffic
+
+```coffee
+aws.ec2.securityGroups.where(name == "default") {
+ ipPermissions.all(ipRanges.length == 0 && ipv6Ranges.length == 0 && fromPort == 0 && toPort == 0)
+ ipPermissionsEgress.all(ipRanges.length == 0 && ipv6Ranges.length == 0 && fromPort == 0 && toPort == 0)
+}
+```
+
+**References**
+
+- [Security in Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security.html)
+- [Security in Amazon Virtual Private Cloud](https://docs.aws.amazon.com/vpc/latest/userguide/security.html)
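Review bot: The last example's condition does not establish what its lead sentence claims. `ipRanges.length == 0 && ipv6Ranges.length == 0` only inspects CIDR sources, and the `aws.ec2.securitygroup.ippermission` fields documented in this patch expose no security-group or prefix-list source, so a rule in the default group that references another group has no CIDR ranges and can satisfy the condition. Either assert that `ipPermissions` and `ipPermissionsEgress` are empty, or reword the sentence to say the check covers CIDR ranges only, and explain why `fromPort == 0 && toPort == 0` is required. Separately, the description says the resource assesses "AWS EC2 instances" while the Fields table also covers volumes, snapshots, internet gateways, VPN connections, network ACLs and key pairs.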
diff --git a/docs/mql/resources/aws-pack/aws.ec2.networkacl.entry.md b/docs/mql/resources/aws-pack/aws.ec2.networkacl.entry.md
new file mode 100644
index 000000000..c9ba94364
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ec2.networkacl.entry.md
@@ -0,0 +1,31 @@
+---
+title: aws.ec2.networkacl.entry
+id: aws.ec2.networkacl.entry
+sidebar_label: aws.ec2.networkacl.entry
+displayed_sidebar: MQL
+description: Amazon EC2 network ACL entry
+---
+
+# aws.ec2.networkacl.entry
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon EC2 network ACL entry
+
+The `aws.ec2.networkacl.entry` resource provides fields for assessing the configuration of network ACL entries within an AWS account. For usage, see `aws.ec2` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | --------------------------------------------------------------------------- | ----------------------------------------- |
+| egress | bool | Whether this is an entry for egress rules |
+| ruleAction | string | Allow or deny |
+| ruleNumber | int | The rule number |
+| portRange | [aws.ec2.networkacl.entry.portrange](aws.ec2.networkacl.entry.portrange.md) | Port range for the ACL entry |
+| cidrBlock | string | CIDR block for the ACL entry |
+| ipv6CidrBlock | string | IPv6 CIDR block for the ACL entry |
+| id | string | ID for the ACL entry rule |
diff --git a/docs/mql/resources/aws-pack/aws.ec2.networkacl.entry.portrange.md b/docs/mql/resources/aws-pack/aws.ec2.networkacl.entry.portrange.md
new file mode 100644
index 000000000..a84419792
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ec2.networkacl.entry.portrange.md
@@ -0,0 +1,27 @@
+---
+title: aws.ec2.networkacl.entry.portrange
+id: aws.ec2.networkacl.entry.portrange
+sidebar_label: aws.ec2.networkacl.entry.portrange
+displayed_sidebar: MQL
+description: Amazon EC2 network ACL entry port range
+---
+
+# aws.ec2.networkacl.entry.portrange
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon EC2 network ACL entry port range
+
+The `aws.ec2.networkacl.portrange` resource provides fields for assessing the port range configuration of network ACL entries within an AWS account. For usage, see `aws.ec2` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | ------ | ---------------------------- |
+| from | int | Starting port for port range |
+| to | int | Ending port for port range |
+| id | string | ID for the entry port range |
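Review bot: The description paragraph names the resource `aws.ec2.networkacl.portrange`, but the title, `id` and heading in this same file are `aws.ec2.networkacl.entry.portrange`. Correct the name in the paragraph so a reader who copies it into a query gets an existing resource.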
diff --git a/docs/mql/resources/aws-pack/aws.ec2.networkacl.md b/docs/mql/resources/aws-pack/aws.ec2.networkacl.md
new file mode 100644
index 000000000..40390b019
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ec2.networkacl.md
@@ -0,0 +1,30 @@
+---
+title: aws.ec2.networkacl
+id: aws.ec2.networkacl
+sidebar_label: aws.ec2.networkacl
+displayed_sidebar: MQL
+description: Amazon EC2 network ACL
+---
+
+# aws.ec2.networkacl
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon EC2 network ACL
+
+The `aws.ec2.networkacl` resource provides fields for assessing the configuration of VPC network ACLs within an AWS account. For usage, see `aws.ec2` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ----------------------------------------------------------------- | ------------------------------------------------------ |
+| arn | string | ARN for the network ACL |
+| id | string | ID for the network ACL |
+| region | string | Region for the network ACL |
+| entries | [][aws.ec2.networkacl.entry](aws.ec2.networkacl.entry.md) | Entries for the network ACL |
+| isDefault | bool | Whether the ACL is the default network ACL for the VPC |
+| tags | map[string]string | Tags for the network ACL |
diff --git a/docs/mql/resources/aws-pack/aws.ec2.securitygroup.ippermission.md b/docs/mql/resources/aws-pack/aws.ec2.securitygroup.ippermission.md
new file mode 100644
index 000000000..4ea2fb273
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ec2.securitygroup.ippermission.md
@@ -0,0 +1,30 @@
+---
+title: aws.ec2.securitygroup.ippermission
+id: aws.ec2.securitygroup.ippermission
+sidebar_label: aws.ec2.securitygroup.ippermission
+displayed_sidebar: MQL
+description: Amazon EC2 security group IP permission
+---
+
+# aws.ec2.securitygroup.ippermission
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon EC2 security group IP permission
+
+The `aws.ec2.securitygroup.ippermission` resource provides fields for assessing the configuration of ip permissions for security groups within an AWS account. For usage, see `aws.ec2` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ---------------- | ----------------------------------------- |
+| id | string | Unique ID for the IP permission |
+| fromPort | int | Start of port range for TCP/UDP protocols |
+| toPort | int | End of port range for TCP/UDP protocols |
+| ipProtocol | string | IP protocol name |
+| ipRanges | []string | IPv4 ranges |
+| ipv6Ranges | []string | IPv6 ranges |
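Review bot: The `fromPort` and `toPort` rows say the fields apply to TCP/UDP but do not say what value they hold for other protocols or for all-protocol rules, and the `aws.ec2` example in this patch compares both to 0. Document that value here, list the values `ipProtocol` can take, and capitalize "ip permissions" as "IP permissions" in the description paragraph.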
diff --git a/docs/mql/resources/aws-pack/aws.ec2.securitygroup.md b/docs/mql/resources/aws-pack/aws.ec2.securitygroup.md
new file mode 100644
index 000000000..de39be9e6
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ec2.securitygroup.md
@@ -0,0 +1,34 @@
+---
+title: aws.ec2.securitygroup
+id: aws.ec2.securitygroup
+sidebar_label: aws.ec2.securitygroup
+displayed_sidebar: MQL
+description: Amazon EC2 security group
+---
+
+# aws.ec2.securitygroup
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon EC2 security group
+
+The `aws.ec2.securitygroup` resource provides fields for assessing the configuration of security groups within an AWS account. For usage, see `aws.ec2` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------------- | ------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
+| arn | string | Security group ARN |
+| id | string | Security group ID |
+| name | string | Name of the security group |
+| description | string | Description of the security group |
+| tags | map[string]string | A map of tags associated with the security group |
+| vpc | [aws.vpc](aws.vpc.md) | VPC associated with the security group |
+| ipPermissions | [][aws.ec2.securitygroup.ippermission](aws.ec2.securitygroup.ippermission.md) | IP permissions (ingress) for the security group |
+| ipPermissionsEgress | [][aws.ec2.securitygroup.ippermission](aws.ec2.securitygroup.ippermission.md) | IP permissions (egress) for the security group |
+| region | string | Region associated with the security group |
+| isAttachedToNetworkInterface | bool | Whether the security group is attached to Amazon Elastic Compute Cloud |
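Review bot: The `isAttachedToNetworkInterface` row is described as "Whether the security group is attached to Amazon Elastic Compute Cloud", which does not match the field name. Describe it in terms of network interfaces, since this field is what a reader would use to find unused security groups.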
diff --git a/docs/mql/resources/aws-pack/aws.ec2.snapshot.md b/docs/mql/resources/aws-pack/aws.ec2.snapshot.md
new file mode 100644
index 000000000..bd1a8ed5d
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ec2.snapshot.md
@@ -0,0 +1,35 @@
+---
+title: aws.ec2.snapshot
+id: aws.ec2.snapshot
+sidebar_label: aws.ec2.snapshot
+displayed_sidebar: MQL
+description: Amazon EC2 (EBS) snapshot
+---
+
+# aws.ec2.snapshot
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon EC2 (EBS) snapshot
+
+The `aws.ec2.snapshot` resource provides fields for assessing the configuration of EBS snapshots within an AWS account. For usage, see `aws.ec2` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------- | ----------------- | ---------------------------------------------------------------------------- |
+| arn | string | ARN for the snapshot |
+| id | string | ID for the snapshot |
+| region | string | Region where the snapshot exists |
+| createVolumePermission | []dict | Users/groups that have the permissions to create volumes from the snapshot |
+| volumeId | string | ID of the volume used to create the snapshot |
+| startTime | time | Time when the snapshot was initiated |
+| tags | map[string]string | Tags for the snapshot |
+| state | string | State of the snapshot: pending, completed, error, recoverable, or recovering |
+| volumeSize | int | The size of the volume, in GiB |
+| description | string | The description of the snapshot |
+| encrypted | bool | Whether the snapshot is encrypted |
diff --git a/docs/mql/resources/aws-pack/aws.ec2.vgwtelemetry.md b/docs/mql/resources/aws-pack/aws.ec2.vgwtelemetry.md
new file mode 100644
index 000000000..be154a3e8
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ec2.vgwtelemetry.md
@@ -0,0 +1,27 @@
+---
+title: aws.ec2.vgwtelemetry
+id: aws.ec2.vgwtelemetry
+sidebar_label: aws.ec2.vgwtelemetry
+displayed_sidebar: MQL
+description: Amazon EC2 VPN tunnel telemetry
+---
+
+# aws.ec2.vgwtelemetry
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon EC2 VPN tunnel telemetry
+
+The `aws.ec2.vgwtelemetry` resource provides fields for assessing the configuration of telemetry for VPN tunnels within an AWS account. For usage, see `aws.ec2` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ------ | ------------------------- |
+| outsideIpAddress | string | Outside IP address |
+| status | string | VPN tunnel status |
+| statusMessage | string | VPN tunnel status message |
diff --git a/docs/mql/resources/aws-pack/aws.ec2.volume.md b/docs/mql/resources/aws-pack/aws.ec2.volume.md
new file mode 100644
index 000000000..ed9060f1c
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ec2.volume.md
@@ -0,0 +1,38 @@
+---
+title: aws.ec2.volume
+id: aws.ec2.volume
+sidebar_label: aws.ec2.volume
+displayed_sidebar: MQL
+description: Amazon EC2 (EBS) volume
+---
+
+# aws.ec2.volume
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon EC2 (EBS) volume
+
+The `aws.ec2.volume` resource provides fields for assessing the configuration of EBS volumes within an AWS account. For usage, see `aws.ec2` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| arn | string | ARN for the EC2 volume |
+| id | string | ID of the EC2 volume |
+| attachments | []dict | Information about the volume attachments |
+| encrypted | bool | Whether the volume is encrypted |
+| state | string | State of the volume: creating, available, in-use, and so on |
+| tags | map[string]string | A map of tags associated with the EBS volume |
+| availabilityZone | string | Availability Zone in which the volume was created |
+| volumeType | string | EBS volume type: gp2, gp3, io1, io2, st1, sc1, or standard |
+| createTime | time | Time the volume was created |
+| region | string | Region where the EC2 volume is stored |
+| multiAttachEnabled | bool | Whether Amazon EBS Multi-Attach is enabled. |
+| throughput | int | The throughput that the volume supports, in MiB/s. |
+| size | int | The size of the volume, in GiBs. |
+| iops | int | The number of I/O operations per second (IOPS). For gp3, io1, and io2 volumes, this represents the number of IOPS that are provisioned for the volume. For gp2 volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting. |
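Review bot: The last four rows (`multiAttachEnabled`, `throughput`, `size`, `iops`) end with a period while the other rows in this table do not, and `size` uses "GiBs" where the snapshot page in this patch uses "GiB". The `iops` description is long enough to widen the whole table; shorten it to one sentence and move the gp2/gp3 detail into a paragraph below the table.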
diff --git a/docs/mql/resources/aws-pack/aws.ec2.vpnconnection.md b/docs/mql/resources/aws-pack/aws.ec2.vpnconnection.md
new file mode 100644
index 000000000..4794179b7
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ec2.vpnconnection.md
@@ -0,0 +1,26 @@
+---
+title: aws.ec2.vpnconnection
+id: aws.ec2.vpnconnection
+sidebar_label: aws.ec2.vpnconnection
+displayed_sidebar: MQL
+description: Amazon EC2 VPN connection
+---
+
+# aws.ec2.vpnconnection
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon EC2 VPN connection
+
+The `aws.ec2.vpnconnection` resource provides fields for assessing the configuration of VPN connections within an AWS account. For usage, see `aws.ec2` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | --------------------------------------------------------- | ---------------------------------- |
+| arn | string | ARN for the VPN connection |
+| vgwTelemetry | [][aws.ec2.vgwtelemetry](aws.ec2.vgwtelemetry.md) | List of telemetry data for the VPN |
diff --git a/docs/mql/resources/aws-pack/aws.ecr.image.md b/docs/mql/resources/aws-pack/aws.ecr.image.md
new file mode 100644
index 000000000..d520a8aa3
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ecr.image.md
@@ -0,0 +1,48 @@
+---
+title: aws.ecr.image
+id: aws.ecr.image
+sidebar_label: aws.ecr.image
+displayed_sidebar: MQL
+description: AWS Elastic Container Registry image
+---
+
+# aws.ecr.image
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Elastic Container Registry image
+
+Use the `aws.ecr.image` resource to assess a container image stored in an Amazon Elastic Container Registry.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ---------------- | ------------------------------------------------------------- |
+| digest | string | SHA256 of the image manifest |
+| mediaType | string | Type of image manifest |
+| tags | []string | List of tags associated with image |
+| registryId | string | AWS account ID associated with public registry for this image |
+| repoName | string | Name of the repository for the image |
+| region | string | Region where the ECR image is located |
+| arn | string | ARN for the image |
+| uri | string | uri for the image repository |
+
+**Examples**
+
+Return a list of `aws.ecr.image` resources representing the images stored in public repositories.
+
+```coffee
+aws.ecr {
+ publicRepositories {
+ images {
+ digest
+ repoName
+ tags
+ }
+ }
+}
+```
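Review bot: The `registryId` row says "AWS account ID associated with public registry for this image", but `aws.ecr` in this patch lists both private and public repositories, so the description should not be limited to public registries. The only example also walks `publicRepositories`; add a `privateRepositories` variant or say that the same block works there. Capitalize "uri" in the `uri` row to match the `aws.ecr.repository` page.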
diff --git a/docs/mql/resources/aws-pack/aws.ecr.md b/docs/mql/resources/aws-pack/aws.ecr.md
new file mode 100644
index 000000000..1cd21ce68
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ecr.md
@@ -0,0 +1,39 @@
+---
+title: aws.ecr
+id: aws.ecr
+sidebar_label: aws.ecr
+displayed_sidebar: MQL
+description: AWS Elastic Container Registry (ECR)
+---
+
+# aws.ecr
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Elastic Container Registry (ECR)
+
+The `aws.ecr` resource to assess the configuration of an Amazon Elastic Container Registry.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------- | ----------------------------------------------------- | ----------------------------------------------------------- |
+| privateRepositories | [][aws.ecr.repository](aws.ecr.repository.md) | List of private repositories |
+| publicRepositories | [][aws.ecr.repository](aws.ecr.repository.md) | List of public repositories associated with the AWS account |
+| images | [][aws.ecr.image](aws.ecr.image.md) | List of images |
+
+**Examples**
+
+Return a `aws.ecr` resource representing the Elastic Container Registry.
+
+```coffee
+aws.ecr {*}
+```
+
+**References**
+
+- [Security in Amazon Elastic Container Registry](https://docs.aws.amazon.com/AmazonECR/latest/userguide/security.html)
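Review bot: The description sentence "The `aws.ecr` resource to assess the configuration of an Amazon Elastic Container Registry." has no verb; the sibling pages use "Use the `...` resource to assess ...". In the example lead sentence, "Return a `aws.ecr` resource" should read "Return an `aws.ecr` resource".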
diff --git a/docs/mql/resources/aws-pack/aws.ecr.repository.md b/docs/mql/resources/aws-pack/aws.ecr.repository.md
new file mode 100644
index 000000000..928616759
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ecr.repository.md
@@ -0,0 +1,45 @@
+---
+title: aws.ecr.repository
+id: aws.ecr.repository
+sidebar_label: aws.ecr.repository
+displayed_sidebar: MQL
+description: AWS Elastic Container Registry repository
+---
+
+# aws.ecr.repository
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Elastic Container Registry repository
+
+Use the `aws.ecr.repository` resource to assess the Amazon Elastic Container Registry repositories.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ------------------------------------------- | ------------------------------------------------------------------ |
+| arn | string | ARN of the repository |
+| name | string | Name of the repository |
+| uri | string | URI of the repository, used for push/pull operations |
+| registryId | string | AWS Account ID associated with public registry for this repository |
+| public | bool | Whether the repository is public |
+| images | [][aws.ecr.image](aws.ecr.image.md) | List of images in the repository |
+| region | string | Region where the image is stored |
+| imageScanOnPush | bool | Repository option to scan on image push |
+
+**Examples**
+
+Return a list of `aws.ecr.repository` resources representing the public repositories.
+
+```coffee
+aws.ecr {
+ publicRepositories {
+ name
+ uri
+ }
+}
+```
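Review bot: The `region` row reads "Region where the image is stored", which looks copied from the image page; this resource is a repository. The `registryId` row mentions only the "public registry" although the table has a `public` bool that distinguishes public from private repositories. The example returns only `name` and `uri`; showing `public` and `imageScanOnPush` would demonstrate the fields a reader is most likely to assess.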
diff --git a/docs/mql/resources/aws-pack/aws.ecs.cluster.md b/docs/mql/resources/aws-pack/aws.ecs.cluster.md
new file mode 100644
index 000000000..c6bdae6de
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ecs.cluster.md
@@ -0,0 +1,33 @@
+---
+title: aws.ecs.cluster
+id: aws.ecs.cluster
+sidebar_label: aws.ecs.cluster
+displayed_sidebar: MQL
+description: Amazon ECS cluster
+---
+
+# aws.ecs.cluster
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon ECS cluster
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------------------- | ------------------------------------------------- | ------------------------------------------------------ |
+| arn | string | ARN of the ECS cluster |
+| name | string | Name of the ECS cluster |
+| tags | map[string]string | Tags of the ECS cluster |
+| runningTasksCount | int | Count of running tasks in the cluster |
+| pendingTasksCount | int | Count of pending tasks in the cluster |
+| registeredContainerInstancesCount | int | Count of container instances registered to the cluster |
+| configuration | dict | Configuration for the cluster |
+| status | string | Status of the cluster |
+| tasks | [][aws.ecs.task](aws.ecs.task.md) | List of AWS ECS task definitions |
+| containerInstances | [][aws.ecs.instance](aws.ecs.instance.md) | List of AWS ECS container instances |
+| region | string | The region where the cluster is located |
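Review bot: The `tasks` row is described as "List of AWS ECS task definitions" while its type is a list of `aws.ecs.task`, which this patch documents as "Amazon ECS task". Tasks and task definitions are different objects in ECS, so change the description to "List of AWS ECS tasks" or explain the relationship. The page also has no description paragraph or usage pointer beyond the one-line title.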
diff --git a/docs/mql/resources/aws-pack/aws.ecs.container.md b/docs/mql/resources/aws-pack/aws.ecs.container.md
new file mode 100644
index 000000000..903cd9d83
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ecs.container.md
@@ -0,0 +1,37 @@
+---
+title: aws.ecs.container
+id: aws.ecs.container
+sidebar_label: aws.ecs.container
+displayed_sidebar: MQL
+description: Amazon ECS container
+---
+
+# aws.ecs.container
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon ECS container
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ---------------- | ------------------------------------------------------------- |
+| name | string | Name of the ECS container + IP for unique identification |
+| arn | string | ARN of the ECS container |
+| publicIp | string | Public IP address of the ECS container |
+| image | string | Image used for the ECS container |
+| clusterName | string | Cluster associated with the ECS container |
+| taskDefinitionArn | string | ARN for the task definition associated with the ECS container |
+| logDriver | string | logDriver setting for the ECS container |
+| platformFamily | string | Platform family associated with the ECS container |
+| platformVersion | string | Platform version assigned to the ECS container |
+| status | string | Status of the ECS container |
+| region | string | Region where the ECS Container is located |
+| command | []string | Command used to start the container |
+| taskArn | string | ARN for the task used to create the container |
+| runtimeId | string | Runtime id for the container |
+| containerName | string | Name of the ECS container |
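Review bot: The table has both `name` ("Name of the ECS container + IP for unique identification") and `containerName` ("Name of the ECS container"), and the difference is not explained. State the format of `name` and when to prefer `containerName`. Casing is also inconsistent in the `region` row ("ECS Container") and the `runtimeId` row ("Runtime id").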
diff --git a/docs/mql/resources/aws-pack/aws.ecs.instance.md b/docs/mql/resources/aws-pack/aws.ecs.instance.md
new file mode 100644
index 000000000..eaaefbcb7
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ecs.instance.md
@@ -0,0 +1,28 @@
+---
+title: aws.ecs.instance
+id: aws.ecs.instance
+sidebar_label: aws.ecs.instance
+displayed_sidebar: MQL
+description: AWS ECS container instance
+---
+
+# aws.ecs.instance
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS ECS container instance
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | --------------------------------------- | ------------------------------------------------------------------------ |
+| agentConnected | bool | True if agent is connected to ECS |
+| id | string | ID for the container instance |
+| arn | string | ARN for the container instance |
+| capacityProvider | string | Capacity provider associated with the container instance |
+| ec2Instance | [aws.ec2.instance](aws.ec2.instance.md) | If container instance is EC2 instance, this is the EC2 instance resource |
+| region | string | Region for the container instance |
diff --git a/docs/mql/resources/aws-pack/aws.ecs.md b/docs/mql/resources/aws-pack/aws.ecs.md
new file mode 100644
index 000000000..a2b9293ca
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ecs.md
@@ -0,0 +1,25 @@
+---
+title: aws.ecs
+id: aws.ecs
+sidebar_label: aws.ecs
+displayed_sidebar: MQL
+description: Amazon Elastic Container Service (ECS)
+---
+
+# aws.ecs
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon Elastic Container Service (ECS)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | --------------------------------------------------- | ----------------------------------- |
+| clusters | [][aws.ecs.cluster](aws.ecs.cluster.md) | List of AWS ECS Clusters |
+| containers | [][aws.ecs.container](aws.ecs.container.md) | List of AWS ECS Containers |
+| containerInstances | [][aws.ecs.instance](aws.ecs.instance.md) | List of AWS ECS Container Instances |
diff --git a/docs/mql/resources/aws-pack/aws.ecs.task.md b/docs/mql/resources/aws-pack/aws.ecs.task.md
new file mode 100644
index 000000000..1b5f01fdd
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ecs.task.md
@@ -0,0 +1,30 @@
+---
+title: aws.ecs.task
+id: aws.ecs.task
+sidebar_label: aws.ecs.task
+displayed_sidebar: MQL
+description: Amazon ECS task
+---
+
+# aws.ecs.task
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon ECS task
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | --------------------------------------------------- | ---------------------------------------------- |
+| arn | string | ARN of the ECS task |
+| clusterName | string | Cluster associated with the ECS task |
+| connectivity | dict | Connectivity status of the ECS task |
+| lastStatus | string | Last reported status for the ECS task |
+| platformFamily | string | Platform Family assigned to the ECS task |
+| platformVersion | string | Platform Version assigned to the ECS task |
+| tags | map[string]string | User-defined tags associated with the ECS task |
+| containers | [][aws.ecs.container](aws.ecs.container.md) | List of AWS ECS containers |
diff --git a/docs/mql/resources/aws-pack/aws.efs.filesystem.md b/docs/mql/resources/aws-pack/aws.efs.filesystem.md
new file mode 100644
index 000000000..959387ed2
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.efs.filesystem.md
@@ -0,0 +1,34 @@
+---
+title: aws.efs.filesystem
+id: aws.efs.filesystem
+sidebar_label: aws.efs.filesystem
+displayed_sidebar: MQL
+description: AWS Elastic File System (EFS) file system
+---
+
+# aws.efs.filesystem
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Elastic File System (EFS) file system
+
+The `aws.efs.filesystem` resource provides fields for assessing the configuration of individual EFS deployments. For usage, read the `aws.efs` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ----------------------------- | -------------------------------------------------------------------------- |
+| name | string | Name of the file system |
+| id | string | ID of the file system |
+| arn | string | ARN of the file system |
+| encrypted | bool | Whether or not the file system is encrypted |
+| kmsKey | [aws.kms.key](aws.kms.key.md) | KMS key used for encryption of the file system |
+| backupPolicy | dict | Backup policy for the file system |
+| region | string | Region in which the file system exists |
+| availabilityZone | string | Availability zone where the file system exists if a specific AZ is defined |
+| tags | map[string]string | Tags for the file system |
+| createdAt | time | Creation timestamp |
diff --git a/docs/mql/resources/aws-pack/aws.efs.md b/docs/mql/resources/aws-pack/aws.efs.md
new file mode 100644
index 000000000..195dad902
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.efs.md
@@ -0,0 +1,53 @@
+---
+title: aws.efs
+id: aws.efs
+sidebar_label: aws.efs
+displayed_sidebar: MQL
+description: AWS Elastic File System (EFS) service
+---
+
+# aws.efs
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Elastic File System (EFS) service
+
+Use the `aws.efs` resource to assess the configuration of Amazon Elastic File System deployments.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ----------------------------------------------------- | --------------------------------------------- |
+| filesystems | [][aws.efs.filesystem](aws.efs.filesystem.md) | A list of file systems managed by the service |
+
+**Examples**
+
+Return a list of `aws.efs.filesystem` resources representing any EFS deployments across all enabled regions in the account
+
+```coffee
+aws.efs.filesystems {
+ name
+ id
+ arn
+ encrypted
+ kmsKey
+ backupPolicy
+ region
+}
+```
+
+Check whether all EFS systems are configured to encrypt file data using KMS
+
+```coffee
+aws.efs.filesystems.all(
+ encrypted == true && kmsKey.arn == /^arn:aws:kms:.*/
+)
+```
+
+**References**
+
+- [Security in Amazon EFS](https://docs.aws.amazon.com/efs/latest/ug/security-considerations.html)
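Review bot: In the KMS example, the pattern `/^arn:aws:kms:.*/` only matches key ARNs in the standard `aws` partition, so a file system encrypted with a key in `aws-us-gov` or `aws-cn` would fail the check even though it is encrypted. Consider `/^arn:aws[a-z-]*:kms:.*/`, or state in the example text that it assumes the commercial partition.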
diff --git a/docs/mql/resources/aws-pack/aws.eks.cluster.md b/docs/mql/resources/aws-pack/aws.eks.cluster.md
new file mode 100644
index 000000000..5c71eb076
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.eks.cluster.md
@@ -0,0 +1,35 @@
+---
+title: aws.eks.cluster
+id: aws.eks.cluster
+sidebar_label: aws.eks.cluster
+displayed_sidebar: MQL
+description: Amazon EKS cluster
+---
+
+# aws.eks.cluster
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon EKS cluster
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | ----------------- | ----------------------------------------- |
+| name | string | Name of the cluster |
+| arn | string | ARN of the cluster |
+| region | string | Region for the cluster |
+| tags | map[string]string | A map of tags associated with the cluster |
+| endpoint | string | The endpoint of Kubernetes API server |
+| version | string | Kubernetes server version |
+| platformVersion | string | Amazon EKS cluster version |
+| status | string | Cluster status |
+| encryptionConfig | []dict | Encryption configuration for the cluster |
+| logging | dict | Cluster logging configuration |
+| networkConfig | dict | Kubernetes network configuration |
+| resourcesVpcConfig | dict | VPC configuration |
+| createdAt | time | Cluster creation timestamp |
diff --git a/docs/mql/resources/aws-pack/aws.eks.md b/docs/mql/resources/aws-pack/aws.eks.md
new file mode 100644
index 000000000..5ed916ecd
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.eks.md
@@ -0,0 +1,23 @@
+---
+title: aws.eks
+id: aws.eks
+sidebar_label: aws.eks
+displayed_sidebar: MQL
+description: Amazon Elastic Kubernetes Service (EKS)
+---
+
+# aws.eks
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon Elastic Kubernetes Service (EKS)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ----------------------------------------------- | ------------ |
+| clusters | [][aws.eks.cluster](aws.eks.cluster.md) | EKS clusters |
diff --git a/docs/mql/resources/aws-pack/aws.elasticache.cluster.md b/docs/mql/resources/aws-pack/aws.elasticache.cluster.md
new file mode 100644
index 000000000..bde0ded23
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.elasticache.cluster.md
@@ -0,0 +1,49 @@
+---
+title: aws.elasticache.cluster
+id: aws.elasticache.cluster
+sidebar_label: aws.elasticache.cluster
+displayed_sidebar: MQL
+description: Amazon ElastiCache cluster
+---
+
+# aws.elasticache.cluster
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon ElastiCache cluster
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------- | ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| arn | string | ARN for the cluster |
+| atRestEncryptionEnabled | bool | Whether the cluster has at rest encryption enabled |
+| authTokenEnabled | bool | Whether Redis authentication tokens (or passwords) enable Redis to require a password before allowing clients to run commands |
+| authTokenLastModifiedDate | time | Date and time authentication token was last modified |
+| autoMinorVersionUpgrade | bool | Whether the cluster is configured to auto-upgrade to the next minor version (Redis 6.0 or later) |
+| cacheClusterCreateTime | time | The date and time when the cluster was created |
+| cacheClusterId | string | The user-supplied unique key that identifies the cluster |
+| cacheClusterStatus | string | The current state of the cluster: available, creating, deleted, deleting, incompatible-network, modifying, rebooting cluster nodes, restore-failed, or snapshotting |
+| cacheNodeType | string | The name of the compute and memory capacity node type for the cluster |
+| cacheNodes | []string | A list of cache nodes that are members of the cluster |
+| cacheSecurityGroups | []string | A list of cache security group elements, composed of name and status sub-elements |
+| cacheSubnetGroupName | string | The name of the cache subnet group associated with the cluster |
+| clientDownloadLandingPage | string | The URL of the web page where you can download the latest ElastiCache client library |
+| nodeType | string | The node type for the nodes in the cluster |
+| engine | string | The name of the cache engine used for this cluster: Memcached or Redis |
+| engineVersion | string | The version of the cache engine that is used in this cluster |
+| ipDiscovery | string | The network type associated with the cluster: ipv4 or ipv6 |
+| logDeliveryConfigurations | []dict | The log delivery configurations being modified |
+| networkType | string | The supported network connection type for the cluster: ipv4, ipv6, or dual_stack |
+| notificationConfiguration | string | Describes a notification topic and its status |
+| numCacheNodes | int | The number of cache nodes in the cluster |
+| preferredAvailabilityZone | string | The name of the availability zone in which the cluster is located or "Multiple" if the cache nodes are located in different availability zones |
+| region | string | Region where the cluster exists |
+| securityGroups | [][aws.ec2.securitygroup](aws.ec2.securitygroup.md) | A list of VPC security groups associated with the cluster |
+| snapshotRetentionLimit | int | The number of days for which ElastiCache retains automatic cluster snapshots before deleting them |
+| transitEncryptionEnabled | bool | Whether in-transit encryption is enabled |
+| transitEncryptionMode | string | Whether migrating clients to use in-transit encryption (with no downtime) is allowed |
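Review bot: `cacheNodeType` and `nodeType` are both documented as the node type for the cluster, with nothing to say how they differ; if one is an alias or is deprecated, say so in its description. `transitEncryptionMode` is typed `string` but its description reads like a boolean ("Whether ... is allowed"), so list the values the field can hold. The `logDeliveryConfigurations` description ("being modified") describes an API request rather than the state of a cluster.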
diff --git a/docs/mql/resources/aws-pack/aws.elasticache.md b/docs/mql/resources/aws-pack/aws.elasticache.md
new file mode 100644
index 000000000..30303bbda
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.elasticache.md
@@ -0,0 +1,40 @@
+---
+title: aws.elasticache
+id: aws.elasticache
+sidebar_label: aws.elasticache
+displayed_sidebar: MQL
+description: Amazon ElastiCache
+---
+
+# aws.elasticache
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon ElastiCache
+
+Use the `aws.elasticache` resource to assess the configuration of Amazon ElastiCache.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | --------------------------------------------------------------- | ---------------------------------------- |
+| clusters | []dict | Deprecated. Use `cacheClusters` instead. |
+| cacheClusters | [][aws.elasticache.cluster](aws.elasticache.cluster.md) | List of clusters |
+
+**Examples**
+
+Check if the ElastiCache Redis clusters have automatic backup turned on
+
+```coffee
+aws.elasticache.clusters.all(
+ _['SnapshotRetentionLimit'] > _['SnapshotRetentionPeriod']
+)
+```
+
+**References**
+
+- [Security in Amazon ElastiCache](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/redis-security.html)
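Review bot: The only example queries `aws.elasticache.clusters`, which the Fields table in this same file marks "Deprecated. Use `cacheClusters` instead." It also compares `_['SnapshotRetentionLimit']` against `_['SnapshotRetentionPeriod']`, a key that does not appear among the fields documented for `aws.elasticache.cluster`, so it is unclear what the assertion tests. Rewrite the example against `cacheClusters`, using the typed `snapshotRetentionLimit` field and an explicit threshold in days.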
diff --git a/docs/mql/resources/aws-pack/aws.elb.loadbalancer.md b/docs/mql/resources/aws-pack/aws.elb.loadbalancer.md
new file mode 100644
index 000000000..5f83cd15f
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.elb.loadbalancer.md
@@ -0,0 +1,32 @@
+---
+title: aws.elb.loadbalancer
+id: aws.elb.loadbalancer
+sidebar_label: aws.elb.loadbalancer
+displayed_sidebar: MQL
+description: AWS Elastic Load Balancing load balancer
+---
+
+# aws.elb.loadbalancer
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Elastic Load Balancing load balancer
+
+The `aws.elb.loadbalancer` resource provides fields for assessing the configuration of individual classic, application, gateway, and network Amazon Elastic Load Balancers. For usage, read the `aws.elb` documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | -------------- | ----------------------------------------------------- |
+| arn | string | ARN for the load balancer |
+| dnsName | string | DNS name for the load balancer |
+| listenerDescriptions | []dict | List of listener configurations for the load balancer |
+| name | string | User specified name for the load balancer |
+| scheme | string | Scheme for the lb: internet-facing or internal |
+| attributes | []dict | A list of attributes for the load balancer |
+| vpcId | string | The ID of the VPC where the load balancer is located |
+| createdTime | time | Date and time when the load balancer was created |
diff --git a/docs/mql/resources/aws-pack/aws.elb.md b/docs/mql/resources/aws-pack/aws.elb.md
new file mode 100644
index 000000000..7cd0ad61b
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.elb.md
@@ -0,0 +1,74 @@
+---
+title: aws.elb
+id: aws.elb
+sidebar_label: aws.elb
+displayed_sidebar: MQL
+description: AWS Elastic Load Balancing
+---
+
+# aws.elb
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Elastic Load Balancing
+
+Use the `aws.elb` resource to assess the configuration of Amazon Elastic Load Balancers within an AWS account.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | --------------------------------------------------------- | ---------------------------------------------------------------- |
+| classicLoadBalancers | [][aws.elb.loadbalancer](aws.elb.loadbalancer.md) | List of classic load balancers |
+| loadBalancers | [][aws.elb.loadbalancer](aws.elb.loadbalancer.md) | List of application, gateway, and network load balancers (elbv2) |
+
+**Examples**
+
+Return a list of all application, gateway, and network Elastic Load Balancers deployed across every enabled region and the values for specified fields
+
+```coffee
+aws.elb.loadbalancers {
+ arn
+ dnsName
+ listenerDescriptions
+ name
+ scheme
+ attributes
+}
+```
+
+Return a list of all classic Elastic Load Balancers deployed across every enabled region and the values for specified fields
+
+```coffee
+aws.elb.classicLoadBalancers {
+ arn
+ dnsName
+ listenerDescriptions
+ name
+ scheme
+ attributes
+}
+```
+
+Check whether HTTP to HTTPS redirection is configured on all application load balancer http listeners
+
+```coffee
+aws.elb.loadBalancers.all( listenerDescriptions.any (
+ _['Protocol'] == "HTTPS" || _['Protocol'] == "SSL" )
+)
+```
+
+Check that all Classic Load Balancers use SSL certificates provided by AWS Cert Mgr
+
+```coffee
+aws.elb.classicLoadBalancers.all( listenerDescriptions.any (
+ _['Listener']['Protocol'] == "HTTPS" || _['Listener']['Protocol'] == "SSL" )
+)
+```
+
+**References**
+
+- [Security in Elastic Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security.html)
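Review bot: The two check examples do not test what their descriptions claim. The "HTTP to HTTPS redirection" example only asserts that each load balancer has at least one listener whose `Protocol` is HTTPS or SSL, which still passes when a plain HTTP listener with no redirect exists on the same load balancer; the "SSL certificates provided by AWS Cert Mgr" example applies the same protocol-only test and never inspects a certificate. Either retitle them to match the queries (for instance "has at least one HTTPS or SSL listener") or change the queries to inspect the redirect action and the certificate. The first example also spells the field `aws.elb.loadbalancers`, while the Fields table and the third example use `loadBalancers`, and "AWS Cert Mgr" should be written out as AWS Certificate Manager.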
diff --git a/docs/mql/resources/aws-pack/aws.emr.cluster.md b/docs/mql/resources/aws-pack/aws.emr.cluster.md
new file mode 100644
index 000000000..3b33fff1d
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.emr.cluster.md
@@ -0,0 +1,32 @@
+---
+title: aws.emr.cluster
+id: aws.emr.cluster
+sidebar_label: aws.emr.cluster
+displayed_sidebar: MQL
+description: Amazon EMR cluster
+---
+
+# aws.emr.cluster
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon EMR cluster
+
+The `aws.emr.cluster` resource provides fields for assessing the configuration of individual Amazon EMR clusters. For usage, read the `aws.emr` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------------- | ----------------- | -------------------------------------------------------------------------- |
+| arn | string | ARN for the cluster |
+| name | string | Name of the cluster |
+| normalizedInstanceHours | int | An approximation of the cost of the cluster, represented in m1.small/hours |
+| outpostArn | string | ARN of outpost where cluster is launched |
+| status | dict | Details about the current status of the cluster |
+| masterInstances | []dict | List of master instances for the cluster |
+| id | string | EMR cluster ID |
+| tags | map[string]string | Tags for the cluster |
diff --git a/docs/mql/resources/aws-pack/aws.emr.md b/docs/mql/resources/aws-pack/aws.emr.md
new file mode 100644
index 000000000..0d0e466f1
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.emr.md
@@ -0,0 +1,53 @@
+---
+title: aws.emr
+id: aws.emr
+sidebar_label: aws.emr
+displayed_sidebar: MQL
+description: Amazon EMR
+---
+
+# aws.emr
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon EMR
+
+Use the `aws.emr` resource to assess the configuration of Amazon EMR clusters. This resource provides a list of `aws.emr.cluster` resources representing EMR clusters deployed across all enabled regions.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ----------------------------------------------- | -------------------- |
+| clusters | [][aws.emr.cluster](aws.emr.cluster.md) | List of EMR clusters |
+
+**Examples**
+
+Return a list of EMR clusters deployed across all enabled regions and the value for specified fields
+
+```coffee
+aws.emr.clusters {
+ arn
+ name
+ normalizedInstanceHours
+ outpostArn
+ status
+ masterInstances
+ id
+}
+```
+
+Check whether EMR cluster master nodes have public ips
+
+```coffee
+aws.emr.clusters.all(
+ masterInstances { _['PublicIpAddress'] == null }
+)
+```
+
+**References**
+
+- [Security in Amazon EMR](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-security.html)
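Review bot: In the public IP example, the argument to `all(...)` is a block, `masterInstances { _['PublicIpAddress'] == null }`, rather than a boolean expression, so it is not clear that the outer assertion evaluates the inner comparison; `masterInstances.all( _['PublicIpAddress'] == null )` states the intent directly. The description should also say which outcome passes: it reads "Check whether EMR cluster master nodes have public ips", while the query is satisfied only when no master instance has one.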
diff --git a/docs/mql/resources/aws-pack/aws.es.domain.md b/docs/mql/resources/aws-pack/aws.es.domain.md
new file mode 100644
index 000000000..c6584ef40
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.es.domain.md
@@ -0,0 +1,34 @@
+---
+title: aws.es.domain
+id: aws.es.domain
+sidebar_label: aws.es.domain
+displayed_sidebar: MQL
+description: Amazon Elasticsearch service domain
+---
+
+# aws.es.domain
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon Elasticsearch service domain
+
+The `aws.es.domain` provides fields for assessing the configuration of individual Amazon Elasticsearch domains. For usage, read the `aws.es` resource documentation
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------------- | ----------------- | -------------------------------------------------- |
+| arn | string | ARN for the Elasticsearch domain |
+| encryptionAtRestEnabled | bool | Whether encryption at rest is enabled |
+| nodeToNodeEncryptionEnabled | bool | Denoted whether node to node encryption is enabled |
+| name | string | Name of the Elasticsearch domain |
+| endpoint | string | Endpoint used to submit index and search requests |
+| region | string | Region where the domain exists |
+| tags | map[string]string | Tags for the domain |
+| elasticsearchVersion | string | The version of Elasticsearch running |
+| domainId | string | The Elasticsearch domain ID |
+| domainName | string | The Elasticsearch domain name |
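Review bot: `name` and `domainName` are both described as the name of the Elasticsearch domain; say how they differ or mark one as deprecated. "Denoted whether node to node encryption is enabled" should read "Whether node-to-node encryption is enabled" to match the `encryptionAtRestEnabled` row, and the sentence ending "read the `aws.es` resource documentation" is missing its period.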
diff --git a/docs/mql/resources/aws-pack/aws.es.md b/docs/mql/resources/aws-pack/aws.es.md
new file mode 100644
index 000000000..fca7a909b
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.es.md
@@ -0,0 +1,29 @@
+---
+title: aws.es
+id: aws.es
+sidebar_label: aws.es
+displayed_sidebar: MQL
+description: AWS Elasticsearch service
+---
+
+# aws.es
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Elasticsearch service
+
+Use the `aws.es` resource to assess the configuration of Amazon Elasticsearch domains. This resource provides a list of `aws.es.domain` resources representing Elasticsearch domains deployed across all enabled regions.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ------------------------------------------- | ----------------------------- |
+| domains | [][aws.es.domain](aws.es.domain.md) | List of Elasticsearch domains |
+
+**References**
+
+- [Amazon Security Blog on Elasticsearch](https://aws.amazon.com/blogs/security/tag/amazon-elasticsearch-service/)
diff --git a/docs/mql/resources/aws-pack/aws.guardduty.detector.md b/docs/mql/resources/aws-pack/aws.guardduty.detector.md
new file mode 100644
index 000000000..2209bf8e4
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.guardduty.detector.md
@@ -0,0 +1,29 @@
+---
+title: aws.guardduty.detector
+id: aws.guardduty.detector
+sidebar_label: aws.guardduty.detector
+displayed_sidebar: MQL
+description: Amazon GuardDuty detector
+---
+
+# aws.guardduty.detector
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon GuardDuty detector
+
+The `aws.guardduty.detector` provides fields for assessing the configuration of individual Amazon GuardDuty Detectors. For usage, read the `aws.guardduty` resource documentation
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------------- | -------------- | ------------------------------------------------ |
+| id | string | Unique ID for the detector |
+| region | string | Region for the detector |
+| status | string | Status of the detector: ENABLED or DISABLED |
+| findingPublishingFrequency | string | Publishing frequency for the detector |
+| unarchivedFindings | []dict | List of unarchivedFindings found by the detector |
diff --git a/docs/mql/resources/aws-pack/aws.guardduty.md b/docs/mql/resources/aws-pack/aws.guardduty.md
new file mode 100644
index 000000000..c614b6e8c
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.guardduty.md
@@ -0,0 +1,49 @@
+---
+title: aws.guardduty
+id: aws.guardduty
+sidebar_label: aws.guardduty
+displayed_sidebar: MQL
+description: Amazon GuardDuty for threat detection
+---
+
+# aws.guardduty
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon GuardDuty for threat detection
+
+Use the `aws.guardduty` resource to assess the configuration of the AWS GuardDuty service. The resource provides a list of `aws.guardduty.detector` resources representing GuardDuty Detectors deployed across all enabled regions.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------------------------------------------------------------- | --------------------------- |
+| detectors | [][aws.guardduty.detector](aws.guardduty.detector.md) | List of GuardDuty detectors |
+
+**Examples**
+
+Return a list of Amazon GuardDuty Detectors along with the values for specified fields
+
+```coffee
+aws.guardduty.detectors {
+ id
+ region
+ status
+ findingPublishingFrequency
+ unarchivedFindings
+}
+```
+
+Check that guardduty is enabled in all regions
+
+```coffee
+aws.guardduty.detectors.all( status == "ENABLED" )
+```
+
+**References**
+
+- [Security in Amazon GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/security.html)
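Review bot: The "enabled in all regions" example, `aws.guardduty.detectors.all( status == "ENABLED" )`, only evaluates detectors that exist. A region with no detector contributes no entry to the list, and an account with no detectors at all satisfies `all` trivially, so the check can pass while GuardDuty is absent. Reword the description to "all existing detectors are enabled", or pair the query with an assertion that the detector list is non-empty and covers the expected regions.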
diff --git a/docs/mql/resources/aws-pack/aws.iam.group.md b/docs/mql/resources/aws-pack/aws.iam.group.md
new file mode 100644
index 000000000..5160bf47d
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.iam.group.md
@@ -0,0 +1,29 @@
+---
+title: aws.iam.group
+id: aws.iam.group
+sidebar_label: aws.iam.group
+displayed_sidebar: MQL
+description: AWS IAM group
+---
+
+# aws.iam.group
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS IAM group
+
+The `aws.iam.group` provides fields for assessing the configuration of IAM Groups. For usage, read the `aws.iam` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ---------------- | ------------------------------------------ |
+| arn | string | ARN of the group |
+| id | string | ID of the group |
+| name | string | Name of the group |
+| createDate | time | Time when the group was created |
+| usernames | []string | List of usernames that belong to the group |
diff --git a/docs/mql/resources/aws-pack/aws.iam.loginprofile.md b/docs/mql/resources/aws-pack/aws.iam.loginprofile.md
new file mode 100644
index 000000000..5f1ef03b9
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.iam.loginprofile.md
@@ -0,0 +1,23 @@
+---
+title: aws.iam.loginProfile
+id: aws.iam.loginProfile
+sidebar_label: aws.iam.loginProfile
+displayed_sidebar: MQL
+description: AWS IAM login profile for a user
+---
+
+# aws.iam.loginProfile
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS IAM login profile for a user
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ---- | --------------------------------------- |
+| createdAt | time | Time when the login profile was created |
diff --git a/docs/mql/resources/aws-pack/aws.iam.md b/docs/mql/resources/aws-pack/aws.iam.md
new file mode 100644
index 000000000..4a86e3316
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.iam.md
@@ -0,0 +1,81 @@
+---
+title: aws.iam
+id: aws.iam
+sidebar_label: aws.iam
+displayed_sidebar: MQL
+description: AWS service to create and manage permissions for users and groups
+---
+
+# aws.iam
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS service to create and manage permissions for users and groups
+
+Use the `aws.iam` resource to assess the configuration of the AWS IAM service. The resource provides a list of `aws.iam.user` resources representing GuardDuty Detectors deployed across all enabled regions.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------- | ----------------------------------------------------------------------------------- | ------------------------------------------------------- |
+| users | [][aws.iam.user](aws.iam.user.md) | List of IAM users in the account |
+| roles | [][aws.iam.role](aws.iam.role.md) | List of IAM roles in the account |
+| groups | [][aws.iam.group](aws.iam.group.md) | List of IAM groups in the account |
+| policies | [][aws.iam.policy](aws.iam.policy.md) | List of IAM policies in the account |
+| attachedPolicies | [][aws.iam.policy](aws.iam.policy.md) | List of IAM policies attached to a user, role, or group |
+| credentialReport | [][aws.iam.usercredentialreportentry](aws.iam.usercredentialreportentry.md) | IAM credential report |
+| accountPasswordPolicy | dict | IAM account password policy for the account |
+| accountSummary | map[string]int | IAM account summary |
+| virtualMfaDevices | [][aws.iam.virtualmfadevice](aws.iam.virtualmfadevice.md) | List of virtual mfs devices associated with the account |
+| serverCertificates | []dict | List of server certificates stored in IAM |
+
+**Examples**
+
+Return a list of `aws.iam.user` resources representing IAM users in the account and specified fields
+
+```coffee
+aws.iam.users {
+ users
+ roles
+ groups
+ policies
+ attachedPolicies
+ accountSummary
+ virtualMfaDevices
+ serverCertificates
+}
+```
+
+Return a list of users that do not have MFA configured along with the ARN, name, and associated IAM Groups
+
+```coffee
+aws.iam.credentialReport.where(mfaActive == false) {
+ user {
+ arn
+ name
+ groups
+ }
+}
+```
+
+Do not setup access keys during initial user setup for all IAM users that have a console password
+
+```coffee
+aws.iam.credentialReport.
+ where(
+ passwordEnabled &&
+ accessKey1Active &&
+ userCreationTime < time.today
+ ).
+ all(
+ accessKey1LastUsedDate != null
+ )
+```
+
+**References**
+
+- [Security in IAM and AWS STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/security.html)
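Review bot: The description paragraph says the resource provides `aws.iam.user` resources "representing GuardDuty Detectors deployed across all enabled regions", which looks copied from aws.guardduty.md; it should describe the IAM users, roles, groups and policies in the account. The first example has a related problem: `aws.iam.users { users roles groups ... }` requests fields from the `aws.iam` table, not fields of an `aws.iam.user`, so either drop `.users` or list user fields such as `arn`, `name` and `createDate`. Smaller points: "virtual mfs devices" should be "virtual MFA devices", and the third example's title is phrased as a recommendation rather than as what the query checks.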
diff --git a/docs/mql/resources/aws-pack/aws.iam.policy.md b/docs/mql/resources/aws-pack/aws.iam.policy.md
new file mode 100644
index 000000000..0adeb55c4
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.iam.policy.md
@@ -0,0 +1,38 @@
+---
+title: aws.iam.policy
+id: aws.iam.policy
+sidebar_label: aws.iam.policy
+displayed_sidebar: MQL
+description: AWS IAM policy
+---
+
+# aws.iam.policy
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS IAM policy
+
+The `aws.iam.policy` provides fields for assessing the configuration of individual IAM Policies. For usage, read the `aws.iam` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------------------------------------------------- | ------------------------------------------------------------------------------------------ |
+| arn | string | ARN of the policy |
+| id | string | ID of the policy |
+| name | string | Name of the policy |
+| description | string | Description of the policy |
+| isAttachable | bool | Denotes if the policy can be attached |
+| attachmentCount | int | The number of principal entities (users, groups, and roles) that the policy is attached to |
+| createDate | time | Time when the policy was created |
+| updateDate | time | Time when the policy was updated |
+| scope | string | Scope of the policy |
+| versions | [][aws.iam.policyversion](aws.iam.policyversion.md) | List of versions for the policy |
+| defaultVersion | [aws.iam.policyversion](aws.iam.policyversion.md) | Default version of the policy |
+| attachedUsers | [][aws.iam.user](aws.iam.user.md) | List of users attached to the policy |
+| attachedRoles | [][aws.iam.role](aws.iam.role.md) | List of roles attached to the policy |
+| attachedGroups | [][aws.iam.group](aws.iam.group.md) | List of groups attached to the policy |
diff --git a/docs/mql/resources/aws-pack/aws.iam.policyversion.md b/docs/mql/resources/aws-pack/aws.iam.policyversion.md
new file mode 100644
index 000000000..69f85a6da
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.iam.policyversion.md
@@ -0,0 +1,29 @@
+---
+title: aws.iam.policyversion
+id: aws.iam.policyversion
+sidebar_label: aws.iam.policyversion
+displayed_sidebar: MQL
+description: AWS IAM policy version
+---
+
+# aws.iam.policyversion
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS IAM policy version
+
+The `aws.iam.policyversion` provides fields for assessing the metadata for IAM Policy versions. For usage, read the `aws.iam` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ------ | ----------------------------------------------------- |
+| arn | string | ARN of the policy version |
+| versionId | string | Version ID |
+| isDefaultVersion | bool | Denotes if this version is the policy default version |
+| document | dict | JSON statements for this policy version |
+| createDate | time | Time when this policy version was created |
diff --git a/docs/mql/resources/aws-pack/aws.iam.role.md b/docs/mql/resources/aws-pack/aws.iam.role.md
new file mode 100644
index 000000000..1abd8e5c9
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.iam.role.md
@@ -0,0 +1,30 @@
+---
+title: aws.iam.role
+id: aws.iam.role
+sidebar_label: aws.iam.role
+displayed_sidebar: MQL
+description: AWS IAM role
+---
+
+# aws.iam.role
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS IAM role
+
+The `aws.iam.role` provides fields for assessing the configuration of individual IAM Roles. For usage, read the `aws.iam` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ----------------- | ------------------------------ |
+| arn | string | ARN of the role |
+| id | string | ID of the role |
+| name | string | Name of the role |
+| description | string | Description of the role |
+| tags | map[string]string | Tags associated with the role |
+| createDate | time | Time when the role was created |
diff --git a/docs/mql/resources/aws-pack/aws.iam.user.md b/docs/mql/resources/aws-pack/aws.iam.user.md
new file mode 100644
index 000000000..1d9cfb550
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.iam.user.md
@@ -0,0 +1,35 @@
+---
+title: aws.iam.user
+id: aws.iam.user
+sidebar_label: aws.iam.user
+displayed_sidebar: MQL
+description: AWS IAM user
+---
+
+# aws.iam.user
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS IAM user
+
+The `aws.iam.user` provides fields for assessing the configuration of individual IAM users. For usage, read the `aws.iam` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ----------------------------------------------- | ----------------------------------------------------- |
+| arn | string | ARN of the IAM user |
+| id | string | ID of the IAM user |
+| name | string | Name of the user |
+| createDate | time | Time when user was created |
+| passwordLastUsed | time | Time when password was last used |
+| tags | map[string]string | Tags for the IAM user |
+| policies | []string | List of inline policies attached to the user |
+| attachedPolicies | [][aws.iam.policy](aws.iam.policy.md) | List of managed policies attached to the user |
+| groups | []string | List of group ARNs that the user belongs to |
+| accessKeys | []dict | List of access keys metadata associated with the user |
+| loginProfile | [aws.iam.loginProfile](aws.iam.loginprofile.md) | Login profile for the user |
diff --git a/docs/mql/resources/aws-pack/aws.iam.usercredentialreportentry.md b/docs/mql/resources/aws-pack/aws.iam.usercredentialreportentry.md
new file mode 100644
index 000000000..950923aaf
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.iam.usercredentialreportentry.md
@@ -0,0 +1,51 @@
+---
+title: aws.iam.usercredentialreportentry
+id: aws.iam.usercredentialreportentry
+sidebar_label: aws.iam.usercredentialreportentry
+displayed_sidebar: MQL
+description: Entry in AWS IAM credential report
+---
+
+# aws.iam.usercredentialreportentry
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Entry in AWS IAM credential report
+
+The `aws.iam.credentialreportentry` provides fields for assessing the metadata for individual IAM Credential Report entries. For usage, read the `aws.iam` resource documentation.
+
+**Init**
+
+aws.iam.usercredentialreportentry(properties map[string]string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------- | ------------------------------- | -------------------------------------------- |
+| properties | map[string]string | properties on the IAM user credential report |
+| arn | string | ARN for the credential report |
+| accessKey1Active | bool | Denotes if the access key is active |
+| accessKey1LastRotated | time | Time when key was last rotated |
+| accessKey1LastUsedDate | time | Time when key was last used |
+| accessKey1LastUsedRegion | string | Region in which the key was last used |
+| accessKey1LastUsedService | string | Service that last used the key |
+| accessKey2Active | bool | Denotes if the access key is active |
+| accessKey2LastRotated | time | Time when key was last rotated |
+| accessKey2LastUsedDate | time | Time when key was last used |
+| accessKey2LastUsedRegion | string | Region in which the key was last used |
+| accessKey2LastUsedService | string | Service that last used the key |
+| cert1Active | bool | Denotes if the cert is active |
+| cert1LastRotated | time | Time when the cert was last rotated |
+| cert2Active | bool | Denotes if the cert is active |
+| cert2LastRotated | time | Time when the cert was last rotated |
+| mfaActive | bool | Denotes if mfa is active in the account |
+| passwordEnabled | bool | Whether passwords are enabled |
+| passwordLastChanged | time | Time when the password was last changed |
+| passwordLastUsed | time | Time when the password was last used |
+| passwordNextRotation | time | Next time when the password should rotate |
+| user | [aws.iam.user](aws.iam.user.md) | IAM user |
+| userCreationTime | time | Time when user was created |
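Review bot: the description paragraph names `aws.iam.credentialreportentry`, but the title, id and Init signature in this file all use `aws.iam.usercredentialreportentry`; change the paragraph to the actual resource name. The `accessKey1*`/`accessKey2*` and `cert1*`/`cert2*` rows share identical descriptions, so say which key or certificate each row refers to. `mfaActive` is described as "active in the account" on what is a per-user entry; "for the user" would match the rest of the table.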
diff --git a/docs/mql/resources/aws-pack/aws.iam.virtualmfadevice.md b/docs/mql/resources/aws-pack/aws.iam.virtualmfadevice.md
new file mode 100644
index 000000000..5551c552a
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.iam.virtualmfadevice.md
@@ -0,0 +1,27 @@
+---
+title: aws.iam.virtualmfadevice
+id: aws.iam.virtualmfadevice
+sidebar_label: aws.iam.virtualmfadevice
+displayed_sidebar: MQL
+description: AWS IAM virtual MFA device
+---
+
+# aws.iam.virtualmfadevice
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS IAM virtual MFA device
+
+The `aws.iam.virtualmfadevice` provides fields for assessing the metadata for individual virtual MFA devices associated with IAM users. For usage, read the `aws.iam` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------------------------------- | ------------------------------------ |
+| serialNumber | string | Serial number for the MFA device |
+| enableDate | time | Time when the MFA device was enabled |
+| user | [aws.iam.user](aws.iam.user.md) | User associated with the MFA device |
diff --git a/docs/mql/resources/aws-pack/aws.kms.key.md b/docs/mql/resources/aws-pack/aws.kms.key.md
new file mode 100644
index 000000000..b98d99e65
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.kms.key.md
@@ -0,0 +1,29 @@
+---
+title: aws.kms.key
+id: aws.kms.key
+sidebar_label: aws.kms.key
+displayed_sidebar: MQL
+description: AWS Key Management Service (KMS) key
+---
+
+# aws.kms.key
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Key Management Service (KMS) key
+
+The `aws.kms.key` provides fields for assessing the configuration of individual KMS keys. For usage, read the `aws.kms` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | ------ | --------------------------------------------------- |
+| id | string | Unique identifier for the key |
+| arn | string | ARN of the key |
+| region | string | Region the key lives in |
+| keyRotationEnabled | bool | Bool that specifies whether key rotation is enabled |
+| metadata | dict | Metadata for the key |
diff --git a/docs/mql/resources/aws-pack/aws.kms.md b/docs/mql/resources/aws-pack/aws.kms.md
new file mode 100644
index 000000000..059c698ce
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.kms.md
@@ -0,0 +1,33 @@
+---
+title: aws.kms
+id: aws.kms
+sidebar_label: aws.kms
+displayed_sidebar: MQL
+description: AWS Key Management Service (KMS)
+---
+
+# aws.kms
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Key Management Service (KMS)
+
+Use the `aws.kms` resource to assess the configuration of AWS KMS keys.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | --------------------------------------- | ------------------------------------------------------------------------------------------ |
+| keys | [][aws.kms.key](aws.kms.key.md) | A list of all customer master keys (CMKs) in the caller's AWS account (across all regions) |
+
+**Examples**
+
+Ensure rotation for customer created CMKs is enabled
+
+```coffee
+aws.kms.keys.where( metadata['KeyState'] == "Enabled" ).all( keyRotationEnabled == true )
+```
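Review bot: the example is titled "Ensure rotation for customer created CMKs is enabled", but the query filters only on `metadata['KeyState'] == "Enabled"` and nothing in it restricts the set to customer-created keys. Either add a filter on whichever `metadata` key distinguishes customer-created keys, or retitle the example to say it covers every enabled key returned by `keys`. The `keys` description has the same ambiguity: it says "all customer master keys (CMKs) in the caller's AWS account" without stating whether AWS-managed keys are included.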
diff --git a/docs/mql/resources/aws-pack/aws.lambda.function.md b/docs/mql/resources/aws-pack/aws.lambda.function.md
new file mode 100644
index 000000000..8cb92fe10
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.lambda.function.md
@@ -0,0 +1,33 @@
+---
+title: aws.lambda.function
+id: aws.lambda.function
+sidebar_label: aws.lambda.function
+displayed_sidebar: MQL
+description: AWS Lambda function
+---
+
+# aws.lambda.function
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Lambda function
+
+The `aws.lambda.function` provides fields for assessing the configuration of individual AWS Lambda functions. For usage, read the `aws.lambda` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ----------------- | ------------------------------------------ |
+| arn | string | ARN of the function |
+| name | string | Name of the function |
+| runtime | string | Runtime environment for the function |
+| concurrency | int | Concurrency limit for the function |
+| dlqTargetArn | string | Target ARN of the dead-letter queue config |
+| policy | dict | Policy for the function |
+| vpcConfig | dict | VPC configuration for the lambda function |
+| region | string | Region where the function exists |
+| tags | map[string]string | Tags for the function |
diff --git a/docs/mql/resources/aws-pack/aws.lambda.md b/docs/mql/resources/aws-pack/aws.lambda.md
new file mode 100644
index 000000000..1bbb6dd96
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.lambda.md
@@ -0,0 +1,25 @@
+---
+title: aws.lambda
+id: aws.lambda
+sidebar_label: aws.lambda
+displayed_sidebar: MQL
+description: AWS Lambda
+---
+
+# aws.lambda
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Lambda
+
+Use the `aws.lambda` resource to assess the configuration of AWS Lambda.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------------------------------------------------------- | ---------------------------------------------------------- |
+| functions | [][aws.lambda.function](aws.lambda.function.md) | List of lambda functions across all regions in the account |
diff --git a/docs/mql/resources/aws-pack/aws.md b/docs/mql/resources/aws-pack/aws.md
new file mode 100644
index 000000000..f13f43326
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.md
@@ -0,0 +1,65 @@
+---
+title: aws
+id: aws
+sidebar_label: aws
+displayed_sidebar: MQL
+description: AWS resource
+---
+
+# aws
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS resource
+
+Use the `aws` resource to assess the configuration of AWS accounts. It features the `aws.regions` field, which returns a list of enabled AWS regions in the account, and the `aws.vpcs` field, which provides a list of VPCs configured within the account.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ------------------------------- | ----------------------------------------------------------------------------------------- |
+| vpcs | [][aws.vpc](aws.vpc.md) | List of `aws.vpc` objects representing all VPCs in the account across all enabled regions |
+| regions | []string | List of all enabled regions in the account |
+
+**Examples**
+
+List all enabled regions within the AWS account
+
+```coffee
+aws.regions
+```
+
+List of `aws.vpc` resources for all VPCs across all enabled regions
+
+```coffee
+aws.vpcs
+```
+
+List of `aws.vpc` resources for all VPCs across all enabled regions and the values for specified fields
+
+```coffee
+aws.vpcs {
+ arn
+ id
+ state
+ isDefault
+ region
+ flowLogs
+ routeTables
+}
+```
+
+Ensure VPC flow logging is enabled in all VPCs
+
+```coffee
+aws.vpcs.all( flowLogs.any(status == "ACTIVE") )
+```
+
+**References**
+
+- [AWS Documentation: Managing AWS Regions](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html)
+- [AWS Documentation: Security in Amazon Virtual Private Cloud](https://docs.aws.amazon.com/vpc/latest/userguide/security.html)
diff --git a/docs/mql/resources/aws-pack/aws.organization.md b/docs/mql/resources/aws-pack/aws.organization.md
new file mode 100644
index 000000000..f2462e340
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.organization.md
@@ -0,0 +1,26 @@
+---
+title: aws.organization
+id: aws.organization
+sidebar_label: aws.organization
+displayed_sidebar: MQL
+description: AWS Organization resource
+---
+
+# aws.organization
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Organization resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | ------ | ------------------------------------------------------------------------- |
+| arn | string | ARN of the organization |
+| featureSet | string | Specifies the functionality available to org: ALL or CONSOLIDATED_BILLING |
+| masterAccountId | string | ID of the organization's master account |
+| masterAccountEmail | string | Email owner of the organization's master account |
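Review bot: the Description section contains only the label "AWS Organization resource", with no usage sentence and no example, unlike the `aws` and `aws.kms` pages in this change. Add one sentence on what the resource is used to assess. In the table, "Email owner of the organization's master account" is hard to parse; "Email address of the owner of the organization's master account" is clearer.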
diff --git a/docs/mql/resources/aws-pack/aws.rds.dbcluster.md b/docs/mql/resources/aws-pack/aws.rds.dbcluster.md
new file mode 100644
index 000000000..1a690f651
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.rds.dbcluster.md
@@ -0,0 +1,48 @@
+---
+title: aws.rds.dbcluster
+id: aws.rds.dbcluster
+sidebar_label: aws.rds.dbcluster
+displayed_sidebar: MQL
+description: Amazon RDS database cluster
+---
+
+# aws.rds.dbcluster
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon RDS database cluster
+
+The `aws.rds.dbcluster` provides fields for assessing the configuration of AWS RDS Clusters.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------------- | ----------------------------------------------------------- | --------------------------------------------------------------------------------- |
+| arn | string | ARN for the database cluster |
+| region | string | Region where the database cluster exists |
+| id | string | Identifier for the database cluster |
+| members | [][aws.rds.dbinstance](aws.rds.dbinstance.md) | List of database instances that belong to the cluster |
+| snapshots | [][aws.rds.snapshot](aws.rds.snapshot.md) | List of snapshots for the cluster |
+| tags | map[string]string | Tags for the database cluster |
+| storageEncrypted | bool | Whether the cluster is encrypted |
+| storageAllocated | int | The amount of storage, in GiB, provisioned on the cluster |
+| storageIops | int | The storage IOPS provisioned on the cluster |
+| storageType | string | The type of storage provisioned on the cluster |
+| status | string | Current state of the cluster |
+| createdTime | time | The creation date of the RDS cluster |
+| backupRetentionPeriod | int | Number of days for which automated snapshots are retained |
+| autoMinorVersionUpgrade | bool | Whether minor version patches are applied automatically |
+| clusterDbInstanceClass | string | Name of the compute and memory capacity class of the Cluster DB instances |
+| engine | string | Name of the database engine for this DB cluster |
+| engineVersion | string | The version of the database engine for this DB cluster |
+| publiclyAccessible | bool | Whether the cluster is publicly accessible |
+| multiAZ | bool | Whether the cluster is a Multi-AZ deployment |
+| deletionProtection | bool | Whether deletion protection is enabled |
+| securityGroups | [][aws.ec2.securitygroup](aws.ec2.securitygroup.md) | List of VPC security group elements that the DB cluster belongs to |
+| availabilityZones | []string | List of Availability Zones (AZs) where instances in the DB cluster can be created |
+| port | int | The port that the database engine is listening on |
+| endpoint | string | The connection endpoint for the primary instance of the DB cluster |
diff --git a/docs/mql/resources/aws-pack/aws.rds.dbinstance.md b/docs/mql/resources/aws-pack/aws.rds.dbinstance.md
new file mode 100644
index 000000000..df75353f1
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.rds.dbinstance.md
@@ -0,0 +1,51 @@
+---
+title: aws.rds.dbinstance
+id: aws.rds.dbinstance
+sidebar_label: aws.rds.dbinstance
+displayed_sidebar: MQL
+description: Amazon RDS database instance
+---
+
+# aws.rds.dbinstance
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon RDS database instance
+
+The `aws.rds.dbinstance` provides fields for assessing the configuration of RDS instances. For usage, read the `aws.rds` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------------------- | ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
+| arn | string | ARN for the database instance |
+| name | string | Name of the database instance |
+| backupRetentionPeriod | int | Number of days for which automated snapshots are retained |
+| snapshots | [][aws.rds.snapshot](aws.rds.snapshot.md) | List of snapshots for the database instance |
+| storageEncrypted | bool | Whether the instance is encrypted |
+| storageAllocated | int | The amount of storage, in GiB, provisioned on the instance |
+| storageIops | int | The storage IOPS provisioned on the instance |
+| storageType | string | The type of storage provisioned on the instance |
+| region | string | Region where the instance exists |
+| availabilityZone | string | Availability zone where the instance exists |
+| publiclyAccessible | bool | Whether the instance is publicly accessible |
+| enabledCloudwatchLogsExports | []string | List of log types the instance is configured to export to CloudWatch logs |
+| deletionProtection | bool | Whether deletion protection is enabled |
+| multiAZ | bool | Whether the instance is a Multi-AZ deployment |
+| id | string | Identifier for the database instance |
+| enhancedMonitoringResourceArn | string | ARN of the CloudWatch log stream that receives the enhanced monitoring metrics data |
+| tags | map[string]string | Tags for the database instance |
+| dbInstanceClass | string | Name of the compute and memory capacity class of the DB instance |
+| dbInstanceIdentifier | string | User-supplied unique key that identifies a DB instance |
+| engine | string | Name of the database engine for this DB instance |
+| engineVersion | string | The version of the database engine for this DB instance |
+| securityGroups | [][aws.ec2.securitygroup](aws.ec2.securitygroup.md) | List of VPC security group elements that the DB instance belongs to |
+| status | string | Current state of this database |
+| autoMinorVersionUpgrade | bool | Whether minor version patches are applied automatically |
+| createdTime | time | The creation date of the RDS instance |
+| port | int | The port that the DB instance listens on. If the DB instance is part of a DB cluster, this can be a different port than the DB cluster port. |
+| endpoint | string | The connection endpoint for the DB instance |
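Review bot: the table has three identifier-like fields, `name` ("Name of the database instance"), `id` ("Identifier for the database instance") and `dbInstanceIdentifier` ("User-supplied unique key that identifies a DB instance"), and the descriptions do not say how they differ. State which AWS value each one maps to so that query authors know which to match on.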
diff --git a/docs/mql/resources/aws-pack/aws.rds.md b/docs/mql/resources/aws-pack/aws.rds.md
new file mode 100644
index 000000000..0ead4393d
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.rds.md
@@ -0,0 +1,50 @@
+---
+title: aws.rds
+id: aws.rds
+sidebar_label: aws.rds
+displayed_sidebar: MQL
+description: Amazon Relational Database Service (RDS)
+---
+
+# aws.rds
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon Relational Database Service (RDS)
+
+Use the `aws.rds` resource to assess the configuration of AWS RDS deployments. The resource returns lists of `aws.rds.dbcluster`, `aws.rds.dbinstance`, and `aws.rds.snapshot` resources, each with fields for assessing the configuration of those assets.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ----------------------------------------------------- | ----------------------------- |
+| dbInstances | [][aws.rds.dbinstance](aws.rds.dbinstance.md) | List of database instances |
+| dbClusters | [][aws.rds.dbcluster](aws.rds.dbcluster.md) | List of RDS database clusters |
+
+**Examples**
+
+Check whether RDS DB instances have backups enabled
+
+```coffee
+aws.rds.dbInstances.all(snapshots.length > 0)
+```
+
+Check whether high availability is enabled for all rds instances
+
+```coffee
+aws.rds.dbInstances.all(multiAZ == true)
+```
+
+Return a list of RDS Clusters across all regions where snapshots are not encrypted and return the `arn` `region` and `id` for the cluster
+
+```coffee
+aws.rds.dbClusters { snapshots.where( encrypted == false) } { arn region id }
+```
+
+**References**
+
+- [Security in Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html)
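Review bot: in the first example, "Check whether RDS DB instances have backups enabled" is implemented as `snapshots.length > 0`, which passes as soon as any snapshot exists, whatever its type, and says nothing about whether automated backups are configured. The `aws.rds.dbinstance` table in this change exposes `backupRetentionPeriod`, so `aws.rds.dbInstances.all( backupRetentionPeriod > 0 )` would match the title more closely; otherwise reword the title to "have at least one snapshot". In the third example the first block projects each cluster's unencrypted snapshots and does not filter the cluster list; `aws.rds.dbClusters.where( snapshots.any( encrypted == false ) ) { arn region id }` would do what the sentence describes. The intro also says the resource returns `aws.rds.snapshot` lists, but the Fields table has only `dbInstances` and `dbClusters`.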
diff --git a/docs/mql/resources/aws-pack/aws.rds.snapshot.md b/docs/mql/resources/aws-pack/aws.rds.snapshot.md
new file mode 100644
index 000000000..5d12cd951
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.rds.snapshot.md
@@ -0,0 +1,38 @@
+---
+title: aws.rds.snapshot
+id: aws.rds.snapshot
+sidebar_label: aws.rds.snapshot
+displayed_sidebar: MQL
+description: Amazon RDS snapshot
+---
+
+# aws.rds.snapshot
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon RDS snapshot
+
+The `aws.rds.snapshot` provides fields for assessing the configuration of RDS snapshots. For usage, read the `aws.rds` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ----------------- | ------------------------------------------------------------------ |
+| arn | string | ARN of the snapshot |
+| id | string | ID of the snapshot |
+| attributes | []dict | Attribute values that describe permissions to restore the snapshot |
+| type | string | Type of snapshot: manual or automated |
+| encrypted | bool | Whether the snapshot is encrypted |
+| region | string | Region where the snapshot exists |
+| isClusterSnapshot | bool | Whether the snapshot is for a cluster |
+| tags | map[string]string | Tags for the snapshot |
+| engine | string | The snapshot DB engine |
+| engineVersion | string | The snapshot DB engine version |
+| status | string | The snapshot status |
+| allocatedStorage | int | The amount of storage allocated to the snapshot |
+| port | int | The port that the DB instance or cluster listens on |
+| createdAt | time | The creation date of the snapshot |
diff --git a/docs/mql/resources/aws-pack/aws.redshift.cluster.md b/docs/mql/resources/aws-pack/aws.redshift.cluster.md
new file mode 100644
index 000000000..5b8687066
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.redshift.cluster.md
@@ -0,0 +1,47 @@
+---
+title: aws.redshift.cluster
+id: aws.redshift.cluster
+sidebar_label: aws.redshift.cluster
+displayed_sidebar: MQL
+description: Amazon Redshift cluster
+---
+
+# aws.redshift.cluster
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon Redshift cluster
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------------------- | ----------------- | ---------------------------------------------------------------------------------------------- |
+| allowVersionUpgrade | bool | Whether major upgrades are applied automatically |
+| arn | string | ARN for the cluster |
+| automatedSnapshotRetentionPeriod | int | Number of days automatic cluster snapshots are retained |
+| availabilityZone | string | Availability zone where the cluster exists |
+| clusterParameterGroupNames | []string | List of cluster parameter group names |
+| clusterRevisionNumber | string | Specific revision number of the database in the cluster |
+| clusterStatus | string | Current state of this cluster: available, creating, deleting, rebooting, renaming, or resizing |
+| clusterSubnetGroupName | string | Name of the subnet group associated with the cluster |
+| clusterVersion | string | Version of the Redshift engine running on the cluster |
+| createdAt | time | Cluster creation timestamp |
+| dbName | string | Name of the initial database that was created when the cluster was created |
+| encrypted | bool | Whether the cluster is encrypted at rest |
+| enhancedVpcRouting | bool | Whether enhanced VPC routing is enabled for the cluster traffic |
+| logging | dict | Logging configuration for the cluster |
+| masterUsername | string | Master user name for the cluster. |
+| name | string | Name of the initial database created when cluster was created |
+| nextMaintenanceWindowStartTime | time | The next scheduled maintenance window |
+| nodeType | string | The node type for the nodes in the cluster |
+| numberOfNodes | int | The number of nodes in the cluster |
+| parameters | []dict | Detailed list of parameters for each parameter group name |
+| preferredMaintenanceWindow | string | Weekly time range for system maintenance (in UTC) |
+| publiclyAccessible | bool | Whether the cluster is publicly accessible |
+| region | string | Region where the cluster exists |
+| tags | map[string]string | Tags for the cluster |
+| vpcId | string | The ID of the VPC where the cluster is running |
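Review bot: `dbName` and `name` carry effectively the same description (name of the initial database created when the cluster was created), so the table does not say what `name` actually returns. If `name` is the cluster's own name, say so; the `aws.redshift` examples in this change select `name` alongside `arn` and `region`, which suggests that is the intent. The `masterUsername` description is also the only cell in the table that ends in a period.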
diff --git a/docs/mql/resources/aws-pack/aws.redshift.md b/docs/mql/resources/aws-pack/aws.redshift.md
new file mode 100644
index 000000000..d17478a89
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.redshift.md
@@ -0,0 +1,60 @@
+---
+title: aws.redshift
+id: aws.redshift
+sidebar_label: aws.redshift
+displayed_sidebar: MQL
+description: Amazon Redshift
+---
+
+# aws.redshift
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon Redshift
+
+Use the `aws.redshift` resource to assess the configuration of Amazon Redshift deployments. The resource returns lists of `aws.rds.dbcluster`, `aws.rds.dbinstance`, and `aws.rds.snapshot` resources, each with fields for assessing the configuration of those assets.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | --------------------------------------------------------- | ---------------- |
+| clusters | [][aws.redshift.cluster](aws.redshift.cluster.md) | List of clusters |
+
+**Examples**
+
+Return a list of Amazon Redshift clusters deployed across all enabled regions and the values for specified fields
+
+```coffee
+aws.redshift.clusters {
+ arn
+ encrypted
+ nodeType
+ allowVersionUpgrade
+ preferredMaintenanceWindow
+ automatedSnapshotRetentionPeriod
+ publiclyAccessible
+ parameters
+ logging
+ name
+ region
+ clusterParameterGroupNames
+}
+```
+
+Return a list of Amazon Redshift clusters that are not encrypted and the values for the `arn` `region` and `name` fields
+
+```coffee
+aws.redshift.clusters.where( encrypted == false ) {
+ arn
+ region
+ name
+}
+```
+
+**References**
+
+- [Amazon Redshift security overview](https://docs.aws.amazon.com/redshift/latest/dg/c_security-overview.html)
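Review bot: the intro paragraph says the resource returns lists of `aws.rds.dbcluster`, `aws.rds.dbinstance`, and `aws.rds.snapshot` resources, which is the sentence from the `aws.rds` page; the Fields table here has a single `clusters` field of type `aws.redshift.cluster`. Replace the second sentence with one that names `aws.redshift.cluster`.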
diff --git a/docs/mql/resources/aws-pack/aws.s3.bucket.corsrule.md b/docs/mql/resources/aws-pack/aws.s3.bucket.corsrule.md
new file mode 100644
index 000000000..45f198ed0
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.s3.bucket.corsrule.md
@@ -0,0 +1,28 @@
+---
+title: aws.s3.bucket.corsrule
+id: aws.s3.bucket.corsrule
+sidebar_label: aws.s3.bucket.corsrule
+displayed_sidebar: MQL
+description: Amazon S3 bucket CORS rule
+---
+
+# aws.s3.bucket.corsrule
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon S3 bucket CORS rule
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ---------------- | ---------------------------------------------------------- |
+| name | string | Name of the rule |
+| allowedHeaders | []string | List of allowed headers |
+| allowedMethods | []string | List of allowed methods GET, POST, PUT, and so on |
+| allowedOrigins | []string | List of origins from which the bucket can be accessed |
+| exposeHeaders | []string | List of exposed response headers |
+| maxAgeSeconds | int | Time in seconds that the browser caches preflight response |
diff --git a/docs/mql/resources/aws-pack/aws.s3.bucket.grant.md b/docs/mql/resources/aws-pack/aws.s3.bucket.grant.md
new file mode 100644
index 000000000..5a6d8be27
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.s3.bucket.grant.md
@@ -0,0 +1,26 @@
+---
+title: aws.s3.bucket.grant
+id: aws.s3.bucket.grant
+sidebar_label: aws.s3.bucket.grant
+displayed_sidebar: MQL
+description: Amazon S3 bucket grant
+---
+
+# aws.s3.bucket.grant
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon S3 bucket grant
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ----------------- | ------------------------------------ |
+| id | string | ID of the bucket grant |
+| name | string | Name for the bucket grant |
+| permission | string | Permission associated with the grant |
+| grantee | map[string]string | Grantee associated with the grant |
diff --git a/docs/mql/resources/aws-pack/aws.s3.bucket.md b/docs/mql/resources/aws-pack/aws.s3.bucket.md
new file mode 100644
index 000000000..a9826230c
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.s3.bucket.md
@@ -0,0 +1,47 @@
+---
+title: aws.s3.bucket
+id: aws.s3.bucket
+sidebar_label: aws.s3.bucket
+displayed_sidebar: MQL
+description: Amazon S3 bucket
+---
+
+# aws.s3.bucket
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon S3 bucket
+
+The `aws.s3.bucket` resource provides fields for assessing the configuration of AWS S3 buckets. For usage, read the `aws.s3` resource documentation.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | ------------------------------------------------------------- | ------------------------------------------------------------- |
+| arn | string | ARN of the bucket |
+| name | string | Name of the bucket |
+| policy | [aws.s3.bucket.policy](aws.s3.bucket.policy.md) | Policy associated with the bucket |
+| tags | map[string]string | Tags for the bucket |
+| acl | [][aws.s3.bucket.grant](aws.s3.bucket.grant.md) | List of access control grants associated with the bucket |
+| owner | map[string]string | Owner for the bucket |
+| public | bool | Whether the bucket is public |
+| cors | [][aws.s3.bucket.corsrule](aws.s3.bucket.corsrule.md) | List of CORS information for the bucket |
+| location | string | Location of the bucket |
+| versioning | map[string]string | Versioning state and MFA delete status of bucket |
+| logging | map[string]string | Logging status and user permissions for bucket logging status |
+| staticWebsiteHosting | map[string]string | Website configuration for the bucket |
+| defaultLock | string | Whether the bucket is locked by default |
+| replication | dict | Bucket cross-region replication configuration |
+| encryption | dict | Bucket encryption configuration |
+| publicAccessBlock | dict | Public access block configuration for the bucket |
+| exists | bool | Whether the bucket still exists (stale reference) |
+| createdTime | time | Date the bucket was created |
+
+**References**
+
+- [Amazon S3 Product Page](https://aws.amazon.com/s3/)
+- [AWS Documentation: Buckets overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingBucket.html)
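Review bot: `defaultLock` is typed `string` but described as "Whether the bucket is locked by default", which reads as a boolean; state the values the string can take. `versioning`, `logging` and `staticWebsiteHosting` are `map[string]string` with no keys listed, and `exists` is explained only by the parenthetical "(stale reference)"; one sentence on when `exists` is false would help readers who filter on it.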
diff --git a/docs/mql/resources/aws-pack/aws.s3.bucket.policy.md b/docs/mql/resources/aws-pack/aws.s3.bucket.policy.md
new file mode 100644
index 000000000..72548bb16
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.s3.bucket.policy.md
@@ -0,0 +1,33 @@
+---
+title: aws.s3.bucket.policy
+id: aws.s3.bucket.policy
+sidebar_label: aws.s3.bucket.policy
+displayed_sidebar: MQL
+description: Amazon S3 bucket policy
+---
+
+# aws.s3.bucket.policy
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon S3 bucket policy
+
+Bucket policies grant permission to your Amazon S3 resources
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | -------------- | --------------------------------- |
+| id | string | Unique ID for the policy |
+| name | string | Name for the policy |
+| document | string | Document for the policy |
+| version | string | Version of the policy |
+| statements | []dict | List of statements for the policy |
+
+**References**
+
+- [AWS Documentation: Using bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html)
diff --git a/docs/mql/resources/aws-pack/aws.s3.md b/docs/mql/resources/aws-pack/aws.s3.md
new file mode 100644
index 000000000..dbbf6161a
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.s3.md
@@ -0,0 +1,84 @@
+---
+title: aws.s3
+id: aws.s3
+sidebar_label: aws.s3
+displayed_sidebar: MQL
+description: Amazon S3 cloud object storage
+---
+
+# aws.s3
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon S3 cloud object storage
+
+Amazon Simple Storage Service (Amazon S3) is an object storage service
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ------------------------------------------- | ------------------------------------- |
+| buckets | [][aws.s3.bucket](aws.s3.bucket.md) | List of S3 buckets across the account |
+
+**Examples**
+
+Return a list of AWS S3 buckets and the values for specified fields
+
+```coffee
+aws.s3.buckets {
+ arn
+ name
+ policy
+ tags
+ acl
+ owner
+ public
+ cors
+ location
+ versioning
+ logging
+ staticWebsiteHosting
+ defaultLock
+ replication
+ encryption
+ publicAccessBlock
+ exists
+}
+```
+
+Return a list of AWS S3 buckets that are public and return the values for the `arn` `name` `location` `tags` and `publicAccessBlock`
+
+```coffee
+aws.s3.buckets.where( public == true ) {
+ arn
+ name
+ location
+ tags
+ publicAccessBlock
+}
+```
+
+Check whether S3 buckets have cross-region replication enabled
+
+```coffee
+aws.s3.buckets.all(
+ replication['Rules'] { _['Status'] == "Enabled" }
+)
+```
+
+Check that all buckets are encrypted with kms
+
+```coffee
+aws.s3.buckets.all(
+ encryption['Rules'] { _['ApplyServerSideEncryptionByDefault']['KMSMasterKeyID'] == /^arn:aws:kms:.*/}
+)
+```
+
+**References**
+
+- [Amazon S3 Product Page](https://aws.amazon.com/s3/)
+- [AWS Documentation: What is Amazon S3?](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html)
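Review bot: in the last example the pattern `/^arn:aws:kms:.*/` hard-codes the `arn:aws:kms:` prefix, so the check passes only when `KMSMasterKeyID` is an ARN beginning with exactly that prefix; say so in the example text, or loosen the pattern, so that a failing result is not misread as an unencrypted bucket. The two `.all( ... { ... } )` examples put a block inside `all()` where the `aws` page uses an explicit `any(...)` condition, and the page does not state how a bucket with no `Rules` is evaluated. The first example also lists every `aws.s3.bucket` field except `createdTime`.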
diff --git a/docs/mql/resources/aws-pack/aws.s3control.md b/docs/mql/resources/aws-pack/aws.s3control.md
new file mode 100644
index 000000000..48c006b29
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.s3control.md
@@ -0,0 +1,23 @@
+---
+title: aws.s3control
+id: aws.s3control
+sidebar_label: aws.s3control
+displayed_sidebar: MQL
+description: Amazon S3 bucket control
+---
+
+# aws.s3control
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon S3 bucket control
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------ | ---- | ------------------------------------------------ |
+| accountPublicAccessBlock | dict | Account level public access configuration for S3 |
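Review bot: `accountPublicAccessBlock` is a `dict` with no keys listed and the page has no example, so nothing here shows how to check the account-level setting. List the dict keys in the DESCRIPTION cell and add one example query.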
diff --git a/docs/mql/resources/aws-pack/aws.sagemaker.endpoint.md b/docs/mql/resources/aws-pack/aws.sagemaker.endpoint.md
new file mode 100644
index 000000000..861b7039e
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.sagemaker.endpoint.md
@@ -0,0 +1,27 @@
+---
+title: aws.sagemaker.endpoint
+id: aws.sagemaker.endpoint
+sidebar_label: aws.sagemaker.endpoint
+displayed_sidebar: MQL
+description: AWS SageMaker endpoint
+---
+
+# aws.sagemaker.endpoint
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS SageMaker endpoint
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ----------------- | ------------------------------------------ |
+| arn | string | ARN for the endpoint |
+| name | string | Name of the endpoint |
+| config | dict | Configuration information for the endpoint |
+| region | string | Region where the endpoint exists |
+| tags | map[string]string | Tags for the endpoint |
diff --git a/docs/mql/resources/aws-pack/aws.sagemaker.md b/docs/mql/resources/aws-pack/aws.sagemaker.md
new file mode 100644
index 000000000..2a12ee108
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.sagemaker.md
@@ -0,0 +1,24 @@
+---
+title: aws.sagemaker
+id: aws.sagemaker
+sidebar_label: aws.sagemaker
+displayed_sidebar: MQL
+description: AWS SageMaker
+---
+
+# aws.sagemaker
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS SageMaker
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ----------------------------------------------------------------------------- | ------------------------------------ |
+| endpoints | [][aws.sagemaker.endpoint](aws.sagemaker.endpoint.md) | List of SageMaker endpoints |
+| notebookInstances | [][aws.sagemaker.notebookinstance](aws.sagemaker.notebookinstance.md) | List of SageMaker notebook instances |
diff --git a/docs/mql/resources/aws-pack/aws.sagemaker.notebookinstance.details.md b/docs/mql/resources/aws-pack/aws.sagemaker.notebookinstance.details.md
new file mode 100644
index 000000000..31ce95c3e
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.sagemaker.notebookinstance.details.md
@@ -0,0 +1,25 @@
+---
+title: aws.sagemaker.notebookinstance.details
+id: aws.sagemaker.notebookinstance.details
+sidebar_label: aws.sagemaker.notebookinstance.details
+displayed_sidebar: MQL
+description: AWS SageMaker notebook instance details
+---
+
+# aws.sagemaker.notebookinstance.details
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS SageMaker notebook instance details
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | ----------------------------- | ---------------------------------------------------------- |
+| arn | string | ARN for the notebook instance |
+| kmsKey | [aws.kms.key](aws.kms.key.md) | KMS key used to encrypt data |
+| directInternetAccess | string | Whether SageMaker provides internet access to the instance |
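Review bot: `directInternetAccess` is typed `string` but its description, "Whether SageMaker provides internet access to the instance", reads as a boolean. List the string values the field returns so a policy author knows what to compare against when checking notebook exposure.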
diff --git a/docs/mql/resources/aws-pack/aws.sagemaker.notebookinstance.md b/docs/mql/resources/aws-pack/aws.sagemaker.notebookinstance.md
new file mode 100644
index 000000000..fc25628ab
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.sagemaker.notebookinstance.md
@@ -0,0 +1,27 @@
+---
+title: aws.sagemaker.notebookinstance
+id: aws.sagemaker.notebookinstance
+sidebar_label: aws.sagemaker.notebookinstance
+displayed_sidebar: MQL
+description: AWS SageMaker notebook instance
+---
+
+# aws.sagemaker.notebookinstance
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS SageMaker notebook instance
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ----------------------------------------------------------------------------------- | ----------------------------------------- |
+| arn | string | ARN for the notebook instance |
+| name | string | Name of the notebook instance |
+| details | [aws.sagemaker.notebookinstance.details](aws.sagemaker.notebookinstance.details.md) | Details about the notebook |
+| region | string | Region where the notebook instance exists |
+| tags | map[string]string | Tags for the notebook instance |
diff --git a/docs/mql/resources/aws-pack/aws.secretsmanager.md b/docs/mql/resources/aws-pack/aws.secretsmanager.md
new file mode 100644
index 000000000..b50fed0bf
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.secretsmanager.md
@@ -0,0 +1,23 @@
+---
+title: aws.secretsmanager
+id: aws.secretsmanager
+sidebar_label: aws.secretsmanager
+displayed_sidebar: MQL
+description: AWS Secrets Manager
+---
+
+# aws.secretsmanager
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Secrets Manager
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ------------------------------------------------------------------- | --------------- |
+| secrets | [][aws.secretsmanager.secret](aws.secretsmanager.secret.md) | List of secrets |
diff --git a/docs/mql/resources/aws-pack/aws.secretsmanager.secret.md b/docs/mql/resources/aws-pack/aws.secretsmanager.secret.md
new file mode 100644
index 000000000..d9fa5a7cf
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.secretsmanager.secret.md
@@ -0,0 +1,32 @@
+---
+title: aws.secretsmanager.secret
+id: aws.secretsmanager.secret
+sidebar_label: aws.secretsmanager.secret
+displayed_sidebar: MQL
+description: AWS Secrets Manager secret
+---
+
+# aws.secretsmanager.secret
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Secrets Manager secret
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ----------------- | -------------------------------------------------- |
+| arn | string | ARN for the secret |
+| createdAt | time | Creation date of the secret |
+| description | string | Description of the secret |
+| lastChangedDate | time | The last date the secret was changed |
+| lastRotatedDate | time | The last date the secret was automatically rotated |
+| name | string | Name of the secret |
+| nextRotationDate | time | The date of the next secret rotation |
+| primaryRegion | string | The primary region of the secret |
+| rotationEnabled | bool | Whether rotation is enabled for the secret |
+| tags | map[string]string | Tags for the secret |
diff --git a/docs/mql/resources/aws-pack/aws.securityhub.hub.md b/docs/mql/resources/aws-pack/aws.securityhub.hub.md
new file mode 100644
index 000000000..17ddcddcd
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.securityhub.hub.md
@@ -0,0 +1,24 @@
+---
+title: aws.securityhub.hub
+id: aws.securityhub.hub
+sidebar_label: aws.securityhub.hub
+displayed_sidebar: MQL
+description: AWS Security Hub hub
+---
+
+# aws.securityhub.hub
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Security Hub hub
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------ | -------------------------------------- |
+| arn | string | ARN for the Security Hub |
+| subscribedAt | string | Date and time when the hub was enabled |
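Review bot: `subscribedAt` is typed `string` although it is described as a date and time, while the timestamp fields in `aws.secretsmanager.secret` in this same patch (`createdAt`, `lastRotatedDate`) are typed `time`. If the string type is intentional, document the format so date comparisons in queries are written correctly.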
diff --git a/docs/mql/resources/aws-pack/aws.securityhub.md b/docs/mql/resources/aws-pack/aws.securityhub.md
new file mode 100644
index 000000000..45739e315
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.securityhub.md
@@ -0,0 +1,23 @@
+---
+title: aws.securityhub
+id: aws.securityhub
+sidebar_label: aws.securityhub
+displayed_sidebar: MQL
+description: AWS Security Hub
+---
+
+# aws.securityhub
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Security Hub
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | ------------------------------------------------------- | ------------------------------------ |
+| hubs | [][aws.securityhub.hub](aws.securityhub.hub.md) | List of Security Hubs in the account |
diff --git a/docs/mql/resources/aws-pack/aws.sns.md b/docs/mql/resources/aws-pack/aws.sns.md
new file mode 100644
index 000000000..af95ab04b
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.sns.md
@@ -0,0 +1,23 @@
+---
+title: aws.sns
+id: aws.sns
+sidebar_label: aws.sns
+displayed_sidebar: MQL
+description: AWS Simple Notification Service (SNS)
+---
+
+# aws.sns
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Simple Notification Service (SNS)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ------------------------------------------- | ------------------ |
+| topics | [][aws.sns.topic](aws.sns.topic.md) | List of SNS topics |
diff --git a/docs/mql/resources/aws-pack/aws.sns.subscription.md b/docs/mql/resources/aws-pack/aws.sns.subscription.md
new file mode 100644
index 000000000..f9de1ac45
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.sns.subscription.md
@@ -0,0 +1,24 @@
+---
+title: aws.sns.subscription
+id: aws.sns.subscription
+sidebar_label: aws.sns.subscription
+displayed_sidebar: MQL
+description: AWS Simple Notification Service (SNS) subscription
+---
+
+# aws.sns.subscription
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Simple Notification Service (SNS) subscription
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ------ | ----------------------------------- |
+| arn | string | ARN of the subscription |
+| protocol | string | Protocol value for the subscription |
diff --git a/docs/mql/resources/aws-pack/aws.sns.topic.md b/docs/mql/resources/aws-pack/aws.sns.topic.md
new file mode 100644
index 000000000..0f17ae08f
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.sns.topic.md
@@ -0,0 +1,27 @@
+---
+title: aws.sns.topic
+id: aws.sns.topic
+sidebar_label: aws.sns.topic
+displayed_sidebar: MQL
+description: AWS Simple Notification Service (SNS) topic
+---
+
+# aws.sns.topic
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+AWS Simple Notification Service (SNS) topic
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | --------------------------------------------------------- | ----------------------------------------------------- |
+| arn | string | SNS topic ARN |
+| region | string | Region where the SNS topic exists |
+| subscriptions | [][aws.sns.subscription](aws.sns.subscription.md) | List of subscriptions associated with the topic ARN |
+| attributes | dict | Attributes for the SNS topic, including KMS ID if any |
+| tags | map[string]string | Tags for the topic |
diff --git a/docs/mql/resources/aws-pack/aws.ssm.instance.md b/docs/mql/resources/aws-pack/aws.ssm.instance.md
new file mode 100644
index 000000000..3fbb0d106
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ssm.instance.md
@@ -0,0 +1,31 @@
+---
+title: aws.ssm.instance
+id: aws.ssm.instance
+sidebar_label: aws.ssm.instance
+displayed_sidebar: MQL
+description: Amazon SSM instance
+---
+
+# aws.ssm.instance
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon SSM instance
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------- | -------------------------------------------------------------------------------- |
+| instanceId | string | Instance ID for the SSM Instance |
+| pingStatus | string | Ping status (such as online) for the SSM Instance |
+| ipAddress | string | IP Address for the SSM instance |
+| platformName | string | Platform name for the SSM Instance, as described by AWS |
+| platformType | string | The type of for the SSM Instance, as described by AWS: Windows, Linux, and so on |
+| platformVersion | string | Platform version for the SSM Instance, as described by AWS |
+| region | string | Region where the SSM instance is located |
+| arn | string | ARN for the SSM instance |
+| tags | map[string]string | Tags for the SSM instance |
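Review bot: The `platformType` description reads "The type of for the SSM Instance", which is missing a noun. Something like "Platform type for the SSM instance, as described by AWS: Windows, Linux, and so on" would match the neighbouring rows. The table also alternates between "SSM Instance" and "SSM instance"; pick one.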
diff --git a/docs/mql/resources/aws-pack/aws.ssm.md b/docs/mql/resources/aws-pack/aws.ssm.md
new file mode 100644
index 000000000..1e148fe75
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.ssm.md
@@ -0,0 +1,23 @@
+---
+title: aws.ssm
+id: aws.ssm
+sidebar_label: aws.ssm
+displayed_sidebar: MQL
+description: Amazon Systems Manager
+---
+
+# aws.ssm
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon Systems Manager
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------------------------------------------------- | ----------- |
+| instances | [][aws.ssm.instance](aws.ssm.instance.md) | |
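Review bot: The `instances` row has an empty DESCRIPTION cell. Fill it in, for example "List of SSM instances", as the other list-typed fields in this patch do.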
diff --git a/docs/mql/resources/aws-pack/aws.vpc.endpoint.md b/docs/mql/resources/aws-pack/aws.vpc.endpoint.md
new file mode 100644
index 000000000..26b909b40
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.vpc.endpoint.md
@@ -0,0 +1,32 @@
+---
+title: aws.vpc.endpoint
+id: aws.vpc.endpoint
+sidebar_label: aws.vpc.endpoint
+displayed_sidebar: MQL
+description: Amazon Virtual Private Cloud (VPC) endpoint
+---
+
+# aws.vpc.endpoint
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon Virtual Private Cloud (VPC) endpoint
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ---------------- | ----------------------------------------------------------------- |
+| id | string | Unique ID of the endpoint |
+| type | string | Type of the endpoint |
+| vpc | string | VPC in which the endpoint exists |
+| region | string | Region in which the VPC exists |
+| serviceName | string | The name of the endpoint service |
+| policyDocument | string | The policy document associated with the endpoint, if applicable |
+| subnets | []string | The subnets for the (interface) endpoint |
+| privateDnsEnabled | bool | Whether to associate a private hosted zone with the specified VPC |
+| state | string | VPC endpoint state |
+| createdAt | time | Creation timestamp |
diff --git a/docs/mql/resources/aws-pack/aws.vpc.flowlog.md b/docs/mql/resources/aws-pack/aws.vpc.flowlog.md
new file mode 100644
index 000000000..bffc4a840
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.vpc.flowlog.md
@@ -0,0 +1,33 @@
+---
+title: aws.vpc.flowlog
+id: aws.vpc.flowlog
+sidebar_label: aws.vpc.flowlog
+displayed_sidebar: MQL
+description: Amazon Virtual Private Cloud (VPC) flow log
+---
+
+# aws.vpc.flowlog
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon Virtual Private Cloud (VPC) flow log
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------- | ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| id | string | Unique ID of the flow log |
+| vpc | string | VPC in which the flow log exists |
+| region | string | Region in which the flow log exists |
+| status | string | Status of the flow log |
+| tags | map[string]string | Tags on the flow log |
+| createdAt | time | Creation timestamp |
+| destination | string | The destination for the flow log data |
+| destinationType | string | The destination type for the flow log data |
+| deliverLogsStatus | string | The delivery log status for the flow log data |
+| maxAggregationInterval | int | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. The possible values are 60 seconds (1 minute) or 600 seconds (10 minutes). |
+| trafficType | string | The type of traffic to monitor. ACCEPT, ALL, and REJECT |
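Review bot: The `trafficType` description ends in a sentence fragment, "ACCEPT, ALL, and REJECT". Phrase it the way `maxAggregationInterval` does on the row above, for example "The possible values are ACCEPT, ALL, and REJECT", so it is clear these are the values a query should compare against.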
diff --git a/docs/mql/resources/aws-pack/aws.vpc.md b/docs/mql/resources/aws-pack/aws.vpc.md
new file mode 100644
index 000000000..212796492
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.vpc.md
@@ -0,0 +1,34 @@
+---
+title: aws.vpc
+id: aws.vpc
+sidebar_label: aws.vpc
+displayed_sidebar: MQL
+description: Amazon Virtual Private Cloud (VPC)
+---
+
+# aws.vpc
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon Virtual Private Cloud (VPC)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------------------------------------------- | ------------------------------------------------------------------------------------- |
+| arn | string | ARN of the VPC |
+| id | string | ID of the VPC |
+| cidrBlock | string | IPv4 CIDR block of the VPC |
+| state | string | State of the VPC: pending or available |
+| isDefault | bool | Whether the VPC is the default VPC |
+| instanceTenancy | string | How instance hardware tenancy settings are enforced on instances launched in this VPC |
+| region | string | Region in which the VPC exists |
+| endpoints | [][aws.vpc.endpoint](aws.vpc.endpoint.md) | List of endpoints for the VPC |
+| flowLogs | [][aws.vpc.flowlog](aws.vpc.flowlog.md) | List of flow logs for the VPC |
+| routeTables | [][aws.vpc.routetable](aws.vpc.routetable.md) | List of route tables for the VPC |
+| subnets | [][aws.vpc.subnet](aws.vpc.subnet.md) | List of subnets for the VPC |
+| tags | map[string]string | Tags on the VPC |
diff --git a/docs/mql/resources/aws-pack/aws.vpc.routetable.md b/docs/mql/resources/aws-pack/aws.vpc.routetable.md
new file mode 100644
index 000000000..00c037e67
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.vpc.routetable.md
@@ -0,0 +1,25 @@
+---
+title: aws.vpc.routetable
+id: aws.vpc.routetable
+sidebar_label: aws.vpc.routetable
+displayed_sidebar: MQL
+description: Amazon Virtual Private Cloud (VPC) route table
+---
+
+# aws.vpc.routetable
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon Virtual Private Cloud (VPC) route table
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ----------------- | ---------------------------- |
+| id | string | Unique ID of the route table |
+| routes | []dict | A list of route descriptions |
+| tags | map[string]string | Tags on the route table |
diff --git a/docs/mql/resources/aws-pack/aws.vpc.subnet.md b/docs/mql/resources/aws-pack/aws.vpc.subnet.md
new file mode 100644
index 000000000..9dc451611
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.vpc.subnet.md
@@ -0,0 +1,30 @@
+---
+title: aws.vpc.subnet
+id: aws.vpc.subnet
+sidebar_label: aws.vpc.subnet
+displayed_sidebar: MQL
+description: Amazon Virtual Private Cloud (VPC) subnet
+---
+
+# aws.vpc.subnet
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon Virtual Private Cloud (VPC) subnet
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------ |
+| arn | string | ARN of the subnet |
+| id | string | Unique ID of the subnet |
+| cidrs | string | List of CIDR descriptions |
+| mapPublicIpOnLaunch | bool | Whether instances launched in this subnet receive public IPv4 addresses |
+| availabilityZone | string | The availability zone where this subnet is located |
+| defaultForAvailabilityZone | bool | Whether this is the default subnet for the availability zone |
+| assignIpv6AddressOnCreation | bool | Whether a network interface created in this subnet (including a network interface created by RunInstances ) receives an IPv6 address |
+| state | string | The state of the subnet: pending or available |
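Review bot: `cidrs` is typed `string` but described as "List of CIDR descriptions". Either the type should be a list type or the description should say what the single string contains. There is also a stray space before the closing parenthesis in "RunInstances )" in the `assignIpv6AddressOnCreation` row.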
diff --git a/docs/mql/resources/aws-pack/aws.waf.acl.md b/docs/mql/resources/aws-pack/aws.waf.acl.md
new file mode 100644
index 000000000..b9044b0e0
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.acl.md
@@ -0,0 +1,29 @@
+---
+title: aws.waf.acl
+id: aws.waf.acl
+sidebar_label: aws.waf.acl
+displayed_sidebar: MQL
+description: Amazon WAF v2 ACL
+---
+
+# aws.waf.acl
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon WAF v2 ACL
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------ | ----------------------------------------- | ---------------------------------------------- |
+| arn | string | ARN of the ACL |
+| id | string | ID of the ACL |
+| name | string | Name of the ACL |
+| description | string | Description of the ACL |
+| managedByFirewallManager | bool | Whether the ACL is managed by Firewall Manager |
+| rules | [][aws.waf.rule](aws.waf.rule.md) | List of WAF rules |
+| scope | string | Scope either REGIONAL or CLOUDFRONT |
diff --git a/docs/mql/resources/aws-pack/aws.waf.ipset.md b/docs/mql/resources/aws-pack/aws.waf.ipset.md
new file mode 100644
index 000000000..6e76cecb1
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.ipset.md
@@ -0,0 +1,29 @@
+---
+title: aws.waf.ipset
+id: aws.waf.ipset
+sidebar_label: aws.waf.ipset
+displayed_sidebar: MQL
+description: Amazon WAF IP set (defining IP Ranges)
+---
+
+# aws.waf.ipset
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon WAF IP set (defining IP Ranges)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | ----------------------------- |
+| arn | string | ARN of the IP set |
+| id | string | ID of the IP set |
+| scope | string | Scope: REGIONAL or CLOUDFRONT |
+| name | string | Name of the IP set |
+| description | string | Description of the IP set |
+| addressType | string | Address type: ipv4 or ipv6 |
+| addresses | dict | list of IP addresses |
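Review bot: `addresses` is typed `dict` but described as "list of IP addresses". Confirm the type, and if it really is a dict, say what its keys are. Capitalise "List" to match the other rows.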
diff --git a/docs/mql/resources/aws-pack/aws.waf.md b/docs/mql/resources/aws-pack/aws.waf.md
new file mode 100644
index 000000000..aeb89d826
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.md
@@ -0,0 +1,26 @@
+---
+title: aws.waf
+id: aws.waf
+sidebar_label: aws.waf
+displayed_sidebar: MQL
+description: Amazon WAF v2
+---
+
+# aws.waf
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon WAF v2
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | --------------------------------------------------- | ----------------------------------- |
+| acls | [][aws.waf.acl](aws.waf.acl.md) | List of WAF ACLs |
+| ruleGroups | [][aws.waf.rulegroup](aws.waf.rulegroup.md) | List of WAF rules |
+| ipSets | [][aws.waf.ipset](aws.waf.ipset.md) | List of WAF IP sets |
+| scope | string | Scope either REGIONAL or CLOUDFRONT |
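Review bot: `ruleGroups` has type `[]aws.waf.rulegroup` but is described as "List of WAF rules". It should read "List of WAF rule groups" so it is not confused with the `rules` field on `aws.waf.acl`. "Scope either REGIONAL or CLOUDFRONT" is also missing punctuation; `aws.waf.ipset` uses "Scope: REGIONAL or CLOUDFRONT".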
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.action.md b/docs/mql/resources/aws-pack/aws.waf.rule.action.md
new file mode 100644
index 000000000..5a1ebace0
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.action.md
@@ -0,0 +1,25 @@
+---
+title: aws.waf.rule.action
+id: aws.waf.rule.action
+sidebar_label: aws.waf.rule.action
+displayed_sidebar: MQL
+description: Action that happens if a rule statement matches
+---
+
+# aws.waf.rule.action
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Action that happens if a rule statement matches
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------ | ----------------------------------------------- |
+| ruleName | string | Name of the rule this action belongs to |
+| action | string | One of Block, Allow, Count, Captcha |
+| responseCode | string | HTTP Response Code, only if the action is Block |
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.body.md b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.body.md
new file mode 100644
index 000000000..5a525f1f6
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.body.md
@@ -0,0 +1,25 @@
+---
+title: aws.waf.rule.fieldtomatch.body
+id: aws.waf.rule.fieldtomatch.body
+sidebar_label: aws.waf.rule.fieldtomatch.body
+displayed_sidebar: MQL
+description: Body of the field to match
+---
+
+# aws.waf.rule.fieldtomatch.body
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Body of the field to match
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ------ | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| overSizeHandling | string | What to do if the body is over size |
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.cookie.md b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.cookie.md
new file mode 100644
index 000000000..eac0d9170
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.cookie.md
@@ -0,0 +1,25 @@
+---
+title: aws.waf.rule.fieldtomatch.cookie
+id: aws.waf.rule.fieldtomatch.cookie
+sidebar_label: aws.waf.rule.fieldtomatch.cookie
+displayed_sidebar: MQL
+description: Cookie of the field to match
+---
+
+# aws.waf.rule.fieldtomatch.cookie
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Cookie of the field to match
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ------ | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| overSizeHandling | string | What to do if the cookie is over size |
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.headerorder.md b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.headerorder.md
new file mode 100644
index 000000000..3dbdf9af0
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.headerorder.md
@@ -0,0 +1,25 @@
+---
+title: aws.waf.rule.fieldtomatch.headerorder
+id: aws.waf.rule.fieldtomatch.headerorder
+sidebar_label: aws.waf.rule.fieldtomatch.headerorder
+displayed_sidebar: MQL
+description: Order of headers of the field to match
+---
+
+# aws.waf.rule.fieldtomatch.headerorder
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Order of headers of the field to match
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ------ | ----------------------------------------------- |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| overSizeHandling | string | What to do if the order of headers is over size |
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.headers.matchpattern.md b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.headers.matchpattern.md
new file mode 100644
index 000000000..2b7e9a094
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.headers.matchpattern.md
@@ -0,0 +1,27 @@
+---
+title: aws.waf.rule.fieldtomatch.headers.matchpattern
+id: aws.waf.rule.fieldtomatch.headers.matchpattern
+sidebar_label: aws.waf.rule.fieldtomatch.headers.matchpattern
+displayed_sidebar: MQL
+description: The pattern to match
+---
+
+# aws.waf.rule.fieldtomatch.headers.matchpattern
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+The pattern to match
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ---------------- | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| all | bool | Whether to match all |
+| includeHeaders | []string | Headers to include |
+| excludeHeaders | []string | Headers to exclude |
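Review bot: The `all` description, "Whether to match all", does not say all of what. Given the `includeHeaders` and `excludeHeaders` rows below it, "Whether to match all headers" would be clearer, and it would help to state how `all` interacts with the include and exclude lists.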
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.headers.md b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.headers.md
new file mode 100644
index 000000000..78d499ec7
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.headers.md
@@ -0,0 +1,27 @@
+---
+title: aws.waf.rule.fieldtomatch.headers
+id: aws.waf.rule.fieldtomatch.headers
+sidebar_label: aws.waf.rule.fieldtomatch.headers
+displayed_sidebar: MQL
+description: Headers
+---
+
+# aws.waf.rule.fieldtomatch.headers
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Headers
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | --------------------------------------------------------------------------------------------------- | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| matchScope | string | Match scope |
+| overSizeHandling | string | What to do if the headers are over size |
+| matchPattern | [aws.waf.rule.fieldtomatch.headers.matchpattern](aws.waf.rule.fieldtomatch.headers.matchpattern.md) | Match pattern |
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.ja3fingerprint.md b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.ja3fingerprint.md
new file mode 100644
index 000000000..2f7e57fff
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.ja3fingerprint.md
@@ -0,0 +1,25 @@
+---
+title: aws.waf.rule.fieldtomatch.ja3fingerprint
+id: aws.waf.rule.fieldtomatch.ja3fingerprint
+sidebar_label: aws.waf.rule.fieldtomatch.ja3fingerprint
+displayed_sidebar: MQL
+description: JA3 fingerprint
+---
+
+# aws.waf.rule.fieldtomatch.ja3fingerprint
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+JA3 fingerprint
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ------ | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| fallbackBehavior | string | FallbackBehavior |
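Review bot: The `fallbackBehavior` description is only the field name ("FallbackBehavior"). Describe when the fallback applies and which values the string takes, in the style of the `overSizeHandling` rows on the sibling pages.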
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.jsonbody.matchpattern.md b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.jsonbody.matchpattern.md
new file mode 100644
index 000000000..9a0d3410b
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.jsonbody.matchpattern.md
@@ -0,0 +1,26 @@
+---
+title: aws.waf.rule.fieldtomatch.jsonbody.matchpattern
+id: aws.waf.rule.fieldtomatch.jsonbody.matchpattern
+sidebar_label: aws.waf.rule.fieldtomatch.jsonbody.matchpattern
+displayed_sidebar: MQL
+description: The pattern to match
+---
+
+# aws.waf.rule.fieldtomatch.jsonbody.matchpattern
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+The pattern to match
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ---------------- | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| all | bool | Whether to match all |
+| includePaths | []string | Paths to include |
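Review bot: As on the headers match pattern page, the `all` row says only "Whether to match all". Say "all paths" (or whatever the field covers) so it can be read together with `includePaths`.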
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.jsonbody.md b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.jsonbody.md
new file mode 100644
index 000000000..c6068daed
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.jsonbody.md
@@ -0,0 +1,28 @@
+---
+title: aws.waf.rule.fieldtomatch.jsonbody
+id: aws.waf.rule.fieldtomatch.jsonbody
+sidebar_label: aws.waf.rule.fieldtomatch.jsonbody
+displayed_sidebar: MQL
+description: Request body as JSON
+---
+
+# aws.waf.rule.fieldtomatch.jsonbody
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Request body as JSON
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| overSizeHandling | string | What to do if the body is over size |
+| matchScope | string | Match scope |
+| invalidFallbackBehavior | string | What to do if the body is not valid JSON |
+| matchPattern | [aws.waf.rule.fieldtomatch.jsonbody.matchpattern](aws.waf.rule.fieldtomatch.jsonbody.matchpattern.md) | Match pattern |
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.md b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.md
new file mode 100644
index 000000000..f118c4a71
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.md
@@ -0,0 +1,37 @@
+---
+title: aws.waf.rule.fieldtomatch
+id: aws.waf.rule.fieldtomatch
+sidebar_label: aws.waf.rule.fieldtomatch
+displayed_sidebar: MQL
+description: Field to match
+---
+
+# aws.waf.rule.fieldtomatch
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Field to match
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------- | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- |
+| target | string | |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| method | bool | Whether to match the HTTP method: GET or POST |
+| uriPath | bool | Whether to match the URI path |
+| queryString | bool | Whether to match the query string |
+| allQueryArguments | bool | Whether to match all query arguments |
+| body | [aws.waf.rule.fieldtomatch.body](aws.waf.rule.fieldtomatch.body.md) | Whether to match the body (match if not null) |
+| cookie | [aws.waf.rule.fieldtomatch.cookie](aws.waf.rule.fieldtomatch.cookie.md) | Whether to match the cookie (match if not null) |
+| singleHeader | [aws.waf.rule.fieldtomatch.singleheader](aws.waf.rule.fieldtomatch.singleheader.md) | Whether to match the single header (match if not null) |
+| headerOrder | [aws.waf.rule.fieldtomatch.headerorder](aws.waf.rule.fieldtomatch.headerorder.md) | Whether to match the header order (match if not null) |
+| headers | [aws.waf.rule.fieldtomatch.headers](aws.waf.rule.fieldtomatch.headers.md) | Whether to match the header (match if not null) |
+| ja3Fingerprint | [aws.waf.rule.fieldtomatch.ja3fingerprint](aws.waf.rule.fieldtomatch.ja3fingerprint.md) | Whether to match the JA3 fingerprint (match if not null) |
+| jsonBody | [aws.waf.rule.fieldtomatch.jsonbody](aws.waf.rule.fieldtomatch.jsonbody.md) | Whether to match the JSON body (match if not null) |
+| singleQueryArgument | [aws.waf.rule.fieldtomatch.singlequeryargument](aws.waf.rule.fieldtomatch.singlequeryargument.md) | Whether to match the single query argument of the field (match if not null) |
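Review bot: `target` has an empty DESCRIPTION cell, so the first row of the table tells the reader nothing; say what the string holds. On the `method` row, "Whether to match the HTTP method: GET or POST" reads as if only GET and POST are covered, while the type is bool; wording such as "Whether the rule inspects the HTTP method" would fit the type. The `headers` row says "the header" where the field name is plural.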
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.singleheader.md b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.singleheader.md
new file mode 100644
index 000000000..d2b86020f
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.singleheader.md
@@ -0,0 +1,25 @@
+---
+title: aws.waf.rule.fieldtomatch.singleheader
+id: aws.waf.rule.fieldtomatch.singleheader
+sidebar_label: aws.waf.rule.fieldtomatch.singleheader
+displayed_sidebar: MQL
+description: Single header of the field to match
+---
+
+# aws.waf.rule.fieldtomatch.singleheader
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Single header of the field to match
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| name | string | Name of the header |
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.singlequeryargument.md b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.singlequeryargument.md
new file mode 100644
index 000000000..01179e187
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.fieldtomatch.singlequeryargument.md
@@ -0,0 +1,25 @@
+---
+title: aws.waf.rule.fieldtomatch.singlequeryargument
+id: aws.waf.rule.fieldtomatch.singlequeryargument
+sidebar_label: aws.waf.rule.fieldtomatch.singlequeryargument
+displayed_sidebar: MQL
+description: Single query argument
+---
+
+# aws.waf.rule.fieldtomatch.singlequeryargument
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Single query argument
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| name | string | Name of the query argument |
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.md b/docs/mql/resources/aws-pack/aws.waf.rule.md
new file mode 100644
index 000000000..52813f800
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.md
@@ -0,0 +1,28 @@
+---
+title: aws.waf.rule
+id: aws.waf.rule
+sidebar_label: aws.waf.rule
+displayed_sidebar: MQL
+description: Amazon WAF rule
+---
+
+# aws.waf.rule
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon WAF rule
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- |
+| id | string | arn of the acl/ruleGroup + the name of the rule |
+| name | string | Name of the rule |
+| priority | int | Priority from lowest to highest number |
+| statement | [aws.waf.rule.statement](aws.waf.rule.statement.md) | Part of the rule that tells WAF how to inspect a web request |
+| action | [aws.waf.rule.action](aws.waf.rule.action.md) | Part of the rule that tells WAF what to do with a web request when it matches the criteria defined in the rule |
+| belongsTo | string | The ARN of either rule ACL or the RuleGroup that this rule belongs to |
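Review bot: on the `priority` row, "Priority from lowest to highest number" does not say which end is evaluated first, which is the one thing someone auditing rule order needs; state it explicitly. The `belongsTo` row says "rule ACL" while the `id` row says "acl/ruleGroup"; pick one term for the ACL and write ARN in capitals in both rows.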
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.statement.andstatement.md b/docs/mql/resources/aws-pack/aws.waf.rule.statement.andstatement.md
new file mode 100644
index 000000000..cccb3e114
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.statement.andstatement.md
@@ -0,0 +1,25 @@
+---
+title: aws.waf.rule.statement.andstatement
+id: aws.waf.rule.statement.andstatement
+sidebar_label: aws.waf.rule.statement.andstatement
+displayed_sidebar: MQL
+description: Rule statement that matches if all of the rule statements inside it match
+---
+
+# aws.waf.rule.statement.andstatement
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Rule statement that matches if all of the rule statements inside it match
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------------------------------------------------------------- | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| statements | [][aws.waf.rule.statement](aws.waf.rule.statement.md) | Sub-statements |
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.statement.bytematchstatement.md b/docs/mql/resources/aws-pack/aws.waf.rule.statement.bytematchstatement.md
new file mode 100644
index 000000000..c67336fb0
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.statement.bytematchstatement.md
@@ -0,0 +1,26 @@
+---
+title: aws.waf.rule.statement.bytematchstatement
+id: aws.waf.rule.statement.bytematchstatement
+sidebar_label: aws.waf.rule.statement.bytematchstatement
+displayed_sidebar: MQL
+description: Rule statement that matches a specified sequence of bytes
+---
+
+# aws.waf.rule.statement.bytematchstatement
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Rule statement that matches a specified sequence of bytes
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | --------------------------------------------------------- | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| fieldToMatch | [aws.waf.rule.fieldtomatch](aws.waf.rule.fieldtomatch.md) | Field to match |
+| searchString | string | String to search for |
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.statement.geomatchstatement.md b/docs/mql/resources/aws-pack/aws.waf.rule.statement.geomatchstatement.md
new file mode 100644
index 000000000..4e943c7d2
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.statement.geomatchstatement.md
@@ -0,0 +1,25 @@
+---
+title: aws.waf.rule.statement.geomatchstatement
+id: aws.waf.rule.statement.geomatchstatement
+sidebar_label: aws.waf.rule.statement.geomatchstatement
+displayed_sidebar: MQL
+description: Rule statement that checks for requests from certain countries
+---
+
+# aws.waf.rule.statement.geomatchstatement
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Rule statement that checks for requests from certain countries
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ---------------- | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| countryCodes | []string | Country codes |
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.statement.ipsetreferencestatement.ipsetforwardedipconfig.md b/docs/mql/resources/aws-pack/aws.waf.rule.statement.ipsetreferencestatement.ipsetforwardedipconfig.md
new file mode 100644
index 000000000..10c1d2ee0
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.statement.ipsetreferencestatement.ipsetforwardedipconfig.md
@@ -0,0 +1,22 @@
+---
+title: aws.waf.rule.statement.ipsetreferencestatement.ipsetforwardedipconfig
+id: aws.waf.rule.statement.ipsetreferencestatement.ipsetforwardedipconfig
+sidebar_label: aws.waf.rule.statement.ipsetreferencestatement.ipsetforwardedipconfig
+displayed_sidebar: MQL
+---
+
+# aws.waf.rule.statement.ipsetreferencestatement.ipsetforwardedipconfig
+
+**Supported platform**
+
+- aws
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ------ | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| headerName | string | Name of the header |
+| position | string | Position |
+| fallbackBehavior | string | Fallback behavior |
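Review bot: this file has no `description:` key in the front matter and no **Description** section, unlike the sibling statement pages in this patch, and the `position` and `fallbackBehavior` rows only repeat the field name. Add the description, and for both rows say which values the string can take and what each one means for how the address is read from `headerName`.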
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.statement.ipsetreferencestatement.md b/docs/mql/resources/aws-pack/aws.waf.rule.statement.ipsetreferencestatement.md
new file mode 100644
index 000000000..339afb390
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.statement.ipsetreferencestatement.md
@@ -0,0 +1,26 @@
+---
+title: aws.waf.rule.statement.ipsetreferencestatement
+id: aws.waf.rule.statement.ipsetreferencestatement
+sidebar_label: aws.waf.rule.statement.ipsetreferencestatement
+displayed_sidebar: MQL
+description: Rule statement that checks for requests from IP addresses defined in an IPSet
+---
+
+# aws.waf.rule.statement.ipsetreferencestatement
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Rule statement that checks for requests from IP addresses defined in an IPSet
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| arn | string | arn of the ipset |
+| ipSetForwardedIPConfig | [aws.waf.rule.statement.ipsetreferencestatement.ipsetforwardedipconfig](aws.waf.rule.statement.ipsetreferencestatement.ipsetforwardedipconfig.md) | ipSetForwardedIPConfig |
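Review bot: the `ipSetForwardedIPConfig` row uses the field name as its description; a short phrase saying what the forwarded-IP configuration is for would be more useful than the identifier repeated. The `arn` row writes "arn of the ipset" while other pages in this patch write "ARN of the ..."; capitalise it and spell IPSet as in the page description.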
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.statement.labelmatchstatement.md b/docs/mql/resources/aws-pack/aws.waf.rule.statement.labelmatchstatement.md
new file mode 100644
index 000000000..c4b3ba78d
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.statement.labelmatchstatement.md
@@ -0,0 +1,21 @@
+---
+title: aws.waf.rule.statement.labelmatchstatement
+id: aws.waf.rule.statement.labelmatchstatement
+sidebar_label: aws.waf.rule.statement.labelmatchstatement
+displayed_sidebar: MQL
+---
+
+# aws.waf.rule.statement.labelmatchstatement
+
+**Supported platform**
+
+- aws
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| key | string | Key |
+| scope | string | Scope |
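Review bot: `scope` is described only as "Scope", and `aws.waf.rulegroup` in this same patch has a `scope` field meaning REGIONAL or CLOUDFRONT, so a reader can easily assume the two are the same thing. Say what scope means for a label match and list its values; `key` needs the same treatment. The front matter also lacks a `description:` line and the page has no **Description** section.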
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.statement.managedrulegroupstatement.md b/docs/mql/resources/aws-pack/aws.waf.rule.statement.managedrulegroupstatement.md
new file mode 100644
index 000000000..5df82c893
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.statement.managedrulegroupstatement.md
@@ -0,0 +1,26 @@
+---
+title: aws.waf.rule.statement.managedrulegroupstatement
+id: aws.waf.rule.statement.managedrulegroupstatement
+sidebar_label: aws.waf.rule.statement.managedrulegroupstatement
+displayed_sidebar: MQL
+description: Rule statement that is managed by AWS
+---
+
+# aws.waf.rule.statement.managedrulegroupstatement
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Rule statement that is managed by AWS
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| name | string | Name |
+| vendorName | string | Vendor name |
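Review bot: the description "Rule statement that is managed by AWS" conflicts with the `vendorName` field in the table, which only makes sense if the managed rule group can come from more than one vendor. Reword to something like "Rule statement that references a managed rule group", and give `name` and `vendorName` descriptions that say whose name they are, e.g. "Name of the managed rule group".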
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.statement.md b/docs/mql/resources/aws-pack/aws.waf.rule.statement.md
new file mode 100644
index 000000000..18ac4d9fd
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.statement.md
@@ -0,0 +1,35 @@
+---
+title: aws.waf.rule.statement
+id: aws.waf.rule.statement
+sidebar_label: aws.waf.rule.statement
+displayed_sidebar: MQL
+---
+
+# aws.waf.rule.statement
+
+**Supported platform**
+
+- aws
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------ |
+| id | string | ID of the statement |
+| kind | string | Kind of statement, e.g., "sqliMatchStatement" |
+| json | dict | Entire statement as JSON |
+| sqliMatchStatement | [aws.waf.rule.statement.sqlimatchstatement](aws.waf.rule.statement.sqlimatchstatement.md) | Statement that detects SQL injection attacks |
+| xssMatchStatement | [aws.waf.rule.statement.xssmatchstatement](aws.waf.rule.statement.xssmatchstatement.md) | Statement that detects XSS attacks |
+| byteMatchStatement | [aws.waf.rule.statement.bytematchstatement](aws.waf.rule.statement.bytematchstatement.md) | Statement that matches certain bytes |
+| regexMatchStatement | [aws.waf.rule.statement.regexmatchstatement](aws.waf.rule.statement.regexmatchstatement.md) | Statement that matches a regex pattern |
+| geoMatchStatement | [aws.waf.rule.statement.geomatchstatement](aws.waf.rule.statement.geomatchstatement.md) | Statement that matches requests from certain countries |
+| ipSetReferenceStatement | [aws.waf.rule.statement.ipsetreferencestatement](aws.waf.rule.statement.ipsetreferencestatement.md) | Statement that matches requests from certain ips defined in an IPSet |
+| labelMatchStatement | [aws.waf.rule.statement.labelmatchstatement](aws.waf.rule.statement.labelmatchstatement.md) | Statement that matches requests with certain labels |
+| managedRuleGroupStatement | [aws.waf.rule.statement.managedrulegroupstatement](aws.waf.rule.statement.managedrulegroupstatement.md) | Statement managed by AWS |
+| notStatement | [aws.waf.rule.statement.notstatement](aws.waf.rule.statement.notstatement.md) | Statement that matches if the conditions are not met |
+| orStatement | [aws.waf.rule.statement.orstatement](aws.waf.rule.statement.orstatement.md) | Statement that matches if one or many sub-statements match |
+| andStatement | [aws.waf.rule.statement.andstatement](aws.waf.rule.statement.andstatement.md) | Statement that matches if all sub-statements match |
+| rateBasedStatement | [aws.waf.rule.statement.ratebasedstatement](aws.waf.rule.statement.ratebasedstatement.md) | Statement that matches if a request comes in at a certain rate (rate limiting) |
+| regexPatternSetReferenceStatement | [aws.waf.rule.statement.regexpatternsetreferencestatement](aws.waf.rule.statement.regexpatternsetreferencestatement.md) | Statement that matches a regex pattern defined in a regex pattern set |
+| ruleGroupReferenceStatement | [aws.waf.rule.statement.rulegroupreferencestatement](aws.waf.rule.statement.rulegroupreferencestatement.md) | Statement that refers to the rules in a rule group |
+| sizeConstraintStatement | [aws.waf.rule.statement.sizeconstraintstatement](aws.waf.rule.statement.sizeconstraintstatement.md) | Statement that matches the size of the request |
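Review bot: the front matter has no `description:` line and the page has no **Description** section, although this is the parent resource that the statement pages are reached from. In the table, the `ipSetReferenceStatement` row says "certain ips"; write "IP addresses" as the ipsetreferencestatement page does. Is only the field named by `kind` populated for a given statement? If so, say it above the table, since every typed row is otherwise presented as if always available.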
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.statement.notstatement.md b/docs/mql/resources/aws-pack/aws.waf.rule.statement.notstatement.md
new file mode 100644
index 000000000..90c18de63
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.statement.notstatement.md
@@ -0,0 +1,25 @@
+---
+title: aws.waf.rule.statement.notstatement
+id: aws.waf.rule.statement.notstatement
+sidebar_label: aws.waf.rule.statement.notstatement
+displayed_sidebar: MQL
+description: Rule statement that negates another rule statement
+---
+
+# aws.waf.rule.statement.notstatement
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Rule statement that negates another rule statement
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | --------------------------------------------------- | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| statement | [aws.waf.rule.statement](aws.waf.rule.statement.md) | Sub-statement (will be negated) |
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.statement.orstatement.md b/docs/mql/resources/aws-pack/aws.waf.rule.statement.orstatement.md
new file mode 100644
index 000000000..edd0ca5c5
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.statement.orstatement.md
@@ -0,0 +1,25 @@
+---
+title: aws.waf.rule.statement.orstatement
+id: aws.waf.rule.statement.orstatement
+sidebar_label: aws.waf.rule.statement.orstatement
+displayed_sidebar: MQL
+description: Rule statement that matches if one of the rule statements inside it matches
+---
+
+# aws.waf.rule.statement.orstatement
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Rule statement that matches if one of the rule statements inside it matches
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------------------------------------------------------------- | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| statements | [][aws.waf.rule.statement](aws.waf.rule.statement.md) | Sub-statements |
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.statement.ratebasedstatement.md b/docs/mql/resources/aws-pack/aws.waf.rule.statement.ratebasedstatement.md
new file mode 100644
index 000000000..c8a6e053e
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.statement.ratebasedstatement.md
@@ -0,0 +1,17 @@
+---
+title: aws.waf.rule.statement.ratebasedstatement
+id: aws.waf.rule.statement.ratebasedstatement
+sidebar_label: aws.waf.rule.statement.ratebasedstatement
+displayed_sidebar: MQL
+description: Rule statement that matches at a certain rate of requests (rate limiting)
+---
+
+# aws.waf.rule.statement.ratebasedstatement
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Rule statement that matches at a certain rate of requests (rate limiting)
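Review bot: the page ends after the description with no **Fields** section, so it does not even list `ruleName` and `statementID`, which every other statement page in this patch has. `aws.waf.rule.statement` links here from its `rateBasedStatement` row, so a reader following that link finds nothing to query. Either add the fields table or state that the resource exposes no fields yet.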
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.statement.regexmatchstatement.md b/docs/mql/resources/aws-pack/aws.waf.rule.statement.regexmatchstatement.md
new file mode 100644
index 000000000..908da36dd
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.statement.regexmatchstatement.md
@@ -0,0 +1,26 @@
+---
+title: aws.waf.rule.statement.regexmatchstatement
+id: aws.waf.rule.statement.regexmatchstatement
+sidebar_label: aws.waf.rule.statement.regexmatchstatement
+displayed_sidebar: MQL
+description: Rule statement that matches a specified regex pattern
+---
+
+# aws.waf.rule.statement.regexmatchstatement
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Rule statement that matches a specified regex pattern
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | --------------------------------------------------------- | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| fieldToMatch | [aws.waf.rule.fieldtomatch](aws.waf.rule.fieldtomatch.md) | Field to match |
+| regexString | string | Regex pattern to match |
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.statement.regexpatternsetreferencestatement.md b/docs/mql/resources/aws-pack/aws.waf.rule.statement.regexpatternsetreferencestatement.md
new file mode 100644
index 000000000..1d165e7cf
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.statement.regexpatternsetreferencestatement.md
@@ -0,0 +1,26 @@
+---
+title: aws.waf.rule.statement.regexpatternsetreferencestatement
+id: aws.waf.rule.statement.regexpatternsetreferencestatement
+sidebar_label: aws.waf.rule.statement.regexpatternsetreferencestatement
+displayed_sidebar: MQL
+description: Rule statement that checks for a regex pattern defined in a regex pattern set
+---
+
+# aws.waf.rule.statement.regexpatternsetreferencestatement
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Rule statement that checks for a regex pattern defined in a regex pattern set
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | --------------------------------------------------------- | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| arn | string | ARN of the regex pattern set |
+| fieldToMatch | [aws.waf.rule.fieldtomatch](aws.waf.rule.fieldtomatch.md) | Field that is matched |
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.statement.rulegroupreferencestatement.md b/docs/mql/resources/aws-pack/aws.waf.rule.statement.rulegroupreferencestatement.md
new file mode 100644
index 000000000..b0a59bc2f
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.statement.rulegroupreferencestatement.md
@@ -0,0 +1,26 @@
+---
+title: aws.waf.rule.statement.rulegroupreferencestatement
+id: aws.waf.rule.statement.rulegroupreferencestatement
+sidebar_label: aws.waf.rule.statement.rulegroupreferencestatement
+displayed_sidebar: MQL
+description: Rule statement that refers to a group of rules
+---
+
+# aws.waf.rule.statement.rulegroupreferencestatement
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Rule statement that refers to a group of rules
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ---------------- | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| arn | string | ARN of the rule group |
+| excludeRules | []string | List of rules to exclude |
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.statement.sizeconstraintstatement.md b/docs/mql/resources/aws-pack/aws.waf.rule.statement.sizeconstraintstatement.md
new file mode 100644
index 000000000..af050197e
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.statement.sizeconstraintstatement.md
@@ -0,0 +1,27 @@
+---
+title: aws.waf.rule.statement.sizeconstraintstatement
+id: aws.waf.rule.statement.sizeconstraintstatement
+sidebar_label: aws.waf.rule.statement.sizeconstraintstatement
+displayed_sidebar: MQL
+description: Rule statement that checks the size of the specified field
+---
+
+# aws.waf.rule.statement.sizeconstraintstatement
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Rule statement that checks the size of the specified field
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | --------------------------------------------------------- | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| size | int | The size that triggers this statement |
+| comparisonOperator | string | How to compare the size |
+| fieldToMatch | [aws.waf.rule.fieldtomatch](aws.waf.rule.fieldtomatch.md) | Field to match |
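Review bot: the `size` row gives no unit, and `comparisonOperator` ("How to compare the size") does not list its values, so a reader cannot tell what a given size and operator pair means. Add the unit to `size` and the accepted operator strings to `comparisonOperator`.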
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.statement.sqlimatchstatement.md b/docs/mql/resources/aws-pack/aws.waf.rule.statement.sqlimatchstatement.md
new file mode 100644
index 000000000..e13c7f436
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.statement.sqlimatchstatement.md
@@ -0,0 +1,26 @@
+---
+title: aws.waf.rule.statement.sqlimatchstatement
+id: aws.waf.rule.statement.sqlimatchstatement
+sidebar_label: aws.waf.rule.statement.sqlimatchstatement
+displayed_sidebar: MQL
+description: Statement that matches SQLI attacks
+---
+
+# aws.waf.rule.statement.sqlimatchstatement
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Statement that matches SQLI attacks
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | --------------------------------------------------------- | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| fieldToMatch | [aws.waf.rule.fieldtomatch](aws.waf.rule.fieldtomatch.md) | Field to match |
+| sensitivityLevel | string | How aggressive the statement matches |
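Review bot: on the `sensitivityLevel` row, "How aggressive the statement matches" should read "How aggressively the statement matches", and the row should list the level strings so a query can assert on them. The description writes "SQLI" where the aws.waf.rule.statement page writes "SQL injection"; use one spelling.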
diff --git a/docs/mql/resources/aws-pack/aws.waf.rule.statement.xssmatchstatement.md b/docs/mql/resources/aws-pack/aws.waf.rule.statement.xssmatchstatement.md
new file mode 100644
index 000000000..c3d7fadf9
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rule.statement.xssmatchstatement.md
@@ -0,0 +1,25 @@
+---
+title: aws.waf.rule.statement.xssmatchstatement
+id: aws.waf.rule.statement.xssmatchstatement
+sidebar_label: aws.waf.rule.statement.xssmatchstatement
+displayed_sidebar: MQL
+description: Statement that matches XSS attacks
+---
+
+# aws.waf.rule.statement.xssmatchstatement
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Statement that matches XSS attacks
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | --------------------------------------------------------- | ------------------------------------------ |
+| ruleName | string | Name of the rule this statement belongs to |
+| statementID | string | ID of the statement |
+| fieldToMatch | [aws.waf.rule.fieldtomatch](aws.waf.rule.fieldtomatch.md) | Field to match |
diff --git a/docs/mql/resources/aws-pack/aws.waf.rulegroup.md b/docs/mql/resources/aws-pack/aws.waf.rulegroup.md
new file mode 100644
index 000000000..d942b894c
--- /dev/null
+++ b/docs/mql/resources/aws-pack/aws.waf.rulegroup.md
@@ -0,0 +1,28 @@
+---
+title: aws.waf.rulegroup
+id: aws.waf.rulegroup
+sidebar_label: aws.waf.rulegroup
+displayed_sidebar: MQL
+description: Amazon WAF v2 RuleGroup
+---
+
+# aws.waf.rulegroup
+
+**Supported platform**
+
+- aws
+
+**Description**
+
+Amazon WAF v2 RuleGroup
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ----------------------------------------- | ----------------------------------- |
+| arn | string | ARN of the rulegroup |
+| id | string | ID of the rulegroup |
+| name | string | Name of the rulegroup |
+| description | string | Description of the rulegroup |
+| rules | [][aws.waf.rule](aws.waf.rule.md) | List of waf rules |
+| scope | string | Scope either REGIONAL or CLOUDFRONT |
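Review bot: naming is inconsistent within the table and with the other pages: "rulegroup" here versus "RuleGroup" in the description and "rule group" on the rulegroupreferencestatement page, and "waf rules" in lower case. The `scope` row, "Scope either REGIONAL or CLOUDFRONT", needs a colon or a verb ("Scope: either REGIONAL or CLOUDFRONT"). The description says "Amazon WAF v2" while aws.waf.rule says "Amazon WAF"; say whether the v2 qualifier applies to both.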
diff --git a/docs/mql/resources/azure-pack/README.md b/docs/mql/resources/azure-pack/README.md
new file mode 100644
index 000000000..d06732562
--- /dev/null
+++ b/docs/mql/resources/azure-pack/README.md
@@ -0,0 +1,111 @@
+---
+title: Azure Resource Pack - MQL Resources
+id: azure.pack
+sidebar_label: Azure Resource Pack
+displayed_sidebar: MQL
+description: The Azure resource pack lets you use MQL to query and assess the security of your Azure cloud services.
+---
+
+# Mondoo Azure Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- |
+| [azure](azure.md) | Azure resource |
+| [azure.subscription](azure.subscription.md) | Azure subscription |
+| [azure.subscription.advisorService](azure.subscription.advisorservice.md) | Azure Advisor |
+| [azure.subscription.advisorService.recommendation](azure.subscription.advisorservice.recommendation.md) | Azure Advisor recommendation |
+| [azure.subscription.advisorService.score](azure.subscription.advisorservice.score.md) | Azure Advisor score |
+| [azure.subscription.advisorService.securityScore](azure.subscription.advisorservice.securityscore.md) | Azure Advisor security score |
+| [azure.subscription.advisorService.timeSeries](azure.subscription.advisorservice.timeseries.md) | Azure Advisor time series |
+| [azure.subscription.aksService](azure.subscription.aksservice.md) | Azure Kubernetes Service |
+| [azure.subscription.aksService.cluster](azure.subscription.aksservice.cluster.md) | Azure Kubernetes Service cluster |
+| [azure.subscription.authorizationService](azure.subscription.authorizationservice.md) | Azure authorization |
+| [azure.subscription.authorizationService.roleDefinition](azure.subscription.authorizationservice.roledefinition.md) | Azure role definition |
+| [azure.subscription.authorizationService.roleDefinition.permission](azure.subscription.authorizationservice.roledefinition.permission.md) | Azure role definition permission |
+| [azure.subscription.cloudDefenderService](azure.subscription.clouddefenderservice.md) | Microsoft Defender for Cloud |
+| [azure.subscription.cloudDefenderService.securityContact](azure.subscription.clouddefenderservice.securitycontact.md) | Microsoft Defender for Cloud security contact |
+| [azure.subscription.computeService](azure.subscription.computeservice.md) | Azure compute |
+| [azure.subscription.computeService.disk](azure.subscription.computeservice.disk.md) | Azure disk resource |
+| [azure.subscription.computeService.vm](azure.subscription.computeservice.vm.md) | Azure compute virtual machine |
+| [azure.subscription.cosmosDbService](azure.subscription.cosmosdbservice.md) | Azure Cosmos DB |
+| [azure.subscription.cosmosDbService.account](azure.subscription.cosmosdbservice.account.md) | Azure Cosmos DB account |
+| [azure.subscription.keyVaultService](azure.subscription.keyvaultservice.md) | Azure Key Vault |
+| [azure.subscription.keyVaultService.certificate](azure.subscription.keyvaultservice.certificate.md) | Azure Key Vault certificate |
+| [azure.subscription.keyVaultService.key](azure.subscription.keyvaultservice.key.md) | Azure Key Vault key |
+| [azure.subscription.keyVaultService.secret](azure.subscription.keyvaultservice.secret.md) | Azure Key Vault secret |
+| [azure.subscription.keyVaultService.vault](azure.subscription.keyvaultservice.vault.md) | Azure Key Vault vault |
+| [azure.subscription.mariaDbService](azure.subscription.mariadbservice.md) | Azure Database for MariaDB |
+| [azure.subscription.mariaDbService.database](azure.subscription.mariadbservice.database.md) | Azure Database for MariaDB database |
+| [azure.subscription.mariaDbService.server](azure.subscription.mariadbservice.server.md) | Azure Database for MariaDB server |
+| [azure.subscription.monitorService](azure.subscription.monitorservice.md) | Azure Monitor |
+| [azure.subscription.monitorService.activityLog](azure.subscription.monitorservice.activitylog.md) | Azure Monitor activity log |
+| [azure.subscription.monitorService.activityLog.alert](azure.subscription.monitorservice.activitylog.alert.md) | Azure Monitor activity log alert |
+| [azure.subscription.monitorService.applicationInsight](azure.subscription.monitorservice.applicationinsight.md) | Azure Monitor application insights |
+| [azure.subscription.monitorService.diagnosticsetting](azure.subscription.monitorservice.diagnosticsetting.md) | Azure Monitor diagnostic setting |
+| [azure.subscription.monitorService.logprofile](azure.subscription.monitorservice.logprofile.md) | Azure Monitor log profile |
+| [azure.subscription.mySqlService](azure.subscription.mysqlservice.md) | Azure Database for MySQL |
+| [azure.subscription.mySqlService.database](azure.subscription.mysqlservice.database.md) | Azure Database for MySQL database |
+| [azure.subscription.mySqlService.flexibleServer](azure.subscription.mysqlservice.flexibleserver.md) | Azure Database for MySQL flexible server |
+| [azure.subscription.mySqlService.server](azure.subscription.mysqlservice.server.md) | Azure Database for MySQL server |
+| [azure.subscription.networkService](azure.subscription.networkservice.md) | Azure network |
+| [azure.subscription.networkService.appSecurityGroup](azure.subscription.networkservice.appsecuritygroup.md) | Azure network application security group |
+| [azure.subscription.networkService.applicationFirewallPolicy](azure.subscription.networkservice.applicationfirewallpolicy.md) | Azure Application Firewall Policy (WAF) |
+| [azure.subscription.networkService.applicationGateway](azure.subscription.networkservice.applicationgateway.md) | Azure Application Gateway |
+| [azure.subscription.networkService.backendAddressPool](azure.subscription.networkservice.backendaddresspool.md) | Azure network backend address pool |
+| [azure.subscription.networkService.bastionHost](azure.subscription.networkservice.bastionhost.md) | Azure Network Bastion host |
+| [azure.subscription.networkService.bgpSettings](azure.subscription.networkservice.bgpsettings.md) | Azure network BGP settings |
+| [azure.subscription.networkService.bgpSettings.ipConfigurationBgpPeeringAddress](azure.subscription.networkservice.bgpsettings.ipconfigurationbgppeeringaddress.md) | Azure BGP settings IP configuration |
+| [azure.subscription.networkService.firewall](azure.subscription.networkservice.firewall.md) | Azure network firewall |
+| [azure.subscription.networkService.firewall.applicationRule](azure.subscription.networkservice.firewall.applicationrule.md) | Azure network firewall application rule |
+| [azure.subscription.networkService.firewall.ipConfig](azure.subscription.networkservice.firewall.ipconfig.md) | Azure network firewall IP configuration |
+| [azure.subscription.networkService.firewall.natRule](azure.subscription.networkservice.firewall.natrule.md) | Azure network firewall NAT rule |
+| [azure.subscription.networkService.firewall.networkRule](azure.subscription.networkservice.firewall.networkrule.md) | Azure network firewall network rule |
+| [azure.subscription.networkService.firewallPolicy](azure.subscription.networkservice.firewallpolicy.md) | Azure network firewall policy |
+| [azure.subscription.networkService.frontendIpConfig](azure.subscription.networkservice.frontendipconfig.md) | Azure network frontend IP configuration |
+| [azure.subscription.networkService.inboundNatPool](azure.subscription.networkservice.inboundnatpool.md) | Azure network inbound NAT pool |
+| [azure.subscription.networkService.inboundNatRule](azure.subscription.networkservice.inboundnatrule.md) | Azure network inbound NAT rule |
+| [azure.subscription.networkService.interface](azure.subscription.networkservice.interface.md) | Azure network interface |
+| [azure.subscription.networkService.ipAddress](azure.subscription.networkservice.ipaddress.md) | Azure network IP address |
+| [azure.subscription.networkService.loadBalancer](azure.subscription.networkservice.loadbalancer.md) | Azure Load Balancer |
+| [azure.subscription.networkService.loadBalancerRule](azure.subscription.networkservice.loadbalancerrule.md) | Azure Load Balancer rule |
+| [azure.subscription.networkService.natGateway](azure.subscription.networkservice.natgateway.md) | Azure network NAT gateway |
+| [azure.subscription.networkService.outboundRule](azure.subscription.networkservice.outboundrule.md) | Azure network outbound rule |
+| [azure.subscription.networkService.probe](azure.subscription.networkservice.probe.md) | Azure network probe |
+| [azure.subscription.networkService.securityGroup](azure.subscription.networkservice.securitygroup.md) | Azure network security group |
+| [azure.subscription.networkService.securityrule](azure.subscription.networkservice.securityrule.md) | Azure network security rule |
+| [azure.subscription.networkService.subnet](azure.subscription.networkservice.subnet.md) | Azure network subnet |
+| [azure.subscription.networkService.virtualNetwork](azure.subscription.networkservice.virtualnetwork.md) | Azure Virtual network (VNet) |
+| [azure.subscription.networkService.virtualNetwork.dhcpOptions](azure.subscription.networkservice.virtualnetwork.dhcpoptions.md) | Azure Virtual Network DHCP options |
+| [azure.subscription.networkService.virtualNetworkGateway](azure.subscription.networkservice.virtualnetworkgateway.md) | Azure virtual network (VNet) gateway |
+| [azure.subscription.networkService.virtualNetworkGateway.connection](azure.subscription.networkservice.virtualnetworkgateway.connection.md) | Azure Virtual Network (VNet) gateway connection |
+| [azure.subscription.networkService.virtualNetworkGateway.ipConfig](azure.subscription.networkservice.virtualnetworkgateway.ipconfig.md) | Azure Virtual Network (VNet) gateway IP configuration |
+| [azure.subscription.networkService.watcher](azure.subscription.networkservice.watcher.md) | Azure Network Watcher |
+| [azure.subscription.networkService.watcher.flowlog](azure.subscription.networkservice.watcher.flowlog.md) | Azure Network Watcher flow log |
+| [azure.subscription.postgreSqlService](azure.subscription.postgresqlservice.md) | Azure Database for PostgreSQL |
+| [azure.subscription.postgreSqlService.database](azure.subscription.postgresqlservice.database.md) | Azure Database for PostgreSQL database |
+| [azure.subscription.postgreSqlService.server](azure.subscription.postgresqlservice.server.md) | Azure Database for PostgreSQL server |
+| [azure.subscription.resource](azure.subscription.resource.md) | Azure resource |
+| [azure.subscription.resourcegroup](azure.subscription.resourcegroup.md) | Azure resource group |
+| [azure.subscription.sqlService](azure.subscription.sqlservice.md) | Azure SQL |
+| [azure.subscription.sqlService.configuration](azure.subscription.sqlservice.configuration.md) | Azure SQL configuration |
+| [azure.subscription.sqlService.database](azure.subscription.sqlservice.database.md) | Azure SQL server database |
+| [azure.subscription.sqlService.databaseusage](azure.subscription.sqlservice.databaseusage.md) | Azure SQL database usage |
+| [azure.subscription.sqlService.firewallrule](azure.subscription.sqlservice.firewallrule.md) | Azure SQL firewall rule |
+| [azure.subscription.sqlService.server](azure.subscription.sqlservice.server.md) | Azure SQL server |
+| [azure.subscription.sqlService.server.administrator](azure.subscription.sqlservice.server.administrator.md) | Azure SQL server administrator |
+| [azure.subscription.sqlService.server.vulnerabilityassessmentsettings](azure.subscription.sqlservice.server.vulnerabilityassessmentsettings.md) | Azure SQL server vulnerability assessment settings |
+| [azure.subscription.sqlService.virtualNetworkRule](azure.subscription.sqlservice.virtualnetworkrule.md) | Azure SQL virtual network rule |
+| [azure.subscription.storageService](azure.subscription.storageservice.md) | Azure Storage |
+| [azure.subscription.storageService.account](azure.subscription.storageservice.account.md) | Azure Storage account |
+| [azure.subscription.storageService.account.container](azure.subscription.storageservice.account.container.md) | Azure Storage container |
+| [azure.subscription.storageService.account.dataProtection](azure.subscription.storageservice.account.dataprotection.md) | Azure Storage account data protection |
+| [azure.subscription.storageService.account.service.properties](azure.subscription.storageservice.account.service.properties.md) | Azure Storage account service properties |
+| [azure.subscription.storageService.account.service.properties.logging](azure.subscription.storageservice.account.service.properties.logging.md) | Azure Storage account service properties logging |
+| [azure.subscription.storageService.account.service.properties.metrics](azure.subscription.storageservice.account.service.properties.metrics.md) | Azure Storage account service properties metrics |
+| [azure.subscription.storageService.account.service.properties.retentionPolicy](azure.subscription.storageservice.account.service.properties.retentionpolicy.md) | Azure Storage account service properties retention policy |
+| [azure.subscription.webService](azure.subscription.webservice.md) | Azure Web |
+| [azure.subscription.webService.appsite](azure.subscription.webservice.appsite.md) | Azure Web app site |
+| [azure.subscription.webService.appsiteauthsettings](azure.subscription.webservice.appsiteauthsettings.md) | Azure AppSite authentication settings |
+| [azure.subscription.webService.appsiteconfig](azure.subscription.webservice.appsiteconfig.md) | Azure AppSite config |
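Review bot: The description column spells the same product three ways in the virtualNetwork rows: "Azure Virtual network (VNet)", "Azure virtual network (VNet) gateway" and "Azure Virtual Network (VNet) gateway connection". Pick one form and apply it to all five virtualNetwork* rows. The bastionHost row reads "Azure Network Bastion host", where the other rows in this block use lowercase "network" as a qualifier ("Azure network firewall", "Azure network subnet"), so align that one too.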
diff --git a/docs/mql/resources/azure-pack/azure.md b/docs/mql/resources/azure-pack/azure.md
new file mode 100644
index 000000000..f0441fbd6
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.md
@@ -0,0 +1,17 @@
+---
+title: azure
+id: azure
+sidebar_label: azure
+displayed_sidebar: MQL
+description: Azure resource
+---
+
+# azure
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure resource
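Review bot: The front-matter description and the Description section for the top-level `azure` resource are both just "Azure resource", which is the same string the index table gives for `azure.subscription.resource`. Since this page lists no fields, a reader learns nothing from it. Suggest a description that identifies it as the root of the Azure resource pack and a pointer to the azure.subscription.* resources.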
diff --git a/docs/mql/resources/azure-pack/azure.subscription.advisorservice.md b/docs/mql/resources/azure-pack/azure.subscription.advisorservice.md
new file mode 100644
index 000000000..1c960918a
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.advisorservice.md
@@ -0,0 +1,28 @@
+---
+title: azure.subscription.advisorService
+id: azure.subscription.advisorService
+sidebar_label: azure.subscription.advisorService
+displayed_sidebar: MQL
+description: Azure Advisor
+---
+
+# azure.subscription.advisorService
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Advisor
+
+Use the `azure.subscription.advisorService` resource to retrieve scoring and recommendations from Microsoft Azure Advisor.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------------------------------------------------------------------------------------------------------- | ------------------------------------------ |
+| subscriptionId | string | Subscription identifier |
+| recommendations | [][azure.subscription.advisorService.recommendation](azure.subscription.advisorservice.recommendation.md) | List of all recommendations by the advisor |
+| scores | [][azure.subscription.advisorService.score](azure.subscription.advisorservice.score.md) | List of scores by categories |
+| averageScore | float | Average advisory score |
diff --git a/docs/mql/resources/azure-pack/azure.subscription.advisorservice.recommendation.md b/docs/mql/resources/azure-pack/azure.subscription.advisorservice.recommendation.md
new file mode 100644
index 000000000..a43dae1d8
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.advisorservice.recommendation.md
@@ -0,0 +1,33 @@
+---
+title: azure.subscription.advisorService.recommendation
+id: azure.subscription.advisorService.recommendation
+sidebar_label: azure.subscription.advisorService.recommendation
+displayed_sidebar: MQL
+description: Azure Advisor recommendation
+---
+
+# azure.subscription.advisorService.recommendation
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Advisor recommendation
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | ------ | ----------------------------------- |
+| id | string | Recommendation ID |
+| name | string | Recommendation name |
+| type | string | Recommendation resource type |
+| category | string | Recommendation category |
+| risk | string | Recommendation risk |
+| impact | string | Recommendation risk |
+| description | string | Recommendation description |
+| remediation | string | Recommendation remediation |
+| impactedResourceType | string | The impacted resource category type |
+| impactedResource | string | The impacted resource |
+| properties | dict | Recommendation properties |
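Review bot: The `impact` row carries the description "Recommendation risk", which is a copy of the `risk` row above it. It should read "Recommendation impact" (or better, say how impact differs from risk), otherwise anyone writing a query that filters Advisor recommendations cannot tell the two fields apart from the docs.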
diff --git a/docs/mql/resources/azure-pack/azure.subscription.advisorservice.score.md b/docs/mql/resources/azure-pack/azure.subscription.advisorservice.score.md
new file mode 100644
index 000000000..28bc7bf4a
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.advisorservice.score.md
@@ -0,0 +1,27 @@
+---
+title: azure.subscription.advisorService.score
+id: azure.subscription.advisorService.score
+sidebar_label: azure.subscription.advisorService.score
+displayed_sidebar: MQL
+description: Azure Advisor score
+---
+
+# azure.subscription.advisorService.score
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Advisor score
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | --------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- |
+| id | string | Score identifier |
+| name | string | Score name |
+| type | string | Score type |
+| currentScore | [azure.subscription.advisorService.securityScore](azure.subscription.advisorservice.securityscore.md) | Current score for the advisor category |
+| timeSeries | [][azure.subscription.advisorService.timeSeries](azure.subscription.advisorservice.timeseries.md) | List of time series, containing previous scores for the category |
diff --git a/docs/mql/resources/azure-pack/azure.subscription.advisorservice.securityscore.md b/docs/mql/resources/azure-pack/azure.subscription.advisorservice.securityscore.md
new file mode 100644
index 000000000..0ae4798ea
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.advisorservice.securityscore.md
@@ -0,0 +1,29 @@
+---
+title: azure.subscription.advisorService.securityScore
+id: azure.subscription.advisorService.securityScore
+sidebar_label: azure.subscription.advisorService.securityScore
+displayed_sidebar: MQL
+description: Azure Advisor security score
+---
+
+# azure.subscription.advisorService.securityScore
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Advisor security score
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------- | ------ | ------------------------------------------------------------------------------------------------------------------ |
+| id | string | Security score identifier |
+| score | float | Security score score |
+| date | time | The date the score was calculated |
+| potentialScoreIncrease | float | The potential percentage increase in overall score at subscription level after all recommendations are implemented |
+| impactedResourcesCount | int | The number of impacted resources |
+| categoryCount | int | The count of impacted categories |
+| consumptionUnits | float | The consumption units for the score |
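Review bot: The `score` row is described as "Security score score", which looks like a generated string that doubled the noun. Suggest "Security score value" and, if known, the range or unit, since `potentialScoreIncrease` two rows down is stated as a percentage and readers will want to know whether `score` is on the same scale.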
diff --git a/docs/mql/resources/azure-pack/azure.subscription.advisorservice.timeseries.md b/docs/mql/resources/azure-pack/azure.subscription.advisorservice.timeseries.md
new file mode 100644
index 000000000..56ae7c1d3
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.advisorservice.timeseries.md
@@ -0,0 +1,25 @@
+---
+title: azure.subscription.advisorService.timeSeries
+id: azure.subscription.advisorService.timeSeries
+sidebar_label: azure.subscription.advisorService.timeSeries
+displayed_sidebar: MQL
+description: Azure Advisor time series
+---
+
+# azure.subscription.advisorService.timeSeries
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Advisor time series
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | --------------------------------------------------------------------------------------------------------------- | ----------------------------------------- |
+| id | string | Advisor time series identifier |
+| aggregationLevel | string | The aggregation level for the time series |
+| scores | [][azure.subscription.advisorService.securityScore](azure.subscription.advisorservice.securityscore.md) | The scores in the time series |
diff --git a/docs/mql/resources/azure-pack/azure.subscription.aksservice.cluster.md b/docs/mql/resources/azure-pack/azure.subscription.aksservice.cluster.md
new file mode 100644
index 000000000..b21d5c9d8
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.aksservice.cluster.md
@@ -0,0 +1,42 @@
+---
+title: azure.subscription.aksService.cluster
+id: azure.subscription.aksService.cluster
+sidebar_label: azure.subscription.aksService.cluster
+displayed_sidebar: MQL
+description: Azure Kubernetes Service cluster
+---
+
+# azure.subscription.aksService.cluster
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Kubernetes Service cluster
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------- | ----------------- | -------------------------------------------------- |
+| id | string | ID of the AKS cluster |
+| name | string | Name of the AKS cluster |
+| location | string | Location of the AKS cluster |
+| kubernetesVersion | string | The Kubernetes version of the AKS cluster |
+| provisioningState | string | The provisioning state of the AKS cluster |
+| powerState | string | The power state of the AKS cluster |
+| tags | map[string]string | The tags of the AKS cluster |
+| nodeResourceGroup | string | The node resource group of the AKS cluster |
+| createdAt | time | Time the AKS cluster was created |
+| rbacEnabled | bool | Whether RBAC is enabled for the AKS cluster |
+| fqdn | string | The fully qualified domain name of the AKS cluster |
+| dnsPrefix | string | The DNS prefix of the AKS cluster |
+| storageProfile | dict | The storage profile of the AKS cluster |
+| workloadAutoScalerProfile | dict | The workload autoscaler profile of the AKS cluster |
+| securityProfile | dict | The security profile of the AKS cluster |
+| podIdentityProfile | dict | The pod identity profile of the AKS cluster |
+| networkProfile | dict | The network profile of the AKS cluster |
+| httpProxyConfig | dict | The HTTP proxy config of the AKS cluster |
+| addonProfiles | []dict | The add-on profiles of the AKS cluster |
+| agentPoolProfiles | []dict | The agent pool profiles of the AKS cluster |
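Review bot: The security-relevant `dict` rows (`securityProfile`, `networkProfile`, `podIdentityProfile`, `addonProfiles`) only restate the field name in the description, and this page has no References section, unlike the authorizationService and cosmosDbService pages in this same change. Without the key names, a policy author cannot write a check against these fields from the docs alone. Suggest adding a References link to the AKS documentation and, where feasible, naming the keys each dict exposes.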
diff --git a/docs/mql/resources/azure-pack/azure.subscription.aksservice.md b/docs/mql/resources/azure-pack/azure.subscription.aksservice.md
new file mode 100644
index 000000000..daafddc68
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.aksservice.md
@@ -0,0 +1,24 @@
+---
+title: azure.subscription.aksService
+id: azure.subscription.aksService
+sidebar_label: azure.subscription.aksService
+displayed_sidebar: MQL
+description: Azure Kubernetes Service
+---
+
+# azure.subscription.aksService
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Kubernetes Service
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ------------------------------------------------------------------------------------------- | ------------------------------------------------- |
+| subscriptionId | string | Subscription identifier |
+| clusters | [][azure.subscription.aksService.cluster](azure.subscription.aksservice.cluster.md) | List all the AKS clusters inside the subscription |
diff --git a/docs/mql/resources/azure-pack/azure.subscription.authorizationservice.md b/docs/mql/resources/azure-pack/azure.subscription.authorizationservice.md
new file mode 100644
index 000000000..486242e22
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.authorizationservice.md
@@ -0,0 +1,28 @@
+---
+title: azure.subscription.authorizationService
+id: azure.subscription.authorizationService
+sidebar_label: azure.subscription.authorizationService
+displayed_sidebar: MQL
+description: Azure authorization
+---
+
+# azure.subscription.authorizationService
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure authorization
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------- |
+| subscriptionId | string | Subscription identifier |
+| roleDefinitions | [][azure.subscription.authorizationService.roleDefinition](azure.subscription.authorizationservice.roledefinition.md) | Role definitions for the Azure subscription |
+
+**References**
+
+- [Azure RBAC documentation](https://learn.microsoft.com/en-us/azure/role-based-access-control/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.authorizationservice.roledefinition.md b/docs/mql/resources/azure-pack/azure.subscription.authorizationservice.roledefinition.md
new file mode 100644
index 000000000..03aea906f
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.authorizationservice.roledefinition.md
@@ -0,0 +1,32 @@
+---
+title: azure.subscription.authorizationService.roleDefinition
+id: azure.subscription.authorizationService.roleDefinition
+sidebar_label: azure.subscription.authorizationService.roleDefinition
+displayed_sidebar: MQL
+description: Azure role definition
+---
+
+# azure.subscription.authorizationService.roleDefinition
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure role definition
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- |
+| id | string | ID of the role definition |
+| description | string | Description of the role definition |
+| name | string | Name of the role definition |
+| isCustom | bool | Whether the role definition is manually created |
+| scopes | []string | Scopes for which the role definition applies |
+| permissions | [][azure.subscription.authorizationService.roleDefinition.permission](azure.subscription.authorizationservice.roledefinition.permission.md) | Permissions that are attached to the role definition |
+
+**References**
+
+- [Azure RBAC documentation](https://learn.microsoft.com/en-us/azure/role-based-access-control/)
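Review bot: The `isCustom` description "Whether the role definition is manually created" is vaguer than the field name. Azure RBAC distinguishes built-in roles from custom roles, so "Whether the role is a custom role rather than a built-in role" would match the terminology in the linked RBAC documentation. In the `scopes` row, "Scopes for which the role definition applies" should read "Scopes to which the role definition applies".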
diff --git a/docs/mql/resources/azure-pack/azure.subscription.authorizationservice.roledefinition.permission.md b/docs/mql/resources/azure-pack/azure.subscription.authorizationservice.roledefinition.permission.md
new file mode 100644
index 000000000..063a1c250
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.authorizationservice.roledefinition.permission.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.authorizationService.roleDefinition.permission
+id: azure.subscription.authorizationService.roleDefinition.permission
+sidebar_label: azure.subscription.authorizationService.roleDefinition.permission
+displayed_sidebar: MQL
+description: Azure role definition permission
+---
+
+# azure.subscription.authorizationService.roleDefinition.permission
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure role definition permission
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | ---------------- | ---------------------------------------------------------------- |
+| id | string | ID of the permission |
+| allowedActions | []string | List of allowed actions that are attached to the permission |
+| deniedActions | []string | List of denied actions that are attached to the permission |
+| allowedDataActions | []string | List of allowed data actions that are attached to the permission |
+| deniedDataActions | []string | List of denied data actions that are attached to the permission |
+
+**References**
+
+- [Azure RBAC documentation](https://learn.microsoft.com/en-us/azure/role-based-access-control/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.clouddefenderservice.md b/docs/mql/resources/azure-pack/azure.subscription.clouddefenderservice.md
new file mode 100644
index 000000000..3263f1257
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.clouddefenderservice.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.cloudDefenderService
+id: azure.subscription.cloudDefenderService
+sidebar_label: azure.subscription.cloudDefenderService
+displayed_sidebar: MQL
+description: Microsoft Defender for Cloud
+---
+
+# azure.subscription.cloudDefenderService
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Microsoft Defender for Cloud
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
+| subscriptionId | string | Subscription identifier |
+| monitoringAgentAutoProvision | bool | Whether the monitoring agent is automatically provisioned on new VMs |
+| defenderForServers | dict | List of Defender for Server components and whether they are enabled |
+| defenderForContainers | dict | List of Defender for Container components and whether they are enabled |
+| securityContacts | [][azure.subscription.cloudDefenderService.securityContact](azure.subscription.clouddefenderservice.securitycontact.md) | List of configured security contacts |
+
+**References**
+
+- [Microsoft Defender for Cloud Apps overview](https://learn.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps)
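Review bot: The References link points at Microsoft Defender for Cloud Apps (`/defender-cloud-apps/what-is-defender-for-cloud-apps`), which is a different product from the Microsoft Defender for Cloud that this resource describes. The fields here (`defenderForServers`, `defenderForContainers`, `monitoringAgentAutoProvision`) belong to Defender for Cloud, whose documentation lives under https://learn.microsoft.com/en-us/azure/defender-for-cloud/. Separately, `defenderForServers` and `defenderForContainers` are typed `dict` but described as "List of ... components"; "Map of component name to enabled state" or similar would match the type.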
diff --git a/docs/mql/resources/azure-pack/azure.subscription.clouddefenderservice.securitycontact.md b/docs/mql/resources/azure-pack/azure.subscription.clouddefenderservice.securitycontact.md
new file mode 100644
index 000000000..02df019a4
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.clouddefenderservice.securitycontact.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.cloudDefenderService.securityContact
+id: azure.subscription.cloudDefenderService.securityContact
+sidebar_label: azure.subscription.cloudDefenderService.securityContact
+displayed_sidebar: MQL
+description: Microsoft Defender for Cloud security contact
+---
+
+# azure.subscription.cloudDefenderService.securityContact
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Microsoft Defender for Cloud security contact
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------- | ---------------- | ----------------------------------- |
+| id | string | ID of the security contact |
+| name | string | Name of the security contact |
+| emails | []string | Emails that receive security alerts |
+| alertNotifications | dict | Alerts notification settings |
+| notificationsByRole | dict | Notifications by role settings |
+
+**References**
+
+- [Microsoft Defender for Cloud Apps overview](https://learn.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps)
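Review bot: The References link on this page also targets Microsoft Defender for Cloud Apps rather than Microsoft Defender for Cloud, the product whose security contacts this resource models. Point it at the Defender for Cloud documentation instead. In the `alertNotifications` row, "Alerts notification settings" should read "Alert notification settings".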
diff --git a/docs/mql/resources/azure-pack/azure.subscription.computeservice.disk.md b/docs/mql/resources/azure-pack/azure.subscription.computeservice.disk.md
new file mode 100644
index 000000000..9e32daf6c
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.computeservice.disk.md
@@ -0,0 +1,32 @@
+---
+title: azure.subscription.computeService.disk
+id: azure.subscription.computeService.disk
+sidebar_label: azure.subscription.computeService.disk
+displayed_sidebar: MQL
+description: Azure disk resource
+---
+
+# azure.subscription.computeService.disk
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure disk resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ----------------- | ------------------------------------------------------------------------------- |
+| id | string | Disk resource ID |
+| name | string | Disk resource name |
+| location | string | Disk resource location |
+| tags | map[string]string | Disk resource tags |
+| type | string | Disk resource type |
+| managedBy | string | A relative URI containing the ID of the VM that has the disk attached |
+| managedByExtended | []string | List of relative URIs containing the IDs of the VMs that have the disk attached |
+| zones | []string | The logical zone list for disk |
+| sku | dict | The disk SKU name and tier |
+| properties | dict | Disk resource properties |
diff --git a/docs/mql/resources/azure-pack/azure.subscription.computeservice.md b/docs/mql/resources/azure-pack/azure.subscription.computeservice.md
new file mode 100644
index 000000000..834f9065c
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.computeservice.md
@@ -0,0 +1,25 @@
+---
+title: azure.subscription.computeService
+id: azure.subscription.computeService
+sidebar_label: azure.subscription.computeService
+displayed_sidebar: MQL
+description: Azure compute
+---
+
+# azure.subscription.computeService
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure compute
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | --------------------------------------------------------------------------------------------- | ------------------------------------------ |
+| subscriptionId | string | Subscription identifier |
+| vms | [][azure.subscription.computeService.vm](azure.subscription.computeservice.vm.md) | All compute instances under a subscription |
+| disks | [][azure.subscription.computeService.disk](azure.subscription.computeservice.disk.md) | All the disks under a subscription |
diff --git a/docs/mql/resources/azure-pack/azure.subscription.computeservice.vm.md b/docs/mql/resources/azure-pack/azure.subscription.computeservice.vm.md
new file mode 100644
index 000000000..2c07e19bf
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.computeservice.vm.md
@@ -0,0 +1,39 @@
+---
+title: azure.subscription.computeService.vm
+id: azure.subscription.computeService.vm
+sidebar_label: azure.subscription.computeService.vm
+displayed_sidebar: MQL
+description: Azure compute virtual machine
+---
+
+# azure.subscription.computeService.vm
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure compute virtual machine
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ------------------------------------------------------------------------------------------------------- | ------------------------------ |
+| id | string | VM ID |
+| name | string | VM name |
+| location | string | VM location |
+| zones | []string | VM zones |
+| state | string | VM state |
+| isRunning | bool | Indicates if the VM is running |
+| tags | map[string]string | VM tags |
+| type | string | VM type |
+| properties | dict | VM properties |
+| extensions | []dict | VM extension |
+| osDisk | [azure.subscription.computeService.disk](azure.subscription.computeservice.disk.md) | VM compute disk |
+| dataDisks | [][azure.subscription.computeService.disk](azure.subscription.computeservice.disk.md) | VM compute data disk |
+| publicIpAddresses | [][azure.subscription.networkService.ipAddress](azure.subscription.networkservice.ipaddress.md) | VM public IP addresses |
+
+**References**
+
+- [Virtual machines in Azure](https://learn.microsoft.com/en-us/azure/virtual-machines/)
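Review bot: The list-typed rows `extensions` ([]dict) and `dataDisks` ([]...disk) are described in the singular ("VM extension", "VM compute data disk"), while `publicIpAddresses` on the next row is correctly plural. Suggest "VM extensions" and "VM data disks", and "VM OS disk" for `osDisk`, whose current description "VM compute disk" does not distinguish it from the data disks.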
diff --git a/docs/mql/resources/azure-pack/azure.subscription.cosmosdbservice.account.md b/docs/mql/resources/azure-pack/azure.subscription.cosmosdbservice.account.md
new file mode 100644
index 000000000..7183869d1
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.cosmosdbservice.account.md
@@ -0,0 +1,33 @@
+---
+title: azure.subscription.cosmosDbService.account
+id: azure.subscription.cosmosDbService.account
+sidebar_label: azure.subscription.cosmosDbService.account
+displayed_sidebar: MQL
+description: Azure Cosmos DB account
+---
+
+# azure.subscription.cosmosDbService.account
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Cosmos DB account
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ----------------- | ---------------------------- |
+| id | string | Cosmos DB account ID |
+| name | string | Cosmos DB account name |
+| properties | dict | Cosmos DB account properties |
+| location | string | Cosmos DB account location |
+| tags | map[string]string | Cosmos DB account tags |
+| type | string | Cosmos DB account type |
+| kind | string | Cosmos DB account kind |
+
+**References**
+
+- [Azure Cosmos DB documentation](https://learn.microsoft.com/en-us/azure/cosmos-db/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.cosmosdbservice.md b/docs/mql/resources/azure-pack/azure.subscription.cosmosdbservice.md
new file mode 100644
index 000000000..3237531a1
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.cosmosdbservice.md
@@ -0,0 +1,28 @@
+---
+title: azure.subscription.cosmosDbService
+id: azure.subscription.cosmosDbService
+sidebar_label: azure.subscription.cosmosDbService
+displayed_sidebar: MQL
+description: Azure Cosmos DB
+---
+
+# azure.subscription.cosmosDbService
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Cosmos DB
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ----------------------------------------------------------------------------------------------------- | -------------------------- |
+| subscriptionId | string | Subscription identifier |
+| accounts | [][azure.subscription.cosmosDbService.account](azure.subscription.cosmosdbservice.account.md) | List of Cosmos DB accounts |
+
+**References**
+
+- [Azure Cosmos DB documentation](https://learn.microsoft.com/en-us/azure/cosmos-db/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.keyvaultservice.certificate.md b/docs/mql/resources/azure-pack/azure.subscription.keyvaultservice.certificate.md
new file mode 100644
index 000000000..17195ba76
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.keyvaultservice.certificate.md
@@ -0,0 +1,38 @@
+---
+title: azure.subscription.keyVaultService.certificate
+id: azure.subscription.keyVaultService.certificate
+sidebar_label: azure.subscription.keyVaultService.certificate
+displayed_sidebar: MQL
+description: Azure Key Vault certificate
+---
+
+# azure.subscription.keyVaultService.certificate
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Key Vault certificate
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ------------------------------------------------------------------------------------------------------------- | ---------------------------------- |
+| id | string | Certificate ID |
+| tags | map[string]string | Certificate tags |
+| x5t | string | Certificate x5t |
+| enabled | bool | Whether the certificate is enabled |
+| notBefore | time | Certificate not before date |
+| expires | time | Certificate expiration date |
+| created | time | Certificate creation time |
+| updated | time | Certificate last update time |
+| recoveryLevel | string | Certificate recovery level |
+| certName | string | Certificate name |
+| version | string | Certificate version |
+| versions | [][azure.subscription.keyVaultService.certificate](azure.subscription.keyvaultservice.certificate.md) | List of certificate versions |
+
+**References**
+
+- [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/)
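Review bot: the `x5t` row describes the field with its own name ("Certificate x5t"), which gives a reader writing a check nothing to work with. Say that it is the certificate thumbprint and in what encoding the string is returned. The `notBefore` row ("Certificate not before date") has the same problem; the wording on the key page in this patch, "Date the key begins to be usable", is clearer and could be reused.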
diff --git a/docs/mql/resources/azure-pack/azure.subscription.keyvaultservice.key.md b/docs/mql/resources/azure-pack/azure.subscription.keyvaultservice.key.md
new file mode 100644
index 000000000..b633f560b
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.keyvaultservice.key.md
@@ -0,0 +1,38 @@
+---
+title: azure.subscription.keyVaultService.key
+id: azure.subscription.keyVaultService.key
+sidebar_label: azure.subscription.keyVaultService.key
+displayed_sidebar: MQL
+description: Azure Key Vault key
+---
+
+# azure.subscription.keyVaultService.key
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Key Vault key
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | --------------------------------------------------------------------------------------------- | -------------------------------- |
+| kid | string | Key ID |
+| tags | map[string]string | Key tags |
+| managed | bool | Whether the key is managed |
+| enabled | bool | Whether the key is enabled |
+| notBefore | time | Date the key begins to be usable |
+| expires | time | Date the key expires |
+| created | time | Key creation time |
+| updated | time | Key last update time |
+| recoveryLevel | string | Key recovery level |
+| keyName | string | Key name |
+| version | string | Key version |
+| versions | [][azure.subscription.keyVaultService.key](azure.subscription.keyvaultservice.key.md) | List of key versions |
+
+**References**
+
+- [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/)
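Review bot: the `managed` row ("Whether the key is managed") does not say managed by what, so a query result on this field cannot be interpreted from this page alone. State who or what manages the key when the value is true. It would also help to say what `expires` returns when no expiration is set, since expiry checks are an obvious use of this resource.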
diff --git a/docs/mql/resources/azure-pack/azure.subscription.keyvaultservice.md b/docs/mql/resources/azure-pack/azure.subscription.keyvaultservice.md
new file mode 100644
index 000000000..b8dc88370
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.keyvaultservice.md
@@ -0,0 +1,28 @@
+---
+title: azure.subscription.keyVaultService
+id: azure.subscription.keyVaultService
+sidebar_label: azure.subscription.keyVaultService
+displayed_sidebar: MQL
+description: Azure Key Vault
+---
+
+# azure.subscription.keyVaultService
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Key Vault
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ------------------------------------------------------------------------------------------------- | ------------------------ |
+| subscriptionId | string | Subscription identifier |
+| vaults | [][azure.subscription.keyVaultService.vault](azure.subscription.keyvaultservice.vault.md) | List of Azure key vaults |
+
+**References**
+
+- [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.keyvaultservice.secret.md b/docs/mql/resources/azure-pack/azure.subscription.keyvaultservice.secret.md
new file mode 100644
index 000000000..7245e6452
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.keyvaultservice.secret.md
@@ -0,0 +1,38 @@
+---
+title: azure.subscription.keyVaultService.secret
+id: azure.subscription.keyVaultService.secret
+sidebar_label: azure.subscription.keyVaultService.secret
+displayed_sidebar: MQL
+description: Azure Key Vault secret
+---
+
+# azure.subscription.keyVaultService.secret
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Key Vault secret
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | --------------------------------------------------------------------------------------------------- | ----------------------------------- |
+| id | string | Secret ID |
+| tags | map[string]string | Secret tags |
+| contentType | string | Secret content type |
+| managed | bool | Whether the secret is managed |
+| enabled | bool | Whether the secret is enabled |
+| notBefore | time | Date the secret begins to be usable |
+| expires | time | Secret expiration date |
+| created | time | Secret creation date |
+| updated | time | Secret last updated date |
+| secretName | string | Secret name |
+| version | string | Secret version |
+| versions | [][azure.subscription.keyVaultService.secret](azure.subscription.keyvaultservice.secret.md) | List of secret versions |
+
+**References**
+
+- [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/)
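Review bot: `created` and `updated` are typed `time` but described as dates ("Secret creation date", "Secret last updated date"), while the key and certificate pages in this same patch say "creation time" and "last update time". Align the wording across the three pages. The `managed` row has the same gap as on the key page: it does not say what manages the secret.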
diff --git a/docs/mql/resources/azure-pack/azure.subscription.keyvaultservice.vault.md b/docs/mql/resources/azure-pack/azure.subscription.keyvaultservice.vault.md
new file mode 100644
index 000000000..a02c4a933
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.keyvaultservice.vault.md
@@ -0,0 +1,38 @@
+---
+title: azure.subscription.keyVaultService.vault
+id: azure.subscription.keyVaultService.vault
+sidebar_label: azure.subscription.keyVaultService.vault
+displayed_sidebar: MQL
+description: Azure Key Vault vault
+---
+
+# azure.subscription.keyVaultService.vault
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Key Vault vault
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------ | ----------------------------------------------------------------------------------------------------------------------- | ------------------------------------------- |
+| id | string | Vault ID |
+| vaultName | string | Vault name |
+| type | string | Vault type |
+| location | string | Vault location |
+| tags | map[string]string | Vault tags |
+| vaultUri | string | Vault URL |
+| properties | dict | Vault properties |
+| rbacAuthorizationEnabled | bool | Whether RBAC access to the vault is enabled |
+| keys | [][azure.subscription.keyVaultService.key](azure.subscription.keyvaultservice.key.md) | Vault keys |
+| certificates | [][azure.subscription.keyVaultService.certificate](azure.subscription.keyvaultservice.certificate.md) | Vault certificates |
+| secrets | [][azure.subscription.keyVaultService.secret](azure.subscription.keyvaultservice.secret.md) | Vault secrets |
+| diagnosticSettings | [][azure.subscription.monitorService.diagnosticsetting](azure.subscription.monitorservice.diagnosticsetting.md) | Vault diagnostic settings |
+
+**References**
+
+- [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/)
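Review bot: the `rbacAuthorizationEnabled` row says only "Whether RBAC access to the vault is enabled" and leaves open what governs access when the value is false. This field is likely to be asserted on in policies, so describe both states. Minor: `vaultUri` is described as "Vault URL"; pick one term.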
diff --git a/docs/mql/resources/azure-pack/azure.subscription.mariadbservice.database.md b/docs/mql/resources/azure-pack/azure.subscription.mariadbservice.database.md
new file mode 100644
index 000000000..6e0a5a4c4
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.mariadbservice.database.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.mariaDbService.database
+id: azure.subscription.mariaDbService.database
+sidebar_label: azure.subscription.mariaDbService.database
+displayed_sidebar: MQL
+description: Azure Database for MariaDB database
+---
+
+# azure.subscription.mariaDbService.database
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Database for MariaDB database
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------ | ------------------------------ |
+| id | string | MariaDB database ID |
+| name | string | MariaDB database name |
+| type | string | MariaDB database type |
+| charset | string | MariaDB database character set |
+| collation | string | MariaDB database collation |
+
+**References**
+
+- [Azure Database for MariaDB documentation](https://learn.microsoft.com/en-us/azure/mariadb/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.mariadbservice.md b/docs/mql/resources/azure-pack/azure.subscription.mariadbservice.md
new file mode 100644
index 000000000..d9339785b
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.mariadbservice.md
@@ -0,0 +1,28 @@
+---
+title: azure.subscription.mariaDbService
+id: azure.subscription.mariaDbService
+sidebar_label: azure.subscription.mariaDbService
+displayed_sidebar: MQL
+description: Azure Database for MariaDB
+---
+
+# azure.subscription.mariaDbService
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Database for MariaDB
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ------------------------------------------------------------------------------------------------- | ----------------------- |
+| subscriptionId | string | Subscription identifier |
+| servers | [][azure.subscription.mariaDbService.server](azure.subscription.mariadbservice.server.md) | List of MariaDB servers |
+
+**References**
+
+- [Azure Database for MariaDB documentation](https://learn.microsoft.com/en-us/azure/mariadb/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.mariadbservice.server.md b/docs/mql/resources/azure-pack/azure.subscription.mariadbservice.server.md
new file mode 100644
index 000000000..b065e9026
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.mariadbservice.server.md
@@ -0,0 +1,35 @@
+---
+title: azure.subscription.mariaDbService.server
+id: azure.subscription.mariaDbService.server
+sidebar_label: azure.subscription.mariaDbService.server
+displayed_sidebar: MQL
+description: Azure Database for MariaDB server
+---
+
+# azure.subscription.mariaDbService.server
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Database for MariaDB server
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ------------------------------------------------------------------------------------------------------- | ----------------------------- |
+| id | string | MariaDB server ID |
+| name | string | MariaDB server name |
+| location | string | MariaDB server location |
+| tags | map[string]string | MariaDB server tags |
+| type | string | MariaDB server type |
+| properties | dict | MariaDB server properties |
+| configuration | [][azure.subscription.sqlService.configuration](azure.subscription.sqlservice.configuration.md) | MariaDB server configuration |
+| databases | [][azure.subscription.mariaDbService.database](azure.subscription.mariadbservice.database.md) | MariaDB server databases |
+| firewallRules | [][azure.subscription.sqlService.firewallrule](azure.subscription.sqlservice.firewallrule.md) | MariaDB server firewall rules |
+
+**References**
+
+- [Azure Database for MariaDB documentation](https://learn.microsoft.com/en-us/azure/mariadb/)
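Review bot: the `configuration` and `firewallRules` rows link to `azure.subscription.sqlService.*` pages, so a reader following them leaves the MariaDB section without explanation. Add a short remark that these types are shared with the SQL service. The `configuration` row is also a list described in the singular ("MariaDB server configuration").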
diff --git a/docs/mql/resources/azure-pack/azure.subscription.md b/docs/mql/resources/azure-pack/azure.subscription.md
new file mode 100644
index 000000000..5633c6ef1
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.md
@@ -0,0 +1,61 @@
+---
+title: azure.subscription
+id: azure.subscription
+sidebar_label: azure.subscription
+displayed_sidebar: MQL
+description: Azure subscription
+---
+
+# azure.subscription
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure subscription
+
+Use the `azure.subscription` resource to assess the configuration of Azure subscriptions.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------- | ------------------------------------------------------------------------------------- | --------------------------------------------- |
+| id | string | Full resource identifier of the subscription |
+| name | string | Name of the subscription |
+| subscriptionId | string | Subscription identifier |
+| tenantId | string | Subscription tenant identifier |
+| managedByTenants | []string | List of tenants that manage the subscription |
+| tags | map[string]string | Subscription tags |
+| state | string | Subscription state |
+| authorizationSource | string | Subscription authorization source |
+| subscriptionsPolicies | dict | Subscription policies |
+| resources | [][azure.subscription.resource](azure.subscription.resource.md) | All resources in a subscription |
+| resourceGroups | [][azure.subscription.resourcegroup](azure.subscription.resourcegroup.md) | Resource groups in the subscription |
+| compute | [azure.subscription.computeService](azure.subscription.computeservice.md) | Compute resources in the subscription |
+| network | [azure.subscription.networkService](azure.subscription.networkservice.md) | Network resources in the subscription |
+| storage | [azure.subscription.storageService](azure.subscription.storageservice.md) | Storage resources in the subscription |
+| web | [azure.subscription.webService](azure.subscription.webservice.md) | Web resources in the subscription |
+| sql | [azure.subscription.sqlService](azure.subscription.sqlservice.md) | SQL resources in the subscription |
+| mySql | [azure.subscription.mySqlService](azure.subscription.mysqlservice.md) | MySQL resources inside the subscription |
+| postgreSql | [azure.subscription.postgreSqlService](azure.subscription.postgresqlservice.md) | PostgreSQL resources in the subscription |
+| mariaDb | [azure.subscription.mariaDbService](azure.subscription.mariadbservice.md) | MariaDB resources in the subscription |
+| cosmosDb | [azure.subscription.cosmosDbService](azure.subscription.cosmosdbservice.md) | Cosmos DB resources in the subscription |
+| keyVault | [azure.subscription.keyVaultService](azure.subscription.keyvaultservice.md) | Azure Key Vault resources in the subscription |
+| authorization | [azure.subscription.authorizationService](azure.subscription.authorizationservice.md) | Authorization resources in the subscription |
+| monitor | [azure.subscription.monitorService](azure.subscription.monitorservice.md) | Monitor resources in the subscription |
+| cloudDefender | [azure.subscription.cloudDefenderService](azure.subscription.clouddefenderservice.md) | Cloud defender resources in the subscription |
+| aks | [azure.subscription.aksService](azure.subscription.aksservice.md) | AKS resources in the subscription |
+| advisor | [azure.subscription.advisorService](azure.subscription.advisorservice.md) | Advisor resources in the subscription |
+
+**Examples**
+
+Return the subscription ID and a list of tenants that manage the subscription
+
+```coffee
+azure.subscription {
+ subscriptionId
+ managedByTenants
+}
+```
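Review bot: the `mySql` row reads "MySQL resources inside the subscription" while every other service row in the table uses "in the subscription"; make it consistent. The sentence introducing the example ("Return the subscription ID and a list of tenants that manage the subscription") ends without a colon or period before the code fence. "Cloud defender resources" is also the only product name in the table left in lower case.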
diff --git a/docs/mql/resources/azure-pack/azure.subscription.monitorservice.activitylog.alert.md b/docs/mql/resources/azure-pack/azure.subscription.monitorservice.activitylog.alert.md
new file mode 100644
index 000000000..ccc55db1e
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.monitorservice.activitylog.alert.md
@@ -0,0 +1,35 @@
+---
+title: azure.subscription.monitorService.activityLog.alert
+id: azure.subscription.monitorService.activityLog.alert
+sidebar_label: azure.subscription.monitorService.activityLog.alert
+displayed_sidebar: MQL
+description: Azure Monitor activity log alert
+---
+
+# azure.subscription.monitorService.activityLog.alert
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Monitor activity log alert
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ----------------- | --------------------------------------------------------------- |
+| id | string | ID of the activity log alert |
+| type | string | Type of the activity log alert |
+| name | string | Name of the activity log alert |
+| description | string | Description of the activity log alert |
+| conditions | []dict | Conditions for the activity log alert, all of which must be met |
+| location | string | Location of the alert |
+| tags | map[string]string | Tags of the alert |
+| actions | []dict | Actions that activate when the conditions are met |
+| scopes | []string | List of resource IDs that must be present to trigger the alert |
+
+**References**
+
+- [Azure Database for MariaDB documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/)
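Review bot: the References link text is "Azure Database for MariaDB documentation" but the URL points at the azure-monitor docs, which looks like a copy from the MariaDB pages. Change the label to name Azure Monitor. Separately, the `scopes` description ("List of resource IDs that must be present to trigger the alert") is ambiguous about what "present" means for a resource ID and should be reworded.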
diff --git a/docs/mql/resources/azure-pack/azure.subscription.monitorservice.activitylog.md b/docs/mql/resources/azure-pack/azure.subscription.monitorservice.activitylog.md
new file mode 100644
index 000000000..57b411881
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.monitorservice.activitylog.md
@@ -0,0 +1,28 @@
+---
+title: azure.subscription.monitorService.activityLog
+id: azure.subscription.monitorService.activityLog
+sidebar_label: azure.subscription.monitorService.activityLog
+displayed_sidebar: MQL
+description: Azure Monitor activity log
+---
+
+# azure.subscription.monitorService.activityLog
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Monitor activity log
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ----------------------------------------------------------------------------------------------------------------------- | --------------------------- |
+| subscriptionId | string | Subscription identifier |
+| alerts | [][azure.subscription.monitorService.activityLog.alert](azure.subscription.monitorservice.activitylog.alert.md) | List of activity log alerts |
+
+**References**
+
+- [Azure Database for MariaDB documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/)
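Review bot: the References entry is labelled "Azure Database for MariaDB documentation" while linking to https://learn.microsoft.com/en-us/azure/azure-monitor/. The label should name Azure Monitor to match the target and the page's subject.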
diff --git a/docs/mql/resources/azure-pack/azure.subscription.monitorservice.applicationinsight.md b/docs/mql/resources/azure-pack/azure.subscription.monitorservice.applicationinsight.md
new file mode 100644
index 000000000..c643e9ffc
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.monitorservice.applicationinsight.md
@@ -0,0 +1,33 @@
+---
+title: azure.subscription.monitorService.applicationInsight
+id: azure.subscription.monitorService.applicationInsight
+sidebar_label: azure.subscription.monitorService.applicationInsight
+displayed_sidebar: MQL
+description: Azure Monitor application insights
+---
+
+# azure.subscription.monitorService.applicationInsight
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Monitor application insights
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ----------------- | ------------------------------ |
+| id | string | Application insight ID |
+| name | string | Application insight name |
+| properties | dict | Application insight properties |
+| tags | map[string]string | Application insight tags |
+| location | string | Application insight location |
+| kind | string | Application insight kind |
+| type | string | Application insight type |
+
+**References**
+
+- [Azure Database for MariaDB documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/)
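Review bot: the References label says "Azure Database for MariaDB documentation" but the link goes to the azure-monitor docs; rename the label to Azure Monitor. The `kind` and `type` rows ("Application insight kind", "Application insight type") restate the field names and would benefit from a word on how the two differ.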
diff --git a/docs/mql/resources/azure-pack/azure.subscription.monitorservice.diagnosticsetting.md b/docs/mql/resources/azure-pack/azure.subscription.monitorservice.diagnosticsetting.md
new file mode 100644
index 000000000..4fafa8cc2
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.monitorservice.diagnosticsetting.md
@@ -0,0 +1,32 @@
+---
+title: azure.subscription.monitorService.diagnosticsetting
+id: azure.subscription.monitorService.diagnosticsetting
+sidebar_label: azure.subscription.monitorService.diagnosticsetting
+displayed_sidebar: MQL
+description: Azure Monitor diagnostic setting
+---
+
+# azure.subscription.monitorService.diagnosticsetting
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Monitor diagnostic setting
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ----------------------------------------------------------------------------------------- | -------------------------------------------- |
+| id | string | Diagnostic setting ID |
+| name | string | Diagnostic setting name |
+| type | string | Diagnostic setting type |
+| properties | dict | Diagnostic setting properties |
+| storageAccountId | string | ID of the diagnostic setting storage account |
+| storageAccount | [azure.subscription.storageService.account](azure.subscription.storageservice.account.md) | Diagnostic setting storage account |
+
+**References**
+
+- [Azure Database for MariaDB documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/)
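Review bot: the References label "Azure Database for MariaDB documentation" does not match its azure-monitor URL; rename it. Also confirm the casing in the title and id: this page uses `diagnosticsetting` in lower case, while sibling resources in this patch are camel-cased (`applicationInsight`, `activityLog`). If the lower-case form is the real resource name, leave it; otherwise fix it here and in the pages that link to it.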
diff --git a/docs/mql/resources/azure-pack/azure.subscription.monitorservice.logprofile.md b/docs/mql/resources/azure-pack/azure.subscription.monitorservice.logprofile.md
new file mode 100644
index 000000000..cbbd22958
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.monitorservice.logprofile.md
@@ -0,0 +1,34 @@
+---
+title: azure.subscription.monitorService.logprofile
+id: azure.subscription.monitorService.logprofile
+sidebar_label: azure.subscription.monitorService.logprofile
+displayed_sidebar: MQL
+description: Azure Monitor log profile
+---
+
+# azure.subscription.monitorService.logprofile
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Monitor log profile
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ----------------------------------------------------------------------------------------- | ------------------------------------- |
+| id | string | Log profile ID |
+| name | string | Log profile name |
+| location | string | Log profile location |
+| type | string | Log profile type |
+| tags | map[string]string | Log profile tags |
+| properties | dict | Log profile properties |
+| storageAccountId | string | ID of the log profile storage account |
+| storageAccount | [azure.subscription.storageService.account](azure.subscription.storageservice.account.md) | Log profile storage account |
+
+**References**
+
+- [Azure Database for MariaDB documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/)
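Review bot: same mislabelled reference as the other monitor pages: the text says "Azure Database for MariaDB documentation" and the URL is the azure-monitor docs. The title and id use `logprofile` in lower case while the parent page's field is `logProfiles`; confirm which casing the resource actually has.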
diff --git a/docs/mql/resources/azure-pack/azure.subscription.monitorservice.md b/docs/mql/resources/azure-pack/azure.subscription.monitorservice.md
new file mode 100644
index 000000000..a03c1a31e
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.monitorservice.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.monitorService
+id: azure.subscription.monitorService
+sidebar_label: azure.subscription.monitorService
+displayed_sidebar: MQL
+description: Azure Monitor
+---
+
+# azure.subscription.monitorService
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Monitor
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------- | ------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
+| subscriptionId | string | Subscription identifier |
+| logProfiles | [][azure.subscription.monitorService.logprofile](azure.subscription.monitorservice.logprofile.md) | List of log profiles |
+| diagnosticSettings | [][azure.subscription.monitorService.diagnosticsetting](azure.subscription.monitorservice.diagnosticsetting.md) | List of diagnostic settings for the subscription |
+| applicationInsights | [][azure.subscription.monitorService.applicationInsight](azure.subscription.monitorservice.applicationinsight.md) | Application insights for the subscription |
+| activityLog | [azure.subscription.monitorService.activityLog](azure.subscription.monitorservice.activitylog.md) | Monitor activity log |
+
+**References**
+
+- [Azure Database for MariaDB documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/)
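Review bot: the References label on the service's top-level page also reads "Azure Database for MariaDB documentation" while linking to azure-monitor. Since all six monitor pages in this patch carry the same label, fix them together. In the table, "List of diagnostic settings for the subscription" and "Application insights for the subscription" use different patterns for two list fields; pick one.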
diff --git a/docs/mql/resources/azure-pack/azure.subscription.mysqlservice.database.md b/docs/mql/resources/azure-pack/azure.subscription.mysqlservice.database.md
new file mode 100644
index 000000000..ce2503cad
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.mysqlservice.database.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.mySqlService.database
+id: azure.subscription.mySqlService.database
+sidebar_label: azure.subscription.mySqlService.database
+displayed_sidebar: MQL
+description: Azure Database for MySQL database
+---
+
+# azure.subscription.mySqlService.database
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Database for MySQL database
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------ | ---------------------------- |
+| id | string | MySQL database ID |
+| name | string | MySQL database name |
+| type | string | MySQL database type |
+| charset | string | MySQL database character set |
+| collation | string | MySQL database collation |
+
+**References**
+
+- [Azure Database for MySQL - Flexible Server documentation](https://learn.microsoft.com/en-us/azure/mysql/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.mysqlservice.flexibleserver.md b/docs/mql/resources/azure-pack/azure.subscription.mysqlservice.flexibleserver.md
new file mode 100644
index 000000000..d52ea5d75
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.mysqlservice.flexibleserver.md
@@ -0,0 +1,35 @@
+---
+title: azure.subscription.mySqlService.flexibleServer
+id: azure.subscription.mySqlService.flexibleServer
+sidebar_label: azure.subscription.mySqlService.flexibleServer
+displayed_sidebar: MQL
+description: Azure Database for MySQL flexible server
+---
+
+# azure.subscription.mySqlService.flexibleServer
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Database for MySQL flexible server
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ------------------------------------------------------------------------------------------------------- | ------------------------------------ |
+| id | string | MySQL flexible server ID |
+| name | string | MySQL flexible server name |
+| location | string | MySQL flexible server location |
+| tags | map[string]string | MySQL flexible server tags |
+| type | string | MySQL flexible server type |
+| properties | dict | MySQL flexible server properties |
+| configuration | [][azure.subscription.sqlService.configuration](azure.subscription.sqlservice.configuration.md) | MySQL flexible server configuration |
+| databases | [][azure.subscription.mySqlService.database](azure.subscription.mysqlservice.database.md) | MySQL flexible server databases |
+| firewallRules | [][azure.subscription.sqlService.firewallrule](azure.subscription.sqlservice.firewallrule.md) | MySQL flexible server firewall rules |
+
+**References**
+
+- [Azure Database for MySQL - Flexible Server documentation](https://learn.microsoft.com/en-us/azure/mysql/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.mysqlservice.md b/docs/mql/resources/azure-pack/azure.subscription.mysqlservice.md
new file mode 100644
index 000000000..ca819e69d
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.mysqlservice.md
@@ -0,0 +1,29 @@
+---
+title: azure.subscription.mySqlService
+id: azure.subscription.mySqlService
+sidebar_label: azure.subscription.mySqlService
+displayed_sidebar: MQL
+description: Azure Database for MySQL
+---
+
+# azure.subscription.mySqlService
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Database for MySQL
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ------------------------------------------------------------------------------------------------------------- | ------------------------------ |
+| subscriptionId | string | Subscription identifier |
+| servers | [][azure.subscription.mySqlService.server](azure.subscription.mysqlservice.server.md) | List of MySQL servers |
+| flexibleServers | [][azure.subscription.mySqlService.flexibleServer](azure.subscription.mysqlservice.flexibleserver.md) | List of Flexible MySQL servers |
+
+**References**
+
+- [Azure Database for MySQL - Flexible Server documentation](https://learn.microsoft.com/en-us/azure/mysql/)
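Review bot: the `flexibleServers` row says "List of Flexible MySQL servers", while the flexible server page in this patch consistently writes "MySQL flexible server". Use the same word order and capitalization here.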
diff --git a/docs/mql/resources/azure-pack/azure.subscription.mysqlservice.server.md b/docs/mql/resources/azure-pack/azure.subscription.mysqlservice.server.md
new file mode 100644
index 000000000..17de158f6
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.mysqlservice.server.md
@@ -0,0 +1,35 @@
+---
+title: azure.subscription.mySqlService.server
+id: azure.subscription.mySqlService.server
+sidebar_label: azure.subscription.mySqlService.server
+displayed_sidebar: MQL
+description: Azure Database for MySQL server
+---
+
+# azure.subscription.mySqlService.server
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Database for MySQL server
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ------------------------------------------------------------------------------------------------------- | --------------------------- |
+| id | string | MySQL server ID |
+| name | string | MySQL server name |
+| location | string | MySQL server location |
+| tags | map[string]string | MySQL server tags |
+| type | string | MySQL server type |
+| properties | dict | MySQL server properties |
+| configuration | [][azure.subscription.sqlService.configuration](azure.subscription.sqlservice.configuration.md) | MySQL server configuration |
+| databases | [][azure.subscription.mySqlService.database](azure.subscription.mysqlservice.database.md) | MySQL server databases |
+| firewallRules | [][azure.subscription.sqlService.firewallrule](azure.subscription.sqlservice.firewallrule.md) | MySQL server firewall rules |
+
+**References**
+
+- [Azure Database for MySQL - Flexible Server documentation](https://learn.microsoft.com/en-us/azure/mysql/)
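Review bot: this page documents `mySqlService.server`, which the parent page lists separately from `flexibleServers`, yet the References label reads "Azure Database for MySQL - Flexible Server documentation". Use a label that does not name the other deployment type, for example "Azure Database for MySQL documentation", since the URL is the general /azure/mysql/ landing page.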
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.applicationfirewallpolicy.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.applicationfirewallpolicy.md
new file mode 100644
index 000000000..e8a69d34a
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.applicationfirewallpolicy.md
@@ -0,0 +1,34 @@
+---
+title: azure.subscription.networkService.applicationFirewallPolicy
+id: azure.subscription.networkService.applicationFirewallPolicy
+sidebar_label: azure.subscription.networkService.applicationFirewallPolicy
+displayed_sidebar: MQL
+description: Azure Application Firewall Policy (WAF)
+---
+
+# azure.subscription.networkService.applicationFirewallPolicy
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Application Firewall Policy (WAF)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- |
+| id | string | Application firewall policy ID |
+| name | string | Application firewall policy name |
+| location | string | Application firewall policy location |
+| tags | map[string]string | Application firewall policy tags |
+| type | string | Application firewall policy resource type |
+| etag | string | Application firewall policy etag |
+| properties | dict | Application firewall policy properties |
+| gateways | [][azure.subscription.networkService.applicationGateway](azure.subscription.networkservice.applicationgateway.md) | List of associated application gateways |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
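Review bot: the References section links only to the generic Virtual Network documentation, although the resource is described as "Azure Application Firewall Policy (WAF)". A link to the Web Application Firewall documentation would be more useful here. The `properties` row is typed only as `dict` with no hint of its keys, so a sentence naming the settings a reader can query there would help anyone writing checks against WAF policies.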
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.applicationgateway.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.applicationgateway.md
new file mode 100644
index 000000000..ff8337ab8
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.applicationgateway.md
@@ -0,0 +1,34 @@
+---
+title: azure.subscription.networkService.applicationGateway
+id: azure.subscription.networkService.applicationGateway
+sidebar_label: azure.subscription.networkService.applicationGateway
+displayed_sidebar: MQL
+description: Azure Application Gateway
+---
+
+# azure.subscription.networkService.applicationGateway
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Application Gateway
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ----------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------- |
+| id | string | Application Gateway ID |
+| name | string | Application Gateway name |
+| location | string | Application Gateway location |
+| tags | map[string]string | Application Gateway tags |
+| type | string | Application Gateway resource type |
+| etag | string | Application Gateway etag |
+| properties | dict | Application Gateway properties |
+| policy | [azure.subscription.networkService.applicationFirewallPolicy](azure.subscription.networkservice.applicationfirewallpolicy.md) | Gets the attached application firewall policy |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
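Review bot: the `policy` row description, "Gets the attached application firewall policy", is phrased as a verb, while every other row in this table is a noun phrase. Suggest "Attached application firewall policy (WAF)". As on the firewall policy page, the References link points at the generic Virtual Network documentation rather than anything specific to Application Gateway.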
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.appsecuritygroup.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.appsecuritygroup.md
new file mode 100644
index 000000000..480db3bd6
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.appsecuritygroup.md
@@ -0,0 +1,33 @@
+---
+title: azure.subscription.networkService.appSecurityGroup
+id: azure.subscription.networkService.appSecurityGroup
+sidebar_label: azure.subscription.networkService.appSecurityGroup
+displayed_sidebar: MQL
+description: Azure network application security group
+---
+
+# azure.subscription.networkService.appSecurityGroup
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network application security group
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ----------------- | ------------------------------------- |
+| id | string | Application security group ID |
+| name | string | Application security group name |
+| location | string | Application security group location |
+| tags | map[string]string | Application security group tags |
+| type | string | Application security group type |
+| etag | string | Application security group etag |
+| properties | dict | Application security group properties |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.backendaddresspool.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.backendaddresspool.md
new file mode 100644
index 000000000..4eeda9ef2
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.backendaddresspool.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.networkService.backendAddressPool
+id: azure.subscription.networkService.backendAddressPool
+sidebar_label: azure.subscription.networkService.backendAddressPool
+displayed_sidebar: MQL
+description: Azure network backend address pool
+---
+
+# azure.subscription.networkService.backendAddressPool
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network backend address pool
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | ------------------------------- |
+| id | string | Backend Address Pool ID |
+| name | string | Backend Address Pool name |
+| type | string | Backend Address Pool type |
+| etag | string | Backend Address Pool etag |
+| properties | dict | Backend Address Pool properties |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.bastionhost.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.bastionhost.md
new file mode 100644
index 000000000..bd42621ad
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.bastionhost.md
@@ -0,0 +1,33 @@
+---
+title: azure.subscription.networkService.bastionHost
+id: azure.subscription.networkService.bastionHost
+sidebar_label: azure.subscription.networkService.bastionHost
+displayed_sidebar: MQL
+description: Azure Network Bastion host
+---
+
+# azure.subscription.networkService.bastionHost
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Network Bastion host
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ----------------- | ----------------------- |
+| id | string | Bastion Host ID |
+| name | string | Bastion Host name |
+| location | string | Bastion Host location |
+| tags | map[string]string | Bastion Host tags |
+| type | string | Bastion Host type |
+| properties | dict | Bastion host properties |
+| sku | dict | Bastion host SKU |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
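Review bot: capitalization is inconsistent within the Fields table. The `id` through `type` rows use "Bastion Host", while the `properties` and `sku` rows and the page description use "Bastion host". Pick one form and apply it to all seven rows.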
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.bgpsettings.ipconfigurationbgppeeringaddress.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.bgpsettings.ipconfigurationbgppeeringaddress.md
new file mode 100644
index 000000000..166d52304
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.bgpsettings.ipconfigurationbgppeeringaddress.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.networkService.bgpSettings.ipConfigurationBgpPeeringAddress
+id: azure.subscription.networkService.bgpSettings.ipConfigurationBgpPeeringAddress
+sidebar_label: azure.subscription.networkService.bgpSettings.ipConfigurationBgpPeeringAddress
+displayed_sidebar: MQL
+description: Azure BGP settings IP configuration
+---
+
+# azure.subscription.networkService.bgpSettings.ipConfigurationBgpPeeringAddress
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure BGP settings IP configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------- | ---------------- | ------------------------------------------------------------ |
+| id | string | BGP Settings IP Configuration ID |
+| customBgpIpAddresses | []string | BGP Settings IP Configuration custom BGP IP addresses |
+| ipConfigurationId | string | BGP Settings IP Configuration ID |
+| defaultBgpIpAddresses | []string | BGP Settings IP Configuration default BGP IP addresses |
+| tunnelIpAddresses | []string | BGP Settings IP Configuration tunnel public BGP IP addresses |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
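Review bot: the `id` and `ipConfigurationId` rows carry the identical description "BGP Settings IP Configuration ID", so a reader cannot tell which identifier each field returns. Please differentiate them, for example by stating which one is the resource's own ID and which one refers to the IP configuration. Also, `tunnelIpAddresses` is described as "tunnel public BGP IP addresses" while the field name does not say public; confirm which is accurate.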
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.bgpsettings.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.bgpsettings.md
new file mode 100644
index 000000000..b006fca7c
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.bgpsettings.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.networkService.bgpSettings
+id: azure.subscription.networkService.bgpSettings
+sidebar_label: azure.subscription.networkService.bgpSettings
+displayed_sidebar: MQL
+description: Azure network BGP settings
+---
+
+# azure.subscription.networkService.bgpSettings
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network BGP settings
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------- |
+| id | string | BGP Settings ID |
+| asn | int | BGP Settings speaker ASN |
+| bgpPeeringAddress | string | The BGP peering address and BGP identifier of this BGP speaker |
+| peerWeight | int | The weight added to routes learned from this BGP speaker |
+| bgpPeeringAddressesConfig | [][azure.subscription.networkService.bgpSettings.ipConfigurationBgpPeeringAddress](azure.subscription.networkservice.bgpsettings.ipconfigurationbgppeeringaddress.md) | The BGP peering addresses with IP configuration |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.firewall.applicationrule.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.firewall.applicationrule.md
new file mode 100644
index 000000000..be82ab083
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.firewall.applicationrule.md
@@ -0,0 +1,30 @@
+---
+title: azure.subscription.networkService.firewall.applicationRule
+id: azure.subscription.networkService.firewall.applicationRule
+sidebar_label: azure.subscription.networkService.firewall.applicationRule
+displayed_sidebar: MQL
+description: Azure network firewall application rule
+---
+
+# azure.subscription.networkService.firewall.applicationRule
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network firewall application rule
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | ------------------------------------ |
+| id | string | Firewall application rule ID |
+| name | string | Firewall application rule name |
+| etag | string | Firewall application rule etag |
+| properties | dict | Firewall application rule properties |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.firewall.ipconfig.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.firewall.ipconfig.md
new file mode 100644
index 000000000..a29c4820a
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.firewall.ipconfig.md
@@ -0,0 +1,33 @@
+---
+title: azure.subscription.networkService.firewall.ipConfig
+id: azure.subscription.networkService.firewall.ipConfig
+sidebar_label: azure.subscription.networkService.firewall.ipConfig
+displayed_sidebar: MQL
+description: Azure network firewall IP configuration
+---
+
+# azure.subscription.networkService.firewall.ipConfig
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network firewall IP configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | --------------------------------------------------------------------------------------------- | ------------------------------------------------------- |
+| id | string | Firewall IP configuration ID |
+| name | string | Firewall IP configuration name |
+| etag | string | Firewall IP configuration etag |
+| privateIpAddress | string | Firewall IP configuration private IP address |
+| properties | dict | Firewall IP configuration properties |
+| publicIpAddress | [azure.subscription.networkService.ipAddress](azure.subscription.networkservice.ipaddress.md) | Public IP address associated with this IP configuration |
+| subnet | [azure.subscription.networkService.subnet](azure.subscription.networkservice.subnet.md) | Subnet associated with this IP configuration |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.firewall.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.firewall.md
new file mode 100644
index 000000000..43fdac321
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.firewall.md
@@ -0,0 +1,39 @@
+---
+title: azure.subscription.networkService.firewall
+id: azure.subscription.networkService.firewall
+sidebar_label: azure.subscription.networkService.firewall
+displayed_sidebar: MQL
+description: Azure network firewall
+---
+
+# azure.subscription.networkService.firewall
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network firewall
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
+| id | string | Firewall ID |
+| name | string | Firewall name |
+| location | string | Firewall location |
+| tags | map[string]string | Firewall tags |
+| type | string | Firewall type |
+| etag | string | Firewall etag |
+| properties | dict | Firewall properties |
+| provisioningState | string | Firewall provisioning state |
+| skuName | string | Firewall SKU name |
+| skuTier | string | Firewall SKU tier |
+| threatIntelMode | string | Firewall threat intel mode |
+| policy | [azure.subscription.networkService.firewallPolicy](azure.subscription.networkservice.firewallpolicy.md) | Policy associated with this firewall |
+| ipConfigurations | [][azure.subscription.networkService.firewall.ipConfig](azure.subscription.networkservice.firewall.ipconfig.md) | List of IP configurations for the firewall |
+| managementIpConfiguration | [azure.subscription.networkService.firewall.ipConfig](azure.subscription.networkservice.firewall.ipconfig.md) | The IP configuration used for management traffic |
+| networkRules | [][azure.subscription.networkService.firewall.networkRule](azure.subscription.networkservice.firewall.networkrule.md) | List of network rules for the firewall |
+| natRules | [][azure.subscription.networkService.firewall.natRule](azure.subscription.networkservice.firewall.natrule.md) | List of NAT rules for the firewall |
+| applicationRules | [][azure.subscription.networkService.firewall.applicationRule](azure.subscription.networkservice.firewall.applicationrule.md) | List of application rules for the firewall |
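Review bot: this page ends at the Fields table with no **References** section, although every sibling networkService page in this patch closes with one. Add the section for consistency, ideally linking to Azure Firewall documentation. Separately, the `threatIntelMode` row says only "Firewall threat intel mode"; listing the values the field can return would let readers write checks against it.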
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.firewall.natrule.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.firewall.natrule.md
new file mode 100644
index 000000000..ca2902e5e
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.firewall.natrule.md
@@ -0,0 +1,30 @@
+---
+title: azure.subscription.networkService.firewall.natRule
+id: azure.subscription.networkService.firewall.natRule
+sidebar_label: azure.subscription.networkService.firewall.natRule
+displayed_sidebar: MQL
+description: Azure network firewall NAT rule
+---
+
+# azure.subscription.networkService.firewall.natRule
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network firewall NAT rule
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | ---------------------------- |
+| id | string | Firewall NAT rule ID |
+| name | string | Firewall NAT rule name |
+| etag | string | Firewall NAT rule etag |
+| properties | dict | Firewall NAT rule properties |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.firewall.networkrule.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.firewall.networkrule.md
new file mode 100644
index 000000000..a3ac11cc9
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.firewall.networkrule.md
@@ -0,0 +1,30 @@
+---
+title: azure.subscription.networkService.firewall.networkRule
+id: azure.subscription.networkService.firewall.networkRule
+sidebar_label: azure.subscription.networkService.firewall.networkRule
+displayed_sidebar: MQL
+description: Azure network firewall network rule
+---
+
+# azure.subscription.networkService.firewall.networkRule
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network firewall network rule
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | -------------------------------- |
+| id | string | Firewall network rule ID |
+| name | string | Firewall network rule name |
+| etag | string | Firewall network rule etag |
+| properties | dict | Firewall network rule properties |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.firewallpolicy.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.firewallpolicy.md
new file mode 100644
index 000000000..e13bb1134
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.firewallpolicy.md
@@ -0,0 +1,37 @@
+---
+title: azure.subscription.networkService.firewallPolicy
+id: azure.subscription.networkService.firewallPolicy
+sidebar_label: azure.subscription.networkService.firewallPolicy
+displayed_sidebar: MQL
+description: Azure network firewall policy
+---
+
+# azure.subscription.networkService.firewallPolicy
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network firewall policy
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ----------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- |
+| id | string | Firewall policy ID |
+| name | string | Firewall policy name |
+| location | string | Firewall policy location |
+| tags | map[string]string | Firewall policy tags |
+| type | string | Firewall policy type |
+| etag | string | Firewall policy etag |
+| properties | dict | Firewall policy properties |
+| provisioningState | string | Firewall policy provisioning state |
+| basePolicy | [azure.subscription.networkService.firewallPolicy](azure.subscription.networkservice.firewallpolicy.md) | The parent firewall policy from which rules are inherited |
+| childPolicies | [][azure.subscription.networkService.firewallPolicy](azure.subscription.networkservice.firewallpolicy.md) | List of child policies this policy is associated with |
+| firewalls | [][azure.subscription.networkService.firewall](azure.subscription.networkservice.firewall.md) | List of firewalls the policy is associated with |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.frontendipconfig.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.frontendipconfig.md
new file mode 100644
index 000000000..c013a1114
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.frontendipconfig.md
@@ -0,0 +1,32 @@
+---
+title: azure.subscription.networkService.frontendIpConfig
+id: azure.subscription.networkService.frontendIpConfig
+sidebar_label: azure.subscription.networkService.frontendIpConfig
+displayed_sidebar: MQL
+description: Azure network frontend IP configuration
+---
+
+# azure.subscription.networkService.frontendIpConfig
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network frontend IP configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ---------------- | ------------------------------------ |
+| id | string | Frontend IP Configuration ID |
+| name | string | Frontend IP Configuration name |
+| type | string | Frontend IP Configuration type |
+| etag | string | Frontend IP Configuration etag |
+| properties | dict | Frontend IP Configuration properties |
+| zones | []string | Frontend IP Configuration zones |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.inboundnatpool.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.inboundnatpool.md
new file mode 100644
index 000000000..21a63e05c
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.inboundnatpool.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.networkService.inboundNatPool
+id: azure.subscription.networkService.inboundNatPool
+sidebar_label: azure.subscription.networkService.inboundNatPool
+displayed_sidebar: MQL
+description: Azure network inbound NAT pool
+---
+
+# azure.subscription.networkService.inboundNatPool
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network inbound NAT pool
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | --------------------------- |
+| id | string | Inbound NAT Pool ID |
+| name | string | Inbound NAT Pool name |
+| type | string | Inbound NAT Pool type |
+| etag | string | Inbound NAT Pool etag |
+| properties | dict | Inbound NAT Pool properties |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.inboundnatrule.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.inboundnatrule.md
new file mode 100644
index 000000000..41e2fb517
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.inboundnatrule.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.networkService.inboundNatRule
+id: azure.subscription.networkService.inboundNatRule
+sidebar_label: azure.subscription.networkService.inboundNatRule
+displayed_sidebar: MQL
+description: Azure network inbound NAT rule
+---
+
+# azure.subscription.networkService.inboundNatRule
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network inbound NAT rule
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | --------------------------- |
+| id | string | Inbound NAT Rule ID |
+| name | string | Inbound NAT Rule name |
+| type | string | Inbound NAT Rule type |
+| etag | string | Inbound NAT Rule etag |
+| properties | dict | Inbound NAT Rule properties |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.interface.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.interface.md
new file mode 100644
index 000000000..af5b72c33
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.interface.md
@@ -0,0 +1,34 @@
+---
+title: azure.subscription.networkService.interface
+id: azure.subscription.networkService.interface
+sidebar_label: azure.subscription.networkService.interface
+displayed_sidebar: MQL
+description: Azure network interface
+---
+
+# azure.subscription.networkService.interface
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network interface
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------------------------------------------------------------------------------- | ---------------------------- |
+| id | string | Network interface ID |
+| name | string | Network interface name |
+| location | string | Network interface name |
+| tags | map[string]string | Network interface tags |
+| type | string | Network interface type |
+| etag | string | Network interface etag |
+| properties | dict | Network interface properties |
+| vm | [azure.subscription.computeService.vm](azure.subscription.computeservice.vm.md) | Network interface compute vm |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
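Review bot: in the Fields table the `location` row is described as "Network interface name", duplicating the `name` row above it. It should read "Network interface location". The `vm` row's "Network interface compute vm" could also be reworded, with "VM" capitalized.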
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.ipaddress.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.ipaddress.md
new file mode 100644
index 000000000..bfc1f9959
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.ipaddress.md
@@ -0,0 +1,32 @@
+---
+title: azure.subscription.networkService.ipAddress
+id: azure.subscription.networkService.ipAddress
+sidebar_label: azure.subscription.networkService.ipAddress
+displayed_sidebar: MQL
+description: Azure network IP address
+---
+
+# azure.subscription.networkService.ipAddress
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network IP address
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ----------------- | ------------------- |
+| id | string | IP address ID |
+| name | string | IP address name |
+| location | string | IP address location |
+| tags | map[string]string | IP address tags |
+| ipAddress | string | IP address |
+| type | string | IP address type |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.loadbalancer.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.loadbalancer.md
new file mode 100644
index 000000000..8193368c7
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.loadbalancer.md
@@ -0,0 +1,41 @@
+---
+title: azure.subscription.networkService.loadBalancer
+id: azure.subscription.networkService.loadBalancer
+sidebar_label: azure.subscription.networkService.loadBalancer
+displayed_sidebar: MQL
+description: Azure Load Balancer
+---
+
+# azure.subscription.networkService.loadBalancer
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Load Balancer
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
+| id | string | Load Balancer ID |
+| name | string | Load Balancer name |
+| location | string | Load Balancer location |
+| tags | map[string]string | Load Balancer tags |
+| type | string | Load Balancer type |
+| properties | dict | Load Balancer properties |
+| etag | string | Load Balancer etag |
+| sku | string | Load Balancer SKU |
+| probes | [][azure.subscription.networkService.probe](azure.subscription.networkservice.probe.md) | List of Load Balancer probes |
+| backendPools | [][azure.subscription.networkService.backendAddressPool](azure.subscription.networkservice.backendaddresspool.md) | List of Load Balancer backend address pools |
+| frontendIpConfigs | [][azure.subscription.networkService.frontendIpConfig](azure.subscription.networkservice.frontendipconfig.md) | List of Load Balancer frontend IP configurations |
+| inboundNatPools | [][azure.subscription.networkService.inboundNatPool](azure.subscription.networkservice.inboundnatpool.md) | List of Load Balancer inbound NAT pools |
+| inboundNatRules | [][azure.subscription.networkService.inboundNatRule](azure.subscription.networkservice.inboundnatrule.md) | List of Load Balancer inbound NAT rules |
+| outboundRules | [][azure.subscription.networkService.outboundRule](azure.subscription.networkservice.outboundrule.md) | List of Load Balancer outbound rules |
+| loadBalancerRules | [][azure.subscription.networkService.loadBalancerRule](azure.subscription.networkservice.loadbalancerrule.md) | List of Load Balancer rules |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.loadbalancerrule.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.loadbalancerrule.md
new file mode 100644
index 000000000..cf6d0435b
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.loadbalancerrule.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.networkService.loadBalancerRule
+id: azure.subscription.networkService.loadBalancerRule
+sidebar_label: azure.subscription.networkService.loadBalancerRule
+displayed_sidebar: MQL
+description: Azure Load Balancer rule
+---
+
+# azure.subscription.networkService.loadBalancerRule
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Load Balancer rule
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | ----------------------------- |
+| id | string | Load Balancer rule ID |
+| name | string | Load Balancer rule name |
+| type | string | Load Balancer rule type |
+| etag | string | Load Balancer rule etag |
+| properties | dict | Load Balancer rule properties |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.md
new file mode 100644
index 000000000..33f7796a5
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.md
@@ -0,0 +1,41 @@
+---
+title: azure.subscription.networkService
+id: azure.subscription.networkService
+sidebar_label: azure.subscription.networkService
+displayed_sidebar: MQL
+description: Azure network
+---
+
+# azure.subscription.networkService
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- |
+| subscriptionId | string | Subscription identifier |
+| interfaces | [][azure.subscription.networkService.interface](azure.subscription.networkservice.interface.md) | List of network interfaces |
+| securityGroups | [][azure.subscription.networkService.securityGroup](azure.subscription.networkservice.securitygroup.md) | List of network security groups |
+| watchers | [][azure.subscription.networkService.watcher](azure.subscription.networkservice.watcher.md) | List of network watchers |
+| publicIpAddresses | [][azure.subscription.networkService.ipAddress](azure.subscription.networkservice.ipaddress.md) | List of public IP addresses |
+| bastionHosts | [][azure.subscription.networkService.bastionHost](azure.subscription.networkservice.bastionhost.md) | List of Bastion hosts |
+| loadBalancers | [][azure.subscription.networkService.loadBalancer](azure.subscription.networkservice.loadbalancer.md) | List of load balancers |
+| natGateways | [][azure.subscription.networkService.natGateway](azure.subscription.networkservice.natgateway.md) | List of NAT gateways |
+| virtualNetworks | [][azure.subscription.networkService.virtualNetwork](azure.subscription.networkservice.virtualnetwork.md) | List of virtual networks |
+| virtualNetworkGateways | [][azure.subscription.networkService.virtualNetworkGateway](azure.subscription.networkservice.virtualnetworkgateway.md) | List of virtual network gateways |
+| firewalls | [][azure.subscription.networkService.firewall](azure.subscription.networkservice.firewall.md) | List of network firewalls |
+| firewallPolicies | [][azure.subscription.networkService.firewallPolicy](azure.subscription.networkservice.firewallpolicy.md) | List of firewall policies |
+| applicationSecurityGroups | [][azure.subscription.networkService.appSecurityGroup](azure.subscription.networkservice.appsecuritygroup.md) | List of application security groups |
+| applicationGateways | [][azure.subscription.networkService.applicationGateway](azure.subscription.networkservice.applicationgateway.md) | List of application gateways |
+| applicationFirewallPolicies | [][azure.subscription.networkService.applicationFirewallPolicy](azure.subscription.networkservice.applicationfirewallpolicy.md) | List of application firewall policies |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.natgateway.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.natgateway.md
new file mode 100644
index 000000000..05a99a0b7
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.natgateway.md
@@ -0,0 +1,36 @@
+---
+title: azure.subscription.networkService.natGateway
+id: azure.subscription.networkService.natGateway
+sidebar_label: azure.subscription.networkService.natGateway
+displayed_sidebar: MQL
+description: Azure network NAT gateway
+---
+
+# azure.subscription.networkService.natGateway
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network NAT gateway
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------- |
+| id | string | NAT Gateway ID |
+| name | string | NAT Gateway name |
+| location | string | NAT Gateway location |
+| tags | map[string]string | NAT Gateway tags |
+| type | string | NAT Gateway type |
+| etag | string | NAT Gateway etag |
+| properties | dict | NAT Gateway properties |
+| zones | []string | NAT Gateway availability zones |
+| publicIpAddresses | [][azure.subscription.networkService.ipAddress](azure.subscription.networkservice.ipaddress.md) | List of public IP addresses the NAT Gateway is associated with |
+| subnets | [][azure.subscription.networkService.subnet](azure.subscription.networkservice.subnet.md) | List of subnets the NAT Gateway is associated with |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.outboundrule.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.outboundrule.md
new file mode 100644
index 000000000..77dda5822
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.outboundrule.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.networkService.outboundRule
+id: azure.subscription.networkService.outboundRule
+sidebar_label: azure.subscription.networkService.outboundRule
+displayed_sidebar: MQL
+description: Azure network outbound rule
+---
+
+# azure.subscription.networkService.outboundRule
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network outbound rule
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | ------------------------ |
+| id | string | Outbound rule ID |
+| name | string | Outbound rule name |
+| type | string | Outbound rule type |
+| etag | string | Outbound rule etag |
+| properties | dict | Outbound rule properties |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.probe.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.probe.md
new file mode 100644
index 000000000..19e56cdd0
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.probe.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.networkService.probe
+id: azure.subscription.networkService.probe
+sidebar_label: azure.subscription.networkService.probe
+displayed_sidebar: MQL
+description: Azure network probe
+---
+
+# azure.subscription.networkService.probe
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network probe
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | ---------------- |
+| id | string | Probe ID |
+| name | string | Probe name |
+| type | string | Probe type |
+| etag | string | Probe etag |
+| properties | dict | Probe properties |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.securitygroup.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.securitygroup.md
new file mode 100644
index 000000000..65f327b3c
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.securitygroup.md
@@ -0,0 +1,36 @@
+---
+title: azure.subscription.networkService.securityGroup
+id: azure.subscription.networkService.securityGroup
+sidebar_label: azure.subscription.networkService.securityGroup
+displayed_sidebar: MQL
+description: Azure network security group
+---
+
+# azure.subscription.networkService.securityGroup
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network security group
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | ------------------------------------------------------------------------------------------------------------- | ------------------------------------- |
+| id | string | Security group ID |
+| name | string | Security group name |
+| location | string | Security group location |
+| tags | map[string]string | Security group tags |
+| type | string | Security group type |
+| etag | string | Security group etag |
+| properties | dict | Security group properties |
+| interfaces | [][azure.subscription.networkService.interface](azure.subscription.networkservice.interface.md) | Security group interfaces |
+| securityRules | [][azure.subscription.networkService.securityrule](azure.subscription.networkservice.securityrule.md) | Security group rules |
+| defaultSecurityRules | [][azure.subscription.networkService.securityrule](azure.subscription.networkservice.securityrule.md) | Security group default security rules |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.securityrule.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.securityrule.md
new file mode 100644
index 000000000..584d10d9b
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.securityrule.md
@@ -0,0 +1,32 @@
+---
+title: azure.subscription.networkService.securityrule
+id: azure.subscription.networkService.securityrule
+sidebar_label: azure.subscription.networkService.securityrule
+displayed_sidebar: MQL
+description: Azure network security rule
+---
+
+# azure.subscription.networkService.securityrule
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network security rule
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | -------------- | --------------------------------------------- |
+| id | string | Security rule ID |
+| name | string | Security rule name |
+| etag | string | Security rule etag |
+| properties | dict | Security rule properties |
+| destinationPortRange | []dict | Security rule destination port range |
+| direction | string | Security rule direction (outbound or inbound) |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
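Review bot: The `destinationPortRange` row in the Fields table is typed `[]dict`, but its description is singular and does not say which keys each dict carries, so a reader writing a port check has to guess. Please describe the dict's keys in that row. The table also exposes only `direction` and `destinationPortRange` as typed fields; if the remaining rule attributes are reachable only through `properties`, say so in the `properties` description.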
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.subnet.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.subnet.md
new file mode 100644
index 000000000..8b7a66d60
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.subnet.md
@@ -0,0 +1,34 @@
+---
+title: azure.subscription.networkService.subnet
+id: azure.subscription.networkService.subnet
+sidebar_label: azure.subscription.networkService.subnet
+displayed_sidebar: MQL
+description: Azure network subnet
+---
+
+# azure.subscription.networkService.subnet
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure network subnet
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
+| id | string | Subnet ID |
+| name | string | Subnet name |
+| type | string | Subnet type |
+| etag | string | Subnet etag |
+| addressPrefix | string | Subnet address prefix |
+| properties | dict | Subnet properties |
+| natGateway | [azure.subscription.networkService.natGateway](azure.subscription.networkservice.natgateway.md) | The NAT gateway this subnet is associated with, if any |
+| ipConfigurations | [][azure.subscription.networkService.virtualNetworkGateway.ipConfig](azure.subscription.networkservice.virtualnetworkgateway.ipconfig.md) | List of IP configurations for the subnet |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
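Review bot: The `ipConfigurations` row links the subnet's IP configurations to `azure.subscription.networkService.virtualNetworkGateway.ipConfig`, a gateway-scoped resource, while the description says "List of IP configurations for the subnet". Please confirm that this type is intended here. If it is, a short clause in the description explaining that the gateway ipConfig resource is reused for subnets would prevent confusion.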
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.virtualnetwork.dhcpoptions.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.virtualnetwork.dhcpoptions.md
new file mode 100644
index 000000000..956243387
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.virtualnetwork.dhcpoptions.md
@@ -0,0 +1,24 @@
+---
+title: azure.subscription.networkService.virtualNetwork.dhcpOptions
+id: azure.subscription.networkService.virtualNetwork.dhcpOptions
+sidebar_label: azure.subscription.networkService.virtualNetwork.dhcpOptions
+displayed_sidebar: MQL
+description: Azure Virtual Network DHCP options
+---
+
+# azure.subscription.networkService.virtualNetwork.dhcpOptions
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Virtual Network DHCP options
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ---------------- | -------------------------------------------- |
+| id | string | DHCP options ID |
+| dnsServers | []string | The DNS servers, used by the virtual network |
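Review bot: This page ends at the Fields table and has no **References** section, unlike the sibling networkService pages in this patch, which all link to the Virtual Network documentation. Please add the section for consistency. In the `dnsServers` row, the comma in "The DNS servers, used by the virtual network" should be dropped.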
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.virtualnetwork.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.virtualnetwork.md
new file mode 100644
index 000000000..8056bcbda
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.virtualnetwork.md
@@ -0,0 +1,37 @@
+---
+title: azure.subscription.networkService.virtualNetwork
+id: azure.subscription.networkService.virtualNetwork
+sidebar_label: azure.subscription.networkService.virtualNetwork
+displayed_sidebar: MQL
+description: Azure Virtual network (VNet)
+---
+
+# azure.subscription.networkService.virtualNetwork
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Virtual network (VNet)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | ------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
+| id | string | Virtual Network ID |
+| name | string | Virtual Network name |
+| location | string | Virtual Network location |
+| tags | map[string]string | Virtual Network tags |
+| type | string | Virtual Network type |
+| etag | string | Virtual Network etag |
+| properties | dict | Virtual Network properties |
+| subnets | [][azure.subscription.networkService.subnet](azure.subscription.networkservice.subnet.md) | List of subnets within the virtual network |
+| dhcpOptions | [azure.subscription.networkService.virtualNetwork.dhcpOptions](azure.subscription.networkservice.virtualnetwork.dhcpoptions.md) | Virtual Network DHCP options |
+| enableDdosProtection | bool | Indicates if DDoS protection is enabled for all the protected resources in the virtual network. |
+| enableVmProtection | bool | Indicates if VM protection is enabled for all the subnets in the virtual network |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
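Review bot: Capitalisation is inconsistent in the front matter and Description: "Azure Virtual network (VNet)" here, "Azure Virtual Network DHCP options" on the dhcpOptions page, and "Virtual Network" throughout this page's own table. Please pick one form. The `enableDdosProtection` description is also the only row ending in a period; drop it to match `enableVmProtection` and the other rows.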
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.virtualnetworkgateway.connection.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.virtualnetworkgateway.connection.md
new file mode 100644
index 000000000..c973d110d
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.virtualnetworkgateway.connection.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.networkService.virtualNetworkGateway.connection
+id: azure.subscription.networkService.virtualNetworkGateway.connection
+sidebar_label: azure.subscription.networkService.virtualNetworkGateway.connection
+displayed_sidebar: MQL
+description: Azure Virtual Network (VNet) gateway connection
+---
+
+# azure.subscription.networkService.virtualNetworkGateway.connection
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Virtual Network (VNet) gateway connection
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | ---------------------------------- |
+| id | string | VNet gateway connection ID |
+| name | string | VNet gateway Connection name |
+| type | string | VNet gateway Connection type |
+| etag | string | VNet gateway Connection etag |
+| properties | dict | VNet gateway Connection properties |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
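Review bot: The Fields table mixes "VNet gateway connection ID" (lowercase "connection") with "VNet gateway Connection name/type/etag/properties" (capitalised). Please use lowercase "connection" in all five rows, matching the front-matter description "Azure Virtual Network (VNet) gateway connection".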
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.virtualnetworkgateway.ipconfig.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.virtualnetworkgateway.ipconfig.md
new file mode 100644
index 000000000..b1383a457
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.virtualnetworkgateway.ipconfig.md
@@ -0,0 +1,32 @@
+---
+title: azure.subscription.networkService.virtualNetworkGateway.ipConfig
+id: azure.subscription.networkService.virtualNetworkGateway.ipConfig
+sidebar_label: azure.subscription.networkService.virtualNetworkGateway.ipConfig
+displayed_sidebar: MQL
+description: Azure Virtual Network (VNet) gateway IP configuration
+---
+
+# azure.subscription.networkService.virtualNetworkGateway.ipConfig
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Virtual Network (VNet) gateway IP configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | --------------------------------------------------------------------------------------------- | ------------------------------------------------------------ |
+| id | string | VNet gateway IP Configuration ID |
+| name | string | VNet gateway IP Configuration name |
+| etag | string | VNet gateway IP Configuration etag |
+| privateIpAddress | string | VNet gateway IP Configuration private IP address |
+| properties | dict | VNet gateway IP Configuration properties |
+| publicIpAddress | [azure.subscription.networkService.ipAddress](azure.subscription.networkservice.ipaddress.md) | The public IP address, associated with this IP configuration |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
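Review bot: In the `publicIpAddress` row, "The public IP address, associated with this IP configuration" has a stray comma that should be removed. The other rows capitalise "IP Configuration" while this one and the page description write "IP configuration"; please use one form throughout the table.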
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.virtualnetworkgateway.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.virtualnetworkgateway.md
new file mode 100644
index 000000000..9531641f9
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.virtualnetworkgateway.md
@@ -0,0 +1,52 @@
+---
+title: azure.subscription.networkService.virtualNetworkGateway
+id: azure.subscription.networkService.virtualNetworkGateway
+sidebar_label: azure.subscription.networkService.virtualNetworkGateway
+displayed_sidebar: MQL
+description: Azure virtual network (VNet) gateway
+---
+
+# azure.subscription.networkService.virtualNetworkGateway
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure virtual network (VNet) gateway
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- |
+| id | string | VNet gateway ID |
+| name | string | VNet gateway name |
+| location | string | VNet gateway location |
+| tags | map[string]string | VNet gateway tags |
+| type | string | VNet gateway resource type |
+| etag | string | VNet gateway etag |
+| properties | dict | VNet gateway properties |
+| active | bool | Whether the virtual network gateway is active |
+| enableBgp | bool | Whether BGP is enabled for this virtual network gateway |
+| enableBgpRouteTranslationForNat | bool | Whether BGP route translation is enabled for this VNet gateway |
+| enableDNSForwarding | bool | Whether DNS forwarding is enabled for this VNet gateway |
+| enablePrivateIPAddress | bool | Whether private IP must be enabled for connections |
+| disableIPSecReplayProtection | bool | Whether IP sec replay protection is disabled for this VNet gateway |
+| provisioningState | string | VNet gateway provisioning state |
+| inboundDNSForwardingEndpoint | string | The IP address allocated by the gateway to which DNS requests can be sent |
+| skuName | string | VNet gateway SKU name |
+| skuCapacity | int | VNet gateway SKU capacity |
+| addressPrefixes | []string | A list of address blocks reserved for this virtual network in CIDR notation |
+| gatewayType | string | VNet gateway type |
+| vpnGatewayGeneration | string | VNet gateway generation |
+| vpnType | string | VNet gateway VPN type |
+| ipConfigurations | [][azure.subscription.networkService.virtualNetworkGateway.ipConfig](azure.subscription.networkservice.virtualnetworkgateway.ipconfig.md) | VNet gateway IP configurations |
+| bgpSettings | [azure.subscription.networkService.bgpSettings](azure.subscription.networkservice.bgpsettings.md) | VNet gateway BGP settings |
+| natRules | []azure.subscription.networkService.virtualNetworkGateway.natRule | VNet gateway NAT rules |
+| connections | [][azure.subscription.networkService.virtualNetworkGateway.connection](azure.subscription.networkservice.virtualnetworkgateway.connection.md) | Applicable connections for the gateway |
+| vpnClientConfiguration | dict | VPN client configuration (only set if P2S is configured for the gateway) |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
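Review bot: The `natRules` row gives its type as plain text, `[]azure.subscription.networkService.virtualNetworkGateway.natRule`, while every other resource type in this table is a Markdown link, and no natRule page is added in the visible part of this patch. Either add the page and link it or note that the resource is undocumented. Two wording points in the same table: `disableIPSecReplayProtection` should read "IPsec replay protection" rather than "IP sec replay protection", and the `addressPrefixes` description speaks of blocks "reserved for this virtual network" on a gateway resource, which should be reworded or confirmed.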
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.watcher.flowlog.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.watcher.flowlog.md
new file mode 100644
index 000000000..2849d259c
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.watcher.flowlog.md
@@ -0,0 +1,41 @@
+---
+title: azure.subscription.networkService.watcher.flowlog
+id: azure.subscription.networkService.watcher.flowlog
+sidebar_label: azure.subscription.networkService.watcher.flowlog
+displayed_sidebar: MQL
+description: Azure Network Watcher flow log
+---
+
+# azure.subscription.networkService.watcher.flowlog
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Network Watcher flow log
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | ----------------- | --------------------------------------------------- |
+| id | string | Network watcher flow log ID |
+| name | string | Network watcher flow log name |
+| location | string | Network watcher flow log location |
+| tags | map[string]string | Network watcher flow log tags |
+| type | string | Network watcher flow log type |
+| etag | string | Network watcher flow log etag |
+| provisioningState | string | Network watcher flow log provisioning state |
+| enabled | bool | whether the network watcher flow log is enabled |
+| storageAccountId | string | Network watcher flow log storage account identifier |
+| targetResourceId | string | Network watcher flow log target resource identifier |
+| targetResourceGuid | string | Network watcher flow log target resource guid |
+| version | int | Network watcher flow log version |
+| format | string | Network watcher flow log format |
+| retentionPolicy | dict | Network watcher flow log retention policy |
+| analytics | dict | Network watcher flow log analytics |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
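Review bot: The References link points to the Virtual Network documentation, although this page describes a Network Watcher flow log. Please link the Network Watcher documentation instead, or in addition. In the Fields table, the `enabled` description starts in lowercase ("whether ...") unlike every other row, and "guid" in the `targetResourceGuid` row should be "GUID". Since `retentionPolicy` and `analytics` are the fields a logging check would read, their descriptions should say which keys the dicts contain.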
diff --git a/docs/mql/resources/azure-pack/azure.subscription.networkservice.watcher.md b/docs/mql/resources/azure-pack/azure.subscription.networkservice.watcher.md
new file mode 100644
index 000000000..de12ad09c
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.networkservice.watcher.md
@@ -0,0 +1,35 @@
+---
+title: azure.subscription.networkService.watcher
+id: azure.subscription.networkService.watcher
+sidebar_label: azure.subscription.networkService.watcher
+displayed_sidebar: MQL
+description: Azure Network Watcher
+---
+
+# azure.subscription.networkService.watcher
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Network Watcher
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ------------------------------------------------------------------------------------------------------------------- | ---------------------------------- |
+| id | string | Network watcher ID |
+| name | string | Network watcher name |
+| location | string | Network watcher location |
+| tags | map[string]string | Network watcher tags |
+| type | string | Network watcher type |
+| etag | string | Network watcher etag |
+| properties | dict | Network watcher properties |
+| flowLogs | [][azure.subscription.networkService.watcher.flowlog](azure.subscription.networkservice.watcher.flowlog.md) | Network watcher flow logs |
+| provisioningState | string | Network watcher provisioning state |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/virtual-network/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.postgresqlservice.database.md b/docs/mql/resources/azure-pack/azure.subscription.postgresqlservice.database.md
new file mode 100644
index 000000000..95b294056
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.postgresqlservice.database.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.postgreSqlService.database
+id: azure.subscription.postgreSqlService.database
+sidebar_label: azure.subscription.postgreSqlService.database
+displayed_sidebar: MQL
+description: Azure Database for PostgreSQL database
+---
+
+# azure.subscription.postgreSqlService.database
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Database for PostgreSQL database
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------ | ----------------------------- |
+| id | string | PostgreSQL database ID |
+| name | string | PostgreSQL database name |
+| type | string | PostgreSQL database type |
+| charset | string | PostgreSQL database charset |
+| collation | string | PostgreSQL database collation |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/postgresql/)
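Review bot: The References link text says "Virtual Network documentation" but the URL is `https://learn.microsoft.com/en-us/azure/postgresql/`. This looks like a copy-paste from the networkService pages; the label should name the PostgreSQL documentation so it matches the target.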
diff --git a/docs/mql/resources/azure-pack/azure.subscription.postgresqlservice.md b/docs/mql/resources/azure-pack/azure.subscription.postgresqlservice.md
new file mode 100644
index 000000000..eadc9e01f
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.postgresqlservice.md
@@ -0,0 +1,24 @@
+---
+title: azure.subscription.postgreSqlService
+id: azure.subscription.postgreSqlService
+sidebar_label: azure.subscription.postgreSqlService
+displayed_sidebar: MQL
+description: Azure Database for PostgreSQL
+---
+
+# azure.subscription.postgreSqlService
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Database for PostgreSQL
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ------------------------------------------------------------------------------------------------------- | -------------------------- |
+| subscriptionId | string | Subscription identifier |
+| servers | [][azure.subscription.postgreSqlService.server](azure.subscription.postgresqlservice.server.md) | List of PostgreSQL servers |
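Review bot: This page stops after the Fields table with no **References** section, while the postgreSqlService.database and postgreSqlService.server pages in this patch both have one. Please add the section with the PostgreSQL documentation link for consistency.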
diff --git a/docs/mql/resources/azure-pack/azure.subscription.postgresqlservice.server.md b/docs/mql/resources/azure-pack/azure.subscription.postgresqlservice.server.md
new file mode 100644
index 000000000..0015152d3
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.postgresqlservice.server.md
@@ -0,0 +1,35 @@
+---
+title: azure.subscription.postgreSqlService.server
+id: azure.subscription.postgreSqlService.server
+sidebar_label: azure.subscription.postgreSqlService.server
+displayed_sidebar: MQL
+description: Azure Database for PostgreSQL server
+---
+
+# azure.subscription.postgreSqlService.server
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Database for PostgreSQL server
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ----------------------------------------------------------------------------------------------------------- | -------------------------------- |
+| id | string | PostgreSQL server ID |
+| name | string | PostgreSQL server name |
+| location | string | PostgreSQL server location |
+| tags | map[string]string | PostgreSQL server tags |
+| type | string | PostgreSQL server type |
+| properties | dict | PostgreSQL server properties |
+| configuration | [][azure.subscription.sqlService.configuration](azure.subscription.sqlservice.configuration.md) | PostgreSQL server configuration |
+| databases | [][azure.subscription.postgreSqlService.database](azure.subscription.postgresqlservice.database.md) | PostgreSQL server databases |
+| firewallRules | [][azure.subscription.sqlService.firewallrule](azure.subscription.sqlservice.firewallrule.md) | PostgreSQL server firewall rules |
+
+**References**
+
+- [Virtual Network documentation](https://learn.microsoft.com/en-us/azure/postgresql/)
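Review bot: The References link is labelled "Virtual Network documentation" while pointing at `https://learn.microsoft.com/en-us/azure/postgresql/`; the label needs to match the target. Separately, the `configuration` and `firewallRules` rows are typed as `azure.subscription.sqlService.configuration` and `azure.subscription.sqlService.firewallrule`. If reusing the sqlService resources for PostgreSQL is intentional, a note in the descriptions would help readers who land on "Azure SQL configuration" from a PostgreSQL page.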
diff --git a/docs/mql/resources/azure-pack/azure.subscription.resource.md b/docs/mql/resources/azure-pack/azure.subscription.resource.md
new file mode 100644
index 000000000..eccea449e
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.resource.md
@@ -0,0 +1,39 @@
+---
+title: azure.subscription.resource
+id: azure.subscription.resource
+sidebar_label: azure.subscription.resource
+displayed_sidebar: MQL
+description: Azure resource
+---
+
+# azure.subscription.resource
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ----------------- | --------------------------------------------- |
+| id | string | Resource ID |
+| name | string | Resource name |
+| kind | string | Resource kind |
+| location | string | Resource location |
+| tags | map[string]string | Resource tags |
+| type | string | Resource type |
+| managedBy | string | ID of the resource that manages this resource |
+| sku | dict | Resource SKU |
+| plan | dict | Resource plan |
+| identity | dict | Resource identity |
+| provisioningState | string | Resource provisioning state |
+| createdTime | time | When the resource was created |
+| changedTime | time | When the resource was last changed |
+
+**References**
+
+- [Azure Resource Manager documentation](https://learn.microsoft.com/en-us/azure/azure-resource-manager/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.resourcegroup.md b/docs/mql/resources/azure-pack/azure.subscription.resourcegroup.md
new file mode 100644
index 000000000..c9c6cc581
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.resourcegroup.md
@@ -0,0 +1,33 @@
+---
+title: azure.subscription.resourcegroup
+id: azure.subscription.resourcegroup
+sidebar_label: azure.subscription.resourcegroup
+displayed_sidebar: MQL
+description: Azure resource group
+---
+
+# azure.subscription.resourcegroup
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure resource group
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ----------------- | --------------------------------------------------- |
+| id | string | Resource group ID |
+| name | string | Resource group name |
+| location | string | Resource group location |
+| tags | map[string]string | Resource group tags |
+| type | string | Resource group type |
+| managedBy | string | ID of the resource that manages this resource group |
+| provisioningState | string | Resource group provisioning state |
+
+**References**
+
+- [Azure Resource Manager documentation](https://learn.microsoft.com/en-us/azure/azure-resource-manager/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.sqlservice.configuration.md b/docs/mql/resources/azure-pack/azure.subscription.sqlservice.configuration.md
new file mode 100644
index 000000000..1edab78c8
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.sqlservice.configuration.md
@@ -0,0 +1,35 @@
+---
+title: azure.subscription.sqlService.configuration
+id: azure.subscription.sqlService.configuration
+sidebar_label: azure.subscription.sqlService.configuration
+displayed_sidebar: MQL
+description: Azure SQL configuration
+---
+
+# azure.subscription.sqlService.configuration
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure SQL configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ------ | -------------------------------- |
+| id | string | SQL configuration ID |
+| name | string | SQL configuration name |
+| type | string | SQL configuration type |
+| value | string | SQL configuration value |
+| description | string | SQL configuration description |
+| defaultValue | string | SQL configuration default value |
+| dataType | string | SQL configuration data type |
+| allowedValues | string | SQL configuration allowed values |
+| source | string | SQL configuration source |
+
+**References**
+
+- [Azure SQL documentation](https://learn.microsoft.com/en-us/azure/azure-sql/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.sqlservice.database.md b/docs/mql/resources/azure-pack/azure.subscription.sqlservice.database.md
new file mode 100644
index 000000000..b3a4634a2
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.sqlservice.database.md
@@ -0,0 +1,55 @@
+---
+title: azure.subscription.sqlService.database
+id: azure.subscription.sqlService.database
+sidebar_label: azure.subscription.sqlService.database
+displayed_sidebar: MQL
+description: Azure SQL server database
+---
+
+# azure.subscription.sqlService.database
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure SQL server database
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------------------------- | ------------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
+| id | string | SQL database ID |
+| name | string | SQL database name |
+| type | string | SQL database type |
+| collation | string | SQL database collation |
+| creationDate | time | SQL database create date |
+| databaseId | string | Database ID |
+| earliestRestoreDate | time | SQL database earliest restore date |
+| createMode | string | SQL database create mode |
+| sourceDatabaseId | string | SQL database source database ID |
+| sourceDatabaseDeletionDate | time | SQL database deletion date |
+| restorePointInTime | time | SQL database restore point in time |
+| recoveryServicesRecoveryPointResourceId | string | SQL database recovery services recovery point ID |
+| edition | string | SQL database edition |
+| maxSizeBytes | int | SQL database maximum byte size |
+| requestedServiceObjectiveName | string | SQL database requested objective name |
+| serviceLevelObjective | string | SQL database service level objective |
+| status | string | SQL database status |
+| elasticPoolName | string | SQL database elastic pool name |
+| defaultSecondaryLocation | string | SQL database default secondary location |
+| failoverGroupId | string | SQL database failover group ID |
+| readScale | string | SQL database read scale |
+| sampleName | string | SQL database sample name |
+| zoneRedundant | bool | Whether SQL server is zone redundant |
+| transparentDataEncryption | dict | SQL database transparent data encryption |
+| advisor | []dict | SQL database advisor |
+| threatDetectionPolicy | dict | SQL database threat detection policy |
+| connectionPolicy | dict | SQL database connection policy |
+| auditingPolicy | dict | SQL database auditing policy |
+| usage | [][azure.subscription.sqlService.databaseusage](azure.subscription.sqlservice.databaseusage.md) | SQL database usage |
+
+**References**
+
+- [Azure SQL documentation](https://learn.microsoft.com/en-us/azure/azure-sql/)
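Review bot: In the Fields table, the `zoneRedundant` row describes a database field as "Whether SQL server is zone redundant". This page documents the database resource, so the description should say "SQL database" like the rest of the table. The `sourceDatabaseDeletionDate` description ("SQL database deletion date") also drops the word "source", so it reads as the deletion date of this database rather than of its source database.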
diff --git a/docs/mql/resources/azure-pack/azure.subscription.sqlservice.databaseusage.md b/docs/mql/resources/azure-pack/azure.subscription.sqlservice.databaseusage.md
new file mode 100644
index 000000000..8be957ead
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.sqlservice.databaseusage.md
@@ -0,0 +1,33 @@
+---
+title: azure.subscription.sqlService.databaseusage
+id: azure.subscription.sqlService.databaseusage
+sidebar_label: azure.subscription.sqlService.databaseusage
+displayed_sidebar: MQL
+description: Azure SQL database usage
+---
+
+# azure.subscription.sqlService.databaseusage
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure SQL database usage
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------ | ---------------------------- |
+| id | string | Database usage ID |
+| name | string | Database usage name |
+| resourceName | string | Database usage resource name |
+| displayName | string | Database usage display name |
+| currentValue | float | Database usage current value |
+| limit | float | Database usage limit |
+| unit | string | Database usage unit |
+
+**References**
+
+- [Azure SQL documentation](https://learn.microsoft.com/en-us/azure/azure-sql/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.sqlservice.firewallrule.md b/docs/mql/resources/azure-pack/azure.subscription.sqlservice.firewallrule.md
new file mode 100644
index 000000000..95687f0d2
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.sqlservice.firewallrule.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.sqlService.firewallrule
+id: azure.subscription.sqlService.firewallrule
+sidebar_label: azure.subscription.sqlService.firewallrule
+displayed_sidebar: MQL
+description: Azure SQL firewall rule
+---
+
+# azure.subscription.sqlService.firewallrule
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure SQL firewall rule
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ------ | ---------------------------------- |
+| id | string | SQL firewall rule ID |
+| name | string | SQL firewall rule name |
+| type | string | SQL firewall rule type |
+| startIpAddress | string | SQL firewall rule start IP address |
+| endIpAddress | string | SQL firewall rule end IP address |
+
+**References**
+
+- [Azure SQL documentation](https://learn.microsoft.com/en-us/azure/azure-sql/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.sqlservice.md b/docs/mql/resources/azure-pack/azure.subscription.sqlservice.md
new file mode 100644
index 000000000..8c99296cc
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.sqlservice.md
@@ -0,0 +1,28 @@
+---
+title: azure.subscription.sqlService
+id: azure.subscription.sqlService
+sidebar_label: azure.subscription.sqlService
+displayed_sidebar: MQL
+description: Azure SQL
+---
+
+# azure.subscription.sqlService
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure SQL
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ----------------------------------------------------------------------------------------- | ----------------------- |
+| subscriptionId | string | Subscription identifier |
+| servers | [][azure.subscription.sqlService.server](azure.subscription.sqlservice.server.md) | List of SQL servers |
+
+**References**
+
+- [Azure SQL documentation](https://learn.microsoft.com/en-us/azure/azure-sql/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.sqlservice.server.administrator.md b/docs/mql/resources/azure-pack/azure.subscription.sqlservice.server.administrator.md
new file mode 100644
index 000000000..a8fea1dcb
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.sqlservice.server.administrator.md
@@ -0,0 +1,33 @@
+---
+title: azure.subscription.sqlService.server.administrator
+id: azure.subscription.sqlService.server.administrator
+sidebar_label: azure.subscription.sqlService.server.administrator
+displayed_sidebar: MQL
+description: Azure SQL server administrator
+---
+
+# azure.subscription.sqlService.server.administrator
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure SQL server administrator
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ------ | --------------------------------- |
+| id | string | SQL administrator ID |
+| name | string | SQL administrator name |
+| type | string | SQL administrator type |
+| administratorType | string | SQL administrator type |
+| login | string | SQL administrator login |
+| sid | string | SQL administrator subscription ID |
+| tenantId | string | SQL administrator tenant ID |
+
+**References**
+
+- [Azure SQL documentation](https://learn.microsoft.com/en-us/azure/azure-sql/)
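Review bot: The `type` and `administratorType` rows carry the identical description "SQL administrator type", so a reader cannot tell which field to query; give each a distinct description. The `sid` row says "SQL administrator subscription ID", which does not match the field name. Please check it against the provider schema and correct the text if the field is actually the administrator's security identifier.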
diff --git a/docs/mql/resources/azure-pack/azure.subscription.sqlservice.server.md b/docs/mql/resources/azure-pack/azure.subscription.sqlservice.server.md
new file mode 100644
index 000000000..f02058b66
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.sqlservice.server.md
@@ -0,0 +1,42 @@
+---
+title: azure.subscription.sqlService.server
+id: azure.subscription.sqlService.server
+sidebar_label: azure.subscription.sqlService.server
+displayed_sidebar: MQL
+description: Azure SQL server
+---
+
+# azure.subscription.sqlService.server
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure SQL server
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------- |
+| id | string | SQL server ID |
+| name | string | SQL server name |
+| location | string | SQL server location |
+| tags | map[string]string | SQL server tags |
+| type | string | SQL server type |
+| properties | dict | SQL server properties |
+| databases | [][azure.subscription.sqlService.database](azure.subscription.sqlservice.database.md) | SQL server databases |
+| firewallRules | [][azure.subscription.sqlService.firewallrule](azure.subscription.sqlservice.firewallrule.md) | SQL server firewall rules |
+| azureAdAdministrators | [][azure.subscription.sqlService.server.administrator](azure.subscription.sqlservice.server.administrator.md) | SQL server AD administrators |
+| connectionPolicy | dict | SQL server connection policy |
+| auditingPolicy | dict | SQL server auditing policy |
+| securityAlertPolicy | dict | SQL server security alert policy |
+| encryptionProtector | dict | SQL server encryption protector |
+| threatDetectionPolicy | dict | SQL server threat detection policy |
+| vulnerabilityAssessmentSettings | [azure.subscription.sqlService.server.vulnerabilityassessmentsettings](azure.subscription.sqlservice.server.vulnerabilityassessmentsettings.md) | SQL server vulnerability assessment settings |
+| virtualNetworkRules | [][azure.subscription.sqlService.virtualNetworkRule](azure.subscription.sqlservice.virtualnetworkrule.md) | |
+
+**References**
+
+- [Azure SQL documentation](https://learn.microsoft.com/en-us/azure/azure-sql/)
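Review bot: The `virtualNetworkRules` row at the end of the Fields table has an empty DESCRIPTION cell, the only one in this table. Add a description such as "SQL server virtual network rules" so it matches the neighbouring `firewallRules` row.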
diff --git a/docs/mql/resources/azure-pack/azure.subscription.sqlservice.server.vulnerabilityassessmentsettings.md b/docs/mql/resources/azure-pack/azure.subscription.sqlservice.server.vulnerabilityassessmentsettings.md
new file mode 100644
index 000000000..a5133ef9a
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.sqlservice.server.vulnerabilityassessmentsettings.md
@@ -0,0 +1,35 @@
+---
+title: azure.subscription.sqlService.server.vulnerabilityassessmentsettings
+id: azure.subscription.sqlService.server.vulnerabilityassessmentsettings
+sidebar_label: azure.subscription.sqlService.server.vulnerabilityassessmentsettings
+displayed_sidebar: MQL
+description: Azure SQL server vulnerability assessment settings
+---
+
+# azure.subscription.sqlService.server.vulnerabilityassessmentsettings
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure SQL server vulnerability assessment settings
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------- |
+| id | string | ID of the vulnerability assessment |
+| name | string | Name of the vulnerability assessment |
+| type | string | Type of the vulnerability assessment |
+| storageContainerPath | string | Blob storage container path to hold the scan results |
+| storageAccountAccessKey | string | Identifier key of the storage account for vulnerability assessment scan results |
+| storageContainerSasKey | string | Shared access signature key that has write access to the blob container specified in 'storageContainerPath' |
+| recurringScanEnabled | bool | Whether recurring scan is enabled |
+| recurringScanEmails | []string | Array of email addresses to which the scan notification is sent |
+| mailSubscriptionAdmins | bool | Whether the schedule scan notification is also sent to the subscription administrators |
+
+**References**
+
+- [Azure SQL documentation](https://learn.microsoft.com/en-us/azure/azure-sql/)
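Review bot: The `storageAccountAccessKey` and `storageContainerSasKey` rows document credential material as plain `string` fields with no handling guidance, and the first is described as an "Identifier key", which understates that it is an access key. Reword that description and add a sentence under the table saying that output from queries selecting these fields must be treated as secret and kept out of shared reports and logs. It would also help to state whether the provider returns the values or leaves them empty.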
diff --git a/docs/mql/resources/azure-pack/azure.subscription.sqlservice.virtualnetworkrule.md b/docs/mql/resources/azure-pack/azure.subscription.sqlservice.virtualnetworkrule.md
new file mode 100644
index 000000000..131afcdf6
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.sqlservice.virtualnetworkrule.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.sqlService.virtualNetworkRule
+id: azure.subscription.sqlService.virtualNetworkRule
+sidebar_label: azure.subscription.sqlService.virtualNetworkRule
+displayed_sidebar: MQL
+description: Azure SQL virtual network rule
+---
+
+# azure.subscription.sqlService.virtualNetworkRule
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure SQL virtual network rule
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------- | ------ | ------------------------------- |
+| id | string | Virtual network rule ID |
+| name | string | Virtual network rule name |
+| type | string | Virtual network rule type |
+| properties | dict | Virtual network rule properties |
+| virtualNetworkSubnetId | string | Virtual network rule Subnet ID |
+
+**References**
+
+- [Azure SQL documentation](https://learn.microsoft.com/en-us/azure/azure-sql/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.container.md b/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.container.md
new file mode 100644
index 000000000..19cf8c45d
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.container.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.storageService.account.container
+id: azure.subscription.storageService.account.container
+sidebar_label: azure.subscription.storageService.account.container
+displayed_sidebar: MQL
+description: Azure Storage container
+---
+
+# azure.subscription.storageService.account.container
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Storage container
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | ---------------------------- |
+| id | string | Storage container ID |
+| name | string | Storage container name |
+| type | string | Storage container type |
+| etag | string | Storage container etag |
+| properties | dict | Storage container properties |
+
+**References**
+
+- [Azure Storage documentation](https://learn.microsoft.com/en-us/azure/storage/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.dataprotection.md b/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.dataprotection.md
new file mode 100644
index 000000000..97be2c0ee
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.dataprotection.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.storageService.account.dataProtection
+id: azure.subscription.storageService.account.dataProtection
+sidebar_label: azure.subscription.storageService.account.dataProtection
+displayed_sidebar: MQL
+description: Azure Storage account data protection
+---
+
+# azure.subscription.storageService.account.dataProtection
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Storage account data protection
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------------- | ------ | ----------------------------------------------- |
+| storageAccountId | string | ID of the storage account |
+| blobSoftDeletionEnabled | bool | Whether soft deletion of blobs is enabled |
+| blobRetentionDays | int | Retention period in days for deleted blobs |
+| containerSoftDeletionEnabled | bool | Whether soft deletion of containers is enabled |
+| containerRetentionDays | int | Retention period in days for deleted containers |
+
+**References**
+
+- [Azure Storage documentation](https://learn.microsoft.com/en-us/azure/storage/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.md b/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.md
new file mode 100644
index 000000000..6d2c0370b
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.md
@@ -0,0 +1,40 @@
+---
+title: azure.subscription.storageService.account
+id: azure.subscription.storageService.account
+sidebar_label: azure.subscription.storageService.account
+displayed_sidebar: MQL
+description: Azure Storage account
+---
+
+# azure.subscription.storageService.account
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Storage account
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- |
+| id | string | Storage account ID |
+| name | string | Storage account name |
+| location | string | Storage account location |
+| tags | map[string]string | Storage account tags |
+| type | string | Storage account type |
+| properties | dict | Storage account properties |
+| identity | dict | Storage account identity |
+| sku | dict | Storage account SKU |
+| kind | string | Storage account kind |
+| containers | [][azure.subscription.storageService.account.container](azure.subscription.storageservice.account.container.md) | Storage account containers |
+| queueProperties | [azure.subscription.storageService.account.service.properties](azure.subscription.storageservice.account.service.properties.md) | Storage account queue properties |
+| tableProperties | [azure.subscription.storageService.account.service.properties](azure.subscription.storageservice.account.service.properties.md) | Storage account table properties |
+| blobProperties | [azure.subscription.storageService.account.service.properties](azure.subscription.storageservice.account.service.properties.md) | Storage account blob properties |
+| dataProtection | [azure.subscription.storageService.account.dataProtection](azure.subscription.storageservice.account.dataprotection.md) | Storage account data protection |
+
+**References**
+
+- [Azure Storage documentation](https://learn.microsoft.com/en-us/azure/storage/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.service.properties.logging.md b/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.service.properties.logging.md
new file mode 100644
index 000000000..e960d564e
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.service.properties.logging.md
@@ -0,0 +1,32 @@
+---
+title: azure.subscription.storageService.account.service.properties.logging
+id: azure.subscription.storageService.account.service.properties.logging
+sidebar_label: azure.subscription.storageService.account.service.properties.logging
+displayed_sidebar: MQL
+description: Azure Storage account service properties logging
+---
+
+# azure.subscription.storageService.account.service.properties.logging
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Storage account service properties logging
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- |
+| id | string | ID of the logging configuration |
+| delete | bool | Whether delete requests are logged |
+| read | bool | Whether read requests are logged |
+| write | bool | Whether write requests are logged |
+| version | string | Logging version |
+| retentionPolicy | [azure.subscription.storageService.account.service.properties.retentionPolicy](azure.subscription.storageservice.account.service.properties.retentionpolicy.md) | Retention policy for the logging metrics |
+
+**References**
+
+- [Azure Storage documentation](https://learn.microsoft.com/en-us/azure/storage/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.service.properties.md b/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.service.properties.md
new file mode 100644
index 000000000..6a934749b
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.service.properties.md
@@ -0,0 +1,26 @@
+---
+title: azure.subscription.storageService.account.service.properties
+id: azure.subscription.storageService.account.service.properties
+sidebar_label: azure.subscription.storageService.account.service.properties
+displayed_sidebar: MQL
+description: Azure Storage account service properties
+---
+
+# azure.subscription.storageService.account.service.properties
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Storage account service properties
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- |
+| id | string | ID of the service |
+| hourMetrics | [azure.subscription.storageService.account.service.properties.metrics](azure.subscription.storageservice.account.service.properties.metrics.md) | Hourly metrics properties |
+| minuteMetrics | [azure.subscription.storageService.account.service.properties.metrics](azure.subscription.storageservice.account.service.properties.metrics.md) | Minute metrics properties |
+| logging | [azure.subscription.storageService.account.service.properties.logging](azure.subscription.storageservice.account.service.properties.logging.md) | Logging properties |
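Review bot: This page ends at the Fields table with no **References** section, while the other storage pages added in this patch close with a link to the Azure Storage documentation. Add the same block here for consistency.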
diff --git a/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.service.properties.metrics.md b/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.service.properties.metrics.md
new file mode 100644
index 000000000..ef08fff16
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.service.properties.metrics.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.storageService.account.service.properties.metrics
+id: azure.subscription.storageService.account.service.properties.metrics
+sidebar_label: azure.subscription.storageService.account.service.properties.metrics
+displayed_sidebar: MQL
+description: Azure Storage account service properties metrics
+---
+
+# azure.subscription.storageService.account.service.properties.metrics
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Storage account service properties metrics
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- |
+| id | string | ID of the metrics |
+| includeAPIs | bool | Whether metrics generate summary statistics for called API operations |
+| retentionPolicy | [azure.subscription.storageService.account.service.properties.retentionPolicy](azure.subscription.storageservice.account.service.properties.retentionpolicy.md) | Retention policy for the metrics |
+| enabled | bool | Whether the metrics are enabled |
+| version | string | Version of the metrics |
+
+**References**
+
+- [Azure Storage documentation](https://learn.microsoft.com/en-us/azure/storage/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.service.properties.retentionpolicy.md b/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.service.properties.retentionpolicy.md
new file mode 100644
index 000000000..8f19ecc4f
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.storageservice.account.service.properties.retentionpolicy.md
@@ -0,0 +1,29 @@
+---
+title: azure.subscription.storageService.account.service.properties.retentionPolicy
+id: azure.subscription.storageService.account.service.properties.retentionPolicy
+sidebar_label: azure.subscription.storageService.account.service.properties.retentionPolicy
+displayed_sidebar: MQL
+description: Azure Storage account service properties retention policy
+---
+
+# azure.subscription.storageService.account.service.properties.retentionPolicy
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Storage account service properties retention policy
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ------ | ----------------------------------------------------------- |
+| id | string | ID of the retention policy |
+| retentionDays | int | Number of days that metrics or logging data is retained |
+| enabled | bool | Whether a retention policy is enabled for the Azure Storage |
+
+**References**
+
+- [Azure Storage documentation](https://learn.microsoft.com/en-us/azure/storage/)
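Review bot: The `enabled` description, "Whether a retention policy is enabled for the Azure Storage", trails off without naming what the policy applies to. Since the `retentionDays` row already says the policy covers metrics or logging data, "Whether the retention policy is enabled" would be clearer.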
diff --git a/docs/mql/resources/azure-pack/azure.subscription.storageservice.md b/docs/mql/resources/azure-pack/azure.subscription.storageservice.md
new file mode 100644
index 000000000..53526d34b
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.storageservice.md
@@ -0,0 +1,28 @@
+---
+title: azure.subscription.storageService
+id: azure.subscription.storageService
+sidebar_label: azure.subscription.storageService
+displayed_sidebar: MQL
+description: Azure Storage
+---
+
+# azure.subscription.storageService
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Storage
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | --------------------------------------------------------------------------------------------------- | ------------------------ |
+| subscriptionId | string | Subscription identifier |
+| accounts | [][azure.subscription.storageService.account](azure.subscription.storageservice.account.md) | List of storage accounts |
+
+**References**
+
+- [Azure Storage documentation](https://learn.microsoft.com/en-us/azure/storage/)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.webservice.appsite.md b/docs/mql/resources/azure-pack/azure.subscription.webservice.appsite.md
new file mode 100644
index 000000000..834090842
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.webservice.appsite.md
@@ -0,0 +1,40 @@
+---
+title: azure.subscription.webService.appsite
+id: azure.subscription.webService.appsite
+sidebar_label: azure.subscription.webService.appsite
+displayed_sidebar: MQL
+description: Azure Web app site
+---
+
+# azure.subscription.webService.appsite
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Web app site
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------- | --------------------------------------------------------------------------------------------------------- | -------------------------------- |
+| id | string | App site ID |
+| name | string | App site name |
+| kind | string | App site kind |
+| location | string | App site location |
+| type | string | App site type |
+| tags | map[string]string | App site tags |
+| properties | dict | App site properties |
+| identity | dict | App site identity |
+| configuration | [azure.subscription.webService.appsiteconfig](azure.subscription.webservice.appsiteconfig.md) | App site configuration |
+| authenticationSettings | [azure.subscription.webService.appsiteauthsettings](azure.subscription.webservice.appsiteauthsettings.md) | App site authentication settings |
+| metadata | dict | App site metadata |
+| applicationSettings | dict | App site application settings |
+| connectionSettings | dict | App site connection settings |
+| stack | dict | App site stack |
+
+**References**
+
+- [Azure Web documentation](https://learn.microsoft.com/en-us/azure/?product=web)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.webservice.appsiteauthsettings.md b/docs/mql/resources/azure-pack/azure.subscription.webservice.appsiteauthsettings.md
new file mode 100644
index 000000000..9cede40db
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.webservice.appsiteauthsettings.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.webService.appsiteauthsettings
+id: azure.subscription.webService.appsiteauthsettings
+sidebar_label: azure.subscription.webService.appsiteauthsettings
+displayed_sidebar: MQL
+description: Azure AppSite authentication settings
+---
+
+# azure.subscription.webService.appsiteauthsettings
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure AppSite authentication settings
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | ------------------------ |
+| id | string | Auth settings ID |
+| name | string | Auth settings name |
+| kind | string | Auth settings kind |
+| type | string | Auth settings type |
+| properties | dict | Auth settings properties |
+
+**References**
+
+- [Azure Web documentation](https://learn.microsoft.com/en-us/azure/?product=web)
diff --git a/docs/mql/resources/azure-pack/azure.subscription.webservice.appsiteconfig.md b/docs/mql/resources/azure-pack/azure.subscription.webservice.appsiteconfig.md
new file mode 100644
index 000000000..35ad81355
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.webservice.appsiteconfig.md
@@ -0,0 +1,31 @@
+---
+title: azure.subscription.webService.appsiteconfig
+id: azure.subscription.webService.appsiteconfig
+sidebar_label: azure.subscription.webService.appsiteconfig
+displayed_sidebar: MQL
+description: Azure AppSite config
+---
+
+# azure.subscription.webService.appsiteconfig
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure AppSite config
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | ------------------------- |
+| id | string | Appsite config ID |
+| name | string | Appsite config name |
+| kind | string | Appsite config kind |
+| type | string | Appsite config type |
+| properties | dict | Appsite config properties |
+
+**References**
+
+- [Azure Web documentation](https://learn.microsoft.com/en-us/azure/?product=web)
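Review bot: The front-matter description and the Description section use "AppSite", the Fields table uses "Appsite", and the parent appsite page in this patch uses "App site". Pick one spelling and apply it across the three web service pages so search and the sidebar show a single term.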
diff --git a/docs/mql/resources/azure-pack/azure.subscription.webservice.md b/docs/mql/resources/azure-pack/azure.subscription.webservice.md
new file mode 100644
index 000000000..d838618bb
--- /dev/null
+++ b/docs/mql/resources/azure-pack/azure.subscription.webservice.md
@@ -0,0 +1,29 @@
+---
+title: azure.subscription.webService
+id: azure.subscription.webService
+sidebar_label: azure.subscription.webService
+displayed_sidebar: MQL
+description: Azure Web
+---
+
+# azure.subscription.webService
+
+**Supported platform**
+
+- azure
+
+**Description**
+
+Azure Web
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ------------------------------------------------------------------------------------------- | ----------------------- |
+| subscriptionId | string | Subscription identifier |
+| apps | [][azure.subscription.webService.appsite](azure.subscription.webservice.appsite.md) | List of web apps |
+| availableRuntimes | []dict | Available runtimes |
+
+**References**
+
+- [Azure Web documentation](https://learn.microsoft.com/en-us/azure/?product=web)
diff --git a/docs/mql/resources/core-pack/README.md b/docs/mql/resources/core-pack/README.md
new file mode 100644
index 000000000..1e32c23dc
--- /dev/null
+++ b/docs/mql/resources/core-pack/README.md
@@ -0,0 +1,22 @@
+---
+title: Core Resource Pack - MQL Resources
+id: core.pack
+sidebar_label: Core Resource Pack
+displayed_sidebar: MQL
+description: The Core pack provides basic MQL resources that let you query and assess the security.
+---
+
+# Mondoo Core Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| ------------------------- | -------------------------------------------------------- |
+| [asset](asset.md) | General asset information |
+| [asset.eol](asset.eol.md) | Information about the assets platform end-of-life. |
+| [cpe](cpe.md) | Common Platform Enumeration (CPE) identifiers |
+| [mondoo](mondoo.md) | Contextual information about MQL runtime and environment |
+| [parse](parse.md) | Provides common parsers (json, ini, certs, etc) |
+| [regex](regex.md) | Built-in regular expression functions |
+| [time](time.md) | Date and time functions |
+| [uuid](uuid.md) | UUIDs based on RFC 4122 and DCE 1.1 |
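Review bot: The front-matter `description` ends at "query and assess the security." with no object, so the sentence used for page metadata is incomplete; say what is being assessed. In the table, the `asset.eol` row is missing the possessive apostrophe ("assets platform") and is the only description with a trailing period.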
diff --git a/docs/mql/resources/core-pack/asset.eol.md b/docs/mql/resources/core-pack/asset.eol.md
new file mode 100644
index 000000000..b04b32510
--- /dev/null
+++ b/docs/mql/resources/core-pack/asset.eol.md
@@ -0,0 +1,21 @@
+---
+title: asset.eol
+id: asset.eol
+sidebar_label: asset.eol
+displayed_sidebar: MQL
+description: Information about the assets platform end-of-life.
+---
+
+# asset.eol
+
+**Description**
+
+Information about the assets platform end-of-life.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | --------------- | ----------------- |
+| docsUrl | string | Documentation URL |
+| productUrl | string | Product URL |
+| date | [time](time.md) | End-of-Life date |
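Review bot: "Information about the assets platform end-of-life." appears in both the front matter and the Description section with the possessive apostrophe missing; it should read "asset's platform". The `date` row also capitalizes "End-of-Life" while the description uses "end-of-life", so align the two.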
diff --git a/docs/mql/resources/core-pack/asset.md b/docs/mql/resources/core-pack/asset.md
new file mode 100644
index 000000000..66b3018d0
--- /dev/null
+++ b/docs/mql/resources/core-pack/asset.md
@@ -0,0 +1,30 @@
+---
+title: asset
+id: asset
+sidebar_label: asset
+displayed_sidebar: MQL
+description: General asset information
+---
+
+# asset
+
+**Description**
+
+General asset information
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ----------------- | -------------------------------------------------------------------------------------------------------------------------- |
+| name | string | Human readable name of the asset |
+| ids | []string | All identifiers for this asset |
+| platform | string | Platform for this asset (redhat, windows, k8s-pod) |
+| kind | string | Kind of platform, for example:, api, baremetal, vm, vm-image, container, container-image, network, ... |
+| runtime | string | Runtime is the specific kind of the platform. Examples include:, docker-container, podman-container, aws-ec2-instance, ... |
+| version | string | Version of the platform |
+| arch | string | Architecture this OS is running on |
+| title | string | Human-readable title of the platform (e.g., "Red Hat 8, Container") |
+| family | []string | List of platform families that this platform belongs to |
+| fqdn | string | Fully qualified domain name (optional) |
+| build | string | Build version of the platform (optional) |
+| labels | map[string]string | Optional platform information |
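Review bot: The `kind` and `runtime` rows have a stray comma directly after the colon ("for example:, api, baremetal" and "Examples include:, docker-container"). Drop the comma and put the literal values in backticks so they read as values rather than prose; the same goes for "(redhat, windows, k8s-pod)" in the `platform` row. `labels` is described only as "Optional platform information", which does not say where the labels come from.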
diff --git a/docs/mql/resources/core-pack/cpe.md b/docs/mql/resources/core-pack/cpe.md
new file mode 100644
index 000000000..96d43b906
--- /dev/null
+++ b/docs/mql/resources/core-pack/cpe.md
@@ -0,0 +1,34 @@
+---
+title: cpe
+id: cpe
+sidebar_label: cpe
+displayed_sidebar: MQL
+description: Common Platform Enumeration (CPE) identifiers
+---
+
+# cpe
+
+**Description**
+
+Common Platform Enumeration (CPE) identifiers
+
+**Init**
+
+cpe(uri string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------ | --------------------------- |
+| uri | string | URI binding of the CPE |
+| part | string | Part of the CPE |
+| vendor | string | Vendor of the CPE |
+| product | string | Product of the CPE |
+| version | string | Version of the CPE |
+| update | string | Update of the CPE |
+| edition | string | Edition of the CPE |
+| language | string | Language of the CPE |
+| swEdition | string | Software edition of the CPE |
+| targetSw | string | Target software of the CPE |
+| targetHw | string | Target hardware of the CPE |
+| other | string | Other of the CPE |
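Review bot: `cpe(uri string)` under **Init** shows no sample value, and the `uri` row says only "URI binding", so a reader cannot tell whether the initializer expects the `cpe:/` URI form, the `cpe:2.3:` formatted string, or both. State which, give one example, and put the signature in backticks. "Other of the CPE" in the `other` row does not describe anything as written; say what that component holds.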
diff --git a/docs/mql/resources/core-pack/mondoo.md b/docs/mql/resources/core-pack/mondoo.md
new file mode 100644
index 000000000..60758b361
--- /dev/null
+++ b/docs/mql/resources/core-pack/mondoo.md
@@ -0,0 +1,23 @@
+---
+title: mondoo
+id: mondoo
+sidebar_label: mondoo
+displayed_sidebar: MQL
+description: Contextual information about MQL runtime and environment
+---
+
+# mondoo
+
+**Description**
+
+Contextual information about MQL runtime and environment
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ---------------- | --------------------------------------------------- |
+| version | string | Version of the client running on the asset |
+| build | string | Build of the client (e.g., production, development) |
+| arch | string | Architecture of this client (e.g., linux-amd64) |
+| jobEnvironment | dict | Agent execution environment |
+| capabilities | []string | Connection capabilities |
diff --git a/docs/mql/resources/core-pack/parse.md b/docs/mql/resources/core-pack/parse.md
new file mode 100644
index 000000000..05e0c09ff
--- /dev/null
+++ b/docs/mql/resources/core-pack/parse.md
@@ -0,0 +1,13 @@
+---
+title: parse
+id: parse
+sidebar_label: parse
+displayed_sidebar: MQL
+description: Provides common parsers (json, ini, certs, etc)
+---
+
+# parse
+
+**Description**
+
+Provides common parsers (json, ini, certs, etc)
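Review bot: This page stops after the description, with no **Fields** or **Init** section, so "Provides common parsers (json, ini, certs, etc)" is all a reader gets. List the parsers the resource exposes, or link to their pages, and add the period after "etc" here and in the front-matter `description`.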
diff --git a/docs/mql/resources/core-pack/regex.md b/docs/mql/resources/core-pack/regex.md
new file mode 100644
index 000000000..808f8bb35
--- /dev/null
+++ b/docs/mql/resources/core-pack/regex.md
@@ -0,0 +1,27 @@
+---
+title: regex
+id: regex
+sidebar_label: regex
+displayed_sidebar: MQL
+description: Built-in regular expression functions
+---
+
+# regex
+
+**Description**
+
+Built-in regular expression functions
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ----------------- | ---------------------------------- |
+| ipv4 | [regex](regex.md) | Matches IPv4 addresses |
+| ipv6 | [regex](regex.md) | Matches IPv6 addresses |
+| url | [regex](regex.md) | Matches URL addresses (HTTP/HTTPS) |
+| email | [regex](regex.md) | Matches email addresses |
+| mac | [regex](regex.md) | Matches MAC addresses |
+| uuid | [regex](regex.md) | Matches hyphen-deliminated UUIDs |
+| emoji | [regex](regex.md) | Matches emojis |
+| semver | [regex](regex.md) | Matches semantic version numbers |
+| creditCard | [regex](regex.md) | Matches credit card numbers |
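Review bot: "hyphen-deliminated" in the `uuid` row should be "hyphen-delimited". For `creditCard`, "Matches credit card numbers" leaves open whether the match is on digit format alone or also validates a checksum; readers using it to flag card data need to know which, so say so in the description. The TYPE column links every field back to this same page, so the link adds nothing here.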
diff --git a/docs/mql/resources/core-pack/time.md b/docs/mql/resources/core-pack/time.md
new file mode 100644
index 000000000..a534e15be
--- /dev/null
+++ b/docs/mql/resources/core-pack/time.md
@@ -0,0 +1,25 @@
+---
+title: time
+id: time
+sidebar_label: time
+displayed_sidebar: MQL
+description: Date and time functions
+---
+
+# time
+
+**Description**
+
+Date and time functions
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | --------------- | ------------------------------------ |
+| now | [time](time.md) | The current time on the local system |
+| second | [time](time.md) | One second, used for durations |
+| minute | [time](time.md) | One minute, used for durations |
+| hour | [time](time.md) | One hour, used for durations |
+| day | [time](time.md) | One day, used for durations |
+| today | [time](time.md) | The current day starting at midnight |
+| tomorrow | [time](time.md) | The next day starting at midnight |
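Review bot: `second`, `minute`, `hour` and `day` are typed as `time` but described as "used for durations"; add a sentence on how a duration is expressed with this type, ideally with one expression. "The current time on the local system" for `now` is ambiguous between the machine running the client and the asset being scanned, and `today` and `tomorrow` do not say which time zone "midnight" refers to. Expiry and age checks depend on both answers.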
diff --git a/docs/mql/resources/core-pack/uuid.md b/docs/mql/resources/core-pack/uuid.md
new file mode 100644
index 000000000..feb8b94a7
--- /dev/null
+++ b/docs/mql/resources/core-pack/uuid.md
@@ -0,0 +1,26 @@
+---
+title: uuid
+id: uuid
+sidebar_label: uuid
+displayed_sidebar: MQL
+description: UUIDs based on RFC 4122 and DCE 1.1
+---
+
+# uuid
+
+**Description**
+
+UUIDs based on RFC 4122 and DCE 1.1
+
+**Init**
+
+uuid(value string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ------ | -------------------------------------------------------------------- |
+| value | string | Canonical string representation xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
+| urn | string | URN returns the RFC 2141 URN form of uuid |
+| version | int | Version of UUID |
+| variant | string | Variant encoded in UUID |
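Review bot: The `urn` description "URN returns the RFC 2141 URN form of uuid" reads like a code comment carried over verbatim; reword it to match the other rows, for example "RFC 2141 URN form of the UUID". The `version` and `variant` rows give no indication of the values a query can return; list them or point to the relevant part of RFC 4122. `uuid(value string)` under **Init** should be in backticks.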
diff --git a/docs/mql/resources/equinix-pack/README.md b/docs/mql/resources/equinix-pack/README.md
new file mode 100644
index 000000000..1760d7d8d
--- /dev/null
+++ b/docs/mql/resources/equinix-pack/README.md
@@ -0,0 +1,19 @@
+---
+title: Equinix Resource Pack - MQL Resources
+id: equinix.pack
+sidebar_label: Equinix Resource Pack
+displayed_sidebar: MQL
+description: The Equinix resource pack lets you use MQL to query and assess the security of your Equinix Metal services.
+---
+
+# Mondoo Equinix Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| ----------------------------------------------------------- | -------------------------- |
+| [equinix.metal.device](equinix.metal.device.md) | Equinix Metal device |
+| [equinix.metal.organization](equinix.metal.organization.md) | Equinix Metal organization |
+| [equinix.metal.project](equinix.metal.project.md) | Equinix Metal project |
+| [equinix.metal.sshkey](equinix.metal.sshkey.md) | Equinix Metal SSH key |
+| [equinix.metal.user](equinix.metal.user.md) | Equinix Metal user |
diff --git a/docs/mql/resources/equinix-pack/equinix.metal.device.md b/docs/mql/resources/equinix-pack/equinix.metal.device.md
new file mode 100644
index 000000000..477133c2e
--- /dev/null
+++ b/docs/mql/resources/equinix-pack/equinix.metal.device.md
@@ -0,0 +1,42 @@
+---
+title: equinix.metal.device
+id: equinix.metal.device
+sidebar_label: equinix.metal.device
+displayed_sidebar: MQL
+description: Equinix Metal device
+---
+
+# equinix.metal.device
+
+**Supported platform**
+
+- equinix
+
+**Maturity**
+
+experimental
+
+**Description**
+
+Equinix Metal device
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------ | ------------------------------------- |
+| id | string | Device ID |
+| shortID | string | Device's short ID |
+| url | string | Device URL |
+| hostname | string | Device hostname |
+| description | string | Description of the device |
+| state | string | Current state of the device |
+| createdAt | time | When the device was created |
+| updatedAt | time | When the device was last updated |
+| locked | bool | Whether the device is locked |
+| billingCycle | string | Billing cycle used for the device |
+| spotInstance | bool | Whether the device is a Spot instance |
+| os | dict | Operating system |
+
+**References**
+
+- [Equinix Metal docs](https://deploy.equinix.com/developers/docs/metal/)
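Review bot: `createdAt` and `updatedAt` use a bare `time` in the TYPE column, while the core pack pages in this same change link the type as `[time](time.md)`. Add a relative link to the core pack's time page so the type is navigable from here; the other equinix.metal pages have the same gap. The `os` row is a `dict` with no indication of its keys, so a reader cannot write a query against it from this page alone.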
diff --git a/docs/mql/resources/equinix-pack/equinix.metal.organization.md b/docs/mql/resources/equinix-pack/equinix.metal.organization.md
new file mode 100644
index 000000000..ef9f42456
--- /dev/null
+++ b/docs/mql/resources/equinix-pack/equinix.metal.organization.md
@@ -0,0 +1,44 @@
+---
+title: equinix.metal.organization
+id: equinix.metal.organization
+sidebar_label: equinix.metal.organization
+displayed_sidebar: MQL
+description: Equinix Metal organization
+---
+
+# equinix.metal.organization
+
+**Supported platform**
+
+- equinix
+
+**Maturity**
+
+experimental
+
+**Description**
+
+Equinix Metal organization
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ----------------------------------------------------- | ---------------------------------------- |
+| id | string | Organization ID |
+| name | string | Organization name |
+| description | string | Organization description |
+| website | string | Organization website URL |
+| twitter | string | Organization X (formerly Twitter) handle |
+| createdAt | time | When the organization was created |
+| updatedAt | time | When the organization was last updated |
+| address | dict | Address information for the organization |
+| taxId | string | Organization's tax ID |
+| mainPhone | string | Organization's main phone number |
+| billingPhone | string | Organization's billing phone number |
+| creditAmount | float | Organization's credit amount |
+| url | string | URL |
+| users | [][equinix.metal.user](equinix.metal.user.md) | Users in the organization |
+
+**References**
+
+- [Organizations](https://deploy.equinix.com/developers/docs/metal/accounts/organizations/)
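Review bot: The `url` row is described only as "URL", which restates the field name and does not say what it addresses or how it differs from `website` two rows up. The `address` row is a `dict` with no keys listed. Both need one more clause before someone can use them in a query.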
diff --git a/docs/mql/resources/equinix-pack/equinix.metal.project.md b/docs/mql/resources/equinix-pack/equinix.metal.project.md
new file mode 100644
index 000000000..f161d41fb
--- /dev/null
+++ b/docs/mql/resources/equinix-pack/equinix.metal.project.md
@@ -0,0 +1,38 @@
+---
+title: equinix.metal.project
+id: equinix.metal.project
+sidebar_label: equinix.metal.project
+displayed_sidebar: MQL
+description: Equinix Metal project
+---
+
+# equinix.metal.project
+
+**Supported platform**
+
+- equinix
+
+**Maturity**
+
+experimental
+
+**Description**
+
+Equinix Metal project
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ----------------------------------------------------------- | ----------------------------------- |
+| id | string | Project ID |
+| name | string | Project name |
+| organization | [equinix.metal.organization](equinix.metal.organization.md) | Organization the project belongs to |
+| createdAt | time | When the project was created |
+| updatedAt | time | When the project was last updated |
+| url | string | URL |
+| sshKeys | [][equinix.metal.sshkey](equinix.metal.sshkey.md) | SSH keys |
+| devices | [][equinix.metal.device](equinix.metal.device.md) | Devices |
+
+**References**
+
+- [Creating a Project](https://deploy.equinix.com/developers/docs/metal/projects/creating-a-project/)
diff --git a/docs/mql/resources/equinix-pack/equinix.metal.sshkey.md b/docs/mql/resources/equinix-pack/equinix.metal.sshkey.md
new file mode 100644
index 000000000..7bf5ba9bf
--- /dev/null
+++ b/docs/mql/resources/equinix-pack/equinix.metal.sshkey.md
@@ -0,0 +1,37 @@
+---
+title: equinix.metal.sshkey
+id: equinix.metal.sshkey
+sidebar_label: equinix.metal.sshkey
+displayed_sidebar: MQL
+description: Equinix Metal SSH key
+---
+
+# equinix.metal.sshkey
+
+**Supported platform**
+
+- equinix
+
+**Maturity**
+
+experimental
+
+**Description**
+
+Equinix Metal SSH key
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | ----------------------------- |
+| id | string | ID of the SSH key |
+| label | string | label of the SSH key |
+| key | string | Key |
+| fingerPrint | string | Finger print |
+| createdAt | time | When the key was created |
+| updatedAt | time | When the key was last updated |
+| url | string | URL |
+
+**References**
+
+- [Project SSH Keys](https://deploy.equinix.com/developers/docs/metal/projects/project-ssh-keys/)
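Review bot: "Finger print" in the `fingerPrint` row should be "Fingerprint", and "label of the SSH key" should start with a capital like the other rows. The `key` row says only "Key"; state what the string holds and which hash the fingerprint is computed with, so query results can be compared against an existing key inventory.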
diff --git a/docs/mql/resources/equinix-pack/equinix.metal.user.md b/docs/mql/resources/equinix-pack/equinix.metal.user.md
new file mode 100644
index 000000000..e28e743a7
--- /dev/null
+++ b/docs/mql/resources/equinix-pack/equinix.metal.user.md
@@ -0,0 +1,45 @@
+---
+title: equinix.metal.user
+id: equinix.metal.user
+sidebar_label: equinix.metal.user
+displayed_sidebar: MQL
+description: Equinix Metal user
+---
+
+# equinix.metal.user
+
+**Supported platform**
+
+- equinix
+
+**Maturity**
+
+experimental
+
+**Description**
+
+Equinix Metal user
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ------ | ---------------------------------- |
+| id | string | User ID |
+| firstName | string | User's first name |
+| lastName | string | User's last name |
+| fullName | string | User's full name |
+| email | string | User's email address |
+| twoFactorAuth | string | User's two-factor authentication |
+| avatarUrl | string | User's avatar |
+| twitter | string | User's X (formerly Twitter) handle |
+| facebook | string | User's facebook account |
+| linkedin | string | User's LinkedIn account |
+| createdAt | time | When the user was created |
+| updatedAt | time | When the user was last updated |
+| timezone | string | User's time zone |
+| phoneNumber | string | User's phone number |
+| url | string | URL |
+
+**References**
+
+- [User Accounts](https://deploy.equinix.com/developers/docs/metal/accounts/users/)
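Review bot: `twoFactorAuth` is typed `string` and described as "User's two-factor authentication", which tells a reader neither the possible values nor how to test for a user without two-factor authentication. Document the values, including what is returned when it is not enabled, since this is the field most likely to end up in a policy check. Also capitalize "facebook" in the `facebook` row's description to match "LinkedIn".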
diff --git a/docs/mql/resources/gcp-pack/README.md b/docs/mql/resources/gcp-pack/README.md
new file mode 100644
index 000000000..04bbc6b2e
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/README.md
@@ -0,0 +1,136 @@
+---
+title: Google Cloud Platform (GCP) Resource Pack - MQL Resources
+id: google.cloud.platform.gcp.pack
+sidebar_label: Google Cloud Platform (GCP) Resource Pack
+displayed_sidebar: MQL
+description: The Google Cloud Platform (GCP) resource pack lets you use MQL to query and assess the security of your GCP cloud services.
+---
+
+# Mondoo Google Cloud Platform (GCP) Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- |
+| [gcp.accessApprovalSettings](gcp.accessapprovalsettings.md) | GCP access approval settings |
+| [gcp.essentialContact](gcp.essentialcontact.md) | GCP contact |
+| [gcp.folder](gcp.folder.md) | GCP folder |
+| [gcp.folders](gcp.folders.md) | GCP folders |
+| [gcp.organization](gcp.organization.md) | GCP cloud organization |
+| [gcp.project](gcp.project.md) | Google Cloud Platform project |
+| [gcp.project.apiKey](gcp.project.apikey.md) | GCP project API key |
+| [gcp.project.apiKey.restrictions](gcp.project.apikey.restrictions.md) | GCP project API key restrictions |
+| [gcp.project.bigqueryService](gcp.project.bigqueryservice.md) | GCP BigQuery resources |
+| [gcp.project.bigqueryService.dataset](gcp.project.bigqueryservice.dataset.md) | GCP BigQuery dataset |
+| [gcp.project.bigqueryService.dataset.accessEntry](gcp.project.bigqueryservice.dataset.accessentry.md) | GCP BigQuery dataset access entry |
+| [gcp.project.bigqueryService.model](gcp.project.bigqueryservice.model.md) | GCP BigQuery ML model |
+| [gcp.project.bigqueryService.routine](gcp.project.bigqueryservice.routine.md) | GCP BigQuery routine |
+| [gcp.project.bigqueryService.table](gcp.project.bigqueryservice.table.md) | GCP BigQuery table |
+| [gcp.project.cloudFunction](gcp.project.cloudfunction.md) | GCP cloud function |
+| [gcp.project.cloudRunService](gcp.project.cloudrunservice.md) | GCP Cloud Run resources |
+| [gcp.project.cloudRunService.condition](gcp.project.cloudrunservice.condition.md) | GCP Cloud Run condition |
+| [gcp.project.cloudRunService.container](gcp.project.cloudrunservice.container.md) | GCP Cloud Run service revision template container |
+| [gcp.project.cloudRunService.container.probe](gcp.project.cloudrunservice.container.probe.md) | GCP Cloud Run service revision template container probe |
+| [gcp.project.cloudRunService.job](gcp.project.cloudrunservice.job.md) | GCP Cloud Run job |
+| [gcp.project.cloudRunService.job.executionTemplate](gcp.project.cloudrunservice.job.executiontemplate.md) | GCP Cloud Run job execution template |
+| [gcp.project.cloudRunService.job.executionTemplate.taskTemplate](gcp.project.cloudrunservice.job.executiontemplate.tasktemplate.md) | GCP Cloud Run job execution template task template |
+| [gcp.project.cloudRunService.operation](gcp.project.cloudrunservice.operation.md) | GCP Cloud Run operation |
+| [gcp.project.cloudRunService.service](gcp.project.cloudrunservice.service.md) | GCP Cloud Run service |
+| [gcp.project.cloudRunService.service.revisionTemplate](gcp.project.cloudrunservice.service.revisiontemplate.md) | GCP Cloud Run service revision template |
+| [gcp.project.computeService](gcp.project.computeservice.md) | GCP Compute Engine |
+| [gcp.project.computeService.address](gcp.project.computeservice.address.md) | GCP Compute address |
+| [gcp.project.computeService.attachedDisk](gcp.project.computeservice.attacheddisk.md) | GCP Compute attached disk |
+| [gcp.project.computeService.backendService](gcp.project.computeservice.backendservice.md) | GCP Compute backend service |
+| [gcp.project.computeService.backendService.backend](gcp.project.computeservice.backendservice.backend.md) | GCP Compute backend service backend |
+| [gcp.project.computeService.backendService.cdnPolicy](gcp.project.computeservice.backendservice.cdnpolicy.md) | GCP Compute backend service CDN policy |
+| [gcp.project.computeService.disk](gcp.project.computeservice.disk.md) | GCP Compute persistent disk |
+| [gcp.project.computeService.firewall](gcp.project.computeservice.firewall.md) | GCP Compute firewall |
+| [gcp.project.computeService.forwardingRule](gcp.project.computeservice.forwardingrule.md) | GCP Compute forwarding rules |
+| [gcp.project.computeService.image](gcp.project.computeservice.image.md) | GCP Compute |
+| [gcp.project.computeService.instance](gcp.project.computeservice.instance.md) | GCP Compute instances |
+| [gcp.project.computeService.machineType](gcp.project.computeservice.machinetype.md) | GCP machine type |
+| [gcp.project.computeService.network](gcp.project.computeservice.network.md) | GCP Compute VPC network resource |
+| [gcp.project.computeService.region](gcp.project.computeservice.region.md) | GCP Compute region |
+| [gcp.project.computeService.router](gcp.project.computeservice.router.md) | GCP Compute cloud router |
+| [gcp.project.computeService.serviceaccount](gcp.project.computeservice.serviceaccount.md) | GCP Compute service account |
+| [gcp.project.computeService.snapshot](gcp.project.computeservice.snapshot.md) | GCP Compute persistent disk snapshot |
+| [gcp.project.computeService.subnetwork](gcp.project.computeservice.subnetwork.md) | GCP Compute VPC network partitioning |
+| [gcp.project.computeService.subnetwork.logConfig](gcp.project.computeservice.subnetwork.logconfig.md) | GCP Compute VPC network partitioning log configuration |
+| [gcp.project.computeService.zone](gcp.project.computeservice.zone.md) | GCP Compute zone |
+| [gcp.project.dataprocService](gcp.project.dataprocservice.md) | GCP Dataproc resources |
+| [gcp.project.dataprocService.cluster](gcp.project.dataprocservice.cluster.md) | GCP Dataproc cluster |
+| [gcp.project.dataprocService.cluster.config](gcp.project.dataprocservice.cluster.config.md) | GCP Dataproc cluster config |
+| [gcp.project.dataprocService.cluster.config.gceCluster](gcp.project.dataprocservice.cluster.config.gcecluster.md) | GCP Dataproc cluster endpoint config |
+| [gcp.project.dataprocService.cluster.config.gceCluster.reservationAffinity](gcp.project.dataprocservice.cluster.config.gcecluster.reservationaffinity.md) | GCP Dataproc cluster GCE cluster reservation affinity config |
+| [gcp.project.dataprocService.cluster.config.gceCluster.shieldedInstanceConfig](gcp.project.dataprocservice.cluster.config.gcecluster.shieldedinstanceconfig.md) | GCP Dataproc cluster GCE cluster shielded instance config |
+| [gcp.project.dataprocService.cluster.config.gkeCluster](gcp.project.dataprocservice.cluster.config.gkecluster.md) | GCP Dataproc cluster GKE cluster config |
+| [gcp.project.dataprocService.cluster.config.instance](gcp.project.dataprocservice.cluster.config.instance.md) | GCP Dataproc cluster instance config |
+| [gcp.project.dataprocService.cluster.config.instance.diskConfig](gcp.project.dataprocservice.cluster.config.instance.diskconfig.md) | GCP Dataproc cluster instance disk config |
+| [gcp.project.dataprocService.cluster.config.lifecycle](gcp.project.dataprocservice.cluster.config.lifecycle.md) | GCP Dataproc cluster lifecycle config |
+| [gcp.project.dataprocService.cluster.status](gcp.project.dataprocservice.cluster.status.md) | GCP Dataproc cluster status |
+| [gcp.project.dataprocService.cluster.virtualClusterConfig](gcp.project.dataprocservice.cluster.virtualclusterconfig.md) | GCP Dataproc cluster virtual cluster config |
+| [gcp.project.dnsService](gcp.project.dnsservice.md) | GCP Cloud DNS |
+| [gcp.project.dnsService.managedzone](gcp.project.dnsservice.managedzone.md) | Cloud DNS managed zone (a resource that represents a DNS zone hosted by the Cloud DNS service) |
+| [gcp.project.dnsService.policy](gcp.project.dnsservice.policy.md) | Cloud DNS rules applied to one or more Virtual Private Cloud resources |
+| [gcp.project.dnsService.recordset](gcp.project.dnsservice.recordset.md) | Cloud DNS record set |
+| [gcp.project.gkeService](gcp.project.gkeservice.md) | GCP GKE |
+| [gcp.project.gkeService.cluster](gcp.project.gkeservice.cluster.md) | GCP GKE cluster |
+| [gcp.project.gkeService.cluster.addonsConfig](gcp.project.gkeservice.cluster.addonsconfig.md) | GKE cluster addons config |
+| [gcp.project.gkeService.cluster.ipAllocationPolicy](gcp.project.gkeservice.cluster.ipallocationpolicy.md) | GKE cluster IP allocation policy |
+| [gcp.project.gkeService.cluster.networkConfig](gcp.project.gkeservice.cluster.networkconfig.md) | GKE cluster network config |
+| [gcp.project.gkeService.cluster.nodepool](gcp.project.gkeservice.cluster.nodepool.md) | GKE cluster node pool |
+| [gcp.project.gkeService.cluster.nodepool.config](gcp.project.gkeservice.cluster.nodepool.config.md) | GCP GKE node pool configuration |
+| [gcp.project.gkeService.cluster.nodepool.config.accelerator](gcp.project.gkeservice.cluster.nodepool.config.accelerator.md) | GCP GKE node pool hardware accelerators configuration |
+| [gcp.project.gkeService.cluster.nodepool.config.accelerator.gpuSharingConfig](gcp.project.gkeservice.cluster.nodepool.config.accelerator.gpusharingconfig.md) | GPU sharing configuration |
+| [gcp.project.gkeService.cluster.nodepool.config.advancedMachineFeatures](gcp.project.gkeservice.cluster.nodepool.config.advancedmachinefeatures.md) | GCP GKE node pool advanced machine features configuration |
+| [gcp.project.gkeService.cluster.nodepool.config.confidentialNodes](gcp.project.gkeservice.cluster.nodepool.config.confidentialnodes.md) | GCP GKE node pool confidential nodes configuration |
+| [gcp.project.gkeService.cluster.nodepool.config.gcfsConfig](gcp.project.gkeservice.cluster.nodepool.config.gcfsconfig.md) | GCP GKE node pool GCFS configuration |
+| [gcp.project.gkeService.cluster.nodepool.config.gvnicConfig](gcp.project.gkeservice.cluster.nodepool.config.gvnicconfig.md) | GCP GKE node pool gVNIC configuration |
+| [gcp.project.gkeService.cluster.nodepool.config.kubeletConfig](gcp.project.gkeservice.cluster.nodepool.config.kubeletconfig.md) | GCP GKE Node Pool kubelet configuration |
+| [gcp.project.gkeService.cluster.nodepool.config.linuxNodeConfig](gcp.project.gkeservice.cluster.nodepool.config.linuxnodeconfig.md) | GCP GKE node pool parameters that can be configured on Linux nodes |
+| [gcp.project.gkeService.cluster.nodepool.config.nodeTaint](gcp.project.gkeservice.cluster.nodepool.config.nodetaint.md) | GCP GKE Kubernetes node taint |
+| [gcp.project.gkeService.cluster.nodepool.config.sandboxConfig](gcp.project.gkeservice.cluster.nodepool.config.sandboxconfig.md) | GCP GKE node pool sandbox configuration |
+| [gcp.project.gkeService.cluster.nodepool.config.shieldedInstanceConfig](gcp.project.gkeservice.cluster.nodepool.config.shieldedinstanceconfig.md) | GCP GKE node pool shielded instance configuration |
+| [gcp.project.gkeService.cluster.nodepool.networkConfig](gcp.project.gkeservice.cluster.nodepool.networkconfig.md) | GCP GKE node pool-Level network configuration |
+| [gcp.project.gkeService.cluster.nodepool.networkConfig.performanceConfig](gcp.project.gkeservice.cluster.nodepool.networkconfig.performanceconfig.md) | GCP GKE node pool network performance configuration |
+| [gcp.project.iamService](gcp.project.iamservice.md) | GCP IAM resources |
+| [gcp.project.iamService.serviceAccount](gcp.project.iamservice.serviceaccount.md) | GCP service account |
+| [gcp.project.iamService.serviceAccount.key](gcp.project.iamservice.serviceaccount.key.md) | GCP service account keys |
+| [gcp.project.kmsService](gcp.project.kmsservice.md) | GCP KMS resources |
+| [gcp.project.kmsService.keyring](gcp.project.kmsservice.keyring.md) | GCP KMS keyring |
+| [gcp.project.kmsService.keyring.cryptokey](gcp.project.kmsservice.keyring.cryptokey.md) | GCP KMS crypto key |
+| [gcp.project.kmsService.keyring.cryptokey.version](gcp.project.kmsservice.keyring.cryptokey.version.md) | GCP KMS crypto key version |
+| [gcp.project.kmsService.keyring.cryptokey.version.attestation](gcp.project.kmsservice.keyring.cryptokey.version.attestation.md) | GCP KMS crypto key version attestation |
+| [gcp.project.kmsService.keyring.cryptokey.version.attestation.certificatechains](gcp.project.kmsservice.keyring.cryptokey.version.attestation.certificatechains.md) | GCP KMS crypto key version attestation certificate chains |
+| [gcp.project.kmsService.keyring.cryptokey.version.externalProtectionLevelOptions](gcp.project.kmsservice.keyring.cryptokey.version.externalprotectionleveloptions.md) | GCP KMS crypto key version external protection level options |
+| [gcp.project.loggingservice](gcp.project.loggingservice.md) | GCP Logging resources |
+| [gcp.project.loggingservice.bucket](gcp.project.loggingservice.bucket.md) | GCP Logging bucket |
+| [gcp.project.loggingservice.bucket.indexConfig](gcp.project.loggingservice.bucket.indexconfig.md) | GCP Logging bucket index config |
+| [gcp.project.loggingservice.metric](gcp.project.loggingservice.metric.md) | GCP Logging metric |
+| [gcp.project.loggingservice.sink](gcp.project.loggingservice.sink.md) | GCP Logging sink |
+| [gcp.project.monitoringService](gcp.project.monitoringservice.md) | GCP monitoring resources |
+| [gcp.project.monitoringService.alertPolicy](gcp.project.monitoringservice.alertpolicy.md) | GCP monitoring alert policy |
+| [gcp.project.pubsubService](gcp.project.pubsubservice.md) | GCP Pub/Sub resources |
+| [gcp.project.pubsubService.snapshot](gcp.project.pubsubservice.snapshot.md) | GCP Pub/Sub snapshot |
+| [gcp.project.pubsubService.subscription](gcp.project.pubsubservice.subscription.md) | GCP Pub/Sub subscription |
+| [gcp.project.pubsubService.subscription.config](gcp.project.pubsubservice.subscription.config.md) | GCP Pub/Sub subscription configuration |
+| [gcp.project.pubsubService.subscription.config.pushconfig](gcp.project.pubsubservice.subscription.config.pushconfig.md) | GCP Pub/Sub configuration for subscriptions that operate in push mode |
+| [gcp.project.pubsubService.topic](gcp.project.pubsubservice.topic.md) | GCP Pub/Sub topic |
+| [gcp.project.pubsubService.topic.config](gcp.project.pubsubservice.topic.config.md) | GCP Pub/Sub topic configuration |
+| [gcp.project.pubsubService.topic.config.messagestoragepolicy](gcp.project.pubsubservice.topic.config.messagestoragepolicy.md) | GCP Pub/Sub topic message storage policy |
+| [gcp.project.sqlService](gcp.project.sqlservice.md) | GCP Cloud SQL resources |
+| [gcp.project.sqlService.instance](gcp.project.sqlservice.instance.md) | GCP Cloud SQL instance |
+| [gcp.project.sqlService.instance.database](gcp.project.sqlservice.instance.database.md) | GCP Cloud SQL instance database |
+| [gcp.project.sqlService.instance.ipMapping](gcp.project.sqlservice.instance.ipmapping.md) | GCP Cloud SQL instance IP mapping |
+| [gcp.project.sqlService.instance.settings](gcp.project.sqlservice.instance.settings.md) | GCP Cloud SQL instance settings |
+| [gcp.project.sqlService.instance.settings.backupconfiguration](gcp.project.sqlservice.instance.settings.backupconfiguration.md) | GCP Cloud SQL instance settings backup configuration |
+| [gcp.project.sqlService.instance.settings.denyMaintenancePeriod](gcp.project.sqlservice.instance.settings.denymaintenanceperiod.md) | GCP Cloud SQL instance settings deny maintenance period |
+| [gcp.project.sqlService.instance.settings.ipConfiguration](gcp.project.sqlservice.instance.settings.ipconfiguration.md) | GCP Cloud SQL instance settings IP configuration |
+| [gcp.project.sqlService.instance.settings.maintenanceWindow](gcp.project.sqlservice.instance.settings.maintenancewindow.md) | GCP Cloud SQL instance settings maintenance window |
+| [gcp.project.sqlService.instance.settings.passwordValidationPolicy](gcp.project.sqlservice.instance.settings.passwordvalidationpolicy.md) | GCP Cloud SQL instance settings password validation policy |
+| [gcp.project.storageService](gcp.project.storageservice.md) | GCP Cloud Storage |
+| [gcp.project.storageService.bucket](gcp.project.storageservice.bucket.md) | GCP Cloud Storage bucket |
+| [gcp.projects](gcp.projects.md) | GCP projects |
+| [gcp.recommendation](gcp.recommendation.md) | GCP recommendation and suggested action |
+| [gcp.resourcemanager.binding](gcp.resourcemanager.binding.md) | GCP Resource Manager binding |
+| [gcp.service](gcp.service.md) | GCP service |
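Review bot: The description for `gcp.project.computeService.image` is just "GCP Compute", which looks cut off next to neighbouring rows such as "GCP Compute firewall" and "GCP Compute instances". Casing is also inconsistent in this table: `gcp.project.loggingservice` and `gcp.project.computeService.serviceaccount` are lowercase where `gcp.project.iamService.serviceAccount` is camelCase, and the descriptions mix "Node Pool", "node pool" and "node pool-Level". If the IDs mirror the real resource names, leave them, but normalize the descriptions.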
diff --git a/docs/mql/resources/gcp-pack/gcp.accessapprovalsettings.md b/docs/mql/resources/gcp-pack/gcp.accessapprovalsettings.md
new file mode 100644
index 000000000..b7e04e030
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.accessapprovalsettings.md
@@ -0,0 +1,33 @@
+---
+title: gcp.accessApprovalSettings
+id: gcp.accessApprovalSettings
+sidebar_label: gcp.accessApprovalSettings
+displayed_sidebar: MQL
+description: GCP access approval settings
+---
+
+# gcp.accessApprovalSettings
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP access approval settings
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------------- | ---------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| resourcePath | string | Resource path |
+| notificationEmails | []string | List of email addresses to which notifications relating to approval requests should be sent |
+| enrolledServices | []dict | List of Google Cloud services for which the given resource has access approval enrolled |
+| enrolledAncestor | bool | Whether at least one service is enrolled for access approval in one or more ancestors of the project or folder (unset for organizations since organizations do not have ancestors) |
+| activeKeyVersion | string | Asymmetric crypto key version to use for signing approval requests |
+| ancestorHasActiveKeyVersion | bool | Whether an ancestor of this project or folder has set active key version (unset for organizations since organizations do not have ancestors) |
+| invalidKeyVersion | bool | Whether there is some configuration issue with the active key version configured at this level of the resource hierarchy |
+
+**References**
+
+- [Access Approval documentation](https://cloud.google.com/assured-workloads/access-approval/docs)
diff --git a/docs/mql/resources/gcp-pack/gcp.essentialcontact.md b/docs/mql/resources/gcp-pack/gcp.essentialcontact.md
new file mode 100644
index 000000000..42f3473c7
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.essentialcontact.md
@@ -0,0 +1,32 @@
+---
+title: gcp.essentialContact
+id: gcp.essentialContact
+sidebar_label: gcp.essentialContact
+displayed_sidebar: MQL
+description: GCP contact
+---
+
+# gcp.essentialContact
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP contact
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------- | ---------------- | --------------------------------------------------------------------------- |
+| resourcePath | string | Full resource path |
+| email | string | Email address to send notifications to |
+| languageTag | string | Preferred language for notifications, as a ISO 639-1 language code |
+| notificationCategories | []string | Categories of notifications that the contact will receive communication for |
+| validated | time | Last time the validation state was updated |
+| validationState | string | Validity of the contact |
+
+**References**
+
+- [Managing contacts for notifications](https://cloud.google.com/resource-manager/docs/managing-notification-contacts)
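Review bot: In the Fields table, the `languageTag` description reads "as a ISO 639-1 language code"; the article should be "an". The description "GCP contact" in the front matter and body is also vaguer than the resource name, and "GCP essential contact" would match `gcp.essentialContact`.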
diff --git a/docs/mql/resources/gcp-pack/gcp.folder.md b/docs/mql/resources/gcp-pack/gcp.folder.md
new file mode 100644
index 000000000..ff6be877a
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.folder.md
@@ -0,0 +1,34 @@
+---
+title: gcp.folder
+id: gcp.folder
+sidebar_label: gcp.folder
+displayed_sidebar: MQL
+description: GCP folder
+---
+
+# gcp.folder
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP folder
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ------------------------------- | ------------------ |
+| id | string | Folder ID |
+| name | string | Folder name |
+| created | time | Creation timestamp |
+| updated | time | Update timestamp |
+| parentId | string | Parent ID |
+| state | string | Folder state |
+| folders | [gcp.folders](gcp.folders.md) | List of folders |
+| projects | [gcp.projects](gcp.projects.md) | List of projects |
+
+**References**
+
+- [Creating and managing Folders](https://cloud.google.com/resource-manager/docs/creating-managing-folders)
diff --git a/docs/mql/resources/gcp-pack/gcp.folders.md b/docs/mql/resources/gcp-pack/gcp.folders.md
new file mode 100644
index 000000000..e7350b84c
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.folders.md
@@ -0,0 +1,33 @@
+---
+title: gcp.folders
+id: gcp.folders
+sidebar_label: gcp.folders
+displayed_sidebar: MQL
+description: GCP folders
+---
+
+# gcp.folders
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP folders
+
+**List**
+
+[]gcp.folder
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ------------------------------------- | ------------------------------------------------- |
+| parentId | string | Parent ID |
+| children | [][gcp.folder](gcp.folder.md) | List of the children folders only (non-recursive) |
+| list | [][gcp.folder](gcp.folder.md) | |
+
+**References**
+
+- [Creating and managing Folders](https://cloud.google.com/resource-manager/docs/creating-managing-folders)
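Review bot: The `list` row in the Fields table has an empty DESCRIPTION cell, so readers cannot tell how it differs from `children`, which is explicitly described as non-recursive. Add a description that states what `list` returns, including whether it is recursive.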
diff --git a/docs/mql/resources/gcp-pack/gcp.organization.md b/docs/mql/resources/gcp-pack/gcp.organization.md
new file mode 100644
index 000000000..62d03dece
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.organization.md
@@ -0,0 +1,34 @@
+---
+title: gcp.organization
+id: gcp.organization
+sidebar_label: gcp.organization
+displayed_sidebar: MQL
+description: GCP cloud organization
+---
+
+# gcp.organization
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP cloud organization
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------- | ----------------------------------------------------------------------- | -------------------------------- |
+| id | string | Organization ID |
+| name | string | Organization name |
+| state | string | Organization state |
+| lifecycleState | string | Deprecated. Use `state` instead. |
+| iamPolicy | [][gcp.resourcemanager.binding](gcp.resourcemanager.binding.md) | Organization IAM policy |
+| accessApprovalSettings | [gcp.accessApprovalSettings](gcp.accessapprovalsettings.md) | Access approval settings |
+| folders | [gcp.folders](gcp.folders.md) | List of folders |
+| projects | [gcp.projects](gcp.projects.md) | List of projects |
+
+**References**
+
+- [Resource hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.apikey.md b/docs/mql/resources/gcp-pack/gcp.project.apikey.md
new file mode 100644
index 000000000..9eadd773f
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.apikey.md
@@ -0,0 +1,36 @@
+---
+title: gcp.project.apiKey
+id: gcp.project.apiKey
+sidebar_label: gcp.project.apiKey
+displayed_sidebar: MQL
+description: GCP project API key
+---
+
+# gcp.project.apiKey
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP project API key
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | --------------------------------------------------------------------- | ------------------------------------------- |
+| id | string | The ID of the key |
+| projectId | string | Project ID |
+| name | string | Human-readable display name of this key |
+| resourcePath | string | Full resource path |
+| annotations | map[string]string | Annotations |
+| created | time | Creation timestamp |
+| deleted | time | Deletion timestamp |
+| keyString | string | Encrypted and signed value held by this key |
+| restrictions | [gcp.project.apiKey.restrictions](gcp.project.apikey.restrictions.md) | API key restrictions |
+| updated | time | Update timestamp |
+
+**References**
+
+- [API Keys Overview](https://cloud.google.com/api-keys/docs/overview)
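Review bot: The `keyString` row describes the field as "Encrypted and signed value held by this key" without saying whether a query on it returns usable key material. If it does, the description should say so, so that readers know to treat query output containing this field as a secret and keep it out of shared reports and logs.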
diff --git a/docs/mql/resources/gcp-pack/gcp.project.apikey.restrictions.md b/docs/mql/resources/gcp-pack/gcp.project.apikey.restrictions.md
new file mode 100644
index 000000000..24a7e0f40
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.apikey.restrictions.md
@@ -0,0 +1,32 @@
+---
+title: gcp.project.apiKey.restrictions
+id: gcp.project.apiKey.restrictions
+sidebar_label: gcp.project.apiKey.restrictions
+displayed_sidebar: MQL
+description: GCP project API key restrictions
+---
+
+# gcp.project.apiKey.restrictions
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP project API key restrictions
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------- | -------------- | -------------------------------------------------------------------------------- |
+| parentResourcePath | string | Parent resource path |
+| androidKeyRestrictions | dict | The Android apps that are allowed to use the key |
+| apiTargets | []dict | A restriction for a specific service and optionally one or more specific methods |
+| browserKeyRestrictions | dict | The HTTP referrers that are allowed to use the key |
+| iosKeyRestrictions | dict | The iOS apps that are allowed to use the key |
+| serverKeyRestrictions | dict | The IP addresses that are allowed to use the key |
+
+**References**
+
+- [Adding restrictions to API keys](https://cloud.google.com/api-keys/docs/add-restrictions-api-keys)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.bigqueryservice.dataset.accessentry.md b/docs/mql/resources/gcp-pack/gcp.project.bigqueryservice.dataset.accessentry.md
new file mode 100644
index 000000000..da8b3f177
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.bigqueryservice.dataset.accessentry.md
@@ -0,0 +1,34 @@
+---
+title: gcp.project.bigqueryService.dataset.accessEntry
+id: gcp.project.bigqueryService.dataset.accessEntry
+sidebar_label: gcp.project.bigqueryService.dataset.accessEntry
+displayed_sidebar: MQL
+description: GCP BigQuery dataset access entry
+---
+
+# gcp.project.bigqueryService.dataset.accessEntry
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP BigQuery dataset access entry
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | ----------------------------------------------------- |
+| id | string | Internal ID |
+| datasetId | string | Dataset ID |
+| role | string | Role of the entity |
+| entityType | string | Type of the entity |
+| entity | string | Entity (individual or group) granted access |
+| viewRef | dict | View granted access (entityType must be ViewEntity) |
+| routineRef | dict | Routine granted access (only UDF currently supported) |
+| datasetRef | dict | Resources within a dataset granted access |
+
+**References**
+
+- [Control access to resources](https://cloud.google.com/bigquery/docs/control-access-to-resources-iam)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.bigqueryservice.dataset.md b/docs/mql/resources/gcp-pack/gcp.project.bigqueryservice.dataset.md
new file mode 100644
index 000000000..c0402a9e1
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.bigqueryservice.dataset.md
@@ -0,0 +1,40 @@
+---
+title: gcp.project.bigqueryService.dataset
+id: gcp.project.bigqueryService.dataset
+sidebar_label: gcp.project.bigqueryService.dataset
+displayed_sidebar: MQL
+description: GCP BigQuery dataset
+---
+
+# gcp.project.bigqueryService.dataset
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP BigQuery dataset
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | --------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------- |
+| id | string | Dataset ID |
+| projectId | string | Project ID |
+| name | string | User-friendly name for this dataset |
+| description | string | User-friendly description of this dataset |
+| location | string | Geo location of the dataset |
+| labels | map[string]string | User-provided labels |
+| created | time | Creation timestamp |
+| modified | time | Modified timestamp |
+| tags | map[string]string | Tags associated with this dataset |
+| kmsName | string | Cloud KMS encryption key that will be used to protect BigQuery table |
+| access | [][gcp.project.bigqueryService.dataset.accessEntry](gcp.project.bigqueryservice.dataset.accessentry.md) | Access permissions |
+| tables | [][gcp.project.bigqueryService.table](gcp.project.bigqueryservice.table.md) | Returns tables in the Dataset |
+| models | [][gcp.project.bigqueryService.model](gcp.project.bigqueryservice.model.md) | Returns models in the Dataset |
+| routines | [][gcp.project.bigqueryService.routine](gcp.project.bigqueryservice.routine.md) | Returns routines in the Dataset |
+
+**References**
+
+- [Introduction to datasets](https://cloud.google.com/bigquery/docs/datasets-intro)
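Review bot: The `kmsName` row sits on the dataset resource but reads "Cloud KMS encryption key that will be used to protect BigQuery table", which names a single table; state whether this is the dataset's default key for the tables it contains. The `tables`, `models` and `routines` rows also capitalise "Dataset" where every other row uses lowercase.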
diff --git a/docs/mql/resources/gcp-pack/gcp.project.bigqueryservice.md b/docs/mql/resources/gcp-pack/gcp.project.bigqueryservice.md
new file mode 100644
index 000000000..374298572
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.bigqueryservice.md
@@ -0,0 +1,28 @@
+---
+title: gcp.project.bigqueryService
+id: gcp.project.bigqueryService
+sidebar_label: gcp.project.bigqueryService
+displayed_sidebar: MQL
+description: GCP BigQuery resources
+---
+
+# gcp.project.bigqueryService
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP BigQuery resources
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | --------------------------------------------------------------------------------------- | ------------------------- |
+| projectId | string | Project ID |
+| datasets | [][gcp.project.bigqueryService.dataset](gcp.project.bigqueryservice.dataset.md) | List of BigQuery datasets |
+
+**References**
+
+- [BigQuery documentation](https://cloud.google.com/bigquery/docs)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.bigqueryservice.model.md b/docs/mql/resources/gcp-pack/gcp.project.bigqueryservice.model.md
new file mode 100644
index 000000000..908a6bc7e
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.bigqueryservice.model.md
@@ -0,0 +1,38 @@
+---
+title: gcp.project.bigqueryService.model
+id: gcp.project.bigqueryService.model
+sidebar_label: gcp.project.bigqueryService.model
+displayed_sidebar: MQL
+description: GCP BigQuery ML model
+---
+
+# gcp.project.bigqueryService.model
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP BigQuery ML model
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ----------------- | --------------------------------------------------------------- |
+| id | string | Model ID |
+| datasetId | string | Dataset ID |
+| projectId | string | Project ID |
+| name | string | User-friendly name of the model |
+| location | string | Geographic location |
+| description | string | User-friendly description of the model |
+| labels | map[string]string | User-provided labels |
+| created | time | Creation timestamp |
+| modified | time | Modified timestamp |
+| type | string | Type of the mode |
+| expirationTime | time | Expiration time of the model |
+| kmsName | string | Cloud KMS encryption key that is used to protect BigQuery model |
+
+**References**
+
+- [Introduction to BigQuery ML](https://cloud.google.com/bigquery/docs/bqml-introduction)
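Review bot: The `type` row in the Fields table reads "Type of the mode"; this should be "Type of the model".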
diff --git a/docs/mql/resources/gcp-pack/gcp.project.bigqueryservice.routine.md b/docs/mql/resources/gcp-pack/gcp.project.bigqueryservice.routine.md
new file mode 100644
index 000000000..57994014a
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.bigqueryservice.routine.md
@@ -0,0 +1,34 @@
+---
+title: gcp.project.bigqueryService.routine
+id: gcp.project.bigqueryService.routine
+sidebar_label: gcp.project.bigqueryService.routine
+displayed_sidebar: MQL
+description: GCP BigQuery routine
+---
+
+# gcp.project.bigqueryService.routine
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP BigQuery routine
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | -------------------------------------------------- |
+| id | string | Routine ID |
+| datasetId | string | Dataset ID |
+| projectId | string | Project ID |
+| language | string | Language of the routine, such as SQL or JAVASCRIPT |
+| description | string | User-friendly description of the routine |
+| created | time | Creation timestamp |
+| modified | time | Modified timestamp |
+| type | string | Type of routine |
+
+**References**
+
+- [Manage routines](https://cloud.google.com/bigquery/docs/routines)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.bigqueryservice.table.md b/docs/mql/resources/gcp-pack/gcp.project.bigqueryservice.table.md
new file mode 100644
index 000000000..bcabd7bc7
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.bigqueryservice.table.md
@@ -0,0 +1,51 @@
+---
+title: gcp.project.bigqueryService.table
+id: gcp.project.bigqueryService.table
+sidebar_label: gcp.project.bigqueryService.table
+displayed_sidebar: MQL
+description: GCP BigQuery table
+---
+
+# gcp.project.bigqueryService.table
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP BigQuery table
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------- | ----------------- | ---------------------------------------------------------------------------------------- |
+| id | string | Table ID |
+| projectId | string | Project ID |
+| datasetId | string | Dataset ID |
+| name | string | The user-friendly name for the table |
+| location | string | Location of the table |
+| description | string | User-friendly description of the table |
+| labels | map[string]string | User-provided labels |
+| useLegacySQL | bool | Indicates if Legacy SQL is used for the view query |
+| requirePartitionFilter | bool | Indicates if queries that reference this table must specify a partition filter |
+| created | time | Creation timestamp |
+| modified | time | Modified timestamp |
+| numBytes | int | Size of the table in bytes |
+| numLongTermBytes | int | Number of bytes in the table considered "long-term storage" for reduced billing purposes |
+| numRows | int | Number of rows of data in this table |
+| type | string | Table Type |
+| expirationTime | time | Time when this table expires |
+| kmsName | string | Cloud KMS encryption key that is used to protect BigQuery table |
+| snapshotTime | time | Indicates when the base table was snapshot |
+| viewQuery | string | Query to use for a logical view |
+| clusteringFields | dict | Data clustering configuration |
+| externalDataConfig | dict | Information about table stored outside of BigQuery. |
+| materializedView | dict | Information for materialized views |
+| rangePartitioning | dict | Integer-range-based partitioning on a table |
+| timePartitioning | dict | Time-based date partitioning on a table |
+| schema | []dict | Table schema |
+
+**References**
+
+- [Introduction to tables](https://cloud.google.com/bigquery/docs/tables-intro)
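Review bot: Three descriptions in the Fields table are inconsistent with the rest: `type` is "Table Type" (capitalised, unlike "Type of routine" elsewhere), `externalDataConfig` is the only row ending in a period, and `snapshotTime` reads "Indicates when the base table was snapshot", which should be "when the snapshot of the base table was taken" or similar.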
diff --git a/docs/mql/resources/gcp-pack/gcp.project.cloudfunction.md b/docs/mql/resources/gcp-pack/gcp.project.cloudfunction.md
new file mode 100644
index 000000000..5d9841824
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.cloudfunction.md
@@ -0,0 +1,59 @@
+---
+title: gcp.project.cloudFunction
+id: gcp.project.cloudFunction
+sidebar_label: gcp.project.cloudFunction
+displayed_sidebar: MQL
+description: GCP cloud function
+---
+
+# gcp.project.cloudFunction
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP cloud function
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------- | ----------------- | ----------------------------------------------------------------------------------- |
+| projectId | string | Project ID |
+| name | string | Cloud function name |
+| description | string | Cloud function description |
+| sourceArchiveUrl | string | Location of the archive with the function's source code |
+| sourceRepository | dict | Repository reference for the function's source code |
+| sourceUploadUrl | string | Location of the upload with the function's source code |
+| httpsTrigger | dict | HTTPS endpoint of source that can be triggered via URL |
+| eventTrigger | dict | Source that fires events in response to a condition in another service |
+| status | string | Status of the function deployment |
+| entryPoint | string | Name of the function (as defined in source code) that is executed |
+| runtime | string | Runtime in which to run the function |
+| timeout | time | Function execution timeout |
+| availableMemoryMb | int | Amount of memory in MB available for a function |
+| serviceAccountEmail | string | Email of the function's service account |
+| updated | time | Update timestamp |
+| versionId | int | Version identifier of the cloud function |
+| labels | map[string]string | Labels associated with this cloud function |
+| envVars | map[string]string | Environment variables that are available during function execution |
+| buildEnvVars | map[string]string | Build environment variables that are available during build time |
+| network | string | VPC network that this cloud function can connect to |
+| maxInstances | int | Maximum number of function instances that may coexist at a given time |
+| minInstances | int | Lower bound for the number of function instances that may coexist at a given time |
+| vpcConnector | string | VPC network connector that this cloud function can connect to |
+| egressSettings | string | Egress settings for the connector controlling what traffic is diverted |
+| ingressSettings | string | Ingress settings for the function controlling what traffic can reach |
+| kmsKeyName | string | Resource name of a KMS crypto key used to encrypt/decrypt function resources |
+| buildWorkerPool | string | Name of the Cloud Build custom WorkerPool that should be used to build the function |
+| buildId | string | Cloud Build ID of the latest successful deployment of the function |
+| buildName | string | Cloud Build name of the function deployment |
+| secretEnvVars | map[string]dict | Secret environment variables |
+| secretVolumes | []dict | Secret volumes |
+| dockerRepository | string | User-managed repository created in Artifact Registry |
+| dockerRegistry | string | Docker registry to use for this deployment |
+
+**References**
+
+- [Cloud Functions](https://cloud.google.com/functions)
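Review bot: The `ingressSettings` description, "Ingress settings for the function controlling what traffic can reach", stops before its object; it should end "can reach the function" or similar. Because `ingressSettings`, `egressSettings` and `httpsTrigger` are the fields a reader uses to judge a function's network exposure, their descriptions are worth making precise; "HTTPS endpoint of source that can be triggered via URL" is also hard to parse.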
diff --git a/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.condition.md b/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.condition.md
new file mode 100644
index 000000000..ddaca8796
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.condition.md
@@ -0,0 +1,32 @@
+---
+title: gcp.project.cloudRunService.condition
+id: gcp.project.cloudRunService.condition
+sidebar_label: gcp.project.cloudRunService.condition
+displayed_sidebar: MQL
+description: GCP Cloud Run condition
+---
+
+# gcp.project.cloudRunService.condition
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud Run condition
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | ------ | ------------------------------------------------------------------ |
+| id | string | Internal ID |
+| type | string | Status of the reconciliation process |
+| state | string | Condition state |
+| message | string | Human-readable message indicating details about the current status |
+| lastTransitionTime | time | Last time the condition transitioned from one status to another |
+| severity | string | How to interpret failures of this condition |
+
+**References**
+
+- [Condition](https://cloud.google.com/run/docs/reference/rest/v1/Condition)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.container.md b/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.container.md
new file mode 100644
index 000000000..5646e993f
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.container.md
@@ -0,0 +1,38 @@
+---
+title: gcp.project.cloudRunService.container
+id: gcp.project.cloudRunService.container
+sidebar_label: gcp.project.cloudRunService.container
+displayed_sidebar: MQL
+description: GCP Cloud Run service revision template container
+---
+
+# gcp.project.cloudRunService.container
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud Run service revision template container
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | --------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
+| id | string | Internal ID |
+| name | string | Container name |
+| image | string | URL of the container image in Google Container Registry or Google Artifact Registry |
+| command | []string | Entrypoint array |
+| args | []string | Arguments to the entrypoint |
+| env | []dict | Environment variables |
+| resources | dict | Compute resource requirements by the container |
+| ports | []dict | List of ports to expose from the container |
+| volumeMounts | []dict | Volumes to mount into the container's file system |
+| workingDir | string | Container's working directory |
+| livenessProbe | [gcp.project.cloudRunService.container.probe](gcp.project.cloudrunservice.container.probe.md) | Periodic probe of container liveness |
+| startupProbe | [gcp.project.cloudRunService.container.probe](gcp.project.cloudrunservice.container.probe.md) | Startup probe of application within the container |
+
+**References**
+
+- [Container](https://cloud.google.com/run/docs/reference/rest/v1/Container)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.container.probe.md b/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.container.probe.md
new file mode 100644
index 000000000..ce7020689
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.container.probe.md
@@ -0,0 +1,33 @@
+---
+title: gcp.project.cloudRunService.container.probe
+id: gcp.project.cloudRunService.container.probe
+sidebar_label: gcp.project.cloudRunService.container.probe
+displayed_sidebar: MQL
+description: GCP Cloud Run service revision template container probe
+---
+
+# gcp.project.cloudRunService.container.probe
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud Run service revision template container probe
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------- | ------ | ------------------------------------------------------------------------------- |
+| id | string | Internal ID |
+| initialDelaySeconds | int | Number of seconds after the container has started before the probe is initiated |
+| timeoutSeconds | int | Number of seconds after which the probe times out |
+| periodSeconds | int | Number of seconds indicating how often to perform the probe |
+| failureThreshold | int | Minimum consecutive successes for the probe to be considered failed |
+| httpGet | dict | HTTP GET probe configuration |
+| tcpSocket | dict | TCP socket probe configuration |
+
+**References**
+
+- [Container](https://cloud.google.com/run/docs/reference/rest/v1/Container)
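Review bot: The `failureThreshold` row reads "Minimum consecutive successes for the probe to be considered failed", which contradicts itself; a failure threshold counts consecutive failures. Suggest "Minimum consecutive failures for the probe to be considered failed".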
diff --git a/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.job.executiontemplate.md b/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.job.executiontemplate.md
new file mode 100644
index 000000000..aab70321c
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.job.executiontemplate.md
@@ -0,0 +1,32 @@
+---
+title: gcp.project.cloudRunService.job.executionTemplate
+id: gcp.project.cloudRunService.job.executionTemplate
+sidebar_label: gcp.project.cloudRunService.job.executionTemplate
+displayed_sidebar: MQL
+description: GCP Cloud Run job execution template
+---
+
+# gcp.project.cloudRunService.job.executionTemplate
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud Run job execution template
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ----------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------- |
+| id | string | Internal ID |
+| labels | map[string]string | User-defined labels |
+| annotations | map[string]string | Unstructured key-value map that may be set by external tools to store an arbitrary metadata |
+| parallelism | int | Specifies the maximum desired number of tasks the execution should run at a given time |
+| taskCount | int | Specifies the desired number of tasks the execution should run |
+| template | [gcp.project.cloudRunService.job.executionTemplate.taskTemplate](gcp.project.cloudrunservice.job.executiontemplate.tasktemplate.md) | Describes the task that will be create when executing an execution |
+
+**References**
+
+- [Create jobs](https://cloud.google.com/run/docs/create-jobs)
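Review bot: Two grammar slips in the Fields table: the `template` row says "the task that will be create when executing an execution" (should be "created"), and the `annotations` row says "store an arbitrary metadata" (drop "an").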
diff --git a/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.job.executiontemplate.tasktemplate.md b/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.job.executiontemplate.tasktemplate.md
new file mode 100644
index 000000000..9dde76d3b
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.job.executiontemplate.tasktemplate.md
@@ -0,0 +1,37 @@
+---
+title: gcp.project.cloudRunService.job.executionTemplate.taskTemplate
+id: gcp.project.cloudRunService.job.executionTemplate.taskTemplate
+sidebar_label: gcp.project.cloudRunService.job.executionTemplate.taskTemplate
+displayed_sidebar: MQL
+description: GCP Cloud Run job execution template task template
+---
+
+# gcp.project.cloudRunService.job.executionTemplate.taskTemplate
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud Run job execution template task template
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | ------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- |
+| id | string | Internal ID |
+| projectId | string | Project ID |
+| vpcAccess | dict | VPC access configuration |
+| timeout | time | Maximum allowed time for an instance to respond to a request |
+| serviceAccountEmail | string | Email address of the IAM service account associated with the revision of the service |
+| serviceAccount | [gcp.project.iamService.serviceAccount](gcp.project.iamservice.serviceaccount.md) | IAM service account associated with the revision of the service |
+| containers | [][gcp.project.cloudRunService.container](gcp.project.cloudrunservice.container.md) | Containers for this revision |
+| volumes | []dict | List of volumes to make available to containers |
+| executionEnvironment | string | Sandbox environment to host the revision |
+| encryptionKey | string | Reference to a customer-managed encryption key to use to encrypt this container image |
+| maxRetries | int | Number of retries allowed per task |
+
+**References**
+
+- [Create jobs](https://cloud.google.com/run/docs/create-jobs)
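Review bot: Several descriptions on this job task template are worded for a Cloud Run service rather than a job: `timeout` is "Maximum allowed time for an instance to respond to a request", and `serviceAccountEmail`, `serviceAccount`, `containers` and `executionEnvironment` refer to "the revision of the service" or "this revision". Reword them in terms of the task so that readers auditing which service account a job runs as are not misled.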
diff --git a/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.job.md b/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.job.md
new file mode 100644
index 000000000..48c08589d
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.job.md
@@ -0,0 +1,48 @@
+---
+title: gcp.project.cloudRunService.job
+id: gcp.project.cloudRunService.job
+sidebar_label: gcp.project.cloudRunService.job
+displayed_sidebar: MQL
+description: GCP Cloud Run job
+---
+
+# gcp.project.cloudRunService.job
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud Run job
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | --------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| id | string | Job identifier |
+| projectId | string | Project ID |
+| region | string | Region |
+| name | string | Job name |
+| generation | int | Number that monotonically increases every time the user modifies the desired state |
+| labels | map[string]string | User-defined labels |
+| annotations | map[string]string | Unstructured key-value map that may be set by external tools to store an arbitrary metadata |
+| created | time | Creation timestamp |
+| updated | time | Update timestamp |
+| deleted | time | Deletion timestamp |
+| expired | time | Timestamp after which a deleted service will be permanently deleted |
+| creator | string | Email address of the authenticated creator |
+| lastModifier | string | Email address of the last authenticated modifier |
+| client | string | Arbitrary identifier for the API client |
+| clientVersion | string | Arbitrary version identifier for the API client |
+| launchStage | string | Launch stage |
+| template | [gcp.project.cloudRunService.job.executionTemplate](gcp.project.cloudrunservice.job.executiontemplate.md) | Template used to create executions for this job |
+| observedGeneration | int | Generation of this service currently serving traffic |
+| terminalCondition | [gcp.project.cloudRunService.condition](gcp.project.cloudrunservice.condition.md) | Conditions of this service, containing its readiness status and detailed error information in case it did not reach a serving state |
+| conditions | [][gcp.project.cloudRunService.condition](gcp.project.cloudrunservice.condition.md) | Conditions of all other associated sub-resources |
+| executionCount | int | Number of executions created for this job |
+| reconciling | bool | Whether the service is currently being acted upon by the system to bring it into the desired state |
+
+**References**
+
+- [Cloud Run Jobs](https://cloud.google.com/run/docs/overview/what-is-cloud-run#jobs)
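Review bot: Four descriptions in the job field table still talk about a service: `expired` ("a deleted service will be permanently deleted"), `observedGeneration` ("Generation of this service currently serving traffic"), `terminalCondition` ("Conditions of this service ... did not reach a serving state") and `reconciling` ("Whether the service is currently being acted upon"). This page documents gcp.project.cloudRunService.job, so these read as copied from the service page; please reword them for a job, and give `observedGeneration` wording that does not rely on "serving traffic". In `annotations`, "an arbitrary metadata" should be "arbitrary metadata".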
diff --git a/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.md b/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.md
new file mode 100644
index 000000000..5c733401e
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.md
@@ -0,0 +1,31 @@
+---
+title: gcp.project.cloudRunService
+id: gcp.project.cloudRunService
+sidebar_label: gcp.project.cloudRunService
+displayed_sidebar: MQL
+description: GCP Cloud Run resources
+---
+
+# gcp.project.cloudRunService
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud Run resources
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------------------------------------------------------------------------------------------- | ------------------------- |
+| projectId | string | Project ID |
+| regions | []string | List of available regions |
+| operations | [][gcp.project.cloudRunService.operation](gcp.project.cloudrunservice.operation.md) | List of operations |
+| services | [][gcp.project.cloudRunService.service](gcp.project.cloudrunservice.service.md) | List of services |
+| jobs | [][gcp.project.cloudRunService.job](gcp.project.cloudrunservice.job.md) | List of jobs |
+
+**References**
+
+- [What is Cloud Run](https://cloud.google.com/run/docs/overview/what-is-cloud-run)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.operation.md b/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.operation.md
new file mode 100644
index 000000000..3088c80fa
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.operation.md
@@ -0,0 +1,25 @@
+---
+title: gcp.project.cloudRunService.operation
+id: gcp.project.cloudRunService.operation
+sidebar_label: gcp.project.cloudRunService.operation
+displayed_sidebar: MQL
+description: GCP Cloud Run operation
+---
+
+# gcp.project.cloudRunService.operation
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud Run operation
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------ | ---------------------------------- |
+| projectId | string | Project ID |
+| name | string | Operation name |
+| done | bool | Whether the operation is completed |
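Review bot: This page ends at the field table with no **References** section, while the other Cloud Run pages in this patch (cloudRunService, job, service, revisionTemplate) each close with one. Either add a reference link for operations or confirm the omission is intentional so the generated pages stay consistent.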
diff --git a/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.service.md b/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.service.md
new file mode 100644
index 000000000..d16aa918c
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.service.md
@@ -0,0 +1,52 @@
+---
+title: gcp.project.cloudRunService.service
+id: gcp.project.cloudRunService.service
+sidebar_label: gcp.project.cloudRunService.service
+displayed_sidebar: MQL
+description: GCP Cloud Run service
+---
+
+# gcp.project.cloudRunService.service
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud Run service
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------- | --------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| id | string | Service identifier |
+| projectId | string | Project ID |
+| region | string | Region |
+| name | string | Service name |
+| description | string | Service description |
+| generation | int | Number that monotonically increases every time the user modifies the desired state |
+| labels | map[string]string | User-provided labels |
+| annotations | map[string]string | Unstructured key-value map that may be set by external tools to store an arbitrary metadata |
+| created | time | Creation timestamp |
+| updated | time | Update timestamp |
+| deleted | time | Deletion timestamp |
+| expired | time | Timestamp after which a deleted service will be permanently deleted |
+| creator | string | Email address of the authenticated creator |
+| lastModifier | string | Email address of the last authenticated modifier |
+| ingress | string | Ingress settings |
+| launchStage | string | Launch stage |
+| template | [gcp.project.cloudRunService.service.revisionTemplate](gcp.project.cloudrunservice.service.revisiontemplate.md) | Template used to create revisions for the service |
+| traffic | []dict | Specifies how to distribute traffic over a collection of revisions belonging to the service |
+| observedGeneration | int | Generation of this service currently serving traffic |
+| terminalCondition | [gcp.project.cloudRunService.condition](gcp.project.cloudrunservice.condition.md) | Conditions of this service, containing its readiness status and detailed error information in case it did not reach a serving state |
+| conditions | [][gcp.project.cloudRunService.condition](gcp.project.cloudrunservice.condition.md) | Conditions of all other associated sub-resources |
+| latestReadyRevision | string | Name of the latest revision that is serving traffic |
+| latestCreatedRevision | string | Name of the last created revision |
+| trafficStatuses | []dict | Detailed status information for corresponding traffic targets |
+| uri | string | Main URI in which this service is serving traffic |
+| reconciling | bool | Whether the service is currently being acted upon by the system to bring it into the desired state |
+
+**References**
+
+- [Cloud Run services](https://cloud.google.com/run/docs/resource-model#services)
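Review bot: `terminalCondition` is typed as a single gcp.project.cloudRunService.condition but described in the plural ("Conditions of this service"); the description should be singular to match the type and to distinguish it from the `conditions` row below it. `ingress` is described only as "Ingress settings", which restates the field name; since it is a plain string, say what it represents so readers can write checks against it. In `annotations`, "an arbitrary metadata" should be "arbitrary metadata".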
diff --git a/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.service.revisiontemplate.md b/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.service.revisiontemplate.md
new file mode 100644
index 000000000..2e60d68e1
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.cloudrunservice.service.revisiontemplate.md
@@ -0,0 +1,41 @@
+---
+title: gcp.project.cloudRunService.service.revisionTemplate
+id: gcp.project.cloudRunService.service.revisionTemplate
+sidebar_label: gcp.project.cloudRunService.service.revisionTemplate
+displayed_sidebar: MQL
+description: GCP Cloud Run service revision template
+---
+
+# gcp.project.cloudRunService.service.revisionTemplate
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud Run service revision template
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------------------- | ------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------- |
+| id | string | Internal ID |
+| projectId | string | Project ID |
+| name | string | Revision name |
+| labels | map[string]string | User-provided labels |
+| annotations | map[string]string | Unstructured key-value map that may be set by external tools to store an arbitrary metadata |
+| scaling | dict | Scaling settings |
+| vpcAccess | dict | VPC access configuration |
+| timeout | time | Maximum allowed time for an instance to respond to a request |
+| serviceAccountEmail | string | Email address of the IAM service account associated with the revision of the service |
+| serviceAccount | [gcp.project.iamService.serviceAccount](gcp.project.iamservice.serviceaccount.md) | IAM service account associated with the revision of the service |
+| containers | [][gcp.project.cloudRunService.container](gcp.project.cloudrunservice.container.md) | Containers for this revision |
+| volumes | []dict | List of volumes to make available to containers |
+| executionEnvironment | string | Sandbox environment to host the revision |
+| encryptionKey | string | Reference to a customer-managed encryption key to use to encrypt this container image |
+| maxInstanceRequestConcurrency | int | Maximum number of requests that each serving instance can receive |
+
+**References**
+
+- [Rollbacks, gradual rollouts, and traffic migration](https://cloud.google.com/run/docs/rollouts-rollbacks-traffic-migration)
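Review bot: The only reference on this page is "Rollbacks, gradual rollouts, and traffic migration", but none of the documented fields (`scaling`, `vpcAccess`, `serviceAccount`, `containers`, `encryptionKey`, ...) concern traffic splitting; a link that describes revisions or the revision template would match the content better. `scaling`, `vpcAccess` and `volumes` are untyped dicts with two- or three-word descriptions, so a reader cannot tell which keys to query; please name the keys or link to their definition. In `annotations`, "an arbitrary metadata" should be "arbitrary metadata".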
diff --git a/docs/mql/resources/gcp-pack/gcp.project.computeservice.address.md b/docs/mql/resources/gcp-pack/gcp.project.computeservice.address.md
new file mode 100644
index 000000000..510d52ee4
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.computeservice.address.md
@@ -0,0 +1,44 @@
+---
+title: gcp.project.computeService.address
+id: gcp.project.computeService.address
+sidebar_label: gcp.project.computeService.address
+displayed_sidebar: MQL
+description: GCP Compute address
+---
+
+# gcp.project.computeService.address
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Compute address
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | --------------------------------------------------------------------------------- | ----------------------------------------------------- |
+| id | string | Unique identifier |
+| address | string | Static IP address |
+| addressType | string | Address type |
+| created | time | Creation timestamp |
+| description | string | Address description |
+| ipVersion | string | IP version |
+| ipv6EndpointType | string | Endpoint type |
+| name | string | Address name |
+| networkUrl | string | URL of the network in which to reserve the address |
+| network | [gcp.project.computeService.network](gcp.project.computeservice.network.md) | Network in which to reserve the address |
+| networkTier | string | Network tier used for configuring this address |
+| prefixLength | int | Prefix length if the resource represents an IP range |
+| purpose | string | Address purpose |
+| regionUrl | string | Region URL |
+| status | string | Address status |
+| subnetworkUrl | string | URL of the subnetwork in which to reserve the address |
+| subnetwork | [gcp.project.computeService.subnetwork](gcp.project.computeservice.subnetwork.md) | Subnetwork in which to reserve the address |
+| resourceUrls | []string | URLs of the resources that are using this address |
+
+**References**
+
+- [IP addresses](https://cloud.google.com/compute/docs/ip-addresses)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.computeservice.attacheddisk.md b/docs/mql/resources/gcp-pack/gcp.project.computeservice.attacheddisk.md
new file mode 100644
index 000000000..9170e33a5
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.computeservice.attacheddisk.md
@@ -0,0 +1,41 @@
+---
+title: gcp.project.computeService.attachedDisk
+id: gcp.project.computeService.attachedDisk
+sidebar_label: gcp.project.computeService.attachedDisk
+displayed_sidebar: MQL
+description: GCP Compute attached disk
+---
+
+# gcp.project.computeService.attachedDisk
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Compute attached disk
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | --------------------------------------------------------------------- | --------------------------------------------------- |
+| id | string | Attached Disk ID |
+| projectId | string | Project ID |
+| architecture | string | Architecture of the attached disk |
+| autoDelete | bool | Indicates if disk will be auto-deleted |
+| boot | bool | Indicates that this is a boot disk |
+| deviceName | string | Unique device name |
+| diskSizeGb | int | Size of the disk in GB |
+| forceAttach | bool | Indicates whether to force attach the regional disk |
+| guestOsFeatures | []string | Features to enable on the guest operating |
+| index | int | Index to this disk |
+| interface | string | Disk interface |
+| licenses | []string | Publicly visible licenses |
+| mode | string | Mode in which to the disk is attached |
+| source | [gcp.project.computeService.disk](gcp.project.computeservice.disk.md) | Attached Persistent Disk resource |
+| type | string | Disk Type |
+
+**References**
+
+- [About Persistent Disk](https://cloud.google.com/compute/docs/disks/persistent-disks)
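Review bot: Two descriptions in the field table are broken sentences: `guestOsFeatures` reads "Features to enable on the guest operating" (the word after "operating" is missing) and `mode` reads "Mode in which to the disk is attached" (stray "to"). Please fix both, and consider lowercasing "Attached Disk ID" and "Disk Type" to match the sentence case used in the other rows.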
diff --git a/docs/mql/resources/gcp-pack/gcp.project.computeservice.backendservice.backend.md b/docs/mql/resources/gcp-pack/gcp.project.computeservice.backendservice.backend.md
new file mode 100644
index 000000000..e333a3e8b
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.computeservice.backendservice.backend.md
@@ -0,0 +1,39 @@
+---
+title: gcp.project.computeService.backendService.backend
+id: gcp.project.computeService.backendService.backend
+sidebar_label: gcp.project.computeService.backendService.backend
+displayed_sidebar: MQL
+description: GCP Compute backend service backend
+---
+
+# gcp.project.computeService.backendService.backend
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Compute backend service backend
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------ |
+| id | string | Internal ID |
+| balancingMode | string | How to determine whether the backend of a load balancer can handle additional traffic or is fully loaded |
+| capacityScaler | float | Multiplier applied to the backend's target capacity of its balancing mode |
+| description | string | Backend description |
+| failover | bool | Whether this is a failover backend |
+| groupUrl | string | Fully-qualified URL of an instance group or network endpoint group determining what types of backends a load balancer supports |
+| maxConnections | int | Maximum number of simultaneous connections |
+| maxConnectionsPerEndpoint | int | Maximum number of simultaneous connections per endpoint |
+| maxConnectionsPerInstance | int | Maximum number of simultaneous connections per instance |
+| maxRate | int | Maximum number of HTTP requests per second |
+| maxRatePerEndpoint | float | Maximum number for requests per second per endpoint |
+| maxRatePerInstance | float | Maximum number for requests per second per instance |
+| maxUtilization | float | Target capacity for the utilization balancing mode |
+
+**References**
+
+- [Backend services overview](https://cloud.google.com/load-balancing/docs/backend-service)
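Review bot: `maxRate` is typed `int` while `maxRatePerEndpoint` and `maxRatePerInstance` are `float`; please confirm the difference is intended, since all three describe a requests-per-second limit. The two per-endpoint and per-instance rows also say "Maximum number for requests" where the `maxRate` row says "Maximum number of HTTP requests"; use "of" consistently.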
diff --git a/docs/mql/resources/gcp-pack/gcp.project.computeservice.backendservice.cdnpolicy.md b/docs/mql/resources/gcp-pack/gcp.project.computeservice.backendservice.cdnpolicy.md
new file mode 100644
index 000000000..ec261a918
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.computeservice.backendservice.cdnpolicy.md
@@ -0,0 +1,39 @@
+---
+title: gcp.project.computeService.backendService.cdnPolicy
+id: gcp.project.computeService.backendService.cdnPolicy
+sidebar_label: gcp.project.computeService.backendService.cdnPolicy
+displayed_sidebar: MQL
+description: GCP Compute backend service CDN policy
+---
+
+# gcp.project.computeService.backendService.cdnPolicy
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Compute backend service CDN policy
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
+| id | string | Internal ID |
+| bypassCacheOnRequestHeaders | []dict | Bypass the cache when the specified request headers are matched |
+| cacheKeyPolicy | dict | Cache key policy |
+| cacheMode | string | Cache mode for all responses from this backend |
+| clientTtl | int | Client maximum TTL |
+| defaultTtl | int | Default TTL for cached content |
+| maxTtl | int | Maximum allowed TTL for cached content |
+| negativeCaching | bool | Whether negative caching allows per-status code TTLs to be set in order to apply fine-grained caching for common errors or redirects |
+| negativeCachingPolicy | []dict | Negative caching policy |
+| requestCoalescing | bool | Whether Cloud CDN combines multiple concurrent cache fill requests into a small number of requests to the origin |
+| serveWhileStale | int | Serve existing content from the cache when revalidating content with the origin |
+| signedUrlCacheMaxAgeSec | int | Maximum number of seconds the response to a signed URL request is considered fresh |
+| signedUrlKeyNames | []string | Names of the keys for signing request URLs |
+
+**References**
+
+- [Backend services overview](https://cloud.google.com/load-balancing/docs/backend-service)
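Review bot: The TTL fields (`clientTtl`, `defaultTtl`, `maxTtl`) and `serveWhileStale` are all `int` but give no unit, whereas `signedUrlCacheMaxAgeSec` states seconds. `serveWhileStale` in particular is described as a behaviour ("Serve existing content from the cache when revalidating content with the origin") rather than as the number it holds. Please state the unit and what the integer means for each of these rows.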
diff --git a/docs/mql/resources/gcp-pack/gcp.project.computeservice.backendservice.md b/docs/mql/resources/gcp-pack/gcp.project.computeservice.backendservice.md
new file mode 100644
index 000000000..3ea7a1bdf
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.computeservice.backendservice.md
@@ -0,0 +1,59 @@
+---
+title: gcp.project.computeService.backendService
+id: gcp.project.computeService.backendService
+sidebar_label: gcp.project.computeService.backendService
+displayed_sidebar: MQL
+description: GCP Compute backend service
+---
+
+# gcp.project.computeService.backendService
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Compute backend service
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------ | ------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
+| id | string | Unique identifier |
+| affinityCookieTtlSec | int | Lifetime of cookies in seconds |
+| backends | [][gcp.project.computeService.backendService.backend](gcp.project.computeservice.backendservice.backend.md) | List of backends that serve this backend service |
+| cdnPolicy | [gcp.project.computeService.backendService.cdnPolicy](gcp.project.computeservice.backendservice.cdnpolicy.md) | Cloud CDN configuration |
+| circuitBreakers | dict | Circuit breakers |
+| compressionMode | string | Compress text responses using Brotli or gzip compression, based on the client's Accept-Encoding header |
+| connectionDraining | dict | Connection draining configuration |
+| connectionTrackingPolicy | dict | Connection tracking configuration |
+| consistentHash | dict | Consistent hash-based load balancing used to provide soft session affinity based on HTTP headers, cookies or other properties |
+| created | time | Creation timestamp |
+| customRequestHeaders | []string | Headers that the load balancer adds to proxied requests |
+| customResponseHeaders | []string | Headers that the load balancer adds to proxied responses |
+| description | string | Backend service description |
+| edgeSecurityPolicy | string | Resource URL for the edge security policy associated with this backend service |
+| enableCDN | bool | Whether to enable Cloud CDN |
+| failoverPolicy | dict | Failover policy |
+| healthChecks | []string | List of URLs to the health checks |
+| iap | dict | Identity-aware proxy configuration |
+| loadBalancingScheme | string | Load balancer type |
+| localityLbPolicies | []dict | List of locality load balancing policies to be used in order of preference |
+| localityLbPolicy | string | Load balancing algorithm used within the scope of the locality |
+| logConfig | dict | Log configuration |
+| maxStreamDuration | time | Default maximum duration (timeout) for streams to this service |
+| name | string | Backend service name |
+| networkUrl | string | URL to the network to which this backend service belongs |
+| portName | string | Named port on a backend instance group representing the port for communication to the backend VMs in that group |
+| protocol | string | Protocol used for communication |
+| regionUrl | string | Region URL |
+| securityPolicyUrl | string | Security policy URL |
+| securitySettings | dict | Security settings |
+| serviceBindingUrls | []string | Service binding URLs |
+| sessionAffinity | string | Session affinity type |
+| timeoutSec | int | Backend service timeout in settings |
+
+**References**
+
+- [Backend services overview](https://cloud.google.com/load-balancing/docs/backend-service)
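Review bot: `timeoutSec` is described as "Backend service timeout in settings"; given the field name this should read "in seconds". Also, `edgeSecurityPolicy` is described as a "Resource URL" but lacks the `Url` suffix that `securityPolicyUrl`, `networkUrl` and `regionUrl` carry; if the name cannot change, make the two security policy descriptions parallel so readers see that both hold a URL string. `iap`, `logConfig` and `securitySettings` are untyped dicts with no indication of their keys, which makes them hard to use in a check.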
diff --git a/docs/mql/resources/gcp-pack/gcp.project.computeservice.disk.md b/docs/mql/resources/gcp-pack/gcp.project.computeservice.disk.md
new file mode 100644
index 000000000..a3ed59631
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.computeservice.disk.md
@@ -0,0 +1,43 @@
+---
+title: gcp.project.computeService.disk
+id: gcp.project.computeService.disk
+sidebar_label: gcp.project.computeService.disk
+displayed_sidebar: MQL
+description: GCP Compute persistent disk
+---
+
+# gcp.project.computeService.disk
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Compute persistent disk
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------- | --------------------------------------------------------------------- | ------------------------------------------ |
+| id | string | Unique identifier for the resource |
+| name | string | User-friendly name for this disk |
+| architecture | string | The architecture of the disk |
+| description | string | Optional description |
+| guestOsFeatures | []string | Features to enable on the guest operating |
+| labels | map[string]string | Labels to apply to this disk |
+| lastAttachTimestamp | time | Last attach timestamp |
+| lastDetachTimestamp | time | Last detach timestamp |
+| licenses | []string | Publicly visible licenses |
+| locationHint | string | An opaque location hint |
+| physicalBlockSizeBytes | int | Physical block size of the persistent disk |
+| provisionedIops | int | How many IOPS to provision for the disk |
+| sizeGb | int | Size, in GB, of the persistent disk |
+| status | string | The status of disk creation |
+| zone | [gcp.project.computeService.zone](gcp.project.computeservice.zone.md) | Disk zone |
+| created | time | Creation timestamp |
+| diskEncryptionKey | dict | Disk encryption key |
+
+**References**
+
+- [Storage options](https://cloud.google.com/compute/docs/disks)
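Review bot: `guestOsFeatures` has the same truncated description as on the attachedDisk page ("Features to enable on the guest operating"); the sentence is missing its last word. `diskEncryptionKey` is a `dict` described only as "Disk encryption key"; please list the keys it exposes, since this is the field readers will query to verify how a disk is encrypted. Articles are also inconsistent ("The architecture of the disk", "The status of disk creation" next to rows without a leading article).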
diff --git a/docs/mql/resources/gcp-pack/gcp.project.computeservice.firewall.md b/docs/mql/resources/gcp-pack/gcp.project.computeservice.firewall.md
new file mode 100644
index 000000000..29ff6d32c
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.computeservice.firewall.md
@@ -0,0 +1,41 @@
+---
+title: gcp.project.computeService.firewall
+id: gcp.project.computeService.firewall
+sidebar_label: gcp.project.computeService.firewall
+displayed_sidebar: MQL
+description: GCP Compute firewall
+---
+
+# gcp.project.computeService.firewall
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Compute firewall
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------- | ---------------- | ----------------------------------------------------------------------- |
+| id | string | Unique identifier |
+| projectId | string | Project ID |
+| name | string | User-provided name |
+| description | string | An optional description of this resource |
+| priority | int | Priority for this rule |
+| direction | string | Direction of traffic |
+| disabled | bool | Whether the firewall rule is disabled |
+| sourceRanges | []string | Source ranges |
+| sourceServiceAccounts | []string | Source service accounts |
+| sourceTags | []string | Source tags |
+| destinationRanges | []string | Range of destination IP addresses for which the rule applies to traffic |
+| targetServiceAccounts | []string | List of service accounts |
+| created | time | Creation timestamp |
+| allowed | []dict | List of ALLOW rules specified by this firewall |
+| denied | []dict | List of DENY rules specified by this firewall |
+
+**References**
+
+- [VPC firewall rules](https://cloud.google.com/firewall/docs/firewalls)
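Review bot: Several rows in the firewall table restate the field name instead of describing it: `sourceRanges` ("Source ranges"), `sourceServiceAccounts` ("Source service accounts"), `sourceTags` ("Source tags") and `targetServiceAccounts` ("List of service accounts"). Follow the pattern already used for `destinationRanges` and say what traffic or instances each one matches. `allowed` and `denied` are `[]dict` with no description of the entries; please document the keys of each entry, because rule audits are written against them. `direction` should also say which values it can hold.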
diff --git a/docs/mql/resources/gcp-pack/gcp.project.computeservice.forwardingrule.md b/docs/mql/resources/gcp-pack/gcp.project.computeservice.forwardingrule.md
new file mode 100644
index 000000000..f5d24b717
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.computeservice.forwardingrule.md
@@ -0,0 +1,53 @@
+---
+title: gcp.project.computeService.forwardingRule
+id: gcp.project.computeService.forwardingRule
+sidebar_label: gcp.project.computeService.forwardingRule
+displayed_sidebar: MQL
+description: GCP Compute forwarding rules
+---
+
+# gcp.project.computeService.forwardingRule
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Compute forwarding rules
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------------------- | --------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
+| id | string | Unique identifier |
+| ipAddress | string | IP address for which this forwarding rule accepts traffic |
+| ipProtocol | string | IP protocol to which this rule applies |
+| allPorts | bool | Whether to use all ports for forwarding traffic |
+| allowGlobalAccess | bool | Whether to allow access to the load balancer from all regions |
+| backendService | string | Backend service to which the forwarding rule sends traffic |
+| created | time | Creation timestamp |
+| description | string | Optional resource description |
+| ipVersion | string | IP version that this forwarding rule uses |
+| isMirroringCollector | bool | Whether this load balancer can be used as a collector for packet mirroring |
+| labels | map[string]string | User-defined labels |
+| loadBalancingScheme | string | Forwarding rule type |
+| metadataFilters | []dict | Opaque filter criteria used by the load balancer to restrict routing configuration to a limited set of xDS-compliant clients |
+| name | string | Forwarding rule name |
+| networkUrl | string | URL of the network used for internal load balancing |
+| network | [gcp.project.computeService.network](gcp.project.computeservice.network.md) | Network used for internal load balancing |
+| networkTier | string | Network tier used for configuring this load balancer |
+| noAutomateDnsZone | bool | Whether the forwarding rule should try to auto-generate a DNS zone |
+| portRange | string | Port range to forward |
+| ports | []string | Ports to forward |
+| regionUrl | string | Region URL |
+| serviceDirectoryRegistrations | []dict | Service Directory resources with which to register this forwarding rule |
+| serviceLabel | string | Optional prefix to the service name for this forwarding rule |
+| serviceName | string | Internal fully qualified service name for this forwarding rule |
+| subnetworkUrl | string | URL of the subnetwork to which the load balanced IP belongs |
+| subnetwork | [gcp.project.computeService.subnetwork](gcp.project.computeservice.subnetwork.md) | Subnetwork to which the load balanced IP belongs |
+| targetUrl | string | URL of the target resource to receive the matched traffic |
+
+**References**
+
+- [Forwarding rules overview](https://cloud.google.com/load-balancing/docs/forwarding-rule-concepts)
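Review bot: The description of `noAutomateDnsZone` has the opposite polarity to the field name: it says "Whether the forwarding rule should try to auto-generate a DNS zone", while the name indicates that `true` disables automation. Please reword it so that a reader knows what `true` means, for example by describing it as whether automatic DNS zone creation is turned off. `backendService` and `targetUrl` are both strings holding references; state whether `backendService` is a URL or a name, as is done for `networkUrl` and `subnetworkUrl`.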
diff --git a/docs/mql/resources/gcp-pack/gcp.project.computeservice.image.md b/docs/mql/resources/gcp-pack/gcp.project.computeservice.image.md
new file mode 100644
index 000000000..6dcb7977c
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.computeservice.image.md
@@ -0,0 +1,38 @@
+---
+title: gcp.project.computeService.image
+id: gcp.project.computeService.image
+sidebar_label: gcp.project.computeService.image
+displayed_sidebar: MQL
+description: GCP Compute
+---
+
+# gcp.project.computeService.image
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Compute
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ----------------- | -------------------------------------------------------------------------- |
+| id | string | Unique identifier |
+| projectId | string | Project ID |
+| name | string | Name of the resource |
+| description | string | Optional description |
+| architecture | string | Architecture of the snapshot |
+| archiveSizeBytes | int | Size of the image tar.gz archive stored in Google Cloud Storage (in bytes) |
+| diskSizeGb | int | Size of the image when restored onto a persistent disk (in GB) |
+| family | string | The name of the image family to which this image belongs |
+| licenses | []string | Public visible licenses |
+| labels | map[string]string | Snapshot Labels |
+| created | time | Creation timestamp |
+| status | string | The status of the image |
+
+**References**
+
+- [OS images](https://cloud.google.com/compute/docs/images)
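Review bot: This page describes images, but two rows refer to snapshots: `architecture` ("Architecture of the snapshot") and `labels` ("Snapshot Labels"). These look copied from a snapshot page and should say "image". The front-matter `description` and the **Description** section both read just "GCP Compute", which is incomplete compared with sibling pages such as "GCP Compute firewall"; it should name the resource. "Public visible licenses" should be "Publicly visible licenses", as on the disk pages.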
diff --git a/docs/mql/resources/gcp-pack/gcp.project.computeservice.instance.md b/docs/mql/resources/gcp-pack/gcp.project.computeservice.instance.md
new file mode 100644
index 000000000..0a5f2ab2d
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.computeservice.instance.md
@@ -0,0 +1,65 @@
+---
+title: gcp.project.computeService.instance
+id: gcp.project.computeService.instance
+sidebar_label: gcp.project.computeService.instance
+displayed_sidebar: MQL
+description: GCP Compute instances
+---
+
+# gcp.project.computeService.instance
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Compute instances
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------------- | --------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- |
+| id | string | Unique identifier for the instance |
+| projectId | string | Project ID |
+| name | string | User-friendly name for this instance |
+| description | string | User-friendly name for this instance |
+| confidentialInstanceConfig | dict | Confidential instance configuration |
+| canIpForward | bool | Whether the instance is allowed to send and receive packets with non-matching destination or source IPs |
+| cpuPlatform | string | CPU platform used by this instance |
+| created | time | Creation timestamp |
+| deletionProtection | bool | Whether the instance is protected against deletion |
+| enableDisplay | bool | Whether the instance has display enabled |
+| guestAccelerators | []dict | Attached list of accelerator cards |
+| fingerprint | string | Instance fingerprint |
+| hostname | string | Hostname of the instance |
+| keyRevocationActionType | string | KeyRevocationActionType of the instance |
+| labels | map[string]string | User-provided labels |
+| lastStartTimestamp | time | Last start timestamp |
+| lastStopTimestamp | time | Last stop timestamp |
+| lastSuspendedTimestamp | time | Last suspended timestamp |
+| metadata | map[string]string | Instance metadata |
+| minCpuPlatform | string | Minimum CPU platform for the VM instance |
+| networkInterfaces | []dict | Network configurations for the instance |
+| privateIpv6GoogleAccess | string | private IPv6 google access type for the VM |
+| reservationAffinity | dict | Reservations from which this instance can consume |
+| resourcePolicies | []string | Resource policies applied to this instance |
+| physicalHostResourceStatus | string | Resource status for physical host |
+| scheduling | dict | Scheduling options |
+| enableIntegrityMonitoring | bool | Whether Shielded Instance integrity monitoring is enabled |
+| enableSecureBoot | bool | Whether Shielded Instance secure boot is enabled |
+| enableVtpm | bool | Whether Shielded Instance vTPM is enabled |
+| startRestricted | bool | Whether VM has been restricted from starting because Compute Engine has detected suspicious activity |
+| status | string | Instance status |
+| statusMessage | string | Human-readable explanation of the status |
+| sourceMachineImage | string | Source machine image |
+| tags | []string | Tags associated with this instance |
+| totalEgressBandwidthTier | string | Network performance configuration |
+| serviceAccounts | [][gcp.project.computeService.serviceaccount](gcp.project.computeservice.serviceaccount.md) | Service accounts authorized for this instance |
+| disks | [][gcp.project.computeService.attachedDisk](gcp.project.computeservice.attacheddisk.md) | Disks associated with the instance |
+| machineType | [gcp.project.computeService.machineType](gcp.project.computeservice.machinetype.md) | Machine type |
+| zone | [gcp.project.computeService.zone](gcp.project.computeservice.zone.md) | Instance zone |
+
+**References**
+
+- [Virtual machine instances](https://cloud.google.com/compute/docs/instances)
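Review bot: In the instance Fields table, the `keyRevocationActionType` row ("KeyRevocationActionType of the instance") only restates the field name, and the `privateIpv6GoogleAccess` row starts in lower case and writes "google" where the other rows shown here start with a capital. Describe what the key revocation action type controls, and change the second description to "Private IPv6 Google access type for the VM".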
diff --git a/docs/mql/resources/gcp-pack/gcp.project.computeservice.machinetype.md b/docs/mql/resources/gcp-pack/gcp.project.computeservice.machinetype.md
new file mode 100644
index 000000000..84bf18d2e
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.computeservice.machinetype.md
@@ -0,0 +1,37 @@
+---
+title: gcp.project.computeService.machineType
+id: gcp.project.computeService.machineType
+sidebar_label: gcp.project.computeService.machineType
+displayed_sidebar: MQL
+description: GCP machine type
+---
+
+# gcp.project.computeService.machineType
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP machine type
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------------- | --------------------------------------------------------------------- | --------------------------------------------------------- |
+| id | string | Unique identifier |
+| projectId | string | Project ID |
+| name | string | Name of the resource |
+| description | string | Resource Description |
+| guestCpus | int | Number of virtual CPUs that are available to the instance |
+| isSharedCpu | bool | Whether the machine has a shared CPU |
+| maximumPersistentDisks | int | Maximum persistent disks allowed |
+| maximumPersistentDisksSizeGb | int | Maximum total persistent disks size (GB) allowed |
+| memoryMb | int | Physical memory available to the instance (MB) |
+| created | time | Creation timestamp |
+| zone | [gcp.project.computeService.zone](gcp.project.computeservice.zone.md) | The zone where the machine type resides |
+
+**References**
+
+- [Machine families resource and comparison guide](https://cloud.google.com/compute/docs/machine-resource)
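Review bot: Style point on the `description` row: it reads "Resource Description", while the region and zone pages in this same patch use "Resource description". Use sentence case here so the generated tables stay consistent.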
diff --git a/docs/mql/resources/gcp-pack/gcp.project.computeservice.md b/docs/mql/resources/gcp-pack/gcp.project.computeservice.md
new file mode 100644
index 000000000..0f6fcdaf2
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.computeservice.md
@@ -0,0 +1,41 @@
+---
+title: gcp.project.computeService
+id: gcp.project.computeService
+sidebar_label: gcp.project.computeService
+displayed_sidebar: MQL
+description: GCP Compute Engine
+---
+
+# gcp.project.computeService
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Compute Engine
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | --------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
+| projectId | string | Project ID |
+| instances | [][gcp.project.computeService.instance](gcp.project.computeservice.instance.md) | Google Compute Engine instances in a project |
+| snapshots | [][gcp.project.computeService.snapshot](gcp.project.computeservice.snapshot.md) | Google Compute Engine snapshots in a project |
+| disks | [][gcp.project.computeService.disk](gcp.project.computeservice.disk.md) | Google Compute Engine disks in a project |
+| images | [][gcp.project.computeService.image](gcp.project.computeservice.image.md) | Google Compute Engine images in a project |
+| firewalls | [][gcp.project.computeService.firewall](gcp.project.computeservice.firewall.md) | Google Compute Engine firewalls in a project |
+| networks | [][gcp.project.computeService.network](gcp.project.computeservice.network.md) | Google Compute Engine VPC network in a project |
+| subnetworks | [][gcp.project.computeService.subnetwork](gcp.project.computeservice.subnetwork.md) | Logical partition of a VPC network |
+| routers | [][gcp.project.computeService.router](gcp.project.computeservice.router.md) | Cloud Routers in a project |
+| machineTypes | [][gcp.project.computeService.machineType](gcp.project.computeservice.machinetype.md) | Google Compute Engine machine types in a project |
+| regions | [][gcp.project.computeService.region](gcp.project.computeservice.region.md) | Project regions |
+| zones | [][gcp.project.computeService.zone](gcp.project.computeservice.zone.md) | Project zones |
+| backendServices | [][gcp.project.computeService.backendService](gcp.project.computeservice.backendservice.md) | List of backend services |
+| addresses | [][gcp.project.computeService.address](gcp.project.computeservice.address.md) | List of IP addresses |
+| forwardingRules | [][gcp.project.computeService.forwardingRule](gcp.project.computeservice.forwardingrule.md) | List of forwarding rules |
+
+**References**
+
+- [Compute Engine documentation](https://cloud.google.com/compute/docs)
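Review bot: The `networks` and `subnetworks` rows are list types (`[]gcp.project.computeService.network`, `[]gcp.project.computeService.subnetwork`) but are described in the singular ("Google Compute Engine VPC network in a project", "Logical partition of a VPC network"). Match the neighbouring rows, for example "Google Compute Engine VPC networks in a project" and "Subnetworks (logical partitions of VPC networks) in a project".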
diff --git a/docs/mql/resources/gcp-pack/gcp.project.computeservice.network.md b/docs/mql/resources/gcp-pack/gcp.project.computeservice.network.md
new file mode 100644
index 000000000..17487e66f
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.computeservice.network.md
@@ -0,0 +1,41 @@
+---
+title: gcp.project.computeService.network
+id: gcp.project.computeService.network
+sidebar_label: gcp.project.computeService.network
+displayed_sidebar: MQL
+description: GCP Compute VPC network resource
+---
+
+# gcp.project.computeService.network
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Compute VPC network resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------------------- | ------------------------------------------------------------------------------------------- | --------------------------------------------------------- |
+| id | string | Unique identifier |
+| projectId | string | Project ID |
+| name | string | Name of the resource |
+| description | string | An optional description of this resource |
+| autoCreateSubnetworks | bool | If not set, indicates a legacy network |
+| enableUlaInternalIpv6 | bool | Indicates if ULA internal IPv6 is enabled on this network |
+| gatewayIPv4 | string | Gateway address for default routing |
+| mtu | int | Maximum transmission unit size in bytes |
+| networkFirewallPolicyEnforcementOrder | string | Network firewall policy enforcement order |
+| created | time | Creation timestamp |
+| peerings | []dict | Network peerings for the resource |
+| routingMode | string | The network-wide routing mode to use |
+| mode | string | Network mode: legacy, custom or auto |
+| subnetworkUrls | []string | List of URLs for the subnetwork in the network |
+| subnetworks | [][gcp.project.computeService.subnetwork](gcp.project.computeservice.subnetwork.md) | Subnetworks in the network |
+
+**References**
+
+- [Create and manage VPC networks](https://cloud.google.com/vpc/docs/create-modify-vpc-networks)
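Review bot: The `autoCreateSubnetworks` row is typed `bool` but its description ("If not set, indicates a legacy network") never says what `true` and `false` mean, and a reader cannot tell from the table how "not set" differs from `false` in a query result. State both values explicitly and point readers to the `mode` field on this page ("Network mode: legacy, custom or auto") for telling legacy networks apart.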
diff --git a/docs/mql/resources/gcp-pack/gcp.project.computeservice.region.md b/docs/mql/resources/gcp-pack/gcp.project.computeservice.region.md
new file mode 100644
index 000000000..f6d1e8f34
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.computeservice.region.md
@@ -0,0 +1,33 @@
+---
+title: gcp.project.computeService.region
+id: gcp.project.computeService.region
+sidebar_label: gcp.project.computeService.region
+displayed_sidebar: MQL
+description: GCP Compute region
+---
+
+# gcp.project.computeService.region
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Compute region
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ---------------- | ------------------------------ |
+| id | string | Unique identifier |
+| name | string | Name of the resource |
+| description | string | Resource description |
+| status | string | Status of the region |
+| created | time | Creation timestamp |
+| quotas | map[string]float | Quotas assigned to this region |
+| deprecated | dict | Deprecation status |
+
+**References**
+
+- [Regions and zones](https://cloud.google.com/compute/docs/regions-zones)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.computeservice.router.md b/docs/mql/resources/gcp-pack/gcp.project.computeservice.router.md
new file mode 100644
index 000000000..19829b729
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.computeservice.router.md
@@ -0,0 +1,34 @@
+---
+title: gcp.project.computeService.router
+id: gcp.project.computeService.router
+sidebar_label: gcp.project.computeService.router
+displayed_sidebar: MQL
+description: GCP Compute cloud router
+---
+
+# gcp.project.computeService.router
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Compute cloud router
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------------- | -------------- | --------------------------------------------------------------------- |
+| id | string | Unique identifier |
+| name | string | Name of the resource |
+| description | string | An optional description of this resource |
+| bgp | dict | BGP information |
+| bgpPeers | []dict | BGP routing stack configuration to establish BGP peering |
+| encryptedInterconnectRouter | bool | Whether a router is dedicated for use with encrypted VLAN attachments |
+| nats | []dict | NAT services created in this router |
+| created | time | Creation timestamp |
+
+**References**
+
+- [Cloud Router overview](https://cloud.google.com/network-connectivity/docs/router/concepts/overview)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.computeservice.serviceaccount.md b/docs/mql/resources/gcp-pack/gcp.project.computeservice.serviceaccount.md
new file mode 100644
index 000000000..03e0540e7
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.computeservice.serviceaccount.md
@@ -0,0 +1,28 @@
+---
+title: gcp.project.computeService.serviceaccount
+id: gcp.project.computeService.serviceaccount
+sidebar_label: gcp.project.computeService.serviceaccount
+displayed_sidebar: MQL
+description: GCP Compute service account
+---
+
+# gcp.project.computeService.serviceaccount
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Compute service account
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ---------------- | ----------------------------- |
+| email | string | Service account email address |
+| scopes | []string | Service account scopes |
+
+**References**
+
+- [Service accounts](https://cloud.google.com/compute/docs/access/service-accounts)
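Review bot: The `scopes` row ("Service account scopes") restates the field name. This resource is reached through the instance page's `serviceAccounts` field ("Service accounts authorized for this instance"), so say that these are the scopes granted to the instance for this service account; that is the context a reader auditing instance permissions needs.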
diff --git a/docs/mql/resources/gcp-pack/gcp.project.computeservice.snapshot.md b/docs/mql/resources/gcp-pack/gcp.project.computeservice.snapshot.md
new file mode 100644
index 000000000..aece4aa1f
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.computeservice.snapshot.md
@@ -0,0 +1,42 @@
+---
+title: gcp.project.computeService.snapshot
+id: gcp.project.computeService.snapshot
+sidebar_label: gcp.project.computeService.snapshot
+displayed_sidebar: MQL
+description: GCP Compute persistent disk snapshot
+---
+
+# gcp.project.computeService.snapshot
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Compute persistent disk snapshot
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | ----------------- | --------------------------------------------------------------------------------- |
+| id | string | Unique identifier |
+| name | string | Name of the resource |
+| description | string | Optional description |
+| architecture | string | Architecture of the snapshot |
+| autoCreated | bool | Indicates if snapshot was automatically created |
+| chainName | string | Snapshot chain |
+| creationSizeBytes | int | Size in bytes of the snapshot at creation time |
+| diskSizeGb | int | Size of the source disk, specified in GB |
+| downloadBytes | int | Number of bytes downloaded to restore a snapshot to a disk |
+| storageBytes | int | Size of the storage used by the snapshot |
+| storageBytesStatus | string | An indicator whether storageBytes is in a stable state or in storage reallocation |
+| snapshotType | string | Indicates the type of the snapshot |
+| licenses | []string | Public visible licenses |
+| labels | map[string]string | Snapshot Labels |
+| created | time | Creation timestamp |
+| status | string | The status of the snapshot |
+
+**References**
+
+- [About archive and standard disk snapshots](https://cloud.google.com/compute/docs/disks/snapshots)
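Review bot: Wording in two rows of the snapshot table: `licenses` reads "Public visible licenses", which should be "Publicly visible licenses", and `labels` reads "Snapshot Labels" where the rest of the table uses sentence case ("Snapshot labels").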
diff --git a/docs/mql/resources/gcp-pack/gcp.project.computeservice.subnetwork.logconfig.md b/docs/mql/resources/gcp-pack/gcp.project.computeservice.subnetwork.logconfig.md
new file mode 100644
index 000000000..7d08a0e45
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.computeservice.subnetwork.logconfig.md
@@ -0,0 +1,33 @@
+---
+title: gcp.project.computeService.subnetwork.logConfig
+id: gcp.project.computeService.subnetwork.logConfig
+sidebar_label: gcp.project.computeService.subnetwork.logConfig
+displayed_sidebar: MQL
+description: GCP Compute VPC network partitioning log configuration
+---
+
+# gcp.project.computeService.subnetwork.logConfig
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Compute VPC network partitioning log configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
+| id | string | Internal ID |
+| aggregationInterval | string | Toggles the aggregation interval for collecting flow logs |
+| enable | bool | Whether to enable flow logging for this subnetwork |
+| filterExpression | string | Which VPC flow logs are exported to Cloud Logging |
+| flowSampling | float | Sampling rate of VPC flow logs within the subnetwork (1.0 means all collected logs are reported and 0.0 means no logs are reported.) |
+| metadata | string | Whether all, none, or a subset of metadata are added to the reported VPC flow logs |
+| metadataFields | []string | Metadata fields to be added to the reported VPC flow logs |
+
+**References**
+
+- [Create and manage VPC networks](https://cloud.google.com/vpc/docs/create-modify-vpc-networks)
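Review bot: The `aggregationInterval` row is a `string` but is described as "Toggles the aggregation interval for collecting flow logs"; a string value sets an interval, it does not toggle anything, so "Aggregation interval for collecting flow logs" is more accurate. In the `flowSampling` row, move the full stop out of the parenthetical ("...no logs are reported)"). The References link is also the same general VPC networks page used for the network and subnetwork resources; a link to the VPC Flow Logs documentation would serve this page better.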
diff --git a/docs/mql/resources/gcp-pack/gcp.project.computeservice.subnetwork.md b/docs/mql/resources/gcp-pack/gcp.project.computeservice.subnetwork.md
new file mode 100644
index 000000000..73c75908d
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.computeservice.subnetwork.md
@@ -0,0 +1,48 @@
+---
+title: gcp.project.computeService.subnetwork
+id: gcp.project.computeService.subnetwork
+sidebar_label: gcp.project.computeService.subnetwork
+displayed_sidebar: MQL
+description: GCP Compute VPC network partitioning
+---
+
+# gcp.project.computeService.subnetwork
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Compute VPC network partitioning
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------------- | ----------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- |
+| id | string | Unique identifier |
+| projectId | string | Project ID |
+| name | string | Name of the resource |
+| description | string | An optional description of this resource |
+| enableFlowLogs | bool | Whether flow logging is enabled for the subnetwork |
+| externalIpv6Prefix | string | External IPv6 address range |
+| fingerprint | string | Fingerprint of this resource |
+| gatewayAddress | string | Gateway address for default routes |
+| internalIpv6Prefix | string | Internal IPv6 address range |
+| ipCidrRange | string | Range of internal addresses |
+| ipv6AccessType | string | Access type of IPv6 address |
+| ipv6CidrRange | string | Range of internal IPv6 addresses |
+| logConfig | [gcp.project.computeService.subnetwork.logConfig](gcp.project.computeservice.subnetwork.logconfig.md) | VPC flow logging configuration |
+| privateIpGoogleAccess | bool | Whether VMs in this subnet can access Google services without assigned external IP addresses |
+| privateIpv6GoogleAccess | string | VMs in this subnet that can access Google services without assigned external IPv6 addresses |
+| purpose | string | Purpose of the resource |
+| region | [gcp.project.computeService.region](gcp.project.computeservice.region.md) | Region |
+| regionUrl | string | Region URL |
+| role | string | Role of subnetwork |
+| stackType | string | Stack type for the subnet |
+| state | string | State of the subnetwork |
+| created | time | Creation timestamp |
+
+**References**
+
+- [Create and manage VPC networks](https://cloud.google.com/vpc/docs/create-modify-vpc-networks)
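Review bot: The `privateIpv6GoogleAccess` row is typed `string`, but its description ("VMs in this subnet that can access Google services without assigned external IPv6 addresses") reads as if the field returned a set of VMs. The instance page in this patch describes the same-named field as an access type; use matching wording here, for example "Private IPv6 Google access type for VMs in this subnet". Also note that `enableFlowLogs` and `logConfig.enable` both describe flow logging being on; say which one readers should query.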
diff --git a/docs/mql/resources/gcp-pack/gcp.project.computeservice.zone.md b/docs/mql/resources/gcp-pack/gcp.project.computeservice.zone.md
new file mode 100644
index 000000000..81a36c634
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.computeservice.zone.md
@@ -0,0 +1,31 @@
+---
+title: gcp.project.computeService.zone
+id: gcp.project.computeService.zone
+sidebar_label: gcp.project.computeService.zone
+displayed_sidebar: MQL
+description: GCP Compute zone
+---
+
+# gcp.project.computeService.zone
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Compute zone
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | -------------------- |
+| id | string | Unique identifier |
+| name | string | Name of the resource |
+| description | string | Resource description |
+| status | string | Status of the zone |
+| created | time | Creation timestamp |
+
+**References**
+
+- [Regions and zones](https://cloud.google.com/compute/docs/regions-zones)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.gcecluster.md b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.gcecluster.md
new file mode 100644
index 000000000..4abf90bc7
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.gcecluster.md
@@ -0,0 +1,42 @@
+---
+title: gcp.project.dataprocService.cluster.config.gceCluster
+id: gcp.project.dataprocService.cluster.config.gceCluster
+sidebar_label: gcp.project.dataprocService.cluster.config.gceCluster
+displayed_sidebar: MQL
+description: GCP Dataproc cluster endpoint config
+---
+
+# gcp.project.dataprocService.cluster.config.gceCluster
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Dataproc cluster endpoint config
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------- |
+| id | string | Internal ID |
+| projectId | string | Project ID |
+| confidentialInstance | dict | Confidential instance configuration |
+| internalIpOnly | bool | Whether the cluster has only internal IP addresses |
+| metadata | map[string]string | Compute Engine metadata entries |
+| networkUri | string | Compute Engine network to be used for machine communications |
+| nodeGroupAffinity | dict | Node group affinity for sole-tenant clusters |
+| privateIpv6GoogleAccess | string | Type of IPv6 access for the cluster |
+| reservationAffinity | [gcp.project.dataprocService.cluster.config.gceCluster.reservationAffinity](gcp.project.dataprocservice.cluster.config.gcecluster.reservationaffinity.md) | Reservation affinity for consuming zonal reservations |
+| serviceAccountEmail | string | Email of the service account used by the Dataproc cluster VM instances |
+| serviceAccount | [gcp.project.iamService.serviceAccount](gcp.project.iamservice.serviceaccount.md) | Service account used by the Dataproc cluster VM instances |
+| serviceAccountScopes | []string | URIs of service account scopes to be included in Compute Engine instances |
+| shieldedInstanceConfig | [gcp.project.dataprocService.cluster.config.gceCluster.shieldedInstanceConfig](gcp.project.dataprocservice.cluster.config.gcecluster.shieldedinstanceconfig.md) | Shielded instance config for clusters using Compute Engine Shielded VMs |
+| subnetworkUri | string | Compute Engine subnetwork to use for machine communications |
+| tags | []string | Compute Engine tags |
+| zoneUri | string | Zone where the Compute Engine cluster is located |
+
+**References**
+
+- [Create a cluster](https://cloud.google.com/dataproc/docs/guides/create-cluster)
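Review bot: The front-matter `description` and the Description section both say "GCP Dataproc cluster endpoint config", but this page documents `gceCluster`, which the parent config page describes as "Shared Compute Engine configuration". This looks like a copy-paste from an endpoint resource; change it to something like "GCP Dataproc cluster Compute Engine config" so the sidebar and search text match the resource.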
diff --git a/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.gcecluster.reservationaffinity.md b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.gcecluster.reservationaffinity.md
new file mode 100644
index 000000000..f96bfdb1c
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.gcecluster.reservationaffinity.md
@@ -0,0 +1,30 @@
+---
+title: gcp.project.dataprocService.cluster.config.gceCluster.reservationAffinity
+id: gcp.project.dataprocService.cluster.config.gceCluster.reservationAffinity
+sidebar_label: gcp.project.dataprocService.cluster.config.gceCluster.reservationAffinity
+displayed_sidebar: MQL
+description: GCP Dataproc cluster GCE cluster reservation affinity config
+---
+
+# gcp.project.dataprocService.cluster.config.gceCluster.reservationAffinity
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Dataproc cluster GCE cluster reservation affinity config
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------- | ---------------- | ----------------------------------------------------------- |
+| id | string | Internal ID |
+| consumeReservationType | string | Type of reservation to consume |
+| key | string | Corresponds to the label key of the reservation resource |
+| values | []string | Corresponds to the label values of the reservation resource |
+
+**References**
+
+- [Create a cluster](https://cloud.google.com/dataproc/docs/guides/create-cluster)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.gcecluster.shieldedinstanceconfig.md b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.gcecluster.shieldedinstanceconfig.md
new file mode 100644
index 000000000..3f2d394cd
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.gcecluster.shieldedinstanceconfig.md
@@ -0,0 +1,30 @@
+---
+title: gcp.project.dataprocService.cluster.config.gceCluster.shieldedInstanceConfig
+id: gcp.project.dataprocService.cluster.config.gceCluster.shieldedInstanceConfig
+sidebar_label: gcp.project.dataprocService.cluster.config.gceCluster.shieldedInstanceConfig
+displayed_sidebar: MQL
+description: GCP Dataproc cluster GCE cluster shielded instance config
+---
+
+# gcp.project.dataprocService.cluster.config.gceCluster.shieldedInstanceConfig
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Dataproc cluster GCE cluster shielded instance config
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------- | ------ | ------------------------------------------------------- |
+| id | string | Internal ID |
+| enableIntegrityMonitoring | bool | Whether the instances have integrity monitoring enabled |
+| enableSecureBoot | bool | Whether the instances have Secure Boot enabled |
+| enableVtpm | bool | Whether the instances have the vTPM enabled |
+
+**References**
+
+- [Create a cluster](https://cloud.google.com/dataproc/docs/guides/create-cluster)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.gkecluster.md b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.gkecluster.md
new file mode 100644
index 000000000..e29885d20
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.gkecluster.md
@@ -0,0 +1,29 @@
+---
+title: gcp.project.dataprocService.cluster.config.gkeCluster
+id: gcp.project.dataprocService.cluster.config.gkeCluster
+sidebar_label: gcp.project.dataprocService.cluster.config.gkeCluster
+displayed_sidebar: MQL
+description: GCP Dataproc cluster GKE cluster config
+---
+
+# gcp.project.dataprocService.cluster.config.gkeCluster
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Dataproc cluster GKE cluster config
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | -------------- | -------------------------------------------- |
+| id | string | Internal ID |
+| gkeClusterTarget | string | Target GKE cluster |
+| nodePoolTarget | []dict | GKE node pools where workloads are scheduled |
+
+**References**
+
+- [GKE cluster architecture](https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-architecture)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.instance.diskconfig.md b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.instance.diskconfig.md
new file mode 100644
index 000000000..3689d3db8
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.instance.diskconfig.md
@@ -0,0 +1,27 @@
+---
+title: gcp.project.dataprocService.cluster.config.instance.diskConfig
+id: gcp.project.dataprocService.cluster.config.instance.diskConfig
+sidebar_label: gcp.project.dataprocService.cluster.config.instance.diskConfig
+displayed_sidebar: MQL
+description: GCP Dataproc cluster instance disk config
+---
+
+# gcp.project.dataprocService.cluster.config.instance.diskConfig
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Dataproc cluster instance disk config
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ------ | ---------------------------- |
+| id | string | Internal ID |
+| bootDiskSizeGb | int | Size in GB of the boot disk |
+| bootDiskType | string | Type of the boot disk |
+| localSsdInterface | string | Interface type of local SSDs |
+| numLocalSsds | int | Number of attached SSDs |
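Review bot: This page ends at the Fields table and has no **References** section, unlike every sibling Dataproc page in this patch (the hunk is 27 lines against 30 or more for the others). Add the same "Create a cluster" reference or a disk-specific one. In the `numLocalSsds` row, "Number of attached SSDs" should say "local SSDs" to match the field name and the `localSsdInterface` row.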
diff --git a/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.instance.md b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.instance.md
new file mode 100644
index 000000000..dcdc76dd5
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.instance.md
@@ -0,0 +1,38 @@
+---
+title: gcp.project.dataprocService.cluster.config.instance
+id: gcp.project.dataprocService.cluster.config.instance
+sidebar_label: gcp.project.dataprocService.cluster.config.instance
+displayed_sidebar: MQL
+description: GCP Dataproc cluster instance config
+---
+
+# gcp.project.dataprocService.cluster.config.instance
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Dataproc cluster instance config
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | ----------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ |
+| id | string | Internal ID |
+| accelerators | []dict | Compute Engine accelerators |
+| diskConfig | [gcp.project.dataprocService.cluster.config.instance.diskConfig](gcp.project.dataprocservice.cluster.config.instance.diskconfig.md) | Disk options |
+| imageUri | string | Compute Engine imager resource used for cluster instances |
+| instanceNames | []string | List of instance names |
+| instanceReferences | []dict | List of references to Compute Engine instances |
+| isPreemptible | bool | Whether the instance group contains preemptible instances |
+| machineTypeUri | string | Compute Engine machine type used for cluster instances |
+| managedGroupConfig | dict | Config for Compute Engine Instance Group Manager that manages this group |
+| minCpuPlatform | string | Minimum CPU platform for the instance group |
+| numInstances | int | Number of VM instances in the instance group |
+| preemptibility | string | The preemptibility of the instance group |
+
+**References**
+
+- [Create a cluster](https://cloud.google.com/dataproc/docs/guides/create-cluster)
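Review bot: Typo in the `imageUri` row: "Compute Engine imager resource used for cluster instances" should read "image resource".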
diff --git a/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.lifecycle.md b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.lifecycle.md
new file mode 100644
index 000000000..d77d0b959
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.lifecycle.md
@@ -0,0 +1,31 @@
+---
+title: gcp.project.dataprocService.cluster.config.lifecycle
+id: gcp.project.dataprocService.cluster.config.lifecycle
+sidebar_label: gcp.project.dataprocService.cluster.config.lifecycle
+displayed_sidebar: MQL
+description: GCP Dataproc cluster lifecycle config
+---
+
+# gcp.project.dataprocService.cluster.config.lifecycle
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Dataproc cluster lifecycle config
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ------ | ----------------------------------------------- |
+| id | string | Internal ID |
+| autoDeleteTime | string | Time when the cluster will be auto-deleted |
+| autoDeleteTtl | string | Lifetime duration of the cluster |
+| idleDeleteTtl | string | Duration to keep the cluster alive while idling |
+| idleStartTime | string | Time when the cluster will be auto-resumed |
+
+**References**
+
+- [Create a cluster](https://cloud.google.com/dataproc/docs/guides/create-cluster)
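Review bot: The `idleStartTime` description ("Time when the cluster will be auto-resumed") does not match the field name or its neighbours: the other three fields are about automatic deletion, and `idleDeleteTtl` is "Duration to keep the cluster alive while idling". Check this against the Dataproc API reference; the name suggests the time at which the cluster became idle, not a resume time.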
diff --git a/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.md b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.md
new file mode 100644
index 000000000..f6e47acb5
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.config.md
@@ -0,0 +1,43 @@
+---
+title: gcp.project.dataprocService.cluster.config
+id: gcp.project.dataprocService.cluster.config
+sidebar_label: gcp.project.dataprocService.cluster.config
+displayed_sidebar: MQL
+description: GCP Dataproc cluster config
+---
+
+# gcp.project.dataprocService.cluster.config
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Dataproc cluster config
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------ |
+| parentResourcePath | string | Parent resource path |
+| autoscaling | dict | Autoscaling configuration for the policy associated with the cluster |
+| configBucket | string | Cloud Storage bucket used to stage job dependencies, config files, and job driver console output |
+| metrics | dict | Dataproc metrics configuration |
+| encryption | dict | Encryption configuration |
+| endpoint | dict | Port/endpoint configuration |
+| gceCluster | [gcp.project.dataprocService.cluster.config.gceCluster](gcp.project.dataprocservice.cluster.config.gcecluster.md) | Shared Compute Engine configuration |
+| gkeCluster | [gcp.project.dataprocService.cluster.config.gkeCluster](gcp.project.dataprocservice.cluster.config.gkecluster.md) | Kubernetes Engine config for Dataproc clusters deployed to Kubernetes |
+| initializationActions | []dict | Commands to execute on each node after config is completed |
+| lifecycle | [gcp.project.dataprocService.cluster.config.lifecycle](gcp.project.dataprocservice.cluster.config.lifecycle.md) | Lifecycle configuration |
+| master | [gcp.project.dataprocService.cluster.config.instance](gcp.project.dataprocservice.cluster.config.instance.md) | Compute Engine config for the cluster's master instance |
+| metastore | dict | Metastore configuration |
+| secondaryWorker | [gcp.project.dataprocService.cluster.config.instance](gcp.project.dataprocservice.cluster.config.instance.md) | Compute Engine configuration for the cluster's secondary worker instances |
+| security | dict | Security configuration |
+| software | dict | Cluster software configuration |
+| tempBucket | string | Cloud Storage bucket used to store ephemeral cluster and jobs data |
+| worker | [gcp.project.dataprocService.cluster.config.instance](gcp.project.dataprocservice.cluster.config.instance.md) | Compute Engine configuration for the cluster's worker instances |
+
+**References**
+
+- [Create a cluster](https://cloud.google.com/dataproc/docs/guides/create-cluster)
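Review bot: Style point in the three instance-group rows: `master` says "Compute Engine config for the cluster's master instance" while `worker` and `secondaryWorker` say "Compute Engine configuration for ...". Pick one form; the same mix of "config" and "configuration" appears in the `gkeCluster` and `gceCluster` rows.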
diff --git a/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.md b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.md
new file mode 100644
index 000000000..935c03f12
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.md
@@ -0,0 +1,35 @@
+---
+title: gcp.project.dataprocService.cluster
+id: gcp.project.dataprocService.cluster
+sidebar_label: gcp.project.dataprocService.cluster
+displayed_sidebar: MQL
+description: GCP Dataproc cluster
+---
+
+# gcp.project.dataprocService.cluster
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Dataproc cluster
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | ----------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
+| projectId | string | Project ID |
+| name | string | Cluster name |
+| uuid | string | Cluster UUID |
+| config | [gcp.project.dataprocService.cluster.config](gcp.project.dataprocservice.cluster.config.md) | Cluster configuration |
+| labels | map[string]string | Labels associated with the cluster |
+| metrics | dict | Contains cluster daemon metrics such as HDF and YARN stats |
+| status | [gcp.project.dataprocService.cluster.status](gcp.project.dataprocservice.cluster.status.md) | Cluster status |
+| statusHistory | [][gcp.project.dataprocService.cluster.status](gcp.project.dataprocservice.cluster.status.md) | Previous cluster status |
+| virtualClusterConfig | [gcp.project.dataprocService.cluster.virtualClusterConfig](gcp.project.dataprocservice.cluster.virtualclusterconfig.md) | Virtual cluster config used when creating a Dataproc cluster that does not directly control the underlying compute resources |
+
+**References**
+
+- [Create a cluster](https://cloud.google.com/dataproc/docs/guides/create-cluster)
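Review bot: In the `metrics` row of the Fields table, "HDF and YARN stats" looks like a typo for "HDFS". Suggest `Contains cluster daemon metrics such as HDFS and YARN stats`. The `statusHistory` row is typed as a list, so "Previous cluster statuses" would match the type better than the singular.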
diff --git a/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.status.md b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.status.md
new file mode 100644
index 000000000..f99525945
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.status.md
@@ -0,0 +1,31 @@
+---
+title: gcp.project.dataprocService.cluster.status
+id: gcp.project.dataprocService.cluster.status
+sidebar_label: gcp.project.dataprocService.cluster.status
+displayed_sidebar: MQL
+description: GCP Dataproc cluster status
+---
+
+# gcp.project.dataprocService.cluster.status
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Dataproc cluster status
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ------ | ----------------------------------------------------------------------- |
+| id | string | Internal ID |
+| detail | string | Details of the cluster's state |
+| state | string | Cluster's state |
+| started | time | Started timestamp |
+| substate | string | Additional state information that includes status reported by the agent |
+
+**References**
+
+- [Create a cluster](https://cloud.google.com/dataproc/docs/guides/create-cluster)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.virtualclusterconfig.md b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.virtualclusterconfig.md
new file mode 100644
index 000000000..b8faf3962
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.cluster.virtualclusterconfig.md
@@ -0,0 +1,30 @@
+---
+title: gcp.project.dataprocService.cluster.virtualClusterConfig
+id: gcp.project.dataprocService.cluster.virtualClusterConfig
+sidebar_label: gcp.project.dataprocService.cluster.virtualClusterConfig
+displayed_sidebar: MQL
+description: GCP Dataproc cluster virtual cluster config
+---
+
+# gcp.project.dataprocService.cluster.virtualClusterConfig
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Dataproc cluster virtual cluster config
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | ------ | ------------------------------------------------------------------------------------------------ |
+| parentResourcePath | string | Parent resource path |
+| auxiliaryServices | dict | Auxiliary services configuration |
+| kubernetesCluster | dict | Kubernetes cluster configuration |
+| stagingBucket | string | Cloud Storage bucket used to stage job dependencies, config files, and job driver console output |
+
+**References**
+
+- [Create a cluster](https://cloud.google.com/dataproc/docs/guides/create-cluster)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.md b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.md
new file mode 100644
index 000000000..9fc05f146
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.dataprocservice.md
@@ -0,0 +1,30 @@
+---
+title: gcp.project.dataprocService
+id: gcp.project.dataprocService
+sidebar_label: gcp.project.dataprocService
+displayed_sidebar: MQL
+description: GCP Dataproc resources
+---
+
+# gcp.project.dataprocService
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Dataproc resources
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | --------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
+| projectId | string | Project ID |
+| enabled | bool | Whether the DataProc service is enabled in the project or not |
+| regions | []string | List of available regions |
+| clusters | [][gcp.project.dataprocService.cluster](gcp.project.dataprocservice.cluster.md) | List of Dataproc clusters in the current project |
+
+**References**
+
+- [Dataproc documentation](https://cloud.google.com/dataproc/docs#docs)
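Review bot: The `enabled` row spells the product "DataProc", while the front matter, the Description and the `clusters` row in this same file use "Dataproc". Use one spelling throughout and drop the trailing "or not", for example `Whether the Dataproc service is enabled in the project`.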
diff --git a/docs/mql/resources/gcp-pack/gcp.project.dnsservice.managedzone.md b/docs/mql/resources/gcp-pack/gcp.project.dnsservice.managedzone.md
new file mode 100644
index 000000000..cff4d64c0
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.dnsservice.managedzone.md
@@ -0,0 +1,37 @@
+---
+title: gcp.project.dnsService.managedzone
+id: gcp.project.dnsService.managedzone
+sidebar_label: gcp.project.dnsService.managedzone
+displayed_sidebar: MQL
+description: Cloud DNS managed zone (a resource that represents a DNS zone hosted by the Cloud DNS service)
+---
+
+# gcp.project.dnsService.managedzone
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+Cloud DNS managed zone (a resource that represents a DNS zone hosted by the Cloud DNS service)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | --------------------------------------------------------------------------------- | -------------------------------------------------------------- |
+| id | string | Managed zone ID |
+| projectId | string | Project ID |
+| name | string | User-friendly name of the resource |
+| description | string | User-friendly description of the resource |
+| dnssecConfig | dict | DNSSEC configuration |
+| dnsName | string | DNS name of this managed zone |
+| nameServerSet | string | Optionally specifies the name server set for this managed zone |
+| nameServers | []string | Delegated to these virtual name servers |
+| visibility | string | Zone's visibility |
+| created | time | Creation timestamp |
+| recordSets | [][gcp.project.dnsService.recordset](gcp.project.dnsservice.recordset.md) | Cloud DNS record set in the zone |
+
+**References**
+
+- [DNS zones overview](https://cloud.google.com/dns/docs/zones)
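Review bot: The `nameServers` row, "Delegated to these virtual name servers", is a sentence fragment with no subject and reads oddly next to the other rows. Suggest something like "Virtual name servers to which the zone is delegated". The `visibility` and `dnssecConfig` rows only restate the field name; since both are fields a DNS security check would query, a short note on the possible values or keys would help policy authors.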
diff --git a/docs/mql/resources/gcp-pack/gcp.project.dnsservice.md b/docs/mql/resources/gcp-pack/gcp.project.dnsservice.md
new file mode 100644
index 000000000..8a227b4e8
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.dnsservice.md
@@ -0,0 +1,29 @@
+---
+title: gcp.project.dnsService
+id: gcp.project.dnsService
+sidebar_label: gcp.project.dnsService
+displayed_sidebar: MQL
+description: GCP Cloud DNS
+---
+
+# gcp.project.dnsService
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud DNS
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------------------------------------------------------------------------------------- | --------------------------------- |
+| projectId | string | Project ID |
+| managedZones | [][gcp.project.dnsService.managedzone](gcp.project.dnsservice.managedzone.md) | Cloud DNS managed zone in project |
+| policies | [][gcp.project.dnsService.policy](gcp.project.dnsservice.policy.md) | Cloud DNS rules in project |
+
+**References**
+
+- [Cloud DNS overview](https://cloud.google.com/dns/docs/overview/)
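Review bot: Both list-typed rows are described in a way that does not match the type. `managedZones` is a list but reads "Cloud DNS managed zone in project" (singular), and `policies` is described as "Cloud DNS rules" although the linked resource is gcp.project.dnsService.policy. Suggest "List of Cloud DNS managed zones in the project" and "List of Cloud DNS policies in the project".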
diff --git a/docs/mql/resources/gcp-pack/gcp.project.dnsservice.policy.md b/docs/mql/resources/gcp-pack/gcp.project.dnsservice.policy.md
new file mode 100644
index 000000000..b57f1cf03
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.dnsservice.policy.md
@@ -0,0 +1,34 @@
+---
+title: gcp.project.dnsService.policy
+id: gcp.project.dnsService.policy
+sidebar_label: gcp.project.dnsService.policy
+displayed_sidebar: MQL
+description: Cloud DNS rules applied to one or more Virtual Private Cloud resources
+---
+
+# gcp.project.dnsService.policy
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+Cloud DNS rules applied to one or more Virtual Private Cloud resources
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------------- | ------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
+| projectId | string | Project ID |
+| id | string | Managed Zone ID |
+| name | string | User-friendly name of the resource |
+| description | string | User-friendly description of the resource |
+| enableInboundForwarding | bool | Whether DNS queries sent by VMs or applications over VPN connections are allowed |
+| enableLogging | bool | Whether logging is enabled |
+| networkNames | []string | List of network names specifying networks to which this policy is applied |
+| networks | [][gcp.project.computeService.network](gcp.project.computeservice.network.md) | List of networks to which this policy is applied |
+
+**References**
+
+- [DNS policies overview](https://cloud.google.com/dns/docs/policies-overview)
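Review bot: The `id` row is described as "Managed Zone ID", but this page documents a DNS policy, not a managed zone; the text appears to be copied from gcp.project.dnsservice.managedzone.md. Suggest "Policy ID", after confirming against the resource definition. A wrong description here can mislead anyone joining policies to zones by `id` in a query.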
diff --git a/docs/mql/resources/gcp-pack/gcp.project.dnsservice.recordset.md b/docs/mql/resources/gcp-pack/gcp.project.dnsservice.recordset.md
new file mode 100644
index 000000000..7382d85c7
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.dnsservice.recordset.md
@@ -0,0 +1,32 @@
+---
+title: gcp.project.dnsService.recordset
+id: gcp.project.dnsService.recordset
+sidebar_label: gcp.project.dnsService.recordset
+displayed_sidebar: MQL
+description: Cloud DNS record set
+---
+
+# gcp.project.dnsService.recordset
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+Cloud DNS record set
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ---------------- | -------------------------------------------------------------------------- |
+| projectId | string | Project ID |
+| name | string | User-friendly name of the resource |
+| rrdatas | []string | Rrdatas: As defined in RFC 1035 (section 5) and RFC 1034 (section 3.6.1) |
+| signatureRrdatas | []string | SignatureRrdatas: As defined in RFC 4034 |
+| ttl | int | Number of seconds that this resource record set can be cached by resolvers |
+| type | string | The identifier of a supported record type |
+
+**References**
+
+- [DNS records overview](https://cloud.google.com/dns/docs/records-overview)
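Review bot: The `name` row reuses "User-friendly name of the resource" from the managed zone and policy pages, which does not fit a record set, where the name is the DNS name the records belong to. Please confirm and reword. The `rrdatas` and `signatureRrdatas` rows also start by repeating the field name ("Rrdatas: As defined in ..."); say what the field holds first, then cite the RFC, for example "Resource record data, as defined in RFC 1035 (section 5) and RFC 1034 (section 3.6.1)".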
diff --git a/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.addonsconfig.md b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.addonsconfig.md
new file mode 100644
index 000000000..4a04054b8
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.addonsconfig.md
@@ -0,0 +1,33 @@
+---
+title: gcp.project.gkeService.cluster.addonsConfig
+id: gcp.project.gkeService.cluster.addonsConfig
+sidebar_label: gcp.project.gkeService.cluster.addonsConfig
+displayed_sidebar: MQL
+description: GKE cluster addons config
+---
+
+# gcp.project.gkeService.cluster.addonsConfig
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GKE cluster addons config
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------------------- | ------ | -------------------------------------------------------------------- |
+| id | string | Internal ID |
+| httpLoadBalancing | dict | Configuration for the HTTP (L7) load balancing controller addon |
+| horizontalPodAutoscaling | dict | Configuration for the horizontal pod autoscaling feature |
+| kubernetesDashboard | dict | Configuration for the Kubernetes Dashboard |
+| networkPolicyConfig | dict | Configuration for NetworkPolicy |
+| cloudRunConfig | dict | Configuration for the Cloud Run addon |
+| dnsCacheConfig | dict | Configuration for NodeLocalDNS, a DNS cache running on cluster nodes |
+| configConnectorConfig | dict | Configuration for the ConfigConnector addon |
+| gcePersistentDiskCsiDriverConfig | dict | Configuration for the Compute Engine Persistent Disk CSI driver |
+| gcpFilestoreCsiDriverConfig | dict | Configuration for the GCP Filestore CSI driver |
+| gkeBackupAgentConfig | dict | Configuration for the backup for GKE agent addon |
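Review bot: This file ends at the Fields table with no **References** section, while the sibling resource pages added in this change each close with one. Add a References section with a link to the relevant GKE add-ons documentation so the page is consistent with the rest of the pack. Every add-on field is also typed `dict` with no indication of the keys, so a reader cannot tell from this page how to test, say, whether `kubernetesDashboard` or `networkPolicyConfig` is enabled or disabled.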
diff --git a/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.ipallocationpolicy.md b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.ipallocationpolicy.md
new file mode 100644
index 000000000..f1ea26abb
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.ipallocationpolicy.md
@@ -0,0 +1,39 @@
+---
+title: gcp.project.gkeService.cluster.ipAllocationPolicy
+id: gcp.project.gkeService.cluster.ipAllocationPolicy
+sidebar_label: gcp.project.gkeService.cluster.ipAllocationPolicy
+displayed_sidebar: MQL
+description: GKE cluster IP allocation policy
+---
+
+# gcp.project.gkeService.cluster.ipAllocationPolicy
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GKE cluster IP allocation policy
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------------- | ------ | ------------------------------------------------------------------ |
+| id | string | Internal ID |
+| useIpAliases | bool | Whether alias IPs are used for pod IPs in the cluster |
+| createSubnetwork | bool | Whether a new subnetwork is created automatically for the cluster |
+| subnetworkName | string | Custom subnetwork name to be used if createSubnetwork is true |
+| clusterSecondaryRangeName | string | Name of the secondary range to be used for the cluster CIDR block |
+| servicesSecondaryRangeName | string | Name of the secondary range to be used for the services CIDR block |
+| clusterIpv4CidrBlock | string | IP address range for the cluster pod IPs |
+| nodeIpv4CidrBlock | string | IP address range of the instance IPs in this cluster |
+| servicesIpv4CidrBlock | string | IP address range of the services IPs in this cluster |
+| tpuIpv4CidrBlock | string | IP address range of the Cloud TPUs in this cluster |
+| useRoutes | bool | Whether routes will be used for pod IPs in this cluster |
+| stackType | string | IP stack type |
+| ipv6AccessType | string | IPv6 access type |
+
+**References**
+
+- [Plan the required IP address allotment](https://cloud.google.com/kubernetes-engine/docs/best-practices/networking#plan-ip-allotment)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.md b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.md
new file mode 100644
index 000000000..5372f1b94
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.md
@@ -0,0 +1,58 @@
+---
+title: gcp.project.gkeService.cluster
+id: gcp.project.gkeService.cluster
+sidebar_label: gcp.project.gkeService.cluster
+displayed_sidebar: MQL
+description: GCP GKE cluster
+---
+
+# gcp.project.gkeService.cluster
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP GKE cluster
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------------ | --------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- |
+| projectId | string | Project ID |
+| id | string | Unique identifier for the cluster |
+| name | string | The name of the cluster |
+| description | string | Optional description for the cluster |
+| loggingService | string | The logging service the cluster should use to write logs |
+| monitoringService | string | The monitoring service the cluster should use to write metrics |
+| network | string | The name of the Google Compute Engine network to which the cluster is connected |
+| clusterIpv4Cidr | string | The IP address range of the container pods in this cluster |
+| subnetwork | string | The name of the Google Compute Engine subnetwork to which the cluster is connected |
+| nodePools | [][gcp.project.gkeService.cluster.nodepool](gcp.project.gkeservice.cluster.nodepool.md) | The list of node pools for the cluster |
+| locations | []string | The list of Google Compute Engine zones in which the cluster's nodes should be located |
+| enableKubernetesAlpha | bool | Enable Kubernetes alpha features |
+| autopilotEnabled | bool | Whether Autopilot is enabled for the cluster |
+| zone | string | Deprecated; use location instead |
+| location | string | Name of the Google Compute Engine zone/region in which the cluster exists |
+| endpoint | string | The IP address of the cluster's master endpoint |
+| initialClusterVersion | string | The initial Kubernetes version for this cluster |
+| currentMasterVersion | string | The current software version of the master endpoint |
+| status | string | The current status of this cluster |
+| resourceLabels | map[string]string | The resource labels for the cluster to use to annotate any related Google Compute Engine resources |
+| created | time | Creation time |
+| expirationTime | time | The time the cluster will be automatically deleted in |
+| addonsConfig | [gcp.project.gkeService.cluster.addonsConfig](gcp.project.gkeservice.cluster.addonsconfig.md) | Configurations for the various addons available to run in the cluster |
+| workloadIdentityConfig | dict | Configuration for the use of Kubernetes Service Accounts in GCP IAM policies |
+| ipAllocationPolicy | [gcp.project.gkeService.cluster.ipAllocationPolicy](gcp.project.gkeservice.cluster.ipallocationpolicy.md) | Configuration for cluster IP allocation |
+| networkConfig | [gcp.project.gkeService.cluster.networkConfig](gcp.project.gkeservice.cluster.networkconfig.md) | Configuration for cluster networking |
+| binaryAuthorization | dict | Binary authorization configuration |
+| legacyAbac | dict | Legacy ABAC authorization configuration |
+| masterAuth | dict | Authentication information for accessing the master endpoint |
+| masterAuthorizedNetworksConfig | dict | Master authorized networks configuration |
+| privateClusterConfig | dict | Private cluster configuration |
+| databaseEncryption | dict | Etcd encryption configuration |
+
+**References**
+
+- [About cluster configuration choices](https://cloud.google.com/kubernetes-engine/docs/concepts/types-of-clusters)
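Review bot: The `expirationTime` row ends on a dangling preposition: "The time the cluster will be automatically deleted in". Suggest "Time at which the cluster will be automatically deleted". Separately, the rows most relevant to hardening checks (`legacyAbac`, `masterAuth`, `masterAuthorizedNetworksConfig`, `privateClusterConfig`, `databaseEncryption`, `binaryAuthorization`) are all typed `dict` with one-line descriptions; a note on the keys each dict exposes, or a link to them, would make these usable without reading the provider source.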
diff --git a/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.networkconfig.md b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.networkconfig.md
new file mode 100644
index 000000000..7a7026e78
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.networkconfig.md
@@ -0,0 +1,38 @@
+---
+title: gcp.project.gkeService.cluster.networkConfig
+id: gcp.project.gkeService.cluster.networkConfig
+sidebar_label: gcp.project.gkeService.cluster.networkConfig
+displayed_sidebar: MQL
+description: GKE cluster network config
+---
+
+# gcp.project.gkeService.cluster.networkConfig
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GKE cluster network config
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------- | --------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- |
+| id | string | Internal ID |
+| networkPath | string | Relative path of the network to which the cluster is connected |
+| network | [gcp.project.computeService.network](gcp.project.computeservice.network.md) | Network to which the cluster is connected |
+| subnetworkPath | string | Relative path of the subnetwork to which the cluster is connected |
+| subnetwork | [gcp.project.computeService.subnetwork](gcp.project.computeservice.subnetwork.md) | Subnetwork to which the cluster is connected |
+| enableIntraNodeVisibility | bool | Whether intra-node visibility is enabled for this cluster |
+| defaultSnatStatus | dict | Whether the cluster disables default in-node sNAT rules |
+| enableL4IlbSubsetting | bool | Whether L4ILB subsetting is enabled for this cluster |
+| datapathProvider | string | Desired datapath provider for this cluster |
+| privateIpv6GoogleAccess | string | Desired state of IPv6 connectivity to Google Services |
+| dnsConfig | dict | Cluster DNS configuration |
+| serviceExternalIpsConfig | dict | Configuration specifying whether services with externalIPs field are blocked |
+
+**References**
+
+- [Best practices for GKE networking](https://cloud.google.com/kubernetes-engine/docs/best-practices/networking)
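Review bot: The `defaultSnatStatus` row has a type and description that disagree: the type is `dict`, but "Whether the cluster disables default in-node sNAT rules" describes a boolean. Either document it as a configuration object and name the key that carries the flag, or correct the type. The same row writes "sNAT"; "SNAT" is the usual spelling.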
diff --git a/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.accelerator.gpusharingconfig.md b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.accelerator.gpusharingconfig.md
new file mode 100644
index 000000000..47fdfbaf2
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.accelerator.gpusharingconfig.md
@@ -0,0 +1,29 @@
+---
+title: gcp.project.gkeService.cluster.nodepool.config.accelerator.gpuSharingConfig
+id: gcp.project.gkeService.cluster.nodepool.config.accelerator.gpuSharingConfig
+sidebar_label: gcp.project.gkeService.cluster.nodepool.config.accelerator.gpuSharingConfig
+displayed_sidebar: MQL
+description: GPU sharing configuration
+---
+
+# gcp.project.gkeService.cluster.nodepool.config.accelerator.gpuSharingConfig
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GPU sharing configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------- | ------ | ------------------------------------------------- |
+| id | string | Internal ID |
+| maxSharedClientsPerGpu | int | The max number of containers that can share a GPU |
+| strategy | string | The GPU sharing strategy |
+
+**References**
+
+- [Run GPUs in GKE Standard node pools](https://cloud.google.com/kubernetes-engine/docs/how-to/gpus)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.accelerator.md b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.accelerator.md
new file mode 100644
index 000000000..e481e3d91
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.accelerator.md
@@ -0,0 +1,31 @@
+---
+title: gcp.project.gkeService.cluster.nodepool.config.accelerator
+id: gcp.project.gkeService.cluster.nodepool.config.accelerator
+sidebar_label: gcp.project.gkeService.cluster.nodepool.config.accelerator
+displayed_sidebar: MQL
+description: GCP GKE node pool hardware accelerators configuration
+---
+
+# gcp.project.gkeService.cluster.nodepool.config.accelerator
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP GKE node pool hardware accelerators configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- |
+| id | string | Internal ID |
+| count | int | The number of the accelerator cards exposed to an instance |
+| type | string | The accelerator type resource name |
+| gpuPartitionSize | string | Size of partitions to create on the GPU |
+| gpuSharingConfig | [gcp.project.gkeService.cluster.nodepool.config.accelerator.gpuSharingConfig](gcp.project.gkeservice.cluster.nodepool.config.accelerator.gpusharingconfig.md) | The configuration for GPU sharing |
+
+**References**
+
+- [Run GPUs in GKE Standard node pools](https://cloud.google.com/kubernetes-engine/docs/how-to/gpus)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.advancedmachinefeatures.md b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.advancedmachinefeatures.md
new file mode 100644
index 000000000..0f945b2b0
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.advancedmachinefeatures.md
@@ -0,0 +1,28 @@
+---
+title: gcp.project.gkeService.cluster.nodepool.config.advancedMachineFeatures
+id: gcp.project.gkeService.cluster.nodepool.config.advancedMachineFeatures
+sidebar_label: gcp.project.gkeService.cluster.nodepool.config.advancedMachineFeatures
+displayed_sidebar: MQL
+description: GCP GKE node pool advanced machine features configuration
+---
+
+# gcp.project.gkeService.cluster.nodepool.config.advancedMachineFeatures
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP GKE node pool advanced machine features configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------ |
+| id | string | Internal ID |
+| threadsPerCore | int | Number of threads per physical core (if unset, assumes the maximum number of threads supported per core by the underlying processor) |
+
+**References**
+
+- [Add and manage node pools](https://cloud.google.com/kubernetes-engine/docs/how-to/node-pools)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.confidentialnodes.md b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.confidentialnodes.md
new file mode 100644
index 000000000..df2868bfe
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.confidentialnodes.md
@@ -0,0 +1,28 @@
+---
+title: gcp.project.gkeService.cluster.nodepool.config.confidentialNodes
+id: gcp.project.gkeService.cluster.nodepool.config.confidentialNodes
+sidebar_label: gcp.project.gkeService.cluster.nodepool.config.confidentialNodes
+displayed_sidebar: MQL
+description: GCP GKE node pool confidential nodes configuration
+---
+
+# gcp.project.gkeService.cluster.nodepool.config.confidentialNodes
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP GKE node pool confidential nodes configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ------ | --------------------------------- |
+| id | string | Internal ID |
+| enabled | bool | Whether to use confidential nodes |
+
+**References**
+
+- [Add and manage node pools](https://cloud.google.com/kubernetes-engine/docs/how-to/node-pools)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.gcfsconfig.md b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.gcfsconfig.md
new file mode 100644
index 000000000..459b861d2
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.gcfsconfig.md
@@ -0,0 +1,28 @@
+---
+title: gcp.project.gkeService.cluster.nodepool.config.gcfsConfig
+id: gcp.project.gkeService.cluster.nodepool.config.gcfsConfig
+sidebar_label: gcp.project.gkeService.cluster.nodepool.config.gcfsConfig
+displayed_sidebar: MQL
+description: GCP GKE node pool GCFS configuration
+---
+
+# gcp.project.gkeService.cluster.nodepool.config.gcfsConfig
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP GKE node pool GCFS configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ------ | ------------------- |
+| id | string | Internal ID |
+| enabled | bool | Whether to use GCFS |
+
+**References**
+
+- [Add and manage node pools](https://cloud.google.com/kubernetes-engine/docs/how-to/node-pools)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.gvnicconfig.md b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.gvnicconfig.md
new file mode 100644
index 000000000..2f7632522
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.gvnicconfig.md
@@ -0,0 +1,28 @@
+---
+title: gcp.project.gkeService.cluster.nodepool.config.gvnicConfig
+id: gcp.project.gkeService.cluster.nodepool.config.gvnicConfig
+sidebar_label: gcp.project.gkeService.cluster.nodepool.config.gvnicConfig
+displayed_sidebar: MQL
+description: GCP GKE node pool gVNIC configuration
+---
+
+# gcp.project.gkeService.cluster.nodepool.config.gvnicConfig
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP GKE node pool gVNIC configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ------ | -------------------- |
+| id | string | Internal ID |
+| enabled | bool | Whether to use gVNIC |
+
+**References**
+
+- [Add and manage node pools](https://cloud.google.com/kubernetes-engine/docs/how-to/node-pools)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.kubeletconfig.md b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.kubeletconfig.md
new file mode 100644
index 000000000..7307af7b5
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.kubeletconfig.md
@@ -0,0 +1,30 @@
+---
+title: gcp.project.gkeService.cluster.nodepool.config.kubeletConfig
+id: gcp.project.gkeService.cluster.nodepool.config.kubeletConfig
+sidebar_label: gcp.project.gkeService.cluster.nodepool.config.kubeletConfig
+displayed_sidebar: MQL
+description: GCP GKE Node Pool kubelet configuration
+---
+
+# gcp.project.gkeService.cluster.nodepool.config.kubeletConfig
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP GKE Node Pool kubelet configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ------ | ------------------------------------------------------ |
+| id | string | Internal ID |
+| cpuManagerPolicy | string | Control the CPU management policy on the node |
+| cpuCfsQuotaPeriod | string | Set the CPU CFS quota period value 'cpu.cfs_period_us' |
+| podPidsLimit | int | Set the Pod PID limits |
+
+**References**
+
+- [Add and manage node pools](https://cloud.google.com/kubernetes-engine/docs/how-to/node-pools)
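Review bot: The front matter `description` and the Description paragraph capitalize "Node Pool", while the other nodepool.config pages in this change write "node pool"; use the lowercase form here too. The field descriptions are also phrased as imperatives ("Control the CPU management policy", "Set the CPU CFS quota period value", "Set the Pod PID limits"), which reads like setter documentation. These are values returned by a query, so describe what the field contains, for example "CPU management policy on the node" and "Pod PID limit".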
diff --git a/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.linuxnodeconfig.md b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.linuxnodeconfig.md
new file mode 100644
index 000000000..24b8634ac
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.linuxnodeconfig.md
@@ -0,0 +1,28 @@
+---
+title: gcp.project.gkeService.cluster.nodepool.config.linuxNodeConfig
+id: gcp.project.gkeService.cluster.nodepool.config.linuxNodeConfig
+sidebar_label: gcp.project.gkeService.cluster.nodepool.config.linuxNodeConfig
+displayed_sidebar: MQL
+description: GCP GKE node pool parameters that can be configured on Linux nodes
+---
+
+# gcp.project.gkeService.cluster.nodepool.config.linuxNodeConfig
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP GKE node pool parameters that can be configured on Linux nodes
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ----------------- | ------------------------------------------------------------------------------ |
+| id | string | Internal ID |
+| sysctls | map[string]string | The Linux kernel parameters to apply to the nodes and all pods running on them |
+
+**References**
+
+- [Add and manage node pools](https://cloud.google.com/kubernetes-engine/docs/how-to/node-pools)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.md b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.md
new file mode 100644
index 000000000..72d3c12e4
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.md
@@ -0,0 +1,54 @@
+---
+title: gcp.project.gkeService.cluster.nodepool.config
+id: gcp.project.gkeService.cluster.nodepool.config
+sidebar_label: gcp.project.gkeService.cluster.nodepool.config
+displayed_sidebar: MQL
+description: GCP GKE node pool configuration
+---
+
+# gcp.project.gkeService.cluster.nodepool.config
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP GKE node pool configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ |
+| id | string | Internal ID |
+| projectId | string | Project ID |
+| machineType | string | The name of a Google Compute Engine machine type |
+| diskSizeGb | int | Size of the disk attached to each node, specified in GB |
+| oauthScopes | []string | The set of Google API scopes to be made available on all of the node VMs under the "default" service account |
+| serviceAccountEmail | string | Email of the Google Cloud Platform Service Account to be used by the node VMs |
+| serviceAccount | [gcp.project.iamService.serviceAccount](gcp.project.iamservice.serviceaccount.md) | Google Cloud Platform Service Account to be used by the node VMs |
+| metadata | map[string]string | The metadata key/value pairs assigned to instances in the cluster |
+| imageType | string | The image type to use for this node |
+| labels | map[string]string | The map of Kubernetes labels to be applied to each node |
+| localSsdCount | int | The number of local SSD disks to be attached to the node |
+| tags | []string | The list of instance tags applied to all nodes |
+| preemptible | bool | Whether the nodes are created as preemptible VM instances. |
+| accelerators | [][gcp.project.gkeService.cluster.nodepool.config.accelerator](gcp.project.gkeservice.cluster.nodepool.config.accelerator.md) | A list of hardware accelerators to attach to each node |
+| diskType | string | Type of the disk attached to each node |
+| minCpuPlatform | string | Minimum CPU platform to be used by this instance |
+| workloadMetadataMode | string | The workload metadata mode for this node |
+| taints | [][gcp.project.gkeService.cluster.nodepool.config.nodeTaint](gcp.project.gkeservice.cluster.nodepool.config.nodetaint.md) | List of Kubernetes taints to be applied to each node |
+| sandboxConfig | [gcp.project.gkeService.cluster.nodepool.config.sandboxConfig](gcp.project.gkeservice.cluster.nodepool.config.sandboxconfig.md) | Sandbox configuration for this node |
+| shieldedInstanceConfig | [gcp.project.gkeService.cluster.nodepool.config.shieldedInstanceConfig](gcp.project.gkeservice.cluster.nodepool.config.shieldedinstanceconfig.md) | Shielded instance configuration |
+| linuxNodeConfig | [gcp.project.gkeService.cluster.nodepool.config.linuxNodeConfig](gcp.project.gkeservice.cluster.nodepool.config.linuxnodeconfig.md) | Parameters that can be configured on Linux nodes |
+| kubeletConfig | [gcp.project.gkeService.cluster.nodepool.config.kubeletConfig](gcp.project.gkeservice.cluster.nodepool.config.kubeletconfig.md) | Node kubelet configs |
+| bootDiskKmsKey | string | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node |
+| gcfsConfig | [gcp.project.gkeService.cluster.nodepool.config.gcfsConfig](gcp.project.gkeservice.cluster.nodepool.config.gcfsconfig.md) | Google Container File System (image streaming) configuration |
+| advancedMachineFeatures | [gcp.project.gkeService.cluster.nodepool.config.advancedMachineFeatures](gcp.project.gkeservice.cluster.nodepool.config.advancedmachinefeatures.md) | Advanced features for the Compute Engine VM |
+| gvnicConfig | [gcp.project.gkeService.cluster.nodepool.config.gvnicConfig](gcp.project.gkeservice.cluster.nodepool.config.gvnicconfig.md) | gVNIC configuration |
+| spot | bool | Spot flag for enabling Spot VM, which is a rebrand of the existing preemptible flag |
+| confidentialNodes | [gcp.project.gkeService.cluster.nodepool.config.confidentialNodes](gcp.project.gkeservice.cluster.nodepool.config.confidentialnodes.md) | Confidential nodes configuration |
+
+**References**
+
+- [About node pools](https://cloud.google.com/kubernetes-engine/docs/concepts/node-pools)
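Review bot: In the Fields table, the `preemptible` row is the only description that ends with a period, and the `kubeletConfig` row says "Node kubelet configs" while the linked page calls it "kubelet configuration"; align both with the rest of the table. The `spot` description ("which is a rebrand of the existing preemptible flag") explains naming history rather than the value; say what a true value means, as the `preemptible` row does.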
diff --git a/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.nodetaint.md b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.nodetaint.md
new file mode 100644
index 000000000..7b6725aa9
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.nodetaint.md
@@ -0,0 +1,26 @@
+---
+title: gcp.project.gkeService.cluster.nodepool.config.nodeTaint
+id: gcp.project.gkeService.cluster.nodepool.config.nodeTaint
+sidebar_label: gcp.project.gkeService.cluster.nodepool.config.nodeTaint
+displayed_sidebar: MQL
+description: GCP GKE Kubernetes node taint
+---
+
+# gcp.project.gkeService.cluster.nodepool.config.nodeTaint
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP GKE Kubernetes node taint
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ------ | -------------------- |
+| id | string | Internal ID |
+| key | string | Key for the taint |
+| value | string | Value for the taint |
+| effect | string | Effect for the taint |
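Review bot: This page ends at the Fields table with no **References** section, unlike the other node pool config pages in this patch; add one. The `effect` row ("Effect for the taint") only restates the field name, so say which effect values can be returned.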
diff --git a/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.sandboxconfig.md b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.sandboxconfig.md
new file mode 100644
index 000000000..72be042c3
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.sandboxconfig.md
@@ -0,0 +1,28 @@
+---
+title: gcp.project.gkeService.cluster.nodepool.config.sandboxConfig
+id: gcp.project.gkeService.cluster.nodepool.config.sandboxConfig
+sidebar_label: gcp.project.gkeService.cluster.nodepool.config.sandboxConfig
+displayed_sidebar: MQL
+description: GCP GKE node pool sandbox configuration
+---
+
+# gcp.project.gkeService.cluster.nodepool.config.sandboxConfig
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP GKE node pool sandbox configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | ------ | ---------------------------------------- |
+| id | string | Internal ID |
+| type | string | Type of the sandbox to use for this node |
+
+**References**
+
+- [Add and manage node pools](https://cloud.google.com/kubernetes-engine/docs/how-to/node-pools)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.shieldedinstanceconfig.md b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.shieldedinstanceconfig.md
new file mode 100644
index 000000000..f27936cd8
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.config.shieldedinstanceconfig.md
@@ -0,0 +1,29 @@
+---
+title: gcp.project.gkeService.cluster.nodepool.config.shieldedInstanceConfig
+id: gcp.project.gkeService.cluster.nodepool.config.shieldedInstanceConfig
+sidebar_label: gcp.project.gkeService.cluster.nodepool.config.shieldedInstanceConfig
+displayed_sidebar: MQL
+description: GCP GKE node pool shielded instance configuration
+---
+
+# gcp.project.gkeService.cluster.nodepool.config.shieldedInstanceConfig
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP GKE node pool shielded instance configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------- | ------ | ----------------------------------------------------- |
+| id | string | Internal ID |
+| enableSecureBoot | bool | Whether the instance has Secure Boot enabled |
+| enableIntegrityMonitoring | bool | Whether the instance has integrity monitoring enabled |
+
+**References**
+
+- [Add and manage node pools](https://cloud.google.com/kubernetes-engine/docs/how-to/node-pools)
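Review bot: The **References** link is the generic "Add and manage node pools" how-to, the same link used on the sandbox, kubelet and Linux node config pages, and it does not explain Secure Boot or integrity monitoring. Link the documentation for shielded nodes here so a reader auditing `enableSecureBoot` and `enableIntegrityMonitoring` can find what each setting protects.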
diff --git a/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.md b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.md
new file mode 100644
index 000000000..e7e3acbaf
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.md
@@ -0,0 +1,36 @@
+---
+title: gcp.project.gkeService.cluster.nodepool
+id: gcp.project.gkeService.cluster.nodepool
+sidebar_label: gcp.project.gkeService.cluster.nodepool
+displayed_sidebar: MQL
+description: GKE cluster node pool
+---
+
+# gcp.project.gkeService.cluster.nodepool
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GKE cluster node pool
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ----------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- |
+| id | string | Internal ID |
+| name | string | The name of the node pool |
+| config | [gcp.project.gkeService.cluster.nodepool.config](gcp.project.gkeservice.cluster.nodepool.config.md) | The node configuration of the pool |
+| initialNodeCount | int | The initial node count for the pool |
+| locations | []string | The list of Google Compute Engine zones in which the NodePool's nodes should be located |
+| networkConfig | [gcp.project.gkeService.cluster.nodepool.networkConfig](gcp.project.gkeservice.cluster.nodepool.networkconfig.md) | Networking configuration for this node pool |
+| version | string | The Kubernetes version |
+| instanceGroupUrls | []string | The resource URLs of the managed instance groups associated with this node pool |
+| status | string | The current status of this node pool |
+| management | dict | Node management configuration |
+
+**References**
+
+- [About node pools](https://cloud.google.com/kubernetes-engine/docs/concepts/node-pools)
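Review bot: The `management` row is typed `dict` and described only as "Node management configuration", so a reader cannot tell which keys to query; list the keys or link to where they are documented. In the `locations` row, "NodePool's" should read "node pool's" to match the rest of the page.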
diff --git a/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.networkconfig.md b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.networkconfig.md
new file mode 100644
index 000000000..c87b55c6c
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.networkconfig.md
@@ -0,0 +1,30 @@
+---
+title: gcp.project.gkeService.cluster.nodepool.networkConfig
+id: gcp.project.gkeService.cluster.nodepool.networkConfig
+sidebar_label: gcp.project.gkeService.cluster.nodepool.networkConfig
+displayed_sidebar: MQL
+description: GCP GKE node pool-Level network configuration
+---
+
+# gcp.project.gkeService.cluster.nodepool.networkConfig
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP GKE node pool-Level network configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- |
+| id | string | Internal ID |
+| podRange | string | The ID of the secondary range for pod IPs |
+| podIpv4CidrBlock | string | The IP address range for pod IPs in this node pool |
+| performanceConfig | [gcp.project.gkeService.cluster.nodepool.networkConfig.performanceConfig](gcp.project.gkeservice.cluster.nodepool.networkconfig.performanceconfig.md) | Network performance tier configuration |
+
+**References**
+
+- [Add and manage node pools](https://cloud.google.com/kubernetes-engine/docs/how-to/node-pools)
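Review bot: "node pool-Level" has a stray capital in both the front-matter `description` and the Description body; use "node pool-level network configuration" in both places.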
diff --git a/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.networkconfig.performanceconfig.md b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.networkconfig.performanceconfig.md
new file mode 100644
index 000000000..fa7faadb6
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.cluster.nodepool.networkconfig.performanceconfig.md
@@ -0,0 +1,28 @@
+---
+title: gcp.project.gkeService.cluster.nodepool.networkConfig.performanceConfig
+id: gcp.project.gkeService.cluster.nodepool.networkConfig.performanceConfig
+sidebar_label: gcp.project.gkeService.cluster.nodepool.networkConfig.performanceConfig
+displayed_sidebar: MQL
+description: GCP GKE node pool network performance configuration
+---
+
+# gcp.project.gkeService.cluster.nodepool.networkConfig.performanceConfig
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP GKE node pool network performance configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------ | ------ | ------------------------------------------------------------ |
+| id | string | Internal ID |
+| totalEgressBandwidthTier | string | Specifies the total network bandwidth tier for the node pool |
+
+**References**
+
+- [Add and manage node pools](https://cloud.google.com/kubernetes-engine/docs/how-to/node-pools)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.gkeservice.md b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.md
new file mode 100644
index 000000000..1ba540a39
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.gkeservice.md
@@ -0,0 +1,28 @@
+---
+title: gcp.project.gkeService
+id: gcp.project.gkeService
+sidebar_label: gcp.project.gkeService
+displayed_sidebar: MQL
+description: GCP GKE
+---
+
+# gcp.project.gkeService
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP GKE
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ----------------------------------------------------------------------------- | ------------------------------------------- |
+| projectId | string | Project ID |
+| clusters | [][gcp.project.gkeService.cluster](gcp.project.gkeservice.cluster.md) | List of GKE clusters in the current project |
+
+**References**
+
+- [GKE overview](https://cloud.google.com/kubernetes-engine/docs/concepts/kubernetes-engine-overview)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.iamservice.md b/docs/mql/resources/gcp-pack/gcp.project.iamservice.md
new file mode 100644
index 000000000..9c5dbb619
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.iamservice.md
@@ -0,0 +1,28 @@
+---
+title: gcp.project.iamService
+id: gcp.project.iamService
+sidebar_label: gcp.project.iamService
+displayed_sidebar: MQL
+description: GCP IAM resources
+---
+
+# gcp.project.iamService
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP IAM resources
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ------------------------------------------------------------------------------------------- | ------------------------ |
+| projectId | string | Project ID |
+| serviceAccounts | [][gcp.project.iamService.serviceAccount](gcp.project.iamservice.serviceaccount.md) | List of service accounts |
+
+**References**
+
+- [IAM overview](https://cloud.google.com/iam/docs/overview)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.iamservice.serviceaccount.key.md b/docs/mql/resources/gcp-pack/gcp.project.iamservice.serviceaccount.key.md
new file mode 100644
index 000000000..f938b8a3f
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.iamservice.serviceaccount.key.md
@@ -0,0 +1,33 @@
+---
+title: gcp.project.iamService.serviceAccount.key
+id: gcp.project.iamService.serviceAccount.key
+sidebar_label: gcp.project.iamService.serviceAccount.key
+displayed_sidebar: MQL
+description: GCP service account keys
+---
+
+# gcp.project.iamService.serviceAccount.key
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP service account keys
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ------ | -------------------------------------------- |
+| name | string | Service account key name |
+| keyAlgorithm | string | Algorithm (and possibly key size) of the key |
+| validAfterTime | time | Key can be used after this timestamp |
+| validBeforeTime | time | Key can be used before this timestamp |
+| keyOrigin | string | Key origin |
+| keyType | string | Key type |
+| disabled | bool | Whether the key is disabled |
+
+**References**
+
+- [Create and delete service account keys](https://cloud.google.com/iam/docs/keys-create-delete)
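Review bot: The `keyOrigin` and `keyType` rows ("Key origin", "Key type") only restate the field names. These are the fields someone reviewing service account keys will filter on, so state what each one distinguishes and which values can be returned. "Key can be used before this timestamp" for `validBeforeTime` would also read more clearly as the key's expiry time.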
diff --git a/docs/mql/resources/gcp-pack/gcp.project.iamservice.serviceaccount.md b/docs/mql/resources/gcp-pack/gcp.project.iamservice.serviceaccount.md
new file mode 100644
index 000000000..422891b0e
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.iamservice.serviceaccount.md
@@ -0,0 +1,35 @@
+---
+title: gcp.project.iamService.serviceAccount
+id: gcp.project.iamService.serviceAccount
+sidebar_label: gcp.project.iamService.serviceAccount
+displayed_sidebar: MQL
+description: GCP service account
+---
+
+# gcp.project.iamService.serviceAccount
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP service account
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | --------------------------------------------------------------------------------------------------- | ----------------------------------------------------------- |
+| projectId | string | Project ID |
+| name | string | Service account name |
+| uniqueId | string | Unique, stable, numeric ID for the service account |
+| email | string | Email address of the service account |
+| displayName | string | User-specified, human-readable name for the service account |
+| description | string | Service account description |
+| oauth2ClientId | string | OAuth 2.0 client ID |
+| disabled | bool | Whether the service account is disabled |
+| keys | [][gcp.project.iamService.serviceAccount.key](gcp.project.iamservice.serviceaccount.key.md) | Service account keys |
+
+**References**
+
+- [Identities for workloads](https://cloud.google.com/iam/docs/workload-identities)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.kmsservice.keyring.cryptokey.md b/docs/mql/resources/gcp-pack/gcp.project.kmsservice.keyring.cryptokey.md
new file mode 100644
index 000000000..ddf7a3e28
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.kmsservice.keyring.cryptokey.md
@@ -0,0 +1,40 @@
+---
+title: gcp.project.kmsService.keyring.cryptokey
+id: gcp.project.kmsService.keyring.cryptokey
+sidebar_label: gcp.project.kmsService.keyring.cryptokey
+displayed_sidebar: MQL
+description: GCP KMS crypto key
+---
+
+# gcp.project.kmsService.keyring.cryptokey
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP KMS crypto key
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------ | ----------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- |
+| resourcePath | string | Full resource path |
+| name | string | Crypto key name |
+| primary | [gcp.project.kmsService.keyring.cryptokey.version](gcp.project.kmsservice.keyring.cryptokey.version.md) | Primary version for encrypt to use for this crypto key |
+| purpose | string | Crypto key purpose |
+| created | time | Creation timestamp |
+| nextRotation | time | Time at which KMS will create a new version of this key and mark it as primary |
+| rotationPeriod | time | Rotation period |
+| versionTemplate | dict | Template describing the settings for new crypto key versions |
+| labels | map[string]string | User-defined labels |
+| importOnly | bool | Whether this key may contain imported versions only |
+| destroyScheduledDuration | time | Period of time that versions of this key spend in DESTROY_SCHEDULED state before being destroyed |
+| cryptoKeyBackend | string | Resource name of the backend environment where the key material for all crypto key versions reside |
+| versions | [][gcp.project.kmsService.keyring.cryptokey.version](gcp.project.kmsservice.keyring.cryptokey.version.md) | List of cryptokey versions |
+| iamPolicy | [][gcp.resourcemanager.binding](gcp.resourcemanager.binding.md) | Crypto key IAM policy |
+
+**References**
+
+- [Create a key ring](https://cloud.google.com/kms/docs/create-key-ring)
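Review bot: `rotationPeriod` and `destroyScheduledDuration` are typed `time` but described as a "Rotation period" and a "Period of time", that is, durations; confirm the type and make each description say whether the value is a duration or a timestamp. Wording fixes in the same table: "Primary version for encrypt to use" is hard to parse, and in the `cryptoKeyBackend` row "key material ... reside" should be "resides".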
diff --git a/docs/mql/resources/gcp-pack/gcp.project.kmsservice.keyring.cryptokey.version.attestation.certificatechains.md b/docs/mql/resources/gcp-pack/gcp.project.kmsservice.keyring.cryptokey.version.attestation.certificatechains.md
new file mode 100644
index 000000000..a49b69831
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.kmsservice.keyring.cryptokey.version.attestation.certificatechains.md
@@ -0,0 +1,30 @@
+---
+title: gcp.project.kmsService.keyring.cryptokey.version.attestation.certificatechains
+id: gcp.project.kmsService.keyring.cryptokey.version.attestation.certificatechains
+sidebar_label: gcp.project.kmsService.keyring.cryptokey.version.attestation.certificatechains
+displayed_sidebar: MQL
+description: GCP KMS crypto key version attestation certificate chains
+---
+
+# gcp.project.kmsService.keyring.cryptokey.version.attestation.certificatechains
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP KMS crypto key version attestation certificate chains
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | ---------------- | ------------------------------------------------------------------- |
+| cryptoKeyVersionName | string | Crypto key version name |
+| caviumCerts | []string | Cavium certificate chain corresponding to the attestation |
+| googleCardCerts | []string | Google card certificate chain corresponding to the attestation |
+| googlePartitionCerts | []string | Google partition certificate chain corresponding to the attestation |
+
+**References**
+
+- [Create a key ring](https://cloud.google.com/kms/docs/create-key-ring)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.kmsservice.keyring.cryptokey.version.attestation.md b/docs/mql/resources/gcp-pack/gcp.project.kmsservice.keyring.cryptokey.version.attestation.md
new file mode 100644
index 000000000..524a47992
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.kmsservice.keyring.cryptokey.version.attestation.md
@@ -0,0 +1,29 @@
+---
+title: gcp.project.kmsService.keyring.cryptokey.version.attestation
+id: gcp.project.kmsService.keyring.cryptokey.version.attestation
+sidebar_label: gcp.project.kmsService.keyring.cryptokey.version.attestation
+displayed_sidebar: MQL
+description: GCP KMS crypto key version attestation
+---
+
+# gcp.project.kmsService.keyring.cryptokey.version.attestation
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP KMS crypto key version attestation
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- |
+| cryptoKeyVersionName | string | Crypto key version name |
+| format | string | Format of the attestation data |
+| certificateChains | [gcp.project.kmsService.keyring.cryptokey.version.attestation.certificatechains](gcp.project.kmsservice.keyring.cryptokey.version.attestation.certificatechains.md) | Certificate chains needed to validate the attestation |
+
+**References**
+
+- [Create a key ring](https://cloud.google.com/kms/docs/create-key-ring)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.kmsservice.keyring.cryptokey.version.externalprotectionleveloptions.md b/docs/mql/resources/gcp-pack/gcp.project.kmsservice.keyring.cryptokey.version.externalprotectionleveloptions.md
new file mode 100644
index 000000000..b70188d86
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.kmsservice.keyring.cryptokey.version.externalprotectionleveloptions.md
@@ -0,0 +1,29 @@
+---
+title: gcp.project.kmsService.keyring.cryptokey.version.externalProtectionLevelOptions
+id: gcp.project.kmsService.keyring.cryptokey.version.externalProtectionLevelOptions
+sidebar_label: gcp.project.kmsService.keyring.cryptokey.version.externalProtectionLevelOptions
+displayed_sidebar: MQL
+description: GCP KMS crypto key version external protection level options
+---
+
+# gcp.project.kmsService.keyring.cryptokey.version.externalProtectionLevelOptions
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP KMS crypto key version external protection level options
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | ------ | ---------------------------------------------------------------------- |
+| cryptoKeyVersionName | string | Crypto key version name |
+| externalKeyUri | string | URI for an external resource that the crypto key version represents |
+| ekmConnectionKeyPath | string | Path to the external key material on the EKM when using EKM connection |
+
+**References**
+
+- [Create a key ring](https://cloud.google.com/kms/docs/create-key-ring)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.kmsservice.keyring.cryptokey.version.md b/docs/mql/resources/gcp-pack/gcp.project.kmsservice.keyring.cryptokey.version.md
new file mode 100644
index 000000000..27c809575
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.kmsservice.keyring.cryptokey.version.md
@@ -0,0 +1,41 @@
+---
+title: gcp.project.kmsService.keyring.cryptokey.version
+id: gcp.project.kmsService.keyring.cryptokey.version
+sidebar_label: gcp.project.kmsService.keyring.cryptokey.version
+displayed_sidebar: MQL
+description: GCP KMS crypto key version
+---
+
+# gcp.project.kmsService.keyring.cryptokey.version
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP KMS crypto key version
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- |
+| resourcePath | string | Full resource path |
+| name | string | Crypto key version name |
+| state | string | Crypto key version's current state |
+| protectionLevel | string | Protection level describing how crypto operations perform with this crypto key version |
+| algorithm | string | Algorithm that the crypto key version supports |
+| attestation | [gcp.project.kmsService.keyring.cryptokey.version.attestation](gcp.project.kmsservice.keyring.cryptokey.version.attestation.md) | Statement generated and signed by HSM at key creation time |
+| created | time | Time created |
+| generated | time | Time generated |
+| destroyed | time | Time destroyed |
+| destroyEventTime | time | Destroy event timestamp |
+| importJob | string | Name of the import job used in the most recent import of the crypto key version |
+| importTime | time | Time at which this crypto key version's key material was imported |
+| importFailureReason | string | The root cause of an import failure |
+| externalProtectionLevelOptions | [gcp.project.kmsService.keyring.cryptokey.version.externalProtectionLevelOptions](gcp.project.kmsservice.keyring.cryptokey.version.externalprotectionleveloptions.md) | Additional fields for configuring external protection level |
+| reimportEligible | bool | Whether the crypto key version is eligible for reimport |
+
+**References**
+
+- [Create a key ring](https://cloud.google.com/kms/docs/create-key-ring)
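Review bot: `destroyed` ("Time destroyed") and `destroyEventTime` ("Destroy event timestamp") cannot be told apart from their descriptions; state which event each one records. In the `protectionLevel` row, "how crypto operations perform with this crypto key version" should read "how crypto operations are performed".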
diff --git a/docs/mql/resources/gcp-pack/gcp.project.kmsservice.keyring.md b/docs/mql/resources/gcp-pack/gcp.project.kmsservice.keyring.md
new file mode 100644
index 000000000..dad0e0ea5
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.kmsservice.keyring.md
@@ -0,0 +1,32 @@
+---
+title: gcp.project.kmsService.keyring
+id: gcp.project.kmsService.keyring
+sidebar_label: gcp.project.kmsService.keyring
+displayed_sidebar: MQL
+description: GCP KMS keyring
+---
+
+# gcp.project.kmsService.keyring
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP KMS keyring
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------------------------------------------------------------------------------------------------- | ----------------------------------------- |
+| projectId | string | Project ID |
+| resourcePath | string | Full resource path |
+| name | string | Keyring name |
+| created | time | Time created |
+| location | string | Keyring location |
+| cryptokeys | [][gcp.project.kmsService.keyring.cryptokey](gcp.project.kmsservice.keyring.cryptokey.md) | List of cryptokeys in the current keyring |
+
+**References**
+
+- [Create a key ring](https://cloud.google.com/kms/docs/create-key-ring)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.kmsservice.md b/docs/mql/resources/gcp-pack/gcp.project.kmsservice.md
new file mode 100644
index 000000000..ed71bb024
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.kmsservice.md
@@ -0,0 +1,29 @@
+---
+title: gcp.project.kmsService
+id: gcp.project.kmsService
+sidebar_label: gcp.project.kmsService
+displayed_sidebar: MQL
+description: GCP KMS resources
+---
+
+# gcp.project.kmsService
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP KMS resources
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ----------------------------------------------------------------------------- | --------------------------------------- |
+| projectId | string | Project ID |
+| locations | []string | Available locations for the service |
+| keyrings | [][gcp.project.kmsService.keyring](gcp.project.kmsservice.keyring.md) | List of keyrings in the current project |
+
+**References**
+
+- [Cloud KMS resources](https://cloud.google.com/kms/docs/resource-hierarchy)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.loggingservice.bucket.indexconfig.md b/docs/mql/resources/gcp-pack/gcp.project.loggingservice.bucket.indexconfig.md
new file mode 100644
index 000000000..961b4f528
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.loggingservice.bucket.indexconfig.md
@@ -0,0 +1,30 @@
+---
+title: gcp.project.loggingservice.bucket.indexConfig
+id: gcp.project.loggingservice.bucket.indexConfig
+sidebar_label: gcp.project.loggingservice.bucket.indexConfig
+displayed_sidebar: MQL
+description: GCP Logging bucket index config
+---
+
+# gcp.project.loggingservice.bucket.indexConfig
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Logging bucket index config
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------ | ----------------------------- |
+| id | string | Internal ID |
+| created | time | Creation timestamp |
+| fieldPath | string | Log entry field path to index |
+| type | string | Type of data in this index |
+
+**References**
+
+- [Cloud Logging overview](https://cloud.google.com/logging/docs/overview)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.loggingservice.bucket.md b/docs/mql/resources/gcp-pack/gcp.project.loggingservice.bucket.md
new file mode 100644
index 000000000..f42e3df24
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.loggingservice.bucket.md
@@ -0,0 +1,37 @@
+---
+title: gcp.project.loggingservice.bucket
+id: gcp.project.loggingservice.bucket
+sidebar_label: gcp.project.loggingservice.bucket
+displayed_sidebar: MQL
+description: GCP Logging bucket
+---
+
+# gcp.project.loggingservice.bucket
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Logging bucket
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ----------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- |
+| projectId | string | Project ID |
+| cmekSettings | dict | CMEK settings of the log bucket |
+| created | time | Creation timestamp |
+| description | string | Description of the bucket |
+| indexConfigs | [][gcp.project.loggingservice.bucket.indexConfig](gcp.project.loggingservice.bucket.indexconfig.md) | List of indexed fields and related configuration data |
+| lifecycleState | string | Bucket lifecycle state |
+| locked | bool | Whether the bucket is locked |
+| name | string | Bucket name |
+| restrictedFields | []string | Log entry field paths that are denied access in this bucket |
+| retentionDays | int | Amount of time for which logs will be retained by default, after which they're' automatically deleted |
+| updated | time | Last update timestamp of the bucket |
+
+**References**
+
+- [Cloud Logging overview](https://cloud.google.com/logging/docs/overview)
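Review bot: The `retentionDays` description has a stray apostrophe ("they're' automatically deleted"); it should read "after which they're automatically deleted". Since `retentionDays` and `locked` are the fields an audit-log retention check relies on, consider also stating in the `locked` row what a locked bucket protects (for example, whether the retention setting can still be changed), if the source schema documents it.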
diff --git a/docs/mql/resources/gcp-pack/gcp.project.loggingservice.md b/docs/mql/resources/gcp-pack/gcp.project.loggingservice.md
new file mode 100644
index 000000000..44fd258f3
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.loggingservice.md
@@ -0,0 +1,30 @@
+---
+title: gcp.project.loggingservice
+id: gcp.project.loggingservice
+sidebar_label: gcp.project.loggingservice
+displayed_sidebar: MQL
+description: GCP Logging resources
+---
+
+# gcp.project.loggingservice
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Logging resources
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ----------------------------------------------------------------------------------- | ----------------------- |
+| projectId | string | Project ID |
+| buckets | [][gcp.project.loggingservice.bucket](gcp.project.loggingservice.bucket.md) | List of logging buckets |
+| metrics | [][gcp.project.loggingservice.metric](gcp.project.loggingservice.metric.md) | List of metrics |
+| sinks | [][gcp.project.loggingservice.sink](gcp.project.loggingservice.sink.md) | List of log sinks |
+
+**References**
+
+- [Cloud Logging overview](https://cloud.google.com/logging/docs/overview)
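Review bot: The title, `id` and `sidebar_label` here use all-lowercase `gcp.project.loggingservice`, while the sibling services in this same change are camel-cased (`gcp.project.monitoringService`, `gcp.project.pubsubService`, `gcp.project.sqlService`). If the lowercase form is the actual resource name in the schema, this is fine; otherwise please align it, because queries copied from the page depend on the exact casing.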
diff --git a/docs/mql/resources/gcp-pack/gcp.project.loggingservice.metric.md b/docs/mql/resources/gcp-pack/gcp.project.loggingservice.metric.md
new file mode 100644
index 000000000..3bf60dd20
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.loggingservice.metric.md
@@ -0,0 +1,31 @@
+---
+title: gcp.project.loggingservice.metric
+id: gcp.project.loggingservice.metric
+sidebar_label: gcp.project.loggingservice.metric
+displayed_sidebar: MQL
+description: GCP Logging metric
+---
+
+# gcp.project.loggingservice.metric
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Logging metric
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | --------------------------------------------------------------------------------------------------- | ------------------------------ |
+| id | string | Metric ID |
+| projectId | string | Project ID |
+| description | string | Metric description |
+| filter | string | Advanced log filter |
+| alertPolicies | [][gcp.project.monitoringService.alertPolicy](gcp.project.monitoringservice.alertpolicy.md) | Alert policies for this metric |
+
+**References**
+
+- [Cloud Logging overview](https://cloud.google.com/logging/docs/overview)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.loggingservice.sink.md b/docs/mql/resources/gcp-pack/gcp.project.loggingservice.sink.md
new file mode 100644
index 000000000..b7c47fc5b
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.loggingservice.sink.md
@@ -0,0 +1,33 @@
+---
+title: gcp.project.loggingservice.sink
+id: gcp.project.loggingservice.sink
+sidebar_label: gcp.project.loggingservice.sink
+displayed_sidebar: MQL
+description: GCP Logging sink
+---
+
+# gcp.project.loggingservice.sink
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Logging sink
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| id | string | Sink ID |
+| projectId | string | Project ID |
+| destination | string | Export destination |
+| storageBucket | [gcp.project.storageService.bucket](gcp.project.storageservice.bucket.md) | Storage bucket to which the sink exports (only set for sinks with a destination storage bucket) |
+| filter | string | Optional advanced logs filter |
+| writerIdentity | string | When exporting logs, logging adopts this identity for authorization |
+| includeChildren | bool | Whether to allow the sink to export log entries from the organization or folder, plus (recursively) from any contained folders, billings accounts, or projects |
+
+**References**
+
+- [Cloud Logging overview](https://cloud.google.com/logging/docs/overview)
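Review bot: Typo in the `includeChildren` description: "billings accounts" should be "billing accounts". The `writerIdentity` row could also say that this is the identity that must be granted write access on the destination, since that is what a reviewer of a sink configuration will look for.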
diff --git a/docs/mql/resources/gcp-pack/gcp.project.md b/docs/mql/resources/gcp-pack/gcp.project.md
new file mode 100644
index 000000000..148ba50e8
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.md
@@ -0,0 +1,55 @@
+---
+title: gcp.project
+id: gcp.project
+sidebar_label: gcp.project
+displayed_sidebar: MQL
+description: Google Cloud Platform project
+---
+
+# gcp.project
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+Google Cloud Platform project
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------- | ----------------------------------------------------------------------- | ------------------------------------------------------ |
+| id | string | Unique, user-assigned ID of the project |
+| name | string | Unique resource name |
+| parentId | string | Parent ID |
+| number | string | Deprecated. Use `id` instead. |
+| state | string | Project lifecycle state |
+| lifecycleState | string | Deprecated. Use `state` instead. |
+| createTime | time | Creation time |
+| labels | map[string]string | Labels associated with this project |
+| iamPolicy | [][gcp.resourcemanager.binding](gcp.resourcemanager.binding.md) | IAM policy |
+| services | [][gcp.service](gcp.service.md) | List of available and enabled services for the project |
+| recommendations | [][gcp.recommendation](gcp.recommendation.md) | List of recommendations |
+| gke | [gcp.project.gkeService](gcp.project.gkeservice.md) | GCP GKE resources |
+| compute | [gcp.project.computeService](gcp.project.computeservice.md) | GCP Compute resources for the project |
+| pubsub | [gcp.project.pubsubService](gcp.project.pubsubservice.md) | GCP pub/sub-related resources |
+| kms | [gcp.project.kmsService](gcp.project.kmsservice.md) | KMS-related resources |
+| essentialContacts | [][gcp.essentialContact](gcp.essentialcontact.md) | GCP contacts for the project |
+| apiKeys | [][gcp.project.apiKey](gcp.project.apikey.md) | API keys |
+| logging | [gcp.project.loggingservice](gcp.project.loggingservice.md) | Logging resources |
+| sql | [gcp.project.sqlService](gcp.project.sqlservice.md) | GCP Cloud SQL resources |
+| iam | [gcp.project.iamService](gcp.project.iamservice.md) | GCP IAM resources |
+| commonInstanceMetadata | map[string]string | Common instance metadata for the project |
+| dns | [gcp.project.dnsService](gcp.project.dnsservice.md) | GCP Cloud DNS |
+| bigquery | [gcp.project.bigqueryService](gcp.project.bigqueryservice.md) | GCP BigQuery resources |
+| cloudFunctions | [][gcp.project.cloudFunction](gcp.project.cloudfunction.md) | GCP Cloud Functions |
+| dataproc | [gcp.project.dataprocService](gcp.project.dataprocservice.md) | GCP Dataproc resources |
+| cloudRun | [gcp.project.cloudRunService](gcp.project.cloudrunservice.md) | GCP Cloud Run resources |
+| accessApprovalSettings | [gcp.accessApprovalSettings](gcp.accessapprovalsettings.md) | Access approval settings |
+| storage | [gcp.project.storageService](gcp.project.storageservice.md) | GCP Storage resources |
+| monitoring | [gcp.project.monitoringService](gcp.project.monitoringservice.md) | Monitoring resources |
+
+**References**
+
+- [Creating and managing projects](https://cloud.google.com/resource-manager/docs/creating-managing-projects)
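Review bot: The `pubsub` row says "GCP pub/sub-related resources", but the resource's own page in this change uses "GCP Pub/Sub resources"; please use the product casing "Pub/Sub" here too. Separately, `number` is marked "Deprecated. Use `id` instead." while `id` is described as the user-assigned project ID; if the two hold different values, the deprecation text should say so, so that existing queries on `number` are not silently switched to a different identifier.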
diff --git a/docs/mql/resources/gcp-pack/gcp.project.monitoringservice.alertpolicy.md b/docs/mql/resources/gcp-pack/gcp.project.monitoringservice.alertpolicy.md
new file mode 100644
index 000000000..46c87d565
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.monitoringservice.alertpolicy.md
@@ -0,0 +1,41 @@
+---
+title: gcp.project.monitoringService.alertPolicy
+id: gcp.project.monitoringService.alertPolicy
+sidebar_label: gcp.project.monitoringService.alertPolicy
+displayed_sidebar: MQL
+description: GCP monitoring alert policy
+---
+
+# gcp.project.monitoringService.alertPolicy
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP monitoring alert policy
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------------- | ----------------- | --------------------------------------------------------------------------------------------------- |
+| projectId | string | Project ID |
+| name | string | Alert policy name |
+| displayName | string | Display name |
+| documentation | dict | Documentation included with notifications and incidents related to this policy |
+| labels | map[string]string | User-defined labels |
+| conditions | []dict | List of conditions for the policy |
+| combiner | string | How to combine the results of multiple conditions to determine if an incident should be opened |
+| enabled | bool | Whether the policy is enabled |
+| validity | dict | Description of how the alert policy is invalid |
+| notificationChannelUrls | []string | Notification channel URLs to which notifications should be sent when incidents are opened or closed |
+| created | time | Creation timestamp |
+| createdBy | string | Email address of the user who created the alert policy |
+| updated | time | Update timestamp |
+| updatedBy | string | Email address of the user who last updated the alert policy |
+| alertStrategy | dict | Configuration for notification channels notifications |
+
+**References**
+
+- [Alerting overview](https://cloud.google.com/monitoring/alerts)
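Review bot: The `alertStrategy` description, "Configuration for notification channels notifications", is redundant and hard to parse; something like "Configuration for how notifications are sent to notification channels" would be clearer, if that matches the schema. The `validity` description ("Description of how the alert policy is invalid") would also benefit from saying what the field holds when the policy is valid.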
diff --git a/docs/mql/resources/gcp-pack/gcp.project.monitoringservice.md b/docs/mql/resources/gcp-pack/gcp.project.monitoringservice.md
new file mode 100644
index 000000000..8fe3a67f5
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.monitoringservice.md
@@ -0,0 +1,28 @@
+---
+title: gcp.project.monitoringService
+id: gcp.project.monitoringService
+sidebar_label: gcp.project.monitoringService
+displayed_sidebar: MQL
+description: GCP monitoring resources
+---
+
+# gcp.project.monitoringService
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP monitoring resources
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | --------------------------------------------------------------------------------------------------- | ---------------------- |
+| projectId | string | Project ID |
+| alertPolicies | [][gcp.project.monitoringService.alertPolicy](gcp.project.monitoringservice.alertpolicy.md) | List of alert policies |
+
+**References**
+
+- [Cloud Monitoring overview](https://cloud.google.com/monitoring/docs/monitoring-overview)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.md b/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.md
new file mode 100644
index 000000000..a296d482c
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.md
@@ -0,0 +1,30 @@
+---
+title: gcp.project.pubsubService
+id: gcp.project.pubsubService
+sidebar_label: gcp.project.pubsubService
+displayed_sidebar: MQL
+description: GCP Pub/Sub resources
+---
+
+# gcp.project.pubsubService
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Pub/Sub resources
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | --------------------------------------------------------------------------------------------- | -------------------------------------------- |
+| projectId | string | Project ID |
+| topics | [][gcp.project.pubsubService.topic](gcp.project.pubsubservice.topic.md) | List of topics in the current project |
+| subscriptions | [][gcp.project.pubsubService.subscription](gcp.project.pubsubservice.subscription.md) | List of subscriptions in the current project |
+| snapshots | [][gcp.project.pubsubService.snapshot](gcp.project.pubsubservice.snapshot.md) | List of snapshots in the current project |
+
+**References**
+
+- [Alerting overview](https://cloud.google.com/monitoring/alerts)
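Review bot: The References entry on this Pub/Sub page links to "Alerting overview" (https://cloud.google.com/monitoring/alerts), which looks copied from the monitoring pages. The other Pub/Sub pages in this change link to "Overview of the Pub/Sub service" (https://cloud.google.com/pubsub/docs/pubsub-basics); this page should use a Pub/Sub reference as well.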
diff --git a/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.snapshot.md b/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.snapshot.md
new file mode 100644
index 000000000..897aa1d11
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.snapshot.md
@@ -0,0 +1,30 @@
+---
+title: gcp.project.pubsubService.snapshot
+id: gcp.project.pubsubService.snapshot
+sidebar_label: gcp.project.pubsubService.snapshot
+displayed_sidebar: MQL
+description: GCP Pub/Sub snapshot
+---
+
+# gcp.project.pubsubService.snapshot
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Pub/Sub snapshot
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | --------------------------------------------------------------------- | ----------------------------------- |
+| projectId | string | Project ID |
+| name | string | Subscription name |
+| topic | [gcp.project.pubsubService.topic](gcp.project.pubsubservice.topic.md) | The topic for which the snapshot is |
+| expiration | time | When the snapshot expires |
+
+**References**
+
+- [Overview of the Pub/Sub service](https://cloud.google.com/pubsub/docs/pubsub-basics)
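Review bot: Two descriptions in the snapshot table look wrong. `name` is described as "Subscription name" on a snapshot resource, which reads like a copy from the subscription page and should probably be "Snapshot name". The `topic` description, "The topic for which the snapshot is", is a truncated sentence; please complete it from the schema source.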
diff --git a/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.subscription.config.md b/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.subscription.config.md
new file mode 100644
index 000000000..dd804be80
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.subscription.config.md
@@ -0,0 +1,35 @@
+---
+title: gcp.project.pubsubService.subscription.config
+id: gcp.project.pubsubService.subscription.config
+sidebar_label: gcp.project.pubsubService.subscription.config
+displayed_sidebar: MQL
+description: GCP Pub/Sub subscription configuration
+---
+
+# gcp.project.pubsubService.subscription.config
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Pub/Sub subscription configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------- | ----------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- |
+| projectId | string | Project ID |
+| subscriptionName | string | Subscription name |
+| topic | [gcp.project.pubsubService.topic](gcp.project.pubsubservice.topic.md) | Topic to which the subscription points |
+| pushConfig | [gcp.project.pubsubService.subscription.config.pushconfig](gcp.project.pubsubservice.subscription.config.pushconfig.md) | Configuration for subscriptions that operate in push mode |
+| ackDeadline | time | Default maximum time a subscriber can take to acknowledge a message after receiving it |
+| retainAckedMessages | bool | Whether to retain acknowledged messages |
+| retentionDuration | time | How long to retain messages in the backlog after they're published |
+| expirationPolicy | time | Conditions for a subscription's expiration |
+| labels | map[string]string | The labels associated with this subscription |
+
+**References**
+
+- [Subscription overview](https://cloud.google.com/pubsub/docs/subscription-overview)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.subscription.config.pushconfig.md b/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.subscription.config.pushconfig.md
new file mode 100644
index 000000000..2eaf5883b
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.subscription.config.pushconfig.md
@@ -0,0 +1,29 @@
+---
+title: gcp.project.pubsubService.subscription.config.pushconfig
+id: gcp.project.pubsubService.subscription.config.pushconfig
+sidebar_label: gcp.project.pubsubService.subscription.config.pushconfig
+displayed_sidebar: MQL
+description: GCP Pub/Sub configuration for subscriptions that operate in push mode
+---
+
+# gcp.project.pubsubService.subscription.config.pushconfig
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Pub/Sub configuration for subscriptions that operate in push mode
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ----------------- | --------------------------------------------- |
+| configId | string | Parent configuration ID |
+| endpoint | string | URL of the endpoint to which to push messages |
+| attributes | map[string]string | Endpoint configuration attributes |
+
+**References**
+
+- [Push subscriptions](https://cloud.google.com/pubsub/docs/push)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.subscription.md b/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.subscription.md
new file mode 100644
index 000000000..b9c1eacc5
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.subscription.md
@@ -0,0 +1,29 @@
+---
+title: gcp.project.pubsubService.subscription
+id: gcp.project.pubsubService.subscription
+sidebar_label: gcp.project.pubsubService.subscription
+displayed_sidebar: MQL
+description: GCP Pub/Sub subscription
+---
+
+# gcp.project.pubsubService.subscription
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Pub/Sub subscription
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------------------------------------------------------------------------------------------------- | -------------------------- |
+| projectId | string | Project ID |
+| name | string | Subscription name |
+| config | [gcp.project.pubsubService.subscription.config](gcp.project.pubsubservice.subscription.config.md) | Subscription configuration |
+
+**References**
+
+- [Overview of the Pub/Sub service](https://cloud.google.com/pubsub/docs/pubsub-basics)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.topic.config.md b/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.topic.config.md
new file mode 100644
index 000000000..ae132f54f
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.topic.config.md
@@ -0,0 +1,31 @@
+---
+title: gcp.project.pubsubService.topic.config
+id: gcp.project.pubsubService.topic.config
+sidebar_label: gcp.project.pubsubService.topic.config
+displayed_sidebar: MQL
+description: GCP Pub/Sub topic configuration
+---
+
+# gcp.project.pubsubService.topic.config
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Pub/Sub topic configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | ----------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------- |
+| projectId | string | Project ID |
+| topicName | string | Topic name |
+| labels | map[string]string | Labels associated with this topic |
+| kmsKeyName | string | Cloud KMS key used to protect access to messages published to the topic |
+| messageStoragePolicy | [gcp.project.pubsubService.topic.config.messagestoragepolicy](gcp.project.pubsubservice.topic.config.messagestoragepolicy.md) | Message storage policy |
+
+**References**
+
+- [Monitor topics within Pub/Sub](https://cloud.google.com/pubsub/docs/monitor-topic)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.topic.config.messagestoragepolicy.md b/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.topic.config.messagestoragepolicy.md
new file mode 100644
index 000000000..e3b212e8c
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.topic.config.messagestoragepolicy.md
@@ -0,0 +1,28 @@
+---
+title: gcp.project.pubsubService.topic.config.messagestoragepolicy
+id: gcp.project.pubsubService.topic.config.messagestoragepolicy
+sidebar_label: gcp.project.pubsubService.topic.config.messagestoragepolicy
+displayed_sidebar: MQL
+description: GCP Pub/Sub topic message storage policy
+---
+
+# gcp.project.pubsubService.topic.config.messagestoragepolicy
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Pub/Sub topic message storage policy
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------- | ---------------- | -------------------------------------------------------------------------------- |
+| configId | string | Parent configuration ID |
+| allowedPersistenceRegions | []string | List of GCP regions where messages published to the topic can persist in storage |
+
+**References**
+
+- [Monitor topics within Pub/Sub](https://cloud.google.com/pubsub/docs/monitor-topic)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.topic.md b/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.topic.md
new file mode 100644
index 000000000..10036578f
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.pubsubservice.topic.md
@@ -0,0 +1,29 @@
+---
+title: gcp.project.pubsubService.topic
+id: gcp.project.pubsubService.topic
+sidebar_label: gcp.project.pubsubService.topic
+displayed_sidebar: MQL
+description: GCP Pub/Sub topic
+---
+
+# gcp.project.pubsubService.topic
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Pub/Sub topic
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ----------------------------------------------------------------------------------- | ------------------- |
+| projectId | string | Project ID |
+| name | string | Topic name |
+| config | [gcp.project.pubsubService.topic.config](gcp.project.pubsubservice.topic.config.md) | Topic configuration |
+
+**References**
+
+- [Monitor topics within Pub/Sub](https://cloud.google.com/pubsub/docs/monitor-topic)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.database.md b/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.database.md
new file mode 100644
index 000000000..d987b922d
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.database.md
@@ -0,0 +1,32 @@
+---
+title: gcp.project.sqlService.instance.database
+id: gcp.project.sqlService.instance.database
+sidebar_label: gcp.project.sqlService.instance.database
+displayed_sidebar: MQL
+description: GCP Cloud SQL instance database
+---
+
+# gcp.project.sqlService.instance.database
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud SQL instance database
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------ | ------ | ------------------------------ |
+| projectId | string | Project ID |
+| charset | string | Character set value |
+| collation | string | Collation |
+| instance | string | Name of the Cloud SQL instance |
+| name | string | Name of the database |
+| sqlserverDatabaseDetails | dict | SQL Server database details |
+
+**References**
+
+- [Cloud SQL overview](https://cloud.google.com/sql/docs/introduction)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.ipmapping.md b/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.ipmapping.md
new file mode 100644
index 000000000..1285c9b9e
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.ipmapping.md
@@ -0,0 +1,30 @@
+---
+title: gcp.project.sqlService.instance.ipMapping
+id: gcp.project.sqlService.instance.ipMapping
+sidebar_label: gcp.project.sqlService.instance.ipMapping
+displayed_sidebar: MQL
+description: GCP Cloud SQL instance IP mapping
+---
+
+# gcp.project.sqlService.instance.ipMapping
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud SQL instance IP mapping
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------ | ------------------------------ |
+| id | string | Internal ID |
+| ipAddress | string | Assigned IP address |
+| timeToRetire | time | Due time for this IP to retire |
+| type | string | Type of this IP address |
+
+**References**
+
+- [Cloud SQL overview](https://cloud.google.com/sql/docs/introduction)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.md b/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.md
new file mode 100644
index 000000000..4324500c0
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.md
@@ -0,0 +1,51 @@
+---
+title: gcp.project.sqlService.instance
+id: gcp.project.sqlService.instance
+sidebar_label: gcp.project.sqlService.instance
+displayed_sidebar: MQL
+description: GCP Cloud SQL instance
+---
+
+# gcp.project.sqlService.instance
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud SQL instance
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------------- | --------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- |
+| projectId | string | Project ID |
+| availableMaintenanceVersions | []string | All maintenance versions applicable on the instance |
+| backendType | string | Backend type |
+| connectionName | string | Connection name of the instance used in connection strings |
+| created | time | Creation timestamp |
+| currentDiskSize | int | Deprecated |
+| databaseInstalledVersion | string | Current database version running on the instance |
+| databaseVersion | string | Database engine type and version |
+| diskEncryptionConfiguration | dict | Disk encryption configuration |
+| diskEncryptionStatus | dict | Disk encryption status |
+| failoverReplica | dict | Name and status of the failover replica |
+| gceZone | string | Compute Engine zone that the instance is currently serviced from |
+| instanceType | string | Instance type |
+| ipAddresses | [][gcp.project.sqlService.instance.ipMapping](gcp.project.sqlservice.instance.ipmapping.md) | Assigned IP addresses |
+| maintenanceVersion | string | Current software version on the instance |
+| masterInstanceName | string | Name of the instance that acts as primary in the replica |
+| maxDiskSize | int | Maximum disk size in bytes |
+| name | string | Instance name |
+| project | string | This is deprecated; use projectId instead. |
+| region | string | Region |
+| replicaNames | []string | Replicas |
+| settings | [gcp.project.sqlService.instance.settings](gcp.project.sqlservice.instance.settings.md) | Settings |
+| serviceAccountEmailAddress | string | Service account email address |
+| state | string | Instance state |
+| databases | [][gcp.project.sqlService.instance.database](gcp.project.sqlservice.instance.database.md) | List of the databases in the current SQL instance |
+
+**References**
+
+- [Cloud SQL overview](https://cloud.google.com/sql/docs/introduction)
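Review bot: The deprecated fields are documented inconsistently. `currentDiskSize` says only "Deprecated" with no replacement named, and `project` says "This is deprecated; use projectId instead." without backticks, while gcp.project.md in this same change uses the form "Deprecated. Use `id` instead." Please pick one form, put field names in backticks, and name a replacement for `currentDiskSize` or state that there is none.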
diff --git a/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.settings.backupconfiguration.md b/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.settings.backupconfiguration.md
new file mode 100644
index 000000000..df5bc7394
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.settings.backupconfiguration.md
@@ -0,0 +1,34 @@
+---
+title: gcp.project.sqlService.instance.settings.backupconfiguration
+id: gcp.project.sqlService.instance.settings.backupconfiguration
+sidebar_label: gcp.project.sqlService.instance.settings.backupconfiguration
+displayed_sidebar: MQL
+description: GCP Cloud SQL instance settings backup configuration
+---
+
+# gcp.project.sqlService.instance.settings.backupconfiguration
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud SQL instance settings backup configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------------- | ------ | -------------------------------------------------------------------------------------- |
+| id | string | Internal ID |
+| backupRetentionSettings | dict | Backup retention settings |
+| binaryLogEnabled | bool | Whether binary log is enabled |
+| enabled | bool | Whether this configuration is enabled |
+| location | string | Location of the backup |
+| pointInTimeRecoveryEnabled | bool | Whether point-in-time recovery is enabled |
+| startTime | string | Start time for the daily backup configuration (in UTC timezone, in the 24 hour format) |
+| transactionLogRetentionDays | int | Number of days of transaction logs retained for point-in-time restore |
+
+**References**
+
+- [Cloud SQL overview](https://cloud.google.com/sql/docs/introduction)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.settings.denymaintenanceperiod.md b/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.settings.denymaintenanceperiod.md
new file mode 100644
index 000000000..39431cfb8
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.settings.denymaintenanceperiod.md
@@ -0,0 +1,30 @@
+---
+title: gcp.project.sqlService.instance.settings.denyMaintenancePeriod
+id: gcp.project.sqlService.instance.settings.denyMaintenancePeriod
+sidebar_label: gcp.project.sqlService.instance.settings.denyMaintenancePeriod
+displayed_sidebar: MQL
+description: GCP Cloud SQL instance settings deny maintenance period
+---
+
+# gcp.project.sqlService.instance.settings.denyMaintenancePeriod
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud SQL instance settings deny maintenance period
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------ | ------------------------------------------------------------ |
+| id | string | Internal ID |
+| endDate | string | Deny maintenance period end date |
+| startDate | string | Deny maintenance period start date |
+| time | string | Time in UTC when the deny maintenance period starts and ends |
+
+**References**
+
+- [Cloud SQL overview](https://cloud.google.com/sql/docs/introduction)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.settings.ipconfiguration.md b/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.settings.ipconfiguration.md
new file mode 100644
index 000000000..0acc8799c
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.settings.ipconfiguration.md
@@ -0,0 +1,28 @@
+---
+title: gcp.project.sqlService.instance.settings.ipConfiguration
+id: gcp.project.sqlService.instance.settings.ipConfiguration
+sidebar_label: gcp.project.sqlService.instance.settings.ipConfiguration
+displayed_sidebar: MQL
+description: GCP Cloud SQL instance settings IP configuration
+---
+
+# gcp.project.sqlService.instance.settings.ipConfiguration
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud SQL instance settings IP configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | -------------- | ---------------------------------------------------------------------------------------------- |
+| id | string | Internal ID |
+| allocatedIpRange | string | Name of the allocated IP range for the private IP Cloud SQL instance |
+| authorizedNetworks | []dict | List of external networks that are allowed to connect to the instance using the IP |
+| ipv4Enabled | bool | Whether the instance is assigned a public IP address |
+| privateNetwork | string | Resource link for the VPC network from which the private IPs can access the Cloud SQL instance |
+| requireSsl | bool | Whether SSL connections over IP are enforced |
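Review bot: This file ends at the Fields table and has no **References** section, unlike every other Cloud SQL page in this change, which closes with the "Cloud SQL overview" link. Please add it for consistency. This page documents the network-exposure fields (`ipv4Enabled`, `authorizedNetworks`, `requireSsl`), so a reference on configuring Cloud SQL connectivity would be more useful here than the generic overview, if one is available to the generator.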
diff --git a/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.settings.maintenancewindow.md b/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.settings.maintenancewindow.md
new file mode 100644
index 000000000..79340ff73
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.settings.maintenancewindow.md
@@ -0,0 +1,30 @@
+---
+title: gcp.project.sqlService.instance.settings.maintenanceWindow
+id: gcp.project.sqlService.instance.settings.maintenanceWindow
+sidebar_label: gcp.project.sqlService.instance.settings.maintenanceWindow
+displayed_sidebar: MQL
+description: GCP Cloud SQL instance settings maintenance window
+---
+
+# gcp.project.sqlService.instance.settings.maintenanceWindow
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud SQL instance settings maintenance window
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | ------------------------------------------------------------ |
+| id | string | Internal ID |
+| day | int | Day of week (1-7, 1 is Monday) |
+| hour | int | Hour of day (0 to 23) |
+| updateTrack | string | Maintenance time setting: canary (earlier) or stable (later) |
+
+**References**
+
+- [Cloud SQL overview](https://cloud.google.com/sql/docs/introduction)
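Review bot: the `hour` row gives a range but no time zone, so a reader cannot tell when the maintenance window actually opens; state the zone the value is expressed in. The `day` and `hour` rows also write their ranges differently ("1-7" and "0 to 23"); pick one form.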
diff --git a/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.settings.md b/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.settings.md
new file mode 100644
index 000000000..7b088048f
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.settings.md
@@ -0,0 +1,55 @@
+---
+title: gcp.project.sqlService.instance.settings
+id: gcp.project.sqlService.instance.settings
+sidebar_label: gcp.project.sqlService.instance.settings
+displayed_sidebar: MQL
+description: GCP Cloud SQL instance settings
+---
+
+# gcp.project.sqlService.instance.settings
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud SQL instance settings
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
+| projectId | string | Project ID |
+| instanceName | string | Instance name |
+| activationPolicy | string | When the instance is activated |
+| activeDirectoryConfig | dict | Entra ID (formerly Active Directory) configuration (relevant only for Cloud SQL for SQL Server) |
+| availabilityType | string | Availability type |
+| backupConfiguration | [gcp.project.sqlService.instance.settings.backupconfiguration](gcp.project.sqlservice.instance.settings.backupconfiguration.md) | Daily backup configuration for the instance |
+| collation | string | Name of the server collation |
+| connectorEnforcement | string | Whether connections must use Cloud SQL connectors |
+| crashSafeReplicationEnabled | bool | Whether database flags for crash-safe replication are enabled |
+| dataDiskSizeGb | int | Size of the data disk, in GB |
+| dataDiskType | string | Type of the data disk |
+| databaseFlags | map[string]string | Database flags passed to the instance at startup |
+| databaseReplicationEnabled | bool | Whether replication is enabled |
+| deletionProtectionEnabled | bool | Whether to protect against accidental instance deletion |
+| denyMaintenancePeriods | [][gcp.project.sqlService.instance.settings.denyMaintenancePeriod](gcp.project.sqlservice.instance.settings.denymaintenanceperiod.md) | Deny maintenance periods |
+| insightsConfig | dict | Insights configuration |
+| ipConfiguration | [gcp.project.sqlService.instance.settings.ipConfiguration](gcp.project.sqlservice.instance.settings.ipconfiguration.md) | IP management settings |
+| locationPreference | dict | Location preference settings |
+| maintenanceWindow | [gcp.project.sqlService.instance.settings.maintenanceWindow](gcp.project.sqlservice.instance.settings.maintenancewindow.md) | Maintenance window |
+| passwordValidationPolicy | [gcp.project.sqlService.instance.settings.passwordValidationPolicy](gcp.project.sqlservice.instance.settings.passwordvalidationpolicy.md) | Local user password validation policy |
+| pricingPlan | string | Pricing plan |
+| replicationType | string | Replication type |
+| settingsVersion | int | Instance settings version |
+| sqlServerAuditConfig | dict | SQL-server-specific audit configuration |
+| storageAutoResize | bool | Configuration to increase storage size automatically |
+| storageAutoResizeLimit | int | Maximum size to which storage capacity can be automatically increased |
+| tier | string | Service tier for this instance |
+| timeZone | string | Server timezone |
+| userLabels | map[string]string | User-provided labels |
+
+**References**
+
+- [Cloud SQL overview](https://cloud.google.com/sql/docs/introduction)
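Review bot: in the `activeDirectoryConfig` row, "Entra ID (formerly Active Directory)" looks like a wrong rename. Entra ID is the new name for Azure Active Directory, not for Active Directory itself, and the row says the field applies only to Cloud SQL for SQL Server. Suggest "Active Directory configuration (relevant only for Cloud SQL for SQL Server)" so the description matches the field name.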
diff --git a/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.settings.passwordvalidationpolicy.md b/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.settings.passwordvalidationpolicy.md
new file mode 100644
index 000000000..7446f7d27
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.sqlservice.instance.settings.passwordvalidationpolicy.md
@@ -0,0 +1,33 @@
+---
+title: gcp.project.sqlService.instance.settings.passwordValidationPolicy
+id: gcp.project.sqlService.instance.settings.passwordValidationPolicy
+sidebar_label: gcp.project.sqlService.instance.settings.passwordValidationPolicy
+displayed_sidebar: MQL
+description: GCP Cloud SQL instance settings password validation policy
+---
+
+# gcp.project.sqlService.instance.settings.passwordValidationPolicy
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud SQL instance settings password validation policy
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------- | ------ | -------------------------------------------------------- |
+| id | string | Internal ID |
+| complexity | string | Password complexity |
+| disallowUsernameSubstring | bool | Whether username is forbidden as a part of the password |
+| enabledPasswordPolicy | bool | Whether the password policy is enabled |
+| minLength | int | Minimum number of characters required in passwords |
+| passwordChangeInterval | string | Minimum interval after which the password can be changed |
+| reuseInterval | int | Number of previous passwords that cannot be reused |
+
+**References**
+
+- [Cloud SQL overview](https://cloud.google.com/sql/docs/introduction)
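Review bot: `passwordChangeInterval` is typed `string`, but its description gives no format or unit for the interval, and the `complexity` row ("Password complexity") lists no accepted values. Add both so that someone writing a policy check knows what to compare against. "Whether username is forbidden as a part of the password" would also read better as "Whether the password may not contain the username".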
diff --git a/docs/mql/resources/gcp-pack/gcp.project.sqlservice.md b/docs/mql/resources/gcp-pack/gcp.project.sqlservice.md
new file mode 100644
index 000000000..e44dc52a2
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.sqlservice.md
@@ -0,0 +1,28 @@
+---
+title: gcp.project.sqlService
+id: gcp.project.sqlService
+sidebar_label: gcp.project.sqlService
+displayed_sidebar: MQL
+description: GCP Cloud SQL resources
+---
+
+# gcp.project.sqlService
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud SQL resources
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------------------------------------------------------------------------------- | -------------------------------------------------- |
+| projectId | string | Project ID |
+| instances | [][gcp.project.sqlService.instance](gcp.project.sqlservice.instance.md) | List of Cloud SQL instances in the current project |
+
+**References**
+
+- [Cloud SQL overview](https://cloud.google.com/sql/docs/introduction)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.storageservice.bucket.md b/docs/mql/resources/gcp-pack/gcp.project.storageservice.bucket.md
new file mode 100644
index 000000000..7673cabd2
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.storageservice.bucket.md
@@ -0,0 +1,39 @@
+---
+title: gcp.project.storageService.bucket
+id: gcp.project.storageService.bucket
+sidebar_label: gcp.project.storageService.bucket
+displayed_sidebar: MQL
+description: GCP Cloud Storage bucket
+---
+
+# gcp.project.storageService.bucket
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud Storage bucket
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ----------------------------------------------------------------------- | --------------------- |
+| id | string | Bucket ID |
+| projectId | string | Project ID |
+| name | string | Bucket name |
+| labels | map[string]string | User-defined labels |
+| location | string | Bucket location |
+| locationType | string | Bucket location type |
+| projectNumber | string | Project number |
+| storageClass | string | Default storage class |
+| created | time | Creation timestamp |
+| updated | time | Update timestamp |
+| iamPolicy | [][gcp.resourcemanager.binding](gcp.resourcemanager.binding.md) | IAM policy |
+| iamConfiguration | dict | IAM configuration |
+| retentionPolicy | dict | Retention policy |
+
+**References**
+
+- [About Cloud Storage buckets](https://cloud.google.com/storage/docs/buckets)
diff --git a/docs/mql/resources/gcp-pack/gcp.project.storageservice.md b/docs/mql/resources/gcp-pack/gcp.project.storageservice.md
new file mode 100644
index 000000000..af321c5a5
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.project.storageservice.md
@@ -0,0 +1,28 @@
+---
+title: gcp.project.storageService
+id: gcp.project.storageService
+sidebar_label: gcp.project.storageService
+displayed_sidebar: MQL
+description: GCP Cloud Storage
+---
+
+# gcp.project.storageService
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Cloud Storage
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ----------------------------------------------------------------------------------- | ---------------- |
+| projectId | string | Project ID |
+| buckets | [][gcp.project.storageService.bucket](gcp.project.storageservice.bucket.md) | List all buckets |
+
+**References**
+
+- [Product overview of Cloud Storage](https://cloud.google.com/storage/docs/introduction)
diff --git a/docs/mql/resources/gcp-pack/gcp.projects.md b/docs/mql/resources/gcp-pack/gcp.projects.md
new file mode 100644
index 000000000..368f11720
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.projects.md
@@ -0,0 +1,33 @@
+---
+title: gcp.projects
+id: gcp.projects
+sidebar_label: gcp.projects
+displayed_sidebar: MQL
+description: GCP projects
+---
+
+# gcp.projects
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP projects
+
+**List**
+
+[]gcp.project
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | --------------------------------------- | -------------------------------------------------- |
+| parentId | string | Parent ID |
+| children | [][gcp.project](gcp.project.md) | List of the children projects only (non-recursive) |
+| list | [][gcp.project](gcp.project.md) | |
+
+**References**
+
+- [Creating and managing projects](https://cloud.google.com/resource-manager/docs/creating-managing-projects)
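Review bot: the `list` row has an empty DESCRIPTION cell; fill it in, or drop the row if the **List** section above is meant to cover it. In the `children` row, "List of the children projects only" should read "List of child projects only".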
diff --git a/docs/mql/resources/gcp-pack/gcp.recommendation.md b/docs/mql/resources/gcp-pack/gcp.recommendation.md
new file mode 100644
index 000000000..96c53c99c
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.recommendation.md
@@ -0,0 +1,38 @@
+---
+title: gcp.recommendation
+id: gcp.recommendation
+sidebar_label: gcp.recommendation
+displayed_sidebar: MQL
+description: GCP recommendation and suggested action
+---
+
+# gcp.recommendation
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP recommendation and suggested action
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | -------------- | ------------------------------------------------------------------- |
+| id | string | ID of recommendation |
+| projectId | string | Project ID |
+| zoneName | string | Zone name |
+| name | string | Description of the recommendation |
+| recommender | string | Recommender |
+| primaryImpact | dict | The primary impact that this recommendation can have |
+| additionalImpact | []dict | Optional set of additional impact that this recommendation can have |
+| content | dict | Recommended changes to resources |
+| category | string | Category of primary impact |
+| priority | string | Recommendation's priority |
+| lastRefreshTime | time | Last time this recommendation was refreshed |
+| state | dict | State and metadata of recommendation |
+
+**References**
+
+- [Recommendations](https://cloud.google.com/recommender/docs/key-concepts)
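Review bot: in the `additionalImpact` row, "Optional set of additional impact" should be "additional impacts". The `name` row is described as "Description of the recommendation", which reads like a mismatch between the field name and its meaning; confirm that it is intended, and if so say that `name` holds free-text description rather than an identifier.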
diff --git a/docs/mql/resources/gcp-pack/gcp.resourcemanager.binding.md b/docs/mql/resources/gcp-pack/gcp.resourcemanager.binding.md
new file mode 100644
index 000000000..adfeb9670
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.resourcemanager.binding.md
@@ -0,0 +1,29 @@
+---
+title: gcp.resourcemanager.binding
+id: gcp.resourcemanager.binding
+sidebar_label: gcp.resourcemanager.binding
+displayed_sidebar: MQL
+description: GCP Resource Manager binding
+---
+
+# gcp.resourcemanager.binding
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP Resource Manager binding
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ---------------- | -------------------------------------------------------- |
+| id | string | Internal ID |
+| members | []string | Principals requesting access for a Google Cloud resource |
+| role | string | Role assigned to the list of members or principals |
+
+**References**
+
+- [Creating and managing projects](https://cloud.google.com/resource-manager/docs/creating-managing-projects)
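Review bot: the References link points to "Creating and managing projects", which covers projects rather than role bindings; link a page about IAM policies and bindings instead. In the `members` row, "Principals requesting access for a Google Cloud resource" sits oddly next to the `role` row's "Role assigned to the list of members"; wording it as the principals the role is granted to would make the two rows agree.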
diff --git a/docs/mql/resources/gcp-pack/gcp.service.md b/docs/mql/resources/gcp-pack/gcp.service.md
new file mode 100644
index 000000000..adffd8217
--- /dev/null
+++ b/docs/mql/resources/gcp-pack/gcp.service.md
@@ -0,0 +1,28 @@
+---
+title: gcp.service
+id: gcp.service
+sidebar_label: gcp.service
+displayed_sidebar: MQL
+description: GCP service
+---
+
+# gcp.service
+
+**Supported platform**
+
+- gcp
+
+**Description**
+
+GCP service
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | ------------------------------ |
+| projectId | string | Project ID |
+| name | string | Service name |
+| parentName | string | Service parent name |
+| title | string | Service title |
+| state | string | Service state |
+| enabled | bool | Whether the service is enabled |
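Review bot: this page has no **References** section, unlike the other GCP pages in this patch, and the `state` row does not list its possible values or say how it relates to the `enabled` row below it. Add the section and document the values, since checks for unexpectedly enabled services depend on them.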
diff --git a/docs/mql/resources/github-pack/README.md b/docs/mql/resources/github-pack/README.md
new file mode 100644
index 000000000..a5ea4a2ea
--- /dev/null
+++ b/docs/mql/resources/github-pack/README.md
@@ -0,0 +1,38 @@
+---
+title: GitHub Resource Pack - MQL Resources
+id: github.pack
+sidebar_label: GitHub Resource Pack
+displayed_sidebar: MQL
+description: The GitHub resource pack lets you use MQL to query and assess the security of your GitHub organization and repositories.
+---
+
+# Mondoo GitHub Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| ----------------------------------------------------- | ----------------------------------- |
+| [git.commit](git.commit.md) | Git commit |
+| [git.commitAuthor](git.commitauthor.md) | Git commit author |
+| [git.gpgSignature](git.gpgsignature.md) | Git GPG signature |
+| [github](github.md) | |
+| [github.branch](github.branch.md) | GitHub repository branch |
+| [github.branchprotection](github.branchprotection.md) | GitHub repository branch protection |
+| [github.collaborator](github.collaborator.md) | GitHub collaborator |
+| [github.commit](github.commit.md) | GitHub repository commit |
+| [github.file](github.file.md) | GitHub repository file |
+| [github.gist](github.gist.md) | GitHub gist |
+| [github.gistfile](github.gistfile.md) | GitHub gist file |
+| [github.installation](github.installation.md) | GitHub application installation |
+| [github.issue](github.issue.md) | GitHub issue |
+| [github.license](github.license.md) | GitHub license |
+| [github.mergeRequest](github.mergerequest.md) | GitHub repository pull request |
+| [github.organization](github.organization.md) | GitHub organization |
+| [github.package](github.package.md) | GitHub package |
+| [github.release](github.release.md) | GitHub release |
+| [github.repository](github.repository.md) | GitHub repository |
+| [github.review](github.review.md) | GitHub repository review |
+| [github.team](github.team.md) | GitHub team |
+| [github.user](github.user.md) | GitHub user |
+| [github.webhook](github.webhook.md) | GitHub webhook |
+| [github.workflow](github.workflow.md) | GitHub workflow |
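Review bot: the `github` row has an empty DESCRIPTION cell, the only one in this table. Give it a one-line description, and note that `github.branchprotection`, `github.gistfile` and the other entries mix lowercase and camelCase IDs (`github.mergeRequest`); if that reflects the real resource names, leave it, otherwise align them.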
diff --git a/docs/mql/resources/github-pack/git.commit.md b/docs/mql/resources/github-pack/git.commit.md
new file mode 100644
index 000000000..147f3102c
--- /dev/null
+++ b/docs/mql/resources/github-pack/git.commit.md
@@ -0,0 +1,23 @@
+---
+title: git.commit
+id: git.commit
+sidebar_label: git.commit
+displayed_sidebar: MQL
+description: Git commit
+---
+
+# git.commit
+
+**Description**
+
+Git commit
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------- | --------------------------------------- | ----------------------------------------------- |
+| sha | string | Git commit SHA |
+| message | string | Git commit message |
+| author | [git.commitAuthor](git.commitauthor.md) | Git commit author |
+| committer | [git.commitAuthor](git.commitauthor.md) | Git commit committer |
+| signatureVerification | [git.gpgSignature](git.gpgsignature.md) | The GPG signature of the commit if there is one |
diff --git a/docs/mql/resources/github-pack/git.commitauthor.md b/docs/mql/resources/github-pack/git.commitauthor.md
new file mode 100644
index 000000000..f95a0c6dd
--- /dev/null
+++ b/docs/mql/resources/github-pack/git.commitauthor.md
@@ -0,0 +1,22 @@
+---
+title: git.commitAuthor
+id: git.commitAuthor
+sidebar_label: git.commitAuthor
+displayed_sidebar: MQL
+description: Git commit author
+---
+
+# git.commitAuthor
+
+**Description**
+
+Git commit author
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----- | ------ | -------------- |
+| sha | string | Author shasum |
+| name | string | Author name |
+| email | string | Author email |
+| date | time | Date of commit |
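Review bot: in the `sha` row, "Author shasum" does not say what is hashed; state whether this is the commit SHA or an internal identifier. The descriptions also all say "Author", but `git.commit` in the previous file uses this resource for `committer` as well, so "Date of commit" and "Author name" are ambiguous for that case.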
diff --git a/docs/mql/resources/github-pack/git.gpgsignature.md b/docs/mql/resources/github-pack/git.gpgsignature.md
new file mode 100644
index 000000000..7af884c09
--- /dev/null
+++ b/docs/mql/resources/github-pack/git.gpgsignature.md
@@ -0,0 +1,23 @@
+---
+title: git.gpgSignature
+id: git.gpgSignature
+sidebar_label: git.gpgSignature
+displayed_sidebar: MQL
+description: Git GPG signature
+---
+
+# git.gpgSignature
+
+**Description**
+
+Git GPG signature
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------ | --------------------------------- |
+| sha | string | GPG signature shasum |
+| reason | string | GPG signature reason |
+| verified | bool | Whether GPG signature is verified |
+| payload | string | GPG signature payload |
+| signature | string | GPG signature |
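Review bot: the `reason` row ("GPG signature reason") only restates the field name; say what the reason explains, presumably the outcome reported in `verified`, and list the values if they are fixed. The `sha` row ("GPG signature shasum") has the same problem: it does not say what the hash is computed over.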
diff --git a/docs/mql/resources/github-pack/github.branch.md b/docs/mql/resources/github-pack/github.branch.md
new file mode 100644
index 000000000..f8852550a
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.branch.md
@@ -0,0 +1,26 @@
+---
+title: github.branch
+id: github.branch
+sidebar_label: github.branch
+displayed_sidebar: MQL
+description: GitHub repository branch
+---
+
+# github.branch
+
+**Description**
+
+GitHub repository branch
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------------------------------------------- | ---------------------------------------- |
+| name | string | Repository branch name |
+| protected | bool | Deprecated; use isProtected instead |
+| isProtected | bool | Whether branch protection is enabled |
+| headCommit | [github.commit](github.commit.md) | Repository branch HEAD commit |
+| protectionRules | [github.branchprotection](github.branchprotection.md) | Repository branch protection rules |
+| repoName | string | Repository branch repository name |
+| owner | [github.user](github.user.md) | Repository branch owner |
+| isDefault | bool | Whether the branch is the default branch |
diff --git a/docs/mql/resources/github-pack/github.branchprotection.md b/docs/mql/resources/github-pack/github.branchprotection.md
new file mode 100644
index 000000000..4ec1bae9a
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.branchprotection.md
@@ -0,0 +1,28 @@
+---
+title: github.branchprotection
+id: github.branchprotection
+sidebar_label: github.branchprotection
+displayed_sidebar: MQL
+description: GitHub repository branch protection
+---
+
+# github.branchprotection
+
+**Description**
+
+GitHub repository branch protection
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------------ | ------ | ---------------------------------------------- |
+| id | string | Repository branch protection ID |
+| requiredStatusChecks | dict | Require status checks to pass before merging |
+| requiredPullRequestReviews | dict | Require a pull request before merging |
+| requiredConversationResolution | dict | Require conversation resolution before merging |
+| requiredSignatures | bool | Require signed commits |
+| requireLinearHistory | dict | Require linear history |
+| enforceAdmins | dict | Include administrators |
+| restrictions | dict | Restrict who can push to matching branches |
+| allowForcePushes | dict | Allow force pushes |
+| allowDeletions | dict | Allow deletions |
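Review bot: the `allowForcePushes` and `allowDeletions` rows are typed `dict` but described as "Allow force pushes" and "Allow deletions", which reads as if the setting is switched on. Someone writing a check needs to know which key of the dict carries the enabled flag; document the keys, or at least word these as "Settings for whether force pushes are allowed". The same applies to the other `dict` rows, since only `requiredSignatures` is a `bool`.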
diff --git a/docs/mql/resources/github-pack/github.collaborator.md b/docs/mql/resources/github-pack/github.collaborator.md
new file mode 100644
index 000000000..2958c2ebc
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.collaborator.md
@@ -0,0 +1,21 @@
+---
+title: github.collaborator
+id: github.collaborator
+sidebar_label: github.collaborator
+displayed_sidebar: MQL
+description: GitHub collaborator
+---
+
+# github.collaborator
+
+**Description**
+
+GitHub collaborator
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ----------------------------- | ------------------------------- |
+| id | int | Collaborator ID |
+| user | [github.user](github.user.md) | Collaborator's user information |
+| permissions | []string | Collaborator's permissions |
diff --git a/docs/mql/resources/github-pack/github.commit.md b/docs/mql/resources/github-pack/github.commit.md
new file mode 100644
index 000000000..4cc29ffe0
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.commit.md
@@ -0,0 +1,26 @@
+---
+title: github.commit
+id: github.commit
+sidebar_label: github.commit
+displayed_sidebar: MQL
+description: GitHub repository commit
+---
+
+# github.commit
+
+**Description**
+
+GitHub repository commit
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ----------------------------- | ---------------------- |
+| owner | string | Commit owner |
+| repository | string | Commit repository |
+| sha | string | Commit SHA |
+| url | string | Commit URL |
+| author | [github.user](github.user.md) | Commit author |
+| committer | [github.user](github.user.md) | Commit committer |
+| commit | [git.commit](git.commit.md) | Commit resource object |
+| stats | dict | Commit stats |
diff --git a/docs/mql/resources/github-pack/github.file.md b/docs/mql/resources/github-pack/github.file.md
new file mode 100644
index 000000000..471532bf6
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.file.md
@@ -0,0 +1,27 @@
+---
+title: github.file
+id: github.file
+sidebar_label: github.file
+displayed_sidebar: MQL
+description: GitHub repository file
+---
+
+# github.file
+
+**Description**
+
+GitHub repository file
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | --------------------------------------- | ------------------------------ |
+| path | string | File path |
+| name | string | File name |
+| type | string | File type |
+| sha | string | File shasum |
+| isBinary | bool | Whether the file is a binary |
+| files | [][github.file](github.file.md) | List of files in the directory |
+| ownerName | string | File owner |
+| repoName | string | File repository name |
+| content | string | File content |
diff --git a/docs/mql/resources/github-pack/github.gist.md b/docs/mql/resources/github-pack/github.gist.md
new file mode 100644
index 000000000..12415d623
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.gist.md
@@ -0,0 +1,25 @@
+---
+title: github.gist
+id: github.gist
+sidebar_label: github.gist
+displayed_sidebar: MQL
+description: GitHub gist
+---
+
+# github.gist
+
+**Description**
+
+GitHub gist
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ----------------------------------------------- | -------------------------- |
+| id | string | Gist ID |
+| description | string | Gist description |
+| createdAt | time | Gist create time |
+| updatedAt | time | Gist update time |
+| owner | [github.user](github.user.md) | Gist owner |
+| public | bool | Whether the gist is public |
+| files | [][github.gistfile](github.gistfile.md) | Gist files |
diff --git a/docs/mql/resources/github-pack/github.gistfile.md b/docs/mql/resources/github-pack/github.gistfile.md
new file mode 100644
index 000000000..ae150b3cb
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.gistfile.md
@@ -0,0 +1,25 @@
+---
+title: github.gistfile
+id: github.gistfile
+sidebar_label: github.gistfile
+displayed_sidebar: MQL
+description: GitHub gist file
+---
+
+# github.gistfile
+
+**Description**
+
+GitHub gist file
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ------ | ------------------ |
+| gistId | string | Gist ID |
+| filename | string | Gist file name |
+| type | string | Gist file type |
+| language | string | Gist file language |
+| rawUrl | string | Gist file raw URL |
+| size | int | Gist file size |
+| content | string | Gist file content |
diff --git a/docs/mql/resources/github-pack/github.installation.md b/docs/mql/resources/github-pack/github.installation.md
new file mode 100644
index 000000000..b6d096c64
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.installation.md
@@ -0,0 +1,23 @@
+---
+title: github.installation
+id: github.installation
+sidebar_label: github.installation
+displayed_sidebar: MQL
+description: GitHub application installation
+---
+
+# github.installation
+
+**Description**
+
+GitHub application installation
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------ | ------------------------------------ |
+| id | int | Application installation ID |
+| appId | int | Application configured ID |
+| appSlug | string | Application configured slug |
+| createdAt | time | Application installation create time |
+| updatedAt | time | Application installation update time |
diff --git a/docs/mql/resources/github-pack/github.issue.md b/docs/mql/resources/github-pack/github.issue.md
new file mode 100644
index 000000000..ef55ea7aa
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.issue.md
@@ -0,0 +1,29 @@
+---
+title: github.issue
+id: github.issue
+sidebar_label: github.issue
+displayed_sidebar: MQL
+description: GitHub issue
+---
+
+# github.issue
+
+**Description**
+
+GitHub issue
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | --------------------------------------- | ----------------------------------- |
+| id | int | Issue ID |
+| number | int | Issue number |
+| title | string | Issue title |
+| state | string | Issue state |
+| body | string | Issue body |
+| url | string | Issue URL |
+| createdAt | time | Issue create time |
+| updatedAt | time | Issue update time |
+| closedAt | time | Issue closed time |
+| assignees | [][github.user](github.user.md) | Users to whom the issue is assigned |
+| closedBy | [github.user](github.user.md) | User who closed the issue |
diff --git a/docs/mql/resources/github-pack/github.license.md b/docs/mql/resources/github-pack/github.license.md
new file mode 100644
index 000000000..2111358a3
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.license.md
@@ -0,0 +1,22 @@
+---
+title: github.license
+id: github.license
+sidebar_label: github.license
+displayed_sidebar: MQL
+description: GitHub license
+---
+
+# github.license
+
+**Description**
+
+GitHub license
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ------ | --------------- |
+| key | string | License key |
+| name | string | License name |
+| url | string | License URL |
+| spdxId | string | License spdx ID |
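Review bot: in the `spdxId` row, "License spdx ID" should capitalize the acronym: "License SPDX ID". The `key` row ("License key") could be mistaken for a product license key; a short qualifier such as "License identifier key" would avoid that.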
diff --git a/docs/mql/resources/github-pack/github.md b/docs/mql/resources/github-pack/github.md
new file mode 100644
index 000000000..535e03730
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.md
@@ -0,0 +1,8 @@
+---
+title: github
+id: github
+sidebar_label: github
+displayed_sidebar: MQL
+---
+
+# github
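Review bot: this page has no `description` in its front matter and no body below the `# github` heading, unlike every other resource page in this pack. Add a `description` line and at least a **Description** section, so the page and the empty `github` row in the pack README have something to show.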
diff --git a/docs/mql/resources/github-pack/github.mergerequest.md b/docs/mql/resources/github-pack/github.mergerequest.md
new file mode 100644
index 000000000..5ff1565ae
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.mergerequest.md
@@ -0,0 +1,29 @@
+---
+title: github.mergeRequest
+id: github.mergeRequest
+sidebar_label: github.mergeRequest
+displayed_sidebar: MQL
+description: GitHub repository pull request
+---
+
+# github.mergeRequest
+
+**Description**
+
+GitHub repository pull request
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------------------------------------------- | ----------------------------------- |
+| id | int | Pull request ID |
+| number | int | Pull request number |
+| state | string | Pull request state |
+| createdAt | time | Pull request creation time (in UTC) |
+| labels | []dict | Pull request labels |
+| title | string | Pull request title |
+| owner | [github.user](github.user.md) | Pull request owner |
+| assignees | [][github.user](github.user.md) | Pull request assignees |
+| commits | [][github.commit](github.commit.md) | Pull request commits |
+| reviews | [][github.review](github.review.md) | Pull request reviews |
+| repoName | string | Pull request repository name |
diff --git a/docs/mql/resources/github-pack/github.organization.md b/docs/mql/resources/github-pack/github.organization.md
new file mode 100644
index 000000000..d4fb3f8f0
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.organization.md
@@ -0,0 +1,58 @@
+---
+title: github.organization
+id: github.organization
+sidebar_label: github.organization
+displayed_sidebar: MQL
+description: GitHub organization
+---
+
+# github.organization
+
+**Description**
+
+GitHub organization
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------------------ | ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| login | string | Organization login |
+| id | int | Organization ID |
+| nodeId | string | Organization global node ID |
+| name | string | Organization name |
+| company | string | Organization company |
+| blog | string | Organization blog |
+| location | string | Organization location |
+| email | string | Organization email |
+| twitterUsername | string | Organization Twitter handle |
+| avatarUrl | string | Organization profile picture URL |
+| followers | int | Organization's number of followers |
+| following | int | Number of organizations the organization is following |
+| description | string | Organization description |
+| createdAt | time | Create time for the organization |
+| updatedAt | time | Update time for the organization |
+| totalPrivateRepos | int | Number of private repositories |
+| ownedPrivateRepos | int | Number of owned private repositories for the organization |
+| privateGists | int | Number of private gists |
+| diskUsage | int | Disk usage for the organization |
+| collaborators | int | Number of collaborators for the organization |
+| billingEmail | string | Organization billing email |
+| plan | dict | GitHub plan the organization is subscribed to |
+| twoFactorRequirementEnabled | bool | Whether two-factor authentication is required for all members. This value will be null if the API token does not have owner access on the organization. |
+| isVerified | bool | Whether the organization is verified by GitHub |
+| defaultRepositoryPermission | string | The default repository permission |
+| membersCanCreateRepositories | bool | Whether members can create repositories |
+| membersCanCreatePublicRepositories | bool | Whether members can create public repositories |
+| membersCanCreatePrivateRepositories | bool | Whether members can create private repositories |
+| membersCanCreateInternalRepositories | bool | Whether members can create internal repositories |
+| membersCanCreatePages | bool | Whether members can create pages |
+| membersCanCreatePublicPages | bool | Whether members can create public pages |
+| membersCanCreatePrivatePages | bool | Whether members can create private pages |
+| membersCanForkPrivateRepos | bool | Whether members can fork private repositories to their own GitHub account |
+| owners | [][github.user](github.user.md) | List of users that are part of the owners group |
+| members | [][github.user](github.user.md) | List of users that are part of the members group |
+| teams | [][github.team](github.team.md) | List of users that are part of the teams group |
+| repositories | [][github.repository](github.repository.md) | List of repositories |
+| installations | [][github.installation](github.installation.md) | List of GitHub installations |
+| webhooks | [][github.webhook](github.webhook.md) | List of webhooks |
+| packages | [][github.package](github.package.md) | List of packages |
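Review bot: The `teams` row describes a `[]github.team` field as "List of users that are part of the teams group", wording that appears copied from the `owners` and `members` rows above it. It should describe teams, for example "List of teams in the organization". The `twoFactorRequirementEnabled` row is the only one that documents a null value when the token lacks owner access; if other rows in this table behave the same way, say so on those rows too, so a null is not read as false in a policy check.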
diff --git a/docs/mql/resources/github-pack/github.package.md b/docs/mql/resources/github-pack/github.package.md
new file mode 100644
index 000000000..d318bf583
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.package.md
@@ -0,0 +1,27 @@
+---
+title: github.package
+id: github.package
+sidebar_label: github.package
+displayed_sidebar: MQL
+description: GitHub package
+---
+
+# github.package
+
+**Description**
+
+GitHub package
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ----------------------------------------- | ------------------------------ |
+| id | int | Package ID |
+| name | string | Package name |
+| packageType | string | Package type |
+| owner | [github.user](github.user.md) | Package owner |
+| createdAt | time | Package create time |
+| updatedAt | time | Package update time |
+| versionCount | int | Package version numbers |
+| visibility | string | Package visibility |
+| repository | [github.repository](github.repository.md) | Package repository information |
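Review bot: The `versionCount` row is typed `int` but described as "Package version numbers", which reads as a list of version strings; "Number of package versions" matches the type. The `packageType` and `visibility` rows would be more useful with their allowed values listed, as the `visibility` rows in the GitLab tables later in this patch do.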
diff --git a/docs/mql/resources/github-pack/github.release.md b/docs/mql/resources/github-pack/github.release.md
new file mode 100644
index 000000000..b68d7bb43
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.release.md
@@ -0,0 +1,22 @@
+---
+title: github.release
+id: github.release
+sidebar_label: github.release
+displayed_sidebar: MQL
+description: GitHub release
+---
+
+# github.release
+
+**Description**
+
+GitHub release
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | ------------------------------------ |
+| url | string | Release url |
+| name | string | Release name |
+| tagName | string | Release tag name |
+| preRelease | bool | Whether the release is a pre-release |
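Review bot: The `url` row says "Release url" in lower case, while the other tables in this patch write "URL" (for example "Repository clone URL" and "Webhook URL"). Change it to "Release URL" for consistency.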
diff --git a/docs/mql/resources/github-pack/github.repository.md b/docs/mql/resources/github-pack/github.repository.md
new file mode 100644
index 000000000..9de583887
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.repository.md
@@ -0,0 +1,73 @@
+---
+title: github.repository
+id: github.repository
+sidebar_label: github.repository
+displayed_sidebar: MQL
+description: GitHub repository
+---
+
+# github.repository
+
+**Description**
+
+GitHub repository
+
+**Init**
+
+github.repository(name string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------- | ------------------------------------------------------- | ------------------------------------------------------------------ |
+| id | int | can only be used when logged in to github as a user, Repository ID |
+| name | string | Repository name |
+| fullName | string | Repository full name |
+| description | string | Repository description |
+| cloneUrl | string | Repository clone URL |
+| sshUrl | string | Repository SSH URL |
+| homepage | string | Repository homepage |
+| topics | []string | Repository topics |
+| language | string | Repository language |
+| watchersCount | int | Number of users watching the repository |
+| forksCount | int | Number of repository forks |
+| stargazersCount | int | Number of repository stargazers |
+| openIssuesCount | int | Number of open issues in repository |
+| createdAt | time | Repository create time |
+| updatedAt | time | Repository update time |
+| pushedAt | time | Repository pushed time |
+| archived | bool | Whether the repository is archived |
+| disabled | bool | Whether the repository is disabled |
+| private | bool | Whether the repository is private |
+| isFork | bool | Whether the repository is a fork |
+| visibility | string | Repository visibility |
+| allowAutoMerge | bool | Whether the repository allows auto merging |
+| allowForking | bool | Whether the repository allows forking |
+| allowMergeCommit | bool | Whether the repository allows merge commit |
+| allowRebaseMerge | bool | Whether the repository allows rebase merge |
+| allowSquashMerge | bool | Whether the repository allows squash merge |
+| hasIssues | bool | Whether the repository has open issues |
+| hasProjects | bool | Whether the repository has projects |
+| hasWiki | bool | Whether the repository has a wiki |
+| hasPages | bool | Whether the repository has pages |
+| hasDownloads | bool | Whether the repository has downloads |
+| hasDiscussions | bool | Whether the repository has discussions |
+| isTemplate | bool | Whether the repository is an organization repository template |
+| openMergeRequests | [][github.mergeRequest](github.mergerequest.md) | List of open merge requests for the repository |
+| closedMergeRequests | [][github.mergeRequest](github.mergerequest.md) | List of closed merge requests for the repository |
+| allMergeRequests | [][github.mergeRequest](github.mergerequest.md) | List of all merge requests for the repository |
+| branches | [][github.branch](github.branch.md) | List of branches for the repository |
+| defaultBranchName | string | Default branch name for the repository |
+| commits | [][github.commit](github.commit.md) | List of commits for the repository |
+| contributors | [][github.user](github.user.md) | List of contributors for the repository |
+| collaborators | [][github.collaborator](github.collaborator.md) | List of collaborators for the repository |
+| files | [][github.file](github.file.md) | List of files in the repository |
+| releases | [][github.release](github.release.md) | List of releases for the repository |
+| owner | [github.user](github.user.md) | Repository owner |
+| webhooks | [][github.webhook](github.webhook.md) | List of webhooks for the repository |
+| workflows | [][github.workflow](github.workflow.md) | List of workflows for the repository |
+| forks | [][github.repository](github.repository.md) | List of repository forks |
+| stargazers | [][github.user](github.user.md) | List of repository stargazers |
+| openIssues | [][github.issue](github.issue.md) | List of repository open issues |
+| closedIssues | [][github.issue](github.issue.md) | List of repository closed issues |
+| license | [github.license](github.license.md) | Repository license |
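Review bot: The `id` row's description, "can only be used when logged in to github as a user, Repository ID", puts what looks like a stray implementation comment ahead of the actual description, with "github" in lower case. Lead with "Repository ID" and, if the restriction is real, state it as a full sentence after it. Also check the `hasIssues` row: "Whether the repository has open issues" overlaps with `openIssuesCount` and `openIssues`, while the neighbouring `hasWiki`, `hasProjects` and `hasDiscussions` rows describe features, so confirm whether this field reports open issues or the issues feature being enabled.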
diff --git a/docs/mql/resources/github-pack/github.review.md b/docs/mql/resources/github-pack/github.review.md
new file mode 100644
index 000000000..93d3e736f
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.review.md
@@ -0,0 +1,22 @@
+---
+title: github.review
+id: github.review
+sidebar_label: github.review
+displayed_sidebar: MQL
+description: GitHub repository review
+---
+
+# github.review
+
+**Description**
+
+GitHub repository review
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ----------------------------- | ----------------------- |
+| url | string | Review URL |
+| state | string | Review state |
+| authorAssociation | string | Author association |
+| user | [github.user](github.user.md) | Review user information |
diff --git a/docs/mql/resources/github-pack/github.team.md b/docs/mql/resources/github-pack/github.team.md
new file mode 100644
index 000000000..3afbd66e0
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.team.md
@@ -0,0 +1,27 @@
+---
+title: github.team
+id: github.team
+sidebar_label: github.team
+displayed_sidebar: MQL
+description: GitHub team
+---
+
+# github.team
+
+**Description**
+
+GitHub team
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | --------------------------------------------------- | -------------------------- |
+| id | int | Team ID |
+| name | string | Team name |
+| description | string | Team description |
+| slug | string | Team slug |
+| privacy | string | Team privacy configuration |
+| defaultPermission | string | Team default permission |
+| members | [][github.user](github.user.md) | Team members |
+| repositories | [][github.repository](github.repository.md) | Team owned repositories |
+| organization | [github.organization](github.organization.md) | Team organization |
diff --git a/docs/mql/resources/github-pack/github.user.md b/docs/mql/resources/github-pack/github.user.md
new file mode 100644
index 000000000..a40957298
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.user.md
@@ -0,0 +1,35 @@
+---
+title: github.user
+id: github.user
+sidebar_label: github.user
+displayed_sidebar: MQL
+description: GitHub user
+---
+
+# github.user
+
+**Description**
+
+GitHub user
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | --------------------------------------------------- | ---------------------------- |
+| id | int | User ID |
+| login | string | User login |
+| name | string | User name |
+| email | string | User email |
+| bio | string | User bio |
+| blog | string | User blog URL |
+| location | string | User location |
+| avatarUrl | string | User profile picture URL |
+| followers | int | User followers |
+| following | int | User following |
+| twitterUsername | string | User Twitter handle |
+| createdAt | time | User create time in UTC |
+| updatedAt | time | Last user update time in UTC |
+| suspendedAt | time | When the user was suspended |
+| company | string | User's company |
+| repositories | [][github.repository](github.repository.md) | User's repositories |
+| gists | [][github.gist](github.gist.md) | User gists |
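Review bot: The `followers` and `following` rows are typed `int` but described as "User followers" and "User following", which read as lists; the organization table in this patch uses "number of followers" for the same kind of field. Suggest "Number of followers" and "Number of users the user is following". The `createdAt` and `updatedAt` rows state UTC but `suspendedAt` does not; either state the time zone on all three or on none.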
diff --git a/docs/mql/resources/github-pack/github.webhook.md b/docs/mql/resources/github-pack/github.webhook.md
new file mode 100644
index 000000000..2d040feac
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.webhook.md
@@ -0,0 +1,24 @@
+---
+title: github.webhook
+id: github.webhook
+sidebar_label: github.webhook
+displayed_sidebar: MQL
+description: GitHub webhook
+---
+
+# github.webhook
+
+**Description**
+
+GitHub webhook
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ---------------- | ------------------------------ |
+| id | int | Webhook ID |
+| name | string | Webhook name |
+| url | string | Webhook URL |
+| events | []string | List of events for the webhook |
+| config | dict | Webhook config |
+| active | bool | Whether the webhook is active |
diff --git a/docs/mql/resources/github-pack/github.workflow.md b/docs/mql/resources/github-pack/github.workflow.md
new file mode 100644
index 000000000..ab4a36c34
--- /dev/null
+++ b/docs/mql/resources/github-pack/github.workflow.md
@@ -0,0 +1,26 @@
+---
+title: github.workflow
+id: github.workflow
+sidebar_label: github.workflow
+displayed_sidebar: MQL
+description: GitHub workflow
+---
+
+# github.workflow
+
+**Description**
+
+GitHub workflow
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ----------------------------- | ---------------------- |
+| id | int | Workflow ID |
+| name | string | Workflow name |
+| path | string | Workflow path |
+| state | string | Workflow state |
+| createdAt | time | Workflow create time |
+| updatedAt | time | Workflow update time |
+| file | [github.file](github.file.md) | Workflow file |
+| configuration | dict | Workflow configuration |
diff --git a/docs/mql/resources/gitlab-pack/README.md b/docs/mql/resources/gitlab-pack/README.md
new file mode 100644
index 000000000..47812ab30
--- /dev/null
+++ b/docs/mql/resources/gitlab-pack/README.md
@@ -0,0 +1,16 @@
+---
+title: GitLab Resource Pack - MQL Resources
+id: gitlab.pack
+sidebar_label: GitLab Resource Pack
+displayed_sidebar: MQL
+description: The GitLab resource pack lets you use MQL to query and assess the security of your GitLab organization and repositories.
+---
+
+# Mondoo GitLab Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| ----------------------------------- | -------------- |
+| [gitlab.group](gitlab.group.md) | GitLab group |
+| [gitlab.project](gitlab.project.md) | GitLab project |
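Review bot: The frontmatter `description` says the pack assesses "your GitLab organization and repositories", but the resources listed in the table are `gitlab.group` and `gitlab.project`. That wording looks carried over from the GitHub pack; use "groups and projects" so the description matches the terms the resources themselves use.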
diff --git a/docs/mql/resources/gitlab-pack/gitlab.group.md b/docs/mql/resources/gitlab-pack/gitlab.group.md
new file mode 100644
index 000000000..981d1b774
--- /dev/null
+++ b/docs/mql/resources/gitlab-pack/gitlab.group.md
@@ -0,0 +1,34 @@
+---
+title: gitlab.group
+id: gitlab.group
+sidebar_label: gitlab.group
+displayed_sidebar: MQL
+description: GitLab group
+---
+
+# gitlab.group
+
+**Maturity**
+
+experimental
+
+**Description**
+
+GitLab group
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------------ | --------------------------------------------- | -------------------------------------------------------------------------------- |
+| id | int | Group ID |
+| name | string | Group name |
+| path | string | Group path |
+| createdAt | time | Create date of the group |
+| description | string | Group description |
+| webURL | string | URL of the group |
+| visibility | string | The group's visibility level: private, internal, or public |
+| requireTwoFactorAuthentication | bool | Whether all users in this group are required to set up two-factor authentication |
+| preventForkingOutsideGroup | bool | Whether forking projects outside this group is forbidden |
+| emailsDisabled | bool | Whether group email notifications are disabled |
+| mentionsDisabled | bool | Whether group mentions within issues and merge requests are disabled |
+| projects | [][gitlab.project](gitlab.project.md) | List of all projects that belong to the group |
diff --git a/docs/mql/resources/gitlab-pack/gitlab.project.md b/docs/mql/resources/gitlab-pack/gitlab.project.md
new file mode 100644
index 000000000..3deac57c0
--- /dev/null
+++ b/docs/mql/resources/gitlab-pack/gitlab.project.md
@@ -0,0 +1,46 @@
+---
+title: gitlab.project
+id: gitlab.project
+sidebar_label: gitlab.project
+displayed_sidebar: MQL
+description: GitLab project
+---
+
+# gitlab.project
+
+**Maturity**
+
+experimental
+
+**Description**
+
+GitLab project
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------------------------------- | ------ | ------------------------------------------------------------------------------ |
+| id | int | Project ID |
+| name | string | Project name |
+| fullName | string | The full name of the project, including the namespace |
+| path | string | Project path |
+| createdAt | time | Create date of the project |
+| description | string | Project description |
+| defaultBranch | string | Default Git branch |
+| visibility | string | The project's visibility level: private, internal, or public |
+| archived | bool | Whether the project is archived |
+| mirror | bool | Whether the project is a mirror |
+| webURL | string | URL of the project |
+| emailsDisabled | bool | Whether project email notifications are disabled |
+| allowMergeOnSkippedPipeline | bool | Whether merging merge requests is allowed when a pipeline is skipped |
+| onlyAllowMergeIfPipelineSucceeds | bool | Whether merging merge requests is allowed only if the pipelines succeed |
+| onlyAllowMergeIfAllDiscussionsAreResolved | bool | Whether merging merge requests is allowed only if all discussions are resolved |
+| issuesEnabled | bool | Whether the issues feature is enabled |
+| mergeRequestsEnabled | bool | Whether the merge request feature is enabled |
+| wikiEnabled | bool | Whether the wiki feature is enabled |
+| snippetsEnabled | bool | Whether the snippets feature is enabled |
+| containerRegistryEnabled | bool | Whether the container registry feature is enabled |
+| serviceDeskEnabled | bool | Whether the Service Desk feature is enabled |
+| packagesEnabled | bool | Whether the packages feature is enabled |
+| autoDevopsEnabled | bool | Whether the Auto DevOps feature is enabled |
+| requirementsEnabled | bool | Whether the requirements feature is enabled |
diff --git a/docs/mql/resources/google-workspace-pack/README.md b/docs/mql/resources/google-workspace-pack/README.md
new file mode 100644
index 000000000..a859b9681
--- /dev/null
+++ b/docs/mql/resources/google-workspace-pack/README.md
@@ -0,0 +1,27 @@
+---
+title: Google Workspace Resource Pack - MQL Resources
+id: google.workspace.pack
+sidebar_label: Google Workspace Resource Pack
+displayed_sidebar: MQL
+description: The Google Workspace resource pack lets you use MQL to query and assess the security of your Google Workspace identities and configuration.
+---
+
+# Mondoo Google Workspace Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| --------------------------------------------------------------------- | ------------------------------------------- |
+| [googleworkspace](googleworkspace.md) | Google Workspace |
+| [googleworkspace.connectedApp](googleworkspace.connectedapp.md) | Google Workspace third-party connected apps |
+| [googleworkspace.domain](googleworkspace.domain.md) | Google Workspace domain |
+| [googleworkspace.group](googleworkspace.group.md) | Google Workspace group |
+| [googleworkspace.member](googleworkspace.member.md) | Google Workspace group member |
+| [googleworkspace.orgUnit](googleworkspace.orgunit.md) | Google Workspace organizational unit |
+| [googleworkspace.report.activity](googleworkspace.report.activity.md) | Google Workspace app reports activity |
+| [googleworkspace.report.apps](googleworkspace.report.apps.md) | Google Workspace apps reports |
+| [googleworkspace.report.usage](googleworkspace.report.usage.md) | Google workspace usage report |
+| [googleworkspace.report.users](googleworkspace.report.users.md) | Google Workspace user usage reports |
+| [googleworkspace.role](googleworkspace.role.md) | Google Workspace role |
+| [googleworkspace.token](googleworkspace.token.md) | Google Workspace token |
+| [googleworkspace.user](googleworkspace.user.md) | Google Workspace user accounts |
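Review bot: The `googleworkspace.report.usage` row writes "Google workspace usage report" with a lower-case "workspace", unlike every other row in this table. The `googleworkspace.report.activity` row's "Google Workspace app reports activity" is also hard to parse next to "Google Workspace apps reports" on the following row; something like "Google Workspace app activity report" would read more clearly.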
diff --git a/docs/mql/resources/google-workspace-pack/googleworkspace.connectedapp.md b/docs/mql/resources/google-workspace-pack/googleworkspace.connectedapp.md
new file mode 100644
index 000000000..52c426cef
--- /dev/null
+++ b/docs/mql/resources/google-workspace-pack/googleworkspace.connectedapp.md
@@ -0,0 +1,23 @@
+---
+title: googleworkspace.connectedApp
+id: googleworkspace.connectedApp
+sidebar_label: googleworkspace.connectedApp
+displayed_sidebar: MQL
+description: Google Workspace third-party connected apps
+---
+
+# googleworkspace.connectedApp
+
+**Description**
+
+Google Workspace third-party connected apps
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ----------------------------------------------------------- | ------------------------------------------------------------- |
+| clientId | string | The unique ID of the application |
+| name | string | The application's name |
+| scopes | []string | Aggregated scopes across all tokens issued to the application |
+| users | [][googleworkspace.user](googleworkspace.user.md) | Google Workspace User that use the 3rd-party application |
+| tokens | [][googleworkspace.token](googleworkspace.token.md) | Returns the user-issued tokens to 3rd party applications |
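Review bot: The `users` row, "Google Workspace User that use the 3rd-party application", has a number disagreement and a capitalized "User"; suggest "Google Workspace users that use the third-party application". The table also mixes "3rd-party" and "3rd party" within two adjacent rows while the page description says "third-party"; pick one spelling. Since `scopes` is aggregated across all tokens, it would help to note on that row that per-user grants are found under `tokens`.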
diff --git a/docs/mql/resources/google-workspace-pack/googleworkspace.domain.md b/docs/mql/resources/google-workspace-pack/googleworkspace.domain.md
new file mode 100644
index 000000000..b19c9f0bc
--- /dev/null
+++ b/docs/mql/resources/google-workspace-pack/googleworkspace.domain.md
@@ -0,0 +1,22 @@
+---
+title: googleworkspace.domain
+id: googleworkspace.domain
+sidebar_label: googleworkspace.domain
+displayed_sidebar: MQL
+description: Google Workspace domain
+---
+
+# googleworkspace.domain
+
+**Description**
+
+Google Workspace domain
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------ | -------------------------------------------- |
+| domainName | string | The domain name of the customer |
+| isPrimary | bool | Indicates if the domain is a primary domain |
+| verified | bool | Indicates the verification state of a domain |
+| creationTime | time | Creation time of the domain |
diff --git a/docs/mql/resources/google-workspace-pack/googleworkspace.group.md b/docs/mql/resources/google-workspace-pack/googleworkspace.group.md
new file mode 100644
index 000000000..5b73fb525
--- /dev/null
+++ b/docs/mql/resources/google-workspace-pack/googleworkspace.group.md
@@ -0,0 +1,28 @@
+---
+title: googleworkspace.group
+id: googleworkspace.group
+sidebar_label: googleworkspace.group
+displayed_sidebar: MQL
+description: Google Workspace group
+---
+
+# googleworkspace.group
+
+**Description**
+
+Google Workspace group
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | ------------------------------------------------------------- | -------------------------------------------------------------------------- |
+| id | string | The unique ID of a group |
+| name | string | The group's display name |
+| email | string | The group's email address |
+| description | string | Purpose of the group |
+| aliases | []string | A list of a group's alias email addresses |
+| directMembersCount | int | The number of users that are direct members of the group |
+| adminCreated | bool | Indicates if this group was created by an administrator rather than a user |
+| members | [][googleworkspace.member](googleworkspace.member.md) | Retrieve members of the group |
+| settings | dict | Group settings |
+| securitySettings | dict | Group security settings |
diff --git a/docs/mql/resources/google-workspace-pack/googleworkspace.md b/docs/mql/resources/google-workspace-pack/googleworkspace.md
new file mode 100644
index 000000000..c9515748a
--- /dev/null
+++ b/docs/mql/resources/google-workspace-pack/googleworkspace.md
@@ -0,0 +1,24 @@
+---
+title: googleworkspace
+id: googleworkspace
+sidebar_label: googleworkspace
+displayed_sidebar: MQL
+description: Google Workspace
+---
+
+# googleworkspace
+
+**Description**
+
+Google Workspace
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ------------------------------------------------------------------------- | ----------------------------------------------------------------------------- |
+| orgUnits | [][googleworkspace.orgUnit](googleworkspace.orgunit.md) | Retrieves a list of all organizational units for the Google Workspace account |
+| users | [][googleworkspace.user](googleworkspace.user.md) | Retrieves a list of all users for the Google Workspace account |
+| domains | [][googleworkspace.domain](googleworkspace.domain.md) | Retrieves a list of domains for the Google Workspace account |
+| groups | [][googleworkspace.group](googleworkspace.group.md) | Retrieves a list of all groups for the Google Workspace account |
+| roles | [][googleworkspace.role](googleworkspace.role.md) | Retrieves a list of all roles for the Google Workspace account |
+| connectedApps | [][googleworkspace.connectedApp](googleworkspace.connectedapp.md) | Retrieves a list of all apps for the Google Workspace account |
diff --git a/docs/mql/resources/google-workspace-pack/googleworkspace.member.md b/docs/mql/resources/google-workspace-pack/googleworkspace.member.md
new file mode 100644
index 000000000..8ac1f7deb
--- /dev/null
+++ b/docs/mql/resources/google-workspace-pack/googleworkspace.member.md
@@ -0,0 +1,23 @@
+---
+title: googleworkspace.member
+id: googleworkspace.member
+sidebar_label: googleworkspace.member
+displayed_sidebar: MQL
+description: Google Workspace group member
+---
+
+# googleworkspace.member
+
+**Description**
+
+Google Workspace group member
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ----------------------------------------------- | --------------------------------- |
+| id | string | The unique ID of the group member |
+| email | string | The member's email address |
+| status | string | Status of member |
+| type | string | The type of group member |
+| user | [googleworkspace.user](googleworkspace.user.md) | Linked user account |
diff --git a/docs/mql/resources/google-workspace-pack/googleworkspace.orgunit.md b/docs/mql/resources/google-workspace-pack/googleworkspace.orgunit.md
new file mode 100644
index 000000000..85f22bc9c
--- /dev/null
+++ b/docs/mql/resources/google-workspace-pack/googleworkspace.orgunit.md
@@ -0,0 +1,21 @@
+---
+title: googleworkspace.orgUnit
+id: googleworkspace.orgUnit
+sidebar_label: googleworkspace.orgUnit
+displayed_sidebar: MQL
+description: Google Workspace organizational unit
+---
+
+# googleworkspace.orgUnit
+
+**Description**
+
+Google Workspace organizational unit
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | ---------------------------------------- |
+| id | string | The unique ID of the organizational unit |
+| name | string | The organizational unit's path name |
+| description | string | Description of the organizational unit |
diff --git a/docs/mql/resources/google-workspace-pack/googleworkspace.report.activity.md b/docs/mql/resources/google-workspace-pack/googleworkspace.report.activity.md
new file mode 100644
index 000000000..c20d5289d
--- /dev/null
+++ b/docs/mql/resources/google-workspace-pack/googleworkspace.report.activity.md
@@ -0,0 +1,23 @@
+---
+title: googleworkspace.report.activity
+id: googleworkspace.report.activity
+sidebar_label: googleworkspace.report.activity
+displayed_sidebar: MQL
+description: Google Workspace app reports activity
+---
+
+# googleworkspace.report.activity
+
+**Description**
+
+Google Workspace app reports activity
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | -------------- | ----------- |
+| id | int | |
+| ipAddress | string | |
+| ownerDomain | string | |
+| actor | dict | |
+| events | []dict | |
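Review bot: Every row in the Fields table (`id`, `ipAddress`, `ownerDomain`, `actor`, `events`) has an empty DESCRIPTION cell. These are the fields someone reviewing account activity would query, so each needs at least a one-line description, and the `actor` and `events` dict rows should say which keys to expect.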
diff --git a/docs/mql/resources/google-workspace-pack/googleworkspace.report.apps.md b/docs/mql/resources/google-workspace-pack/googleworkspace.report.apps.md
new file mode 100644
index 000000000..294e0fa3e
--- /dev/null
+++ b/docs/mql/resources/google-workspace-pack/googleworkspace.report.apps.md
@@ -0,0 +1,19 @@
+---
+title: googleworkspace.report.apps
+id: googleworkspace.report.apps
+sidebar_label: googleworkspace.report.apps
+displayed_sidebar: MQL
+description: Google Workspace apps reports
+---
+
+# googleworkspace.report.apps
+
+**Description**
+
+Google Workspace apps reports
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----- | ------------------------------------------------------------------------------- | ----------- |
+| drive | [][googleworkspace.report.activity](googleworkspace.report.activity.md) | |
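Review bot: The `drive` row has an empty DESCRIPTION cell, and the page-level description "Google Workspace apps reports" does not say what the field returns. Add a description stating that the field returns a list of `googleworkspace.report.activity` entries and what they cover.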
diff --git a/docs/mql/resources/google-workspace-pack/googleworkspace.report.usage.md b/docs/mql/resources/google-workspace-pack/googleworkspace.report.usage.md
new file mode 100644
index 000000000..cb11f3ff2
--- /dev/null
+++ b/docs/mql/resources/google-workspace-pack/googleworkspace.report.usage.md
@@ -0,0 +1,28 @@
+---
+title: googleworkspace.report.usage
+id: googleworkspace.report.usage
+sidebar_label: googleworkspace.report.usage
+displayed_sidebar: MQL
+description: Google workspace usage report
+---
+
+# googleworkspace.report.usage
+
+**Description**
+
+Google workspace usage report
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | -------------- | ----------------------------------------------- |
+| customerId | string | The unique identifier of the customer's account |
+| entityId | string | Google Workspace entity ID |
+| profileId | string | Google Workspace profile identifier |
+| type | string | Entity type |
+| userEmail | string | Email of user |
+| date | time | Date of the report |
+| parameters | []dict | Parameter value pairs |
+| account | dict | Account Settings |
+| security | dict | Security Settings |
+| appUsage | dict | App Usage |
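Review bot: The frontmatter `description` and the Description section both write "Google workspace usage report" with a lower-case "workspace", while the rest of the pack uses "Google Workspace". The `account`, `security` and `appUsage` rows use title case ("Account Settings", "Security Settings", "App Usage") and give no indication of what the dicts contain; use sentence case like the other rows and name the main keys, at least for `security`.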
diff --git a/docs/mql/resources/google-workspace-pack/googleworkspace.report.users.md b/docs/mql/resources/google-workspace-pack/googleworkspace.report.users.md
new file mode 100644
index 000000000..c639eefd2
--- /dev/null
+++ b/docs/mql/resources/google-workspace-pack/googleworkspace.report.users.md
@@ -0,0 +1,23 @@
+---
+title: googleworkspace.report.users
+id: googleworkspace.report.users
+sidebar_label: googleworkspace.report.users
+displayed_sidebar: MQL
+description: Google Workspace user usage reports
+---
+
+# googleworkspace.report.users
+
+**Description**
+
+Google Workspace user usage reports
+
+**List**
+
+[]googleworkspace.report.usage
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | ------------------------------------------------------------------------- | ----------- |
+| list | [][googleworkspace.report.usage](googleworkspace.report.usage.md) | |
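Review bot: The `list` row has an empty DESCRIPTION cell. The **List** section above already gives the type as `[]googleworkspace.report.usage`, so the description only needs to say what the list contains, for example "List of usage reports for users".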
diff --git a/docs/mql/resources/google-workspace-pack/googleworkspace.role.md b/docs/mql/resources/google-workspace-pack/googleworkspace.role.md
new file mode 100644
index 000000000..fd3629290
--- /dev/null
+++ b/docs/mql/resources/google-workspace-pack/googleworkspace.role.md
@@ -0,0 +1,24 @@
+---
+title: googleworkspace.role
+id: googleworkspace.role
+sidebar_label: googleworkspace.role
+displayed_sidebar: MQL
+description: Google Workspace role
+---
+
+# googleworkspace.role
+
+**Description**
+
+Google Workspace role
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | -------------- | ---------------------------------------------- |
+| id | int | ID of the role |
+| name | string | Name of the role |
+| description | string | A short description of the role |
+| isSystemRole | bool | Indicates if this is a pre-defined system role |
+| isSuperAdminRole | bool | Indicates if the role is a super admin role |
+| privileges | []dict | The set of privileges |
diff --git a/docs/mql/resources/google-workspace-pack/googleworkspace.token.md b/docs/mql/resources/google-workspace-pack/googleworkspace.token.md
new file mode 100644
index 000000000..32577020c
--- /dev/null
+++ b/docs/mql/resources/google-workspace-pack/googleworkspace.token.md
@@ -0,0 +1,24 @@
+---
+title: googleworkspace.token
+id: googleworkspace.token
+sidebar_label: googleworkspace.token
+displayed_sidebar: MQL
+description: Google Workspace token
+---
+
+# googleworkspace.token
+
+**Description**
+
+Google Workspace token
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ---------------- | ------------------------------------------------------------ |
+| anonymous | bool | Indicates if the application is registered with Google |
+| clientId | string | The Client ID of the application |
+| displayText | string | The displayable name of the application token |
+| nativeApp | bool | Indicates if the token is issued to an installed application |
+| scopes | []string | A list of granted authorization scopes the application |
+| userKey | string | The unique ID of the user that issued the token |
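Review bot: The `scopes` row's description, "A list of granted authorization scopes the application", breaks off before its verb; complete the sentence so it says whether these are scopes the application was granted or scopes it requested. On the `anonymous` row, "Indicates if the application is registered with Google" does not make clear which state `true` represents for a field named `anonymous`; state explicitly what `true` means.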
diff --git a/docs/mql/resources/google-workspace-pack/googleworkspace.user.md b/docs/mql/resources/google-workspace-pack/googleworkspace.user.md
new file mode 100644
index 000000000..ba71d6c5d
--- /dev/null
+++ b/docs/mql/resources/google-workspace-pack/googleworkspace.user.md
@@ -0,0 +1,38 @@
+---
+title: googleworkspace.user
+id: googleworkspace.user
+sidebar_label: googleworkspace.user
+displayed_sidebar: MQL
+description: Google Workspace user accounts
+---
+
+# googleworkspace.user
+
+**Description**
+
+Google Workspace user accounts
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | --------------------------------------------------------------- | -------------------------------------------------------- |
+| id | string | The unique ID for the user |
+| familyName | string | The user's last name |
+| givenName | string | The user's first names |
+| fullName | string | The user's full name |
+| primaryEmail | string | The user's primary email address |
+| recoveryEmail | string | Recovery email of the user |
+| recoveryPhone | string | Recovery phone of the user |
+| agreedToTerms | bool | User accepted the Terms of Service agreement |
+| aliases | []string | A list of the user's alias email addresses |
+| suspended | bool | Indicates if user is suspended |
+| suspensionReason | string | The reason a user account is suspended |
+| archived | bool | Indicates if user is archived |
+| isAdmin | bool | Indicates a user with super administrator privileges |
+| isEnforcedIn2Sv | bool | Is 2-step verification enforced |
+| isEnrolledIn2Sv | bool | Is enrolled in 2-step verification |
+| isMailboxSetup | bool | Indicates if the user's Google mailbox is created |
+| lastLoginTime | time | User's last login time |
+| creationTime | time | User's account creation time |
+| usageReport | [googleworkspace.report.usage](googleworkspace.report.usage.md) | Retrieves latest report for the user |
+| tokens | [][googleworkspace.token](googleworkspace.token.md) | Returns the user-issued tokens to 3rd party applications |
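Review bot: In the `givenName` row, "The user's first names" should be singular to match the `familyName` row ("The user's last name"). The `isEnforcedIn2Sv` and `isEnrolledIn2Sv` descriptions are phrased as questions ("Is 2-step verification enforced") while the other bool rows use "Indicates if ..."; please reword them the same way. This page has no Examples section, unlike k8s.md in this same patch; one example that combines `isAdmin` with the two 2-step verification fields would show readers the most common use of this resource.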
diff --git a/docs/mql/resources/ipmi-pack/README.md b/docs/mql/resources/ipmi-pack/README.md
new file mode 100644
index 000000000..5d55425b7
--- /dev/null
+++ b/docs/mql/resources/ipmi-pack/README.md
@@ -0,0 +1,16 @@
+---
+title: IPMI Resource Pack - MQL Resources
+id: ipmi.pack
+sidebar_label: IPMI Resource Pack
+displayed_sidebar: MQL
+description: The IPMI resource pack lets you use MQL to query and assess the security of your IPMI devices.
+---
+
+# Mondoo IPMI Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| ------------------------------- | --------------------------------------------------------- |
+| [ipmi](ipmi.md) | Intelligent Platform Management Interface (IPMI) resource |
+| [ipmi.chassis](ipmi.chassis.md) | IPMI system chassis resource |
diff --git a/docs/mql/resources/ipmi-pack/ipmi.chassis.md b/docs/mql/resources/ipmi-pack/ipmi.chassis.md
new file mode 100644
index 000000000..739d0be0f
--- /dev/null
+++ b/docs/mql/resources/ipmi-pack/ipmi.chassis.md
@@ -0,0 +1,24 @@
+---
+title: ipmi.chassis
+id: ipmi.chassis
+sidebar_label: ipmi.chassis
+displayed_sidebar: MQL
+description: IPMI system chassis resource
+---
+
+# ipmi.chassis
+
+**Maturity**
+
+experimental
+
+**Description**
+
+IPMI system chassis resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ---- | ---------------------------------------------------------------- |
+| status | dict | High-level status of the system chassis and main power subsystem |
+| systemBootOptions | dict | System boot options |
diff --git a/docs/mql/resources/ipmi-pack/ipmi.md b/docs/mql/resources/ipmi-pack/ipmi.md
new file mode 100644
index 000000000..b90857fe9
--- /dev/null
+++ b/docs/mql/resources/ipmi-pack/ipmi.md
@@ -0,0 +1,24 @@
+---
+title: ipmi
+id: ipmi
+sidebar_label: ipmi
+displayed_sidebar: MQL
+description: Intelligent Platform Management Interface (IPMI) resource
+---
+
+# ipmi
+
+**Maturity**
+
+experimental
+
+**Description**
+
+Intelligent Platform Management Interface (IPMI) resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ------ | --------------------------------------------------- |
+| deviceID | dict | The hardware & firmware device ID |
+| guid | string | GUID (Globally Unique ID) for management controller |
diff --git a/docs/mql/resources/k8s-pack/README.md b/docs/mql/resources/k8s-pack/README.md
new file mode 100644
index 000000000..80fb7d999
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/README.md
@@ -0,0 +1,49 @@
+---
+title: Kubernetes (K8s) Resource Pack - MQL Resources
+id: kubernetes.k8s.pack
+sidebar_label: Kubernetes (K8s) Resource Pack
+displayed_sidebar: MQL
+description: The Kubernetes resource pack lets you use MQL to query and assess the security of your Kubernetes cluster and workloads.
+---
+
+# Mondoo Kubernetes (K8s) Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| ------------------------------------------------------------- | ---------------------------------------------------------------- |
+| [k8s](k8s.md) | Kubernetes cluster |
+| [k8s.admissionrequest](k8s.admissionrequest.md) | Kubernetes AdmissionRequest |
+| [k8s.admissionreview](k8s.admissionreview.md) | Kubernetes AdmissionReview |
+| [k8s.apiresource](k8s.apiresource.md) | Kubernetes API resources |
+| [k8s.configmap](k8s.configmap.md) | Kubernetes ConfigMap |
+| [k8s.container](k8s.container.md) | Kubernetes workload container |
+| [k8s.cronjob](k8s.cronjob.md) | Kubernetes CronJob |
+| [k8s.customresource](k8s.customresource.md) | Kubernetes CustomResource |
+| [k8s.daemonset](k8s.daemonset.md) | Kubernetes DaemonSet |
+| [k8s.deployment](k8s.deployment.md) | Kubernetes Deployment |
+| [k8s.ephemeralContainer](k8s.ephemeralcontainer.md) | Kubernetes ephemeral container |
+| [k8s.ingress](k8s.ingress.md) | Kubernetes Ingress |
+| [k8s.ingressbackend](k8s.ingressbackend.md) | Kubernetes Ingress backend |
+| [k8s.ingresshttprulepath](k8s.ingresshttprulepath.md) | Kubernetes Ingress HTTP rule |
+| [k8s.ingressresourceref](k8s.ingressresourceref.md) | Kubernetes Ingress resource backend |
+| [k8s.ingressrule](k8s.ingressrule.md) | Kubernetes Ingress rule |
+| [k8s.ingressservicebackend](k8s.ingressservicebackend.md) | Kubernetes Ingress service backend |
+| [k8s.ingresstls](k8s.ingresstls.md) | Kubernetes Ingress TLS |
+| [k8s.initContainer](k8s.initcontainer.md) | Kubernetes init container |
+| [k8s.job](k8s.job.md) | Kubernetes Job |
+| [k8s.namespace](k8s.namespace.md) | Kubernetes namespace |
+| [k8s.networkpolicy](k8s.networkpolicy.md) | Kubernetes Network Policy |
+| [k8s.node](k8s.node.md) | Kubernetes node |
+| [k8s.pod](k8s.pod.md) | Kubernetes Pod |
+| [k8s.podsecuritypolicy](k8s.podsecuritypolicy.md) | Kubernetes PodSecurityPolicy (deprecated as of Kubernetes v1.21) |
+| [k8s.rbac.clusterrole](k8s.rbac.clusterrole.md) | Kubernetes ClusterRole |
+| [k8s.rbac.clusterrolebinding](k8s.rbac.clusterrolebinding.md) | Kubernetes ClusterRoleBinding |
+| [k8s.rbac.role](k8s.rbac.role.md) | Kubernetes Role |
+| [k8s.rbac.rolebinding](k8s.rbac.rolebinding.md) | Kubernetes RoleBinding |
+| [k8s.replicaset](k8s.replicaset.md) | Kubernetes ReplicaSet |
+| [k8s.secret](k8s.secret.md) | Kubernetes Secret |
+| [k8s.service](k8s.service.md) | Kubernetes Service |
+| [k8s.serviceaccount](k8s.serviceaccount.md) | Kubernetes service account |
+| [k8s.statefulset](k8s.statefulset.md) | Kubernetes StatefulSet |
+| [k8s.userinfo](k8s.userinfo.md) | Kubernetes UserInfo |
diff --git a/docs/mql/resources/k8s-pack/k8s.admissionrequest.md b/docs/mql/resources/k8s-pack/k8s.admissionrequest.md
new file mode 100644
index 000000000..4c5de47f1
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.admissionrequest.md
@@ -0,0 +1,28 @@
+---
+title: k8s.admissionrequest
+id: k8s.admissionrequest
+sidebar_label: k8s.admissionrequest
+displayed_sidebar: MQL
+description: Kubernetes AdmissionRequest
+---
+
+# k8s.admissionrequest
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes AdmissionRequest
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------------------------------- | ------------------------------------------------------------------- |
+| name | string | The name of the object presented in the request |
+| namespace | string | The namespace associated with the request (if any) |
+| operation | string | The operation being performed |
+| userInfo | [k8s.userinfo](k8s.userinfo.md) | Information about the requesting user |
+| object | dict | The incoming object from the request |
+| oldObject | dict | The existing object (only populated for UPDATE and DELETE requests) |
diff --git a/docs/mql/resources/k8s-pack/k8s.admissionreview.md b/docs/mql/resources/k8s-pack/k8s.admissionreview.md
new file mode 100644
index 000000000..589871491
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.admissionreview.md
@@ -0,0 +1,23 @@
+---
+title: k8s.admissionreview
+id: k8s.admissionreview
+sidebar_label: k8s.admissionreview
+displayed_sidebar: MQL
+description: Kubernetes AdmissionReview
+---
+
+# k8s.admissionreview
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes AdmissionReview
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ----------------------------------------------- | ----------------------- |
+| request | [k8s.admissionrequest](k8s.admissionrequest.md) | The requested admission |
diff --git a/docs/mql/resources/k8s-pack/k8s.apiresource.md b/docs/mql/resources/k8s-pack/k8s.apiresource.md
new file mode 100644
index 000000000..5e5a3e1fc
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.apiresource.md
@@ -0,0 +1,30 @@
+---
+title: k8s.apiresource
+id: k8s.apiresource
+sidebar_label: k8s.apiresource
+displayed_sidebar: MQL
+description: Kubernetes API resources
+---
+
+# k8s.apiresource
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes API resources
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ---------------- | --------------------------------------------- |
+| name | string | Plural name of the resource |
+| singularName | string | Singular name of the resource |
+| namespaced | bool | Whether a resource is namespaced or not |
+| group | string | Preferred group of the resource |
+| version | string | Preferred version of the resource |
+| kind | string | Kubernetes object type |
+| shortNames | []string | List of suggested short names of the resource |
+| categories | []string | List of the grouped resources |
diff --git a/docs/mql/resources/k8s-pack/k8s.configmap.md b/docs/mql/resources/k8s-pack/k8s.configmap.md
new file mode 100644
index 000000000..dc8e862e4
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.configmap.md
@@ -0,0 +1,33 @@
+---
+title: k8s.configmap
+id: k8s.configmap
+sidebar_label: k8s.configmap
+displayed_sidebar: MQL
+description: Kubernetes ConfigMap
+---
+
+# k8s.configmap
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes ConfigMap
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------- | ------------------------------------ |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| resourceVersion | string | Kubernetes resource version |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
+| name | string | Kubernetes object name |
+| namespace | string | Kubernetes object namespace |
+| kind | string | Kubernetes object type |
+| created | time | Kubernetes object creation timestamp |
+| manifest | dict | Full resource manifest |
+| data | map[string]string | Configuration data |
diff --git a/docs/mql/resources/k8s-pack/k8s.container.md b/docs/mql/resources/k8s-pack/k8s.container.md
new file mode 100644
index 000000000..9c9485e39
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.container.md
@@ -0,0 +1,40 @@
+---
+title: k8s.container
+id: k8s.container
+sidebar_label: k8s.container
+displayed_sidebar: MQL
+description: Kubernetes workload container
+---
+
+# k8s.container
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes workload container
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ------------------ | ------------------------------------------------------- |
+| uid | string | Kubernetes object UID |
+| name | string | Name of the container |
+| imageName | string | Container image name |
+| image | string | Deprecated; use `imageName` instead |
+| containerImage | os.container.image | Container image |
+| command | []string | Entry point array |
+| args | []string | Arguments to the entry point |
+| resources | dict | Compute resources required by this container |
+| volumeMounts | []dict | Pod volumes to mount into the container's file system |
+| volumeDevices | []dict | List of block devices to be used by the container |
+| livenessProbe | dict | Periodic probe of container liveness |
+| readinessProbe | dict | Periodic probe of container service readiness |
+| imagePullPolicy | string | Image pull policyL Always, Never, or IfNotPresent |
+| securityContext | dict | Security options the pod should run with |
+| workingDir | string | Container's working directory |
+| tty | bool | Whether this container should allocate a TTY for itself |
+| env | dict | env variables |
+| envFrom | dict | envFrom settings |
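Review bot: Typo in the `imagePullPolicy` row: "Image pull policyL Always, Never, or IfNotPresent" should read "Image pull policy: Always, Never, or IfNotPresent", as k8s.ephemeralcontainer.md and k8s.initcontainer.md already have it. Separately, the `securityContext` row says "Security options the pod should run with" on a container resource; if this field is the container-level security context, say "the container" so it is not confused with the Pod-level setting.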
diff --git a/docs/mql/resources/k8s-pack/k8s.cronjob.md b/docs/mql/resources/k8s-pack/k8s.cronjob.md
new file mode 100644
index 000000000..d0002e38c
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.cronjob.md
@@ -0,0 +1,35 @@
+---
+title: k8s.cronjob
+id: k8s.cronjob
+sidebar_label: k8s.cronjob
+displayed_sidebar: MQL
+description: Kubernetes CronJob
+---
+
+# k8s.cronjob
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes CronJob
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | --------------------------------------------------- | ------------------------------------ |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| resourceVersion | string | Kubernetes resource version |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
+| name | string | Kubernetes object name |
+| namespace | string | Kubernetes object namespace |
+| kind | string | Kubernetes object type |
+| created | time | Kubernetes object creation timestamp |
+| manifest | dict | Full resource manifest |
+| podSpec | dict | Pod description |
+| initContainers | [][k8s.initContainer](k8s.initcontainer.md) | Init containers |
+| containers | [][k8s.container](k8s.container.md) | Contained containers |
diff --git a/docs/mql/resources/k8s-pack/k8s.customresource.md b/docs/mql/resources/k8s-pack/k8s.customresource.md
new file mode 100644
index 000000000..6bf4b1a8a
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.customresource.md
@@ -0,0 +1,32 @@
+---
+title: k8s.customresource
+id: k8s.customresource
+sidebar_label: k8s.customresource
+displayed_sidebar: MQL
+description: Kubernetes CustomResource
+---
+
+# k8s.customresource
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes CustomResource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------- | ------------------------------------ |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| resourceVersion | string | Kubernetes resource version |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
+| name | string | Kubernetes object name |
+| namespace | string | Kubernetes object namespace |
+| kind | string | Kubernetes object type |
+| created | time | Kubernetes object creation timestamp |
+| manifest | dict | Full resource manifest |
diff --git a/docs/mql/resources/k8s-pack/k8s.daemonset.md b/docs/mql/resources/k8s-pack/k8s.daemonset.md
new file mode 100644
index 000000000..f98eddb3b
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.daemonset.md
@@ -0,0 +1,35 @@
+---
+title: k8s.daemonset
+id: k8s.daemonset
+sidebar_label: k8s.daemonset
+displayed_sidebar: MQL
+description: Kubernetes DaemonSet
+---
+
+# k8s.daemonset
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes DaemonSet
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | --------------------------------------------------- | ------------------------------------ |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| resourceVersion | string | Kubernetes resource version |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
+| name | string | Kubernetes object name |
+| namespace | string | Kubernetes object namespace |
+| kind | string | Kubernetes object type |
+| created | time | Kubernetes object creation timestamp |
+| manifest | dict | Full resource manifest |
+| podSpec | dict | Pod description |
+| initContainers | [][k8s.initContainer](k8s.initcontainer.md) | Init containers |
+| containers | [][k8s.container](k8s.container.md) | Contained containers |
diff --git a/docs/mql/resources/k8s-pack/k8s.deployment.md b/docs/mql/resources/k8s-pack/k8s.deployment.md
new file mode 100644
index 000000000..f4b325298
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.deployment.md
@@ -0,0 +1,35 @@
+---
+title: k8s.deployment
+id: k8s.deployment
+sidebar_label: k8s.deployment
+displayed_sidebar: MQL
+description: Kubernetes Deployment
+---
+
+# k8s.deployment
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes Deployment
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | --------------------------------------------------- | ------------------------------------ |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| resourceVersion | string | Kubernetes resource version |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
+| name | string | Kubernetes object name |
+| namespace | string | Kubernetes object namespace |
+| kind | string | Kubernetes object type |
+| created | time | Kubernetes object creation timestamp |
+| manifest | dict | Full resource manifest |
+| podSpec | dict | Pod description |
+| initContainers | [][k8s.initContainer](k8s.initcontainer.md) | Init containers |
+| containers | [][k8s.container](k8s.container.md) | Contained containers |
diff --git a/docs/mql/resources/k8s-pack/k8s.ephemeralcontainer.md b/docs/mql/resources/k8s-pack/k8s.ephemeralcontainer.md
new file mode 100644
index 000000000..58e854977
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.ephemeralcontainer.md
@@ -0,0 +1,37 @@
+---
+title: k8s.ephemeralContainer
+id: k8s.ephemeralContainer
+sidebar_label: k8s.ephemeralContainer
+displayed_sidebar: MQL
+description: Kubernetes ephemeral container
+---
+
+# k8s.ephemeralContainer
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes ephemeral container
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ------------------ | ------------------------------------------------------- |
+| uid | string | Kubernetes object UID |
+| name | string | Name of the container |
+| imageName | string | Container image name |
+| image | string | Deprecated; use `imageName` instead |
+| containerImage | os.container.image | Container image |
+| command | []string | Entry point array |
+| args | []string | Arguments to the entry point |
+| volumeMounts | []dict | Pod volumes to mount into the container's file system |
+| volumeDevices | []dict | List of block devices to be used by the container |
+| imagePullPolicy | string | Image pull policy: Always, Never, or IfNotPresent |
+| securityContext | dict | Security options the Pod should run with |
+| workingDir | string | Container's working directory |
+| tty | bool | Whether this container should allocate a TTY for itself |
+| env | dict | env variables |
+| envFrom | dict | envFrom settings |
diff --git a/docs/mql/resources/k8s-pack/k8s.ingress.md b/docs/mql/resources/k8s-pack/k8s.ingress.md
new file mode 100644
index 000000000..98d7777d8
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.ingress.md
@@ -0,0 +1,34 @@
+---
+title: k8s.ingress
+id: k8s.ingress
+sidebar_label: k8s.ingress
+displayed_sidebar: MQL
+description: Kubernetes Ingress
+---
+
+# k8s.ingress
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes Ingress
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------------------------------------- | ------------------------------------ |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| resourceVersion | string | Kubernetes resource version |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
+| name | string | Kubernetes object name |
+| namespace | string | Kubernetes object namespace |
+| kind | string | Kubernetes object type |
+| created | time | Kubernetes object creation timestamp |
+| manifest | dict | Full resource manifest |
+| rules | [][k8s.ingressrule](k8s.ingressrule.md) | Ingress rules |
+| tls | [][k8s.ingresstls](k8s.ingresstls.md) | Ingress TLS data |
diff --git a/docs/mql/resources/k8s-pack/k8s.ingressbackend.md b/docs/mql/resources/k8s-pack/k8s.ingressbackend.md
new file mode 100644
index 000000000..bf9666df4
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.ingressbackend.md
@@ -0,0 +1,25 @@
+---
+title: k8s.ingressbackend
+id: k8s.ingressbackend
+sidebar_label: k8s.ingressbackend
+displayed_sidebar: MQL
+description: Kubernetes Ingress backend
+---
+
+# k8s.ingressbackend
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes Ingress backend
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | --------------------------------------------------------- | ------------------------------------------------- |
+| id | string | Mondoo ID for object |
+| service | [k8s.ingressservicebackend](k8s.ingressservicebackend.md) | Kubernetes service for Ingress backend |
+| resourceRef | [k8s.ingressresourceref](k8s.ingressresourceref.md) | Kubernetes resource reference for Ingress backend |
diff --git a/docs/mql/resources/k8s-pack/k8s.ingresshttprulepath.md b/docs/mql/resources/k8s-pack/k8s.ingresshttprulepath.md
new file mode 100644
index 000000000..881cafcff
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.ingresshttprulepath.md
@@ -0,0 +1,26 @@
+---
+title: k8s.ingresshttprulepath
+id: k8s.ingresshttprulepath
+sidebar_label: k8s.ingresshttprulepath
+displayed_sidebar: MQL
+description: Kubernetes Ingress HTTP rule
+---
+
+# k8s.ingresshttprulepath
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes Ingress HTTP rule
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ------------------------------------------- | ------------------------------------------- |
+| id | string | Mondoo ID for object |
+| path | string | HTTP path for Ingress rule |
+| pathType | string | PathType for Ingress rule |
+| backend | [k8s.ingressbackend](k8s.ingressbackend.md) | Backend to forward matching Ingress traffic |
diff --git a/docs/mql/resources/k8s-pack/k8s.ingressresourceref.md b/docs/mql/resources/k8s-pack/k8s.ingressresourceref.md
new file mode 100644
index 000000000..b2532545d
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.ingressresourceref.md
@@ -0,0 +1,26 @@
+---
+title: k8s.ingressresourceref
+id: k8s.ingressresourceref
+sidebar_label: k8s.ingressresourceref
+displayed_sidebar: MQL
+description: Kubernetes Ingress resource backend
+---
+
+# k8s.ingressresourceref
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes Ingress resource backend
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ------ | ---------------------------------------------------- |
+| id | string | Mondoo ID for object |
+| apiGroup | string | APIGroup specified as part of the resource reference |
+| kind | string | Kubernetes object type |
+| name | string | Kubernetes object name |
diff --git a/docs/mql/resources/k8s-pack/k8s.ingressrule.md b/docs/mql/resources/k8s-pack/k8s.ingressrule.md
new file mode 100644
index 000000000..e5944bcfe
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.ingressrule.md
@@ -0,0 +1,25 @@
+---
+title: k8s.ingressrule
+id: k8s.ingressrule
+sidebar_label: k8s.ingressrule
+displayed_sidebar: MQL
+description: Kubernetes Ingress rule
+---
+
+# k8s.ingressrule
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes Ingress rule
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | --------------------------------------------------------------- | ---------------------------------- |
+| id | string | Mondoo ID for object |
+| host | string | Hostname to match for Ingress rule |
+| httpPaths | [][k8s.ingresshttprulepath](k8s.ingresshttprulepath.md) | HTTP paths to manage Ingress for |
diff --git a/docs/mql/resources/k8s-pack/k8s.ingressservicebackend.md b/docs/mql/resources/k8s-pack/k8s.ingressservicebackend.md
new file mode 100644
index 000000000..e06c05b73
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.ingressservicebackend.md
@@ -0,0 +1,26 @@
+---
+title: k8s.ingressservicebackend
+id: k8s.ingressservicebackend
+sidebar_label: k8s.ingressservicebackend
+displayed_sidebar: MQL
+description: Kubernetes Ingress service backend
+---
+
+# k8s.ingressservicebackend
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes Ingress service backend
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | ------------------------------ |
+| id | string | Mondoo ID for object |
+| name | string | Kubernetes service name |
+| portName | string | Kubernetes service port name |
+| portNumber | int | Kubernetes service port number |
diff --git a/docs/mql/resources/k8s-pack/k8s.ingresstls.md b/docs/mql/resources/k8s-pack/k8s.ingresstls.md
new file mode 100644
index 000000000..09701e889
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.ingresstls.md
@@ -0,0 +1,25 @@
+---
+title: k8s.ingresstls
+id: k8s.ingresstls
+sidebar_label: k8s.ingresstls
+displayed_sidebar: MQL
+description: Kubernetes Ingress TLS
+---
+
+# k8s.ingresstls
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes Ingress TLS
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ----------------------------- | --------------------------------------------- |
+| id | string | Mondoo ID for object |
+| hosts | []string | List of hosts associated with TLS certificate |
+| certificates | []network.certificate | Certificates data from the TLS Secret |
diff --git a/docs/mql/resources/k8s-pack/k8s.initcontainer.md b/docs/mql/resources/k8s-pack/k8s.initcontainer.md
new file mode 100644
index 000000000..4190849ca
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.initcontainer.md
@@ -0,0 +1,38 @@
+---
+title: k8s.initContainer
+id: k8s.initContainer
+sidebar_label: k8s.initContainer
+displayed_sidebar: MQL
+description: Kubernetes init container
+---
+
+# k8s.initContainer
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes init container
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ------------------ | ------------------------------------------------------- |
+| uid | string | Kubernetes object UID |
+| name | string | Name of the container |
+| imageName | string | Container image name |
+| image | string | Deprecated. Use `imageName` instead. |
+| containerImage | os.container.image | Container image |
+| command | []string | Entrypoint array |
+| args | []string | Arguments to the entrypoint |
+| resources | dict | Compute resources required by this container |
+| volumeMounts | []dict | Pod volumes to mount into the container's file system |
+| volumeDevices | []dict | List of block devices to be used by the container |
+| imagePullPolicy | string | Image pull policy: Always, Never, or IfNotPresent |
+| securityContext | dict | Security options the pod should run with |
+| workingDir | string | Container's working directory |
+| tty | bool | Whether this container should allocate a TTY for itself |
+| env | dict | env variables |
+| envFrom | dict | envFrom settings |
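Review bot: Wording in the `image`, `command` and `args` rows differs from the same rows in k8s.container.md and k8s.ephemeralcontainer.md: this file has "Deprecated. Use `imageName` instead." and "Entrypoint array" / "Arguments to the entrypoint", the other two have "Deprecated; use `imageName` instead" and "Entry point array" / "Arguments to the entry point". These three container pages share nearly the same table, so please pick one form and use it in all of them.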
diff --git a/docs/mql/resources/k8s-pack/k8s.job.md b/docs/mql/resources/k8s-pack/k8s.job.md
new file mode 100644
index 000000000..1bc01cfda
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.job.md
@@ -0,0 +1,35 @@
+---
+title: k8s.job
+id: k8s.job
+sidebar_label: k8s.job
+displayed_sidebar: MQL
+description: Kubernetes Job
+---
+
+# k8s.job
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes Job
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | --------------------------------------------------- | ------------------------------------ |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| resourceVersion | string | Kubernetes resource version |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
+| name | string | Kubernetes object name |
+| namespace | string | Kubernetes object namespace |
+| kind | string | Kubernetes object type |
+| created | time | Kubernetes object creation timestamp |
+| manifest | dict | Full resource manifest |
+| podSpec | dict | Pod description |
+| initContainers | [][k8s.initContainer](k8s.initcontainer.md) | Init containers |
+| containers | [][k8s.container](k8s.container.md) | Contained containers |
diff --git a/docs/mql/resources/k8s-pack/k8s.md b/docs/mql/resources/k8s-pack/k8s.md
new file mode 100644
index 000000000..0c4ce25ae
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.md
@@ -0,0 +1,95 @@
+---
+title: k8s
+id: k8s
+sidebar_label: k8s
+displayed_sidebar: MQL
+description: Kubernetes cluster
+---
+
+# k8s
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes cluster
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------- | ----------------------------------------------------------------------- | ----------------------------------- |
+| serverVersion | dict | Cluster version |
+| apiResources | [][k8s.apiresource](k8s.apiresource.md) | Available resource types |
+| namespaces | [][k8s.namespace](k8s.namespace.md) | Cluster namespaces |
+| nodes | [][k8s.node](k8s.node.md) | Cluster nodes |
+| pods | [][k8s.pod](k8s.pod.md) | Cluster Pods |
+| deployments | [][k8s.deployment](k8s.deployment.md) | Cluster deployments |
+| daemonsets | [][k8s.daemonset](k8s.daemonset.md) | Cluster DaemonSets |
+| statefulsets | [][k8s.statefulset](k8s.statefulset.md) | Cluster StatefulSets |
+| replicasets | [][k8s.replicaset](k8s.replicaset.md) | Cluster ReplicaSets |
+| jobs | [][k8s.job](k8s.job.md) | Cluster Jobs |
+| cronjobs | [][k8s.cronjob](k8s.cronjob.md) | Cluster CronJobs |
+| secrets | [][k8s.secret](k8s.secret.md) | Cluster Secrets |
+| configmaps | [][k8s.configmap](k8s.configmap.md) | ConfigMaps |
+| services | [][k8s.service](k8s.service.md) | Kubernetes Services |
+| ingresses | [][k8s.ingress](k8s.ingress.md) | Kubernetes Ingresses |
+| serviceaccounts | [][k8s.serviceaccount](k8s.serviceaccount.md) | Kubernetes service accounts |
+| clusterroles | [][k8s.rbac.clusterrole](k8s.rbac.clusterrole.md) | Kubernetes RBAC ClusterRoles |
+| clusterrolebindings | [][k8s.rbac.clusterrolebinding](k8s.rbac.clusterrolebinding.md) | Kubernetes RBAC ClusterRoleBindings |
+| roles | [][k8s.rbac.role](k8s.rbac.role.md) | Kubernetes RBAC roles |
+| rolebindings | [][k8s.rbac.rolebinding](k8s.rbac.rolebinding.md) | Kubernetes RBAC RoleBindings |
+| podSecurityPolicies | [][k8s.podsecuritypolicy](k8s.podsecuritypolicy.md) | Kubernetes PodSecurityPolicies |
+| networkPolicies | [][k8s.networkpolicy](k8s.networkpolicy.md) | Kubernetes network policies |
+| customresources | [][k8s.customresource](k8s.customresource.md) | Kubernetes custom resources |
+
+**Examples**
+
+List kubernetes pods with privileged containers
+
+```coffee
+k8s.pods { containers.where(securityContext["privileged"] == true) name }
+```
+
+Check if the default namespace is used
+
+```coffee
+k8s.pods.all( namespace != "default")
+```
+
+Query services accounts
+
+```coffee
+k8s.serviceaccounts { name namespace secrets }
+```
+
+Query RBAC cluster roles
+
+```coffee
+k8s.roles { name namespace rules }
+```
+
+Query RBAC role bindings
+
+```coffee
+k8s.rolebindings { name namespace subjects }
+```
+
+Query RBAC cluster role bindings
+
+```coffee
+k8s.clusterrolebindings { name subjects }
+```
+
+Query pod security policies
+
+```coffee
+k8s.podSecurityPolicies { name manifest }
+```
+
+Query network policies
+
+```coffee
+k8s.networkPolicies { name manifest }
+```
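Review bot: The example titled "Query RBAC cluster roles" runs `k8s.roles { name namespace rules }`, which queries the namespaced `roles` field; per the Fields table the cluster-wide field is `clusterroles`, so either retitle this example "Query RBAC roles" or change the query (and add the missing counterpart). "Query services accounts" should be "Query service accounts", and "List kubernetes pods" should capitalize Kubernetes. The title "Check if the default namespace is used" is ambiguous next to `k8s.pods.all( namespace != "default")`: state that the check passes only when no Pod runs in the default namespace. The `podSecurityPolicies` row and example also omit the deprecation note that the pack README carries for k8s.podsecuritypolicy.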
diff --git a/docs/mql/resources/k8s-pack/k8s.namespace.md b/docs/mql/resources/k8s-pack/k8s.namespace.md
new file mode 100644
index 000000000..aa244caf3
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.namespace.md
@@ -0,0 +1,30 @@
+---
+title: k8s.namespace
+id: k8s.namespace
+sidebar_label: k8s.namespace
+displayed_sidebar: MQL
+description: Kubernetes namespace
+---
+
+# k8s.namespace
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes namespace
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ----------------- | ------------------------------------ |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| name | string | Kubernetes object name |
+| created | time | Kubernetes object creation timestamp |
+| manifest | dict | Full resource manifest |
+| kind | string | Kubernetes object type |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
diff --git a/docs/mql/resources/k8s-pack/k8s.networkpolicy.md b/docs/mql/resources/k8s-pack/k8s.networkpolicy.md
new file mode 100644
index 000000000..d799dfe75
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.networkpolicy.md
@@ -0,0 +1,33 @@
+---
+title: k8s.networkpolicy
+id: k8s.networkpolicy
+sidebar_label: k8s.networkpolicy
+displayed_sidebar: MQL
+description: Kubernetes Network Policy
+---
+
+# k8s.networkpolicy
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes Network Policy
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------- | ------------------------------------ |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| resourceVersion | string | Kubernetes resource version |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
+| name | string | Kubernetes object name |
+| namespace | string | Kubernetes object namespace |
+| kind | string | Kubernetes object type |
+| created | time | Kubernetes object creation timestamp |
+| manifest | dict | Full resource manifest |
+| spec | dict | Network policy spec |
diff --git a/docs/mql/resources/k8s-pack/k8s.node.md b/docs/mql/resources/k8s-pack/k8s.node.md
new file mode 100644
index 000000000..48af3ee3a
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.node.md
@@ -0,0 +1,29 @@
+---
+title: k8s.node
+id: k8s.node
+sidebar_label: k8s.node
+displayed_sidebar: MQL
+description: Kubernetes node
+---
+
+# k8s.node
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes node
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------- | ----------------------------------- |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
+| resourceVersion | string | Kubernetes resource version |
+| name | string | Plural name of the resource |
+| kind | string | Kubernetes object type |
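Review bot: In the Fields table, `name` is described as "Plural name of the resource", which does not describe a node and differs from the "Kubernetes object name" wording used for `name` on the other k8s resources in this patch; it looks copied from another resource. Suggest "Kubernetes object name". Unlike the sibling pages, this table also has no `created` or `manifest` rows; please confirm that is intentional.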
diff --git a/docs/mql/resources/k8s-pack/k8s.pod.md b/docs/mql/resources/k8s-pack/k8s.pod.md
new file mode 100644
index 000000000..189d71898
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.pod.md
@@ -0,0 +1,38 @@
+---
+title: k8s.pod
+id: k8s.pod
+sidebar_label: k8s.pod
+displayed_sidebar: MQL
+description: Kubernetes Pod
+---
+
+# k8s.pod
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes Pod
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------- | ------------------------------------------------------------- | ------------------------------------ |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| resourceVersion | string | Kubernetes resource version |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
+| name | string | Kubernetes object name |
+| namespace | string | Kubernetes object namespace |
+| apiVersion | string | Kubernetes object version |
+| kind | string | Kubernetes object type |
+| created | time | Kubernetes object creation timestamp |
+| manifest | dict | Full resource manifest |
+| podSpec | dict | Pod description |
+| ephemeralContainers | [][k8s.ephemeralContainer](k8s.ephemeralcontainer.md) | Ephemeral containers |
+| initContainers | [][k8s.initContainer](k8s.initcontainer.md) | Init containers |
+| containers | [][k8s.container](k8s.container.md) | Contained containers |
+| node | [k8s.node](k8s.node.md) | Node the pod runs on |
diff --git a/docs/mql/resources/k8s-pack/k8s.podsecuritypolicy.md b/docs/mql/resources/k8s-pack/k8s.podsecuritypolicy.md
new file mode 100644
index 000000000..efb66be36
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.podsecuritypolicy.md
@@ -0,0 +1,32 @@
+---
+title: k8s.podsecuritypolicy
+id: k8s.podsecuritypolicy
+sidebar_label: k8s.podsecuritypolicy
+displayed_sidebar: MQL
+description: Kubernetes PodSecurityPolicy (deprecated as of Kubernetes v1.21)
+---
+
+# k8s.podsecuritypolicy
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes PodSecurityPolicy (deprecated as of Kubernetes v1.21)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------- | ------------------------------------ |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| resourceVersion | string | Kubernetes resource version |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
+| name | string | Kubernetes object name |
+| kind | string | Kubernetes object type |
+| created | time | Kubernetes object creation timestamp |
+| manifest | dict | Full resource manifest |
+| spec | dict | Policy Spec |
diff --git a/docs/mql/resources/k8s-pack/k8s.rbac.clusterrole.md b/docs/mql/resources/k8s-pack/k8s.rbac.clusterrole.md
new file mode 100644
index 000000000..2c443561d
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.rbac.clusterrole.md
@@ -0,0 +1,33 @@
+---
+title: k8s.rbac.clusterrole
+id: k8s.rbac.clusterrole
+sidebar_label: k8s.rbac.clusterrole
+displayed_sidebar: MQL
+description: Kubernetes ClusterRole
+---
+
+# k8s.rbac.clusterrole
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes ClusterRole
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------- | ------------------------------------ |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| resourceVersion | string | Kubernetes resource version |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
+| name | string | Kubernetes object name |
+| kind | string | Kubernetes object type |
+| created | time | Kubernetes object creation timestamp |
+| manifest | dict | Full resource manifest |
+| rules | []dict | ClusterRole rules |
+| aggregationRule | dict | ClusterRole aggregation rule |
diff --git a/docs/mql/resources/k8s-pack/k8s.rbac.clusterrolebinding.md b/docs/mql/resources/k8s-pack/k8s.rbac.clusterrolebinding.md
new file mode 100644
index 000000000..6e76e23c4
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.rbac.clusterrolebinding.md
@@ -0,0 +1,33 @@
+---
+title: k8s.rbac.clusterrolebinding
+id: k8s.rbac.clusterrolebinding
+sidebar_label: k8s.rbac.clusterrolebinding
+displayed_sidebar: MQL
+description: Kubernetes ClusterRoleBinding
+---
+
+# k8s.rbac.clusterrolebinding
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes ClusterRoleBinding
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------- | --------------------------------------------- |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| resourceVersion | string | Kubernetes resource version |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
+| name | string | Kubernetes object name |
+| kind | string | Kubernetes object type |
+| created | time | Kubernetes object creation timestamp |
+| manifest | dict | Full resource manifest |
+| subjects | []dict | References to the objects the role applies to |
+| roleRef | dict | ClusterRole in the global namespace |
diff --git a/docs/mql/resources/k8s-pack/k8s.rbac.role.md b/docs/mql/resources/k8s-pack/k8s.rbac.role.md
new file mode 100644
index 000000000..40e4ccb58
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.rbac.role.md
@@ -0,0 +1,33 @@
+---
+title: k8s.rbac.role
+id: k8s.rbac.role
+sidebar_label: k8s.rbac.role
+displayed_sidebar: MQL
+description: Kubernetes Role
+---
+
+# k8s.rbac.role
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes Role
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------- | ------------------------------------ |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| resourceVersion | string | Kubernetes resource version |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
+| name | string | Kubernetes object name |
+| namespace | string | Kubernetes object namespace |
+| kind | string | Kubernetes object type |
+| created | time | Kubernetes object creation timestamp |
+| manifest | dict | Full resource manifest |
+| rules | []dict | Cluster Role Rules |
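Review bot: The `rules` row is described as "Cluster Role Rules", but k8s.rbac.role is the namespaced Role (the table has a `namespace` field and the page description is "Kubernetes Role"). Suggest "Role rules", matching the "ClusterRole rules" wording on k8s.rbac.clusterrole.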
diff --git a/docs/mql/resources/k8s-pack/k8s.rbac.rolebinding.md b/docs/mql/resources/k8s-pack/k8s.rbac.rolebinding.md
new file mode 100644
index 000000000..46b4f7354
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.rbac.rolebinding.md
@@ -0,0 +1,34 @@
+---
+title: k8s.rbac.rolebinding
+id: k8s.rbac.rolebinding
+sidebar_label: k8s.rbac.rolebinding
+displayed_sidebar: MQL
+description: Kubernetes RoleBinding
+---
+
+# k8s.rbac.rolebinding
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes RoleBinding
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------- | ---------------------------------------------------------------- |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| resourceVersion | string | Kubernetes resource version |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
+| name | string | Kubernetes object name |
+| namespace | string | Kubernetes object namespace |
+| kind | string | Kubernetes object type |
+| created | time | Kubernetes object creation timestamp |
+| manifest | dict | Full resource manifest |
+| subjects | []dict | Subjects holds references to the objects the role applies to |
+| roleRef | dict | RoleRef can only reference a ClusterRole in the global namespace |
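Review bot: The `roleRef` description, "RoleRef can only reference a ClusterRole in the global namespace", reads as carried over from the ClusterRoleBinding page. A RoleBinding's roleRef can point to a Role in the binding's own namespace or to a ClusterRole, and readers auditing bindings need to tell the two apart. Suggest wording such as "Role in the same namespace, or ClusterRole, that the binding grants". The `subjects` text could also drop the leading "Subjects holds" to match the ClusterRoleBinding row.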
diff --git a/docs/mql/resources/k8s-pack/k8s.replicaset.md b/docs/mql/resources/k8s-pack/k8s.replicaset.md
new file mode 100644
index 000000000..ff40fc7a2
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.replicaset.md
@@ -0,0 +1,35 @@
+---
+title: k8s.replicaset
+id: k8s.replicaset
+sidebar_label: k8s.replicaset
+displayed_sidebar: MQL
+description: Kubernetes ReplicaSet
+---
+
+# k8s.replicaset
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes ReplicaSet
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | --------------------------------------------------- | ------------------------------------ |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| resourceVersion | string | Kubernetes resource version |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
+| name | string | Kubernetes object name |
+| namespace | string | Kubernetes object namespace |
+| kind | string | Kubernetes object type |
+| created | time | Kubernetes object creation timestamp |
+| manifest | dict | Full resource manifest |
+| podSpec | dict | Pod description |
+| initContainers | [][k8s.initContainer](k8s.initcontainer.md) | Init containers |
+| containers | [][k8s.container](k8s.container.md) | Contained containers |
diff --git a/docs/mql/resources/k8s-pack/k8s.secret.md b/docs/mql/resources/k8s-pack/k8s.secret.md
new file mode 100644
index 000000000..692052274
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.secret.md
@@ -0,0 +1,34 @@
+---
+title: k8s.secret
+id: k8s.secret
+sidebar_label: k8s.secret
+displayed_sidebar: MQL
+description: Kubernetes Secret
+---
+
+# k8s.secret
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes Secret
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------------------- | ------------------------------------ |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| resourceVersion | string | Kubernetes resource version |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
+| name | string | Kubernetes object name |
+| namespace | string | Kubernetes object namespace |
+| kind | string | Kubernetes object type |
+| created | time | Kubernetes object creation timestamp |
+| manifest | dict | Full resource manifest |
+| type | string | Secret type |
+| certificates | []network.certificate | Secret certificates |
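Review bot: `manifest` is documented as "Full resource manifest" with no statement of whether a Secret's data values are included in what the query returns. Please state that explicitly on this page, since query output commonly ends up in reports and logs. Also, `[]network.certificate` is not linked to a reference page, unlike the other resource-typed fields in this patch.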
diff --git a/docs/mql/resources/k8s-pack/k8s.service.md b/docs/mql/resources/k8s-pack/k8s.service.md
new file mode 100644
index 000000000..0e621bfda
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.service.md
@@ -0,0 +1,33 @@
+---
+title: k8s.service
+id: k8s.service
+sidebar_label: k8s.service
+displayed_sidebar: MQL
+description: Kubernetes Service
+---
+
+# k8s.service
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes Service
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------- | ------------------------------------ |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| resourceVersion | string | Kubernetes resource version |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
+| name | string | Kubernetes object name |
+| namespace | string | Kubernetes object namespace |
+| kind | string | Kubernetes object type |
+| created | time | Kubernetes object creation timestamp |
+| manifest | dict | Full resource manifest |
+| spec | dict | Service Spec |
diff --git a/docs/mql/resources/k8s-pack/k8s.serviceaccount.md b/docs/mql/resources/k8s-pack/k8s.serviceaccount.md
new file mode 100644
index 000000000..ebfa5d7da
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.serviceaccount.md
@@ -0,0 +1,35 @@
+---
+title: k8s.serviceaccount
+id: k8s.serviceaccount
+sidebar_label: k8s.serviceaccount
+displayed_sidebar: MQL
+description: Kubernetes service account
+---
+
+# k8s.serviceaccount
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes service account
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------------- | ----------------- | ------------------------------------------------------------------------------------------- |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| resourceVersion | string | Kubernetes resource version |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
+| name | string | Kubernetes object name |
+| namespace | string | Kubernetes object namespace |
+| kind | string | Kubernetes object type |
+| created | time | Kubernetes object creation timestamp |
+| manifest | dict | Full resource manifest |
+| secrets | []dict | List of secrets that Pods running using this service account are allowed to use |
+| imagePullSecrets | []dict | List of references to secrets in the same namespace to use for pulling any images |
+| automountServiceAccountToken | bool | Whether pods running as this service account should have an API token automatically mounted |
diff --git a/docs/mql/resources/k8s-pack/k8s.statefulset.md b/docs/mql/resources/k8s-pack/k8s.statefulset.md
new file mode 100644
index 000000000..78ff61bdc
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.statefulset.md
@@ -0,0 +1,35 @@
+---
+title: k8s.statefulset
+id: k8s.statefulset
+sidebar_label: k8s.statefulset
+displayed_sidebar: MQL
+description: Kubernetes StatefulSet
+---
+
+# k8s.statefulset
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes StatefulSet
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | --------------------------------------------------- | ------------------------------------ |
+| id | string | Mondoo ID for the Kubernetes object |
+| uid | string | Kubernetes object UID |
+| resourceVersion | string | Kubernetes resource version |
+| labels | map[string]string | Kubernetes labels |
+| annotations | map[string]string | Kubernetes annotations |
+| name | string | Kubernetes object name |
+| namespace | string | Kubernetes object namespace |
+| kind | string | Kubernetes object type |
+| created | time | Kubernetes object creation timestamp |
+| manifest | dict | Full resource manifest |
+| podSpec | dict | Pod description |
+| initContainers | [][k8s.initContainer](k8s.initcontainer.md) | Init containers |
+| containers | [][k8s.container](k8s.container.md) | Contained containers |
diff --git a/docs/mql/resources/k8s-pack/k8s.userinfo.md b/docs/mql/resources/k8s-pack/k8s.userinfo.md
new file mode 100644
index 000000000..5ef929bcd
--- /dev/null
+++ b/docs/mql/resources/k8s-pack/k8s.userinfo.md
@@ -0,0 +1,24 @@
+---
+title: k8s.userinfo
+id: k8s.userinfo
+sidebar_label: k8s.userinfo
+displayed_sidebar: MQL
+description: Kubernetes UserInfo
+---
+
+# k8s.userinfo
+
+**Supported platform**
+
+- kubernetes
+
+**Description**
+
+Kubernetes UserInfo
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ------ | ------------------------ |
+| username | string | The username of the user |
+| uid | string | The UID of the user |
diff --git a/docs/mql/resources/ms365-pack/README.md b/docs/mql/resources/ms365-pack/README.md
new file mode 100644
index 000000000..f82442e86
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/README.md
@@ -0,0 +1,40 @@
+---
+title: Microsoft 365 (MS365) Resource Pack - MQL Resources
+id: microsoft.365.ms365.pack
+sidebar_label: Microsoft 365 (MS365) Resource Pack
+displayed_sidebar: MQL
+description: The Microsoft 365 (MS365) resource pack lets you use MQL to query and assess the security of your Microsoft 365 identities and configuration.
+---
+
+# Mondoo Microsoft 365 (MS365) Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| --------------------------------------------------------------------------------------------------------- | --------------------------------------------------- |
+| [microsoft](microsoft.md) | Microsoft |
+| [microsoft.application](microsoft.application.md) | Microsoft application |
+| [microsoft.devicemanagement](microsoft.devicemanagement.md) | Microsoft device management |
+| [microsoft.devicemanagement.devicecompliancepolicy](microsoft.devicemanagement.devicecompliancepolicy.md) | Microsoft device compliance policy |
+| [microsoft.devicemanagement.deviceconfiguration](microsoft.devicemanagement.deviceconfiguration.md) | Microsoft device configuration |
+| [microsoft.domain](microsoft.domain.md) | Microsoft domain |
+| [microsoft.domaindnsrecord](microsoft.domaindnsrecord.md) | Microsoft domain DNS record |
+| [microsoft.group](microsoft.group.md) | Microsoft group |
+| [microsoft.organization](microsoft.organization.md) | Microsoft organization |
+| [microsoft.policies](microsoft.policies.md) | Microsoft policies |
+| [microsoft.rolemanagement](microsoft.rolemanagement.md) | Microsoft role management |
+| [microsoft.rolemanagement.roleassignment](microsoft.rolemanagement.roleassignment.md) | Microsoft role assignment |
+| [microsoft.rolemanagement.roledefinition](microsoft.rolemanagement.roledefinition.md) | Microsoft role definition |
+| [microsoft.security](microsoft.security.md) | Microsoft Security |
+| [microsoft.security.securityscore](microsoft.security.securityscore.md) | Microsoft Secure Score |
+| [microsoft.serviceprincipal](microsoft.serviceprincipal.md) | Microsoft service principal |
+| [microsoft.serviceprincipal.assignment](microsoft.serviceprincipal.assignment.md) | Microsoft Service Principal Assignment |
+| [microsoft.user](microsoft.user.md) | Microsoft user |
+| [ms365.exchangeonline](ms365.exchangeonline.md) | Microsoft 365 Exchange Online |
+| [ms365.exchangeonline.exoMailbox](ms365.exchangeonline.exomailbox.md) | Microsoft 365 Exchange Online Mailbox |
+| [ms365.exchangeonline.externalSender](ms365.exchangeonline.externalsender.md) | Microsoft 365 Exchange Online External Sender |
+| [ms365.sharepointonline](ms365.sharepointonline.md) | Microsoft 365 SharePoint Online |
+| [ms365.sharepointonline.site](ms365.sharepointonline.site.md) | Microsoft 365 SharePoint Site |
+| [ms365.teams](ms365.teams.md) | Microsoft 365 Teams |
+| [ms365.teams.teamsMeetingPolicyConfig](ms365.teams.teamsmeetingpolicyconfig.md) | Teams meeting policy configuration |
+| [ms365.teams.tenantFederationConfig](ms365.teams.tenantfederationconfig.md) | Microsoft 365 Teams tenant federation configuration |
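Review bot: The DESCRIPTION column mixes capitalization styles: "Microsoft Security" and "Microsoft Service Principal Assignment" are title case, while "Microsoft service principal", "Microsoft role assignment" and the rest are sentence case. Pick one (sentence case matches most rows). "Teams meeting policy configuration" is also the only ms365.\* row without the "Microsoft 365" prefix.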
diff --git a/docs/mql/resources/ms365-pack/microsoft.application.md b/docs/mql/resources/ms365-pack/microsoft.application.md
new file mode 100644
index 000000000..a1cc56068
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/microsoft.application.md
@@ -0,0 +1,25 @@
+---
+title: microsoft.application
+id: microsoft.application
+sidebar_label: microsoft.application
+displayed_sidebar: MQL
+description: Microsoft application
+---
+
+# microsoft.application
+
+**Description**
+
+Microsoft application
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ---------------- | ---------------------------- |
+| id | string | Application ID |
+| appId | string | Application app ID |
+| createdDateTime | time | Application creation date |
+| identifierUris | []string | Application identifier URIs |
+| displayName | string | Application display name |
+| publisherDomain | string | Application publisher domain |
+| signInAudience | string | Application sign-in audience |
diff --git a/docs/mql/resources/ms365-pack/microsoft.devicemanagement.devicecompliancepolicy.md b/docs/mql/resources/ms365-pack/microsoft.devicemanagement.devicecompliancepolicy.md
new file mode 100644
index 000000000..4557dbca9
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/microsoft.devicemanagement.devicecompliancepolicy.md
@@ -0,0 +1,26 @@
+---
+title: microsoft.devicemanagement.devicecompliancepolicy
+id: microsoft.devicemanagement.devicecompliancepolicy
+sidebar_label: microsoft.devicemanagement.devicecompliancepolicy
+displayed_sidebar: MQL
+description: Microsoft device compliance policy
+---
+
+# microsoft.devicemanagement.devicecompliancepolicy
+
+**Description**
+
+Microsoft device compliance policy
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | -------------- | -------------------------------------------- |
+| id | string | Device compliance policy ID |
+| createdDateTime | time | Device compliance policy creation date |
+| description | string | Device compliance policy description |
+| displayName | string | Device compliance policy display name |
+| lastModifiedDateTime | time | Device compliance policy last modified date |
+| version | int | Device compliance policy version |
+| assignments | []dict | Device compliance policy assignments |
+| properties | dict | Deprecated; kept for backwards compatibility |
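Review bot: The `properties` row says only "Deprecated; kept for backwards compatibility". Name the field or fields that replace it so users know what to migrate existing queries to. The same wording appears on the deviceconfiguration and domaindnsrecord pages and needs the same fix there.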
diff --git a/docs/mql/resources/ms365-pack/microsoft.devicemanagement.deviceconfiguration.md b/docs/mql/resources/ms365-pack/microsoft.devicemanagement.deviceconfiguration.md
new file mode 100644
index 000000000..6720b128e
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/microsoft.devicemanagement.deviceconfiguration.md
@@ -0,0 +1,25 @@
+---
+title: microsoft.devicemanagement.deviceconfiguration
+id: microsoft.devicemanagement.deviceconfiguration
+sidebar_label: microsoft.devicemanagement.deviceconfiguration
+displayed_sidebar: MQL
+description: Microsoft device configuration
+---
+
+# microsoft.devicemanagement.deviceconfiguration
+
+**Description**
+
+Microsoft device configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | ------ | -------------------------------------------- |
+| id | string | Device configuration ID |
+| lastModifiedDateTime | time | Device configuration last modify date |
+| createdDateTime | time | Device configuration creation date |
+| description | string | Device configuration description |
+| displayName | string | Device configuration display name |
+| version | int | Device configuration version |
+| properties | dict | Deprecated; kept for backwards compatibility |
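Review bot: `lastModifiedDateTime` is described as "Device configuration last modify date", while the device compliance policy page uses "last modified date" for the same field. Use "last modified date" here for consistency.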
diff --git a/docs/mql/resources/ms365-pack/microsoft.devicemanagement.md b/docs/mql/resources/ms365-pack/microsoft.devicemanagement.md
new file mode 100644
index 000000000..d5f37209c
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/microsoft.devicemanagement.md
@@ -0,0 +1,20 @@
+---
+title: microsoft.devicemanagement
+id: microsoft.devicemanagement
+sidebar_label: microsoft.devicemanagement
+displayed_sidebar: MQL
+description: Microsoft device management
+---
+
+# microsoft.devicemanagement
+
+**Description**
+
+Microsoft device management
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------ | ------------------------------------------------------------------------------------------------------------------- | ---------------------------------- |
+| deviceConfigurations | [][microsoft.devicemanagement.deviceconfiguration](microsoft.devicemanagement.deviceconfiguration.md) | List of device configurations |
+| deviceCompliancePolicies | [][microsoft.devicemanagement.devicecompliancepolicy](microsoft.devicemanagement.devicecompliancepolicy.md) | List of device compliance policies |
diff --git a/docs/mql/resources/ms365-pack/microsoft.domain.md b/docs/mql/resources/ms365-pack/microsoft.domain.md
new file mode 100644
index 000000000..d9c77e348
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/microsoft.domain.md
@@ -0,0 +1,30 @@
+---
+title: microsoft.domain
+id: microsoft.domain
+sidebar_label: microsoft.domain
+displayed_sidebar: MQL
+description: Microsoft domain
+---
+
+# microsoft.domain
+
+**Description**
+
+Microsoft domain
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------------------- | ------------------------------------------------------------------- | ------------------------------------------ |
+| id | string | Domain ID |
+| authenticationType | string | Domain authentication type |
+| availabilityStatus | string | Domain availability status |
+| isAdminManaged | bool | Whether the domain is admin managed |
+| isDefault | bool | Whether the domain is the default domain |
+| isInitial | bool | Whether the domain is the initial domain |
+| isRoot | bool | Whether the domain is a root domain |
+| isVerified | bool | Whether the domain is verified |
+| passwordNotificationWindowInDays | int | Domain password notification window (days) |
+| passwordValidityPeriodInDays | int | Domain password validity period (days) |
+| supportedServices | []string | List of supported services |
+| serviceConfigurationRecords | [][microsoft.domaindnsrecord](microsoft.domaindnsrecord.md) | List of service configuration records |
diff --git a/docs/mql/resources/ms365-pack/microsoft.domaindnsrecord.md b/docs/mql/resources/ms365-pack/microsoft.domaindnsrecord.md
new file mode 100644
index 000000000..c2fbe0288
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/microsoft.domaindnsrecord.md
@@ -0,0 +1,25 @@
+---
+title: microsoft.domaindnsrecord
+id: microsoft.domaindnsrecord
+sidebar_label: microsoft.domaindnsrecord
+displayed_sidebar: MQL
+description: Microsoft domain DNS record
+---
+
+# microsoft.domaindnsrecord
+
+**Description**
+
+Microsoft domain DNS record
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ------ | -------------------------------------------- |
+| id | string | Domain record ID |
+| isOptional | bool | Whether the domain record is optional |
+| label | string | Domain record label |
+| recordType | string | Domain record type |
+| supportedService | string | Domain record supported service |
+| ttl | int | Domain record TTL |
+| properties | dict | Deprecated; kept for backwards compatibility |
diff --git a/docs/mql/resources/ms365-pack/microsoft.group.md b/docs/mql/resources/ms365-pack/microsoft.group.md
new file mode 100644
index 000000000..7130c873b
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/microsoft.group.md
@@ -0,0 +1,26 @@
+---
+title: microsoft.group
+id: microsoft.group
+sidebar_label: microsoft.group
+displayed_sidebar: MQL
+description: Microsoft group
+---
+
+# microsoft.group
+
+**Description**
+
+Microsoft group
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | --------------------------------------------- | ----------------------------- |
+| id | string | Group ID |
+| displayName | string | Group display name |
+| securityEnabled | bool | Group security enabled status |
+| mailEnabled | bool | Group email enabled status |
+| mailNickname | string | Group email nickname |
+| mail | string | Group email |
+| visibility | string | Group visibility state |
+| members | [][microsoft.user](microsoft.user.md) | List of group members |
diff --git a/docs/mql/resources/ms365-pack/microsoft.md b/docs/mql/resources/ms365-pack/microsoft.md
new file mode 100644
index 000000000..92bbdf747
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/microsoft.md
@@ -0,0 +1,27 @@
+---
+title: microsoft
+id: microsoft
+sidebar_label: microsoft
+displayed_sidebar: MQL
+description: Microsoft
+---
+
+# microsoft
+
+**Description**
+
+Microsoft
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------------- | --------------------------------------------------------------------- | ------------------------------------------ |
+| organizations | [][microsoft.organization](microsoft.organization.md) | List of organizations |
+| users | [][microsoft.user](microsoft.user.md) | List of users |
+| groups | [][microsoft.group](microsoft.group.md) | List of groups |
+| domains | [][microsoft.domain](microsoft.domain.md) | List of domains |
+| applications | [][microsoft.application](microsoft.application.md) | List of applications |
+| serviceprincipals | [][microsoft.serviceprincipal](microsoft.serviceprincipal.md) | List of service principals |
+| enterpriseApplications | [][microsoft.serviceprincipal](microsoft.serviceprincipal.md) | List of enterprise applications |
+| settings | dict | Microsoft 365 settings |
+| tenantDomainName | string | The connected tenant's default domain name |
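Review bot: `serviceprincipals` and `enterpriseApplications` both return `[]microsoft.serviceprincipal`, and the descriptions do not say how the two lists differ. Add a phrase stating what distinguishes an enterprise application from the full service principal list. The all-lowercase `serviceprincipals` also departs from the camelCase used by `enterpriseApplications` and `tenantDomainName`; please confirm the ID matches the schema.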
diff --git a/docs/mql/resources/ms365-pack/microsoft.organization.md b/docs/mql/resources/ms365-pack/microsoft.organization.md
new file mode 100644
index 000000000..41b67b63e
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/microsoft.organization.md
@@ -0,0 +1,24 @@
+---
+title: microsoft.organization
+id: microsoft.organization
+sidebar_label: microsoft.organization
+displayed_sidebar: MQL
+description: Microsoft organization
+---
+
+# microsoft.organization
+
+**Description**
+
+Microsoft organization
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------- | -------------- | ------------------------------------------------------------ |
+| id | string | Organization ID |
+| assignedPlans | []dict | Organization assigned plans |
+| createdDateTime | time | Organization creation date |
+| displayName | string | Organization display name |
+| verifiedDomains | []dict | Organization verified domains |
+| onPremisesSyncEnabled | bool | Whether password hash sync is enabled for hybrid deployments |
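Review bot: `onPremisesSyncEnabled` is described as "Whether password hash sync is enabled for hybrid deployments", but the field name refers to on-premises directory synchronization in general, not to password hash sync specifically. A policy author relying on this text could treat the value as evidence that password hashes are synced. Suggest "Whether the organization is synced from an on-premises directory", or confirm against the provider what the value actually reflects.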
diff --git a/docs/mql/resources/ms365-pack/microsoft.policies.md b/docs/mql/resources/ms365-pack/microsoft.policies.md
new file mode 100644
index 000000000..9e4125c6b
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/microsoft.policies.md
@@ -0,0 +1,22 @@
+---
+title: microsoft.policies
+id: microsoft.policies
+sidebar_label: microsoft.policies
+displayed_sidebar: MQL
+description: Microsoft policies
+---
+
+# microsoft.policies
+
+**Description**
+
+Microsoft policies
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------------------------------- | -------------- | -------------------------------------------- |
+| authorizationPolicy | dict | Authorization policy |
+| identitySecurityDefaultsEnforcementPolicy | dict | Identity security default enforcement policy |
+| adminConsentRequestPolicy | dict | Admin consent request policy |
+| permissionGrantPolicies | []dict | Permission grant policies |
diff --git a/docs/mql/resources/ms365-pack/microsoft.rolemanagement.md b/docs/mql/resources/ms365-pack/microsoft.rolemanagement.md
new file mode 100644
index 000000000..a00a56966
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/microsoft.rolemanagement.md
@@ -0,0 +1,19 @@
+---
+title: microsoft.rolemanagement
+id: microsoft.rolemanagement
+sidebar_label: microsoft.rolemanagement
+displayed_sidebar: MQL
+description: Microsoft role management
+---
+
+# microsoft.rolemanagement
+
+**Description**
+
+Microsoft role management
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------------------------------------------------------------------------------------- | ------------------------ |
+| roleDefinitions | [][microsoft.rolemanagement.roledefinition](microsoft.rolemanagement.roledefinition.md) | List of role definitions |
diff --git a/docs/mql/resources/ms365-pack/microsoft.rolemanagement.roleassignment.md b/docs/mql/resources/ms365-pack/microsoft.rolemanagement.roleassignment.md
new file mode 100644
index 000000000..1b16d7be3
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/microsoft.rolemanagement.roleassignment.md
@@ -0,0 +1,22 @@
+---
+title: microsoft.rolemanagement.roleassignment
+id: microsoft.rolemanagement.roleassignment
+sidebar_label: microsoft.rolemanagement.roleassignment
+displayed_sidebar: MQL
+description: Microsoft role assignment
+---
+
+# microsoft.rolemanagement.roleassignment
+
+**Description**
+
+Microsoft role assignment
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ------ | -------------------- |
+| id | string | Role assignment ID |
+| roleDefinitionId | string | Role definition ID |
+| principalId | string | Service principal ID |
+| principal | dict | Service principal |
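Review bot: `principalId` and `principal` are described as "Service principal ID" and "Service principal", but a directory role can be assigned to a user or a group as well as to a service principal, so this wording misleads anyone reviewing privileged role membership. Suggest "ID of the principal (user, group, or service principal) the role is assigned to" and "The assigned principal", and note which keys the `principal` dict carries.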
diff --git a/docs/mql/resources/ms365-pack/microsoft.rolemanagement.roledefinition.md b/docs/mql/resources/ms365-pack/microsoft.rolemanagement.roledefinition.md
new file mode 100644
index 000000000..86759057c
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/microsoft.rolemanagement.roledefinition.md
@@ -0,0 +1,27 @@
+---
+title: microsoft.rolemanagement.roledefinition
+id: microsoft.rolemanagement.roledefinition
+sidebar_label: microsoft.rolemanagement.roledefinition
+displayed_sidebar: MQL
+description: Microsoft role definition
+---
+
+# microsoft.rolemanagement.roledefinition
+
+**Description**
+
+Microsoft role definition
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------------------------------------------------------------------------------------- | ----------------------------------- |
+| id | string | Role definition ID |
+| description | string | Role definition description |
+| displayName | string | Role definition display name |
+| isBuiltIn | bool | Whether the role is built in |
+| isEnabled | bool | Whether the role is enabled |
+| rolePermissions | []dict | Role definition permissions |
+| templateId | string | Role definition template ID |
+| version | string | Role definition version |
+| assignments | [][microsoft.rolemanagement.roleassignment](microsoft.rolemanagement.roleassignment.md) | List of role definition assignments |
diff --git a/docs/mql/resources/ms365-pack/microsoft.security.md b/docs/mql/resources/ms365-pack/microsoft.security.md
new file mode 100644
index 000000000..8aefdfbdf
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/microsoft.security.md
@@ -0,0 +1,20 @@
+---
+title: microsoft.security
+id: microsoft.security
+sidebar_label: microsoft.security
+displayed_sidebar: MQL
+description: Microsoft Security
+---
+
+# microsoft.security
+
+**Description**
+
+Microsoft Security
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | --------------------------------------------------------------------------------- | ----------------------- |
+| secureScores | [][microsoft.security.securityscore](microsoft.security.securityscore.md) | List of security scores |
+| latestSecureScores | [microsoft.security.securityscore](microsoft.security.securityscore.md) | Latest security score |
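Review bot: `latestSecureScores` has a plural name but its type is a single `microsoft.security.securityscore`, and both rows say "security score" while the linked resource page describes itself as "Microsoft Secure Score". Use the product term consistently ("List of Microsoft Secure Scores", "Latest Microsoft Secure Score") and state in the second description that it returns one entry despite the plural name.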
diff --git a/docs/mql/resources/ms365-pack/microsoft.security.securityscore.md b/docs/mql/resources/ms365-pack/microsoft.security.securityscore.md
new file mode 100644
index 000000000..6a1502571
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/microsoft.security.securityscore.md
@@ -0,0 +1,29 @@
+---
+title: microsoft.security.securityscore
+id: microsoft.security.securityscore
+sidebar_label: microsoft.security.securityscore
+displayed_sidebar: MQL
+description: Microsoft Secure Score
+---
+
+# microsoft.security.securityscore
+
+**Description**
+
+Microsoft Secure Score
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------ | ---------------- | -------------------------------------- |
+| id | string | Secure Score ID |
+| activeUserCount | int | Secure Score active user count |
+| averageComparativeScores | []dict | Secure Score average comparative score |
+| azureTenantId | string | Secure Score tenant ID |
+| controlScores | []dict | Secure Score control scores |
+| createdDateTime | time | Secure Score creation time |
+| currentScore | float | Secure Score current score |
+| enabledServices | []string | Secure Score enabled services |
+| licensedUserCount | int | Secure Score licensed user count |
+| maxScore | float | Secure Score max score |
+| vendorInformation | dict | Secure Score vendor information |
diff --git a/docs/mql/resources/ms365-pack/microsoft.serviceprincipal.assignment.md b/docs/mql/resources/ms365-pack/microsoft.serviceprincipal.assignment.md
new file mode 100644
index 000000000..70a5d3180
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/microsoft.serviceprincipal.assignment.md
@@ -0,0 +1,21 @@
+---
+title: microsoft.serviceprincipal.assignment
+id: microsoft.serviceprincipal.assignment
+sidebar_label: microsoft.serviceprincipal.assignment
+displayed_sidebar: MQL
+description: Microsoft Service Principal Assignment
+---
+
+# microsoft.serviceprincipal.assignment
+
+**Description**
+
+Microsoft Service Principal Assignment
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | --------------------------------- |
+| id | string | Service Principal Assignment ID |
+| displayName | string | Service Principal Assignment name |
+| type | string | Service Principal Assignment type |
diff --git a/docs/mql/resources/ms365-pack/microsoft.serviceprincipal.md b/docs/mql/resources/ms365-pack/microsoft.serviceprincipal.md
new file mode 100644
index 000000000..5ff8143eb
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/microsoft.serviceprincipal.md
@@ -0,0 +1,30 @@
+---
+title: microsoft.serviceprincipal
+id: microsoft.serviceprincipal
+sidebar_label: microsoft.serviceprincipal
+displayed_sidebar: MQL
+description: Microsoft service principal
+---
+
+# microsoft.serviceprincipal
+
+**Description**
+
+Microsoft service principal
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | ------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- |
+| id | string | Service principal ID |
+| type | string | Service principal type |
+| name | string | Service principal name |
+| tags | []string | Service principal tags |
+| enabled | bool | Whether users can sign into the service principal (application) |
+| homepageUrl | string | Service principal homepage URL |
+| termsOfServiceUrl | string | Service principal terms of service URL |
+| replyUrls | []string | Service principal reply URLs |
+| assignmentRequired | bool | Whether users or other apps must be assigned to this service principal before using it |
+| visibleToUsers | bool | Whether the service principal is visible to users |
+| notes | string | Service principal notes |
+| assignments | [][microsoft.serviceprincipal.assignment](microsoft.serviceprincipal.assignment.md) | List of assignments (users and groups) this service principal has |
diff --git a/docs/mql/resources/ms365-pack/microsoft.user.md b/docs/mql/resources/ms365-pack/microsoft.user.md
new file mode 100644
index 000000000..99ae5bd82
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/microsoft.user.md
@@ -0,0 +1,40 @@
+---
+title: microsoft.user
+id: microsoft.user
+sidebar_label: microsoft.user
+displayed_sidebar: MQL
+description: Microsoft user
+---
+
+# microsoft.user
+
+**Description**
+
+Microsoft user
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ---------------- | ----------------------------- |
+| id | string | User ID |
+| accountEnabled | bool | User account status |
+| city | string | User city |
+| companyName | string | User company name |
+| country | string | User country |
+| createdDateTime | time | User create time |
+| department | string | User department |
+| displayName | string | User display name |
+| employeeId | string | User employee ID |
+| givenName | string | User given name |
+| jobTitle | string | User job title |
+| mail | string | User email |
+| mobilePhone | string | User mobile phone |
+| otherMails | []string | List of other email addresses |
+| officeLocation | string | User office location |
+| postalCode | string | User postal code |
+| state | string | User state |
+| streetAddress | string | User street address |
+| surname | string | User surname |
+| userPrincipalName | string | User service principal name |
+| userType | string | User type |
+| settings | dict | User settings |
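Review bot: `userPrincipalName` is described as "User service principal name", which confuses the UPN (the user's sign-in name) with service principals, a separate object type documented in `microsoft.serviceprincipal.md`. Suggest "User principal name (UPN)". In the same table, `accountEnabled` is a bool described as "User account status"; "Whether the user account is enabled" makes the meaning of `true` explicit, and "User create time" for `createdDateTime` reads better as "User creation time".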
diff --git a/docs/mql/resources/ms365-pack/ms365.exchangeonline.exomailbox.md b/docs/mql/resources/ms365-pack/ms365.exchangeonline.exomailbox.md
new file mode 100644
index 000000000..3ea73984b
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/ms365.exchangeonline.exomailbox.md
@@ -0,0 +1,21 @@
+---
+title: ms365.exchangeonline.exoMailbox
+id: ms365.exchangeonline.exoMailbox
+sidebar_label: ms365.exchangeonline.exoMailbox
+displayed_sidebar: MQL
+description: Microsoft 365 Exchange Online Mailbox
+---
+
+# ms365.exchangeonline.exoMailbox
+
+**Description**
+
+Microsoft 365 Exchange Online Mailbox
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------- | ----------------------------------- | ---------------------------------------------------------- |
+| identity | string | The identity of the mailbox |
+| user | [microsoft.user](microsoft.user.md) | The user linked to this mailbox |
+| externalDirectoryObjectId | string | The identity of the external object linked to this mailbox |
diff --git a/docs/mql/resources/ms365-pack/ms365.exchangeonline.externalsender.md b/docs/mql/resources/ms365-pack/ms365.exchangeonline.externalsender.md
new file mode 100644
index 000000000..31ceee943
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/ms365.exchangeonline.externalsender.md
@@ -0,0 +1,21 @@
+---
+title: ms365.exchangeonline.externalSender
+id: ms365.exchangeonline.externalSender
+sidebar_label: ms365.exchangeonline.externalSender
+displayed_sidebar: MQL
+description: Microsoft 365 Exchange Online External Sender
+---
+
+# ms365.exchangeonline.externalSender
+
+**Description**
+
+Microsoft 365 Exchange Online External Sender
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ---------------- | ----------------------------------------------------------------------------------------------- |
+| identity | string | The identity of the external sender |
+| allowList | []string | The list of specified senders that do not receive the External icon in the area of subject line |
+| enabled | bool | Whether the feature is enabled |
diff --git a/docs/mql/resources/ms365-pack/ms365.exchangeonline.md b/docs/mql/resources/ms365-pack/ms365.exchangeonline.md
new file mode 100644
index 000000000..e4a2b6dba
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/ms365.exchangeonline.md
@@ -0,0 +1,37 @@
+---
+title: ms365.exchangeonline
+id: ms365.exchangeonline
+sidebar_label: ms365.exchangeonline
+displayed_sidebar: MQL
+description: Microsoft 365 Exchange Online
+---
+
+# ms365.exchangeonline
+
+**Description**
+
+Microsoft 365 Exchange Online
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------------ | --------------------------------------------------------------------------------------- | -------------------------------------------- |
+| malwareFilterPolicy | []dict | List of malware filter policies |
+| hostedOutboundSpamFilterPolicy | []dict | List of hosted outbound spam filter policies |
+| transportRule | []dict | Transport rules |
+| remoteDomain | []dict | List of remote domains |
+| safeLinksPolicy | []dict | List of safe links policies |
+| safeAttachmentPolicy | []dict | List of safe attachment policies |
+| organizationConfig | dict | Organization configurations |
+| authenticationPolicy | []dict | List of authentication policies |
+| antiPhishPolicy | []dict | List of anti-phishing policies |
+| dkimSigningConfig | []dict | List of dkim signing configurations |
+| owaMailboxPolicy | []dict | List of OWA mailbox policies |
+| adminAuditLogConfig | dict | Admin audit log configuration |
+| phishFilterPolicy | []dict | List of phishing filter policies |
+| mailbox | []dict | List of mailboxes |
+| atpPolicyForO365 | []dict | List of APT policies for Office 365 |
+| sharingPolicy | []dict | List of sharing policies |
+| roleAssignmentPolicy | []dict | List of role assignment policies |
+| externalInOutlook | [][ms365.exchangeonline.externalSender](ms365.exchangeonline.externalsender.md) | List of external sender configurations |
+| sharedMailboxes | [][ms365.exchangeonline.exoMailbox](ms365.exchangeonline.exomailbox.md) | List of shared mailboxes |
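Review bot: The `atpPolicyForO365` row reads "List of APT policies for Office 365"; the field name says ATP, and "APT" means something quite different to a security reader. In the same table, "dkim" in the `dkimSigningConfig` row should be "DKIM", and "Transport rules" for `transportRule` should follow the "List of ..." pattern the other `[]dict` rows use.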
diff --git a/docs/mql/resources/ms365-pack/ms365.sharepointonline.md b/docs/mql/resources/ms365-pack/ms365.sharepointonline.md
new file mode 100644
index 000000000..adb93308c
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/ms365.sharepointonline.md
@@ -0,0 +1,21 @@
+---
+title: ms365.sharepointonline
+id: ms365.sharepointonline
+sidebar_label: ms365.sharepointonline
+displayed_sidebar: MQL
+description: Microsoft 365 SharePoint Online
+---
+
+# ms365.sharepointonline
+
+**Description**
+
+Microsoft 365 SharePoint Online
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------------ | ----------------------------------------------------------------------- | ------------------------------------------------ |
+| spoTenant | dict | SharePoint Online tenant |
+| spoTenantSyncClientRestriction | dict | SharePoint Online tenant sync client restriction |
+| spoSites | [][ms365.sharepointonline.site](ms365.sharepointonline.site.md) | SharePoint Online tenant sites |
diff --git a/docs/mql/resources/ms365-pack/ms365.sharepointonline.site.md b/docs/mql/resources/ms365-pack/ms365.sharepointonline.site.md
new file mode 100644
index 000000000..4162b2023
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/ms365.sharepointonline.site.md
@@ -0,0 +1,20 @@
+---
+title: ms365.sharepointonline.site
+id: ms365.sharepointonline.site
+sidebar_label: ms365.sharepointonline.site
+displayed_sidebar: MQL
+description: Microsoft 365 SharePoint Site
+---
+
+# ms365.sharepointonline.site
+
+**Description**
+
+Microsoft 365 SharePoint Site
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------ | ------ | ------------------------------------------------------------- |
+| url | string | The site URL |
+| denyAddAndCustomizePages | bool | Whether custom script execution on a particulate site allowed |
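Review bot: The description of `denyAddAndCustomizePages` has the polarity backwards relative to the field name and contains a typo: "Whether custom script execution on a particulate site allowed". The field is named `deny...`, so a `true` value should mean custom script is blocked, yet the text describes it as "allowed". Someone writing an assertion against this field could easily invert the check. Suggest "Whether adding and customizing pages (custom script) is denied on this site" and confirm the bool semantics against the provider.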
diff --git a/docs/mql/resources/ms365-pack/ms365.teams.md b/docs/mql/resources/ms365-pack/ms365.teams.md
new file mode 100644
index 000000000..5a2f77099
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/ms365.teams.md
@@ -0,0 +1,21 @@
+---
+title: ms365.teams
+id: ms365.teams
+sidebar_label: ms365.teams
+displayed_sidebar: MQL
+description: Microsoft 365 Teams
+---
+
+# ms365.teams
+
+**Description**
+
+Microsoft 365 Teams
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------------- | ------------------------------------------------------------------------------- | --------------------------------------- |
+| csTeamsClientConfiguration | dict | CS Teams client configuration |
+| csTenantFederationConfiguration | [ms365.teams.tenantFederationConfig](ms365.teams.tenantfederationconfig.md) | CS Teams tenant federated configuration |
+| csTeamsMeetingPolicy | [ms365.teams.teamsMeetingPolicyConfig](ms365.teams.teamsmeetingpolicyconfig.md) | CS Teams meeting policy configuration |
diff --git a/docs/mql/resources/ms365-pack/ms365.teams.teamsmeetingpolicyconfig.md b/docs/mql/resources/ms365-pack/ms365.teams.teamsmeetingpolicyconfig.md
new file mode 100644
index 000000000..92b1ac347
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/ms365.teams.teamsmeetingpolicyconfig.md
@@ -0,0 +1,26 @@
+---
+title: ms365.teams.teamsMeetingPolicyConfig
+id: ms365.teams.teamsMeetingPolicyConfig
+sidebar_label: ms365.teams.teamsMeetingPolicyConfig
+displayed_sidebar: MQL
+description: Teams meeting policy configuration
+---
+
+# ms365.teams.teamsMeetingPolicyConfig
+
+**Description**
+
+Teams meeting policy configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------------------------ | ------ | --------------------------------------------------------------------------- |
+| allowAnonymousUsersToJoinMeeting | bool | Whether anonymous users are allowed to join |
+| allowAnonymousUsersToStartMeeting | bool | Whether anonymous users are allowed to start the meeting |
+| autoAdmittedUsers | string | Who can bypass the lobby |
+| allowPSTNUsersToBypassLobby | bool | Whether public switched telephone network (PSTN) users can bypass the lobby |
+| meetingChatEnabledType | string | Whether meeting chat is enabled |
+| designatedPresenterRoleMode | string | Designated presenter role mode |
+| allowExternalParticipantGiveRequestControl | bool | Whether external participants can give or request control of the meeting |
+| allowSecurityEndUserReporting | bool | Whether users can report security concerns |
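Review bot: `meetingChatEnabledType` is typed `string` but described as "Whether meeting chat is enabled", which reads like a bool. The same gap applies to `autoAdmittedUsers` and `designatedPresenterRoleMode`: all three are strings with no indication of the values they can take, so a policy author cannot write an assertion from this page alone. List the accepted values or link to where they are defined.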
diff --git a/docs/mql/resources/ms365-pack/ms365.teams.tenantfederationconfig.md b/docs/mql/resources/ms365-pack/ms365.teams.tenantfederationconfig.md
new file mode 100644
index 000000000..9e5519c64
--- /dev/null
+++ b/docs/mql/resources/ms365-pack/ms365.teams.tenantfederationconfig.md
@@ -0,0 +1,27 @@
+---
+title: ms365.teams.tenantFederationConfig
+id: ms365.teams.tenantFederationConfig
+sidebar_label: ms365.teams.tenantFederationConfig
+displayed_sidebar: MQL
+description: Microsoft 365 Teams tenant federation configuration
+---
+
+# ms365.teams.tenantFederationConfig
+
+**Description**
+
+Microsoft 365 Teams tenant federation configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------------------------- | ------ | -------------------------------------------------------------------- |
+| identity | string | ID of the collection of tenant federation configuration settings |
+| blockedDomains | dict | Blocked domains |
+| allowFederatedUsers | bool | Whether federated users are allowed |
+| allowPublicUsers | bool | Whether public users are allowed |
+| allowTeamsConsumer | bool | Whether to allow external Teams consumers |
+| allowTeamsConsumerInbound | bool | Whether to allow inbound communication with external Teams consumers |
+| treatDiscoveredPartnersAsUnverified | bool | Whether to treat discovered partners as unverified |
+| sharedSipAddressSpace | bool | Whether shared SIP address space is enabled |
+| restrictTeamsConsumerToExternalUserProfiles | bool | Whether to restrict Teams consumer to external user profiles |
diff --git a/docs/mql/resources/network-pack/README.md b/docs/mql/resources/network-pack/README.md
new file mode 100644
index 000000000..8d4c96283
--- /dev/null
+++ b/docs/mql/resources/network-pack/README.md
@@ -0,0 +1,39 @@
+---
+title: Network Resource Pack - MQL Resources
+id: network.pack
+sidebar_label: Network Resource Pack
+displayed_sidebar: MQL
+description: The network resource pack lets you use MQL to query and assess the security of domains and network services.
+---
+
+# Mondoo Network Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| --------------------------------------------------------- | ------------------------------------------------------------------------- |
+| [certificate](certificate.md) | x509 certificate resource |
+| [certificates](certificates.md) | x509 certificates resource |
+| [dns](dns.md) | DNS resource |
+| [dns.dkimRecord](dns.dkimrecord.md) | DKIM public key representation as defined in RFC 6376 |
+| [dns.mxRecord](dns.mxrecord.md) | DNS MX record |
+| [dns.record](dns.record.md) | DNS record |
+| [domainName](domainname.md) | Domain name |
+| [http](http.md) | HTTP endpoint |
+| [http.get](http.get.md) | HTTP GET requests |
+| [http.header](http.header.md) | HTTP header |
+| [http.header.contentType](http.header.contenttype.md) | Content-Type header |
+| [http.header.setCookie](http.header.setcookie.md) | Set-Cookie header |
+| [http.header.sts](http.header.sts.md) | HTTP header for Strict-Transport-Security |
+| [http.header.xssProtection](http.header.xssprotection.md) | HTTP header for X-XSS-Protection, which is now outdated (replaced by CSP) |
+| [openpgp.entities](openpgp.entities.md) | |
+| [openpgp.entity](openpgp.entity.md) | OpenPGP entity |
+| [openpgp.identity](openpgp.identity.md) | OpenPGP identity |
+| [openpgp.publicKey](openpgp.publickey.md) | OpenPGP public key |
+| [openpgp.signature](openpgp.signature.md) | OpenPGP signature |
+| [pkix.extension](pkix.extension.md) | x509 certificate PKIX extension |
+| [pkix.name](pkix.name.md) | x509 certificate PKIX name |
+| [pkix.sanExtension](pkix.sanextension.md) | x509 certificate PKIX Subject Alternative Name (SAN) extension |
+| [socket](socket.md) | Socket |
+| [tls](tls.md) | TLS |
+| [url](url.md) | URL resource, generally represented as: |
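Review bot: Two rows in the index table are incomplete. `openpgp.entities` has an empty description, and the `url` description ends mid-sentence with "generally represented as:", so the format it was meant to introduce never made it into the table cell. Fill in the first (for example "OpenPGP entities") and either finish the second on one line or cut it to "URL resource".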
diff --git a/docs/mql/resources/network-pack/certificate.md b/docs/mql/resources/network-pack/certificate.md
new file mode 100644
index 000000000..05cf9b034
--- /dev/null
+++ b/docs/mql/resources/network-pack/certificate.md
@@ -0,0 +1,43 @@
+---
+title: certificate
+id: certificate
+sidebar_label: certificate
+displayed_sidebar: MQL
+description: x509 certificate resource
+---
+
+# certificate
+
+**Description**
+
+x509 certificate resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------- | --------------------------------------------- | ----------------------------------------------------- |
+| pem | string | PEM content |
+| fingerprints | map[string]string | Certificate fingerprints |
+| serial | string | Serial number |
+| subjectKeyID | string | Subject unique identifier |
+| authorityKeyID | string | Authority key identifier |
+| subject | [pkix.name](pkix.name.md) | Subject |
+| issuer | [pkix.name](pkix.name.md) | Issuer |
+| version | int | Version number |
+| notBefore | time | Validity period validity period |
+| notAfter | time | Validity period not after |
+| expiresIn | time | Expiration duration |
+| signature | string | Signature |
+| signingAlgorithm | string | Signature algorithm ID |
+| isCA | bool | Flag if certificate authority |
+| keyUsage | []string | Key usage |
+| extendedKeyUsage | []string | Extended key usage |
+| extensions | [][pkix.extension](pkix.extension.md) | Extensions |
+| policyIdentifier | []string | Policy identifier |
+| crlDistributionPoints | []string | CRL distribution points |
+| ocspServer | []string | OCSP |
+| issuingCertificateUrl | []string | Issuing certificate URL |
+| isRevoked | bool | Whether this certificate has been revoked |
+| revokedAt | time | The time at which this certificate was revoked |
+| isVerified | bool | Whether the certificate is valid (based on its chain) |
+| sanExtension | [pkix.sanExtension](pkix.sanextension.md) | SAN extension value params |
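Review bot: The `notBefore` description is "Validity period validity period", a copy-paste slip; it should mirror the next row as "Validity period not before". `subjectKeyID` is described as "Subject unique identifier", which is a different X.509 concept from the Subject Key Identifier extension that the name, and the neighbouring `authorityKeyID` row, refer to; suggest "Subject key identifier". The `ocspServer` row would also read better as "OCSP servers", matching its `[]string` type.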
diff --git a/docs/mql/resources/network-pack/certificates.md b/docs/mql/resources/network-pack/certificates.md
new file mode 100644
index 000000000..a88df9316
--- /dev/null
+++ b/docs/mql/resources/network-pack/certificates.md
@@ -0,0 +1,24 @@
+---
+title: certificates
+id: certificates
+sidebar_label: certificates
+displayed_sidebar: MQL
+description: x509 certificates resource
+---
+
+# certificates
+
+**Description**
+
+x509 certificates resource
+
+**List**
+
+[]certificate
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | --------------------------------------- | ----------- |
+| pem | string | PEM content |
+| list | [][certificate](certificate.md) | |
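Review bot: The `list` row has no description. Suggest "List of certificates parsed from the PEM content", and expand "PEM content" on the `pem` row to say that it can hold more than one certificate, if that is the case, since that is the point of having a separate plural resource.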
diff --git a/docs/mql/resources/network-pack/dns.dkimrecord.md b/docs/mql/resources/network-pack/dns.dkimrecord.md
new file mode 100644
index 000000000..3dfdf436d
--- /dev/null
+++ b/docs/mql/resources/network-pack/dns.dkimrecord.md
@@ -0,0 +1,28 @@
+---
+title: dns.dkimRecord
+id: dns.dkimRecord
+sidebar_label: dns.dkimRecord
+displayed_sidebar: MQL
+description: DKIM public key representation as defined in RFC 6376
+---
+
+# dns.dkimRecord
+
+**Description**
+
+DKIM public key representation as defined in RFC 6376
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ---------------- | ---------------------------------------------- |
+| dnsTxt | string | DNS text representation |
+| domain | string | DKIM selector domain |
+| version | string | Version |
+| hashAlgorithms | []string | Acceptable hash algorithms |
+| keyType | string | Key type |
+| notes | string | Notes |
+| publicKeyData | string | Public key data base64-encoded |
+| serviceTypes | []string | Service types |
+| flags | []string | Flags |
+| valid | bool | Whether the DKIM entry and public key is valid |
diff --git a/docs/mql/resources/network-pack/dns.md b/docs/mql/resources/network-pack/dns.md
new file mode 100644
index 000000000..68671042e
--- /dev/null
+++ b/docs/mql/resources/network-pack/dns.md
@@ -0,0 +1,31 @@
+---
+title: dns
+id: dns
+sidebar_label: dns
+displayed_sidebar: MQL
+description: DNS resource
+---
+
+# dns
+
+**Maturity**
+
+experimental
+
+**Description**
+
+DNS resource
+
+**Init**
+
+dns(fqdn string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | --------------------------------------------- | ----------------------------------------------- |
+| fqdn | string | Fully qualified domain name (FQDN) |
+| params | dict | Params is a list of all parameters for DNS FQDN |
+| records | [][dns.record](dns.record.md) | Successful DNS records |
+| mx | [][dns.mxRecord](dns.mxrecord.md) | Successful DNS MX records |
+| dkim | [][dns.dkimRecord](dns.dkimrecord.md) | DKIM TXT records |
diff --git a/docs/mql/resources/network-pack/dns.mxrecord.md b/docs/mql/resources/network-pack/dns.mxrecord.md
new file mode 100644
index 000000000..30ad2b35c
--- /dev/null
+++ b/docs/mql/resources/network-pack/dns.mxrecord.md
@@ -0,0 +1,25 @@
+---
+title: dns.mxRecord
+id: dns.mxRecord
+sidebar_label: dns.mxRecord
+displayed_sidebar: MQL
+description: DNS MX record
+---
+
+# dns.mxRecord
+
+**Maturity**
+
+experimental
+
+**Description**
+
+DNS MX record
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | --------------------------------------------------- |
+| name | string | Record name |
+| preference | int | Which mail server used if multiple MX records exist |
+| domainName | string | Domain name |
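Review bot: The `preference` description, "Which mail server used if multiple MX records exist", is missing a verb and does not say how the value is ordered. With MX records the lowest preference value is tried first, and that is exactly what a reader needs to know to write a check on it. Suggest "Priority of this mail server when multiple MX records exist (lower values are preferred)". The `domainName` row could also say that it is the mail exchanger's host name, to distinguish it from `name`.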
diff --git a/docs/mql/resources/network-pack/dns.record.md b/docs/mql/resources/network-pack/dns.record.md
new file mode 100644
index 000000000..9daf6bc70
--- /dev/null
+++ b/docs/mql/resources/network-pack/dns.record.md
@@ -0,0 +1,27 @@
+---
+title: dns.record
+id: dns.record
+sidebar_label: dns.record
+displayed_sidebar: MQL
+description: DNS record
+---
+
+# dns.record
+
+**Maturity**
+
+experimental
+
+**Description**
+
+DNS record
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----- | ---------------- | ----------------------------- |
+| name | string | DNS name |
+| ttl | int | Time-to-live (TTL) in seconds |
+| class | string | DNS class |
+| type | string | DNS type |
+| rdata | []string | Resource data |
diff --git a/docs/mql/resources/network-pack/domainname.md b/docs/mql/resources/network-pack/domainname.md
new file mode 100644
index 000000000..f7aaa7625
--- /dev/null
+++ b/docs/mql/resources/network-pack/domainname.md
@@ -0,0 +1,27 @@
+---
+title: domainName
+id: domainName
+sidebar_label: domainName
+displayed_sidebar: MQL
+description: Domain name
+---
+
+# domainName
+
+**Description**
+
+Domain name
+
+**Init**
+
+domainName(fqdn string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------- | ---------------- | ------------------------------------------------------------------------------ |
+| fqdn | string | Fully qualified domain name (FQDN) |
+| effectiveTLDPlusOne | string | effectiveTLDPlusOne returns the effective top level domain plus one more label |
+| tld | string | Top-level domain |
+| tldIcannManaged | bool | Flag indicates if the TLD is ICANN managed |
+| labels | []string | Domain labels |
diff --git a/docs/mql/resources/network-pack/http.get.md b/docs/mql/resources/network-pack/http.get.md
new file mode 100644
index 000000000..77ec5fe7a
--- /dev/null
+++ b/docs/mql/resources/network-pack/http.get.md
@@ -0,0 +1,27 @@
+---
+title: http.get
+id: http.get
+sidebar_label: http.get
+displayed_sidebar: MQL
+description: HTTP GET requests
+---
+
+# http.get
+
+**Description**
+
+HTTP GET requests
+
+**Init**
+
+http.get(rawUrl string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ----------------------------- | ---------------------------------------- |
+| url | [url](url.md) | URL for this request |
+| header | [http.header](http.header.md) | Header returned from this request |
+| statusCode | int | Status returned from this request |
+| version | string | Version of the HTTP request, (e.g., 1.1) |
+| body | string | Body returned from this request |
diff --git a/docs/mql/resources/network-pack/http.header.contenttype.md b/docs/mql/resources/network-pack/http.header.contenttype.md
new file mode 100644
index 000000000..9ea2afaac
--- /dev/null
+++ b/docs/mql/resources/network-pack/http.header.contenttype.md
@@ -0,0 +1,24 @@
+---
+title: http.header.contentType
+id: http.header.contentType
+sidebar_label: http.header.contentType
+displayed_sidebar: MQL
+description: Content-Type header
+---
+
+# http.header.contentType
+
+**Maturity**
+
+experimental
+
+**Description**
+
+Content-Type header
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ----------------- | ------------------------------------------- |
+| type | string | MIME type for the content |
+| params | map[string]string | Additional parameters for this content type |
diff --git a/docs/mql/resources/network-pack/http.header.md b/docs/mql/resources/network-pack/http.header.md
new file mode 100644
index 000000000..e95f0b808
--- /dev/null
+++ b/docs/mql/resources/network-pack/http.header.md
@@ -0,0 +1,31 @@
+---
+title: http.header
+id: http.header
+sidebar_label: http.header
+displayed_sidebar: MQL
+description: HTTP header
+---
+
+# http.header
+
+**Maturity**
+
+experimental
+
+**Description**
+
+HTTP header
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------- | --------------------------------------------------------- | ------------------------------------------------------------------------- |
+| params | map[string][]string | Raw list of parameters for this header |
+| sts | [http.header.sts](http.header.sts.md) | HTTP Strict-Transport-Security (HSTS) header |
+| xFrameOptions | string | X-Frame-Options header: DENY, SAMEORIGIN, or ALLOW-FROM origin (obsolete) |
+| xXssProtection | [http.header.xssProtection](http.header.xssprotection.md) | X-XSS-Protection header |
+| xContentTypeOptions | string | X-Content-Type-Options header: nosniff |
+| referrerPolicy | string | Referrer-Policy header |
+| contentType | [http.header.contentType](http.header.contenttype.md) | Content-Type header |
+| setCookie | [http.header.setCookie](http.header.setcookie.md) | Set-Cookie header |
+| csp | map[string]string | Content-Security-Policy header |
diff --git a/docs/mql/resources/network-pack/http.header.setcookie.md b/docs/mql/resources/network-pack/http.header.setcookie.md
new file mode 100644
index 000000000..1d029cbf5
--- /dev/null
+++ b/docs/mql/resources/network-pack/http.header.setcookie.md
@@ -0,0 +1,25 @@
+---
+title: http.header.setCookie
+id: http.header.setCookie
+sidebar_label: http.header.setCookie
+displayed_sidebar: MQL
+description: Set-Cookie header
+---
+
+# http.header.setCookie
+
+**Maturity**
+
+experimental
+
+**Description**
+
+Set-Cookie header
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ----------------- | --------------------------------------------- |
+| name | string | Name of the cookie to set |
+| value | string | Value of the cookie to set |
+| params | map[string]string | Additional parameters for setting this cookie |
diff --git a/docs/mql/resources/network-pack/http.header.sts.md b/docs/mql/resources/network-pack/http.header.sts.md
new file mode 100644
index 000000000..e10a15304
--- /dev/null
+++ b/docs/mql/resources/network-pack/http.header.sts.md
@@ -0,0 +1,25 @@
+---
+title: http.header.sts
+id: http.header.sts
+sidebar_label: http.header.sts
+displayed_sidebar: MQL
+description: HTTP header for Strict-Transport-Security
+---
+
+# http.header.sts
+
+**Maturity**
+
+experimental
+
+**Description**
+
+HTTP header for Strict-Transport-Security
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ---- | ---------------------------------------------- |
+| maxAge | time | How long to cache HTTPS-only policy in seconds |
+| includeSubDomains | bool | Whether caching applies to subdomains |
+| preload | bool | Non-standard directive for preloading STS |
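Review bot: in the Fields table, `maxAge` is typed `time` but described as "in seconds", so a policy author cannot tell whether to compare it against a duration or a bare integer. State the unit handling explicitly in the description, or correct the type shown. The `preload` row would also be easier to use if it said what a true value means, the way the `includeSubDomains` row does.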
diff --git a/docs/mql/resources/network-pack/http.header.xssprotection.md b/docs/mql/resources/network-pack/http.header.xssprotection.md
new file mode 100644
index 000000000..d7267b666
--- /dev/null
+++ b/docs/mql/resources/network-pack/http.header.xssprotection.md
@@ -0,0 +1,25 @@
+---
+title: http.header.xssProtection
+id: http.header.xssProtection
+sidebar_label: http.header.xssProtection
+displayed_sidebar: MQL
+description: HTTP header for X-XSS-Protection, which is now outdated (replaced by CSP)
+---
+
+# http.header.xssProtection
+
+**Maturity**
+
+experimental
+
+**Description**
+
+HTTP header for X-XSS-Protection, which is now outdated (replaced by CSP)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ------ | --------------------------------------------------------------- |
+| enabled | bool | Enabled when the header value is set to 1; disabled if set to 0 |
+| mode | string | Mode for XSS filtering |
+| report | string | Report endpoint for violations (Chromium only) |
diff --git a/docs/mql/resources/network-pack/http.md b/docs/mql/resources/network-pack/http.md
new file mode 100644
index 000000000..0a86ba403
--- /dev/null
+++ b/docs/mql/resources/network-pack/http.md
@@ -0,0 +1,13 @@
+---
+title: http
+id: http
+sidebar_label: http
+displayed_sidebar: MQL
+description: HTTP endpoint
+---
+
+# http
+
+**Description**
+
+HTTP endpoint
diff --git a/docs/mql/resources/network-pack/openpgp.entities.md b/docs/mql/resources/network-pack/openpgp.entities.md
new file mode 100644
index 000000000..df01e26d9
--- /dev/null
+++ b/docs/mql/resources/network-pack/openpgp.entities.md
@@ -0,0 +1,19 @@
+---
+title: openpgp.entities
+id: openpgp.entities
+sidebar_label: openpgp.entities
+displayed_sidebar: MQL
+---
+
+# openpgp.entities
+
+**List**
+
+[]openpgp.entity
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | --------------------------------------------- | ----------- |
+| content | string | |
+| list | [][openpgp.entity](openpgp.entity.md) | |
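Review bot: this page is missing documentation that its siblings have. The front matter has no `description:` key, there is no **Description** section, and both `content` and `list` have empty DESCRIPTION cells. Please add a one-line description of the resource and say what `content` is expected to hold, since nothing in the page tells the reader what input the list is parsed from.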
diff --git a/docs/mql/resources/network-pack/openpgp.entity.md b/docs/mql/resources/network-pack/openpgp.entity.md
new file mode 100644
index 000000000..37c0d9f14
--- /dev/null
+++ b/docs/mql/resources/network-pack/openpgp.entity.md
@@ -0,0 +1,20 @@
+---
+title: openpgp.entity
+id: openpgp.entity
+sidebar_label: openpgp.entity
+displayed_sidebar: MQL
+description: OpenPGP entity
+---
+
+# openpgp.entity
+
+**Description**
+
+OpenPGP entity
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ------------------------------------------------- | ----------------------------------------------- |
+| primaryPublicKey | [openpgp.publicKey](openpgp.publickey.md) | Primary public key, which must be a signing key |
+| identities | [][openpgp.identity](openpgp.identity.md) | Entity's identities |
diff --git a/docs/mql/resources/network-pack/openpgp.identity.md b/docs/mql/resources/network-pack/openpgp.identity.md
new file mode 100644
index 000000000..77ea127f5
--- /dev/null
+++ b/docs/mql/resources/network-pack/openpgp.identity.md
@@ -0,0 +1,24 @@
+---
+title: openpgp.identity
+id: openpgp.identity
+sidebar_label: openpgp.identity
+displayed_sidebar: MQL
+description: OpenPGP identity
+---
+
+# openpgp.identity
+
+**Description**
+
+OpenPGP identity
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | --------------------------------------------------- | -------------------------------------------------------------- |
+| fingerprint | string | Primary key fingerprint |
+| id | string | Full name in form of `Full Name (comment) ` |
+| name | string | Name |
+| email | string | Email |
+| comment | string | Comment |
+| signatures | [][openpgp.signature](openpgp.signature.md) | Identity signatures |
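Review bot: the format example in the `id` row, `Full Name (comment) `, ends with a trailing space inside the backticks, which suggests part of the pattern was lost, possibly an angle-bracketed component that was swallowed as markup. Please confirm the intended format against the implementation and escape any angle brackets so the full pattern renders. The `fingerprint` row says "Primary key fingerprint" on an identity page; a few more words saying whose primary key this is would help.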
diff --git a/docs/mql/resources/network-pack/openpgp.publickey.md b/docs/mql/resources/network-pack/openpgp.publickey.md
new file mode 100644
index 000000000..d94158bd4
--- /dev/null
+++ b/docs/mql/resources/network-pack/openpgp.publickey.md
@@ -0,0 +1,24 @@
+---
+title: openpgp.publicKey
+id: openpgp.publicKey
+sidebar_label: openpgp.publicKey
+displayed_sidebar: MQL
+description: OpenPGP public key
+---
+
+# openpgp.publicKey
+
+**Description**
+
+OpenPGP public key
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------ | ----------------- |
+| id | string | Key ID |
+| version | int | Key version |
+| fingerprint | string | Key fingerprint |
+| keyAlgorithm | string | Key algorithm |
+| bitLength | int | Key bit length |
+| creationTime | time | Key creation time |
diff --git a/docs/mql/resources/network-pack/openpgp.signature.md b/docs/mql/resources/network-pack/openpgp.signature.md
new file mode 100644
index 000000000..09dc94132
--- /dev/null
+++ b/docs/mql/resources/network-pack/openpgp.signature.md
@@ -0,0 +1,29 @@
+---
+title: openpgp.signature
+id: openpgp.signature
+sidebar_label: openpgp.signature
+displayed_sidebar: MQL
+description: OpenPGP signature
+---
+
+# openpgp.signature
+
+**Description**
+
+OpenPGP signature
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ------ | ----------------------------- |
+| fingerprint | string | Primary key fingerprint |
+| identityName | string | Identity name |
+| hash | string | Signature hash |
+| version | int | Signature version |
+| signatureType | string | Signature type |
+| keyAlgorithm | string | Hash algorithm |
+| creationTime | time | Creation time |
+| lifetimeSecs | int | Signature lifetime in seconds |
+| expiresIn | time | Expiration duration |
+| keyLifetimeSecs | int | Key lifetime in seconds |
+| keyExpiresIn | time | Key expiration duration |
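Review bot: the `keyAlgorithm` row is described as "Hash algorithm", which contradicts the field name, and the `hash` row ("Signature hash") does not say whether it is the digest algorithm or a digest value. Someone writing a check for weak digest or key algorithms cannot tell which field to query, so please describe each field by what it actually returns. `expiresIn` and `keyExpiresIn` are typed `time` but described as a "duration"; say which it is and how it relates to `lifetimeSecs` and `keyLifetimeSecs`.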
diff --git a/docs/mql/resources/network-pack/pkix.extension.md b/docs/mql/resources/network-pack/pkix.extension.md
new file mode 100644
index 000000000..15501cbca
--- /dev/null
+++ b/docs/mql/resources/network-pack/pkix.extension.md
@@ -0,0 +1,22 @@
+---
+title: pkix.extension
+id: pkix.extension
+sidebar_label: pkix.extension
+displayed_sidebar: MQL
+description: x509 certificate PKIX extension
+---
+
+# pkix.extension
+
+**Description**
+
+x509 certificate PKIX extension
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | --------------------------- |
+| id | string | ID |
+| identifier | string | Extension identifier |
+| critical | bool | Flag for critical extension |
+| value | string | Extension value |
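Review bot: the `id` row ("ID") and the `identifier` row ("Extension identifier") are not distinguishable from the descriptions as written. Please say what each one contains, for example which of the two is the value a reader would match against when checking for a specific extension, and in what encoding `value` is returned.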
diff --git a/docs/mql/resources/network-pack/pkix.name.md b/docs/mql/resources/network-pack/pkix.name.md
new file mode 100644
index 000000000..14998eba4
--- /dev/null
+++ b/docs/mql/resources/network-pack/pkix.name.md
@@ -0,0 +1,31 @@
+---
+title: pkix.name
+id: pkix.name
+sidebar_label: pkix.name
+displayed_sidebar: MQL
+description: x509 certificate PKIX name
+---
+
+# pkix.name
+
+**Description**
+
+x509 certificate PKIX name
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | ----------------- | ---------------------------- |
+| id | string | ID |
+| dn | string | Distinguished name qualifier |
+| serialNumber | string | Serial number |
+| commonName | string | Common name |
+| country | []string | Country |
+| organization | []string | Organization |
+| organizationalUnit | []string | Organizational unit |
+| locality | []string | |
+| province | []string | State or province |
+| streetAddress | []string | Street address |
+| postalCode | []string | Postal code |
+| names | map[string]string | |
+| extraNames | map[string]string | |
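Review bot: three rows in the Fields table (`locality`, `names`, `extraNames`) have empty DESCRIPTION cells, and `dn` is described as "Distinguished name qualifier", which reads as a different attribute from the distinguished name itself. Please fill in the blank cells, explain how `names` and `extraNames` differ, and confirm whether `dn` is the full distinguished name or the qualifier attribute.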
diff --git a/docs/mql/resources/network-pack/pkix.sanextension.md b/docs/mql/resources/network-pack/pkix.sanextension.md
new file mode 100644
index 000000000..d395f6792
--- /dev/null
+++ b/docs/mql/resources/network-pack/pkix.sanextension.md
@@ -0,0 +1,23 @@
+---
+title: pkix.sanExtension
+id: pkix.sanExtension
+sidebar_label: pkix.sanExtension
+displayed_sidebar: MQL
+description: x509 certificate PKIX Subject Alternative Name (SAN) extension
+---
+
+# pkix.sanExtension
+
+**Description**
+
+x509 certificate PKIX Subject Alternative Name (SAN) extension
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ----------------------------------- | ------------------------------- |
+| extension | [pkix.extension](pkix.extension.md) | x509 certificate PKIX extension |
+| dnsNames | []string | DNS names |
+| ipAddresses | []string | IP addresses |
+| emailAddresses | []string | Email addresses |
+| uris | []string | URIs |
diff --git a/docs/mql/resources/network-pack/socket.md b/docs/mql/resources/network-pack/socket.md
new file mode 100644
index 000000000..0477e5d49
--- /dev/null
+++ b/docs/mql/resources/network-pack/socket.md
@@ -0,0 +1,21 @@
+---
+title: socket
+id: socket
+sidebar_label: socket
+displayed_sidebar: MQL
+description: Socket
+---
+
+# socket
+
+**Description**
+
+Socket
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ------ | ------------------------ |
+| protocol | string | Protocol for this socket |
+| port | int | Port number |
+| address | string | Target address |
diff --git a/docs/mql/resources/network-pack/tls.md b/docs/mql/resources/network-pack/tls.md
new file mode 100644
index 000000000..1efafff7f
--- /dev/null
+++ b/docs/mql/resources/network-pack/tls.md
@@ -0,0 +1,30 @@
+---
+title: tls
+id: tls
+sidebar_label: tls
+displayed_sidebar: MQL
+description: TLS
+---
+
+# tls
+
+**Description**
+
+TLS
+
+**Init**
+
+tls(target string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | --------------------------------------- | ---------------------------------------------------------- |
+| socket | [socket](socket.md) | Socket of this connection |
+| domainName | string | An optional domain name to test |
+| params | dict | List of all parameters for this TLS/SSL connection |
+| versions | []string | Version of TLS/SSL that is being used |
+| ciphers | []string | Ciphers supported by this TLS/SSL connection |
+| extensions | []string | Extensions supported by this TLS/SSL connection |
+| certificates | [][certificate](certificate.md) | Certificates provided in this TLS/SSL connection |
+| nonSniCertificates | [][certificate](certificate.md) | Certificates provided without server name indication (SNI) |
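Review bot: the `versions` row is typed `[]string` but described in the singular as "Version of TLS/SSL that is being used", while `ciphers` and `extensions` are described as what the connection supports. For a check that flags legacy protocol versions, it matters whether `versions` lists every version the endpoint accepts or only the one negotiated, so please say which. The `params` row is typed `dict` but described as a "List"; align the wording with the type.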
diff --git a/docs/mql/resources/network-pack/url.md b/docs/mql/resources/network-pack/url.md
new file mode 100644
index 000000000..a4ab75984
--- /dev/null
+++ b/docs/mql/resources/network-pack/url.md
@@ -0,0 +1,32 @@
+---
+title: url
+id: url
+sidebar_label: url
+displayed_sidebar: MQL
+description: URL resource, generally represented as
+---
+
+# url
+
+**Description**
+
+URL resource, generally represented as:
+
+**Init**
+
+url(raw string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ----------------- | ---------------------------------------------------------------------------- |
+| string | string | The full URL as a string |
+| scheme | string | Scheme (e.g., http, https, ssh) |
+| user | string | User component (can contain username or token but no password) |
+| password | string | Password, an additional optional component of the user info |
+| host | string | Host, either registered name or IP (e.g., mondoo.com) |
+| port | int | Port, optional decimal number (e.g., 80) |
+| path | string | Path, consisting of segments separated by '/' |
+| query | map[string]string | Query, optional, attached to path via '?', parsed via '&' and ';' delimiters |
+| rawQuery | string | Raw query, optional raw string attached to path after '?' |
+| rawFragment | string | Fragment, optional raw string attached to path after '#' |
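Review bot: the description is cut off in both places it appears. The front matter has `description: URL resource, generally represented as` and the body has "URL resource, generally represented as:" followed directly by **Init**, so the representation the sentence promises never appears. Please either add the intended pattern (in a code span or fence so that any special characters survive rendering) or shorten both to "URL resource".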
diff --git a/docs/mql/resources/oci-pack/README.md b/docs/mql/resources/oci-pack/README.md
new file mode 100644
index 000000000..6ca5c54c7
--- /dev/null
+++ b/docs/mql/resources/oci-pack/README.md
@@ -0,0 +1,33 @@
+---
+title: Oracle Cloud Infrastructure (OCI) Resource Pack - MQL Resources
+id: oracle.cloud.infrastructure.oci.pack
+sidebar_label: Oracle Cloud Infrastructure (OCI) Resource Pack
+displayed_sidebar: MQL
+description: The Oracle Cloud Infrastructure (OCI) resource pack lets you use MQL to query and assess the security of your OCI cloud services.
+---
+
+# Mondoo Oracle Cloud Infrastructure (OCI) Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| ------------------------------------------------------------------- | -------------------------------------------------------------------------------------- |
+| [oci](oci.md) | Oracle Cloud Infrastructure (OCI) tenancy |
+| [oci.compartment](oci.compartment.md) | Oracle Cloud Infrastructure (OCI) compartment |
+| [oci.compute](oci.compute.md) | Oracle Cloud Infrastructure (OCI) Compute |
+| [oci.compute.image](oci.compute.image.md) | Oracle Cloud Infrastructure (OCI) Compute image |
+| [oci.compute.instance](oci.compute.instance.md) | Oracle Cloud Infrastructure (OCI) Compute instance |
+| [oci.identity](oci.identity.md) | Oracle Cloud Infrastructure (OCI) identity |
+| [oci.identity.apiKey](oci.identity.apikey.md) | Oracle Cloud Infrastructure (OCI) API key (a PEM-format RSA credential) |
+| [oci.identity.authToken](oci.identity.authtoken.md) | Oracle Cloud Infrastructure (OCI) token string |
+| [oci.identity.customerSecretKey](oci.identity.customersecretkey.md) | Oracle Cloud Infrastructure (OCI) customer secret key for OCI Object Storage service |
+| [oci.identity.group](oci.identity.group.md) | Oracle Cloud Infrastructure (OCI) collection of users |
+| [oci.identity.policy](oci.identity.policy.md) | Policy that specifies the type of access a group has to the resources in a compartment |
+| [oci.identity.user](oci.identity.user.md) | Oracle Cloud Infrastructure (OCI) identity user |
+| [oci.network](oci.network.md) | Oracle Cloud Infrastructure (OCI) Networking |
+| [oci.network.securityList](oci.network.securitylist.md) | Oracle Cloud Infrastructure (OCI) VCN security list virtual firewall rules |
+| [oci.network.vcn](oci.network.vcn.md) | Oracle Cloud Infrastructure (OCI) virtual cloud network (VCN) |
+| [oci.objectStorage](oci.objectstorage.md) | Oracle Cloud Infrastructure (OCI) Object Storage |
+| [oci.objectStorage.bucket](oci.objectstorage.bucket.md) | Oracle Cloud Infrastructure (OCI) Object Storage bucket |
+| [oci.region](oci.region.md) | Oracle Cloud Infrastructure (OCI) region |
+| [oci.tenancy](oci.tenancy.md) | Oracle Cloud Infrastructure (OCI) tenancy |
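Review bot: the first and last rows of the index, `oci` and `oci.tenancy`, carry the identical description "Oracle Cloud Infrastructure (OCI) tenancy", so the table gives no way to choose between them. Please reword one of them to say what distinguishes it, for example that `oci` is the entry point exposing regions and compartments, if that matches the implementation.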
diff --git a/docs/mql/resources/oci-pack/oci.compartment.md b/docs/mql/resources/oci-pack/oci.compartment.md
new file mode 100644
index 000000000..8a03ad80e
--- /dev/null
+++ b/docs/mql/resources/oci-pack/oci.compartment.md
@@ -0,0 +1,23 @@
+---
+title: oci.compartment
+id: oci.compartment
+sidebar_label: oci.compartment
+displayed_sidebar: MQL
+description: Oracle Cloud Infrastructure (OCI) compartment
+---
+
+# oci.compartment
+
+**Description**
+
+Oracle Cloud Infrastructure (OCI) compartment
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | ------------------------------------- |
+| id | string | Compartment ID |
+| name | string | Compartment name |
+| description | string | Description of the compartment |
+| created | time | Time when the compartment was created |
+| state | string | Compartment state |
diff --git a/docs/mql/resources/oci-pack/oci.compute.image.md b/docs/mql/resources/oci-pack/oci.compute.image.md
new file mode 100644
index 000000000..db71e4f83
--- /dev/null
+++ b/docs/mql/resources/oci-pack/oci.compute.image.md
@@ -0,0 +1,23 @@
+---
+title: oci.compute.image
+id: oci.compute.image
+sidebar_label: oci.compute.image
+displayed_sidebar: MQL
+description: Oracle Cloud Infrastructure (OCI) Compute image
+---
+
+# oci.compute.image
+
+**Description**
+
+Oracle Cloud Infrastructure (OCI) Compute image
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | --------------------------- | ------------------------------- |
+| id | string | Image ID |
+| name | string | Image name |
+| region | [oci.region](oci.region.md) | Region |
+| created | time | Time when the image was created |
+| state | string | Image state |
diff --git a/docs/mql/resources/oci-pack/oci.compute.instance.md b/docs/mql/resources/oci-pack/oci.compute.instance.md
new file mode 100644
index 000000000..de7a37b08
--- /dev/null
+++ b/docs/mql/resources/oci-pack/oci.compute.instance.md
@@ -0,0 +1,23 @@
+---
+title: oci.compute.instance
+id: oci.compute.instance
+sidebar_label: oci.compute.instance
+displayed_sidebar: MQL
+description: Oracle Cloud Infrastructure (OCI) Compute instance
+---
+
+# oci.compute.instance
+
+**Description**
+
+Oracle Cloud Infrastructure (OCI) Compute instance
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | --------------------------- | ---------------------------------- |
+| id | string | Instance ID |
+| name | string | Instance name |
+| region | [oci.region](oci.region.md) | Region |
+| created | time | Time when the instance was created |
+| state | string | Instance state |
diff --git a/docs/mql/resources/oci-pack/oci.compute.md b/docs/mql/resources/oci-pack/oci.compute.md
new file mode 100644
index 000000000..51d917e5e
--- /dev/null
+++ b/docs/mql/resources/oci-pack/oci.compute.md
@@ -0,0 +1,20 @@
+---
+title: oci.compute
+id: oci.compute
+sidebar_label: oci.compute
+displayed_sidebar: MQL
+description: Oracle Cloud Infrastructure (OCI) Compute
+---
+
+# oci.compute
+
+**Description**
+
+Oracle Cloud Infrastructure (OCI) Compute
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | --------------------------------------------------------- | ----------- |
+| instances | [][oci.compute.instance](oci.compute.instance.md) | Instances |
+| images | [][oci.compute.image](oci.compute.image.md) | Images |
diff --git a/docs/mql/resources/oci-pack/oci.identity.apikey.md b/docs/mql/resources/oci-pack/oci.identity.apikey.md
new file mode 100644
index 000000000..a53e3b30a
--- /dev/null
+++ b/docs/mql/resources/oci-pack/oci.identity.apikey.md
@@ -0,0 +1,23 @@
+---
+title: oci.identity.apiKey
+id: oci.identity.apiKey
+sidebar_label: oci.identity.apiKey
+displayed_sidebar: MQL
+description: Oracle Cloud Infrastructure (OCI) API key (a PEM-format RSA credential)
+---
+
+# oci.identity.apiKey
+
+**Description**
+
+Oracle Cloud Infrastructure (OCI) API key (a PEM-format RSA credential)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | ----------------------------- |
+| id | string | Key ID |
+| value | string | Key value |
+| fingerprint | string | Key fingerprint |
+| created | time | Time when the key was created |
+| state | string | Key state |
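Review bot: the `value` row says only "Key value" on a page that describes the resource as "a PEM-format RSA credential". Please state explicitly what key material this field returns, so readers do not have to guess whether a query result may contain sensitive data that needs care in logs and reports.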
diff --git a/docs/mql/resources/oci-pack/oci.identity.authtoken.md b/docs/mql/resources/oci-pack/oci.identity.authtoken.md
new file mode 100644
index 000000000..cca650204
--- /dev/null
+++ b/docs/mql/resources/oci-pack/oci.identity.authtoken.md
@@ -0,0 +1,23 @@
+---
+title: oci.identity.authToken
+id: oci.identity.authToken
+sidebar_label: oci.identity.authToken
+displayed_sidebar: MQL
+description: Oracle Cloud Infrastructure (OCI) token string
+---
+
+# oci.identity.authToken
+
+**Description**
+
+Oracle Cloud Infrastructure (OCI) token string
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | ------------------------------- |
+| id | string | Token ID |
+| description | string | Token description |
+| created | time | Time when the token was created |
+| expires | time | Time when the token will expire |
+| state | string | Key state |
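Review bot: the `state` row is described as "Key state" although every other row on this page talks about a token. This looks copied from the API key page; suggest "Token state".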
diff --git a/docs/mql/resources/oci-pack/oci.identity.customersecretkey.md b/docs/mql/resources/oci-pack/oci.identity.customersecretkey.md
new file mode 100644
index 000000000..3c82b0294
--- /dev/null
+++ b/docs/mql/resources/oci-pack/oci.identity.customersecretkey.md
@@ -0,0 +1,22 @@
+---
+title: oci.identity.customerSecretKey
+id: oci.identity.customerSecretKey
+sidebar_label: oci.identity.customerSecretKey
+displayed_sidebar: MQL
+description: Oracle Cloud Infrastructure (OCI) customer secret key for OCI Object Storage service
+---
+
+# oci.identity.customerSecretKey
+
+**Description**
+
+Oracle Cloud Infrastructure (OCI) customer secret key for OCI Object Storage service
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ------ | ----------------------------- |
+| id | string | Key ID |
+| name | string | Key name |
+| created | time | Time when the key was created |
+| state | string | Key state |
diff --git a/docs/mql/resources/oci-pack/oci.identity.group.md b/docs/mql/resources/oci-pack/oci.identity.group.md
new file mode 100644
index 000000000..993b84571
--- /dev/null
+++ b/docs/mql/resources/oci-pack/oci.identity.group.md
@@ -0,0 +1,24 @@
+---
+title: oci.identity.group
+id: oci.identity.group
+sidebar_label: oci.identity.group
+displayed_sidebar: MQL
+description: Oracle Cloud Infrastructure (OCI) collection of users
+---
+
+# oci.identity.group
+
+**Description**
+
+Oracle Cloud Infrastructure (OCI) collection of users
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ------ | ------------------------------ |
+| id | string | User ID |
+| compartmentID | string | Tenancy containing the user |
+| name | string | Name of the user |
+| description | string | Description of the user |
+| created | time | Time when the user was created |
+| state | string | Instance state |
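Review bot: every description in this Fields table refers to a user rather than a group ("User ID", "Tenancy containing the user", "Name of the user", "Description of the user", "Time when the user was created"), and `state` says "Instance state". The rows appear copied from the user page without being adapted. Please rewrite them for the group resource, and consider "Compartment containing the group" for `compartmentID` unless the value really is always the tenancy.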
diff --git a/docs/mql/resources/oci-pack/oci.identity.md b/docs/mql/resources/oci-pack/oci.identity.md
new file mode 100644
index 000000000..23d0dfad3
--- /dev/null
+++ b/docs/mql/resources/oci-pack/oci.identity.md
@@ -0,0 +1,21 @@
+---
+title: oci.identity
+id: oci.identity
+sidebar_label: oci.identity
+displayed_sidebar: MQL
+description: Oracle Cloud Infrastructure (OCI) identity
+---
+
+# oci.identity
+
+**Description**
+
+Oracle Cloud Infrastructure (OCI) identity
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ------------------------------------------------------- | ----------- |
+| users | [][oci.identity.user](oci.identity.user.md) | Users |
+| groups | [][oci.identity.group](oci.identity.group.md) | Groups |
+| policies | [][oci.identity.policy](oci.identity.policy.md) | Policies |
diff --git a/docs/mql/resources/oci-pack/oci.identity.policy.md b/docs/mql/resources/oci-pack/oci.identity.policy.md
new file mode 100644
index 000000000..0d7a5d0e1
--- /dev/null
+++ b/docs/mql/resources/oci-pack/oci.identity.policy.md
@@ -0,0 +1,25 @@
+---
+title: oci.identity.policy
+id: oci.identity.policy
+sidebar_label: oci.identity.policy
+displayed_sidebar: MQL
+description: Policy that specifies the type of access a group has to the resources in a compartment
+---
+
+# oci.identity.policy
+
+**Description**
+
+Policy that specifies the type of access a group has to the resources in a compartment
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ---------------- | -------------------------------- |
+| id | string | User ID |
+| compartmentID | string | Tenancy containing the policy |
+| name | string | Name of the policy |
+| description | string | Description of the policy |
+| created | time | Time when the policy was created |
+| state | string | Instance state |
+| statements | []string | Policy statements |
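Review bot: the `id` row is described as "User ID" and the `state` row as "Instance state", neither of which matches a policy resource. Suggest "Policy ID" and "Policy state". `compartmentID` is described as "Tenancy containing the policy"; since the page itself says a policy governs access "to the resources in a compartment", please confirm whether this should read "Compartment".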
diff --git a/docs/mql/resources/oci-pack/oci.identity.user.md b/docs/mql/resources/oci-pack/oci.identity.user.md
new file mode 100644
index 000000000..bfd9a6164
--- /dev/null
+++ b/docs/mql/resources/oci-pack/oci.identity.user.md
@@ -0,0 +1,34 @@
+---
+title: oci.identity.user
+id: oci.identity.user
+sidebar_label: oci.identity.user
+displayed_sidebar: MQL
+description: Oracle Cloud Infrastructure (OCI) identity user
+---
+
+# oci.identity.user
+
+**Description**
+
+Oracle Cloud Infrastructure (OCI) identity user
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | ----------------------------------------------------------------------------- | ------------------------------------------------------------- |
+| id | string | User ID |
+| compartmentID | string | Tenancy containing the user |
+| name | string | Name of the user |
+| description | string | Description of the user |
+| created | time | Time when the user was created |
+| state | string | Instance state |
+| mfaActivated | bool | Whether MFA is activated |
+| email | string | User email address |
+| emailVerified | bool | Whether email is verified |
+| capabilities | map[string]bool | Properties indicating how the user is allowed to authenticate |
+| lastLogin | time | Most recent login |
+| previousLogin | time | Previous login |
+| apiKeys | [][oci.identity.apiKey](oci.identity.apikey.md) | API keys |
+| customerSecretKeys | [][oci.identity.customerSecretKey](oci.identity.customersecretkey.md) | Customer secret keys |
+| authTokens | [][oci.identity.authToken](oci.identity.authtoken.md) | Auth tokens |
+| groups | [][oci.identity.group](oci.identity.group.md) | User groups |
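Review bot: the `state` row is described as "Instance state" on the user page; suggest "User state". The `capabilities` row ("Properties indicating how the user is allowed to authenticate") would be more useful for access reviews if it named the keys a reader can expect in the map, or linked to where they are listed.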
diff --git a/docs/mql/resources/oci-pack/oci.md b/docs/mql/resources/oci-pack/oci.md
new file mode 100644
index 000000000..e8784c1e6
--- /dev/null
+++ b/docs/mql/resources/oci-pack/oci.md
@@ -0,0 +1,20 @@
+---
+title: oci
+id: oci
+sidebar_label: oci
+displayed_sidebar: MQL
+description: Oracle Cloud Infrastructure (OCI) tenancy
+---
+
+# oci
+
+**Description**
+
+Oracle Cloud Infrastructure (OCI) tenancy
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ----------------------------------------------- | ------------ |
+| regions | [][oci.region](oci.region.md) | Regions |
+| compartments | [][oci.compartment](oci.compartment.md) | Compartments |
diff --git a/docs/mql/resources/oci-pack/oci.network.md b/docs/mql/resources/oci-pack/oci.network.md
new file mode 100644
index 000000000..391a149fc
--- /dev/null
+++ b/docs/mql/resources/oci-pack/oci.network.md
@@ -0,0 +1,20 @@
+---
+title: oci.network
+id: oci.network
+sidebar_label: oci.network
+displayed_sidebar: MQL
+description: Oracle Cloud Infrastructure (OCI) Networking
+---
+
+# oci.network
+
+**Description**
+
+Oracle Cloud Infrastructure (OCI) Networking
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ----------------------------------------------------------------- | ---------------------- |
+| vcns | [][oci.network.vcn](oci.network.vcn.md) | Virtual Cloud Networks |
+| securityLists | [][oci.network.securityList](oci.network.securitylist.md) | VCN Security List |
diff --git a/docs/mql/resources/oci-pack/oci.network.securitylist.md b/docs/mql/resources/oci-pack/oci.network.securitylist.md
new file mode 100644
index 000000000..77e9493b1
--- /dev/null
+++ b/docs/mql/resources/oci-pack/oci.network.securitylist.md
@@ -0,0 +1,25 @@
+---
+title: oci.network.securityList
+id: oci.network.securityList
+sidebar_label: oci.network.securityList
+displayed_sidebar: MQL
+description: Oracle Cloud Infrastructure (OCI) VCN security list virtual firewall rules
+---
+
+# oci.network.securityList
+
+**Description**
+
+Oracle Cloud Infrastructure (OCI) VCN security list virtual firewall rules
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | -------------- | ------------------------------------- |
+| id | string | SecurityList ID |
+| compartmentID | string | Tenancy containing the VCN |
+| name | string | VCN name |
+| created | time | Time when the VCN was created |
+| state | string | VCN state |
+| egressSecurityRules | []dict | Rules for allowing egress IP packets |
+| ingressSecurityRules | []dict | Rules for allowing ingress IP packets |
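Review bot: four rows describe the VCN rather than the security list: `compartmentID` ("Tenancy containing the VCN"), `name` ("VCN name"), `created` ("Time when the VCN was created") and `state` ("VCN state"). Please reword them for the security list. The two rule fields are typed `[]dict` with no indication of the keys inside each rule; a short list of the keys, or a link to them, is needed before anyone can write a check against ingress or egress rules.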
diff --git a/docs/mql/resources/oci-pack/oci.network.vcn.md b/docs/mql/resources/oci-pack/oci.network.vcn.md
new file mode 100644
index 000000000..213c24f90
--- /dev/null
+++ b/docs/mql/resources/oci-pack/oci.network.vcn.md
@@ -0,0 +1,25 @@
+---
+title: oci.network.vcn
+id: oci.network.vcn
+sidebar_label: oci.network.vcn
+displayed_sidebar: MQL
+description: Oracle Cloud Infrastructure (OCI) virtual cloud network (VCN)
+---
+
+# oci.network.vcn
+
+**Description**
+
+Oracle Cloud Infrastructure (OCI) virtual cloud network (VCN)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ---------------- | ----------------------------- |
+| id | string | VCN ID |
+| compartmentID | string | Tenancy containing the VCN |
+| name | string | VCN name |
+| created | time | Time when the VCN was created |
+| state | string | VCN state |
+| cidrBlock | string | Deprecated |
+| cidrBlocks | []string | List of IPv4 CIDR blocks |
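Review bot: the `cidrBlock` row says only "Deprecated", which tells the reader neither what the field held nor what to use instead. Suggest something like "Deprecated; use cidrBlocks", given that the next row documents the list form. `compartmentID` is described as "Tenancy containing the VCN"; please confirm whether "Compartment" is meant.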
diff --git a/docs/mql/resources/oci-pack/oci.objectstorage.bucket.md b/docs/mql/resources/oci-pack/oci.objectstorage.bucket.md
new file mode 100644
index 000000000..20f76e05b
--- /dev/null
+++ b/docs/mql/resources/oci-pack/oci.objectstorage.bucket.md
@@ -0,0 +1,29 @@
+---
+title: oci.objectStorage.bucket
+id: oci.objectStorage.bucket
+sidebar_label: oci.objectStorage.bucket
+displayed_sidebar: MQL
+description: Oracle Cloud Infrastructure (OCI) Object Storage bucket
+---
+
+# oci.objectStorage.bucket
+
+**Description**
+
+Oracle Cloud Infrastructure (OCI) Object Storage bucket
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------- | --------------------------- | --------------------------------------------------- |
+| namespace | string | Bucket namespace |
+| name | string | Bucket name |
+| compartmentID | string | Tenancy containing the bucket |
+| created | time | Time when the vcn was created |
+| region | [oci.region](oci.region.md) | Region |
+| publicAccessType | string | Type of public access enabled |
+| storageTier | string | Storage tier type |
+| autoTiering | string | auto tiering status |
+| versioning | string | Bucket versioning |
+| objectEventsEnabled | bool | Whether events are emitted for object state changes |
+| replicationEnabled | bool | Whether the bucket is a replication source |
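Review bot: the `created` row reads "Time when the vcn was created" on the bucket page, which is a copy-paste leftover; it should refer to the bucket. The `autoTiering` description starts in lower case ("auto tiering status"), unlike every other row. Since `publicAccessType` is the field a reader will use to find publicly readable buckets, please list or link the values it can take.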
diff --git a/docs/mql/resources/oci-pack/oci.objectstorage.md b/docs/mql/resources/oci-pack/oci.objectstorage.md
new file mode 100644
index 000000000..5a1b56d88
--- /dev/null
+++ b/docs/mql/resources/oci-pack/oci.objectstorage.md
@@ -0,0 +1,20 @@
+---
+title: oci.objectStorage
+id: oci.objectStorage
+sidebar_label: oci.objectStorage
+displayed_sidebar: MQL
+description: Oracle Cloud Infrastructure (OCI) Object Storage
+---
+
+# oci.objectStorage
+
+**Description**
+
+Oracle Cloud Infrastructure (OCI) Object Storage
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ----------------------------------------------------------------- | ----------- |
+| namespace | string | Namespace |
+| buckets | [][oci.objectStorage.bucket](oci.objectstorage.bucket.md) | Buckets |
diff --git a/docs/mql/resources/oci-pack/oci.region.md b/docs/mql/resources/oci-pack/oci.region.md
new file mode 100644
index 000000000..aacb6ce37
--- /dev/null
+++ b/docs/mql/resources/oci-pack/oci.region.md
@@ -0,0 +1,22 @@
+---
+title: oci.region
+id: oci.region
+sidebar_label: oci.region
+displayed_sidebar: MQL
+description: Oracle Cloud Infrastructure (OCI) region
+---
+
+# oci.region
+
+**Description**
+
+Oracle Cloud Infrastructure (OCI) region
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------ | ------------------------------------- |
+| id | string | Region's key |
+| name | string | Region name |
+| isHomeRegion | bool | Whether the region is the home region |
+| status | string | Region subscription status |
diff --git a/docs/mql/resources/oci-pack/oci.tenancy.md b/docs/mql/resources/oci-pack/oci.tenancy.md
new file mode 100644
index 000000000..852c5bf97
--- /dev/null
+++ b/docs/mql/resources/oci-pack/oci.tenancy.md
@@ -0,0 +1,22 @@
+---
+title: oci.tenancy
+id: oci.tenancy
+sidebar_label: oci.tenancy
+displayed_sidebar: MQL
+description: Oracle Cloud Infrastructure (OCI) tenancy
+---
+
+# oci.tenancy
+
+**Description**
+
+Oracle Cloud Infrastructure (OCI) tenancy
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ------ | ------------------------------ |
+| id | string | Compartment ID |
+| name | string | Compartment name |
+| description | string | Description of the compartment |
+| retentionPeriod | time | Retention period duration |
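Review bot: On a page titled oci.tenancy, the `id`, `name` and `description` rows all describe a "compartment" ("Compartment ID", "Compartment name", "Description of the compartment"). If these are the tenancy's own values, use "Tenancy ID" and so on; if the wording is intentional because the tenancy is the root compartment, add a sentence under Description saying so. The `retentionPeriod` row is typed `time` but described as a "duration"; state the unit or what the period applies to.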
diff --git a/docs/mql/resources/okta-pack/README.md b/docs/mql/resources/okta-pack/README.md
new file mode 100644
index 000000000..f959f3bf7
--- /dev/null
+++ b/docs/mql/resources/okta-pack/README.md
@@ -0,0 +1,29 @@
+---
+title: Okta Resource Pack - MQL Resources
+id: okta.pack
+sidebar_label: Okta Resource Pack
+displayed_sidebar: MQL
+description: The Okta resource pack lets you use MQL to query and assess the security of your Okta identities and configuration.
+---
+
+# Mondoo Okta Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| --------------------------------------------------------- | --------------------------- |
+| [okta](okta.md) | Okta |
+| [okta.application](okta.application.md) | Okta application |
+| [okta.customRole](okta.customrole.md) | Okta custom role |
+| [okta.domain](okta.domain.md) | Okta domain |
+| [okta.group](okta.group.md) | Okta group |
+| [okta.groupRule](okta.grouprule.md) | Okta group rule |
+| [okta.network](okta.network.md) | Okta network zone |
+| [okta.organization](okta.organization.md) | Okta organization |
+| [okta.policies](okta.policies.md) | Okta policy |
+| [okta.policy](okta.policy.md) | Okta policy |
+| [okta.policyRule](okta.policyrule.md) | Okta policy rule |
+| [okta.role](okta.role.md) | Okta role |
+| [okta.threatsConfiguration](okta.threatsconfiguration.md) | Okta ThreatInsight settings |
+| [okta.trustedOrigin](okta.trustedorigin.md) | Okta trusted origin |
+| [okta.user](okta.user.md) | Okta user |
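Review bot: The index rows for `okta.policies` and `okta.policy` carry the same description, "Okta policy", so a reader cannot tell the collection resource from the single-policy resource. Suggest "Okta policies" (or "Okta policies grouped by type") for `okta.policies`.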
diff --git a/docs/mql/resources/okta-pack/okta.application.md b/docs/mql/resources/okta-pack/okta.application.md
new file mode 100644
index 000000000..6e08bcec9
--- /dev/null
+++ b/docs/mql/resources/okta-pack/okta.application.md
@@ -0,0 +1,31 @@
+---
+title: okta.application
+id: okta.application
+sidebar_label: okta.application
+displayed_sidebar: MQL
+description: Okta application
+---
+
+# okta.application
+
+**Description**
+
+Okta application
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ---------------- | ----------------------------------------------- |
+| id | string | Unique key for the application |
+| name | string | Unique key that defines the application |
+| label | string | User-defined display name for the application |
+| created | time | Timestamp when the application was created |
+| lastUpdated | time | Timestamp when the application was last updated |
+| credentials | dict | Credentials for the specified sign-on mode |
+| features | []string | Enabled app features |
+| licensing | dict | Okta licensing information |
+| profile | dict | Valid JSON schema for specifying properties |
+| settings | dict | Settings for the application |
+| signOnMode | string | Authentication mode of the application |
+| status | string | Status of the application |
+| visibility | dict | Visibility settings for the application |
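Review bot: The `id` and `name` rows are both described as a "Unique key" ("Unique key for the application" and "Unique key that defines the application"), which does not tell the reader how the two differ or which one to match on in a query. Suggest rewording one of them to state what it identifies, and noting the possible values for `signOnMode` and `status` since those are the fields most likely to be asserted on.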
diff --git a/docs/mql/resources/okta-pack/okta.customrole.md b/docs/mql/resources/okta-pack/okta.customrole.md
new file mode 100644
index 000000000..bc62868e1
--- /dev/null
+++ b/docs/mql/resources/okta-pack/okta.customrole.md
@@ -0,0 +1,22 @@
+---
+title: okta.customRole
+id: okta.customRole
+sidebar_label: okta.customRole
+displayed_sidebar: MQL
+description: Okta custom role
+---
+
+# okta.customRole
+
+**Description**
+
+Okta custom role
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ---------------- | ------------------------------ |
+| id | string | Identifier for the custom role |
+| label | string | Name of the custom role |
+| description | string | Description of the custom role |
+| permissions | []string | Role permissions |
diff --git a/docs/mql/resources/okta-pack/okta.domain.md b/docs/mql/resources/okta-pack/okta.domain.md
new file mode 100644
index 000000000..cb7bedbd8
--- /dev/null
+++ b/docs/mql/resources/okta-pack/okta.domain.md
@@ -0,0 +1,23 @@
+---
+title: okta.domain
+id: okta.domain
+sidebar_label: okta.domain
+displayed_sidebar: MQL
+description: Okta domain
+---
+
+# okta.domain
+
+**Description**
+
+Okta domain
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | -------------- | ---------------------------------------------------------------------- |
+| id | string | Domain ID |
+| domain | string | Domain name |
+| validationStatus | string | Status of the domain: NOT_STARTED, IN_PROGRESS, VERIFIED, or COMPLETED |
+| dnsRecords | []dict | TXT and CNAME records to be registered for the domain |
+| publicCertificate | dict | Certificate metadata for the domain |
diff --git a/docs/mql/resources/okta-pack/okta.group.md b/docs/mql/resources/okta-pack/okta.group.md
new file mode 100644
index 000000000..f12702eec
--- /dev/null
+++ b/docs/mql/resources/okta-pack/okta.group.md
@@ -0,0 +1,28 @@
+---
+title: okta.group
+id: okta.group
+sidebar_label: okta.group
+displayed_sidebar: MQL
+description: Okta group
+---
+
+# okta.group
+
+**Description**
+
+Okta group
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------- | ----------------------------------- | ------------------------------------------------------------ |
+| id | string | Unique key for the group |
+| name | string | Group name |
+| description | string | Group description |
+| type | dict | Determines how a group's profile and memberships are managed |
+| created | time | Timestamp when group was created |
+| lastMembershipUpdated | time | Timestamp when group's memberships were last updated |
+| lastUpdated | time | Timestamp when group's profile was last updated |
+| profile | dict | The group's profile properties |
+| members | [][okta.user](okta.user.md) | Group members |
+| roles | [][okta.role](okta.role.md) | Group roles |
diff --git a/docs/mql/resources/okta-pack/okta.grouprule.md b/docs/mql/resources/okta-pack/okta.grouprule.md
new file mode 100644
index 000000000..b82c2dfbe
--- /dev/null
+++ b/docs/mql/resources/okta-pack/okta.grouprule.md
@@ -0,0 +1,22 @@
+---
+title: okta.groupRule
+id: okta.groupRule
+sidebar_label: okta.groupRule
+displayed_sidebar: MQL
+description: Okta group rule
+---
+
+# okta.groupRule
+
+**Description**
+
+Okta group rule
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ------ | ----------------------------- |
+| id | string | Unique key for the group rule |
+| name | string | Group rule name |
+| status | string | Group rule status |
+| type | string | Group rule type |
diff --git a/docs/mql/resources/okta-pack/okta.md b/docs/mql/resources/okta-pack/okta.md
new file mode 100644
index 000000000..dbf890f24
--- /dev/null
+++ b/docs/mql/resources/okta-pack/okta.md
@@ -0,0 +1,26 @@
+---
+title: okta
+id: okta
+sidebar_label: okta
+displayed_sidebar: MQL
+description: Okta
+---
+
+# okta
+
+**Description**
+
+Okta
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ----------------------------------------------------- | -------------------- |
+| users | [][okta.user](okta.user.md) | Okta users |
+| groups | [][okta.group](okta.group.md) | Okta groups |
+| groupRules | [][okta.groupRule](okta.grouprule.md) | Okta group rules |
+| domains | [][okta.domain](okta.domain.md) | Okta domains |
+| applications | [][okta.application](okta.application.md) | Okta applications |
+| trustedOrigins | [][okta.trustedOrigin](okta.trustedorigin.md) | Okta trusted origins |
+| networks | [][okta.network](okta.network.md) | Okta networks |
+| customRoles | [][okta.customRole](okta.customrole.md) | Okta custom roles |
diff --git a/docs/mql/resources/okta-pack/okta.network.md b/docs/mql/resources/okta-pack/okta.network.md
new file mode 100644
index 000000000..2ab3a51c3
--- /dev/null
+++ b/docs/mql/resources/okta-pack/okta.network.md
@@ -0,0 +1,31 @@
+---
+title: okta.network
+id: okta.network
+sidebar_label: okta.network
+displayed_sidebar: MQL
+description: Okta network zone
+---
+
+# okta.network
+
+**Description**
+
+Okta network zone
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ---------------- | ------------------------------------------------------------------- |
+| id | string | Unique identifier for the network zone |
+| name | string | Name for the network zone |
+| type | string | Type of the network zone |
+| created | time | Timestamp when the network zone was created |
+| lastUpdated | time | Timestamp when the network zone was last updated |
+| status | string | Status of the network zone |
+| system | bool | Whether the network zone is system-defined |
+| asns | []string | ISP ASNs for the network zone |
+| usage | string | Usage of zone: POLICY or BLOCKLIST |
+| proxyType | string | IP type |
+| proxies | []dict | IP addresses that are allowed to forward a request from the gateway |
+| locations | []dict | Locations for the network zone |
+| gateways | []dict | IP addresses of this zone |
diff --git a/docs/mql/resources/okta-pack/okta.organization.md b/docs/mql/resources/okta-pack/okta.organization.md
new file mode 100644
index 000000000..26f1c2d2c
--- /dev/null
+++ b/docs/mql/resources/okta-pack/okta.organization.md
@@ -0,0 +1,40 @@
+---
+title: okta.organization
+id: okta.organization
+sidebar_label: okta.organization
+displayed_sidebar: MQL
+description: Okta organization
+---
+
+# okta.organization
+
+**Description**
+
+Okta organization
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------------- | --------------------------------------------------------- | --------------------------------------------------------------------------- |
+| id | string | ID of organization |
+| companyName | string | Name of the company |
+| status | string | Status of organization. Accepted values: ACTIVE, INACTIVE |
+| subdomain | string | Subdomain of organization |
+| address1 | string | Primary address of organization |
+| address2 | string | Secondary address of organization |
+| city | string | City of organization |
+| state | string | State of organization |
+| phoneNumber | string | Phone number of organization |
+| postalCode | string | Postal code of organization |
+| country | string | Country code of organization |
+| supportPhoneNumber | string | Support help phone of organization |
+| website | string | The organization's website |
+| endUserSupportHelpURL | string | Support link of organization |
+| created | time | Timestamp when organization was created |
+| lastUpdated | time | Timestamp when org was last updated |
+| expiresAt | time | Expiration of organization |
+| optOutCommunicationEmails | bool | Indicates whether the organization's users receive Okta communication email |
+| billingContact | [okta.user](okta.user.md) | Billing contact of organization |
+| technicalContact | [okta.user](okta.user.md) | Technical contact of organization |
+| securityNotificationEmails | dict | Security notification email |
+| threatInsightSettings | [okta.threatsConfiguration](okta.threatsconfiguration.md) | Okta ThreatInsight settings |
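Review bot: The `optOutCommunicationEmails` description says the field "Indicates whether the organization's users receive Okta communication email", while the field name is an opt-out, so it is unclear whether `true` means users receive the email or do not. Suggest wording it in terms of the field name, for example "Whether the organization's users are opted out of Okta communication emails". Minor: the `lastUpdated` row abbreviates to "org" where every other row writes "organization".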
diff --git a/docs/mql/resources/okta-pack/okta.policies.md b/docs/mql/resources/okta-pack/okta.policies.md
new file mode 100644
index 000000000..f263f96f1
--- /dev/null
+++ b/docs/mql/resources/okta-pack/okta.policies.md
@@ -0,0 +1,25 @@
+---
+title: okta.policies
+id: okta.policies
+sidebar_label: okta.policies
+displayed_sidebar: MQL
+description: Okta policy
+---
+
+# okta.policies
+
+**Description**
+
+Okta policy
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------ | --------------------------------------- | ---------------------------- |
+| password | [][okta.policy](okta.policy.md) | Password policies |
+| mfaEnroll | [][okta.policy](okta.policy.md) | MFA policies |
+| signOn | [][okta.policy](okta.policy.md) | Sign-on policies |
+| oauthAuthorizationPolicy | [][okta.policy](okta.policy.md) | OAuth authorization policies |
+| idpDiscovery | [][okta.policy](okta.policy.md) | IDP discovery policies |
+| accessPolicy | [][okta.policy](okta.policy.md) | Access policies |
+| profileEnrollment | [][okta.policy](okta.policy.md) | Profile enforcement policies |
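Review bot: The `profileEnrollment` row is described as "Profile enforcement policies"; the field name says enrollment, so one of the two is wrong and the description should probably read "Profile enrollment policies". Likewise `mfaEnroll` is described only as "MFA policies" where "MFA enrollment policies" would match the field. The front-matter `description` and the Description section both say "Okta policy" for this plural resource, the same text used on the okta.policy page.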
diff --git a/docs/mql/resources/okta-pack/okta.policy.md b/docs/mql/resources/okta-pack/okta.policy.md
new file mode 100644
index 000000000..a9a518c98
--- /dev/null
+++ b/docs/mql/resources/okta-pack/okta.policy.md
@@ -0,0 +1,30 @@
+---
+title: okta.policy
+id: okta.policy
+sidebar_label: okta.policy
+displayed_sidebar: MQL
+description: Okta policy
+---
+
+# okta.policy
+
+**Description**
+
+Okta policy
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ----------------------------------------------- | ------------------------------------------- |
+| id | string | Identifier of the policy |
+| name | string | Name of the policy |
+| description | string | Description of the policy |
+| priority | int | Priority of the policy |
+| status | string | Status of the policy: ACTIVE or INACTIVE |
+| system | bool | Whether the policy is a system policy |
+| type | string | Specifies the type of policy |
+| conditions | dict | Conditions for policy |
+| settings | dict | Settings for the policy |
+| created | time | Timestamp when the policy was created |
+| lastUpdated | time | Timestamp when the policy was last modified |
+| rules | [][okta.policyRule](okta.policyrule.md) | Rules attached to the policy |
diff --git a/docs/mql/resources/okta-pack/okta.policyrule.md b/docs/mql/resources/okta-pack/okta.policyrule.md
new file mode 100644
index 000000000..f9efa2afb
--- /dev/null
+++ b/docs/mql/resources/okta-pack/okta.policyrule.md
@@ -0,0 +1,28 @@
+---
+title: okta.policyRule
+id: okta.policyRule
+sidebar_label: okta.policyRule
+displayed_sidebar: MQL
+description: Okta policy rule
+---
+
+# okta.policyRule
+
+**Description**
+
+Okta policy rule
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | ----------------------------------------- |
+| id | string | Identifier of the rule |
+| name | string | Name of the rule |
+| priority | int | Priority of the rule |
+| status | string | Status of the rule: ACTIVE or INACTIVE |
+| system | bool | Whether the rule is a system policy rule |
+| type | string | Rule type |
+| actions | dict | Actions for rule |
+| conditions | dict | Conditions for a rule |
+| created | time | Timestamp when the rule was created |
+| lastUpdated | time | Timestamp when the rule was last modified |
diff --git a/docs/mql/resources/okta-pack/okta.role.md b/docs/mql/resources/okta-pack/okta.role.md
new file mode 100644
index 000000000..1bbf46735
--- /dev/null
+++ b/docs/mql/resources/okta-pack/okta.role.md
@@ -0,0 +1,25 @@
+---
+title: okta.role
+id: okta.role
+sidebar_label: okta.role
+displayed_sidebar: MQL
+description: Okta role
+---
+
+# okta.role
+
+**Description**
+
+Okta role
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ------ | ---------------------------------------- |
+| id | string | The identifier of the role |
+| assignmentType | string | The assignment type of the role |
+| created | time | Timestamp when the role was created |
+| label | string | The label of the role |
+| lastUpdated | time | Timestamp when the role was last updated |
+| status | string | The status of the role |
+| type | string | The type of the role |
diff --git a/docs/mql/resources/okta-pack/okta.threatsconfiguration.md b/docs/mql/resources/okta-pack/okta.threatsconfiguration.md
new file mode 100644
index 000000000..7ad34dd2b
--- /dev/null
+++ b/docs/mql/resources/okta-pack/okta.threatsconfiguration.md
@@ -0,0 +1,22 @@
+---
+title: okta.threatsConfiguration
+id: okta.threatsConfiguration
+sidebar_label: okta.threatsConfiguration
+displayed_sidebar: MQL
+description: Okta ThreatInsight settings
+---
+
+# okta.threatsConfiguration
+
+**Description**
+
+Okta ThreatInsight settings
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ----------------------------------------- | ------------------------------------------------ |
+| action | string | Action |
+| excludeZones | [][okta.network](okta.network.md) | Exempt zones |
+| created | time | Timestamp when the network zone was created |
+| lastUpdated | time | Timestamp when the network zone was last updated |
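Review bot: The `created` and `lastUpdated` rows on this ThreatInsight page both refer to "the network zone", which looks copied from the okta.network page; they should describe the ThreatInsight configuration instead. The `action` row is described only as "Action"; since this is the setting a security check would assert on, the description should say what the action controls and list its possible values.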
diff --git a/docs/mql/resources/okta-pack/okta.trustedorigin.md b/docs/mql/resources/okta-pack/okta.trustedorigin.md
new file mode 100644
index 000000000..aec8857ae
--- /dev/null
+++ b/docs/mql/resources/okta-pack/okta.trustedorigin.md
@@ -0,0 +1,27 @@
+---
+title: okta.trustedOrigin
+id: okta.trustedOrigin
+sidebar_label: okta.trustedOrigin
+displayed_sidebar: MQL
+description: Okta trusted origin
+---
+
+# okta.trustedOrigin
+
+**Description**
+
+Okta trusted origin
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | -------------- | ---------------------------------------------------------- |
+| id | string | Unique identifier for the trusted origin |
+| name | string | Name for the trusted origin |
+| origin | string | Unique origin URL for the trusted origin |
+| created | time | Timestamp when the trusted origin was created |
+| createdBy | string | ID of the entity that created the trusted origin |
+| lastUpdated | time | Timestamp when the trusted origin was last updated |
+| lastUpdatedBy | string | ID of entity that last updated the trusted origin |
+| scopes | []dict | Array of scope types for which this trusted origin is used |
+| status | string | Status of the trusted origin |
diff --git a/docs/mql/resources/okta-pack/okta.user.md b/docs/mql/resources/okta-pack/okta.user.md
new file mode 100644
index 000000000..6c4dcb779
--- /dev/null
+++ b/docs/mql/resources/okta-pack/okta.user.md
@@ -0,0 +1,32 @@
+---
+title: okta.user
+id: okta.user
+sidebar_label: okta.user
+displayed_sidebar: MQL
+description: Okta user
+---
+
+# okta.user
+
+**Description**
+
+Okta user
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------- | ----------------------------------- | -------------------------------------------------------------- |
+| id | string | Unique key for user |
+| typeId | string | User's type identifier |
+| type | dict | User's type object |
+| credentials | dict | User credentials |
+| activated | time | Timestamp when the user was activated |
+| created | time | Timestamp when user was created |
+| lastLogin | time | Timestamp of last login |
+| lastUpdated | time | Timestamp when user was last updated |
+| passwordChanged | time | Timestamp when password last changed |
+| profile | dict | User profile properties |
+| status | string | Current status of user |
+| statusChanged | time | Timestamp when status last changed |
+| transitioningToStatus | string | Target status of an in-progress asynchronous status transition |
+| roles | [][okta.role](okta.role.md) | The roles assigned to the user |
diff --git a/docs/mql/resources/opcua-pack/README.md b/docs/mql/resources/opcua-pack/README.md
new file mode 100644
index 000000000..f1b17f144
--- /dev/null
+++ b/docs/mql/resources/opcua-pack/README.md
@@ -0,0 +1,18 @@
+---
+title: OPC UA Resource Pack - MQL Resources
+id: opc.ua.pack
+sidebar_label: OPC UA Resource Pack
+displayed_sidebar: MQL
+description: The OPC-UA resource pack lets you use MQL to query and assess the security of your OPC-UA servers.
+---
+
+# Mondoo OPC UA Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| ------------------------------------- | ---------------- |
+| [opcua](opcua.md) | OPC UA |
+| [opcua.namespace](opcua.namespace.md) | OPC UA namespace |
+| [opcua.node](opcua.node.md) | OPC UA node |
+| [opcua.server](opcua.server.md) | Server object |
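Review bot: The front-matter `description` writes "OPC-UA" twice while the title, sidebar label and heading in the same file write "OPC UA"; pick one spelling. In the table, `opcua.server` is described as "Server object" where the other three rows are prefixed with "OPC UA"; "OPC UA server" would be consistent.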
diff --git a/docs/mql/resources/opcua-pack/opcua.md b/docs/mql/resources/opcua-pack/opcua.md
new file mode 100644
index 000000000..fc3ac8924
--- /dev/null
+++ b/docs/mql/resources/opcua-pack/opcua.md
@@ -0,0 +1,21 @@
+---
+title: opcua
+id: opcua
+sidebar_label: opcua
+displayed_sidebar: MQL
+description: OPC UA
+---
+
+# opcua
+
+**Description**
+
+OPC UA
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ----------------------------------------------- | ----------------- |
+| namespaces | [][opcua.namespace](opcua.namespace.md) | Namespaces |
+| root | [opcua.node](opcua.node.md) | Root node |
+| nodes | [][opcua.node](opcua.node.md) | List of all nodes |
diff --git a/docs/mql/resources/opcua-pack/opcua.namespace.md b/docs/mql/resources/opcua-pack/opcua.namespace.md
new file mode 100644
index 000000000..72ce3e340
--- /dev/null
+++ b/docs/mql/resources/opcua-pack/opcua.namespace.md
@@ -0,0 +1,20 @@
+---
+title: opcua.namespace
+id: opcua.namespace
+sidebar_label: opcua.namespace
+displayed_sidebar: MQL
+description: OPC UA namespace
+---
+
+# opcua.namespace
+
+**Description**
+
+OPC UA namespace
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | ------ | -------------- |
+| id | int | Namespace ID |
+| name | string | Namespace name |
diff --git a/docs/mql/resources/opcua-pack/opcua.node.md b/docs/mql/resources/opcua-pack/opcua.node.md
new file mode 100644
index 000000000..88e03dbbe
--- /dev/null
+++ b/docs/mql/resources/opcua-pack/opcua.node.md
@@ -0,0 +1,32 @@
+---
+title: opcua.node
+id: opcua.node
+sidebar_label: opcua.node
+displayed_sidebar: MQL
+description: OPC UA node
+---
+
+# opcua.node
+
+**Description**
+
+OPC UA node
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------------------------------------- | ------------------------------ |
+| id | string | Node ID |
+| name | string | Node browser name |
+| namespace | [opcua.namespace](opcua.namespace.md) | Namespace |
+| class | string | Node class |
+| description | string | Node description |
+| writeable | bool | Indicates if value is writable |
+| dataType | string | Data type |
+| min | string | Minimum value |
+| max | string | Maximum value |
+| unit | string | Node unit |
+| accessLevel | string | Access level |
+| properties | [][opcua.node](opcua.node.md) | Properties |
+| components | [][opcua.node](opcua.node.md) | Components |
+| organizes | [][opcua.node](opcua.node.md) | Organizes |
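Review bot: The `writeable` row spells the field one way and the description another ("Indicates if value is writable"); if the field name cannot change, at least phrase the description like the other boolean fields in this patch ("Whether the node's value is writable"). The `accessLevel` row is described only as "Access level"; together with `writeable` it is the field a reader would use to find nodes that accept writes, so it should state what values it can hold. The `properties`, `components` and `organizes` rows repeat the field name as the description and do not say what relationship to the node they represent.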
diff --git a/docs/mql/resources/opcua-pack/opcua.server.md b/docs/mql/resources/opcua-pack/opcua.server.md
new file mode 100644
index 000000000..a7c5f5542
--- /dev/null
+++ b/docs/mql/resources/opcua-pack/opcua.server.md
@@ -0,0 +1,23 @@
+---
+title: opcua.server
+id: opcua.server
+sidebar_label: opcua.server
+displayed_sidebar: MQL
+description: Server object
+---
+
+# opcua.server
+
+**Description**
+
+Server object
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | --------------------------- | ---------------------------- |
+| node | [opcua.node](opcua.node.md) | Reference to node |
+| buildInfo | dict | Server build info |
+| currentTime | time | Current time on server |
+| startTime | time | Time when the server started |
+| state | string | Server state |
diff --git a/docs/mql/resources/os-pack/README.md b/docs/mql/resources/os-pack/README.md
new file mode 100644
index 000000000..b03e5865e
--- /dev/null
+++ b/docs/mql/resources/os-pack/README.md
@@ -0,0 +1,118 @@
+---
+title: Operating Systems (OS) Resource Pack - MQL Resources
+id: operating.systems.os.pack
+sidebar_label: Operating Systems (OS) Resource Pack
+displayed_sidebar: MQL
+description: The Operating Systems (OS) resource pack lets you use MQL to query and assess the security of your operating system packages and configuration.
+---
+
+# Mondoo Operating Systems (OS) Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| ------------------------------------------------------- | ---------------------------------------------------------- |
+| [asset](asset.md) | |
+| [asset.eol](asset.eol.md) | |
+| [audit.advisory](audit.advisory.md) | Platform/package advisory |
+| [audit.cve](audit.cve.md) | Common Vulnerabilities and Exposures (CVEs) |
+| [audit.cvss](audit.cvss.md) | Common Vulnerability Scoring System (CVSS) score |
+| [auditpol](auditpol.md) | Windows audit policies |
+| [auditpol.entry](auditpol.entry.md) | Windows audit policy |
+| [authorizedkeys](authorizedkeys.md) | List of SSH authorized keys |
+| [authorizedkeys.entry](authorizedkeys.entry.md) | SSH authorized key |
+| [command](command.md) | Results of running a command on the system |
+| [container.image](container.image.md) | Container image |
+| [container.repository](container.repository.md) | Container registry repository |
+| [docker](docker.md) | Docker host resource |
+| [docker.container](docker.container.md) | Docker container |
+| [docker.image](docker.image.md) | Docker image |
+| [file](file.md) | File on the system |
+| [file.permissions](file.permissions.md) | Access permissions for a given file |
+| [files](files.md) | |
+| [files.find](files.find.md) | Find files on the system |
+| [group](group.md) | Group on this system |
+| [groups](groups.md) | Groups configured on this system |
+| [ip6tables](ip6tables.md) | IPv6 tables |
+| [iptables](iptables.md) | IPv4 tables |
+| [iptables.entry](iptables.entry.md) | |
+| [kernel](kernel.md) | System kernel information |
+| [kernel.module](kernel.module.md) | System kernel module information |
+| [kubelet](kubelet.md) | Kubernetes kubelet configuration |
+| [logindefs](logindefs.md) | Shadow password suite configuration |
+| [lsblk](lsblk.md) | Unix list block devices |
+| [lsblk.entry](lsblk.entry.md) | Unix block device |
+| [machine](machine.md) | |
+| [machine.baseboard](machine.baseboard.md) | SMBIOS baseboard (or module) information |
+| [machine.bios](machine.bios.md) | SMBIOS BIOS information |
+| [machine.chassis](machine.chassis.md) | SMBIOS system enclosure or chassis |
+| [machine.system](machine.system.md) | SMBIOS system information |
+| [macos](macos.md) | macOS specific resources |
+| [macos.alf](macos.alf.md) | macOS application layer firewall (ALF) service |
+| [macos.systemsetup](macos.systemsetup.md) | macOS machine settings |
+| [macos.timemachine](macos.timemachine.md) | macOS Time Machine |
+| [mondoo.eol](mondoo.eol.md) | Platform end-of-life information |
+| [mount](mount.md) | Unix mounted file system |
+| [mount.point](mount.point.md) | Unix mount point |
+| [npm.package](npm.package.md) | |
+| [npm.packages](npm.packages.md) | npm packages |
+| [ntp.conf](ntp.conf.md) | NTP service configuration |
+| [os](os.md) | Operating system information |
+| [os.base](os.base.md) | |
+| [os.linux](os.linux.md) | |
+| [os.rootCertificates](os.rootcertificates.md) | Operating system root certificates |
+| [os.unix](os.unix.md) | |
+| [os.update](os.update.md) | Operating system update information |
+| [package](package.md) | Package on the platform or OS |
+| [packages](packages.md) | List of packages on this system |
+| [pam.conf](pam.conf.md) | PAM configuration (pluggable authentication module) |
+| [pam.conf.serviceEntry](pam.conf.serviceentry.md) | |
+| [parse.certificates](parse.certificates.md) | Parse certificates from files |
+| [parse.ini](parse.ini.md) | Parse INI files |
+| [parse.json](parse.json.md) | Parse JSON files |
+| [parse.openpgp](parse.openpgp.md) | Parse OpenPGP from files |
+| [parse.plist](parse.plist.md) | Parse plist files |
+| [parse.yaml](parse.yaml.md) | Parse YAML files |
+| [pkgFileInfo](pkgfileinfo.md) | |
+| [platform](platform.md) | |
+| [platform.advisories](platform.advisories.md) | All platform/package advisories |
+| [platform.cves](platform.cves.md) | All platform/package CVEs |
+| [platform.eol](platform.eol.md) | Deprecated; will be removed in version 10.0 |
+| [port](port.md) | TCP/IP port on the system |
+| [ports](ports.md) | TCP/IP ports on the system |
+| [powershell](powershell.md) | Results of running a PowerShell script on the system |
+| [privatekey](privatekey.md) | Private key resource |
+| [process](process.md) | Process on this system |
+| [processes](processes.md) | Processes available on this system |
+| [python](python.md) | Python package details found on the operating system image |
+| [python.package](python.package.md) | Python package information |
+| [registrykey](registrykey.md) | Windows registry key |
+| [registrykey.property](registrykey.property.md) | Windows registry key property |
+| [rsyslog.conf](rsyslog.conf.md) | rsyslog service configuration |
+| [secpol](secpol.md) | Windows local security policy |
+| [service](service.md) | Service on this system |
+| [services](services.md) | Services configured on this system |
+| [shadow](shadow.md) | Shadowed password file |
+| [shadow.entry](shadow.entry.md) | Shadowed password file entry |
+| [sshd](sshd.md) | SSH server resource |
+| [sshd.config](sshd.config.md) | SSH server configuration |
+| [sshd.config.matchBlock](sshd.config.matchblock.md) | |
+| [user](user.md) | User on this system |
+| [users](users.md) | Users configured on this system |
+| [vuln.advisory](vuln.advisory.md) | Advisory information |
+| [vuln.cve](vuln.cve.md) | CVE information |
+| [vuln.package](vuln.package.md) | Package information relevant for vulnerability management |
+| [vulnmgmt](vulnmgmt.md) | Vulnerability Information |
+| [windows](windows.md) | Windows-specific resource to get operating system details |
+| [windows.bitlocker](windows.bitlocker.md) | Windows BitLocker |
+| [windows.bitlocker.volume](windows.bitlocker.volume.md) | Windows BitLocker volume |
+| [windows.feature](windows.feature.md) | Windows feature resource |
+| [windows.firewall](windows.firewall.md) | Windows Firewall resource |
+| [windows.firewall.profile](windows.firewall.profile.md) | Windows Firewall profile entry |
+| [windows.firewall.rule](windows.firewall.rule.md) | Windows Firewall rule entry |
+| [windows.hotfix](windows.hotfix.md) | Windows hotfix resource |
+| [windows.security](windows.security.md) | |
+| [windows.security.health](windows.security.health.md) | Health of the Windows security provider |
+| [windows.security.product](windows.security.product.md) | Private Windows security product |
+| [yum](yum.md) | Yum package manager resource |
+| [yum.repo](yum.repo.md) | Yum repository resource |
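Review bot: The `sshd.config.matchBlock` and `windows.security` rows in this index have empty description cells, so a reader scanning the table cannot tell what those resources cover. Fill both in. On the `windows.security.product` row, confirm that "Private Windows security product" is the intended wording, and bring "Vulnerability Information" on the `vulnmgmt` row in line with the sentence-style capitalization of the other descriptions.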
diff --git a/docs/mql/resources/os-pack/asset.eol.md b/docs/mql/resources/os-pack/asset.eol.md
new file mode 100644
index 000000000..506d82551
--- /dev/null
+++ b/docs/mql/resources/os-pack/asset.eol.md
@@ -0,0 +1,16 @@
+---
+title: asset.eol
+id: asset.eol
+sidebar_label: asset.eol
+displayed_sidebar: MQL
+---
+
+# asset.eol
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | ----------------- |
+| docsUrl | string | Documentation URL |
+| productUrl | string | Product URL |
+| date | time | End-of-Life date |
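Review bot: The front matter has no `description:` key and the page has no **Description** section, unlike sibling pages such as `audit.cve`, so nothing here says what `asset.eol` represents. Add a one-line description, and make the `date` row match `mondoo.eol`, which writes "End-of-life date" where this table has "End-of-Life date".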
diff --git a/docs/mql/resources/os-pack/asset.md b/docs/mql/resources/os-pack/asset.md
new file mode 100644
index 000000000..8358a7754
--- /dev/null
+++ b/docs/mql/resources/os-pack/asset.md
@@ -0,0 +1,15 @@
+---
+title: asset
+id: asset
+sidebar_label: asset
+displayed_sidebar: MQL
+---
+
+# asset
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------- | ------------------ | -------------------------------------------------------------------------------------------------- |
+| cpes | []core.cpe | Common Platform Enumeration (CPE) for the asset |
+| vulnerabilityReport | dict | Advisory & vulnerability report, Deprecated; will be removed in version 10.0, use vulnmgmt instead |
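Review bot: The `vulnerabilityReport` description runs the deprecation notice into the field description with a comma splice and names the replacement without linking it. Suggest "Advisory and vulnerability report. Deprecated; will be removed in version 10.0. Use [vulnmgmt](vulnmgmt.md) instead." The page also lacks a `description:` key and a **Description** section, which most other pages in this pack carry.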
diff --git a/docs/mql/resources/os-pack/audit.advisory.md b/docs/mql/resources/os-pack/audit.advisory.md
new file mode 100644
index 000000000..0b7a725a6
--- /dev/null
+++ b/docs/mql/resources/os-pack/audit.advisory.md
@@ -0,0 +1,25 @@
+---
+title: audit.advisory
+id: audit.advisory
+sidebar_label: audit.advisory
+displayed_sidebar: MQL
+description: Platform/package advisory
+---
+
+# audit.advisory
+
+**Description**
+
+Platform/package advisory
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | --------------------------- | ------------------------------------- |
+| id | string | Advisory ID |
+| mrn | string | Mondoo advisory identifier |
+| title | string | Advisory title |
+| description | string | Advisory description |
+| published | time | Advisory publication date |
+| modified | time | Last modification date |
+| worstScore | [audit.cvss](audit.cvss.md) | Worst CVSS score of all assigned CVEs |
diff --git a/docs/mql/resources/os-pack/audit.cve.md b/docs/mql/resources/os-pack/audit.cve.md
new file mode 100644
index 000000000..0c7fcfaec
--- /dev/null
+++ b/docs/mql/resources/os-pack/audit.cve.md
@@ -0,0 +1,26 @@
+---
+title: audit.cve
+id: audit.cve
+sidebar_label: audit.cve
+displayed_sidebar: MQL
+description: Common Vulnerabilities and Exposures (CVEs)
+---
+
+# audit.cve
+
+**Description**
+
+Common Vulnerabilities and Exposures (CVEs)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | --------------------------- | ------------------------------------- |
+| id | string | CVE ID |
+| mrn | string | Mondoo CVE identifier |
+| state | string | CVE state |
+| summary | string | Summary description |
+| unscored | bool | Whether the CVE has a CVSS score |
+| published | time | Publication date |
+| modified | time | Last modification date |
+| worstScore | [audit.cvss](audit.cvss.md) | Worst CVSS score of all assigned CVEs |
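Review bot: The `unscored` row is described as "Whether the CVE has a CVSS score", which is the opposite of what the field name implies, so a policy written from this table could filter the wrong set of CVEs. Confirm the semantics and reword, for example "Whether the CVE has no CVSS score". The `worstScore` description, "Worst CVSS score of all assigned CVEs", is identical to the one in `audit.advisory` and does not fit a single CVE; describe what it holds for this resource.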
diff --git a/docs/mql/resources/os-pack/audit.cvss.md b/docs/mql/resources/os-pack/audit.cvss.md
new file mode 100644
index 000000000..4a5077b73
--- /dev/null
+++ b/docs/mql/resources/os-pack/audit.cvss.md
@@ -0,0 +1,20 @@
+---
+title: audit.cvss
+id: audit.cvss
+sidebar_label: audit.cvss
+displayed_sidebar: MQL
+description: Common Vulnerability Scoring System (CVSS) score
+---
+
+# audit.cvss
+
+**Description**
+
+Common Vulnerability Scoring System (CVSS) score
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ------ | ----------------------------------------- |
+| score | float | CVSS score ranging from 0.0 to 10.0 |
+| vector | string | CVSS score represented as a vector string |
diff --git a/docs/mql/resources/os-pack/auditpol.entry.md b/docs/mql/resources/os-pack/auditpol.entry.md
new file mode 100644
index 000000000..878cac83a
--- /dev/null
+++ b/docs/mql/resources/os-pack/auditpol.entry.md
@@ -0,0 +1,24 @@
+---
+title: auditpol.entry
+id: auditpol.entry
+sidebar_label: auditpol.entry
+displayed_sidebar: MQL
+description: Windows audit policy
+---
+
+# auditpol.entry
+
+**Description**
+
+Windows audit policy
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ------ | ------------------ |
+| machinename | string | Machine name |
+| policytarget | string | Policy target |
+| subcategory | string | Subcategory |
+| subcategoryguid | string | Subcategory GUID |
+| inclusionsetting | string | Inclusive setting |
+| exclusionsetting | string | Exclusive settings |
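Review bot: The `inclusionsetting` and `exclusionsetting` rows are described as "Inclusive setting" and "Exclusive settings", which changes the word and mixes singular with plural without saying what the fields hold. Use "Inclusion setting" and "Exclusion setting", and state the values a query should compare against, since these are the fields an audit-policy check will assert on.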
diff --git a/docs/mql/resources/os-pack/auditpol.md b/docs/mql/resources/os-pack/auditpol.md
new file mode 100644
index 000000000..8baeccafe
--- /dev/null
+++ b/docs/mql/resources/os-pack/auditpol.md
@@ -0,0 +1,23 @@
+---
+title: auditpol
+id: auditpol
+sidebar_label: auditpol
+displayed_sidebar: MQL
+description: Windows audit policies
+---
+
+# auditpol
+
+**Description**
+
+Windows audit policies
+
+**List**
+
+[]auditpol.entry
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | --------------------------------------------- | ----------- |
+| list | [][auditpol.entry](auditpol.entry.md) | |
diff --git a/docs/mql/resources/os-pack/authorizedkeys.entry.md b/docs/mql/resources/os-pack/authorizedkeys.entry.md
new file mode 100644
index 000000000..778f8d141
--- /dev/null
+++ b/docs/mql/resources/os-pack/authorizedkeys.entry.md
@@ -0,0 +1,24 @@
+---
+title: authorizedkeys.entry
+id: authorizedkeys.entry
+sidebar_label: authorizedkeys.entry
+displayed_sidebar: MQL
+description: SSH authorized key
+---
+
+# authorizedkeys.entry
+
+**Description**
+
+SSH authorized key
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ---------------- | --------------- |
+| line | int | Line of the key |
+| type | string | Type of key |
+| key | string | Key |
+| label | string | Key label |
+| options | []string | Key options |
+| file | [file](file.md) | Key file |
diff --git a/docs/mql/resources/os-pack/authorizedkeys.md b/docs/mql/resources/os-pack/authorizedkeys.md
new file mode 100644
index 000000000..a240ef68f
--- /dev/null
+++ b/docs/mql/resources/os-pack/authorizedkeys.md
@@ -0,0 +1,30 @@
+---
+title: authorizedkeys
+id: authorizedkeys
+sidebar_label: authorizedkeys
+displayed_sidebar: MQL
+description: List of SSH authorized keys
+---
+
+# authorizedkeys
+
+**Description**
+
+List of SSH authorized keys
+
+**Init**
+
+authorizedkeys(path string)
+
+**List**
+
+[]authorizedkeys.entry
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | --------------------------------------------------------- | -------------------- |
+| path | string | Path to the key file |
+| file | [file](file.md) | Key file |
+| content | string | Key file content |
+| list | [][authorizedkeys.entry](authorizedkeys.entry.md) | |
diff --git a/docs/mql/resources/os-pack/command.md b/docs/mql/resources/os-pack/command.md
new file mode 100644
index 000000000..c69675c34
--- /dev/null
+++ b/docs/mql/resources/os-pack/command.md
@@ -0,0 +1,26 @@
+---
+title: command
+id: command
+sidebar_label: command
+displayed_sidebar: MQL
+description: Results of running a command on the system
+---
+
+# command
+
+**Description**
+
+Results of running a command on the system
+
+**Init**
+
+command(command string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ------ | ---------------------------------------------- |
+| command | string | Raw contents of the command |
+| stdout | string | Standard output from running the command |
+| stderr | string | Standard error output from running the command |
+| exitcode | int | Exit code the command returned |
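Review bot: This page documents a resource that runs a command on the scanned system but gives no execution context. Add a sentence on which account the command runs as, whether the string is interpreted by a shell, and what happens on timeout or a non-zero `exitcode`, because anyone reviewing a policy that uses `command(...)` needs that to judge its impact. The `command` row, "Raw contents of the command", would be clearer as "The command string passed to the resource".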
diff --git a/docs/mql/resources/os-pack/container.image.md b/docs/mql/resources/os-pack/container.image.md
new file mode 100644
index 000000000..704fcf6a3
--- /dev/null
+++ b/docs/mql/resources/os-pack/container.image.md
@@ -0,0 +1,23 @@
+---
+title: container.image
+id: container.image
+sidebar_label: container.image
+displayed_sidebar: MQL
+description: Container image
+---
+
+# container.image
+
+**Description**
+
+Container image
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ----------------------------------------------- | ---------------------------------------------------------- |
+| reference | string | Image reference |
+| name | string | Fully-qualified reference name |
+| identifier | string | Identifier of type-specific portion of the image reference |
+| identifierType | string | Identifier type: tag or digest |
+| repository | [container.repository](container.repository.md) | Repository used for the container image |
diff --git a/docs/mql/resources/os-pack/container.repository.md b/docs/mql/resources/os-pack/container.repository.md
new file mode 100644
index 000000000..b707a31b7
--- /dev/null
+++ b/docs/mql/resources/os-pack/container.repository.md
@@ -0,0 +1,22 @@
+---
+title: container.repository
+id: container.repository
+sidebar_label: container.repository
+displayed_sidebar: MQL
+description: Container registry repository
+---
+
+# container.repository
+
+**Description**
+
+Container registry repository
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ------ | ---------------------------------- |
+| name | string | Container registry repository name |
+| scheme | string | URL scheme |
+| fullName | string | Container registry repository URL |
+| registry | string | Container registry URL |
diff --git a/docs/mql/resources/os-pack/docker.container.md b/docs/mql/resources/os-pack/docker.container.md
new file mode 100644
index 000000000..0e801858a
--- /dev/null
+++ b/docs/mql/resources/os-pack/docker.container.md
@@ -0,0 +1,27 @@
+---
+title: docker.container
+id: docker.container
+sidebar_label: docker.container
+displayed_sidebar: MQL
+description: Docker container
+---
+
+# docker.container
+
+**Description**
+
+Docker container
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ----------------------- | --------------------- |
+| os | [os.linux](os.linux.md) | |
+| id | string | Container ID |
+| command | string | Container command |
+| image | string | Container image |
+| imageid | string | Image ID |
+| names | []string | Container names |
+| state | string | Container state |
+| status | string | Status message |
+| labels | map[string]string | Label key value pairs |
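Review bot: The `os` row has an empty description, so the only field here that links to another resource (`os.linux`) is unexplained. Say what it exposes, for example whether it lets a query inspect the operating system inside the container. The field name `imageid` is all lowercase while `container.image` uses camelCase (`identifierType`); if the name is fixed by the schema, leave it, but note the inconsistency for the schema owners.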
diff --git a/docs/mql/resources/os-pack/docker.image.md b/docs/mql/resources/os-pack/docker.image.md
new file mode 100644
index 000000000..d41c74b89
--- /dev/null
+++ b/docs/mql/resources/os-pack/docker.image.md
@@ -0,0 +1,23 @@
+---
+title: docker.image
+id: docker.image
+sidebar_label: docker.image
+displayed_sidebar: MQL
+description: Docker image
+---
+
+# docker.image
+
+**Description**
+
+Docker image
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ----------------- | ------------------------------- |
+| id | string | Image ID |
+| size | int | Image size in kilobytes |
+| virtualsize | int | Virtual image size in kilobytes |
+| tags | []string | Tag key value pairs |
+| labels | map[string]string | Labels key value pairs |
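Review bot: The `tags` row is typed `[]string` but described as "Tag key value pairs", which looks copied from the `labels` row below it. A list of strings is not key-value data; describe it as the list of tags for the image. The `labels` description also reads "Labels key value pairs" here and "Label key value pairs" in `docker.container`; pick one.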
diff --git a/docs/mql/resources/os-pack/docker.md b/docs/mql/resources/os-pack/docker.md
new file mode 100644
index 000000000..05bb5bdab
--- /dev/null
+++ b/docs/mql/resources/os-pack/docker.md
@@ -0,0 +1,20 @@
+---
+title: docker
+id: docker
+sidebar_label: docker
+displayed_sidebar: MQL
+description: Docker host resource
+---
+
+# docker
+
+**Description**
+
+Docker host resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------------------------------------------------- | -------------------------- |
+| images | [][docker.image](docker.image.md) | List all Docker images |
+| containers | [][docker.container](docker.container.md) | List all Docker containers |
diff --git a/docs/mql/resources/os-pack/file.md b/docs/mql/resources/os-pack/file.md
new file mode 100644
index 000000000..fd9d8021a
--- /dev/null
+++ b/docs/mql/resources/os-pack/file.md
@@ -0,0 +1,32 @@
+---
+title: file
+id: file
+sidebar_label: file
+displayed_sidebar: MQL
+description: File on the system
+---
+
+# file
+
+**Description**
+
+File on the system
+
+**Init**
+
+file(path string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | --------------------------------------- | ------------------------------------------- |
+| path | string | Location of the file on the system |
+| basename | string | Filename without path prefix of this file |
+| dirname | string | Path to the folder containing this file |
+| content | string | Contents of this file |
+| exists | bool | Indicator if this file exists on the system |
+| permissions | [file.permissions](file.permissions.md) | Permissions for this file |
+| size | int | Size of this file on disk |
+| user | [user](user.md) | Ownership information about the user |
+| group | [group](group.md) | Ownership information about the group |
+| empty | bool | Whether the path is empty |
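Review bot: The `empty` row, "Whether the path is empty", is ambiguous on a resource that can describe either a file or a directory: it does not say whether it means a zero-length file, a directory with no entries, or both. Spell that out. The `size` row gives no unit, while `docker.image` states kilobytes for its size fields; state the unit here as well.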
diff --git a/docs/mql/resources/os-pack/file.permissions.md b/docs/mql/resources/os-pack/file.permissions.md
new file mode 100644
index 000000000..395f12cd2
--- /dev/null
+++ b/docs/mql/resources/os-pack/file.permissions.md
@@ -0,0 +1,35 @@
+---
+title: file.permissions
+id: file.permissions
+sidebar_label: file.permissions
+displayed_sidebar: MQL
+description: Access permissions for a given file
+---
+
+# file.permissions
+
+**Description**
+
+Access permissions for a given file
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ------ | ------------------------------------------------------ |
+| mode | int | Raw POSIX mode for the permissions |
+| user_readable | bool | Whether the file is readable by its owner |
+| user_writeable | bool | Whether the file is writeable by its owner |
+| user_executable | bool | Whether the file is executable by its owner |
+| group_readable | bool | Whether the file is readable by members of the group |
+| group_writeable | bool | Whether the file is writeable by members of the group |
+| group_executable | bool | Whether the file is executable by members of the group |
+| other_readable | bool | Whether the file is readable by others |
+| other_writeable | bool | Whether the file is writeable by others |
+| other_executable | bool | Whether the file is executable by others |
+| suid | bool | SUID bit indicator |
+| sgid | bool | SGID bit indicator |
+| sticky | bool | Sticky bit indicator |
+| isDirectory | bool | Whether the file describes a directory |
+| isFile | bool | Whether the file describes a regular file |
+| isSymlink | bool | Whether the file is a symlink |
+| string | string | A simple printed string version of the permissions |
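Review bot: The `mode` row says "Raw POSIX mode" with type `int` but does not say how a query should write the comparison value, in particular whether an octal literal such as 0644 is accepted or the decimal value is expected. Permission checks are a common assertion, so document that with one example. The table also mixes snake_case (`user_readable`) with camelCase (`isDirectory`); if the names come from the schema, say so in the PR description so reviewers do not flag it again.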
diff --git a/docs/mql/resources/os-pack/files.find.md b/docs/mql/resources/os-pack/files.find.md
new file mode 100644
index 000000000..1bc83c654
--- /dev/null
+++ b/docs/mql/resources/os-pack/files.find.md
@@ -0,0 +1,29 @@
+---
+title: files.find
+id: files.find
+sidebar_label: files.find
+displayed_sidebar: MQL
+description: Find files on the system
+---
+
+# files.find
+
+**Description**
+
+Find files on the system
+
+**List**
+
+[]file
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------------------------- | -------------------------------------------------------------- |
+| from | string | Sets the starting point for the search operation |
+| xdev | bool | Whether other devices to search |
+| type | string | What types of files to list (directories, files, devices, etc) |
+| regex | string | A regular expression for the file search |
+| permissions | int | What permissions the file matches |
+| name | string | Search name |
+| list | [][file](file.md) | |
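Review bot: The `xdev` description, "Whether other devices to search", is not a sentence and does not say which way the flag works. Reword to state whether true means the search crosses onto other devices or stays on the starting one. The `permissions` row has the same gap as `file.permissions.mode` (no indication of octal versus decimal), and the page has no **Init** section or usage line even though every field is a search parameter, so a reader cannot tell how to construct the query.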
diff --git a/docs/mql/resources/os-pack/files.md b/docs/mql/resources/os-pack/files.md
new file mode 100644
index 000000000..a3a325503
--- /dev/null
+++ b/docs/mql/resources/os-pack/files.md
@@ -0,0 +1,8 @@
+---
+title: files
+id: files
+sidebar_label: files
+displayed_sidebar: MQL
+---
+
+# files
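Review bot: This page ends at the `# files` heading with no description, fields or links, so it renders as an empty entry in the sidebar. Either add a short description that links to `files.find`, or leave the page out until there is content for it.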
diff --git a/docs/mql/resources/os-pack/group.md b/docs/mql/resources/os-pack/group.md
new file mode 100644
index 000000000..a6d712c98
--- /dev/null
+++ b/docs/mql/resources/os-pack/group.md
@@ -0,0 +1,26 @@
+---
+title: group
+id: group
+sidebar_label: group
+displayed_sidebar: MQL
+description: Group on this system
+---
+
+# group
+
+**Description**
+
+Group on this system
+
+**Init**
+
+group(id string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ------------------------- | ------------------------------------- |
+| gid | int | Group ID |
+| sid | string | Group's security identifier (Windows) |
+| name | string | Name of this group |
+| members | [][user](user.md) | Users who are members of this group |
diff --git a/docs/mql/resources/os-pack/groups.md b/docs/mql/resources/os-pack/groups.md
new file mode 100644
index 000000000..fd731b795
--- /dev/null
+++ b/docs/mql/resources/os-pack/groups.md
@@ -0,0 +1,23 @@
+---
+title: groups
+id: groups
+sidebar_label: groups
+displayed_sidebar: MQL
+description: Groups configured on this system
+---
+
+# groups
+
+**Description**
+
+Groups configured on this system
+
+**List**
+
+[]group
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | --------------------------- | ----------- |
+| list | [][group](group.md) | |
diff --git a/docs/mql/resources/os-pack/ip6tables.md b/docs/mql/resources/os-pack/ip6tables.md
new file mode 100644
index 000000000..636400871
--- /dev/null
+++ b/docs/mql/resources/os-pack/ip6tables.md
@@ -0,0 +1,20 @@
+---
+title: ip6tables
+id: ip6tables
+sidebar_label: ip6tables
+displayed_sidebar: MQL
+description: IPv6 tables
+---
+
+# ip6tables
+
+**Description**
+
+IPv6 tables
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | --------------------------------------------- | ----------------------- |
+| input | [][iptables.entry](iptables.entry.md) | IPv6 input chain stats |
+| output | [][iptables.entry](iptables.entry.md) | IPv6 output chain stats |
diff --git a/docs/mql/resources/os-pack/iptables.entry.md b/docs/mql/resources/os-pack/iptables.entry.md
new file mode 100644
index 000000000..e4cbabfe9
--- /dev/null
+++ b/docs/mql/resources/os-pack/iptables.entry.md
@@ -0,0 +1,25 @@
+---
+title: iptables.entry
+id: iptables.entry
+sidebar_label: iptables.entry
+displayed_sidebar: MQL
+---
+
+# iptables.entry
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | ---------------------------------------------------------------------------------------------- |
+| lineNumber | int | Line number of statistic, which is used to create the ID |
+| packets | int | Packets from iptable |
+| bytes | int | How large the packet is in octets, including headers and everything. |
+| target | string | What to do with the packet if it matches a rule |
+| protocol | string | Protocol of the next level layer (e.g., TCP, UDP, ICMP, etc) |
+| opt | string | IP options |
+| in | string | Input |
+| out | string | Output |
+| source | string | Source address field that tells the receiver where the packet came from |
+| destination | string | The destination IP address of the traffic, subnet of the traffic, or anywhere |
+| options | string | Optional settings within the header such as internet timestamps, SACK, or record route options |
+| chain | string | Input or output, which is used to create the ID |
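Review bot: The `packets` and `bytes` rows describe a single packet ("How large the packet is in octets"), while the parent `iptables` and `ip6tables` pages call these entries chain stats, which suggests counters. State what the numbers count. The `packets` description, "Packets from iptable", has a typo and says nothing useful, and `in` and `out` are described only as "Input" and "Output"; say what they refer to. The page also lacks a `description:` key and a **Description** section.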
diff --git a/docs/mql/resources/os-pack/iptables.md b/docs/mql/resources/os-pack/iptables.md
new file mode 100644
index 000000000..8a09d2472
--- /dev/null
+++ b/docs/mql/resources/os-pack/iptables.md
@@ -0,0 +1,20 @@
+---
+title: iptables
+id: iptables
+sidebar_label: iptables
+displayed_sidebar: MQL
+description: IPv4 tables
+---
+
+# iptables
+
+**Description**
+
+IPv4 tables
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | --------------------------------------------- | ----------------------- |
+| input | [][iptables.entry](iptables.entry.md) | IPv4 input chain stats |
+| output | [][iptables.entry](iptables.entry.md) | IPv4 output chain stats |
diff --git a/docs/mql/resources/os-pack/kernel.md b/docs/mql/resources/os-pack/kernel.md
new file mode 100644
index 000000000..6979f9431
--- /dev/null
+++ b/docs/mql/resources/os-pack/kernel.md
@@ -0,0 +1,22 @@
+---
+title: kernel
+id: kernel
+sidebar_label: kernel
+displayed_sidebar: MQL
+description: System kernel information
+---
+
+# kernel
+
+**Description**
+
+System kernel information
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------------------------------------------- | ------------------------- |
+| info | dict | Active kernel information |
+| parameters | map[string]string | Kernel parameters map |
+| modules | [][kernel.module](kernel.module.md) | List of kernel modules |
+| installed | []dict | Installed versions |
diff --git a/docs/mql/resources/os-pack/kernel.module.md b/docs/mql/resources/os-pack/kernel.module.md
new file mode 100644
index 000000000..806a5b17d
--- /dev/null
+++ b/docs/mql/resources/os-pack/kernel.module.md
@@ -0,0 +1,25 @@
+---
+title: kernel.module
+id: kernel.module
+sidebar_label: kernel.module
+displayed_sidebar: MQL
+description: System kernel module information
+---
+
+# kernel.module
+
+**Description**
+
+System kernel module information
+
+**Init**
+
+kernel.module(name string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ------ | ---------------------------- |
+| name | string | Name of the kernel module |
+| size | string | Size of the kernel module |
+| loaded | bool | Whether the module is loaded |
diff --git a/docs/mql/resources/os-pack/kubelet.md b/docs/mql/resources/os-pack/kubelet.md
new file mode 100644
index 000000000..60f7a6904
--- /dev/null
+++ b/docs/mql/resources/os-pack/kubelet.md
@@ -0,0 +1,21 @@
+---
+title: kubelet
+id: kubelet
+sidebar_label: kubelet
+displayed_sidebar: MQL
+description: Kubernetes kubelet configuration
+---
+
+# kubelet
+
+**Description**
+
+Kubernetes kubelet configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | --------------------- | -------------------------------------------------------- |
+| configFile | [file](file.md) | Kubelet config file |
+| process | [process](process.md) | Kubelet process |
+| configuration | dict | Combination of config file parameters and CLI parameters |
diff --git a/docs/mql/resources/os-pack/logindefs.md b/docs/mql/resources/os-pack/logindefs.md
new file mode 100644
index 000000000..5800a0b95
--- /dev/null
+++ b/docs/mql/resources/os-pack/logindefs.md
@@ -0,0 +1,25 @@
+---
+title: logindefs
+id: logindefs
+sidebar_label: logindefs
+displayed_sidebar: MQL
+description: Shadow password suite configuration
+---
+
+# logindefs
+
+**Description**
+
+Shadow password suite configuration
+
+**Init**
+
+logindefs(path string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ----------------- | --------------------------------------- |
+| file | [file](file.md) | Current configuration file for resource |
+| content | string | Content of the configuration file |
+| params | map[string]string | Parsed logindef parameter |
diff --git a/docs/mql/resources/os-pack/lsblk.entry.md b/docs/mql/resources/os-pack/lsblk.entry.md
new file mode 100644
index 000000000..eea87181d
--- /dev/null
+++ b/docs/mql/resources/os-pack/lsblk.entry.md
@@ -0,0 +1,23 @@
+---
+title: lsblk.entry
+id: lsblk.entry
+sidebar_label: lsblk.entry
+displayed_sidebar: MQL
+description: Unix block device
+---
+
+# lsblk.entry
+
+**Description**
+
+Unix block device
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ---------------- | --------------------------- |
+| name | string | Device name |
+| fstype | string | File system type |
+| label | string | Label for the file system |
+| uuid | string | UUID for the file system |
+| mountpoints | []string | Mount points for the device |
diff --git a/docs/mql/resources/os-pack/lsblk.md b/docs/mql/resources/os-pack/lsblk.md
new file mode 100644
index 000000000..8349ab00c
--- /dev/null
+++ b/docs/mql/resources/os-pack/lsblk.md
@@ -0,0 +1,23 @@
+---
+title: lsblk
+id: lsblk
+sidebar_label: lsblk
+displayed_sidebar: MQL
+description: Unix list block devices
+---
+
+# lsblk
+
+**Description**
+
+Unix list block devices
+
+**List**
+
+[]lsblk.entry
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | --------------------------------------- | ----------- |
+| list | [][lsblk.entry](lsblk.entry.md) | |
diff --git a/docs/mql/resources/os-pack/machine.baseboard.md b/docs/mql/resources/os-pack/machine.baseboard.md
new file mode 100644
index 000000000..3304ae7af
--- /dev/null
+++ b/docs/mql/resources/os-pack/machine.baseboard.md
@@ -0,0 +1,23 @@
+---
+title: machine.baseboard
+id: machine.baseboard
+sidebar_label: machine.baseboard
+displayed_sidebar: MQL
+description: SMBIOS baseboard (or module) information
+---
+
+# machine.baseboard
+
+**Description**
+
+SMBIOS baseboard (or module) information
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------ | ------------- |
+| manufacturer | string | Manufacturer |
+| product | string | Product |
+| version | string | Version |
+| serial | string | Serial number |
+| assetTag | string | Asset tag |
diff --git a/docs/mql/resources/os-pack/machine.bios.md b/docs/mql/resources/os-pack/machine.bios.md
new file mode 100644
index 000000000..6652e29e5
--- /dev/null
+++ b/docs/mql/resources/os-pack/machine.bios.md
@@ -0,0 +1,21 @@
+---
+title: machine.bios
+id: machine.bios
+sidebar_label: machine.bios
+displayed_sidebar: MQL
+description: SMBIOS BIOS information
+---
+
+# machine.bios
+
+**Description**
+
+SMBIOS BIOS information
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | ----------------- |
+| vendor | string | BIOS vendor |
+| version | string | BIOS version |
+| releaseDate | string | BIOS release date |
diff --git a/docs/mql/resources/os-pack/machine.chassis.md b/docs/mql/resources/os-pack/machine.chassis.md
new file mode 100644
index 000000000..de18a759d
--- /dev/null
+++ b/docs/mql/resources/os-pack/machine.chassis.md
@@ -0,0 +1,22 @@
+---
+title: machine.chassis
+id: machine.chassis
+sidebar_label: machine.chassis
+displayed_sidebar: MQL
+description: SMBIOS system enclosure or chassis
+---
+
+# machine.chassis
+
+**Description**
+
+SMBIOS system enclosure or chassis
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------ | ---------------- |
+| manufacturer | string | Manufacturer |
+| version | string | Version |
+| serial | string | Serial number |
+| assetTag | string | Asset tag number |
diff --git a/docs/mql/resources/os-pack/machine.md b/docs/mql/resources/os-pack/machine.md
new file mode 100644
index 000000000..7d02701a8
--- /dev/null
+++ b/docs/mql/resources/os-pack/machine.md
@@ -0,0 +1,8 @@
+---
+title: machine
+id: machine
+sidebar_label: machine
+displayed_sidebar: MQL
+---
+
+# machine
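Review bot: This page contains only the `# machine` heading. Since this diff also adds `machine.baseboard`, `machine.bios`, `machine.chassis` and `machine.system`, add a one-line description and a short list linking those four pages so the parent entry is a usable landing page.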
diff --git a/docs/mql/resources/os-pack/machine.system.md b/docs/mql/resources/os-pack/machine.system.md
new file mode 100644
index 000000000..17fb20c8e
--- /dev/null
+++ b/docs/mql/resources/os-pack/machine.system.md
@@ -0,0 +1,25 @@
+---
+title: machine.system
+id: machine.system
+sidebar_label: machine.system
+displayed_sidebar: MQL
+description: SMBIOS system information
+---
+
+# machine.system
+
+**Description**
+
+SMBIOS system information
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------ | ------------- |
+| manufacturer | string | Manufacturer |
+| product | string | Product name |
+| version | string | Version |
+| serial | string | Serial number |
+| uuid | string | UUID |
+| sku | string | SKU number |
+| family | string | Family |
diff --git a/docs/mql/resources/os-pack/macos.alf.md b/docs/mql/resources/os-pack/macos.alf.md
new file mode 100644
index 000000000..d57713154
--- /dev/null
+++ b/docs/mql/resources/os-pack/macos.alf.md
@@ -0,0 +1,29 @@
+---
+title: macos.alf
+id: macos.alf
+sidebar_label: macos.alf
+displayed_sidebar: MQL
+description: macOS application layer firewall (ALF) service
+---
+
+# macos.alf
+
+**Description**
+
+macOS application layer firewall (ALF) service
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------------- | ---------------- | --------------------------------------------------------------------------------------------------------- |
+| allowDownloadSignedEnabled | int | Whether the firewall service allows downloaded software to receive incoming connections |
+| allowSignedEnabled | int | Whether the firewall service allows built-in software to receive incoming connections for signed software |
+| firewallUnload | int | Whether the firewall is unloaded |
+| globalState | int | Whether the firewall is enabled |
+| loggingEnabled | int | Whether alf.log is used |
+| loggingOption | int | Logging flags |
+| stealthEnabled | int | Whether the firewall service is in stealth mode |
+| version | string | ALF version |
+| exceptions | []dict | Service exceptions |
+| explicitAuths | []string | Services explicitly allowed to perform networking |
+| applications | []dict | Applications with exceptions for network blocking |
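Review bot: Every on/off flag in this table (`globalState`, `stealthEnabled`, `loggingEnabled` and the rest) is typed `int` but described with "Whether ...", and the page never says which integer values mean enabled. Document the values, since a firewall check has to compare against them. The `allowSignedEnabled` description, "allows built-in software to receive incoming connections for signed software", mixes two conditions; reword it so it is clear how it differs from `allowDownloadSignedEnabled`.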
diff --git a/docs/mql/resources/os-pack/macos.md b/docs/mql/resources/os-pack/macos.md
new file mode 100644
index 000000000..5a9c94151
--- /dev/null
+++ b/docs/mql/resources/os-pack/macos.md
@@ -0,0 +1,21 @@
+---
+title: macos
+id: macos
+sidebar_label: macos
+displayed_sidebar: MQL
+description: macOS specific resources
+---
+
+# macos
+
+**Description**
+
+macOS specific resources
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------- | --------------- | ------------------------------------ |
+| userPreferences | map[string]dict | macOS user defaults |
+| userHostPreferences | map[string]dict | macOS user defaults for current host |
+| globalAccountPolicies | dict | macOS global account policies |
diff --git a/docs/mql/resources/os-pack/macos.systemsetup.md b/docs/mql/resources/os-pack/macos.systemsetup.md
new file mode 100644
index 000000000..26e9b51b8
--- /dev/null
+++ b/docs/mql/resources/os-pack/macos.systemsetup.md
@@ -0,0 +1,38 @@
+---
+title: macos.systemsetup
+id: macos.systemsetup
+sidebar_label: macos.systemsetup
+displayed_sidebar: MQL
+description: macOS machine settings
+---
+
+# macos.systemsetup
+
+**Description**
+
+macOS machine settings
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------------------------------- | ---------------- | ------------------------------------------------------------------------------ |
+| date | string | Current date |
+| time | string | Current time in 24-hour format |
+| timeZone | string | Current time zone |
+| usingNetworkTime | string | Whether network time is on or off |
+| networkTimeServer | string | Configured network time server |
+| sleep | []string | Amount of idle time until the machine sleeps |
+| displaySleep | string | Amount of idle time until the display sleeps |
+| harddiskSleep | string | Amount of idle time until the hard disk sleeps |
+| wakeOnModem | string | Whether wake on modem is on or off |
+| wakeOnNetworkAccess | string | Whether wake on network access is on or off |
+| restartPowerFailure | string | Whether restart on power failure is on or off |
+| restartFreeze | string | Whether restart on freeze is on or off |
+| allowPowerButtonToSleepComputer | string | Whether the power button can sleep the computer |
+| remoteLogin | string | Whether remote login (SSH) is on or off |
+| remoteAppleEvents | string | Whether remote Apple events are on or off |
+| computerName | string | Computer name |
+| localSubnetName | string | Local subnet name |
+| startupDisk | string | Current startup disk |
+| waitForStartupAfterPowerFailure | string | Number of seconds after which the computer will start up after a power failure |
+| disableKeyboardWhenEnclosureLockIsEngaged | string | Whether the keyboard is disabled when the X Serve enclosure lock is engaged |
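Review bot: The `sleep` row is typed `[]string` while `displaySleep` and `harddiskSleep` are plain `string`, and the description does not explain why one setting returns a list. Confirm the type and describe the elements. The many "on or off" fields are strings, so state the exact text returned (case included) so that checks such as one on `remoteLogin` can match it. In the last row, "X Serve" should be "Xserve".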
diff --git a/docs/mql/resources/os-pack/macos.timemachine.md b/docs/mql/resources/os-pack/macos.timemachine.md
new file mode 100644
index 000000000..eac4cf767
--- /dev/null
+++ b/docs/mql/resources/os-pack/macos.timemachine.md
@@ -0,0 +1,19 @@
+---
+title: macos.timemachine
+id: macos.timemachine
+sidebar_label: macos.timemachine
+displayed_sidebar: MQL
+description: macOS Time Machine
+---
+
+# macos.timemachine
+
+**Description**
+
+macOS Time Machine
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ---- | ------------------------------ |
+| preferences | dict | macOS Time Machine preferences |
diff --git a/docs/mql/resources/os-pack/mondoo.eol.md b/docs/mql/resources/os-pack/mondoo.eol.md
new file mode 100644
index 000000000..8f60d5e87
--- /dev/null
+++ b/docs/mql/resources/os-pack/mondoo.eol.md
@@ -0,0 +1,21 @@
+---
+title: mondoo.eol
+id: mondoo.eol
+sidebar_label: mondoo.eol
+displayed_sidebar: MQL
+description: Platform end-of-life information
+---
+
+# mondoo.eol
+
+**Description**
+
+Platform end-of-life information
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ------ | -------------------------------- |
+| product | string | Product name |
+| version | string | Product version |
+| date | time | End-of-life date for the product |
diff --git a/docs/mql/resources/os-pack/mount.md b/docs/mql/resources/os-pack/mount.md
new file mode 100644
index 000000000..88d5067fd
--- /dev/null
+++ b/docs/mql/resources/os-pack/mount.md
@@ -0,0 +1,23 @@
+---
+title: mount
+id: mount
+sidebar_label: mount
+displayed_sidebar: MQL
+description: Unix mounted file system
+---
+
+# mount
+
+**Description**
+
+Unix mounted file system
+
+**List**
+
+[]mount.point
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | --------------------------------------- | ----------- |
+| list | [][mount.point](mount.point.md) | |
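Review bot: The `list` row has an empty DESCRIPTION cell. The same gap appears in the `list` rows of the other collection resources in this patch (packages, ports, processes, npm.packages, os.rootCertificates, parse.certificates, parse.openpgp, platform.advisories, platform.cves). A one-line description such as "List of mount points" would do; if these pages are generated, fix it in the source definitions rather than per file.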
diff --git a/docs/mql/resources/os-pack/mount.point.md b/docs/mql/resources/os-pack/mount.point.md
new file mode 100644
index 000000000..194f81660
--- /dev/null
+++ b/docs/mql/resources/os-pack/mount.point.md
@@ -0,0 +1,27 @@
+---
+title: mount.point
+id: mount.point
+sidebar_label: mount.point
+displayed_sidebar: MQL
+description: Unix mount point
+---
+
+# mount.point
+
+**Description**
+
+Unix mount point
+
+**Init**
+
+mount.point(path string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ----------------- | ---------------------------------- |
+| device | string | Device |
+| path | string | Path |
+| fstype | string | File system type |
+| options | map[string]string | Mount options |
+| mounted | bool | Whether the mount point is mounted |
diff --git a/docs/mql/resources/os-pack/npm.package.md b/docs/mql/resources/os-pack/npm.package.md
new file mode 100644
index 000000000..4755ec03d
--- /dev/null
+++ b/docs/mql/resources/os-pack/npm.package.md
@@ -0,0 +1,19 @@
+---
+title: npm.package
+id: npm.package
+sidebar_label: npm.package
+displayed_sidebar: MQL
+---
+
+# npm.package
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | --------------------------------------- | ------------------------------------------------- |
+| id | string | ID is the npm.package unique identifier |
+| name | string | Name of the package |
+| version | string | Version of the package |
+| purl | string | Package URL |
+| cpes | []core.cpe | Common Platform Enumeration (CPE) for the package |
+| files | [][pkgFileInfo](pkgfileinfo.md) | Package files |
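Review bot: The front matter has no `description:` key and the page has no **Description** section, unlike npm.packages and most other resources in this patch. Add both, even a single line, so the page carries a summary. The `cpes` type `[]core.cpe` is also plain text while `pkgFileInfo` is linked; link it if a page for `core.cpe` exists.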
diff --git a/docs/mql/resources/os-pack/npm.packages.md b/docs/mql/resources/os-pack/npm.packages.md
new file mode 100644
index 000000000..afcb092bf
--- /dev/null
+++ b/docs/mql/resources/os-pack/npm.packages.md
@@ -0,0 +1,31 @@
+---
+title: npm.packages
+id: npm.packages
+sidebar_label: npm.packages
+displayed_sidebar: MQL
+description: npm packages
+---
+
+# npm.packages
+
+**Description**
+
+npm packages
+
+**Init**
+
+npm.packages(path string)
+
+**List**
+
+[]npm.package
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | --------------------------------------- | ------------------------------------ |
+| path | string | optional path to search for packages |
+| root | [npm.package](npm.package.md) | Root Package (may not exist) |
+| directDependencies | [][npm.package](npm.package.md) | List of direct dependencies |
+| files | [][pkgFileInfo](pkgfileinfo.md) | Files used to determine the packages |
+| list | [][npm.package](npm.package.md) | |
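Review bot: The `root` row says "(may not exist)" without saying what a query gets back in that case. State whether the field is null or empty when no root package is found, since a check written against `root.name` or `root.version` needs to handle it. Also capitalize the `path` description ("Optional path ...") and lowercase "Root Package" to match the other rows, and fill in the empty `list` description.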
diff --git a/docs/mql/resources/os-pack/ntp.conf.md b/docs/mql/resources/os-pack/ntp.conf.md
new file mode 100644
index 000000000..5d009de0a
--- /dev/null
+++ b/docs/mql/resources/os-pack/ntp.conf.md
@@ -0,0 +1,28 @@
+---
+title: ntp.conf
+id: ntp.conf
+sidebar_label: ntp.conf
+displayed_sidebar: MQL
+description: NTP service configuration
+---
+
+# ntp.conf
+
+**Description**
+
+NTP service configuration
+
+**Init**
+
+ntp.conf(path string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ---------------- | ------------------------------------------------------- |
+| file | [file](file.md) | File of the NTP service configuration |
+| content | string | Raw contents of the NTP service configuration |
+| settings | []string | List of settings for the NTP service |
+| servers | []string | List of servers for the NTP service |
+| restrict | []string | List of access control restrictions for the NTP service |
+| fudge | []string | Additional information for clock drivers |
diff --git a/docs/mql/resources/os-pack/os.base.md b/docs/mql/resources/os-pack/os.base.md
new file mode 100644
index 000000000..5b2bd5b34
--- /dev/null
+++ b/docs/mql/resources/os-pack/os.base.md
@@ -0,0 +1,23 @@
+---
+title: os.base
+id: os.base
+sidebar_label: os.base
+displayed_sidebar: MQL
+---
+
+# os.base
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ----------------------------------- | -------------------------------------------------------- |
+| machine | [machine](machine.md) | |
+| name | string | Pretty Hostname on macOS/Linux or device name on Windows |
+| env | map[string]string | ENV variable contents |
+| path | []string | PATH variable contents |
+| uptime | time | Current uptime |
+| updates | [][os.update](os.update.md) | List of available OS updates |
+| rebootpending | bool | Whether a reboot is pending |
+| hostname | string | Hostname for this OS |
+| groups | [groups](groups.md) | User groups |
+| users | [users](users.md) | Users |
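Review bot: The `machine` row has an empty DESCRIPTION cell, and the page has no `description:` front matter or **Description** section. The `name` row reads "Pretty Hostname" here but "Pretty hostname" in os.md in the same patch; pick one capitalization. It would also help to say how `os.base` relates to `os`, since the two tables overlap almost entirely.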
diff --git a/docs/mql/resources/os-pack/os.linux.md b/docs/mql/resources/os-pack/os.linux.md
new file mode 100644
index 000000000..bb6ee2037
--- /dev/null
+++ b/docs/mql/resources/os-pack/os.linux.md
@@ -0,0 +1,16 @@
+---
+title: os.linux
+id: os.linux
+sidebar_label: os.linux
+displayed_sidebar: MQL
+---
+
+# os.linux
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------------------------- | -------------------------- |
+| unix | [os.unix](os.unix.md) | |
+| iptables | [iptables](iptables.md) | iptables firewall for IPv4 |
+| ip6tables | [ip6tables](ip6tables.md) | iptables firewall for IPv6 |
diff --git a/docs/mql/resources/os-pack/os.md b/docs/mql/resources/os-pack/os.md
new file mode 100644
index 000000000..bd2b76495
--- /dev/null
+++ b/docs/mql/resources/os-pack/os.md
@@ -0,0 +1,26 @@
+---
+title: os
+id: os
+sidebar_label: os
+displayed_sidebar: MQL
+description: Operating system information
+---
+
+# os
+
+**Description**
+
+Operating system information
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ----------------------------------- | -------------------------------------------------------- |
+| name | string | Pretty hostname on macOS/Linux or device name on Windows |
+| env | map[string]string | ENV variable contents |
+| path | []string | PATH variable contents |
+| uptime | time | Current uptime |
+| updates | [][os.update](os.update.md) | List of available OS updates |
+| rebootpending | bool | Whether a reboot is pending |
+| hostname | string | Hostname for this OS |
+| machineid | string | Machine ID for this OS |
diff --git a/docs/mql/resources/os-pack/os.rootcertificates.md b/docs/mql/resources/os-pack/os.rootcertificates.md
new file mode 100644
index 000000000..2f9d7df46
--- /dev/null
+++ b/docs/mql/resources/os-pack/os.rootcertificates.md
@@ -0,0 +1,25 @@
+---
+title: os.rootCertificates
+id: os.rootCertificates
+sidebar_label: os.rootCertificates
+displayed_sidebar: MQL
+description: Operating system root certificates
+---
+
+# os.rootCertificates
+
+**Description**
+
+Operating system root certificates
+
+**List**
+
+[]certificate
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ------------------------- | -------------------------------------------- |
+| files | [][file](file.md) | List of files that define these certificates |
+| content | []string | |
+| list | []certificate | |
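Review bot: The `content` row has an empty DESCRIPTION cell and a `[]string` type, so the reader cannot tell whether each element is one file's raw contents or one PEM block. Describe the elements and how they correspond to `files`. The `[]certificate` type in the **List** section and the `list` row is unlinked, and `list` has no description either.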
diff --git a/docs/mql/resources/os-pack/os.unix.md b/docs/mql/resources/os-pack/os.unix.md
new file mode 100644
index 000000000..3c5914b88
--- /dev/null
+++ b/docs/mql/resources/os-pack/os.unix.md
@@ -0,0 +1,14 @@
+---
+title: os.unix
+id: os.unix
+sidebar_label: os.unix
+displayed_sidebar: MQL
+---
+
+# os.unix
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | --------------------- | ----------- |
+| base | [os.base](os.base.md) | |
diff --git a/docs/mql/resources/os-pack/os.update.md b/docs/mql/resources/os-pack/os.update.md
new file mode 100644
index 000000000..fe1390d1e
--- /dev/null
+++ b/docs/mql/resources/os-pack/os.update.md
@@ -0,0 +1,23 @@
+---
+title: os.update
+id: os.update
+sidebar_label: os.update
+displayed_sidebar: MQL
+description: Operating system update information
+---
+
+# os.update
+
+**Description**
+
+Operating system update information
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ------ | ------------------------------ |
+| name | string | Name of the update |
+| category | string | Category of the update |
+| severity | string | Severity of the update |
+| restart | bool | Whether a restart is required |
+| format | string | Package format for this update |
diff --git a/docs/mql/resources/os-pack/package.md b/docs/mql/resources/os-pack/package.md
new file mode 100644
index 000000000..e2e5b0559
--- /dev/null
+++ b/docs/mql/resources/os-pack/package.md
@@ -0,0 +1,36 @@
+---
+title: package
+id: package
+sidebar_label: package
+displayed_sidebar: MQL
+description: Package on the platform or OS
+---
+
+# package
+
+**Description**
+
+Package on the platform or OS
+
+**Init**
+
+package(name string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | --------------------------------------- | ------------------------------------------------- |
+| name | string | Name of the package |
+| description | string | Package description |
+| version | string | Current version of the package |
+| arch | string | Architecture of this package |
+| epoch | string | Epoch of this package |
+| format | string | Format of this package (e.g., rpm, deb) |
+| status | string | Status of this package (e.g., if it is needed) |
+| purl | string | Package URL |
+| cpes | []core.cpe | Common Platform Enumeration (CPE) for the package |
+| origin | string | Package origin (optional) |
+| available | string | Available version |
+| installed | bool | Whether the package is installed |
+| outdated | bool | Whether the package is outdated |
+| files | [][pkgFileInfo](pkgfileinfo.md) | Package files |
diff --git a/docs/mql/resources/os-pack/packages.md b/docs/mql/resources/os-pack/packages.md
new file mode 100644
index 000000000..21c6eb895
--- /dev/null
+++ b/docs/mql/resources/os-pack/packages.md
@@ -0,0 +1,23 @@
+---
+title: packages
+id: packages
+sidebar_label: packages
+displayed_sidebar: MQL
+description: List of packages on this system
+---
+
+# packages
+
+**Description**
+
+List of packages on this system
+
+**List**
+
+[]package
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | ------------------------------- | ----------- |
+| list | [][package](package.md) | |
diff --git a/docs/mql/resources/os-pack/pam.conf.md b/docs/mql/resources/os-pack/pam.conf.md
new file mode 100644
index 000000000..ee553922c
--- /dev/null
+++ b/docs/mql/resources/os-pack/pam.conf.md
@@ -0,0 +1,26 @@
+---
+title: pam.conf
+id: pam.conf
+sidebar_label: pam.conf
+displayed_sidebar: MQL
+description: PAM configuration (pluggable authentication module)
+---
+
+# pam.conf
+
+**Description**
+
+PAM configuration (pluggable authentication module)
+
+**Init**
+
+pam.conf(path string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ---------------------------------------------------------------------- | ---------------------------------------------------------------- |
+| files | [][file](file.md) | List of files that make up the PAM configuration |
+| content | string | The raw PAM configuration (across all files) |
+| services | map[string][]string | Deprecated; list of services that are configured via PAM |
+| entries | map[string][][pam.conf.serviceEntry](pam.conf.serviceentry.md) | List of services with parsed entries that are configured via PAM |
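Review bot: The `services` row is marked "Deprecated" without naming a replacement. Other deprecated fields in this patch say what to use instead (privatekey `path`, registrykey `properties`); if `entries` is the replacement, say "Deprecated; use `entries` instead". The description "PAM configuration (pluggable authentication module)" also reads more naturally as "Pluggable authentication module (PAM) configuration".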
diff --git a/docs/mql/resources/os-pack/pam.conf.serviceentry.md b/docs/mql/resources/os-pack/pam.conf.serviceentry.md
new file mode 100644
index 000000000..d6f177ec4
--- /dev/null
+++ b/docs/mql/resources/os-pack/pam.conf.serviceentry.md
@@ -0,0 +1,19 @@
+---
+title: pam.conf.serviceEntry
+id: pam.conf.serviceEntry
+sidebar_label: pam.conf.serviceEntry
+displayed_sidebar: MQL
+---
+
+# pam.conf.serviceEntry
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ---------------- | --------------------------------------------------------- |
+| service | string | Service file that the entry is from |
+| lineNumber | int | Line number in service file (used for ID) |
+| pamType | string | Type for PAM entry, (i.e., auth, password, etc) |
+| control | string | Level of control, (i.e., required, requisite, sufficient) |
+| module | string | PAM module used |
+| options | []string | Configuration options for pam service entry |
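Review bot: In the `pamType` and `control` rows, "i.e." introduces lists that are examples ("auth, password, etc" and "required, requisite, sufficient"), so it should be "e.g.", and the comma before the parenthesis should go. For `control` in particular, say whether the field holds the raw control token from the file, because policy checks on PAM stacks depend on matching that value exactly. The page also lacks `description:` front matter, and "pam service entry" in the `options` row should be "PAM service entry".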
diff --git a/docs/mql/resources/os-pack/parse.certificates.md b/docs/mql/resources/os-pack/parse.certificates.md
new file mode 100644
index 000000000..2f64c9267
--- /dev/null
+++ b/docs/mql/resources/os-pack/parse.certificates.md
@@ -0,0 +1,30 @@
+---
+title: parse.certificates
+id: parse.certificates
+sidebar_label: parse.certificates
+displayed_sidebar: MQL
+description: Parse certificates from files
+---
+
+# parse.certificates
+
+**Description**
+
+Parse certificates from files
+
+**Init**
+
+parse.certificates(path string)
+
+**List**
+
+[]network.certificate
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ----------------------------- | ------------------------ |
+| path | string | Certificate file path |
+| file | [file](file.md) | Certificate file |
+| content | string | Certificate file content |
+| list | []network.certificate | |
diff --git a/docs/mql/resources/os-pack/parse.ini.md b/docs/mql/resources/os-pack/parse.ini.md
new file mode 100644
index 000000000..2454085d7
--- /dev/null
+++ b/docs/mql/resources/os-pack/parse.ini.md
@@ -0,0 +1,28 @@
+---
+title: parse.ini
+id: parse.ini
+sidebar_label: parse.ini
+displayed_sidebar: MQL
+description: Parse INI files
+---
+
+# parse.ini
+
+**Description**
+
+Parse INI files
+
+**Init**
+
+parse.ini(path string)
+parse.ini(delimiter string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ---------------------------- | ----------------------------------------------- |
+| delimiter | string | Symbol that separates keys and values |
+| file | [file](file.md) | File that is parsed |
+| content | string | Raw content of the file that is parsed |
+| sections | map[string]map[string]string | Map of sections and key-value pairs |
+| params | map[string]string | Map of parameters that don't belong to sections |
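Review bot: In the **Init** section the two signatures `parse.ini(path string)` and `parse.ini(delimiter string)` sit on consecutive lines with no blank line or list markup, so Markdown will join them into one paragraph. They also read as two alternative single-argument forms, which leaves open how to pass a path together with a delimiter. Put them in a list or code block and show the combined form if one is supported. The `delimiter` row should state the default symbol.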
diff --git a/docs/mql/resources/os-pack/parse.json.md b/docs/mql/resources/os-pack/parse.json.md
new file mode 100644
index 000000000..af53abf1a
--- /dev/null
+++ b/docs/mql/resources/os-pack/parse.json.md
@@ -0,0 +1,25 @@
+---
+title: parse.json
+id: parse.json
+sidebar_label: parse.json
+displayed_sidebar: MQL
+description: Parse JSON files
+---
+
+# parse.json
+
+**Description**
+
+Parse JSON files
+
+**Init**
+
+parse.json(path string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | --------------- | ------------------------------------------ |
+| file | [file](file.md) | File that is parsed |
+| content | string | Raw content of the file that is parsed |
+| params | dict | The parsed parameters defined in this file |
diff --git a/docs/mql/resources/os-pack/parse.openpgp.md b/docs/mql/resources/os-pack/parse.openpgp.md
new file mode 100644
index 000000000..7715f136f
--- /dev/null
+++ b/docs/mql/resources/os-pack/parse.openpgp.md
@@ -0,0 +1,30 @@
+---
+title: parse.openpgp
+id: parse.openpgp
+sidebar_label: parse.openpgp
+displayed_sidebar: MQL
+description: Parse OpenPGP from files
+---
+
+# parse.openpgp
+
+**Description**
+
+Parse OpenPGP from files
+
+**Init**
+
+parse.openpgp(path string)
+
+**List**
+
+[]network.openpgp.entity
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | -------------------------------- | --------------------------------- |
+| path | string | Deprecated; use file.path instead |
+| file | [file](file.md) | OpenPGP file |
+| content | string | OpenPGP file content |
+| list | []network.openpgp.entity | |
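Review bot: The `path` row says "Deprecated; use file.path instead", but the **Init** signature on the same page is still `parse.openpgp(path string)`. Clarify that only the field is deprecated and the init argument remains the way to select the file, or update the signature if that is changing too. The `list` row has an empty description and `network.openpgp.entity` is unlinked.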
diff --git a/docs/mql/resources/os-pack/parse.plist.md b/docs/mql/resources/os-pack/parse.plist.md
new file mode 100644
index 000000000..87638b26f
--- /dev/null
+++ b/docs/mql/resources/os-pack/parse.plist.md
@@ -0,0 +1,25 @@
+---
+title: parse.plist
+id: parse.plist
+sidebar_label: parse.plist
+displayed_sidebar: MQL
+description: Parse plist files
+---
+
+# parse.plist
+
+**Description**
+
+Parse plist files
+
+**Init**
+
+parse.plist(path string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | --------------- | --------------------------------------------------- |
+| file | [file](file.md) | File that is parsed |
+| content | string | Raw content of the file that is parsed |
+| params | dict | The parsed parameters that are defined in this file |
diff --git a/docs/mql/resources/os-pack/parse.yaml.md b/docs/mql/resources/os-pack/parse.yaml.md
new file mode 100644
index 000000000..02eb8d963
--- /dev/null
+++ b/docs/mql/resources/os-pack/parse.yaml.md
@@ -0,0 +1,25 @@
+---
+title: parse.yaml
+id: parse.yaml
+sidebar_label: parse.yaml
+displayed_sidebar: MQL
+description: Parse YAML files
+---
+
+# parse.yaml
+
+**Description**
+
+Parse YAML files
+
+**Init**
+
+parse.yaml(path string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | --------------- | --------------------------------------------------- |
+| file | [file](file.md) | File that is parsed |
+| content | string | Raw content of the file that is parsed |
+| params | dict | The parsed parameters that are defined in this file |
diff --git a/docs/mql/resources/os-pack/pkgfileinfo.md b/docs/mql/resources/os-pack/pkgfileinfo.md
new file mode 100644
index 000000000..12fa3edea
--- /dev/null
+++ b/docs/mql/resources/os-pack/pkgfileinfo.md
@@ -0,0 +1,14 @@
+---
+title: pkgFileInfo
+id: pkgFileInfo
+sidebar_label: pkgFileInfo
+displayed_sidebar: MQL
+---
+
+# pkgFileInfo
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | ------ | ---------------- |
+| path | string | Path to the file |
diff --git a/docs/mql/resources/os-pack/platform.advisories.md b/docs/mql/resources/os-pack/platform.advisories.md
new file mode 100644
index 000000000..ce7e5d155
--- /dev/null
+++ b/docs/mql/resources/os-pack/platform.advisories.md
@@ -0,0 +1,25 @@
+---
+title: platform.advisories
+id: platform.advisories
+sidebar_label: platform.advisories
+displayed_sidebar: MQL
+description: All platform/package advisories
+---
+
+# platform.advisories
+
+**Description**
+
+All platform/package advisories
+
+**List**
+
+[]audit.advisory
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----- | --------------------------------------------- | -------------------------------------------------------------------------- |
+| cvss | [audit.cvss](audit.cvss.md) | Worst CVSS score for all advisories |
+| stats | dict | Statistical information: total, critical, high, medium, low, none, unknown |
+| list | [][audit.advisory](audit.advisory.md) | |
diff --git a/docs/mql/resources/os-pack/platform.cves.md b/docs/mql/resources/os-pack/platform.cves.md
new file mode 100644
index 000000000..36a1bc083
--- /dev/null
+++ b/docs/mql/resources/os-pack/platform.cves.md
@@ -0,0 +1,25 @@
+---
+title: platform.cves
+id: platform.cves
+sidebar_label: platform.cves
+displayed_sidebar: MQL
+description: All platform/package CVEs
+---
+
+# platform.cves
+
+**Description**
+
+All platform/package CVEs
+
+**List**
+
+[]audit.cve
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----- | ----------------------------------- | -------------------------------------------------------------------------- |
+| cvss | [audit.cvss](audit.cvss.md) | Worst CVSS score for all CVEs |
+| stats | dict | Statistical information: total, critical, high, medium, low, none, unknown |
+| list | [][audit.cve](audit.cve.md) | |
diff --git a/docs/mql/resources/os-pack/platform.eol.md b/docs/mql/resources/os-pack/platform.eol.md
new file mode 100644
index 000000000..520ac288e
--- /dev/null
+++ b/docs/mql/resources/os-pack/platform.eol.md
@@ -0,0 +1,21 @@
+---
+title: platform.eol
+id: platform.eol
+sidebar_label: platform.eol
+displayed_sidebar: MQL
+description: Deprecated; will be removed in version 10.0
+---
+
+# platform.eol
+
+**Description**
+
+Deprecated; will be removed in version 10.0
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | ----------------- |
+| docsUrl | string | Documentation URL |
+| productUrl | string | Product URL |
+| date | time | End-of-life date |
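Review bot: The `description:` front matter and the **Description** section consist only of "Deprecated; will be removed in version 10.0", which tells the reader neither what the resource returns nor what to migrate to. Keep a one-line statement of what the resource is and name the replacement; the patch also adds mondoo.eol with an end-of-life `date` field, so if that is the successor, say so explicitly.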
diff --git a/docs/mql/resources/os-pack/platform.md b/docs/mql/resources/os-pack/platform.md
new file mode 100644
index 000000000..94e4c4f23
--- /dev/null
+++ b/docs/mql/resources/os-pack/platform.md
@@ -0,0 +1,14 @@
+---
+title: platform
+id: platform
+sidebar_label: platform
+displayed_sidebar: MQL
+---
+
+# platform
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------- | ---- | ----------------------------------------------------------------- |
+| vulnerabilityReport | dict | Deprecated; will be removed in version 10.0, use vulnmgmt instead |
diff --git a/docs/mql/resources/os-pack/port.md b/docs/mql/resources/os-pack/port.md
new file mode 100644
index 000000000..7a263a529
--- /dev/null
+++ b/docs/mql/resources/os-pack/port.md
@@ -0,0 +1,27 @@
+---
+title: port
+id: port
+sidebar_label: port
+displayed_sidebar: MQL
+description: TCP/IP port on the system
+---
+
+# port
+
+**Description**
+
+TCP/IP port on the system
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | --------------------- | -------------------------------------- |
+| protocol | string | Protocol of this port |
+| port | int | Port number |
+| address | string | Local address of this port |
+| user | [user](user.md) | User configured for this port |
+| process | [process](process.md) | Process that is connected to this port |
+| state | string | State of this open port |
+| remoteAddress | string | Remote address connected to this port |
+| remotePort | int | Remote port connected to this port |
+| tls | network.tls | TLS on this port, if it is available |
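Review bot: The `state` row does not list the values the field can take, and the `protocol` row does not either. Checks on exposed ports compare against these strings, so enumerate them or link to where they are defined. "User configured for this port" in the `user` row is ambiguous; if it is the owner of the socket, say that. The `network.tls` type is unlinked while `user` and `process` are linked.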
diff --git a/docs/mql/resources/os-pack/ports.md b/docs/mql/resources/os-pack/ports.md
new file mode 100644
index 000000000..645634d91
--- /dev/null
+++ b/docs/mql/resources/os-pack/ports.md
@@ -0,0 +1,24 @@
+---
+title: ports
+id: ports
+sidebar_label: ports
+displayed_sidebar: MQL
+description: TCP/IP ports on the system
+---
+
+# ports
+
+**Description**
+
+TCP/IP ports on the system
+
+**List**
+
+[]port
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------------------------- | ------------------- |
+| listening | [][port](port.md) | All listening ports |
+| list | [][port](port.md) | |
diff --git a/docs/mql/resources/os-pack/powershell.md b/docs/mql/resources/os-pack/powershell.md
new file mode 100644
index 000000000..76212bf16
--- /dev/null
+++ b/docs/mql/resources/os-pack/powershell.md
@@ -0,0 +1,26 @@
+---
+title: powershell
+id: powershell
+sidebar_label: powershell
+displayed_sidebar: MQL
+description: Results of running a PowerShell script on the system
+---
+
+# powershell
+
+**Description**
+
+Results of running a PowerShell script on the system
+
+**Init**
+
+powershell(script string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ------ | --------------------------------------------- |
+| script | string | Raw contents of the script |
+| stdout | string | Standard output from running the script |
+| stderr | string | Standard error output from running the script |
+| exitcode | int | Exit code the script returned |
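Review bot: The description "Results of running a PowerShell script on the system" leaves implicit that evaluating this resource executes the `script` argument on the scanned asset. Say so directly, and document under which account the script runs and whether there is a timeout, because anyone reviewing a policy that uses `powershell(...)` needs to know that it runs code rather than reading state. Also note on which platforms the resource is available.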
diff --git a/docs/mql/resources/os-pack/privatekey.md b/docs/mql/resources/os-pack/privatekey.md
new file mode 100644
index 000000000..bf7bfceed
--- /dev/null
+++ b/docs/mql/resources/os-pack/privatekey.md
@@ -0,0 +1,22 @@
+---
+title: privatekey
+id: privatekey
+sidebar_label: privatekey
+displayed_sidebar: MQL
+description: Private key resource
+---
+
+# privatekey
+
+**Description**
+
+Private key resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | --------------- | --------------------------------- |
+| pem | string | PEM data |
+| path | string | Deprecated; use file instead |
+| file | [file](file.md) | File on disk for this private key |
+| encrypted | bool | Whether the file is encrypted |
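Review bot: The `encrypted` row says "Whether the file is encrypted", which can be read as file-level or disk-level encryption; if it reports whether the private key itself is passphrase-protected, word it that way. The `pem` row says only "PEM data": state whether this returns the full private key material, since that determines whether query results and scan reports containing this field must be handled as secrets. The page has no **Init** section, so it is also unclear how a `privatekey` is obtained.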
diff --git a/docs/mql/resources/os-pack/process.md b/docs/mql/resources/os-pack/process.md
new file mode 100644
index 000000000..c88abdbb7
--- /dev/null
+++ b/docs/mql/resources/os-pack/process.md
@@ -0,0 +1,27 @@
+---
+title: process
+id: process
+sidebar_label: process
+displayed_sidebar: MQL
+description: Process on this system
+---
+
+# process
+
+**Description**
+
+Process on this system
+
+**Init**
+
+process(pid int)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ----------------- | --------------------------------------------------- |
+| pid | int | PID (process ID) |
+| state | string | State of the process (i.e., sleeping, running, etc) |
+| executable | string | Executable that is running this process |
+| command | string | Full command used to run this process |
+| flags | map[string]string | Map of additional flags |
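Review bot: In the `state` row, "(i.e., sleeping, running, etc)" lists examples, so "i.e." should be "e.g."; better still, enumerate the possible values. "Map of additional flags" in the `flags` row does not say what the keys and values are; if these are the parsed command-line flags of `command`, say that. The table also has no field for the owning user or parent PID, which is worth confirming as intentional.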
diff --git a/docs/mql/resources/os-pack/processes.md b/docs/mql/resources/os-pack/processes.md
new file mode 100644
index 000000000..b637f9fa3
--- /dev/null
+++ b/docs/mql/resources/os-pack/processes.md
@@ -0,0 +1,23 @@
+---
+title: processes
+id: processes
+sidebar_label: processes
+displayed_sidebar: MQL
+description: Processes available on this system
+---
+
+# processes
+
+**Description**
+
+Processes available on this system
+
+**List**
+
+[]process
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | ------------------------------- | ----------- |
+| list | [][process](process.md) | |
diff --git a/docs/mql/resources/os-pack/python.md b/docs/mql/resources/os-pack/python.md
new file mode 100644
index 000000000..f39e41232
--- /dev/null
+++ b/docs/mql/resources/os-pack/python.md
@@ -0,0 +1,25 @@
+---
+title: python
+id: python
+sidebar_label: python
+displayed_sidebar: MQL
+description: Python package details found on the operating system image
+---
+
+# python
+
+**Description**
+
+Python package details found on the operating system image
+
+**Init**
+
+python(path string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | --------------------------------------------- | -------------------------------------------------------------------------------------------------- |
+| path | string | Path to a specific site-packages location to exclusively scan (empty means scan default locations) |
+| packages | [][python.package](python.package.md) | List of all discovered packages |
+| toplevel | [][python.package](python.package.md) | List of all packages that were specifically installed (i.e., not auto-installed as a dependency) |
diff --git a/docs/mql/resources/os-pack/python.package.md b/docs/mql/resources/os-pack/python.package.md
new file mode 100644
index 000000000..5ca23efb4
--- /dev/null
+++ b/docs/mql/resources/os-pack/python.package.md
@@ -0,0 +1,33 @@
+---
+title: python.package
+id: python.package
+sidebar_label: python.package
+displayed_sidebar: MQL
+description: Python package information
+---
+
+# python.package
+
+**Description**
+
+Python package information
+
+**Init**
+
+python.package(path string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | --------------------------------------------- | ------------------------------------------------- |
+| id | string | ID is the python.package unique identifier |
+| name | string | Name of the package |
+| file | [file](file.md) | File containing the package metadata |
+| version | string | Version of the package |
+| license | string | License of the package |
+| author | string | Author of the package |
+| authorEmail | string | Author email of the package |
+| summary | string | Short package description |
+| purl | string | Package URL |
+| cpes | []core.cpe | Common Platform Enumeration (CPE) for the package |
+| dependencies | [][python.package](python.package.md) | List of packages depended on |
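Review bot: The **Init** signature `python.package(path string)` takes a `path`, but the Fields table has no `path` row and nothing says what the path should point to. Document whether it is the metadata file described in the `file` row or a package directory. The `license` row should say whether the value is the free-text string from the package metadata or a normalized identifier, since license checks depend on it.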
diff --git a/docs/mql/resources/os-pack/registrykey.md b/docs/mql/resources/os-pack/registrykey.md
new file mode 100644
index 000000000..3e33ffaca
--- /dev/null
+++ b/docs/mql/resources/os-pack/registrykey.md
@@ -0,0 +1,27 @@
+---
+title: registrykey
+id: registrykey
+sidebar_label: registrykey
+displayed_sidebar: MQL
+description: Windows registry key
+---
+
+# registrykey
+
+**Description**
+
+Windows registry key
+
+**Init**
+
+registrykey(path string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | --------------------------------------------------------- | ------------------------------- |
+| path | string | Registry key path |
+| exists | bool | Whether the property exists |
+| properties | map[string]string | Deprecated; use `items` instead |
+| items | [][registrykey.property](registrykey.property.md) | Registry key items |
+| children | []string | Registry key children |
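Review bot: The `exists` row on this page reads "Whether the property exists", which is the same text as in registrykey.property.md and looks copied; on the key resource it should be "Whether the registry key exists". The `children` row should say whether the strings are subkey names or full paths, and the `path` row would benefit from one example showing the expected hive prefix format.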
diff --git a/docs/mql/resources/os-pack/registrykey.property.md b/docs/mql/resources/os-pack/registrykey.property.md
new file mode 100644
index 000000000..5f4e177e6
--- /dev/null
+++ b/docs/mql/resources/os-pack/registrykey.property.md
@@ -0,0 +1,29 @@
+---
+title: registrykey.property
+id: registrykey.property
+sidebar_label: registrykey.property
+displayed_sidebar: MQL
+description: Windows registry key property
+---
+
+# registrykey.property
+
+**Description**
+
+Windows registry key property
+
+**Init**
+
+registrykey.property(path string)
+registrykey.property(name string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ------ | ------------------------------ |
+| path | string | Registry key path |
+| name | string | Registry key name |
+| exists | bool | Whether the property exists |
+| value | string | Deprecated; use `data` instead |
+| type | string | Registry key type |
+| data | dict | Registry key data |
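Review bot: The `name`, `type` and `data` rows are described as "Registry key name", "Registry key type" and "Registry key data", but this page documents a property, so they should read as the property (value) name, its data type and its data. In the **Init** section the two signatures are on consecutive lines with no blank line or list markup and will render as one paragraph; they also read as alternatives, while identifying a property needs both `path` and `name`. Show the combined form.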
diff --git a/docs/mql/resources/os-pack/rsyslog.conf.md b/docs/mql/resources/os-pack/rsyslog.conf.md
new file mode 100644
index 000000000..b7ad1eac8
--- /dev/null
+++ b/docs/mql/resources/os-pack/rsyslog.conf.md
@@ -0,0 +1,26 @@
+---
+title: rsyslog.conf
+id: rsyslog.conf
+sidebar_label: rsyslog.conf
+displayed_sidebar: MQL
+description: rsyslog service configuration
+---
+
+# rsyslog.conf
+
+**Description**
+
+rsyslog service configuration
+
+**Init**
+
+rsyslog.conf(path string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ------------------------- | ----------------------------------------------------- |
+| path | string | Path for the main rsyslog file and search |
+| files | [][file](file.md) | Files that make up this rsyslog service configuration |
+| content | string | Raw contents of this rsyslog service configuration |
+| settings | []string | List of settings for this rsyslog service |
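Review bot: The `path` row, "Path for the main rsyslog file and search", is unclear: "search" has no object. If the resource follows include directives or scans a drop-in directory starting from this path, say so and state the default path used when `rsyslog.conf` is queried without an argument. That also explains why `files` is a list. For `settings`, say whether comments and blank lines are stripped.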
diff --git a/docs/mql/resources/os-pack/secpol.md b/docs/mql/resources/os-pack/secpol.md
new file mode 100644
index 000000000..94ccf9db1
--- /dev/null
+++ b/docs/mql/resources/os-pack/secpol.md
@@ -0,0 +1,22 @@
+---
+title: secpol
+id: secpol
+sidebar_label: secpol
+displayed_sidebar: MQL
+description: Windows local security policy
+---
+
+# secpol
+
+**Description**
+
+Windows local security policy
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | --------------------------- | ---------------- |
+| systemaccess | map[string]string | System access |
+| eventaudit | map[string]string | Event audit |
+| registryvalues | map[string]string | Registry values |
+| privilegerights | map[string][]string | Privilege rights |
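Review bot: All four descriptions in the Fields table only restate the field ID ("System access", "Event audit", and so on), so the page does not tell a reader what keys to expect in each map. Add at least one representative key per field, and for `privilegerights` state what the `[]string` values contain, since that is what a policy check will compare against.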
diff --git a/docs/mql/resources/os-pack/service.md b/docs/mql/resources/os-pack/service.md
new file mode 100644
index 000000000..86a4b1dc2
--- /dev/null
+++ b/docs/mql/resources/os-pack/service.md
@@ -0,0 +1,29 @@
+---
+title: service
+id: service
+sidebar_label: service
+displayed_sidebar: MQL
+description: Service on this system
+---
+
+# service
+
+**Description**
+
+Service on this system
+
+**Init**
+
+service(name string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | ---------------------------------------------- |
+| name | string | Name of the service |
+| description | string | Service description |
+| installed | bool | Whether the service is installed |
+| running | bool | Whether the service is running |
+| enabled | bool | Whether the service is enabled (start at boot) |
+| type | string | Type information |
+| masked | bool | Whether the service is masked |
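Review bot: In the Fields table, `type` is described only as "Type information" and `masked` as "Whether the service is masked", with no indication of which values `type` can take or on which platforms `masked` is meaningful. Suggest listing the possible `type` values and stating what `masked` returns on systems that have no such concept.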
diff --git a/docs/mql/resources/os-pack/services.md b/docs/mql/resources/os-pack/services.md
new file mode 100644
index 000000000..b7e2dba71
--- /dev/null
+++ b/docs/mql/resources/os-pack/services.md
@@ -0,0 +1,23 @@
+---
+title: services
+id: services
+sidebar_label: services
+displayed_sidebar: MQL
+description: Services configured on this system
+---
+
+# services
+
+**Description**
+
+Services configured on this system
+
+**List**
+
+[]service
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | ------------------------------- | ----------- |
+| list | [][service](service.md) | |
diff --git a/docs/mql/resources/os-pack/shadow.entry.md b/docs/mql/resources/os-pack/shadow.entry.md
new file mode 100644
index 000000000..38002cb28
--- /dev/null
+++ b/docs/mql/resources/os-pack/shadow.entry.md
@@ -0,0 +1,27 @@
+---
+title: shadow.entry
+id: shadow.entry
+sidebar_label: shadow.entry
+displayed_sidebar: MQL
+description: Shadowed password file entry
+---
+
+# shadow.entry
+
+**Description**
+
+Shadowed password file entry
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------ | ---------------------------------- |
+| user | string | User |
+| password | string | Password |
+| lastchanged | time | Date of last password change |
+| mindays | int | Minimum password age in days |
+| maxdays | int | Maximum password age in days |
+| warndays | int | Password warning period in days |
+| inactivedays | int | Password inactivity period in days |
+| expirydates | string | Account expiration date |
+| reserved | string | Reserved field |
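Review bot: `password` is described only as "Password"; state whether this is the hashed value exactly as stored in the shadow file, because a check written against the field depends on that. `expirydates` is a plural name typed `string` for a single "Account expiration date", while `lastchanged` is typed `time`; either align the types or note the format of the string.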
diff --git a/docs/mql/resources/os-pack/shadow.md b/docs/mql/resources/os-pack/shadow.md
new file mode 100644
index 000000000..1ca09a677
--- /dev/null
+++ b/docs/mql/resources/os-pack/shadow.md
@@ -0,0 +1,23 @@
+---
+title: shadow
+id: shadow
+sidebar_label: shadow
+displayed_sidebar: MQL
+description: Shadowed password file
+---
+
+# shadow
+
+**Description**
+
+Shadowed password file
+
+**List**
+
+[]shadow.entry
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | ----------------------------------------- | ----------- |
+| list | [][shadow.entry](shadow.entry.md) | |
diff --git a/docs/mql/resources/os-pack/sshd.config.matchblock.md b/docs/mql/resources/os-pack/sshd.config.matchblock.md
new file mode 100644
index 000000000..413233807
--- /dev/null
+++ b/docs/mql/resources/os-pack/sshd.config.matchblock.md
@@ -0,0 +1,15 @@
+---
+title: sshd.config.matchBlock
+id: sshd.config.matchBlock
+sidebar_label: sshd.config.matchBlock
+displayed_sidebar: MQL
+---
+
+# sshd.config.matchBlock
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ----------------- | ---------------------------------- |
+| criteria | string | The match criteria for this block |
+| params | map[string]string | Configuration values in this block |
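Review bot: The front matter has no `description:` key and the page has no **Description** section, unlike the sibling resource pages in this patch. Add both so the generated sidebar and page metadata are consistent. It would also help to state whether `params` holds only the keys set inside the block or the effective values after the block is applied.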
diff --git a/docs/mql/resources/os-pack/sshd.config.md b/docs/mql/resources/os-pack/sshd.config.md
new file mode 100644
index 000000000..57f9bb287
--- /dev/null
+++ b/docs/mql/resources/os-pack/sshd.config.md
@@ -0,0 +1,32 @@
+---
+title: sshd.config
+id: sshd.config
+sidebar_label: sshd.config
+displayed_sidebar: MQL
+description: SSH server configuration
+---
+
+# sshd.config
+
+**Description**
+
+SSH server configuration
+
+**Init**
+
+sshd.config(path string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ------------------------------------------------------------- | ----------------------------------------------------------------------- |
+| file | [file](file.md) | File of this SSH server configuration |
+| files | [][file](file.md) | A list of lexically sorted files making up the SSH server configuration |
+| content | string | Raw content of this SSH server config |
+| params | map[string]string | Configuration values of this SSH server |
+| blocks | [][sshd.config.matchBlock](sshd.config.matchblock.md) | Blocks with match conditions in this SSH server config |
+| ciphers | []string | Ciphers configured for this SSH server |
+| macs | []string | MACs configured for this SSH server |
+| kexs | []string | Key exchange algorithms configured for this SSH server |
+| hostkeys | []string | Host keys configured for this SSH server |
+| permitRootLogin | []string | PermitRootLogin setting in SSH server |
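Review bot: `permitRootLogin` is typed `[]string`, but the description "PermitRootLogin setting in SSH server" does not explain why a single directive yields a list. Say where the entries come from (for example the main configuration plus each entry in `blocks`), because a check that only inspects the first element would miss the others. The same applies to `params` versus `blocks`: document whether `params` reflects values set inside match blocks.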
diff --git a/docs/mql/resources/os-pack/sshd.md b/docs/mql/resources/os-pack/sshd.md
new file mode 100644
index 000000000..4824a7301
--- /dev/null
+++ b/docs/mql/resources/os-pack/sshd.md
@@ -0,0 +1,13 @@
+---
+title: sshd
+id: sshd
+sidebar_label: sshd
+displayed_sidebar: MQL
+description: SSH server resource
+---
+
+# sshd
+
+**Description**
+
+SSH server resource
diff --git a/docs/mql/resources/os-pack/user.md b/docs/mql/resources/os-pack/user.md
new file mode 100644
index 000000000..51817af13
--- /dev/null
+++ b/docs/mql/resources/os-pack/user.md
@@ -0,0 +1,28 @@
+---
+title: user
+id: user
+sidebar_label: user
+displayed_sidebar: MQL
+description: User on this system
+---
+
+# user
+
+**Description**
+
+User on this system
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ------------------------------------- | ------------------------------------ |
+| uid | int | User ID |
+| gid | int | User's group ID |
+| sid | string | User's security identifier (Windows) |
+| name | string | Name of the user |
+| home | string | Home folder |
+| shell | string | Default shell configured |
+| enabled | bool | Whether the user is enabled |
+| authorizedkeys | [authorizedkeys](authorizedkeys.md) | List of authorized keys |
+| sshkeys | [][privatekey](privatekey.md) | List of SSH keys |
+| group | [group](group.md) | Group of which user is a member |
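Review bot: `sshkeys` is typed `[][privatekey](privatekey.md)` but described as "List of SSH keys"; say "private keys" so readers do not confuse it with `authorizedkeys`. `authorizedkeys` is a single `authorizedkeys` resource described as "List of authorized keys"; reword to match the type. `group` reads "Group of which user is a member", which is ambiguous for users in several groups; state whether this is the primary group identified by `gid`.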
diff --git a/docs/mql/resources/os-pack/users.md b/docs/mql/resources/os-pack/users.md
new file mode 100644
index 000000000..cbc068107
--- /dev/null
+++ b/docs/mql/resources/os-pack/users.md
@@ -0,0 +1,23 @@
+---
+title: users
+id: users
+sidebar_label: users
+displayed_sidebar: MQL
+description: Users configured on this system
+---
+
+# users
+
+**Description**
+
+Users configured on this system
+
+**List**
+
+[]user
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | ------------------------- | ----------- |
+| list | [][user](user.md) | |
diff --git a/docs/mql/resources/os-pack/vuln.advisory.md b/docs/mql/resources/os-pack/vuln.advisory.md
new file mode 100644
index 000000000..c39edc833
--- /dev/null
+++ b/docs/mql/resources/os-pack/vuln.advisory.md
@@ -0,0 +1,24 @@
+---
+title: vuln.advisory
+id: vuln.advisory
+sidebar_label: vuln.advisory
+displayed_sidebar: MQL
+description: Advisory information
+---
+
+# vuln.advisory
+
+**Description**
+
+Advisory information
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | --------------------------- | ------------------------------------- |
+| id | string | Advisory ID |
+| title | string | Title of the advisory |
+| description | string | Description of the advisory |
+| published | time | Advisory publication date |
+| modified | time | Last modification date |
+| worstScore | [audit.cvss](audit.cvss.md) | Worst CVSS score of all assigned CVEs |
diff --git a/docs/mql/resources/os-pack/vuln.cve.md b/docs/mql/resources/os-pack/vuln.cve.md
new file mode 100644
index 000000000..855230229
--- /dev/null
+++ b/docs/mql/resources/os-pack/vuln.cve.md
@@ -0,0 +1,25 @@
+---
+title: vuln.cve
+id: vuln.cve
+sidebar_label: vuln.cve
+displayed_sidebar: MQL
+description: CVE information
+---
+
+# vuln.cve
+
+**Description**
+
+CVE information
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | --------------------------- | ------------------------------------- |
+| id | string | CVE ID |
+| state | string | CVE state |
+| summary | string | Summary description |
+| unscored | bool | Whether the CVE has a CVSS score |
+| published | time | Publication date |
+| modified | time | Last modification date |
+| worstScore | [audit.cvss](audit.cvss.md) | Worst CVSS score of all assigned CVEs |
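Review bot: `unscored` is described as "Whether the CVE has a CVSS score", which is the opposite of what the field name suggests; a query filtering on it will give inverted results if the reader trusts the description. Reword to something like "Whether the CVE has no CVSS score" once the actual semantics are confirmed. The `worstScore` description "Worst CVSS score of all assigned CVEs" is identical to the one in vuln.advisory.md and does not fit a page that describes a single CVE.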
diff --git a/docs/mql/resources/os-pack/vuln.package.md b/docs/mql/resources/os-pack/vuln.package.md
new file mode 100644
index 000000000..1d147936d
--- /dev/null
+++ b/docs/mql/resources/os-pack/vuln.package.md
@@ -0,0 +1,22 @@
+---
+title: vuln.package
+id: vuln.package
+sidebar_label: vuln.package
+displayed_sidebar: MQL
+description: Package information relevant for vulnerability management
+---
+
+# vuln.package
+
+**Description**
+
+Package information relevant for vulnerability management
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------ | ---------------------------- |
+| name | string | Package name |
+| version | string | Package version |
+| available | string | Available package version |
+| arch | string | Architecture of this package |
diff --git a/docs/mql/resources/os-pack/vulnmgmt.md b/docs/mql/resources/os-pack/vulnmgmt.md
new file mode 100644
index 000000000..412e1b256
--- /dev/null
+++ b/docs/mql/resources/os-pack/vulnmgmt.md
@@ -0,0 +1,23 @@
+---
+title: vulnmgmt
+id: vulnmgmt
+sidebar_label: vulnmgmt
+displayed_sidebar: MQL
+description: Vulnerability Information
+---
+
+# vulnmgmt
+
+**Description**
+
+Vulnerability Information
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ------------------------------------------- | --------------------------------------------------- |
+| cves | [][vuln.cve](vuln.cve.md) | List of all CVEs affecting the asset |
+| advisories | [][vuln.advisory](vuln.advisory.md) | List of all Advisories affecting the asset |
+| packages | [][vuln.package](vuln.package.md) | List of all packages affected by vulnerabilities |
+| lastAssessment | time | Last time the vulnerability information was updated |
+| stats | [audit.cvss](audit.cvss.md) | Statistics about the vulnerabilities |
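Review bot: `stats` is typed `[audit.cvss](audit.cvss.md)`, the same type used for `worstScore` on the CVE and advisory pages, yet it is described as "Statistics about the vulnerabilities". Clarify what a single CVSS object represents here. Minor: "Advisories" and the page description "Vulnerability Information" are capitalized mid-phrase, unlike the other descriptions in this patch.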
diff --git a/docs/mql/resources/os-pack/windows.bitlocker.md b/docs/mql/resources/os-pack/windows.bitlocker.md
new file mode 100644
index 000000000..f4d337119
--- /dev/null
+++ b/docs/mql/resources/os-pack/windows.bitlocker.md
@@ -0,0 +1,19 @@
+---
+title: windows.bitlocker
+id: windows.bitlocker
+sidebar_label: windows.bitlocker
+displayed_sidebar: MQL
+description: Windows BitLocker
+---
+
+# windows.bitlocker
+
+**Description**
+
+Windows BitLocker
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ----------------------------------------------------------------- | ----------- |
+| volumes | [][windows.bitlocker.volume](windows.bitlocker.volume.md) | |
diff --git a/docs/mql/resources/os-pack/windows.bitlocker.volume.md b/docs/mql/resources/os-pack/windows.bitlocker.volume.md
new file mode 100644
index 000000000..41515e1ea
--- /dev/null
+++ b/docs/mql/resources/os-pack/windows.bitlocker.volume.md
@@ -0,0 +1,26 @@
+---
+title: windows.bitlocker.volume
+id: windows.bitlocker.volume
+sidebar_label: windows.bitlocker.volume
+displayed_sidebar: MQL
+description: Windows BitLocker volume
+---
+
+# windows.bitlocker.volume
+
+**Description**
+
+Windows BitLocker volume
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| deviceID | string | Unique identifier for the volume |
+| driveLetter | string | Drive letter of the volume |
+| conversionStatus | dict | Status of the encryption or decryption on the volume |
+| encryptionMethod | dict | Encryption algorithm and key size used on the volume |
+| lockStatus | int | Whether the contents of the volume are accessible from Windows, 0 = Full contents of the volume are accessible, 1 = All or a portion of the contents of the volume are not accessible |
+| persistentVolumeID | string | Persistent identifier for the volume on this system |
+| protectionStatus | dict | Status of the volume, whether or not BitLocker is protecting the volume, 0 = Protection off, 1 = Protection on, 2 = Protection unknown |
+| version | dict | BitLocker Full Volume Encryption metadata version of the volume |
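Review bot: `protectionStatus` is typed `dict` but its description enumerates integer values (0, 1, 2), whereas `lockStatus` enumerates values and is typed `int`. Either the type or the description is off; if the dict wraps a code and a text label, name the keys. `conversionStatus` and `encryptionMethod` are also `dict` with no keys or values listed, which makes it hard to write an encryption check from this page alone.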
diff --git a/docs/mql/resources/os-pack/windows.feature.md b/docs/mql/resources/os-pack/windows.feature.md
new file mode 100644
index 000000000..355288cfb
--- /dev/null
+++ b/docs/mql/resources/os-pack/windows.feature.md
@@ -0,0 +1,28 @@
+---
+title: windows.feature
+id: windows.feature
+sidebar_label: windows.feature
+displayed_sidebar: MQL
+description: Windows feature resource
+---
+
+# windows.feature
+
+**Description**
+
+Windows feature resource
+
+**Init**
+
+windows.feature(name string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ------ | --------------------------------------------- |
+| path | string | Feature full path |
+| name | string | Command IDs of role, role service, or feature |
+| displayName | string | Feature name |
+| description | string | Feature description |
+| installed | bool | Whether the feature is installed |
+| installState | int | Feature installation state |
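Review bot: `installState` is typed `int` with no list of values, so a reader cannot tell how it relates to the `installed` bool next to it. List the possible states. `name` is described in the plural ("Command IDs of role, role service, or feature") although it is a single `string` and is also the Init parameter; reword it in the singular.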
diff --git a/docs/mql/resources/os-pack/windows.firewall.md b/docs/mql/resources/os-pack/windows.firewall.md
new file mode 100644
index 000000000..088a37bb8
--- /dev/null
+++ b/docs/mql/resources/os-pack/windows.firewall.md
@@ -0,0 +1,21 @@
+---
+title: windows.firewall
+id: windows.firewall
+sidebar_label: windows.firewall
+displayed_sidebar: MQL
+description: Windows Firewall resource
+---
+
+# windows.firewall
+
+**Description**
+
+Windows Firewall resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ----------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
+| settings | dict | Global firewall settings |
+| profiles | [][windows.firewall.profile](windows.firewall.profile.md) | Settings that apply to the per-profile configurations of the Windows Firewall with Advanced Security |
+| rules | [][windows.firewall.rule](windows.firewall.rule.md) | Firewall rules |
diff --git a/docs/mql/resources/os-pack/windows.firewall.profile.md b/docs/mql/resources/os-pack/windows.firewall.profile.md
new file mode 100644
index 000000000..1a3da85f3
--- /dev/null
+++ b/docs/mql/resources/os-pack/windows.firewall.profile.md
@@ -0,0 +1,36 @@
+---
+title: windows.firewall.profile
+id: windows.firewall.profile
+sidebar_label: windows.firewall.profile
+displayed_sidebar: MQL
+description: Windows Firewall profile entry
+---
+
+# windows.firewall.profile
+
+**Description**
+
+Windows Firewall profile entry
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------- |
+| instanceID | string | |
+| name | string | Name of the profile |
+| enabled | int | Whether the firewall is enabled on this profile |
+| defaultInboundAction | int | Default action for inbound traffic |
+| defaultOutboundAction | int | Default action for outbound traffic |
+| allowInboundRules | int | Whether administrators can create firewall rules that allow unsolicited inbound traffic (if 0, such rules are ignored) |
+| allowLocalFirewallRules | int | Whether local firewall rules should merge into the effective policy along with group policy settings |
+| allowLocalIPsecRules | int | Whether local IPsec rules should merge into the effective policy along with rules from group policy |
+| allowUserApps | int | Whether to respect user allowed applications created in the legacy firewall |
+| allowUserPorts | int | Whether to respect globally opened ports created in the legacy firewall |
+| allowUnicastResponseToMulticast | int | Whether to allow unicast responses to multicast traffic |
+| notifyOnListen | int | Whether to notify users when an application listens on a port that is closed |
+| enableStealthModeForIPsec | int | Whether to use stealth mode for IPsec-protected traffic |
+| logMaxSizeKilobytes | int | Maximum size the log file can reach before being rotated |
+| logAllowed | int | Whether to log allowed packets |
+| logBlocked | int | Whether to log blocked traffic |
+| logIgnored | int | Whether to log an event when rules are ignored |
+| logFileName | string | Filename in which to store the firewall log |
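Review bot: Most fields in this table are typed `int` but described as yes/no questions ("Whether the firewall is enabled on this profile"), and `defaultInboundAction` / `defaultOutboundAction` give no value mapping at all. Document the integer values for each, as windows.firewall.rule.md does for `enabled` and `direction`; without them a policy author has to guess which number means allow or block. `instanceID` has an empty description.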
diff --git a/docs/mql/resources/os-pack/windows.firewall.rule.md b/docs/mql/resources/os-pack/windows.firewall.rule.md
new file mode 100644
index 000000000..42c48fa6e
--- /dev/null
+++ b/docs/mql/resources/os-pack/windows.firewall.rule.md
@@ -0,0 +1,34 @@
+---
+title: windows.firewall.rule
+id: windows.firewall.rule
+sidebar_label: windows.firewall.rule
+displayed_sidebar: MQL
+description: Windows Firewall rule entry
+---
+
+# windows.firewall.rule
+
+**Description**
+
+Windows Firewall rule entry
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------ |
+| instanceID | string | A string that uniquely identifies this instance within the policy store |
+| name | string | Name of the rule |
+| displayName | string | Localized name of this rule |
+| description | string | Brief description of the rule |
+| displayGroup | string | The group that this rule belongs to |
+| enabled | int | Indicates whether this rule is administratively enabled or disabled, Values: enabled (1), disabled (2) |
+| direction | int | Specifies which direction of traffic to match with this rule, Values: inbound (1), outbound (2) |
+| action | int | Specifies the action to take on traffic that matches this rule |
+| edgeTraversalPolicy | int | Specifies how this firewall rule will handle edge traversal cases, Values: block (0), allow (1), defer to user (2), defer to app (3) |
+| looseSourceMapping | bool | Whether to group UDP packets into conversations based on the local address, local port, and remote port |
+| localOnlyMapping | bool | Whether to group UDP packets into conversations based only on the local address and port |
+| primaryStatus | int | PrimaryStatus provides a high level status value, Values: unknown (0), OK (1), degraded (2), error (3) |
+| status | string | Detailed status of the rule |
+| enforcementStatus | string | Whether this object is retrieved from the ActiveStore |
+| policyStoreSource | string | Contains the path to the policy store where this rule originally came from |
+| policyStoreSourceType | int | Describes the type of policy store where this rule originally came from |
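Review bot: `action` is the field most checks will key on, yet it is the one `int` in this table without a "Values:" list; `policyStoreSourceType` is missing one too. Add the mappings in the same style as `direction` and `edgeTraversalPolicy`. `enforcementStatus` is typed `string` but described as "Whether this object is retrieved from the ActiveStore", which reads like a bool; describe the strings it can return.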
diff --git a/docs/mql/resources/os-pack/windows.hotfix.md b/docs/mql/resources/os-pack/windows.hotfix.md
new file mode 100644
index 000000000..358aef851
--- /dev/null
+++ b/docs/mql/resources/os-pack/windows.hotfix.md
@@ -0,0 +1,27 @@
+---
+title: windows.hotfix
+id: windows.hotfix
+sidebar_label: windows.hotfix
+displayed_sidebar: MQL
+description: Windows hotfix resource
+---
+
+# windows.hotfix
+
+**Description**
+
+Windows hotfix resource
+
+**Init**
+
+windows.hotfix(hotfixId string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | ------------------------------------------------ |
+| hotfixId | string | Hotfix ID |
+| description | string | Type of hotfix (e.g., Update or Security Update) |
+| caption | string | Reference to knowledge base |
+| installedOn | time | Date when the hotfix was installed |
+| installedBy | string | User that installed the hotfix |
diff --git a/docs/mql/resources/os-pack/windows.md b/docs/mql/resources/os-pack/windows.md
new file mode 100644
index 000000000..1fd997b35
--- /dev/null
+++ b/docs/mql/resources/os-pack/windows.md
@@ -0,0 +1,21 @@
+---
+title: windows
+id: windows
+sidebar_label: windows
+displayed_sidebar: MQL
+description: Windows-specific resource to get operating system details
+---
+
+# windows
+
+**Description**
+
+Windows-specific resource to get operating system details
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ----------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| computerInfo | dict | A consolidated object of system and operating system properties, , see https://docs.microsoft.com/en-us/dotnet/api/microsoft.powershell.commands.computerinfo?view=powershellsdk-1.1.0 for more information |
+| hotfixes | [][windows.hotfix](windows.hotfix.md) | Hotfixes installed on the computer |
+| features | [][windows.feature](windows.feature.md) | Information about Windows Server roles, role services, and features that are available for installation and installed on a specified server. |
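Review bot: The `computerInfo` description contains a doubled comma ("properties, , see https://...") and embeds a bare URL in a table cell; drop the stray comma and use a Markdown link. The `features` description ends with a period while the other rows do not.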
diff --git a/docs/mql/resources/os-pack/windows.security.health.md b/docs/mql/resources/os-pack/windows.security.health.md
new file mode 100644
index 000000000..8afecd5fa
--- /dev/null
+++ b/docs/mql/resources/os-pack/windows.security.health.md
@@ -0,0 +1,25 @@
+---
+title: windows.security.health
+id: windows.security.health
+sidebar_label: windows.security.health
+displayed_sidebar: MQL
+description: Health of the Windows security provider
+---
+
+# windows.security.health
+
+**Description**
+
+Health of the Windows security provider
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------------- | ---- | ----------------------------------- |
+| firewall | dict | Firewall information |
+| autoUpdate | dict | Automatic update information |
+| antiVirus | dict | Antivirus information |
+| antiSpyware | dict | Spyware information |
+| internetSettings | dict | Internet settings information |
+| uac | dict | User account control information |
+| securityCenterService | dict | Security Center service information |
diff --git a/docs/mql/resources/os-pack/windows.security.md b/docs/mql/resources/os-pack/windows.security.md
new file mode 100644
index 000000000..f88c60e71
--- /dev/null
+++ b/docs/mql/resources/os-pack/windows.security.md
@@ -0,0 +1,14 @@
+---
+title: windows.security
+id: windows.security
+sidebar_label: windows.security
+displayed_sidebar: MQL
+---
+
+# windows.security
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ----------------------------------------------------------------- | ----------- |
+| products | [][windows.security.product](windows.security.product.md) | |
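Review bot: The front matter has no `description:` key, the page has no **Description** section, and the only field, `products`, has an empty description cell. As written the page says nothing about what the resource returns; add a one-line description for the resource and for `products`.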
diff --git a/docs/mql/resources/os-pack/windows.security.product.md b/docs/mql/resources/os-pack/windows.security.product.md
new file mode 100644
index 000000000..2cd637d1d
--- /dev/null
+++ b/docs/mql/resources/os-pack/windows.security.product.md
@@ -0,0 +1,25 @@
+---
+title: windows.security.product
+id: windows.security.product
+sidebar_label: windows.security.product
+displayed_sidebar: MQL
+description: Private Windows security product
+---
+
+# windows.security.product
+
+**Description**
+
+Private Windows security product
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ------ | --------------- |
+| type | string | Type of product |
+| guid | string | Product GUID |
+| name | string | Product name |
+| state | int | Product state |
+| productState | string | Product state |
+| signatureState | string | Signature state |
+| timestamp | time | Time stamp |
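Review bot: `state` (`int`) and `productState` (`string`) carry the same description, "Product state", so the table does not say how they differ or which one to assert on. Describe each (for example raw code versus decoded label, if that is the relationship) and list the possible `productState` and `signatureState` strings. The word "Private" in the page description is unexplained.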
diff --git a/docs/mql/resources/os-pack/yum.md b/docs/mql/resources/os-pack/yum.md
new file mode 100644
index 000000000..a438c56cb
--- /dev/null
+++ b/docs/mql/resources/os-pack/yum.md
@@ -0,0 +1,20 @@
+---
+title: yum
+id: yum
+sidebar_label: yum
+displayed_sidebar: MQL
+description: Yum package manager resource
+---
+
+# yum
+
+**Description**
+
+Yum package manager resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----- | --------------------------------- | --------------------------------------------------------------------------------------------------------- |
+| vars | map[string]string | Variables defined in Yum configuration files (/etc/yum.conf and all .repo files in the /etc/yum.repos.d/) |
+| repos | [][yum.repo](yum.repo.md) | List of all configured Yum repositories |
diff --git a/docs/mql/resources/os-pack/yum.repo.md b/docs/mql/resources/os-pack/yum.repo.md
new file mode 100644
index 000000000..381110b02
--- /dev/null
+++ b/docs/mql/resources/os-pack/yum.repo.md
@@ -0,0 +1,34 @@
+---
+title: yum.repo
+id: yum.repo
+sidebar_label: yum.repo
+displayed_sidebar: MQL
+description: Yum repository resource
+---
+
+# yum.repo
+
+**Description**
+
+Yum repository resource
+
+**Init**
+
+yum.repo(id string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------- | ---------------- | ----------------------------------------------------------- |
+| id | string | Repository ID |
+| name | string | Human-readable repository name |
+| status | string | Repository status |
+| baseurl | []string | URL where the repodata directory of a repository is located |
+| expire | string | Indicator when the repository will expire |
+| filename | string | Deprecated; use file.path |
+| file | [file](file.md) | Repository configuration file path |
+| revision | string | Repository revision |
+| pkgs | string | Packages in repository |
+| size | string | File size of this repository |
+| mirrors | string | Mirrors for this repository |
+| enabled | bool | Whether the repository is used as package source |
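Review bot: `filename` reads "Deprecated; use file.path" without backticks, while the deprecation notes in registrykey.property.md format the replacement as code ("use `data` instead"); use the same style. `file` is typed `[file](file.md)` but described as "Repository configuration file path"; describe it as the file resource. `pkgs`, `size` and `mirrors` are all `string`; say what format each string has.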
diff --git a/docs/mql/resources/slack-pack/README.md b/docs/mql/resources/slack-pack/README.md
new file mode 100644
index 000000000..dd679c60c
--- /dev/null
+++ b/docs/mql/resources/slack-pack/README.md
@@ -0,0 +1,23 @@
+---
+title: Slack Resource Pack - MQL Resources
+id: slack.pack
+sidebar_label: Slack Resource Pack
+displayed_sidebar: MQL
+description: The Slack resource pack lets you use MQL to query and assess the security of your Slack identities and configuration.
+---
+
+# Mondoo Slack Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| ----------------------------------------------- | ------------------------------------------------------------------- |
+| [slack](slack.md) | Slack |
+| [slack.conversation](slack.conversation.md) | Slack conversation |
+| [slack.conversations](slack.conversations.md) | Slack conversations (channels, direct messages, and group messages) |
+| [slack.enterpriseUser](slack.enterpriseuser.md) | Slack Enterprise Grid user |
+| [slack.login](slack.login.md) | Slack access log entry |
+| [slack.team](slack.team.md) | Slack team |
+| [slack.user](slack.user.md) | Slack user |
+| [slack.userGroup](slack.usergroup.md) | Slack user groups |
+| [slack.users](slack.users.md) | Slack users |
diff --git a/docs/mql/resources/slack-pack/slack.conversation.md b/docs/mql/resources/slack-pack/slack.conversation.md
new file mode 100644
index 000000000..4bba20818
--- /dev/null
+++ b/docs/mql/resources/slack-pack/slack.conversation.md
@@ -0,0 +1,38 @@
+---
+title: slack.conversation
+id: slack.conversation
+sidebar_label: slack.conversation
+displayed_sidebar: MQL
+description: Slack conversation
+---
+
+# slack.conversation
+
+**Description**
+
+Slack conversation
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------ | ------------------------------------- | ------------------------------------------------------------------------------- |
+| id | string | Conversation ID |
+| name | string | Name of the conversation |
+| creator | [slack.user](slack.user.md) | User that created this conversation |
+| created | time | Timestamp of when the conversation was created |
+| locale | string | IETF language code that represents chosen language |
+| topic | dict | Information about the channel topic |
+| purpose | dict | Information about the channel purpose |
+| isArchived | bool | Indicates that the conversation is archived |
+| isOpen | bool | Indicates that the conversation is open |
+| isPrivate | bool | Whether the conversation is privileged between two or more members |
+| isIM | bool | Whether the conversation is a direct message |
+| isMpim | bool | Whether the conversation is private between multiple users |
+| isGroup | bool | Whether the conversation is a private channel created before March 2021 |
+| isChannel | bool | Whether a conversation is a channel |
+| isShared | bool | Whether the conversation is in some way shared between multiple workspaces |
+| isExtShared | bool | Whether the conversation is part of a shared channel with a remote organization |
+| isPendingExtShared | bool | Whether the conversation is to be shared with a remote organization |
+| isOrgShared | bool | Whether the channel is shared between Enterprise Grid workspaces |
+| priority | float | Priority of the conversation |
+| members | [][slack.user](slack.user.md) | Members of the conversation |
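Review bot: `isPrivate` is described as "Whether the conversation is privileged between two or more members"; "privileged" looks like a slip for "private" or "restricted", and this is the field a data-exposure check would rely on, so the wording should be exact. The bool descriptions also mix "Indicates that ..." (`isArchived`, `isOpen`) with "Whether ..."; pick one form. `isChannel` says "a conversation" where the other rows say "the conversation".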
diff --git a/docs/mql/resources/slack-pack/slack.conversations.md b/docs/mql/resources/slack-pack/slack.conversations.md
new file mode 100644
index 000000000..6f8bb516b
--- /dev/null
+++ b/docs/mql/resources/slack-pack/slack.conversations.md
@@ -0,0 +1,26 @@
+---
+title: slack.conversations
+id: slack.conversations
+sidebar_label: slack.conversations
+displayed_sidebar: MQL
+description: Slack conversations (channels, direct messages, and group messages)
+---
+
+# slack.conversations
+
+**Description**
+
+Slack conversations (channels, direct messages, and group messages)
+
+**List**
+
+[]slack.conversation
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------------------------------------------- | ---------------------------------------- |
+| privateChannels | [][slack.conversation](slack.conversation.md) | List of private channels in a Slack team |
+| publicChannels | [][slack.conversation](slack.conversation.md) | List of public channels in a Slack team |
+| directMessages | [][slack.conversation](slack.conversation.md) | List of direct messages in a Slack team |
+| list | [][slack.conversation](slack.conversation.md) | |
diff --git a/docs/mql/resources/slack-pack/slack.enterpriseuser.md b/docs/mql/resources/slack-pack/slack.enterpriseuser.md
new file mode 100644
index 000000000..e0f1afc70
--- /dev/null
+++ b/docs/mql/resources/slack-pack/slack.enterpriseuser.md
@@ -0,0 +1,23 @@
+---
+title: slack.enterpriseUser
+id: slack.enterpriseUser
+sidebar_label: slack.enterpriseUser
+displayed_sidebar: MQL
+description: Slack Enterprise Grid user
+---
+
+# slack.enterpriseUser
+
+**Description**
+
+Slack Enterprise Grid user
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ------ | ---------------------------------------------------------------- |
+| id | string | Enterprise user ID |
+| enterpriseId | string | Unique ID for the Enterprise Grid organization |
+| enterpriseName | string | Name for the Enterprise Grid organization. |
+| isAdmin | bool | Whether the user is an admin of the Enterprise Grid organization |
+| isOwner | bool | Whether the user is an owner of the Enterprise Grid organization |
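Review bot: The `enterpriseName` description ends with a period ("Name for the Enterprise Grid organization.") while every other row in this table has none. Drop the period for consistency, and consider "Name of" to match the phrasing of the `enterpriseId` row.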
diff --git a/docs/mql/resources/slack-pack/slack.login.md b/docs/mql/resources/slack-pack/slack.login.md
new file mode 100644
index 000000000..d3794dbff
--- /dev/null
+++ b/docs/mql/resources/slack-pack/slack.login.md
@@ -0,0 +1,28 @@
+---
+title: slack.login
+id: slack.login
+sidebar_label: slack.login
+displayed_sidebar: MQL
+description: Slack access log entry
+---
+
+# slack.login
+
+**Description**
+
+Slack access log entry
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------ | ----------------------------------------------------------------------- |
+| userID | string | User ID |
+| username | string | User's handle |
+| count | int | Total number of access log entries for that combination |
+| ip | string | IP address of the device used |
+| userAgent | string | User agent string from the browser or client application |
+| isp | string | Best guess at the internet service provider |
+| country | string | Best guesses at where the access originated, based on the IP address |
+| region | string | Best guesses at where the access originated, based on the IP address |
+| dateFirst | time | First access log entry for user, IP address, and user agent combination |
+| dateLast | time | Most recent log entry for user, IP address, and user agent combination |
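Review bot: The `country` and `region` rows carry the identical description ("Best guesses at where the access originated, based on the IP address"), so the table does not say which one is the country and which the sub-national region, or in what format. Give each its own wording. The `count` row also refers to "that combination" before the combination (user, IP address, user agent) is defined in the `dateFirst` row; spell it out in `count` as well, since this is the field people will filter on when reviewing access logs.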
diff --git a/docs/mql/resources/slack-pack/slack.md b/docs/mql/resources/slack-pack/slack.md
new file mode 100644
index 000000000..a09fb3ab4
--- /dev/null
+++ b/docs/mql/resources/slack-pack/slack.md
@@ -0,0 +1,20 @@
+---
+title: slack
+id: slack
+sidebar_label: slack
+displayed_sidebar: MQL
+description: Slack
+---
+
+# slack
+
+**Description**
+
+Slack
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ----------------------------------------------- | ------------------------- |
+| accessLogs | [][slack.login](slack.login.md) | Slack access logs |
+| userGroups | [][slack.userGroup](slack.usergroup.md) | List of Slack user groups |
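Review bot: The front-matter `description` and the **Description** section are both just "Slack", which repeats the resource name and tells the reader nothing. State what the top-level resource represents and that it is the entry point for `accessLogs` and `userGroups`.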
diff --git a/docs/mql/resources/slack-pack/slack.team.md b/docs/mql/resources/slack-pack/slack.team.md
new file mode 100644
index 000000000..dfdf8377a
--- /dev/null
+++ b/docs/mql/resources/slack-pack/slack.team.md
@@ -0,0 +1,22 @@
+---
+title: slack.team
+id: slack.team
+sidebar_label: slack.team
+displayed_sidebar: MQL
+description: Slack team
+---
+
+# slack.team
+
+**Description**
+
+Slack team
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | ------------------------ |
+| id | string | ID of the team |
+| name | string | Name of the team |
+| domain | string | Domain of the team |
+| emailDomain | string | Email domain of the team |
diff --git a/docs/mql/resources/slack-pack/slack.user.md b/docs/mql/resources/slack-pack/slack.user.md
new file mode 100644
index 000000000..2e37a8990
--- /dev/null
+++ b/docs/mql/resources/slack-pack/slack.user.md
@@ -0,0 +1,43 @@
+---
+title: slack.user
+id: slack.user
+sidebar_label: slack.user
+displayed_sidebar: MQL
+description: Slack user
+---
+
+# slack.user
+
+**Description**
+
+Slack user
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ----------------------------------------------- | ---------------------------------------------------------------------- |
+| id | string | ID of the workspace user |
+| name | string | User name |
+| teamId | string | Slack workspace ID |
+| deleted | bool | Whether the user has been deactivated |
+| color | string | Special user color |
+| realName | string | User's first and last name |
+| timeZone | string | Geographic timezone-related region |
+| timeZoneLabel | string | Commonly used name of the timezone |
+| timeZoneOffset | int | Number of seconds to offset UTC time |
+| isBot | bool | Whether the user is a bot |
+| isAdmin | bool | Whether the user is an admin of the current workspace |
+| isOwner | bool | Whether the user is an owner of the current workspace |
+| isPrimaryOwner | bool | Whether the user is the primary owner of the current workspace |
+| isRestricted | bool | Whether the user is a guest user |
+| isUltraRestricted | bool | Whether the user is a single-channel guest |
+| isStranger | bool | Whether the user belongs to a different workspace |
+| isAppUser | bool | Whether the user is an app bot |
+| isInvitedUser | bool | Whether a user has been invited but has not yet signed in |
+| has2FA | bool | Whether two-factor authentication is enabled for the user |
+| twoFactorType | string | Type of two-factor authentication the user is using |
+| hasFiles | bool | Whether the user owns files |
+| presence | string | Presence of the user |
+| locale | string | IETF language code that represents this user's chosen display language |
+| profile | dict | User profile |
+| enterpriseUser | [slack.enterpriseUser](slack.enterpriseuser.md) | Related Slack Enterprise Grid user |
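Review bot: The `twoFactorType` row says only "Type of two-factor authentication the user is using" without listing the possible string values, which makes it hard to write a query that asserts on it; list the values or say what is returned when `has2FA` is false. Separately, `isBot` ("Whether the user is a bot") and `isAppUser` ("Whether the user is an app bot") are not distinguishable from their descriptions, and `isRestricted` / `isUltraRestricted` would benefit from stating that a single-channel guest is also a guest, if that is the case.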
diff --git a/docs/mql/resources/slack-pack/slack.usergroup.md b/docs/mql/resources/slack-pack/slack.usergroup.md
new file mode 100644
index 000000000..af9f032ac
--- /dev/null
+++ b/docs/mql/resources/slack-pack/slack.usergroup.md
@@ -0,0 +1,32 @@
+---
+title: slack.userGroup
+id: slack.userGroup
+sidebar_label: slack.userGroup
+displayed_sidebar: MQL
+description: Slack user groups
+---
+
+# slack.userGroup
+
+**Description**
+
+Slack user groups
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------------------------------------- | ------------------------------------ |
+| id | string | Group ID |
+| teamId | string | Slack workspace ID |
+| name | string | Friendly name of the group |
+| description | string | Purpose of the group |
+| handle | string | Value used to notify group members |
+| isExternal | bool | Whether the group is external |
+| created | time | Timestamp when the group was created |
+| updated | time | Timestamp when the group was updated |
+| deleted | time | Timestamp when the group was deleted |
+| createdBy | [slack.user](slack.user.md) | User that created the group |
+| updatedBy | [slack.user](slack.user.md) | User that updated the group |
+| deletedBy | [slack.user](slack.user.md) | User that deleted the group |
+| userCount | int | Total number of users in a group |
+| members | [][slack.user](slack.user.md) | Members of the group |
diff --git a/docs/mql/resources/slack-pack/slack.users.md b/docs/mql/resources/slack-pack/slack.users.md
new file mode 100644
index 000000000..751cd94a7
--- /dev/null
+++ b/docs/mql/resources/slack-pack/slack.users.md
@@ -0,0 +1,27 @@
+---
+title: slack.users
+id: slack.users
+sidebar_label: slack.users
+displayed_sidebar: MQL
+description: Slack users
+---
+
+# slack.users
+
+**Description**
+
+Slack users
+
+**List**
+
+[]slack.user
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ------------------------------------- | -------------------------- |
+| bots | [][slack.user](slack.user.md) | Bot users in the workspace |
+| members | [][slack.user](slack.user.md) | Members of the workspace |
+| admins | [][slack.user](slack.user.md) | Admins of the workspace |
+| owners | [][slack.user](slack.user.md) | Owner of the workspace |
+| list | [][slack.user](slack.user.md) | |
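Review bot: The `list` row has an empty DESCRIPTION cell, and the `owners` row reads "Owner of the workspace" in the singular although its type is a list (`[][slack.user]`) and the sibling rows are plural. Fill in `list` and change `owners` to "Owners of the workspace".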
diff --git a/docs/mql/resources/terraform-pack/README.md b/docs/mql/resources/terraform-pack/README.md
new file mode 100644
index 000000000..d1f33e6f6
--- /dev/null
+++ b/docs/mql/resources/terraform-pack/README.md
@@ -0,0 +1,28 @@
+---
+title: Terraform IaC Resource Pack - MQL Resources
+id: terraform.iac.pack
+sidebar_label: Terraform IaC Resource Pack
+displayed_sidebar: MQL
+description: The Terraform IaC resource pack lets you use MQL to query and assess the security of your Terraform HCL, plan and state resources.
+---
+
+# Mondoo Terraform IaC Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| ----------------------------------------------------------------- | --------------------------------------------------------- |
+| [terraform](terraform.md) | Terraform configuration files |
+| [terraform.block](terraform.block.md) | Terraform resource block |
+| [terraform.file](terraform.file.md) | Terraform configuration file (.tf or .tf.json file) |
+| [terraform.fileposition](terraform.fileposition.md) | Position of the Terraform configuration block in the file |
+| [terraform.module](terraform.module.md) | Terraform module block |
+| [terraform.plan](terraform.plan.md) | Terraform plan |
+| [terraform.plan.configuration](terraform.plan.configuration.md) | Terraform plan configuration |
+| [terraform.plan.proposedChange](terraform.plan.proposedchange.md) | Terraform plan proposed change |
+| [terraform.plan.resourceChange](terraform.plan.resourcechange.md) | Terraform plan resource change |
+| [terraform.settings](terraform.settings.md) | Terraform settings |
+| [terraform.state](terraform.state.md) | Terraform state |
+| [terraform.state.module](terraform.state.module.md) | Terraform state module |
+| [terraform.state.output](terraform.state.output.md) | Terraform state output values |
+| [terraform.state.resource](terraform.state.resource.md) | Terraform state resource |
diff --git a/docs/mql/resources/terraform-pack/terraform.block.md b/docs/mql/resources/terraform-pack/terraform.block.md
new file mode 100644
index 000000000..28fd2620c
--- /dev/null
+++ b/docs/mql/resources/terraform-pack/terraform.block.md
@@ -0,0 +1,44 @@
+---
+title: terraform.block
+id: terraform.block
+sidebar_label: terraform.block
+displayed_sidebar: MQL
+description: Terraform resource block
+---
+
+# terraform.block
+
+**Supported platform**
+
+- terraform-hcl
+
+**Maturity**
+
+experimental
+
+**Description**
+
+Terraform resource block
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | --------------------------------------------------- | -------------------- |
+| type | string | Block type |
+| labels | []string | Block Labels |
+| nameLabel | string | Block name label |
+| start | [terraform.fileposition](terraform.fileposition.md) | Block start position |
+| end | [terraform.fileposition](terraform.fileposition.md) | Block end position |
+| arguments | dict | Block arguments |
+| attributes | dict | Raw block attributes |
+| blocks | [][terraform.block](terraform.block.md) | Child blocks |
+| related | [][terraform.block](terraform.block.md) | Related blocks |
+| snippet | string | Block snippet |
+
+**Examples**
+
+Display all Terraform blocks and their arguments
+
+```coffee
+terraform.blocks { nameLabel arguments }
+```
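Review bot: The description "Terraform resource block" is narrower than how this type is used: in terraform.md the same `terraform.block` type backs `providers`, `datasources`, `variables` and `outputs`, not only `resources`. Something like "Terraform HCL block" would be accurate. In the Fields table, "Block Labels" is capitalised differently from the other rows, and `related` and `snippet` do not say what "related" means or what the snippet contains. The example queries `terraform.blocks`, which is a field of `terraform` and is already shown verbatim on that page; an example that uses this resource's own fields (`type`, `start`, `blocks`) would add more.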
diff --git a/docs/mql/resources/terraform-pack/terraform.file.md b/docs/mql/resources/terraform-pack/terraform.file.md
new file mode 100644
index 000000000..bd7112b83
--- /dev/null
+++ b/docs/mql/resources/terraform-pack/terraform.file.md
@@ -0,0 +1,36 @@
+---
+title: terraform.file
+id: terraform.file
+sidebar_label: terraform.file
+displayed_sidebar: MQL
+description: Terraform configuration file (.tf or .tf.json file)
+---
+
+# terraform.file
+
+**Supported platform**
+
+- terraform-hcl
+
+**Maturity**
+
+experimental
+
+**Description**
+
+Terraform configuration file (.tf or .tf.json file)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ----------------------------------------------- | ------------------------------- |
+| path | string | Terraform (.tf or tf.json file) |
+| blocks | [][terraform.block](terraform.block.md) | All blocks within the file |
+
+**Examples**
+
+Display all files and their blocks
+
+```coffee
+terraform.files { path blocks { nameLabel } }
+```
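Review bot: The `path` row description "Terraform (.tf or tf.json file)" describes the file rather than the path, has misplaced parentheses, and writes "tf.json" without the leading dot that the page description uses (".tf.json"). Suggest "Path to the Terraform file (.tf or .tf.json)".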
diff --git a/docs/mql/resources/terraform-pack/terraform.fileposition.md b/docs/mql/resources/terraform-pack/terraform.fileposition.md
new file mode 100644
index 000000000..f573e95a4
--- /dev/null
+++ b/docs/mql/resources/terraform-pack/terraform.fileposition.md
@@ -0,0 +1,30 @@
+---
+title: terraform.fileposition
+id: terraform.fileposition
+sidebar_label: terraform.fileposition
+displayed_sidebar: MQL
+description: Position of the Terraform configuration block in the file
+---
+
+# terraform.fileposition
+
+**Supported platform**
+
+- terraform-hcl
+
+**Maturity**
+
+experimental
+
+**Description**
+
+Position of the Terraform configuration block in the file
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ------ | --------------------------------------------- |
+| path | string | File path to the Terraform configuration file |
+| line | int | Line of the block |
+| column | int | Column of the block |
+| byte | int | Size of the file |
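Review bot: The `byte` row is described as "Size of the file", which does not fit a resource whose other fields (`line`, `column`) locate a position inside the file. If this is the byte offset of the position, say so; if it really is the file size, explain why it lives on a position. `line` and `column` should also state whether they are 0-based or 1-based.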
diff --git a/docs/mql/resources/terraform-pack/terraform.md b/docs/mql/resources/terraform-pack/terraform.md
new file mode 100644
index 000000000..ed0b0bd10
--- /dev/null
+++ b/docs/mql/resources/terraform-pack/terraform.md
@@ -0,0 +1,55 @@
+---
+title: terraform
+id: terraform
+sidebar_label: terraform
+displayed_sidebar: MQL
+description: Terraform configuration files
+---
+
+# terraform
+
+**Supported platform**
+
+- terraform-hcl
+
+**Maturity**
+
+experimental
+
+**Description**
+
+Terraform configuration files
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------------------------------------------------- | ----------------------------------------------------------- |
+| files | [][terraform.file](terraform.file.md) | Access to individual files including .tf and .tf.json files |
+| tfvars | dict | The attributes defined in .tfvars and .tfvars.json |
+| modules | [][terraform.module](terraform.module.md) | All referenced Terraform modules |
+| blocks | [][terraform.block](terraform.block.md) | Raw HCL blocks |
+| providers | [][terraform.block](terraform.block.md) | Provider blocks |
+| datasources | [][terraform.block](terraform.block.md) | Data sources blocks |
+| resources | [][terraform.block](terraform.block.md) | All blocks with the type resource |
+| variables | [][terraform.block](terraform.block.md) | Variable blocks |
+| outputs | [][terraform.block](terraform.block.md) | Output blocks |
+
+**Examples**
+
+Display all Terraform blocks and their arguments
+
+```coffee
+terraform.blocks { nameLabel arguments }
+```
+
+Display all data blocks
+
+```coffee
+terraform.datasources { nameLabel arguments }
+```
+
+Display all resource blocks
+
+```coffee
+terraform.resources { nameLabel arguments }
+```
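Review bot: In the Fields table the `datasources` row reads "Data sources blocks"; "Data source blocks" matches the singular form used for "Provider blocks", "Variable blocks" and "Output blocks". The `tfvars` row is the only one that starts with an article ("The attributes defined in ...") and does not say "files" after the extensions. There is also no example for `tfvars`, `variables` or `outputs`, which are the fields most likely to expose hard-coded values worth querying.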
diff --git a/docs/mql/resources/terraform-pack/terraform.module.md b/docs/mql/resources/terraform-pack/terraform.module.md
new file mode 100644
index 000000000..f6828e229
--- /dev/null
+++ b/docs/mql/resources/terraform-pack/terraform.module.md
@@ -0,0 +1,39 @@
+---
+title: terraform.module
+id: terraform.module
+sidebar_label: terraform.module
+displayed_sidebar: MQL
+description: Terraform module block
+---
+
+# terraform.module
+
+**Supported platform**
+
+- terraform-hcl
+
+**Maturity**
+
+experimental
+
+**Description**
+
+Terraform module block
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------- | ------------------------------------- | ------------------------------------------------ |
+| key | string | Unique identifier for the module |
+| source | string | Source from which the module was loaded |
+| version | string | Module version |
+| dir | string | Path to the directory where the module is stored |
+| block | [terraform.block](terraform.block.md) | Block (including the configuration) |
+
+**Examples**
+
+Display all loaded Terraform modules
+
+```coffee
+terraform.modules { key version source}
+```
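Review bot: The example `terraform.modules { key version source}` is missing the space before the closing brace that every other example in this pack uses (`{ nameLabel arguments }`). The `source` and `version` rows could also say what is returned for a local module or an unpinned version, since those are the cases a reviewer of module provenance will look for.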
diff --git a/docs/mql/resources/terraform-pack/terraform.plan.configuration.md b/docs/mql/resources/terraform-pack/terraform.plan.configuration.md
new file mode 100644
index 000000000..df1559377
--- /dev/null
+++ b/docs/mql/resources/terraform-pack/terraform.plan.configuration.md
@@ -0,0 +1,24 @@
+---
+title: terraform.plan.configuration
+id: terraform.plan.configuration
+sidebar_label: terraform.plan.configuration
+displayed_sidebar: MQL
+description: Terraform plan configuration
+---
+
+# terraform.plan.configuration
+
+**Supported platform**
+
+- terraform-plan
+
+**Description**
+
+Terraform plan configuration
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | -------------- | ---------------------------------- |
+| providerConfig | []dict | Provider configuration |
+| resources | []dict | Root module resource configuration |
diff --git a/docs/mql/resources/terraform-pack/terraform.plan.md b/docs/mql/resources/terraform-pack/terraform.plan.md
new file mode 100644
index 000000000..2058cd816
--- /dev/null
+++ b/docs/mql/resources/terraform-pack/terraform.plan.md
@@ -0,0 +1,25 @@
+---
+title: terraform.plan
+id: terraform.plan
+sidebar_label: terraform.plan
+displayed_sidebar: MQL
+description: Terraform plan
+---
+
+# terraform.plan
+
+**Supported platform**
+
+- terraform-plan
+
+**Description**
+
+Terraform plan
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | --------------------------------------------------------------------------- | ------------------------------ |
+| formatVersion | string | Terraform plan format version |
+| terraformVersion | string | Generated by Terraform version |
+| resourceChanges | [][terraform.plan.resourceChange](terraform.plan.resourcechange.md) | Resource changes |
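Review bot: The Fields table has no row that returns `terraform.plan.configuration`, although the pack README lists that resource under the same platform. Either add the field that exposes it here or document on the terraform.plan.configuration page how it is reached. "Generated by Terraform version" for `terraformVersion` would read better as "Version of Terraform that generated the plan".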
diff --git a/docs/mql/resources/terraform-pack/terraform.plan.proposedchange.md b/docs/mql/resources/terraform-pack/terraform.plan.proposedchange.md
new file mode 100644
index 000000000..f7fb5f2d4
--- /dev/null
+++ b/docs/mql/resources/terraform-pack/terraform.plan.proposedchange.md
@@ -0,0 +1,30 @@
+---
+title: terraform.plan.proposedChange
+id: terraform.plan.proposedChange
+sidebar_label: terraform.plan.proposedChange
+displayed_sidebar: MQL
+description: Terraform plan proposed change
+---
+
+# terraform.plan.proposedChange
+
+**Supported platform**
+
+- terraform-plan
+
+**Description**
+
+Terraform plan proposed change
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ---------------- | ------------------------------------------- |
+| address | string | Resource address |
+| actions | []string | Actions that wil be taken for on the object |
+| before | dict | Resource before values |
+| after | dict | Resource after values |
+| afterUnknown | dict | |
+| beforeSensitive | dict | |
+| afterSensitive | dict | |
+| replacePaths | dict | |
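Review bot: Four rows (`afterUnknown`, `beforeSensitive`, `afterSensitive`, `replacePaths`) have empty DESCRIPTION cells; the two `*Sensitive` fields in particular need a sentence, because readers will want to know whether sensitive values appear in `before` / `after` or are masked. The `actions` row has a typo and a doubled preposition ("Actions that wil be taken for on the object"); suggest "Actions that will be taken on the object", ideally with the possible action strings listed.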
diff --git a/docs/mql/resources/terraform-pack/terraform.plan.resourcechange.md b/docs/mql/resources/terraform-pack/terraform.plan.resourcechange.md
new file mode 100644
index 000000000..f1d8ac012
--- /dev/null
+++ b/docs/mql/resources/terraform-pack/terraform.plan.resourcechange.md
@@ -0,0 +1,32 @@
+---
+title: terraform.plan.resourceChange
+id: terraform.plan.resourceChange
+sidebar_label: terraform.plan.resourceChange
+displayed_sidebar: MQL
+description: Terraform plan resource change
+---
+
+# terraform.plan.resourceChange
+
+**Supported platform**
+
+- terraform-plan
+
+**Description**
+
+Terraform plan resource change
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ----------------------------------------------------------------- | ---------------------------------------------- |
+| address | string | Resource address |
+| previousAddress | string | Resource previous address |
+| moduleAddress | string | Resource module address |
+| mode | string | Resource mode |
+| type | string | Resource type |
+| name | string | Resource name |
+| providerName | string | Provider name |
+| deposed | string | Whether the action applies to a deposed object |
+| change | [terraform.plan.proposedChange](terraform.plan.proposedchange.md) | Change to make to this object |
+| actionReason | string | Resource action reason |
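Review bot: The `deposed` row is typed `string` but described as "Whether the action applies to a deposed object", which reads like a bool. State what the string holds (for example, a key identifying the deposed object, if that is what it is) or change the type. `mode` should list its values, as the terraform.state.resource page does ("managed or data").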
diff --git a/docs/mql/resources/terraform-pack/terraform.settings.md b/docs/mql/resources/terraform-pack/terraform.settings.md
new file mode 100644
index 000000000..5d880e566
--- /dev/null
+++ b/docs/mql/resources/terraform-pack/terraform.settings.md
@@ -0,0 +1,25 @@
+---
+title: terraform.settings
+id: terraform.settings
+sidebar_label: terraform.settings
+displayed_sidebar: MQL
+description: Terraform settings
+---
+
+# terraform.settings
+
+**Supported platform**
+
+- terraform-hcl
+
+**Description**
+
+Terraform settings
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ------------------------------------- | --------------------- |
+| block | [terraform.block](terraform.block.md) | Settings block |
+| requiredProviders | dict | Provider requirements |
+| backend | dict | Backend configuration |
diff --git a/docs/mql/resources/terraform-pack/terraform.state.md b/docs/mql/resources/terraform-pack/terraform.state.md
new file mode 100644
index 000000000..8a8c92300
--- /dev/null
+++ b/docs/mql/resources/terraform-pack/terraform.state.md
@@ -0,0 +1,28 @@
+---
+title: terraform.state
+id: terraform.state
+sidebar_label: terraform.state
+displayed_sidebar: MQL
+description: Terraform state
+---
+
+# terraform.state
+
+**Supported platform**
+
+- terraform-state
+
+**Description**
+
+Terraform state
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ----------------------------------------------------------------- | --------------------------------------------------------- |
+| formatVersion | string | Terraform state format version |
+| terraformVersion | string | Generated by Terraform version |
+| outputs | [][terraform.state.output](terraform.state.output.md) | Output values |
+| rootModule | [terraform.state.module](terraform.state.module.md) | Root module which consists resources defined in .tf files |
+| modules | [][terraform.state.module](terraform.state.module.md) | flat list of all modules |
+| resources | [][terraform.state.resource](terraform.state.resource.md) | A flat list of all resources across all modules |
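Review bot: The `rootModule` description is ungrammatical ("Root module which consists resources defined in .tf files"); suggest "Root module, which contains the resources defined in .tf files". The `modules` row starts in lower case ("flat list of all modules") while `resources` uses "A flat list of ..."; pick one form. Since state files commonly hold secrets in plain text, it is worth one line on this page about whether `resources` and `outputs` return sensitive values unmasked.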
diff --git a/docs/mql/resources/terraform-pack/terraform.state.module.md b/docs/mql/resources/terraform-pack/terraform.state.module.md
new file mode 100644
index 000000000..e4f8134fc
--- /dev/null
+++ b/docs/mql/resources/terraform-pack/terraform.state.module.md
@@ -0,0 +1,29 @@
+---
+title: terraform.state.module
+id: terraform.state.module
+sidebar_label: terraform.state.module
+displayed_sidebar: MQL
+description: Terraform state module
+---
+
+# terraform.state.module
+
+**Supported platform**
+
+- terraform-state
+
+**Description**
+
+Terraform state module
+
+**Init**
+
+terraform.state.module(identifier string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------ | ----------------------------------------------------------------- | ---------------------------------------------- |
+| address | string | Module identifier address |
+| resources | [][terraform.state.resource](terraform.state.resource.md) | Resources that describe infrastructure objects |
+| childModules | [][terraform.state.module](terraform.state.module.md) | Child modules called from this module |
diff --git a/docs/mql/resources/terraform-pack/terraform.state.output.md b/docs/mql/resources/terraform-pack/terraform.state.output.md
new file mode 100644
index 000000000..58ad7eb61
--- /dev/null
+++ b/docs/mql/resources/terraform-pack/terraform.state.output.md
@@ -0,0 +1,30 @@
+---
+title: terraform.state.output
+id: terraform.state.output
+sidebar_label: terraform.state.output
+displayed_sidebar: MQL
+description: Terraform state output values
+---
+
+# terraform.state.output
+
+**Supported platform**
+
+- terraform-state
+
+**Description**
+
+Terraform state output values
+
+**Init**
+
+terraform.state.output(identifier string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------ | ------------------------------- |
+| identifier | string | Output identifier |
+| sensitive | bool | Whether the output is sensitive |
+| value | dict | Output value |
+| type | dict | Output value type |
diff --git a/docs/mql/resources/terraform-pack/terraform.state.resource.md b/docs/mql/resources/terraform-pack/terraform.state.resource.md
new file mode 100644
index 000000000..7a277fabf
--- /dev/null
+++ b/docs/mql/resources/terraform-pack/terraform.state.resource.md
@@ -0,0 +1,32 @@
+---
+title: terraform.state.resource
+id: terraform.state.resource
+sidebar_label: terraform.state.resource
+displayed_sidebar: MQL
+description: Terraform state resource
+---
+
+# terraform.state.resource
+
+**Supported platform**
+
+- terraform-state
+
+**Description**
+
+Terraform state resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ---------------- | --------------------------------------------------------------------------- |
+| address | string | Address is the absolute resource address |
+| mode | string | Mode: managed or data |
+| type | string | Resource type |
+| name | string | Resource name |
+| providerName | string | Terraform provider |
+| schemaVersion | int | Which version of the resource type schema the `values` property conforms to |
+| values | dict | Attribute values |
+| dependsOn | []string | List of the resource's dependencies |
+| tainted | bool | Whether the resource is tainted in the Terraform state |
+| deposedKey | string | Whether the resource is deposed in the Terraform state |
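Review bot: The `deposedKey` row is typed `string` but its description is a copy of the `tainted` wording ("Whether the resource is deposed in the Terraform state"), which describes a bool. Say what the key is and what is returned when the resource is not deposed. The `address` description repeats the field name ("Address is the absolute resource address"); "Absolute resource address" is enough. The `values` row should note whether sensitive attribute values are included.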
diff --git a/docs/mql/resources/vcd-pack/README.md b/docs/mql/resources/vcd-pack/README.md
new file mode 100644
index 000000000..34eb820d9
--- /dev/null
+++ b/docs/mql/resources/vcd-pack/README.md
@@ -0,0 +1,26 @@
+---
+title: VMware Cloud Director Resource Pack - MQL Resources
+id: vmware.cloud.director.pack
+sidebar_label: VMware Cloud Director Resource Pack
+displayed_sidebar: MQL
+description: The VMware Cloud Director resource pack lets you use MQL to query and assess the security of your VMware Cloud Director configuration.
+---
+
+# Mondoo VMware Cloud Director Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| ----------------------------------------------------------------- | ----------------------------------------------- |
+| [vcd](vcd.md) | VMware Cloud Director |
+| [vcd.externalNetwork](vcd.externalnetwork.md) | VMware Cloud Director external network |
+| [vcd.networkPool](vcd.networkpool.md) | VMware Cloud Director network pools |
+| [vcd.organization](vcd.organization.md) | VMware Cloud Director organization resource |
+| [vcd.organization.ldapSettings](vcd.organization.ldapsettings.md) | VMware Cloud Director LDAP setting |
+| [vcd.right](vcd.right.md) | VMware Cloud Director available rights |
+| [vcd.role](vcd.role.md) | VMware Cloud Director role |
+| [vcd.serverInstance](vcd.serverinstance.md) | vCenter server attached to VCD |
+| [vcd.vdc](vcd.vdc.md) | VMware Cloud Director organization VDC resource |
+| [vcd.vdcGroup](vcd.vdcgroup.md) | VMware Cloud Director NSX-T VDC groups |
+| [vcd.vdcProvider](vcd.vdcprovider.md) | VMware Cloud Director provider VDC |
+| [vcd.vm](vcd.vm.md) | VMware Cloud Director VM resource |
diff --git a/docs/mql/resources/vcd-pack/vcd.externalnetwork.md b/docs/mql/resources/vcd-pack/vcd.externalnetwork.md
new file mode 100644
index 000000000..2941f7d1c
--- /dev/null
+++ b/docs/mql/resources/vcd-pack/vcd.externalnetwork.md
@@ -0,0 +1,23 @@
+---
+title: vcd.externalNetwork
+id: vcd.externalNetwork
+sidebar_label: vcd.externalNetwork
+displayed_sidebar: MQL
+description: VMware Cloud Director external network
+---
+
+# vcd.externalNetwork
+
+**Description**
+
+VMware Cloud Director external network
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ------ | ------------------------------ |
+| id | string | Deprecated; use urn instead |
+| name | string | Unique name for the network |
+| urn | string | URN of the network |
+| description | string | Network description |
+| configuration | dict | External network configuration |
diff --git a/docs/mql/resources/vcd-pack/vcd.md b/docs/mql/resources/vcd-pack/vcd.md
new file mode 100644
index 000000000..88796510b
--- /dev/null
+++ b/docs/mql/resources/vcd-pack/vcd.md
@@ -0,0 +1,23 @@
+---
+title: vcd
+id: vcd
+sidebar_label: vcd
+displayed_sidebar: MQL
+description: VMware Cloud Director
+---
+
+# vcd
+
+**Description**
+
+VMware Cloud Director
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ------------------------------------------------------- | -------------------------------------------- |
+| organizations | [][vcd.organization](vcd.organization.md) | VMware Cloud Director organization resources |
+| providerVDCs | [][vcd.vdcProvider](vcd.vdcprovider.md) | VMware Cloud Director provider VDC |
+| networkPools | [][vcd.networkPool](vcd.networkpool.md) | VMware Cloud Director network pools |
+| externalNetworks | [][vcd.externalNetwork](vcd.externalnetwork.md) | VMware Cloud Director external networks |
+| serverInstances | [][vcd.serverInstance](vcd.serverinstance.md) | vCenter server attached to VCD |
diff --git a/docs/mql/resources/vcd-pack/vcd.networkpool.md b/docs/mql/resources/vcd-pack/vcd.networkpool.md
new file mode 100644
index 000000000..fde95d050
--- /dev/null
+++ b/docs/mql/resources/vcd-pack/vcd.networkpool.md
@@ -0,0 +1,21 @@
+---
+title: vcd.networkPool
+id: vcd.networkPool
+sidebar_label: vcd.networkPool
+displayed_sidebar: MQL
+description: VMware Cloud Director network pools
+---
+
+# vcd.networkPool
+
+**Description**
+
+VMware Cloud Director network pools
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ------ | ------------------------------------------------------------------------------------------------------------ |
+| name | string | Network pool name |
+| isBusy | bool | Whether the network pool is busy |
+| networkPoolType | int | Type of network pool (0=Vlan backed network pool; 1=vNI backed network pool;2=Portgroup backed network pool) |
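Review bot: The `networkPoolType` description packs an enum into one cell with inconsistent punctuation and casing: "0=Vlan backed network pool; 1=vNI backed network pool;2=Portgroup backed network pool" is missing the space after the second semicolon and writes "Vlan" and "vNI" where "VLAN" and, presumably, "VNI" are meant. Normalise the spacing and hyphenate ("VLAN-backed"), or move the value list below the table.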
diff --git a/docs/mql/resources/vcd-pack/vcd.organization.ldapsettings.md b/docs/mql/resources/vcd-pack/vcd.organization.ldapsettings.md
new file mode 100644
index 000000000..f7e9cabc5
--- /dev/null
+++ b/docs/mql/resources/vcd-pack/vcd.organization.ldapsettings.md
@@ -0,0 +1,24 @@
+---
+title: vcd.organization.ldapSettings
+id: vcd.organization.ldapSettings
+sidebar_label: vcd.organization.ldapSettings
+displayed_sidebar: MQL
+description: VMware Cloud Director LDAP setting
+---
+
+# vcd.organization.ldapSettings
+
+**Description**
+
+VMware Cloud Director LDAP setting
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ------ | ----------------------------------------------------------------- |
+| id | string | URI of the entity |
+| customUsersOu | string | LDAP attribute-value pair to use for the OU (organizational unit) |
+| orgLdapMode | string | Whether the organization is connected to an LDAP service |
+| hostname | string | Hostname of the LDAP server |
+| username | string | Username to use when logging in to LDAP |
+| realm | string | LDAP realm |
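Review bot: The `orgLdapMode` row is typed `string` but described as "Whether the organization is connected to an LDAP service", so the reader cannot tell which string values to compare against; list them. The table exposes `hostname` and `username` but nothing about how the connection is protected (port, TLS, authentication method); if those are intentionally not exposed, say so, because they are what an LDAP configuration check needs. Also confirm that no password field is returned, and state that on the page.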
diff --git a/docs/mql/resources/vcd-pack/vcd.organization.md b/docs/mql/resources/vcd-pack/vcd.organization.md
new file mode 100644
index 000000000..46e4699fd
--- /dev/null
+++ b/docs/mql/resources/vcd-pack/vcd.organization.md
@@ -0,0 +1,30 @@
+---
+title: vcd.organization
+id: vcd.organization
+sidebar_label: vcd.organization
+displayed_sidebar: MQL
+description: VMware Cloud Director organization resource
+---
+
+# vcd.organization
+
+**Description**
+
+VMware Cloud Director organization resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ----------------------------------------------------------------- | ------------------------------------ |
+| id | string | Organization ID |
+| name | string | Organization name |
+| fullName | string | Organization full name |
+| isEnabled | bool | Whether this organization is enabled |
+| description | string | Organization description |
+| vms | [][vcd.vm](vcd.vm.md) | Virtual machines |
+| rights | [][vcd.right](vcd.right.md) | Rights |
+| vdcs | [][vcd.vdc](vcd.vdc.md) | Virtual data centers (VDCs) |
+| vdcGroups | [][vcd.vdcGroup](vcd.vdcgroup.md) | VDC groups |
+| roles | [][vcd.role](vcd.role.md) | Organization roles |
+| settings | dict | Organization settings |
+| ldapConfiguration | [vcd.organization.ldapSettings](vcd.organization.ldapsettings.md) | Organization LDAP configuration |
diff --git a/docs/mql/resources/vcd-pack/vcd.right.md b/docs/mql/resources/vcd-pack/vcd.right.md
new file mode 100644
index 000000000..07441d13e
--- /dev/null
+++ b/docs/mql/resources/vcd-pack/vcd.right.md
@@ -0,0 +1,25 @@
+---
+title: vcd.right
+id: vcd.right
+sidebar_label: vcd.right
+displayed_sidebar: MQL
+description: VMware Cloud Director available rights
+---
+
+# vcd.right
+
+**Description**
+
+VMware Cloud Director available rights
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ------ | ----------------- |
+| id | string | Right ID |
+| name | string | Right name |
+| description | string | Right description |
+| bundleKey | string | Bundle key |
+| category | string | Category |
+| serviceNamespace | string | Service namespace |
+| rightType | string | Right type |
diff --git a/docs/mql/resources/vcd-pack/vcd.role.md b/docs/mql/resources/vcd-pack/vcd.role.md
new file mode 100644
index 000000000..5722190a0
--- /dev/null
+++ b/docs/mql/resources/vcd-pack/vcd.role.md
@@ -0,0 +1,21 @@
+---
+title: vcd.role
+id: vcd.role
+sidebar_label: vcd.role
+displayed_sidebar: MQL
+description: VMware Cloud Director role
+---
+
+# vcd.role
+
+**Description**
+
+VMware Cloud Director role
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | -------------------- |
+| id | string | ID of the role |
+| name | string | Name of the role |
+| description | string | Optional description |
diff --git a/docs/mql/resources/vcd-pack/vcd.serverinstance.md b/docs/mql/resources/vcd-pack/vcd.serverinstance.md
new file mode 100644
index 000000000..0d6e6f29b
--- /dev/null
+++ b/docs/mql/resources/vcd-pack/vcd.serverinstance.md
@@ -0,0 +1,28 @@
+---
+title: vcd.serverInstance
+id: vcd.serverInstance
+sidebar_label: vcd.serverInstance
+displayed_sidebar: MQL
+description: vCenter server attached to VCD
+---
+
+# vcd.serverInstance
+
+**Description**
+
+vCenter server attached to VCD
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ------ | ---------------------------------------- |
+| name | string | Name of vCenter server |
+| isBusy | bool | Indicates if vCenter server is busy |
+| isEnabled | bool | Indicates if vCenter server is enabled |
+| isSupported | bool | Indicates if vCenter server is supported |
+| listenerState | string | vCenter listener state |
+| status | string | vCenter status |
+| userName | string | User name to connect to the server |
+| vcVersion | string | Version of the vCenter server |
+| uuid | string | Instance UUID of the vCenter server |
+| vsmIP | string | VSM IP |
diff --git a/docs/mql/resources/vcd-pack/vcd.vdc.md b/docs/mql/resources/vcd-pack/vcd.vdc.md
new file mode 100644
index 000000000..3b238f8be
--- /dev/null
+++ b/docs/mql/resources/vcd-pack/vcd.vdc.md
@@ -0,0 +1,28 @@
+---
+title: vcd.vdc
+id: vcd.vdc
+sidebar_label: vcd.vdc
+displayed_sidebar: MQL
+description: VMware Cloud Director organization VDC resource
+---
+
+# vcd.vdc
+
+**Description**
+
+VMware Cloud Director organization VDC resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ------ | ---------------------------------------------------------- |
+| id | string | ID of the VDC |
+| name | string | Name of the VDC |
+| status | int | Creation status of the VDC (0=creating, 1=ready, -1=error) |
+| description | string | Optional description |
+| allocationModel | string | Used allocation model |
+| nicQuota | int | Maximum number of virtual NICs allowed (0=unlimited) |
+| networkQuota | int | Maximum number of network objects allowed (0=unlimited) |
+| usedNetworkCount | int | Number of networks in use for/by this VDC |
+| vmQuota | int | Quota of VMs that can be created in this VDC |
+| isEnabled | bool | Indicates if VDC is enabled for use |
diff --git a/docs/mql/resources/vcd-pack/vcd.vdcgroup.md b/docs/mql/resources/vcd-pack/vcd.vdcgroup.md
new file mode 100644
index 000000000..ed02dd7e3
--- /dev/null
+++ b/docs/mql/resources/vcd-pack/vcd.vdcgroup.md
@@ -0,0 +1,25 @@
+---
+title: vcd.vdcGroup
+id: vcd.vdcGroup
+sidebar_label: vcd.vdcGroup
+displayed_sidebar: MQL
+description: VMware Cloud Director NSX-T VDC groups
+---
+
+# vcd.vdcGroup
+
+**Description**
+
+VMware Cloud Director NSX-T VDC groups
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------------- | ------ | ----------------------------------------------------------------------------------------- |
+| name | string | Name of VDC group |
+| description | string | Description of the VDC group |
+| localEgress | bool | Whether local egress is enabled for a universal router belonging to a universal VDC group |
+| status | string | Status of the VDC group |
+| type | string | VDC group type (LOCAL or UNIVERSAL) |
+| universalNetworkingEnabled | bool | Whether a VDC group router has been created |
+| dfwEnabled | bool | Whether distributed firewall is enabled for the VDC group |
diff --git a/docs/mql/resources/vcd-pack/vcd.vdcprovider.md b/docs/mql/resources/vcd-pack/vcd.vdcprovider.md
new file mode 100644
index 000000000..e7ffe5f0e
--- /dev/null
+++ b/docs/mql/resources/vcd-pack/vcd.vdcprovider.md
@@ -0,0 +1,39 @@
+---
+title: vcd.vdcProvider
+id: vcd.vdcProvider
+sidebar_label: vcd.vdcProvider
+displayed_sidebar: MQL
+description: VMware Cloud Director provider VDC
+---
+
+# vcd.vdcProvider
+
+**Description**
+
+VMware Cloud Director provider VDC
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------------- | ----------------- | ----------------------------------------- |
+| name | string | Name of the provider VDC |
+| status | string | Status of the provider VDC |
+| isBusy | bool | Whether the provider VDC is busy |
+| isDeleted | bool | Whether the provider VDC is deleted |
+| isEnabled | bool | Whether the provider VDC is enabled |
+| cpuAllocationMhz | int | CPU allocation in MHz |
+| cpuLimitMhz | int | CPU limit in MHz |
+| cpuUsedMhz | int | CPU used in MHz |
+| numberOfDatastores | int | Number of datastores |
+| numberOfStorageProfiles | int | Number of storage profiles |
+| numberOfVdcs | int | Number of VDCs |
+| memoryAllocationMB | int | Memory allocation in MB |
+| memoryLimitMB | int | Memory limit in MB |
+| memoryUsedMB | int | Memory used in MB |
+| storageAllocationMB | int | Storage allocation in MB |
+| storageLimitMB | int | Storage limit in MB |
+| storageUsedMB | int | Storage used in MB |
+| cpuOverheadMhz | int | CPU overhead in MHz |
+| storageOverheadMB | int | Storage overhead in MB |
+| memoryOverheadMB | int | Memory overhead in MB |
+| metadata | map[string]string | Key-value pairs for provider VDC metadata |
diff --git a/docs/mql/resources/vcd-pack/vcd.vm.md b/docs/mql/resources/vcd-pack/vcd.vm.md
new file mode 100644
index 000000000..4f6d57a63
--- /dev/null
+++ b/docs/mql/resources/vcd-pack/vcd.vm.md
@@ -0,0 +1,46 @@
+---
+title: vcd.vm
+id: vcd.vm
+sidebar_label: vcd.vm
+displayed_sidebar: MQL
+description: VMware Cloud Director VM resource
+---
+
+# vcd.vm
+
+**Description**
+
+VMware Cloud Director VM resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------------ | ------ | --------------------------------------------------- |
+| id | string | ID for the standalone VM in the VDC |
+| name | string | Name of the standalone VM in the VDC |
+| containerName | string | The name of the containing vApp or vApp template |
+| containerID | string | vApp or vApp template ID |
+| ownerId | string | Owner ID of the VM |
+| ownerName | string | Owner name of the VM |
+| isDeleted | bool | Whether the entity is deleted |
+| guestOs | string | Guest operating system |
+| numberOfCpus | int | Number of CPUs |
+| memoryMB | int | Memory in MB |
+| status | string | Status |
+| networkName | string | Network name |
+| ipAddress | string | IP Address of the VM on the primary network |
+| isBusy | bool | Whether the VM is busy |
+| isDeployed | bool | Whether the VM is deployed |
+| isPublished | bool | Whether the VM is in a published catalog |
+| catalogName | string | Catalog name |
+| hardwareVersion | int | Hardware version |
+| vmToolsStatus | string | VM tools status |
+| isInMaintenanceMode | bool | Whether the VM is in maintenance mode |
+| isAutoNature | bool | Whether the parent vApp is a managed vApp |
+| storageProfileName | string | Storage profile name |
+| gcStatus | string | GC status of this VM |
+| isComputePolicyCompliant | bool | Whether the VM is compliant with the compute policy |
+| encrypted | bool | Whether the VM is encrypted |
+| totalStorageAllocatedMb | int | Total storage allocation in MB |
+| isExpired | bool | Whether the VM's storage lease has expired |
+| hostName | string | ESXi host for this VM |
diff --git a/docs/mql/resources/vsphere-pack/README.md b/docs/mql/resources/vsphere-pack/README.md
new file mode 100644
index 000000000..87905f5a6
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/README.md
@@ -0,0 +1,38 @@
+---
+title: VMware vSphere Resource Pack - MQL Resources
+id: vmware.vsphere.pack
+sidebar_label: VMware vSphere Resource Pack
+displayed_sidebar: MQL
+description: The VMware vSphere resource pack lets you use MQL to query and assess the security of your VMware vSphere hosts and services.
+---
+
+# Mondoo VMware vSphere Resource Pack Reference
+
+In this pack:
+
+| ID | DESCRIPTION |
+| ------------------------------------------------------- | --------------------------------------------------------- |
+| [asset](asset.md) | vSphere asset resource |
+| [audit.cvss](audit.cvss.md) | Common Vulnerability Scoring System (CVSS) score |
+| [esxi](esxi.md) | VMware ESXi resource |
+| [esxi.command](esxi.command.md) | Run a command on ESXi |
+| [esxi.kernelmodule](esxi.kernelmodule.md) | vSphere ESXi kernel module resource |
+| [esxi.ntpconfig](esxi.ntpconfig.md) | vSphere ESXi NTP configuration resource |
+| [esxi.service](esxi.service.md) | vSphere ESXi management service resource |
+| [esxi.timezone](esxi.timezone.md) | vSphere ESXi timezone resource |
+| [esxi.vib](esxi.vib.md) | vSphere installation bundle resource |
+| [platform](platform.md) | vSphere platform resource (deprecated) |
+| [vsphere](vsphere.md) | VMware vSphere resource |
+| [vsphere.cluster](vsphere.cluster.md) | vSphere cluster resource |
+| [vsphere.datacenter](vsphere.datacenter.md) | vSphere datacenter inventory |
+| [vsphere.host](vsphere.host.md) | vSphere ESXi host resource |
+| [vsphere.license](vsphere.license.md) | vSphere license information |
+| [vsphere.vm](vsphere.vm.md) | vSphere VM resource |
+| [vsphere.vmknic](vsphere.vmknic.md) | vSphere ESXi virtual network interface resource |
+| [vsphere.vmnic](vsphere.vmnic.md) | vSphere ESXi physical network interface resource |
+| [vsphere.vswitch.dvs](vsphere.vswitch.dvs.md) | vSphere distributed virtual switch |
+| [vsphere.vswitch.standard](vsphere.vswitch.standard.md) | vSphere standard virtual switch |
+| [vuln.advisory](vuln.advisory.md) | Advisory information |
+| [vuln.cve](vuln.cve.md) | CVE information |
+| [vuln.package](vuln.package.md) | Package information relevant for vulnerability management |
+| [vulnmgmt](vulnmgmt.md) | Vulnerability Information |
diff --git a/docs/mql/resources/vsphere-pack/asset.md b/docs/mql/resources/vsphere-pack/asset.md
new file mode 100644
index 000000000..b22e2f96e
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/asset.md
@@ -0,0 +1,20 @@
+---
+title: asset
+id: asset
+sidebar_label: asset
+displayed_sidebar: MQL
+description: vSphere asset resource
+---
+
+# asset
+
+**Description**
+
+vSphere asset resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------- | ------------------ | ------------------------------------------------------------------------------------------------------------------------------- |
+| cpes | []core.cpe | Common Platform Enumeration (CPE) for the asset |
+| vulnerabilityReport | dict | Advisory & vulnerability report, Will be deprecated in version 10.0; Full advisory & vulnerability report, use vulnmgmt instead |
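Review bot: the `vulnerabilityReport` description reads as two descriptions run together ("Advisory & vulnerability report, Will be deprecated in version 10.0; Full advisory & vulnerability report, use vulnmgmt instead"). Reduce it to one sentence that says what the field holds, then the deprecation notice, and link `vulnmgmt` to vulnmgmt.md the way other cross-references in this pack are linked.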
diff --git a/docs/mql/resources/vsphere-pack/audit.cvss.md b/docs/mql/resources/vsphere-pack/audit.cvss.md
new file mode 100644
index 000000000..4a5077b73
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/audit.cvss.md
@@ -0,0 +1,20 @@
+---
+title: audit.cvss
+id: audit.cvss
+sidebar_label: audit.cvss
+displayed_sidebar: MQL
+description: Common Vulnerability Scoring System (CVSS) score
+---
+
+# audit.cvss
+
+**Description**
+
+Common Vulnerability Scoring System (CVSS) score
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ------ | ----------------------------------------- |
+| score | float | CVSS score ranging from 0.0 to 10.0 |
+| vector | string | CVSS score represented as a vector string |
diff --git a/docs/mql/resources/vsphere-pack/esxi.command.md b/docs/mql/resources/vsphere-pack/esxi.command.md
new file mode 100644
index 000000000..27adccfaa
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/esxi.command.md
@@ -0,0 +1,30 @@
+---
+title: esxi.command
+id: esxi.command
+sidebar_label: esxi.command
+displayed_sidebar: MQL
+description: Run a command on ESXi
+---
+
+# esxi.command
+
+**Supported platform**
+
+- vmware-esxi
+- vmware-vsphere
+
+**Description**
+
+Run a command on ESXi
+
+**Init**
+
+esxi.command(command string)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | -------------- | ---------------------- |
+| inventoryPath | string | vSphere inventory path |
+| command | string | Raw command |
+| result | []dict | Command result |
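Review bot: the Init line `esxi.command(command string)` is the only usage guidance on this page, and nothing says what kind of command string is accepted or what keys the `result` dicts carry. Since this resource runs commands on a host, add an **Examples** section like the one in esxi.md and state what access the scanning account needs for it to work.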
diff --git a/docs/mql/resources/vsphere-pack/esxi.kernelmodule.md b/docs/mql/resources/vsphere-pack/esxi.kernelmodule.md
new file mode 100644
index 000000000..307cdd938
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/esxi.kernelmodule.md
@@ -0,0 +1,33 @@
+---
+title: esxi.kernelmodule
+id: esxi.kernelmodule
+sidebar_label: esxi.kernelmodule
+displayed_sidebar: MQL
+description: vSphere ESXi kernel module resource
+---
+
+# esxi.kernelmodule
+
+**Supported platform**
+
+- vmware-esxi
+- vmware-vsphere
+
+**Description**
+
+vSphere ESXi kernel module resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------------- | ------ | ----------------------------- |
+| name | string | Module name |
+| modulefile | string | Module file location |
+| version | string | Module version |
+| loaded | bool | Flag if the module is loaded |
+| license | string | Module license |
+| enabled | bool | Flag if the module is enabled |
+| signedStatus | string | Module signed status |
+| signatureDigest | string | Module signed digest |
+| signatureFingerprint | string | Module signed fingerprint |
+| vibAcceptanceLevel | string | Module acceptance level |
diff --git a/docs/mql/resources/vsphere-pack/esxi.md b/docs/mql/resources/vsphere-pack/esxi.md
new file mode 100644
index 000000000..f538f1378
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/esxi.md
@@ -0,0 +1,43 @@
+---
+title: esxi
+id: esxi
+sidebar_label: esxi
+displayed_sidebar: MQL
+description: VMware ESXi resource
+---
+
+# esxi
+
+**Supported platform**
+
+- vmware-esxi
+- vmware-vsphere
+
+**Maturity**
+
+deprecated
+
+**Description**
+
+VMware ESXi resource
+
+The `esxi.host` and `esxi.vm` resource is deprecated. Please use `vsphere.host` and `vsphere.vm` instead.
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---- | ------------------------------- | -------------------------------- |
+| host | [vsphere.host](vsphere.host.md) | Current targeted ESXi host |
+| vm | [vsphere.vm](vsphere.vm.md) | Current targeted virtual machine |
+
+**Examples**
+
+Check that all kernel modules are signed
+
+```coffee
+esxi.host {
+ kernelModules {
+ signedStatus == "Signed"
+ }
+}
+```
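Review bot: the example queries `esxi.host`, which the description on this same page says is deprecated in favor of `vsphere.host`. Either rewrite the example against the replacement resource or label it as legacy syntax, so readers do not copy a deprecated form from the page that announces the deprecation. The sentence itself also needs "resources are" instead of "resource is", since it names two resources.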
diff --git a/docs/mql/resources/vsphere-pack/esxi.ntpconfig.md b/docs/mql/resources/vsphere-pack/esxi.ntpconfig.md
new file mode 100644
index 000000000..5de9cab11
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/esxi.ntpconfig.md
@@ -0,0 +1,26 @@
+---
+title: esxi.ntpconfig
+id: esxi.ntpconfig
+sidebar_label: esxi.ntpconfig
+displayed_sidebar: MQL
+description: vSphere ESXi NTP configuration resource
+---
+
+# esxi.ntpconfig
+
+**Supported platform**
+
+- vmware-esxi
+- vmware-vsphere
+
+**Description**
+
+vSphere ESXi NTP configuration resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------ | ---------------- | ---------------------------------------------------------------------------------------------- |
+| id | string | NTP config ID |
+| server | []string | List of time servers, specified as either IP addresses or fully qualified domain names (FQDNs) |
+| config | []string | Content of ntp.conf host configuration file, split by lines |
diff --git a/docs/mql/resources/vsphere-pack/esxi.service.md b/docs/mql/resources/vsphere-pack/esxi.service.md
new file mode 100644
index 000000000..c2d5c76ee
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/esxi.service.md
@@ -0,0 +1,30 @@
+---
+title: esxi.service
+id: esxi.service
+sidebar_label: esxi.service
+displayed_sidebar: MQL
+description: vSphere ESXi management service resource
+---
+
+# esxi.service
+
+**Supported platform**
+
+- vmware-esxi
+- vmware-vsphere
+
+**Description**
+
+vSphere ESXi management service resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ---------------- | ---------------------------------------------------------------------- |
+| key | string | Brief identifier for the service |
+| label | string | Display label for the service |
+| required | bool | Flag indicating whether the service is required and cannot be disabled |
+| uninstallable | bool | Deprecated; always set to false |
+| running | bool | Flag indicating whether the service is currently running |
+| ruleset | []string | Firewall rulesets used by this service |
+| policy | string | Service activation policy |
diff --git a/docs/mql/resources/vsphere-pack/esxi.timezone.md b/docs/mql/resources/vsphere-pack/esxi.timezone.md
new file mode 100644
index 000000000..86a8f5045
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/esxi.timezone.md
@@ -0,0 +1,27 @@
+---
+title: esxi.timezone
+id: esxi.timezone
+sidebar_label: esxi.timezone
+displayed_sidebar: MQL
+description: vSphere ESXi timezone resource
+---
+
+# esxi.timezone
+
+**Supported platform**
+
+- vmware-esxi
+- vmware-vsphere
+
+**Description**
+
+vSphere ESXi timezone resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | ---------------------------- |
+| key | string | Identifier for the time zone |
+| name | string | Time zone name |
+| description | string | Description of the time zone |
+| offset | int | GMT offset |
diff --git a/docs/mql/resources/vsphere-pack/esxi.vib.md b/docs/mql/resources/vsphere-pack/esxi.vib.md
new file mode 100644
index 000000000..7f3b3e20c
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/esxi.vib.md
@@ -0,0 +1,31 @@
+---
+title: esxi.vib
+id: esxi.vib
+sidebar_label: esxi.vib
+displayed_sidebar: MQL
+description: vSphere installation bundle resource
+---
+
+# esxi.vib
+
+**Supported platform**
+
+- vmware-esxi
+- vmware-vsphere
+
+**Description**
+
+vSphere installation bundle resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------------- | ------ | ---------------- |
+| id | string | VIB ID |
+| name | string | Bundle name |
+| acceptanceLevel | string | Acceptance level |
+| creationDate | time | Creation date |
+| installDate | time | Install date |
+| status | string | Bundle status |
+| vendor | string | Bundle vendor |
+| version | string | Bundle version |
diff --git a/docs/mql/resources/vsphere-pack/platform.md b/docs/mql/resources/vsphere-pack/platform.md
new file mode 100644
index 000000000..dcc0bee97
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/platform.md
@@ -0,0 +1,19 @@
+---
+title: platform
+id: platform
+sidebar_label: platform
+displayed_sidebar: MQL
+description: vSphere platform resource (deprecated)
+---
+
+# platform
+
+**Description**
+
+vSphere platform resource (deprecated)
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------------- | ---- | ------------------------------------------------- |
+| vulnerabilityReport | dict | deprecated: use asset.vulnerabilityReport instead |
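Review bot: the description sends readers to `asset.vulnerabilityReport`, but asset.md in this same patch says that field will be deprecated in version 10.0 and to use `vulnmgmt` instead. Point this entry straight at `vulnmgmt` so the deprecation chain has one hop, not two.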
diff --git a/docs/mql/resources/vsphere-pack/vsphere.cluster.md b/docs/mql/resources/vsphere-pack/vsphere.cluster.md
new file mode 100644
index 000000000..3d5c774f3
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/vsphere.cluster.md
@@ -0,0 +1,28 @@
+---
+title: vsphere.cluster
+id: vsphere.cluster
+sidebar_label: vsphere.cluster
+displayed_sidebar: MQL
+description: vSphere cluster resource
+---
+
+# vsphere.cluster
+
+**Supported platform**
+
+- vmware-esxi
+- vmware-vsphere
+
+**Description**
+
+vSphere cluster resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ----------------------------------------- | --------------------------------- |
+| moid | string | vSphere managed object ID |
+| name | string | vSphere resource name |
+| inventoryPath | string | vSphere inventory path |
+| properties | dict | Cluster properties |
+| hosts | [][vsphere.host](vsphere.host.md) | ESXi hosts running in the cluster |
diff --git a/docs/mql/resources/vsphere-pack/vsphere.datacenter.md b/docs/mql/resources/vsphere-pack/vsphere.datacenter.md
new file mode 100644
index 000000000..7211f3031
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/vsphere.datacenter.md
@@ -0,0 +1,29 @@
+---
+title: vsphere.datacenter
+id: vsphere.datacenter
+sidebar_label: vsphere.datacenter
+displayed_sidebar: MQL
+description: vSphere datacenter inventory
+---
+
+# vsphere.datacenter
+
+**Supported platform**
+
+- vmware-esxi
+- vmware-vsphere
+
+**Description**
+
+vSphere datacenter inventory
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ------------- | ----------------------------------------------- | -------------------------- |
+| moid | string | vSphere managed object ID |
+| name | string | vSphere datacenter name |
+| inventoryPath | string | vSphere inventory path |
+| hosts | [][vsphere.host](vsphere.host.md) | Hosts in the datacenter |
+| vms | [][vsphere.vm](vsphere.vm.md) | VMs in the datacenter |
+| clusters | [][vsphere.cluster](vsphere.cluster.md) | Clusters in the datacenter |
diff --git a/docs/mql/resources/vsphere-pack/vsphere.host.md b/docs/mql/resources/vsphere-pack/vsphere.host.md
new file mode 100644
index 000000000..171340214
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/vsphere.host.md
@@ -0,0 +1,67 @@
+---
+title: vsphere.host
+id: vsphere.host
+sidebar_label: vsphere.host
+displayed_sidebar: MQL
+description: vSphere ESXi host resource
+---
+
+# vsphere.host
+
+**Supported platform**
+
+- vmware-esxi
+- vmware-vsphere
+
+**Description**
+
+vSphere ESXi host resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------------- | ----------------------------------------------------------------- | ---------------------------------------------------------- |
+| moid | string | vSphere managed object ID |
+| name | string | vSphere resource name |
+| inventoryPath | string | vSphere inventory path |
+| properties | dict | ESXi properties |
+| standardSwitch | [][vsphere.vswitch.standard](vsphere.vswitch.standard.md) | Standard virtual switches |
+| distributedSwitch | [][vsphere.vswitch.dvs](vsphere.vswitch.dvs.md) | Distributed virtual switches |
+| adapters | [][vsphere.vmnic](vsphere.vmnic.md) | Physical NICs currently installed and loaded on the system |
+| vmknics | [][vsphere.vmknic](vsphere.vmknic.md) | Virtual network interface that is used by the VMKernel |
+| packages | [][esxi.vib](esxi.vib.md) | All VIBs installed on your ESXi host |
+| acceptanceLevel | string | Host-level VIB acceptance level |
+| kernelModules | [][esxi.kernelmodule](esxi.kernelmodule.md) | Kernel modules (drivers) on ESXi |
+| advancedSettings | map[string]string | ESXi host advanced settings |
+| services | [][esxi.service](esxi.service.md) | List of ESXi management services |
+| timezone | [esxi.timezone](esxi.timezone.md) | Host timezone settings |
+| ntp | [esxi.ntpconfig](esxi.ntpconfig.md) | Host NTP configuration |
+| snmp | map[string]string | Host SNMP configuration |
+
+**Examples**
+
+Verify the Software AcceptanceLevel for ESXi host
+
+```coffee
+// targeting a single ESXi host
+esxi.host {
+ acceptanceLevel == 'VMwareCertified' || acceptanceLevel == 'VMwareAccepted' || acceptanceLevel == 'PartnerSupported'
+}
+
+// targeting the vSphere API
+vsphere.datacenters {
+ hosts {
+ acceptanceLevel == 'VMwareCertified' || acceptanceLevel == 'VMwareAccepted' || acceptanceLevel == 'PartnerSupported'
+ }
+}
+```
+
+Verify that each vib is "VMwareCertified" or "VMwareAccepted"
+
+```coffee
+esxi.host {
+ packages {
+ acceptanceLevel == 'VMwareCertified' || acceptanceLevel == 'VMwareAccepted' || acceptanceLevel == 'PartnerSupported'
+ }
+}
+```
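Review bot: the second example's caption says each VIB must be "VMwareCertified" or "VMwareAccepted", but the query also passes `acceptanceLevel == 'PartnerSupported'`, so the check is weaker than the text promises. Either drop the third clause or add PartnerSupported to the caption. Both examples also use `esxi.host`, which esxi.md in this patch marks as deprecated in favor of `vsphere.host`.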
diff --git a/docs/mql/resources/vsphere-pack/vsphere.license.md b/docs/mql/resources/vsphere-pack/vsphere.license.md
new file mode 100644
index 000000000..41fd87eeb
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/vsphere.license.md
@@ -0,0 +1,26 @@
+---
+title: vsphere.license
+id: vsphere.license
+sidebar_label: vsphere.license
+displayed_sidebar: MQL
+description: vSphere license information
+---
+
+# vsphere.license
+
+**Supported platform**
+
+- vmware-esxi
+- vmware-vsphere
+
+**Description**
+
+vSphere license information
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----- | ------ | -------------- |
+| name | string | License name |
+| total | int | Total licenses |
+| used | int | Used licenses |
diff --git a/docs/mql/resources/vsphere-pack/vsphere.md b/docs/mql/resources/vsphere-pack/vsphere.md
new file mode 100644
index 000000000..b6d8483c1
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/vsphere.md
@@ -0,0 +1,66 @@
+---
+title: vsphere
+id: vsphere
+sidebar_label: vsphere
+displayed_sidebar: MQL
+description: VMware vSphere resource
+---
+
+# vsphere
+
+**Supported platform**
+
+- vmware-esxi
+- vmware-vsphere
+
+**Description**
+
+VMware vSphere resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ----------------------------------------------------- | ---------------------------------------------------------------------- |
+| about | dict | System information including the name, type, version, and build number |
+| licenses | [][vsphere.license](vsphere.license.md) | Configured licenses |
+| datacenters | [][vsphere.datacenter](vsphere.datacenter.md) | List of available datacenter |
+
+**Examples**
+
+Display Information about the vSphere environment
+
+```coffee
+vsphere.about
+```
+
+Display ESXi host moid and properties
+
+```coffee
+vsphere.datacenters { hosts { moid properties } }
+```
+
+Display NTP server for all ESXi hosts
+
+```coffee
+vsphere.datacenters { hosts { ntp.server } }
+```
+
+Ensure a specific NTP Server is set
+
+```coffee
+vsphere.datacenters { hosts { ntp.server.any(_ == "10.31.21.2") } }
+```
+
+Ensure specific VmkNics properties for all management VmkNics
+
+```coffee
+vsphere.datacenters {
+ hosts {
+ vmknics.where(tags == "Management") {
+ properties['Enabled'] == true
+ properties['MTU'] == 1500
+ properties['VDSName'] != /(?i)storage/
+ }
+ }
+}
+```
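Review bot: in "Ensure a specific NTP Server is set", `ntp.server.any(_ == "10.31.21.2")` only asserts that the address is present, so a host that also lists an unapproved time server still passes. Say so in the caption, or show an `all(...)` variant for the case where only approved servers are allowed, and mark the address as a placeholder to replace. In the Fields table, "List of available datacenter" should be plural.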
diff --git a/docs/mql/resources/vsphere-pack/vsphere.vm.md b/docs/mql/resources/vsphere-pack/vsphere.vm.md
new file mode 100644
index 000000000..80940eb6b
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/vsphere.vm.md
@@ -0,0 +1,28 @@
+---
+title: vsphere.vm
+id: vsphere.vm
+sidebar_label: vsphere.vm
+displayed_sidebar: MQL
+description: vSphere VM resource
+---
+
+# vsphere.vm
+
+**Supported platform**
+
+- vmware-esxi
+- vmware-vsphere
+
+**Description**
+
+vSphere VM resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------------- | ----------------- | ----------------------------------- |
+| moid | string | vSphere managed object ID |
+| name | string | vSphere resource name |
+| inventoryPath | string | vSphere inventory path |
+| properties | dict | Virtual machine properties |
+| advancedSettings | map[string]string | Virtual machine advanced properties |
diff --git a/docs/mql/resources/vsphere-pack/vsphere.vmknic.md b/docs/mql/resources/vsphere-pack/vsphere.vmknic.md
new file mode 100644
index 000000000..d20dbfb6d
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/vsphere.vmknic.md
@@ -0,0 +1,28 @@
+---
+title: vsphere.vmknic
+id: vsphere.vmknic
+sidebar_label: vsphere.vmknic
+displayed_sidebar: MQL
+description: vSphere ESXi virtual network interface resource
+---
+
+# vsphere.vmknic
+
+**Supported platform**
+
+- vmware-esxi
+- vmware-vsphere
+
+**Description**
+
+vSphere ESXi virtual network interface resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ---------------- | --------------------- |
+| name | string | Interface name |
+| properties | dict | Interface properties |
+| ipv4 | []dict | IPv4 information |
+| ipv6 | []dict | IPv6 information |
+| tags | []string | Network interface tag |
diff --git a/docs/mql/resources/vsphere-pack/vsphere.vmnic.md b/docs/mql/resources/vsphere-pack/vsphere.vmnic.md
new file mode 100644
index 000000000..c927dd890
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/vsphere.vmnic.md
@@ -0,0 +1,27 @@
+---
+title: vsphere.vmnic
+id: vsphere.vmnic
+sidebar_label: vsphere.vmnic
+displayed_sidebar: MQL
+description: vSphere ESXi physical network interface resource
+---
+
+# vsphere.vmnic
+
+**Supported platform**
+
+- vmware-esxi
+- vmware-vsphere
+
+**Description**
+
+vSphere ESXi physical network interface resource
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | ------ | ----------------------------------------- |
+| name | string | NIC name |
+| properties | dict | NIC properties |
+| details | dict | Generic configuration of a network device |
+| pauseParams | dict | NIC pause parameters |
diff --git a/docs/mql/resources/vsphere-pack/vsphere.vswitch.dvs.md b/docs/mql/resources/vsphere-pack/vsphere.vswitch.dvs.md
new file mode 100644
index 000000000..81e611582
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/vsphere.vswitch.dvs.md
@@ -0,0 +1,26 @@
+---
+title: vsphere.vswitch.dvs
+id: vsphere.vswitch.dvs
+sidebar_label: vsphere.vswitch.dvs
+displayed_sidebar: MQL
+description: vSphere distributed virtual switch
+---
+
+# vsphere.vswitch.dvs
+
+**Supported platform**
+
+- vmware-esxi
+- vmware-vsphere
+
+**Description**
+
+vSphere distributed virtual switch
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | ------------------------------------------- | ----------------------------------------------------- |
+| name | string | Virtual switch name |
+| properties | dict | Virtual switch properties |
+| uplinks | [][vsphere.vmnic](vsphere.vmnic.md) | List of physical NICs currently configured as uplinks |
diff --git a/docs/mql/resources/vsphere-pack/vsphere.vswitch.standard.md b/docs/mql/resources/vsphere-pack/vsphere.vswitch.standard.md
new file mode 100644
index 000000000..8173adcb8
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/vsphere.vswitch.standard.md
@@ -0,0 +1,29 @@
+---
+title: vsphere.vswitch.standard
+id: vsphere.vswitch.standard
+sidebar_label: vsphere.vswitch.standard
+displayed_sidebar: MQL
+description: vSphere standard virtual switch
+---
+
+# vsphere.vswitch.standard
+
+**Supported platform**
+
+- vmware-esxi
+- vmware-vsphere
+
+**Description**
+
+vSphere standard virtual switch
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ------------------------------------------- | ----------------------------------------------------- |
+| name | string | Virtual switch name |
+| properties | dict | Virtual switch properties |
+| failoverPolicy | dict | NIC teaming policy |
+| securityPolicy | dict | Security policy |
+| shapingPolicy | dict | Shaping policy |
+| uplinks | [][vsphere.vmnic](vsphere.vmnic.md) | List of physical NICs currently configured as uplinks |
diff --git a/docs/mql/resources/vsphere-pack/vuln.advisory.md b/docs/mql/resources/vsphere-pack/vuln.advisory.md
new file mode 100644
index 000000000..c39edc833
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/vuln.advisory.md
@@ -0,0 +1,24 @@
+---
+title: vuln.advisory
+id: vuln.advisory
+sidebar_label: vuln.advisory
+displayed_sidebar: MQL
+description: Advisory information
+---
+
+# vuln.advisory
+
+**Description**
+
+Advisory information
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ----------- | --------------------------- | ------------------------------------- |
+| id | string | Advisory ID |
+| title | string | Title of the advisory |
+| description | string | Description of the advisory |
+| published | time | Advisory publication date |
+| modified | time | Last modification date |
+| worstScore | [audit.cvss](audit.cvss.md) | Worst CVSS score of all assigned CVEs |
diff --git a/docs/mql/resources/vsphere-pack/vuln.cve.md b/docs/mql/resources/vsphere-pack/vuln.cve.md
new file mode 100644
index 000000000..855230229
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/vuln.cve.md
@@ -0,0 +1,25 @@
+---
+title: vuln.cve
+id: vuln.cve
+sidebar_label: vuln.cve
+displayed_sidebar: MQL
+description: CVE information
+---
+
+# vuln.cve
+
+**Description**
+
+CVE information
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| ---------- | --------------------------- | ------------------------------------- |
+| id | string | CVE ID |
+| state | string | CVE state |
+| summary | string | Summary description |
+| unscored | bool | Whether the CVE has a CVSS score |
+| published | time | Publication date |
+| modified | time | Last modification date |
+| worstScore | [audit.cvss](audit.cvss.md) | Worst CVSS score of all assigned CVEs |
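Review bot: The `unscored` description, "Whether the CVE has a CVSS score", reads as the opposite of the field name. If `true` means no score is available, say "Whether the CVE lacks a CVSS score" so that filters on this field are not written backwards. The `worstScore` description, "Worst CVSS score of all assigned CVEs", is copied from vuln.advisory.md and does not fit a single CVE; describe what the score is for one CVE.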
diff --git a/docs/mql/resources/vsphere-pack/vuln.package.md b/docs/mql/resources/vsphere-pack/vuln.package.md
new file mode 100644
index 000000000..1d147936d
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/vuln.package.md
@@ -0,0 +1,22 @@
+---
+title: vuln.package
+id: vuln.package
+sidebar_label: vuln.package
+displayed_sidebar: MQL
+description: Package information relevant for vulnerability management
+---
+
+# vuln.package
+
+**Description**
+
+Package information relevant for vulnerability management
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| --------- | ------ | ---------------------------- |
+| name | string | Package name |
+| version | string | Package version |
+| available | string | Available package version |
+| arch | string | Architecture of this package |
diff --git a/docs/mql/resources/vsphere-pack/vulnmgmt.md b/docs/mql/resources/vsphere-pack/vulnmgmt.md
new file mode 100644
index 000000000..412e1b256
--- /dev/null
+++ b/docs/mql/resources/vsphere-pack/vulnmgmt.md
@@ -0,0 +1,23 @@
+---
+title: vulnmgmt
+id: vulnmgmt
+sidebar_label: vulnmgmt
+displayed_sidebar: MQL
+description: Vulnerability Information
+---
+
+# vulnmgmt
+
+**Description**
+
+Vulnerability Information
+
+**Fields**
+
+| ID | TYPE | DESCRIPTION |
+| -------------- | ------------------------------------------- | --------------------------------------------------- |
+| cves | [][vuln.cve](vuln.cve.md) | List of all CVEs affecting the asset |
+| advisories | [][vuln.advisory](vuln.advisory.md) | List of all Advisories affecting the asset |
+| packages | [][vuln.package](vuln.package.md) | List of all packages affected by vulnerabilities |
+| lastAssessment | time | Last time the vulnerability information was updated |
+| stats | [audit.cvss](audit.cvss.md) | Statistics about the vulnerabilities |
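Review bot: `stats` is typed as a single [audit.cvss](audit.cvss.md), the same type vuln.cve and vuln.advisory use for `worstScore`, yet it is described as "Statistics about the vulnerabilities". Please confirm the type, or say what that one score represents for the asset. Also, "Advisories" in the `advisories` row should be lowercase to match the `packages` row.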
diff --git a/docs/platform/compliance/customize/_category_.json b/docs/platform/compliance/customize/_category_.json
new file mode 100644
index 000000000..27aa2d035
--- /dev/null
+++ b/docs/platform/compliance/customize/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Customize Compliance",
+ "position": 3
+}
diff --git a/docs/platform/compliance/customize/_custom-frameworks.mdx b/docs/platform/compliance/customize/_custom-frameworks.mdx
new file mode 100644
index 000000000..e69de29bb
diff --git a/docs/platform/compliance/customize/exceptions-checks.mdx b/docs/platform/compliance/customize/exceptions-checks.mdx
new file mode 100644
index 000000000..b088d3d47
--- /dev/null
+++ b/docs/platform/compliance/customize/exceptions-checks.mdx
@@ -0,0 +1,115 @@
+---
+title: Snooze or Disable Checks
+sidebar_label: Snooze or Disable Checks
+sidebar_position: 4
+description: Snooze or disable a check in a framework to customize how Mondoo evaluates your compliance with that framework
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+_Exceptions_ let you customize how Mondoo evaluates your compliance with a framework and communicate the reasons for that customization. They tell Mondoo to exclude certain [checks](/platform/compliance/monitor/frameworks/) when calculating your progress toward full compliance. There are two types of exceptions for checks:
+
+- _Snooze_ a check to temporarily or indefinitely exclude its results from your overall compliance progress percentage. Snoozing is useful when you intend to comply with a check eventually but don't want it distracting your team right now.
+
+- _Disable_ a check to instruct Mondoo to exclude it from your compliance score and explain this exclusion to your team. A check remains disabled unless you re-enable it.
+
+:::info
+
+When you snooze or disable a check, you snooze or disable it for the entire space. A check exception applies to the policy containing the check and impacts all compliance frameworks that use the check.
+
+To learn about frameworks, policies, controls, and checks, read [Enable Compliance Frameworks](/platform/compliance/monitor/frameworks/).
+
+:::
+
+:::tip
+
+You can also snooze or disable an entire control in a Framework. To learn more, read [Snooze or Disable Controls](/platform/compliance/customize/exceptions/).
+
+:::
+
+## Snooze or disable a check
+
+1. In the [Mondoo Console](https://console.mondoo.com), [navigate](/platform/start/navigate/) to the space you want to customize.
+
+ ![Space in the Mondoo Console](/img/platform/security/monitor-org.png)
+
+2. In the side navigation bar, under **Compliance**, select **Frameworks**.
+
+ ![Compliance in the Mondoo Console](/img/platform/compliance/home.png)
+
+3. Select the framework you want to customize and scroll down to the list of controls.
+
+ ![Controls in a compliance framework in the Mondoo Console](/img/platform/compliance/controls.png)
+
+4. Select the control containing the check you want to snooze or disable and then select the **Checks** tab.
+
+5. Select the box beside the check you want to snooze or disable.
+
+ ![Check in the Mondoo Console](/img/platform/compliance/select-check.png)
+
+6. Select the **SET EXCEPTION** button.
+
+ ![Mondoo compliance - set an exception](/img/platform/compliance/set-exception-check.png)
+
+7. Select whether to **Snooze** or **Disable** the checks.
+
+ If you select Snooze, select how long to snooze the check. Select **Indefinitely** to keep the check snoozed unless you un-snooze it.
+
+8. Write a justification for the exception.
+
+9. Select the **SAVE EXCEPTION** button.
+
+## Approve or reject an exception
+
+Exceptions take effect the moment they're added. However, as an extra tracking step, a team member can approve or reject an exception:
+
+- Approving an exception allows it to remain.
+
+- Rejecting an exception removes it and re-enables/unsnoozes the check.
+
+To approve or reject an exception:
+
+1. In the [Mondoo Console](https://console.mondoo.com), [navigate](/platform/start/navigate/) to the space you want to work in.
+
+ ![Space in the Mondoo Console](/img/platform/security/monitor-org.png)
+
+2. In the side navigation bar, select **Compliance**.
+
+ ![Compliance in the Mondoo Console](/img/platform/compliance/home.png)
+
+3. Select the framework you want to work in and scroll down to the list of controls.
+
+ ![Compliance framework in the Mondoo Console](/img/platform/compliance/controls.png)
+
+4. Select the control containing the check you want to snooze or disable and then select the **Exceptions** tab.
+
+ ![Exception on a check in the Mondoo Console](/img/platform/compliance/checks-with-exception.png)
+
+5. Find the snoozed or disabled check you want to approve or reject.
+
+ ![Accept or reject a check exception in the Mondoo Console](/img/platform/compliance/accept-reject.png)
+
+6. Select the **Reject** button to remove the exception, or select the **Approve** button to keep the exception with your approval.
+
+## Un-snooze or re-enable a check
+
+1. In the [Mondoo Console](https://console.mondoo.com), [navigate](/platform/start/navigate/) to the space you want to work in.
+
+ ![Space in the Mondoo Console](/img/platform/security/monitor-org.png)
+
+2. In the side navigation bar, select **Compliance**.
+
+ ![Compliance in the Mondoo Console](/img/platform/compliance/home.png)
+
+3. Select the framework you want to work in and scroll down to the list of controls.
+
+4. Select the control containing the check you want to un-snooze or re-enable and select the **Checks** tab.
+
+ ![Compliance framework in the Mondoo Console](/img/platform/compliance/checks-with-exception.png)
+
+5. Select the snoozed or disabled check you want to un-snooze or re-enable.
+
+ ![Compliance check in the Mondoo Console](/img/platform/compliance/re-enable-check.png)
+
+6. Select the **REMOVE EXCEPTION AND ENABLE** button and then confirm the action by selecting the **YES, ENABLE THE CHECK** button.
+
+---
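Review bot: Step 4 under "Approve or reject an exception" still reads "the check you want to snooze or disable", copied from the first procedure; it should refer to the check whose exception you want to approve or reject. Step 2 in that section and in "Un-snooze or re-enable a check" says "select **Compliance**", while the first procedure says "under **Compliance**, select **Frameworks**"; use one wording. Step 7 says "the checks" although step 5 selects a single check. Because the page states that exceptions take effect the moment they're added and that approval is only a tracking step, it would also help to say who is allowed to set and to approve an exception.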
diff --git a/docs/platform/compliance/customize/exceptions.mdx b/docs/platform/compliance/customize/exceptions.mdx
new file mode 100644
index 000000000..24d265a98
--- /dev/null
+++ b/docs/platform/compliance/customize/exceptions.mdx
@@ -0,0 +1,137 @@
+---
+title: Snooze or Disable Controls
+sidebar_label: Snooze or Disable Controls
+sidebar_position: 3
+description: Snooze or disable a control in a framework to customize how Mondoo evaluates your compliance with that framework
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+_Exceptions_ let you customize how Mondoo evaluates your compliance with a framework and communicate the reasons for that customization.
+
+Exceptions tell Mondoo to exclude certain [controls](/platform/compliance/monitor/frameworks/) when calculating your progress toward full compliance. There are two types of exceptions for controls:
+
+- _Snooze_ a control to temporarily or indefinitely exclude its results from your overall compliance progress percentage. Snoozing is useful when you intend to comply with a control eventually but don't want it distracting your team right now. You can write a note justifying the delay to your team and your auditor.
+
+- _Disable_ a control to instruct Mondoo to exclude it from your compliance score and explain this exclusion to team. A control remains disabled unless you re-enable it.
+
+:::tip
+
+To exclude a control entirely from the compliance report to your auditor, [set it out of scope](/platform/compliance/customize/scope/).
+
+:::
+
+:::tip
+
+You can also snooze or disable individual checks within a control. To learn more, read [Snooze or Disable Checks](/platform/compliance/customize/exceptions-checks/).
+
+:::
+
+## Snooze or disable a control
+
+1. In the [Mondoo Console](https://console.mondoo.com), [navigate](/platform/start/navigate/) to the space you want to customize.
+
+ ![Space in the Mondoo Console](/img/platform/security/monitor-org.png)
+
+2. In the side navigation bar, under **Compliance**, select **Frameworks**.
+
+ ![Compliance in the Mondoo Console](/img/platform/compliance/home.png)
+
+3. Select the framework you want to customize and scroll down to the list of controls.
+
+ ![Compliance framework in the Mondoo Console](/img/platform/compliance/controls.png)
+
+4. Select the control you want to snooze or disable. Mondoo displays a page with control details.
+
+ ![Control in the Mondoo Console](/img/platform/compliance/control.png)
+
+5. In the top-right corner, select the **SET EXCEPTION** button.
+
+ ![Mondoo compliance - set an exception](/img/platform/compliance/set-exception-2.png)
+
+6. Select whether to **Snooze** or **Disable** the controls.
+
+ If you select Snooze, select how long to snooze the control. Select **Indefinitely** to keep the control snoozed unless you un-snooze it.
+
+7. Write a justification for the exception.
+
+8. Select the **SAVE EXCEPTION** button.
+
+## Snooze or disable multiple controls at once
+
+1. In the [Mondoo Console](https://console.mondoo.com), [navigate](/platform/start/navigate/) to the space you want to customize.
+
+ ![Space in the Mondoo Console](/img/platform/security/monitor-org.png)
+
+2. In the side navigation bar, under **Compliance**, select **Frameworks**.
+
+ ![Compliance in the Mondoo Console](/img/platform/compliance/home.png)
+
+3. Select the framework you want to customize and scroll down to the list of controls.
+
+ ![Compliance framework in the Mondoo Console](/img/platform/compliance/controls.png)
+
+4. Check the boxes to the left of the controls you want to snooze or disable.
+
+ ![Mondoo compliance - select controls](/img/platform/compliance/select-controls.png)
+
+5. Select the **SET EXCEPTION** button.
+
+ ![Mondoo compliance - set an exception](/img/platform/compliance/set-exception.png)
+
+6. Select whether to **Snooze** or **Disable** the controls.
+
+ If you select Snooze, select how long to snooze the control. Select **Indefinitely** to keep the control snoozed unless you un-snooze it.
+
+7. Write a justification for the exception.
+
+8. Select the **SAVE EXCEPTION** button.
+
+## Approve or reject an exception
+
+Exceptions take effect the moment they're added. However, as an extra tracking step, a team member can approve or reject an exception:
+
+- Approving an exception allows it to remain.
+
+- Rejecting an exception removes it and re-enables/unsnoozes the control.
+
+To approve or reject an exception:
+
+1. In the [Mondoo Console](https://console.mondoo.com), [navigate](/platform/start/navigate/) to the space you want to work in.
+
+ ![Space in the Mondoo Console](/img/platform/security/monitor-org.png)
+
+2. In the side navigation bar, select **Compliance**.
+
+ ![Compliance in the Mondoo Console](/img/platform/compliance/home.png)
+
+3. Select the framework you want to work in and scroll down to the list of controls.
+
+ ![Compliance framework in the Mondoo Console](/img/platform/compliance/controls.png)
+
+4. Select the snoozed or disabled control you want to approve or reject.
+
+ ![Compliance control in the Mondoo Console](/img/platform/compliance/accept-reject.png)
+
+5. Select the **Reject** button to remove the exception, or select the **Approve** button to keep the exception with your approval.
+
+## Un-snooze or re-enable a control
+
+1. In the [Mondoo Console](https://console.mondoo.com), [navigate](/platform/start/navigate/) to the space you want to work in.
+
+ ![Space in the Mondoo Console](/img/platform/security/monitor-org.png)
+
+2. In the side navigation bar, select **Compliance**.
+
+ ![Compliance in the Mondoo Console](/img/platform/compliance/home.png)
+
+3. Select the framework you want to work in and scroll down to the list of controls.
+
+ ![Compliance framework in the Mondoo Console](/img/platform/compliance/controls.png)
+
+4. Select the snoozed or disabled control you want to un-snooze or re-enable.
+
+ ![Compliance control in the Mondoo Console](/img/platform/compliance/control-snoozed.png)
+
+5. Select **Delete Exception and Enable**.
+
+---
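Review bot: The _Disable_ bullet in the intro reads "explain this exclusion to team"; it is missing "your" (exceptions-checks.mdx has "to your team"). In "Snooze or disable a control", step 6 says "the controls" although step 4 selects a single control. The last step of "Un-snooze or re-enable a control" names the button "**Delete Exception and Enable**", while exceptions-checks.mdx uses "**REMOVE EXCEPTION AND ENABLE**" in capitals followed by a confirmation; check both labels against the console and use the same casing as the other buttons. The navigation step also alternates between "select **Compliance**" and "under **Compliance**, select **Frameworks**" within this file.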
diff --git a/docs/platform/compliance/customize/overview.mdx b/docs/platform/compliance/customize/overview.mdx
new file mode 100644
index 000000000..ad70e1c39
--- /dev/null
+++ b/docs/platform/compliance/customize/overview.mdx
@@ -0,0 +1,15 @@
+---
+title: Customize Compliance - Overview
+sidebar_label: Overview
+sidebar_position: 1
+description: Customize how Mondoo assesses your compliance with major frameworks
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Because every business, organization, and space has unique needs and requirements, Mondoo lets you customize your compliance.
+
+- Define the [_scope_](/platform/compliance/customize/scope) of your compliance audit: If your auditor doesn't need data about a certain control, you can set the control out of scope.
+
+- Set an _exception_ to exclude a [control](/platform/compliance/customize/exceptions) or [check](/platform/compliance/customize/exceptions-checks) temporarily or indefinitely from your compliance score and communicate the decision with your team. To focus your team on complying with the highest priority benchmarks, snooze the lower priorities for now. Or if certain requirements in a framework don't make sense for your space, disable them and provide an explanation why.
+
+---
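Review bot: The three internal links in the bullets (`/platform/compliance/customize/scope`, `/exceptions`, `/exceptions-checks`) have no trailing slash, while every other page in this patch links to the same targets with one (for example `/platform/compliance/customize/scope/`). Add the trailing slash so the links are consistent and do not depend on a redirect.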
diff --git a/docs/platform/compliance/customize/scope.mdx b/docs/platform/compliance/customize/scope.mdx
new file mode 100644
index 000000000..4adb6b82c
--- /dev/null
+++ b/docs/platform/compliance/customize/scope.mdx
@@ -0,0 +1,61 @@
+---
+title: Define the Scope of Your Compliance Audit
+sidebar_label: Define Scope
+sidebar_position: 2
+description: Set a control in a framework out of scope if it's not a part of your compliance audit
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+If a certain control in a framework is not part of your compliance audit, you can set it _out of scope_. Mondoo excludes out-of-scope controls when calculating your overall progress toward compliance with the framework and when generating your [compliance report](/platform/compliance/monitor/progress/#generate-a-compliance-report).
+
+All controls in a framework are in scope by default. You set a control out of scope for a [space](/platform/start/organize/spaces/). In all other spaces, the control remains in scope.
+
+:::tip
+
+Setting a control out of scope hides it entirely from your auditor. To exclude a control from your compliance score but include it in the report to your auditor with a justification, [disable or snooze the control](/platform/compliance/customize/exceptions/).
+
+:::
+
+## Set a control out of scope
+
+1. In the [Mondoo Console](https://console.mondoo.com), [navigate](/platform/start/navigate/) to the space you want to customize.
+
+ ![Space in the Mondoo Console](/img/platform/security/monitor-org.png)
+
+2. In the side navigation bar, under **Compliance**, select **Frameworks**.
+
+ ![Compliance in the Mondoo Console](/img/platform/compliance/home.png)
+
+3. Select the framework you want to customize and scroll down to the list of controls.
+
+ ![Compliance framework in the Mondoo Console](/img/platform/compliance/controls.png)
+
+4. Check the box beside the control you want to set out of scope.
+
+ ![Compliance framework in the Mondoo Console with a control selected](/img/platform/compliance/control-selected.png)
+
+5. Select the **SET OUT OF SCOPE** button. Mondoo removes the control from the scope of your compliance framework for the space.
+
+ ![Compliance framework in the Mondoo Console with a control out of scope](/img/platform/compliance/out-of-scope.png)
+
+## Set an out-of-scope control back in scope
+
+1. In the [Mondoo Console](https://console.mondoo.com), [navigate](/platform/start/navigate/) to the space you want to customize.
+
+ ![Space in the Mondoo Console](/img/platform/security/monitor-org.png)
+
+2. In the side navigation bar, under **Compliance**, select **Frameworks**.
+
+ ![Compliance in the Mondoo Console](/img/platform/compliance/home.png)
+
+3. Select the framework you want to customize and scroll down to the list of controls.
+
+ ![Compliance framework in the Mondoo Console with a control out of scope](/img/platform/compliance/out-of-scope.png)
+
+4. Check the box beside the out-of-scope control you want to set in scope.
+
+ ![Compliance framework in the Mondoo Console with an out-of-scope control selected](/img/platform/compliance/set-in-scope.png)
+
+5. Select the **SET IN SCOPE** button. Mondoo restores the control to the scope of your compliance framework for the space.
+
+---
diff --git a/docs/platform/compliance/monitor/_category_.json b/docs/platform/compliance/monitor/_category_.json
new file mode 100644
index 000000000..21f34f1a2
--- /dev/null
+++ b/docs/platform/compliance/monitor/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Monitor Compliance",
+ "position": 2
+}
diff --git a/docs/platform/compliance/monitor/frameworks.mdx b/docs/platform/compliance/monitor/frameworks.mdx
new file mode 100644
index 000000000..68fbcbd1a
--- /dev/null
+++ b/docs/platform/compliance/monitor/frameworks.mdx
@@ -0,0 +1,114 @@
+---
+title: Enable Compliance Frameworks
+sidebar_label: Enable Frameworks
+sidebar_position: 2
+description: Mondoo continuously assesses your compliance with major frameworks
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+import controlsChecks from "/img/platform/compliance/controls-checks.png";
+import controlsChecksPolicies from "/img/platform/compliance/controls-checks-policies.png";
+
+To get started monitoring your infrastructure's compliance, you must choose the _frameworks_ you want to comply with. A framework is a set of published requirements (or guidelines) you want your organization to meet. These requirements are best practices and security measures that help make your systems secure.
+
+Some frameworks are required for organizations doing business in certain industries and nations or with government agencies. Examples:
+
+- BIS C5 is mandatory for public cloud services provided to German federal agencies.
+
+- HIPAA is a required framework for health care organizations in the USA.
+
+Other frameworks are voluntary but may be important to your customers or partners. Examples:
+
+- Many American businesses require SOC 2 compliance for all their partners and vendors.
+
+- PCI DSS is a globally accepted framework for protecting cardholders against misuse of personal information. Compliance with this framework is a worldwide standard.
+
+Frameworks are documents that describe the practices and guidelines that the publishing organization requires or recommends. For example, the Center for Internet Security (CIS) publishes the framework CIS Critical Security Controls (known as CIS Controls). Here is one example of the many requirements documented this framework:
+
+_Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum._
+
+If you want your organization to reach CIS Controls compliance, you must meet this requirement. But how do you take a general guideline like this and demonstrate that all of the assets in your immense infrastructure follow the practice? How do you prove that every system complies with it?
+
+## Compliance frameworks in Mondoo
+
+Mondoo breaks down and codifies compliance frameworks in order to automate continuous evidence collection and reporting. Mondoo's security team makes this possible by:
+
+1. Analyzing each written requirement in the compliance framework to determine how the requirement applies to different platforms.
+
+2. Identifying the practices and settings that different types of assets must follow to meet the requirement.
+
+3. Codifying these practices into _Mondoo frameworks_, which are used to automatically collect evidence.
+
+Based on these codified frameworks, Mondoo programmatically collects the data needed to evaluate the compliance of every asset in your infrastructure.
+
+### Controls and checks
+
+In Mondoo, each overarching requirement is called a _control_. Some examples of controls are:
+
+- Establish and maintain a secure network architecture
+
+- Log sensitive data access
+
+- Configure trusted DNS servers on enterprise assets
+
+A Mondoo framework is made up of controls that match the broad guidelines in the published framework document.
+
+Each control maps to one or more _checks_, the individual practices and settings that assets must follow. Checks tell Mondoo's query engine what evidence to collect about individual assets.
+
+
+
+For example, the Center for Internet Security's CIS Controls framework includes this control: "Implement and manage a firewall on end-user devices." Mondoo's security team analyzed the control and identified nearly 200 checks for different types of end-user devices. These are just a few examples:
+
+- On Ubuntu devices, install Uncomplicated Firewall (UFW)
+
+- On Ubuntu devices, configure iptables to deny incoming traffic by default
+
+- On Windows 11 devices, set the Windows Firewall to block incoming connections by default
+
+- On Windows 12 devices, log when Windows Firewall drops an incoming packet
+
+- On macOS 12 devices, enable firewall stealth mode
+
+- On Red Hat 9 devices, employ a single firewall configuration utility
+
+When you enable a compliance framework, you tell Mondoo to verify all of the checks in all of the controls in that framework.
+
+## Enable a compliance framework
+
+By default, for every space in your organization, all frameworks are in _preview_. Preview means that Mondoo collects data for the controls in a framework but doesn't provide an overall score.
+
+Enable a framework to calculate a score that represents your progress toward 100% compliance with that framework.
+
+1. In the [Mondoo Console](https://console.mondoo.com), [navigate](/platform/start/navigate/) to the space for which you want to assess compliance progress.
+
+ ![Space in the Mondoo Console](/img/platform/security/monitor-org.png)
+
+2. In the side navigation bar, under **Compliance**, select **Frameworks**.
+
+ ![Compliance in the Mondoo Console](/img/platform/compliance/home.png)
+
+3. Select the framework you want to comply with.
+
+ ![Compliance framework in the Mondoo Console](/img/platform/compliance/preview.png)
+
+4. To enable the framework, select the large toggle near the top-right corner of the framework page.
+
+5. Follow the steps in the next section to enable the policies that the framework relies on.
+
+## Enable policies for a compliance framework
+
+Frameworks don't contain checks; they contain controls. Each control maps to one or more checks, which exist in Mondoo policies. For Mondoo to perform the many checks required by a framework, you must enable the [policies](/platform/security/posture/pac/) that contain the checks.
+
+
+
+The controls in a framework typically map to checks in many different policies. In the CIS Controls example in the previous section, the single control, _Implement and manage a firewall on end-user devices_, maps to checks in different Ubuntu policies, macOS policies, Windows policies, and more. For the CIS Controls framework to accurately assess the compliance of all these different types of devices, each of those policies must be enabled.
+
+After you enable a framework, Mondoo tells you which policies you must enable in order to measure compliance with that framework.
+
+![Recommended policies for a framework](/img/platform/compliance/recommended.png)
+
+To enable a policy, hover over the policy and select the Enable icon.
+
+![Enable a recommended policy for a framework](/img/platform/compliance/enable-recommended.png)
+
+---
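Review bot: "BIS C5" in the first list of examples should be "BSI C5"; C5 is published by the German Federal Office for Information Security (BSI). In the list of firewall checks, "On Windows 12 devices" names a Windows version that does not exist, so please confirm which version that check targets. "Here is one example of the many requirements documented this framework" is missing "in".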
diff --git a/docs/platform/compliance/monitor/overview.mdx b/docs/platform/compliance/monitor/overview.mdx
new file mode 100644
index 000000000..fc9cebf04
--- /dev/null
+++ b/docs/platform/compliance/monitor/overview.mdx
@@ -0,0 +1,27 @@
+---
+title: Manage Compliance - Overview
+sidebar_label: Overview
+sidebar_position: 1
+description: Mondoo continuously assesses your compliance with major frameworks
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Mondoo continuously evaluates your compliance with major frameworks, including SOC 2 Type II, PCI DSS, HIPAA, and many more. It assesses all of your assets based on the framework's requirements and provides real-time success and failure data. You always know:
+
+- How close your infrastructure is to 100% compliance
+
+- Which guidelines within the framework you currently do and don't meet
+
+- What changes you must make (to which assets) to reach compliance
+
+Because Mondoo automatically and continuously collects the data required to assess compliance, you don't face extra labor and frustrating surprises at audit time. Evidence of compliance is available to you at all times.
+
+Mondoo takes compliance framework documentation (the written requirements or guidelines) and translates it into code that evaluates the assets in your infrastructure. It checks whether each asset meets each applicable requirement and reports the results in real time.
+
+To evaluate your organization's compliance with industry-standard regulatory frameworks, you must:
+
+- [Enable the frameworks](/platform/compliance/monitor/frameworks/) you need to comply with and the policies they require
+
+- [Gather evidence](/platform/compliance/monitor/progress/) of compliance or identify the changes required
+
+---
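Review bot: The title "Manage Compliance - Overview" does not match the section label "Monitor Compliance" set in this directory's `_category_.json`; use the same verb in both. The `description` is also identical to the one in frameworks.mdx ("Mondoo continuously assesses your compliance with major frameworks"), so give one of the two pages its own description.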
diff --git a/docs/platform/compliance/monitor/progress.mdx b/docs/platform/compliance/monitor/progress.mdx
new file mode 100644
index 000000000..a93e62260
--- /dev/null
+++ b/docs/platform/compliance/monitor/progress.mdx
@@ -0,0 +1,103 @@
+---
+title: Gather Evidence of Compliance
+sidebar_label: Gather Evidence
+sidebar_position: 3
+description: Mondoo always shows your level of compliance with major frameworks
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Mondoo continuously assesses your compliance. At any time, you can:
+
+- View up-to-date information on whether your infrastructure complies with your chosen [frameworks](/platform/compliance/monitor/frameworks/)
+
+- See a space's overall compliance and drill down into the details for different [controls, checks](/platform/compliance/monitor/frameworks/), and assets
+
+- Generate a report to export or print evidence of (or progress toward) compliance
+
+## View a space's compliance progress
+
+Mondoo expresses overall compliance as a percentage. A space is compliant with a framework only when it reaches 100%. Lower percentages show _progress_ toward full compliance.
+
+View a space's progress toward compliance with all available frameworks on the Compliance page:
+
+1. In the [Mondoo Console](https://console.mondoo.com), [navigate](/platform/start/navigate/) to the space where you want to enable the policies.
+
+ ![Space in the Mondoo Console](/img/platform/security/monitor-org.png)
+
+2. In the side navigation bar, under **Compliance**, select **Frameworks**.
+
+ ![Compliance in the Mondoo Console](/img/platform/compliance/home.png)
+
+ The Compliance page shows all available frameworks and the space's progress toward compliance with each of them.
+
+## View evidence of compliance
+
+From the Compliance Frameworks page, you can select a framework to learn more about the space's compliance with that framework.
+
+![Compliance in the Mondoo Console](/img/platform/compliance/framework.png)
+
+**COMPLETION** shows overall progress toward compliance.
+
+**CONTROL DISTRIBUTION** shows a high-level view of the state of controls in the framework: enabled, snoozed, and disabled. To learn about control states, read [Customize Compliance](/platform/compliance/customize/overview/).
+
+Using the tabs in the lower portion of the framework page, you can drill down into different details.
+
+- The **Controls** tab lists all the controls in the framework. You can see your progress on each control and select a control to see details on the checks it maps to.
+
+- The **Policies** tab lists all the policies that contain the checks this framework maps to. You can enable, snooze, and disable policies.
+
+- The **Assets** tab shows the compliance progress of all the assets in the space. You can select an asset to view its details.
+
+- The **Exceptions** tab shows any customization you've created for the framework. To learn more, read [Customize Compliance](/platform/compliance/customize/overview/).
+
+## Generate a compliance report
+
+To provide evidence to auditors, you can generate a report on a space's compliance with an entire framework or an individual control. Mondoo creates reports in PDF format.
+
+![Mondoo compliance report - framework](/img/platform/compliance/report-framework.png)
+
+![Mondoo compliance report - controls](/img/platform/compliance/report-controls.png)
+
+1. In the [Mondoo Console](https://console.mondoo.com), [navigate](/platform/start/navigate/) to the space for which you want to generate a compliance report.
+
+ ![Space in the Mondoo Console](/img/platform/security/monitor-org.png)
+
+2. In the side navigation bar, under **Compliance**, select **Frameworks**.
+
+ ![Compliance in the Mondoo Console](/img/platform/compliance/home.png)
+
+3. Select the framework for which you want to create a compliance report.
+
+ If you want to create a report on a single control, select the control in the **Controls** table.
+
+4. To the right of the framework or control title, select the **Generate Report** (download symbol) icon.
+
+ ![Generate a Mondoo compliance report](/img/platform/compliance/report-icon.png)
+
+5. Enter a name for the report and select the **GENERATE REPORT** button.
+
+ ![Name a Mondoo compliance report](/img/platform/compliance/report-dialog.png)
+
+6. Select the **VIEW REPORTS** button to go to the Compliance Reports page. It can take some time for Mondoo to generate a PDF with all the requested compliance data. If the new report is still in progress, you can leave and return to the Compliance Reports page later to retrieve it.
+
+ ![Mondoo compliance reports](/img/platform/compliance/reports-page.png)
+
+## Delete compliance reports
+
+1. In the [Mondoo Console](https://console.mondoo.com), [navigate](/platform/start/navigate/) to the space for which you want to delete a compliance report.
+
+ ![Space in the Mondoo Console](/img/platform/security/monitor-org.png)
+
+2. In the side navigation bar, under **Compliance**, select **Reports**.
+
+ ![Mondoo compliance reports](/img/platform/compliance/reports-page.png)
+
+3. Select the trash can icon on the row of the report you want to delete.
+
+:::tip
+
+To delete multiple reports at once, check the boxes next to the reports and then select the **DELETE** button.
+
+:::
+
+---
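Review bot: Step 1 of the procedure at the top of this hunk sends the reader to the space "where you want to enable the policies", but this procedure only views framework progress; it reads as copied from a policy page and should say something like "the space whose compliance you want to view". In "Delete compliance reports", the `:::tip` block follows step 3 without the indentation the images in the list use, so check how it renders. That section also does not say whether a deleted report can be recovered or must be regenerated, which matters because the page positions these PDFs as evidence for auditors.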
diff --git a/docs/platform/compliance/overview.mdx b/docs/platform/compliance/overview.mdx
new file mode 100644
index 000000000..60ecd9fa5
--- /dev/null
+++ b/docs/platform/compliance/overview.mdx
@@ -0,0 +1,19 @@
+---
+title: Continuous Compliance - Overview
+sidebar_label: Overview
+sidebar_position: 1
+description: Rely on Mondoo to assess and customize your compliance with major frameworks
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Mondoo eases your path to compliance with standard frameworks like SOC 2 Type II, PCI DSS, HIPAA, ISO 270001, and many more. It automates the time-consuming labor of evidence collection and continuously monitors your progress toward 100% compliance.
+
+With Mondoo, you always have a real-time evaluation of your compliance. From a high-level view of overall success to detailed evidence, the information you need is at your fingertips.
+
+To learn more, read [Manage Compliance](/platform/compliance/monitor/overview/).
+
+Because every organization is different, Mondoo lets you customize your compliance evaluation. If certain requirements don't apply to you, set exceptions to ignore them. If your team isn't yet ready to meet certain requirements, snooze them while you concentrate on higher priorities.
+
+To learn more, read [Customize Compliance](/platform/compliance/customize/overview/).
+
+---
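Review bot: The opening paragraph lists "ISO 270001"; the standard is ISO 27001, so the extra zero should go. In the fourth paragraph, "set exceptions to ignore them" and "snooze them" are introduced without saying how they affect the completion percentage described elsewhere in this patch; one clause on that, or a pointer to where it is explained, would help readers who hand these numbers to auditors.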
diff --git a/docs/platform/home.md b/docs/platform/home.md
new file mode 100644
index 000000000..2302a3c0d
--- /dev/null
+++ b/docs/platform/home.md
@@ -0,0 +1,49 @@
+---
+title: "Mondoo Platform Docs"
+hide_title: true
+description: Mondoo Platform documentation home
+image: /img/featured_img/mondoo-feature.jpg
+hide_table_of_contents: true
+---
+
+![Mondoo Platform Docs](/img/platform/mondoo-logo-plat.png)
+
+Mondoo's flagship SaaS platform provides full-stack security, compliance, and asset intelligence for your entire cloud and on-premises infrastructure.
+
+#### Get started
+
+- [What Is Mondoo?](/platform/start/plat-what-is/)
+
+- [Create a Mondoo Account](/platform/start/plat-start-acct/)
+
+- [Plan your Mondoo Organization](/platform/start/organize/overview/)
+
+#### [Integrate Your Infrastructure with Mondoo](/platform/infra/overview/)
+
+- [Cloud and Kubernetes](/platform/infra/cloud/overview/)
+
+- [SaaS](/platform/infra/saas/overview/)
+
+- [Software Supply Chain](/platform/infra/supply/overview/)
+
+- [Servers and Endpoints](/platform/infra/opsys/osoverview/)
+
+### [Secure Your Infrastructure](/platform/security/overview/)
+
+### [Reach Continuous Compliance](/platform/compliance/overview/)
+
+### [Gain Asset Intelligence](/platform/intel/overview/)
+
+### [Manage Mondoo](/platform/maintain/overview/)
+
+- [Manage Access to Mondoo](/platform/maintain/overview/)
+
+- [Export Mondoo Data](/platform/maintain/export/overview/)
+
+- [Create Jira Issues from the Mondoo Console](/platform/maintain/jira/)
+
+### Help
+
+Can't find what you need? Join our [community Slack channel](https://mondoo.link/slack) to chat with us and other Mondoo users.
+
+---
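Review bot: Heading levels are inconsistent: "Get started" and "Integrate Your Infrastructure with Mondoo" use `####`, while "Secure Your Infrastructure" and the sections after it use `###`, so the page outline will nest oddly; pick one level for all top-level sections. Under "Manage Mondoo", the bullet "Manage Access to Mondoo" links to `/platform/maintain/overview/`, the same target as its parent heading, which looks like a placeholder rather than the access-management page.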
diff --git a/docs/platform/infra/cloud/_category_.json b/docs/platform/infra/cloud/_category_.json
new file mode 100644
index 000000000..5d332a01c
--- /dev/null
+++ b/docs/platform/infra/cloud/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Cloud",
+ "position": 2
+}
diff --git a/docs/platform/infra/cloud/aws/_aws-client-service.mdx b/docs/platform/infra/cloud/aws/_aws-client-service.mdx
new file mode 100644
index 000000000..28789a822
--- /dev/null
+++ b/docs/platform/infra/cloud/aws/_aws-client-service.mdx
@@ -0,0 +1,6 @@
+---
+title: AWS Instance Scanning with cnspec
+sidebar_label: Scanning with cnspec
+sidebar_position: 6
+description: This document covers scanning AWS instances running cnspec running as a service
+---
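Review bot: The `description` repeats a word ("scanning AWS instances running cnspec running as a service") and the file contains front matter only, with no body. If this is meant to be a partial (the underscore prefix suggests so), the `sidebar_label` and `sidebar_position` fields have no effect and can be dropped; if it is meant to be a page, it needs content and a file name without the leading underscore.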
diff --git a/docs/platform/infra/cloud/aws/_aws-incl-ic.mdx b/docs/platform/infra/cloud/aws/_aws-incl-ic.mdx
new file mode 100644
index 000000000..e4c936a87
--- /dev/null
+++ b/docs/platform/infra/cloud/aws/_aws-incl-ic.mdx
@@ -0,0 +1,12 @@
+cnspec lets you remotely scan EC2 instances using EC2 Instance Connect:
+
+1. Open a terminal.
+2. Set the `AWS_REGION` environment variable where the instance is running.
+3. Run: `cnspec scan aws ec2 instance-connect USER@HOST`
+
+| For... | Substitute... |
+| ------ | --------------------------------------- |
+| USER | Your user name for the AWS account |
+| HOST | The instance's public IP address or DNS |
+
+To learn about configuring EC2 instances with EC2 Instance Connect, read [Connect to your Linux instance using EC2 Instance Connect](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html) in the AWS documentation.
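Review bot: Step 2 is ambiguous: "Set the `AWS_REGION` environment variable where the instance is running" can be read as setting it on the instance. Suggest "Set the `AWS_REGION` environment variable to the region where the instance is running". In the substitution table, USER is described as "Your user name for the AWS account"; please confirm whether this should instead be the operating system login on the instance, since `USER@HOST` is the form of an SSH target, and give an example value either way.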
diff --git a/docs/platform/infra/cloud/aws/_category_.json b/docs/platform/infra/cloud/aws/_category_.json
new file mode 100644
index 000000000..8021aa3dc
--- /dev/null
+++ b/docs/platform/infra/cloud/aws/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "AWS",
+ "position": 2
+}
diff --git a/docs/platform/infra/cloud/aws/aws-ebs-snapshot-scan.mdx b/docs/platform/infra/cloud/aws/aws-ebs-snapshot-scan.mdx
new file mode 100644
index 000000000..e865e7e4d
--- /dev/null
+++ b/docs/platform/infra/cloud/aws/aws-ebs-snapshot-scan.mdx
@@ -0,0 +1,119 @@
+---
+title: Scan an EBS Snapshot
+sidebar_label: Scan an EBS Snapshot
+sidebar_position: 9
+description: This document covers the configuration and use of the Mondoo AWS Integration to scan AWS accounts and EC2 Instances
+---
+
+Mondoo can scan your EBS volume snapshots to evaluate the security and compliance of Linux-based EC2 instances. It doesn't require an agent or any connection to the instance that could impact your business applications.
+
+Snapshot scanning with Mondoo relies on [cnspec](/cnspec/cnspec-about/), Mondoo's CLI security tool.
+
+## Scan EBS volumes
+
+### Create a VM for EBS volume scanning
+
+1. Spin up a small EC2 instance (for example an Amazon Linux instance with the type `t2.micro`) where you'll attach the EBS snapshot.
+
+![](/img/platform/infra/cloud/aws/aws-ec2-instance-for-ebs-volume-scan.png)
+
+2. [Install cnspec on the new instance](/cnspec/) and [register it in the Mondoo Console](/cnspec/cnspec-platform/).
+
+### Create an IAM policy for EBS volume scanning
+
+1. Log into the AWS console.
+2. Navigate to **IAM**.
+3. In the side navigation, select **Policies**.
+4. Select the **Create policy** button.
+5. Under **Specify permissions** select **JSON**, add the following block and select "Next":
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:DetachVolume",
+ "ec2:DeleteVolume",
+ "ec2:DeleteSnapshot"
+ ],
+ "Resource": "*",
+ "Effect": "Allow"
+ },
+ {
+ "Action": [
+ "ec2:CreateSnapshot",
+ "ec2:CreateVolume",
+ "ec2:CopySnapshot",
+ "ec2:CreateTags",
+ "ec2:DescribeInstances",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeSnapshots",
+ "kms:Decrypt",
+ "kms:ReEncryptTo",
+ "kms:GenerateDataKeyWithoutPlaintext",
+ "kms:DescribeKey",
+ "kms:ReEncryptFrom"
+ ],
+ "Resource": "*",
+ "Effect": "Allow"
+ },
+ {
+ "Condition": {
+ "Bool": {
+ "kms:GrantIsForAWSResource": "true"
+ }
+ },
+ "Action": "kms:CreateGrant",
+ "Resource": "*",
+ "Effect": "Allow"
+ }
+ ]
+}
+```
+
+6. Under **Policy details** -> **Policy name** give the policy a name such as **ebs-scanning-mondoo**, assign tags and a description to the role (if you want), and then select **Create policy**.
+
+![](/img/platform/infra/cloud/aws/ssm/aws-ebs-scan-policy.png)
+
+### Create an IAM role for EBS volume scanning
+
+1. Log into the AWS console.
+2. Navigate to **IAM**.
+3. Select **Roles**.
+4. Select **Create Role**.
+5. For the **Trust entity type**, select **AWS service** and for the **Use case**, select **EC2**, the select the "Next" button.
+6. Search for **ebs** in the **Filter policies** box, select the policy you just created **ebs-scanning-mondoo**, and then select the "Next" button.
+7. Under **Role details** in the field "Role name" give the role a name **ebs**, assign tags and a description to the role (if you want), and then select **Create role**.
+
+![](/img/platform/infra/cloud/aws/ssm/aws-ebs-scan-role.png)
+
+### Attach the new IAM role (`ebs`) to your new EC2 instance.
+
+Your new role is ready for use and can be attached to existing EC2 instances, or to new EC2 instances as an [instance profile](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) when launching new instances.
+
+![](/img/platform/infra/cloud/aws/aws-attach-ebs-iam-role.png)
+
+### Using your new EC2 instance for scanning
+
+1. Log into your new EC2 instance.
+
+2. Scan a snapshot from your new instance:
+
+```bash
+cnspec scan aws ec2 ebs snapshot SNAPSHOT_ID
+```
+
+For SNAPSHOT_ID, substitute the ID of the snapshot, for example `snap-123456b123a123da2` .
+
+## Learn more
+
+| To learn about... | Read... |
+| --------------------------- | -------------------------------------------------------------------------- |
+| Scanning with AWS SSM | [Scan Using AWS Systems Manager](/platform/infra/cloud/aws/aws-ssm-scan/) |
+| Scanning from a workstation | [Scan from a Workstation](/platform/infra/cloud/aws/aws-workstation-scan/) |
+| Continuous AWS scanning | [Continuously Scan AWS](/platform/infra/cloud/aws/aws-integration-scan/) |
+| cnspec | [The cnspec documentation](/cnspec/cnspec-about/) |
+
+---
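Review bot: The first statement of the IAM policy grants `ec2:AttachVolume`, `ec2:DetachVolume`, `ec2:DeleteVolume` and `ec2:DeleteSnapshot` on `"Resource": "*"` with no condition, so the scanner instance role can detach or delete any volume or snapshot in the account. The FAQ added in this same patch says the integration's equivalent role limits exactly these four actions to resources tagged `Created By: Mondoo`; if cnspec tags the volumes and snapshots it creates, add the matching tag condition here, and if it does not, say so in the text so readers know the scope they are granting. The `kms:*` actions in the second statement are likewise on `*` and could be narrowed to the keys that encrypt the snapshots being scanned. Smaller points: the front matter `description` is the AWS integration description rather than one for snapshot scanning, step 6 of the policy section says "to the role" while creating a policy, and step 5 of the role section has "the select" for "then select".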
diff --git a/docs/platform/infra/cloud/aws/aws-ec2-ic-scan.mdx b/docs/platform/infra/cloud/aws/aws-ec2-ic-scan.mdx
new file mode 100644
index 000000000..044437e61
--- /dev/null
+++ b/docs/platform/infra/cloud/aws/aws-ec2-ic-scan.mdx
@@ -0,0 +1,23 @@
+---
+title: Scan Using EC2 Instance Connect
+sidebar_label: Scan Using EC2 Instance Connect
+sidebar_position: 8
+image: /img/featured_img/mondoo-aws.jpg
+description: This document covers the configuration and use of EC2 Instance Connect to scan EC2 instances.
+---
+
+import Partial from "./_aws-incl-ic.mdx";
+
+{" "}
+
+## Learn more
+
+| To learn about... | Read... |
+| --------------------------- | -------------------------------------------------------------------------- |
+| Scanning with AWS SSM | [Scan Using AWS Systems Manager](/platform/infra/cloud/aws/aws-ssm-scan/) |
+| Scanning from a workstation | [Scan from a Workstation](/platform/infra/cloud/aws/aws-workstation-scan/) |
+| Snapshot scanning | [Scan an EBS Snapshot](/platform/infra/cloud/aws/aws-ebs-snapshot-scan/) |
+| Continuous AWS scanning | [Continuously Scan AWS](/platform/infra/cloud/aws/aws-integration-scan/) |
+| cnspec | [The cnspec documentation](/cnspec/cnspec-about/) |
+
+---
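Review bot: The page imports `Partial` from "./_aws-incl-ic.mdx" but never renders it; the body has `{" "}` where `<Partial />` would be expected, so the page will show only the "Learn more" table and none of the Instance Connect steps. Replace the `{" "}` line with the component so the import is used.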
diff --git a/docs/platform/infra/cloud/aws/aws-integration-faq.mdx b/docs/platform/infra/cloud/aws/aws-integration-faq.mdx
new file mode 100644
index 000000000..b31f10a96
--- /dev/null
+++ b/docs/platform/infra/cloud/aws/aws-integration-faq.mdx
@@ -0,0 +1,147 @@
+---
+title: AWS Integration FAQ
+sidebar_label: Integration FAQ
+image: /img/featured_img/mondoo-aws.jpg
+description: This document covers how the Mondoo AWS integration works. It includes permissions and billing details.
+sidebar_position: 3
+---
+
+## How does the Mondoo AWS integration work?
+
+Mondoo Platform never has credentials to your AWS account.
+
+We install a Lambda function in your AWS account via the CloudFormation template, and communicate with that Lambda function over AWS EventBridge. The Lambda function communicates with Mondoo using service credentials stored in the SSM Parameter Store.
+
+## Why does the Mondoo integration need to create resources in my AWS account?
+
+The resources created in your AWS account are used to run and schedule configuration and EC2 instance scans. Those resources are low-cost, limited to a Lambda function, SNS topic, SQS Queues, some IAM roles, EventBridge rules, and SSM parameters. If using the EBS volume scanning feature, an Autoscaling Group and launch template will also be created.
+
+## How does the integration communicate from my AWS account to Mondoo Platform?
+
+On CloudFormation stack creation, a short-lived token is exchanged for Mondoo credentials. Those credentials are stored in the SSM Parameter store and used by the Lambda function and SSM instances in the AWS account to communicate with Mondoo Platform over HTTPS.
+
+## Choose to integrate an organization or an account
+
+If you've set up your AWS organization according to [AWS standard practices](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tutorials_basic.html), create an organization integration for ease of use.
+
+Before deploying, check the configuration of your AWS organization as described in [Requirements for deploying the Mondoo StackSet at the organization level](/platform/infra/cloud/aws/aws-integration-troubleshooting#requirements-for-deploying-the-mondoo-stackset-at-the-organization-level).
+
+## What information will leave my AWS Account?
+
+Scan report results only.
+
+## What information will Mondoo Platform store about my AWS resources?
+
+Mondoo Platform stores the latest report for all scanned assets in the AWS account (the reports viewable under **Inventory**) as well as the total counts of various resources in the AWS account, displayed on the Integration detail page.
+
+## Is the communication channel between Mondoo Platform and my AWS account secure?
+
+Yes, Mondoo communicates with your AWS account using [AWS EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-account.html). The Eventbus policy and rule are created as part of the CloudFormation stack.
+
+## What permissions will the resources created by Mondoo request?
+
+There are three IAM roles created during the CloudFormation install:
+
+- MondooLambdaRole
+ Lambda function role enable AWS account scanning, includes:
+
+ - managed policy: arn:aws:iam::aws:policy/ReadOnlyAccess
+ - managed policy: arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
+ - managed policy: arn:aws:iam::aws:policy/AmazonEC2FullAccess
+ - limited to resources tagged with `Created By: Mondoo`:
+ - events:PutRule,
+ events:DeleteRule,
+ events:TagResource,
+ iam:CreateRole,
+ iam:CreateServiceLinkedRole,
+ iam:PutRolePolicy,
+ iam:AttachRolePolicy,iam:DetachRolePolicy,iam:DeleteRolePolicy,iam:TagRole
+ - unrestricted: cloudformation:UpdateStack,events:PutTargets, events:RemoveTargets,iam:PassRole,secretsmanager:GetSecretValue,ssm:GetParameter
+ - limited to RunShellScript and RunPowershellScript documents: ssm:SendCommand
+ - limited to Mondoo-\* SSM parameters: ssm:PutParameter,ssm:DeleteParameter,ssm:AddTagsToResource
+ - limited to Mondoo-created SQS queue:sqs:SendMessage,sqs:DeleteMessage,sqs:SetQueueAttributes
+ - limited to Mondoo-created SNS topic:sns:SetTopicAttributes,sns:TagResource
+ - limited to Mondoo Lambda function: lambda:UpdateFunctionConfiguration,lambda:GetFunctionConfiguration,lambda:AddPermission,lambda:UpdateFunctionCode,lambda:InvokeFunction
+
+- MondooEventBusRole
+ Eventbus role to allow Mondoo AWS account to send messages to your AWS account, includes:
+
+ - events:PutEvents on the default event bus
+ - sts:AssumeRole on events.amazonaws.com
+
+- EBSVolumeScanningInstancePolicy
+ Role to be used by the scanner instances in the autoscaling group if EBS volume scanning is active, includes:
+ - limited to resources tagged with `Created By: Mondoo`: ec2:AttachVolume,ec2:DetachVolume,ec2:DeleteVolume,ec2:DeleteSnapshot
+ - unrestricted: ec2:CreateSnapshot,ec2:CreateVolume,ec2:CopySnapshot,ec2:CreateTags,ec2:DescribeInstances,ec2:DescribeVolumes,ec2:DescribeSnapshots,kms:Decrypt,kms:ReEncryptTo,kms:GenerateDataKeyWithoutPlaintext,kms:DescribeKey,kms:ReEncryptFrom
+
+## What specific resources will the Mondoo integration create in my AWS account?
+
+During install (CloudFormation):
+
+The Mondoo AWS CloudFormation stack creates these resources:
+
+- Lambda function
+- SNS topic/subscription (tells Mondoo about CloudFormation stack status)
+- EventBridge rule (lets Mondoo AWS talk to your AWS)
+- IAM roles/policies (for the Lambda function, the ASG instances, and the EventBridge bus)
+- SQS queue (for queueing scan jobs)
+
+All resources are tagged with:
+
+```
+Created By: Mondoo
+Mondoo Integration Mrn:
+```
+
+Created by the Lambda function:
+
+- SSM parameters (to store the env configuration and credentials to communicate with Mondoo Platform)
+- EventBridge rules (to track aws events and set up cron events)
+- Launch configuration template & autoscaling group (only if using ebs volume scanning)
+
+## How do I update to the latest Lambda version?
+
+The Lambda function updates itself every 24 hours. It updates the AWS CloudFormation stack and the Lambda function code to the latest available from the Mondoo S3 bucket.
+
+There is a safeguard in place to ensure that the Lambda function only updates itself to the expected build: When new versions of the Lambda function and CloudFormation JSON files are uploaded to S3 during the release process, the SHA-256 of those files is recorded and stored in a place accessible to the Mondoo server.
+
+Every time the Lambda function updates, it first reads the SHA-256 of each file in the target S3 bucket and compares that to the expected (stored) hash. If the SHA-256 doesn't match, the Lambda doesn't update. Mondoo support receives an alert when this occurs.
+
+## What happens if I delete the CloudFormation stack?
+
+When the CloudFormation stack is deleted, the lambda function receives a notification and immediately deletes all AWS resources created by Mondoo. Mondoo Platform UI will display the integration as deleted. No data will be lost in Mondoo Platform. A CloudFormation stack can be deleted and recreated multiple times.
+
+## How much will operating the Mondoo AWS Integration cost?
+
+Most of the costs associated with the Mondoo AWS Integration fall into the free tier category. Over the course of a month, an example AWS Integration incurred this resource usage:
+
+- CloudWatch PutLogs: 1GB (First 5GB per month of log data ingested is free)
+- CloudWatch TimedStorage: 0.16GB (First 5GB-mo per month of logs storage is free)
+- CloudWatch Events: 8,000 64k chunk events ($1.00 per million EventBridge custom events received)
+- Lambda-GB-Seconds: 76,000 seconds (Compute Free Tier - 400,000 GB-Seconds)
+- Lambda Request: 11,000 requests (Requests Free Tier - 1,000,000 Requests)
+- SNS HTTP: 2,000 notifications (First 100,000 Amazon SNS HTTP/HTTPS Notifications per month are free)
+- SNS requests: 3,000 requests (First 1,000,000 Amazon SNS API Requests per month are free)
+- SQS requests: 626,000 requests (First 1,000,000 Amazon SQS Requests per month are free)
+- Simple Storage Service--Tier1: 257 requests ($0.00 per request - PUT, COPY, POST, or LIST requests under the monthly global free tier)
+- Simple Storage Service--Tier2: 41 requests ($0.00 per request - GET and all other requests under the monthly global free tier)
+
+## What do you about rate limiting?
+
+We spread out scan jobs to prevent too many calls to the EC2 and SSM apis. If the Lambda function encounters a rate limiting error, it automatically pauses all scan jobs for 15 minutes.
+
+## Can I see what runs?
+
+The AWS CloudFormation JSON and Lambda zip are available as part of the Mondoo S3 bucket:
+
+- [Mondoo StackSet CloudFormation](https://s3.amazonaws.com/mondoo-dev.us-east-1/mondoo-lambda-stackset-cf.json) (applies only to AWS Organization-level installations)
+- [Mondoo Stack CloudFormation](https://s3.amazonaws.com/mondoo.us-east-1/mondoo-root-cf.json) (applies only to single-account installations)
+- [Nested Stack CloudFormation](https://s3.amazonaws.com/mondoo.us-east-1/mondoo-lambda-cf.json) (applies only to single-account installations)
+- [Lambda Zip](https://s3.amazonaws.com/mondoo-dev.us-east-1/mondoo-lambda.zip)
+
+## Learn more
+
+- [AWS Integration Troubleshooting](/docs/platform/infra/cloud/aws/aws-integration-troubleshooting)
+- [Scan Continuously with an AWS Integration](/docs/platform/infra/cloud/aws/aws-integration-scan)
+
+---
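Review bot: In "Can I see what runs?", the StackSet template and the Lambda zip link to the `mondoo-dev.us-east-1` bucket while the other two templates link to `mondoo.us-east-1`; readers who audit these artifacts need the ones actually deployed, so confirm the bucket names and make them consistent. In the permissions section, "There are three IAM roles" is followed by a third entry named `EBSVolumeScanningInstancePolicy`, which reads as a policy rather than a role, and the MondooLambdaRole entry lists `iam:PassRole` and `secretsmanager:GetSecretValue` as unrestricted without saying why; a short justification for each would fit a FAQ whose purpose is explaining permissions. Also: the heading "What do you about rate limiting?" is missing a word, the `Mondoo Integration Mrn:` tag is shown with no value or placeholder, and the "Learn more" links use a `/docs/platform/...` prefix where the rest of the page uses `/platform/...`.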
diff --git a/docs/platform/infra/cloud/aws/aws-integration-scan.mdx b/docs/platform/infra/cloud/aws/aws-integration-scan.mdx
new file mode 100644
index 000000000..2f65f6cc3
--- /dev/null
+++ b/docs/platform/infra/cloud/aws/aws-integration-scan.mdx
@@ -0,0 +1,199 @@
+---
+title: Continuously Scan with an AWS Integration
+sidebar_label: Scan Continuously
+sidebar_position: 2
+description: This document covers the configuration and use of the Mondoo AWS Integration to scan AWS accounts and EC2 instances
+---
+
+The Mondoo AWS integration enables continuous cron-scheduled and [event-based](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-service-event.html) scanning of your AWS account and EC2 instances.
+
+To learn about how an integration runs and its required permissions, read [AWS Integration FAQ](/platform/infra/cloud/aws/aws-integration-faq/).
+
+## Integrate with an entire organization or single account
+
+The Mondoo AWS integration supports scanning multiple AWS accounts. To do this, you install Mondoo across an AWS Organization using CloudFormation StackSets. All scan configuration options you choose apply to every AWS account in the AWS Organization.
+
+If you choose to integrate an entire Organization, be sure your AWS organization meets the requirements described in [AWS Integration Troubleshooting](/platform/infra/cloud/aws/aws-integration-troubleshooting/#requirements-for-deploying-the-mondoo-stackset-at-the-organization-level).
+
+You can also opt to scan a single AWS account only. Single account integrations rely on CloudFormation stacks.
+
+:::info
+When you deploy an integration with Mondoo using a StackSet on the organizational level, the StackSet only creates an integration of the [target accounts](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html#stacksets-concepts-accts).
+
+The [administrator account](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html#stacksets-concepts-accts) in which the StackSet for the target accounts resides needs its own separate [single account integration](/platform/infra/cloud/aws/aws-integration-scan/#integrate-with-an-entire-organization-or-single-account).
+
+This is intentional and reflects the [architectural concepts of AWS StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html).
+:::
+
+## Set up a new AWS integration
+
+1. Access the Integrations > Add > AWS page in one of two ways:
+
+ - **New space setup**: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select **BROWSE INTEGRATIONS** and then select **Amazon AWS**.
+
+ ![Welcome to Mondoo Page](/img/platform/start/welcome_to_mondoo.png)
+
+ - **INTEGRATIONS page**: In the side navigation bar, under **INTEGRATIONS**, select **Add New Integration**. Near the top of the page, select **Amazon AWS**.
+
+ ![integration-create-image](/img/platform/infra/cloud/aws/add-aws-top.png)
+
+2. Select the type of integration:
+
+ | Option | Description |
+ | -------------------------- | ------------------------------------------------- |
+ | **Organization install** | Integrate Mondoo with an entire AWS Organization. |
+ | **Single account install** | Integrate Mondoo with a single AWS account. |
+
+:::caution
+
+Before creating a Mondoo deployment on an AWS organization, make sure to check if the configuration of your AWS organization meets the [requirements](/platform/infra/cloud/aws/aws-integration-troubleshooting/#requirements-for-deploying-the-mondoo-stackset-at-the-organization-level).
+
+:::
+
+3. Identify the account or Organization and the region:
+
+ | If you're integrating with... | Then... |
+ | ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
+ | An entire AWS Organization | In the **AWS Organization(s)** box, enter any name for the integration. Select the region in which you want to deploy the integration. |
+ | A single AWS account | In the **AWS account** box, enter your AWS account ID. Select the region in which you want to deploy the integration. |
+
+4. Set the account options:
+
+ | Option | Description |
+ | ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+ | **Schedule full scan** | Set the interval (in hours) at which to execute a full scan of the AWS account, independent of change [events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-service-event.html). The default is 12 hours. |
+ | **Trigger on AWS console sign-in event** | Trigger an account scan whenever a user logs into the AWS console. |
+
+5. Set the EC2 options:
+
+ ![integration-create-image](/img/platform/infra/cloud/aws/add-aws-ec2.png)
+
+ | Option | Description |
+ | ----------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- |
+ | **Discover EC2 instances** | Include EC2 instances in asset discovery. By default, this applies across all regions. |
+ | **Trigger on instance state change [events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-service-event.html)** | Trigger a scan of all EC2 instances whenever an instance changes state. |
+ | [**Use SSM for instance connectivity**](/docs/platform/infra/cloud/aws/aws-ssm-scan) | Use the AWS SSM service to trigger scans for EC2 instances (when it's available). |
+ | **Use EC2 Instance Connect for instance connectivity** | If an EC2 instance has a public IP, connect using EC2 Instance Connect. |
+ | **Use EBS volume scanning for instance connectivity** | Use _EBS volume scanning_ to scan the filesystems of instances that Mondoo otherwise can't reach. This includes stopped instances. |
+
+6. If you enable EBS volume scanning, you can customize these options:
+
+ | Option | Description |
+ | --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+ | **EBS targets per scanner** | Customize the number of targets a single scanner instance is responsible for scanning. Setting a low number (such as 5) results in faster scans, but requires AWS to create more scanner instances. Setting a high number (such as 50) reduces the number of scanner instances, but results in slower scans. The default is 20. |
+ | **Max ASG instances** | Set your own limit for how many instances AWS can spin up in the AutoScalingGroup to perform the filesystem scans. The default is 50. |
+
+7. To scan EC2 instances using SSH, enable **Use SSH for instance connectivity**. You must use the vault secret query if you use SSH. Provide this information:
+
+ | Option | Description |
+ | ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+ | **Vault type** | Specify whether to read the secret from AWS Secrets Manager or AWS SSM Parameter store. |
+ | **Vault secret query** | Provide the query to match vault credentials to instances. To learn how to write the query, read [Secrets Management](/platform/infra/opsys/automation/vault.md). |
+
+8. If desired, limit the EC2 instances that Mondoo scans:
+
+ | Option | Description | Example |
+ | -------------------------- | ------------------------------------------------------------------------------ | ---------------------------------------- |
+ | **Filter by instance IDs** | Limit instance scanning to a subset of IDs, separated by commas. | `i-0d1f840578ca82600,i-07ae83fe5d22600a` |
+ | **Filter by regions** | Limit instance scanning to a subset of regions, separating values with commas. | `us-east-1,us-east-2` |
+ | **Filter by tags** | To Limit instance scanning to a subset of tags, separated with commas. | `Name:testname, env:test` |
+
+9. Set ECS, S3, and ECR options:
+
+ ![integration-create-image](/img/platform/infra/cloud/aws/add-aws-bottom.png)
+
+ | Option | Description |
+ | ----------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- |
+ | **Discover and scan ECS containers** | Use Amazon ECS Exec to scan Fargate containers. |
+ | **Trigger on S3 bucket [events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-service-event.html)** | Trigger a scan whenever a change is made to an S3 bucket. |
+ | **Discover and scan ECR images** | Include ECR images in asset discovery and scan them when found. |
+
+10. Select the **CREATE** button.
+
+11. Follow the instructions to launch the AWS CloudFormation stack (for an account) or StackSet (for an Organization).
+
+:::caution IMPORTANT
+
+Selecting **Create** does not finalize the integration between Mondoo and AWS. You must launch the AWS CloudFormation stack or StackSet to complete the setup.
+
+:::
+
+## Manage an AWS integration
+
+You can view the status of an AWS integration, change its configuration options, and more on its integration page.
+
+To access an existing integration:
+
+1. In the [Mondoo Console](https://console.mondoo.com), [navigate](/platform/start/navigate) to the space containing the integration.
+
+2. In the side navigation bar, under **Integrations**, select **AWS**.
+
+ ![integration-list-image](/img/platform/infra/cloud/aws/list.png)
+
+3. Select the integration you want to view or manage.
+
+ ![integration-detail-image](/img/platform/infra/cloud/aws/integration-overview.png)
+
+### View an integration's status
+
+Mondoo shows the status at the top of the integration page, beside the integration name.
+
+![Mondoo AWS integration status and actions](/img/platform/infra/cloud/aws/integration-scan-now.png)
+
+Theses are the possible statuses for an AWS integration:
+
+| Status | Meaning |
+| --------------- | ---------------------------------------------------------------------------------------------------------------- |
+| **configuring** | Mondoo is sending the scan configuration options to the integration and the integration is saving those options. |
+| **active** | The integration is active and healthy. |
+| **error** | Mondoo detected an error during installation. |
+| **missing** | Mondoo hasn't received a check-in from the Lambda function for over an hour. |
+| **deleted** | CloudFormation for the integration has been deleted. |
+
+### Ping an integration
+
+At the top of the integration page, below the integration name, Mondoo shows the time of the last ping.
+
+To ping the integration now, select the ping icon (a heartbeat to the left of the **SCAN NOW** button).
+
+### Request a fresh scan
+
+To see fresh scan results, select the **SCAN NOW** button. Mondoo retrieves new scan results as soon as possible.
+
+### Retry a failed integration setup
+
+If an error occurred during setup and the CloudFormation stack is now up and running but the integration is unhealthy, you can try to return it to a healthy state: Select the ellipsis to the right of the integration name and select **Retry Setup**.
+
+### Enable and disable policies for an AWS integration
+
+The **RECOMMENDED POLICIES** tab on the integration page lists policies that can help you protect your AWS environment. It shows which policies are enabled and disabled.
+
+![Policies for a Mondoo AWS integration](/img/platform/infra/cloud/aws/integration-policies.png)
+
+Use the toggle on the right side of each policy's row to enable or disable the policy.
+
+To learn more about policies, read [Policy as Code](/platform/security/posture/pac/).
+
+### Reconfigure an AWS integration
+
+The **CONFIGURATION** tab on the integration page shows the current settings and lets you make changes.
+
+![Reconfigure a Mondoo AWS integration](/img/platform/infra/cloud/aws/integration-config.png)
+
+To learn about individual settings, read the sections under the _Set up a new AWS integration_ section above.
+
+### Remove an integration
+
+To remove an integration, select the Remove (trash can) icon at the top of the integration page.
+
+![Remove an AWS Mondoo integration](/img/platform/infra/cloud/aws/integration-scan-now.png)
+
+A notification displays with a link to the CloudFormation Stacks list in the AWS console. Select the link and, in the AWS console, delete the stack. This removes the configured integration from Mondoo Platform and deletes the rule allowing the Mondoo AWS account to send events to the target account.
+
+## Learn more
+
+- [AWS Integration FAQ](/docs/platform/infra/cloud/aws/aws-integration-faq)
+
+- [AWS Integration Troubleshooting](/docs/platform/infra/cloud/aws/aws-integration-troubleshooting)
+
+---
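Review bot: The two links under "Learn more" at the end of this file use a `/docs/platform/...` prefix, while the other internal links visible in this hunk (`/platform/start/navigate`, `/platform/security/posture/pac/`) omit `/docs`. Use `/platform/infra/cloud/aws/aws-integration-faq` and `/platform/infra/cloud/aws/aws-integration-troubleshooting` unless the site is known to resolve both forms. Smaller fixes in the same hunk: "Theses are the possible statuses" should read "These"; the **Filter by tags** description starts with a stray "To Limit"; the caution box says **Create** while step 10 names the button **CREATE**; and the tags example `Name:testname, env:test` has a space after the comma that the other comma-separated examples lack, so say whether whitespace is significant. In "Remove an integration", the text reads as if removal only takes effect once the CloudFormation stack is deleted in the AWS console. State that explicitly, so readers know the event rule stays in place until they do.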
diff --git a/docs/platform/infra/cloud/aws/aws-integration-troubleshooting.mdx b/docs/platform/infra/cloud/aws/aws-integration-troubleshooting.mdx
new file mode 100644
index 000000000..cd0e94cb5
--- /dev/null
+++ b/docs/platform/infra/cloud/aws/aws-integration-troubleshooting.mdx
@@ -0,0 +1,175 @@
+---
+title: Mondoo AWS Integration Troubleshooting
+sidebar_label: Integration Troubleshooting
+sidebar_position: 4
+image: /img/featured_img/mondoo-aws.jpg
+description: This document covers how to debug and troubleshoot problems that may come up with the AWS Integration.
+---
+
+Troubleshoot problems that may come up deploying, running, and updating the Mondoo AWS Integration.
+
+## CloudFormation
+
+### Create failure - single account
+
+If CloudFormation fails to complete a single stack for any reason, Mondoo reports that failure.
+
+To fix the problem:
+
+1. Check the AWS CloudFormation console for detailed information about the error.
+
+2. Resolve the error as instructed.
+
+3. Visit the Configuration tab of the integration detail view to re-launch the stack.
+
+### Create failure - StackSets org install
+
+If AWS performs an org install and fails to complete a StackSet for any reason, you see an incomplete list of AWS accounts.
+
+To fix the problem and force an update:
+
+1. Check the AWS CloudFormation console for detailed information about the error.
+
+2. Resolve the error as instructed.
+
+3. Open the StackSet in the AWS CloudFormation console.
+
+4. In the top-right corner of the console, select the Actions menu and select Edit StackSet details.
+
+5. Step through the wizard without actually changing any information. Some fields require you to re-enter values.
+
+6. At the end of the wizard, select the Submit button to update the StackSet.
+
+7. Select the Operations tab and select the Refresh icon to see the update progress.
+
+### Requirements for deploying the Mondoo StackSet at the organization level
+
+For an AWS Organization to successfully integrate Mondoo, it must be configured [following AWS core principles](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tutorials_basic.html).
+
+A common misconfiguration seen in AWS Organizations that interferes with successful Mondoo integration is the lack of [organizational units (OUs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tutorials_basic.html#tutorial-orgs-step2).
+
+To ensure your Organizations are configured as needed, go to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2) and check your structure:
+
+- The top level entity of the Organization is 'root', assigned an ID that uses this format: `r-ab12`
+
+- The 'root' spans a tree of one or more OUs with IDs that use this format: `ou-ab12-1234abcd`
+
+If the entities below your `root` node have IDs in the format `o-abcd5678`, this interferes with an Organization-level Mondoo integration. You can still deploy the Mondoo integration; just integrate with [single accounts](/platform/infra/cloud/aws/aws-integration-scan/#integrate-with-an-entire-organization-or-single-account).
+
+You can't integrate an improperly configured AWS Organization with Mondoo. The integration fails.
+
+The failed integration attempt creates artifacts (StackSets and roles) in the accounts below root that you must remove manually. Trying to delete those faulty StackSets in the AWS console can return an error like this:
+
+```
+An error occurred (ValidationError) when calling the DeleteStackInstances operation:
+StackSets with SERVICE_MANAGED permission model can only have OrganizationalUnit as target
+```
+
+You must remove these StackSet instances manually from an account using the AWS CLI.
+
+### Remove a faulty StackSet from the Organization root using the AWS CLI
+
+To remove a faulty StackSet with the AWS CLI , use the `aws cloudformation delete-stack-instances` [command](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/delete-stack-instances.html).
+
+:::danger WARNING
+Read the [full documentation on this command in the AWS CLI Command Reference](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/delete-stack-instances.html) before you run it in your infrastructure.
+
+- **STACK-SET-NAME-USUALLY-MONDOO**: The name of your StackSet. By default, this is `Mondoo`.
+
+- **ROOT-OU-ID**: The ID of your Organization root, such as `r-85mw`.
+
+- **REGION**: The Organization's region, such as `us-central1`.
+
+```bash
+aws cloudformation delete-stack-instances \
+--stack-set-name STACK-SET-NAME-USUALLY-MONDOO \
+--deployment-targets OrganizationUnitIds=ROOT-OU-ID \
+--regions REGION \
+--no-retain-stacks
+```
+
+:::
+
+### Manually remove roles from an AWS account
+
+If you manually remove a Mondoo integration from an AWS account, you must remove all of these roles:
+
+```bash
+- ebs-volume-scan-instance
+- ecs
+- ecsInstanceRole
+- ecsTaskExecutionRole
+- MondooEventBusRole
+- MondooLambdaRole
+```
+
+:::info
+
+Depending on how you configured your deployment, not all of the roles above may be present.
+
+:::
+
+### Updates
+
+The CloudFormation stack and Lambda function update themselves to the latest available every 8 hours. These updates are independent of each other, meaning that if the CloudFormation stack fails to update, the Lambda code will still be updated.
+
+On occasion, one of these CloudFormation updates may result in an `Update Failed` state on the stack. Sometimes this is a chicken/egg issue that will resolve on the next auto-update. In some cases, a stack will remain in `Update Failed` state until a user manually updates the stack to give it the required extra permissions.
+
+## VPC
+
+### Lambda VPC access
+
+The [AWSLambdaVPCAccessExecutionRole](https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html#permissions-executionrole-features) is already attached to the Mondoo Lambda Role in order to discover assets, and run policies against those assets.
+
+Should your Lambda function require VPC access to be able to scan instances, please refer to AWS documentation on [Configuring a Lambda function to access resources in a VPC](https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-configuring) to grant the Lambda function access to the appropriate VPC.
+
+Security groups for all AWS SSM managed instances must include an egress rule to allow outbound traffic on port 443 (HTTPS) to [Mondoo Platform](https://console.mondoo.com) at IP address `34.98.71.94` to send results back to your account.
+
+## Logging
+
+All lambda logs are stored in CloudWatch Logs, under a log group calls `/aws/lambda/MondooLambda` in the region where the CloudFormation was installed.
+
+To search the logs in the log group, select it and choose "Search Log Group" from the upper right corner of the console. ![AWS CloudWatch Log Group Details Console](/img/platform/infra/cloud/aws/lambda-loggroup.png)
+You can search for specific log messages or view a specific time frame of activity in one pane from this view.
+
+### Debug logging
+
+To enable debug logging, add the debug environment variable to the MondooLambda function: `DEBUG=1` by visiting the AWS Mondoo Lambda Console Configuration tab. ![Lambda Console](/img/platform/infra/cloud/aws/lambda-envvars.png)
+
+## 403 errors and Terraform
+
+A known restriction of the HashiCorp Terraform `aws_iam_policy_attachment` resource can result in 403 errors. According to [HashiCorp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment):
+
+The `aws_iam_policy_attachment` resource creates exclusive attachments of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single `aws_iam_policy_attachment` resource. This means that even any users/roles/groups that have the attached policy via any other mechanism (including other Terraform resources) will have that attached policy revoked by this resource. Consider `aws_iam_role_policy_attachment`, `aws_iam_user_policy_attachment`, or `aws_iam_group_policy_attachment` instead. These resources do not enforce exclusive attachment of an IAM policy.
+
+If you use the `iam_policy_attachment` resource: Attaching a managed policy that Mondoo uses to a role you manage with Terraform detaches the policy from Mondoo's role. As recommended by HashiCorp, use a different resource to prevent this issue:
+
+- `aws_iam_role_policy_attachment`
+- `aws_iam_user_policy_attachment`
+- `aws_iam_group_policy_attachment`
+
+## Advanced debugging
+
+_Note: The AWS CloudFormation Stack can always be deleted and created without any data loss._
+
+Mondoo Platform receives a check-in from the AWS integration every 10 minutes. If no ping is received, the status will update in the Mondoo Platform UI.
+
+If the status is _not_ `active` or `deleted`:
+
+- Try the "Retry Setup" button, which will ensure that the EventBridge rule to talk to your AWS account is present in the Mondoo AWS account and refresh the stored service credentials if it is.
+
+Check the CloudFormation stack status and the CloudWatch logs for any obvious errors.
+
+Check for missing infrastructure:
+
+- Are the Mondoo credentials present? check the SSM parameter store in the installed region, under `MondooAgentConfig`
+- Is the EventBridge rule that allows Mondoo to talk to the integration present? check AWS EventBridge, rule named `mondoo-customevent-lambda-rule`
+
+And of course, please contact support@mondoo.com and join us in the [Mondoo Community Slack Channel](https://mondoo.link/slack).
+
+## Learn more
+
+- [AWS Integration FAQ](/docs/platform/infra/cloud/aws/aws-integration-faq)
+- [Scan Continuously with an AWS Integration](/docs/platform/infra/cloud/aws/aws-integration-scan)
+
+---
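Review bot: The `aws cloudformation delete-stack-instances` example under "Remove a faulty StackSet from the Organization root using the AWS CLI" will not run as written. The `--deployment-targets` key is spelled `OrganizationUnitIds`, but the AWS CLI key is `OrganizationalUnitIds`. The REGION example `us-central1` is also a Google Cloud region name, not an AWS one; use an AWS region such as `us-east-1`. The `:::danger WARNING` block currently wraps the parameter list and the command as well as the warning sentence; close it after the warning so the placeholders and command render as normal body text. Further points: the role list under "Manually remove roles from an AWS account" is fenced as `bash` but holds a bulleted list of names; the Terraform section says `iam_policy_attachment` where the resource is `aws_iam_policy_attachment`, and the paragraph copied from HashiCorp should be set as a blockquote so it is clearly their wording; "a log group calls" should be "called"; and the VPC section hard-codes the egress IP `34.98.71.94`, so say where readers can confirm the current address before writing it into security group rules. The "Learn more" links here also carry the `/docs/platform/...` prefix.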
diff --git a/docs/platform/infra/cloud/aws/aws-overview.mdx b/docs/platform/infra/cloud/aws/aws-overview.mdx
new file mode 100644
index 000000000..c487a5ad7
--- /dev/null
+++ b/docs/platform/infra/cloud/aws/aws-overview.mdx
@@ -0,0 +1,32 @@
+---
+title: Overview of AWS and Mondoo
+sidebar_label: Overview
+sidebar_position: 1
+image: /img/featured_img/mondoo-aws.jpg
+description: This page describes how you can use Mondoo to assess security configurations and risk for your infrastructure running in AWS.
+---
+
+Rely on Mondoo to secure all aspects of your Amazon cloud environment. Mondoo finds vulnerabilities and misconfigurations in instances, Kubernetes, buckets, APIs, and more.
+
+Mondoo offers a variety of approaches to evaluating your AWS infrastructure security. You can continuously scan your AWS accounts, evaluate builds before they go to production, and run ad hoc scans.
+
+## Continuously scan
+
+Continuously evaluate the security of your AWS accounts and resources, such as EC2 instances, so that you always have an up-to-date view of your environment's security posture.
+
+The [Mondoo AWS Integration](/platform/infra/cloud/aws/aws-integration-scan) provides cron-scheduled and [event-based](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-service-event.html) continuous scanning of your AWS accounts and EC2 instances using a Lambda function. Deploy the integration once and always get the latest security assessments for new accounts and resources.
+
+## Scan during build time
+
+[Build Secure AMIs with cnspec and HashiCorp Packer](/cnspec/cnspec-aws/cnspec-aws-packer/): Scan Linux and Windows HashiCorp Packer builds for vulnerabilities and security misconfigurations. Mondoo's plugin works with any of the supported Packer builders, including containers.
+
+## Scan during run time
+
+Ad hoc, agentless scans are a great way to get started evaluating your AWS security with Mondoo. There's no agent to install or manage on instances in your infrastructure, so you can get started scanning in just minutes.
+
+- [Scan an AWS account from your workstation](/platform/infra/cloud/aws/aws-workstation-scan/): Scan your AWS accounts and instances using cnspec, the open source security scanning component of Mondoo.
+- [Instance scan with AWS SSM](/platform/infra/cloud/aws/aws-ssm-scan/): Perform agentless scans of your instances using AWS Systems Manager.
+- [Instance scan with EC2 Instance Connect](/platform/infra/cloud/aws/aws-ec2-ic-scan/): Use EC2 Instance Connect to assess configuration without an agent.
+- [Instance scan with EBS snapshots](/platform/infra/cloud/aws/aws-ebs-snapshot-scan): To prevent impact on running instances, you can conduct a jump-host-based scan of EC2 instance EBS snapshots.
+
+---
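Review bot: The opening sentence "Rely on Mondoo to secure all aspects of your Amazon cloud environment" claims more than the rest of the page supports. The front-matter description and every section below describe assessment (finding vulnerabilities and misconfigurations, scanning, evaluating), not remediation, so reword the opener to match. The link to `/platform/infra/cloud/aws/aws-ebs-snapshot-scan` is the only one in the "Scan during run time" list without a trailing slash; make it consistent with its siblings.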
diff --git a/docs/platform/infra/cloud/aws/aws-scan-details.mdx b/docs/platform/infra/cloud/aws/aws-scan-details.mdx
new file mode 100644
index 000000000..4d4295cdf
--- /dev/null
+++ b/docs/platform/infra/cloud/aws/aws-scan-details.mdx
@@ -0,0 +1,80 @@
+---
+title: Advanced AWS Integration Details
+sidebar_label: Advanced Integration Details
+sidebar_position: 5
+image: /img/featured_img/mondoo-aws.jpg
+description: This document provides detailed information on how the Mondoo AWS integration works.
+---
+
+:::note
+
+This supplemental topic provides detailed information on how the Mondoo AWS integration works. It's not essential knowledge for using Mondoo.
+
+:::
+
+## What is an "account scan"?
+
+When an AWS account is integrated with a space in Mondoo Platform, Mondoo performs a configuration assessment of the AWS account by analyzing the configuration of the account (IAM settings), and discovering resources (EC2 instances, S3 buckets, RDS instances, etc) across all regions. The configuration of discovered resources are assessed according to which policies have been **ENABLED** in the **registry**.
+
+### Account scan schedule
+
+![Mondoo Platform - Configure AWS account scan interval](/img/platform/infra/cloud/aws/aws-configure-scan-schedule.png)
+
+Scanning happens every 12 hours by default, but the scan interval is configurable by going to **INTEGRATIONS** -> select the **AWS Account** you want to configure -> **CONFIGURATION**, under the **Account** section..
+
+### Scan Now (Mondoo Platform)
+
+![](/img/platform/infra/cloud/aws/integration-scan-now.png)
+
+Additionally, on-demand scans can be triggered in **INTEGRATIONS** section by selecting the integrated AWS account, selecting the **Scan Now**" button in the upper right corner of the integration details.
+
+:::info
+
+You can also scan an AWS account by running `cnspec scan aws` from any workstation on which cnspec is installed and configured. To learn more, read [Scan AWS from your workstation](/platform/infra/cloud/aws/aws-workstation-scan/).
+
+:::
+
+## What methods are used for EC2 scanning?
+
+There are three different methods used by Mondoo for EC2 scanning:
+
+- [AWS Systems Manager](#aws-systems-manager-ssm)
+- [SSH connection](#ssh)
+- [EC2 snapshot scanning](#ec2-snapshot-scanning)
+
+### Discovery
+
+Mondoo starts by querying the AWS API to get a list of all the EC2 instances in the account, across all regions available to the account, and gathering basic information about the instances.
+
+### AWS Systems Manager (SSM)
+
+When gathering information about the instances, the Lambda function checks whether the SSM agent is installed and has a ping with the status `Online` to indicate the instance is configured to be managed by SSM. In the configuration options for an integrated AWS Account, if the **Activate SSM for Instance Connectivity** is switched to **On**, Mondoo triggers a job on all `Online` instances to run an SSM document that downloads the latest version of cnspec, executes the `cnspec scan` command, and sends the results to Mondoo Platform. The integration also uses Mondoo Platform API credentials stored in SSM parameter store to authenticate with your Mondoo account, and send results. Once the scan completes, cnspec is completely uninstalled from the instance.
+
+For more details about how to set up SSM machines in your AWS Account, see the [ssm documentation](https://docs.aws.amazon.com/systems-manager/index.html)
+
+### SSH
+
+In order to facilitate the scanning of multiple instances over ssh connectivity, Mondoo has provided users with a way to match groups of instances to stored credentials. When `Activate SSH for Instance Connectivity` is set to true, an input box appears for the `Vault Secret Query`.
+
+The `Vault Secret Query` leverages MQL to define a mapping between instance labels and credentials stores in AWS Secrets Manager or AWS SSM Parameter store. In the example above, any instance with a Name tag of `ssh` (in AWS) will be scanned using the credential stored in AWS Secrets Manager with arn `arn:aws:secretsmanager:us-east-2:172746783610:secret:vj/secret-lHvP9r`.
+
+_Note: this functionality is not restricted to the `Name` tag; it will work with any tag_
+
+### EC2 snapshot scanning
+
+EC2 snapshot scanning offers a way to scan Linux EC2 instances without SSH credentials or an SSM agent.
+With this option, Mondoo spins up an instance in the AWS account and uses that instance to scan the other instances in the account. This is done by triggering an SSM job on the scanner instance that creates a snapshot of the target instance volume, attaches it to the scanner instance, and performs a scan of the mounted filesystem.
+
+EC2 snapshot scanning involves spinning up instances in an AutoScaling Group as well as one-off instances. It creates scanner instances named `ebs-scanner` in the same region as the target instances.
+
+It cleans up the scanners shortly after completing all scans, and cleans up any created snapshots and volumes (that are more than twelve hours old) every 8 hours. All created resources have the `Created By: Mondoo` tag.
+
+Be aware that EC2 snapshot scanning causes a slight increase on your AWS bill (for the EC2 and EBS services).
+
+### AWS tags
+
+All resources created by the Mondoo AWS Integration have the `Created By: Mondoo` tag. The IAM role attached to the Lambda function lets the integration delete EC2 resources only if they have the `Created By: Mondoo` tag.
+
+For information about AWS tags, read [Tagging your AWS resources](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) in the AWS documentation.
+
+---
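Review bot: The SSH section says "In the example above", but no `Vault Secret Query` example appears anywhere in this file, and the same sentence quotes a full Secrets Manager ARN with a 12-digit account ID and secret name (`arn:aws:secretsmanager:us-east-2:172746783610:secret:vj/secret-lHvP9r`). Add the query example the sentence depends on, and replace the ARN with an obviously fictitious one (for instance account ID `123456789012`) unless that value is a known documentation fixture. In the same section, "credentials stores in" should be "credentials stored in", and the setting is written as code (`Activate SSH for Instance Connectivity`) while the SSM section writes the equivalent setting in bold; pick one style. Elsewhere in the hunk: "under the **Account** section.." has a doubled period; "selecting the **Scan Now**" button" has a stray quotation mark; the image under "Scan Now (Mondoo Platform)" has empty alt text; "The configuration of discovered resources are assessed" should use "is"; and the SSM documentation sentence lacks its closing period. The snapshot-scanning cleanup sentence mixes "twelve hours" and "8 hours"; use numerals for both so the two intervals are easy to compare.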
diff --git a/docs/platform/infra/cloud/aws/aws-ssm-scan.mdx b/docs/platform/infra/cloud/aws/aws-ssm-scan.mdx
new file mode 100644
index 000000000..e705362c8
--- /dev/null
+++ b/docs/platform/infra/cloud/aws/aws-ssm-scan.mdx
@@ -0,0 +1,209 @@
+---
+title: Scan Using AWS Systems Manager
+sidebar_label: Scan Using AWS SSM
+sidebar_position: 6
+image: /img/featured_img/mondoo-aws.jpg
+description: This document covers the configuration and use of AWS Systems Manager (SSM) to scan EC2 instances without agents.
+---
+
+import Tabs from "@theme/Tabs";
+import TabItem from "@theme/TabItem";
+
+Use AWS Systems Manager (SSM) to securely scan EC2 instances. You don't need to deploy [cnspec](/cnspec/cnspec-about/) to instances in your environment. Any time Mondoo scans an instance, it automatically installs cnspec for the duration of the scan and then uninstalls cnspec when the scan finishes.
+
+## How Mondoo scans with SSM
+
+When Mondoo performs an SSM scan, these steps occur:
+
+1. SSM Run Command calls the AWS-RunShellScript SSM document.
+2. The latest version of cnspec is installed and configured to authenticate with your Mondoo Platform account.
+3. The EC2 instance runs `cnspec scan` to execute policy checks.
+4. cnspec publishes results of the scan to Mondoo Platform.
+5. cnspec is uninstalled from the EC2 instance.
+
+## Configuring AWS SSM
+
+This section covers a new setup of AWS SSM to manage EC2 instances in AWS. If you are brand new to AWS SSM, read the [AWS documentation](https://aws.amazon.com/systems-manager/) for additional implementation details.
+
+### Create an IAM role and instance profile for SSM
+
+Before you can manage EC2 instances using SSM you need to perform these steps either in the AWS Console or the AWS CLI:
+
+1. Set up an IAM Role with a trust policy for EC2.
+2. Attach the AWS managed AmazonSSMManagedInstanceCore policy to the IAM role.
+3. Create an instance profile (if you're using the AWS CLI).
+4. Attach the IAM role to the instance profile (if you're using the AWS CLI).
+
+Select your preferred method for configuring SSM, and follow the steps.
+
+
+
+
+#### Requirements
+
+- AWS console access to any account you plan to integrate with Mondoo
+- Administrator privileges in those accounts
+
+#### Create an IAM role for EC2 instances with AmazonSSMManagedInstanceCore policy
+
+![Create IAM SSM Role AWS Console](/img/platform/infra/cloud/aws/ssm/ssm-role-creation.png)
+
+1. Log in to the AWS Console.
+2. Navigate to **IAM**.
+3. Select **Roles**.
+4. Select **Create Role**.
+5. For the **Trust entity type**, select **AWS service** and for the **Use case**, select **EC2**. Then select the **Next** button.
+6. Search for **SSM** in the **Filter policies** box, select **AmazonSSMManagedInstanceCore**, and then select the **Next** button.
+7. Under **Role details**, give the role a name (such as EC2_SSM_ROLE), tags, and a description (if you want), and then select **Create role**.
+
+Your new role is ready for use and can be attached to existing EC2 instances, or to new EC2 instances as an [instance profile](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) when launching new instances.
+
+#### Launch a new EC2 instance with the newly created instance profile
+
+Follow the steps below to launch a new EC2 instance using the AWS console, attach the SSM role created in the last section, and then validate the instance is under management in the AWS SSM console.
+
+![Create IAM SSM Role AWS Console](/img/platform/infra/cloud/aws/ssm/AWS-SSM-01-org.png)
+
+1. Log in to the AWS Console.
+2. Navigate to **EC2**.
+3. Select **Launch Instance**.
+4. Under **Name and tags**, in the **Name** field, enter _EC2 SSM Instance_.
+5. Under **Application and OS Images (Amazon Machine Image)**, select **Amazon Linux 2 AMI (HVM), SSD Volume Type**, which defaults to **64-bit (x86)**.
+6. Under **Instance type** select **t2.micro**.
+ ![Create IAM SSM Role AWS Console](/img/platform/infra/cloud/aws/ssm/AWS-SSM-02-org.png)
+7. Under **Key pair (login)** you can either add or create a new key pair, but in this instance it's safe to select **Proceed without a key pair (Not recommended)**. If you want remote access to the instance, you can add an SSH key. This is not required.
+8. Under **Network settings - Firewall(security groups)**, select **Select existing security group** and choose the default security group.
+9. Open the block **Advanced details** and under **IAM instance profile**, select the role you created in the instructions above.
+10. Review the details then select **Launch**.
+11. Copy the **instance ID**. You need it in the next steps.
+ ![Create IAM SSM Role AWS Console](/img/platform/infra/cloud/aws/ssm/AWS-SSM-03-org.png)
+
+#### Validate that the instance is under management of AWS Systems Manager
+
+![Create IAM SSM Role AWS Console](/img/platform/infra/cloud/aws/ssm/validate_ssm_gui.gif)
+
+To validate that the EC2 instance is under the management of SSM:
+
+1. Log in to the AWS console.
+2. Navigate to **Systems Manager**.
+3. Select **Fleet Manager**
+4. Locate the **instance ID** of the instance you launched in the section above and select it to bring up the **Instance Overview**.
+
+This confirms the instance is under the management of SSM. Mondoo can use it to perform continuous scans of the asset.
+
+
+
+
+#### Requirements
+
+- You must have the AWS CLI installed and configured for your account.
+- You must be a part of the Administrators group.
+
+#### Get the ARN of the SSM policy for the IAM role `AmazonSSMManagedInstanceCore`
+
+![](/img/platform/infra/cloud/aws/ssm/cli_get_role_arn.gif)
+
+```bash
+aws iam list-policies --scope AWS --query "Policies[?PolicyName == 'AmazonSSMManagedInstanceCore']"
+```
+
+#### Create an AssumeRole policy
+
+1. Create a new file named `ec2-trust.json`.
+2. Copy this code snippet:
+
+```
+{
+ "Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Principal": {"Service": "ec2.amazonaws.com"},
+ "Action": "sts:AssumeRole"
+ }
+ }
+```
+
+3. Paste the code snippet into the `ec2-trust.json` file.
+4. Save the file.
+
+#### Create IAM SSM role and attach the role policy document
+
+```bash
+aws iam create-role --role-name EC2_SSM_ROLE --assume-role-policy-document file://ec2-trust.json
+```
+
+```bash
+aws iam attach-role-policy --role-name EC2_SSM_ROLE --policy-arn
+```
+
+#### Launch an Amazon Linux 2 EC2 instance with the instance profile
+
+With the instance profile you created, you can now launch EC2 instances that are configured for use with AWS SSM.
+
+:::note
+
+Not all AMIs the SSM agent installed by default. For a complete list of AMIs that come with SSM agent pre-installed, read [About SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/prereqs-ssm-agent.html) in the AWS documentation.
+:::
+
+Follow these steps to launch an Amazon Linux 2 EC2 instance in a default VPC using the new instance profile in the previous step:
+
+1. Get the subnet ID:
+
+```bash
+aws ec2 describe-subnets --query "Subnets[?Tags[?Value == 'SubnetA'] ].SubnetId | [0]"
+```
+
+2. Get the security group ID:
+
+```bash
+aws ec2 describe-security-groups \
+--filters Name=group-name,Values=SG \
+--query "SecurityGroups[?GroupName == 'SG'].GroupId | [0]"
+```
+
+3. Get the Amazon Linux 2 AMI ID (SSM agent preinstalled)
+
+```bash
+aws ec2 describe-images \
+--filters "Name=architecture,Values=x86_64" "Name=description,Values=*Amazon Linux 2 AMI 2.0.2019*gp2" "Name=owner-id,Values=137112412989" "Name=image-type,Values=machine" \
+--query "sort_by(Images, &CreationDate)[::-1].ImageId | [0]"
+```
+
+4. Launch a new EC2 instance with the EC2_SSM_ROLE:
+
+```bash
+aws ec2 run-instances --associate-public-ip-address \
+--security-group-ids \
+--iam-instance-profile Arn= \
+--instance-type t2.micro \
+--image-id \
+--subnet-id \
+--tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=SSMTestInstance}]"
+```
+
+#### Confirm that the instance is managed by AWS Systems Manager
+
+1. Get the instance ID of the new instance:
+
+```bash
+aws ec2 describe-instances --filters Name=tag:Name,Values=SSMTestInstance --query "Reservations[].Instances[].InstanceId"
+```
+
+2. Confirm that the instance ID shows up in SSM:
+
+```bash
+aws ssm describe-instance-information --query "InstanceInformationList[?InstanceId == '']"
+```
+
+
+
+
+## Learn more
+
+| To learn about... | Read... |
+| ----------------------- | ------------------------------------------------------------------------ |
+| Snapshot scanning | [Scan an EBS Snapshot](/platform/infra/cloud/aws/aws-ebs-snapshot-scan/) |
+| Continuous AWS scanning | [Continuously Scan AWS](/platform/infra/cloud/aws/aws-integration-scan/) |
+| cnspec | [The cnspec documentation](/cnspec/cnspec-about/) |
+
+---
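Review bot: Several commands in the AWS CLI part of this file are missing their argument values and fail if copied. `aws iam attach-role-policy --role-name EC2_SSM_ROLE --policy-arn` ends with no ARN. `aws ec2 run-instances` has empty `--security-group-ids`, `--iam-instance-profile Arn=`, `--image-id` and `--subnet-id`. The final `describe-instance-information` query compares `InstanceId` against `''`. Give each one a named placeholder and say which earlier step's output fills it. The CLI path also never creates the instance profile. Steps 3 and 4 of the list under "Create an IAM role and instance profile for SSM" call for it, and the launch section opens with "With the instance profile you created", yet no `aws iam create-instance-profile` or `aws iam add-role-to-instance-profile` command is shown. Other points: the file imports `Tabs` and `TabItem`, but no tab markup is visible in the hunk, which leaves two "#### Requirements" headings with nothing to tell the console path from the CLI path. The AMI lookup filters on `*Amazon Linux 2 AMI 2.0.2019*gp2`, so "latest" means the newest 2019 image; drop the year from the filter or explain why it is pinned. The trust policy fence has no language tag and uneven indentation. "Not all AMIs the SSM agent installed by default" is missing "have". Both Requirements lists ask for administrator rights although the steps shown only create an IAM role, launch an instance and read SSM inventory, so consider listing the specific permissions instead. Console step 8 selects the default security group and the CLI launch passes `--associate-public-ip-address`; add a sentence on whether either is needed for SSM management, or remove them from the walkthrough.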
diff --git a/docs/platform/infra/cloud/aws/aws-workstation-scan.mdx b/docs/platform/infra/cloud/aws/aws-workstation-scan.mdx
new file mode 100644
index 000000000..34b6a7870
--- /dev/null
+++ b/docs/platform/infra/cloud/aws/aws-workstation-scan.mdx
@@ -0,0 +1,135 @@
+---
+title: Scan AWS Accounts and EC2 Instances from a Workstation
+sidebar_label: Scan from a Workstation
+sidebar_position: 7
+image: /img/featured_img/mondoo-aws.jpg
+description: Perform remote, agentless scans on AWS accounts and EC2 instances with Mondoo
+---
+
+Use [cnspec](/cnspec/cnspec-about/), Mondoo's CLI security tool, to scan AWS accounts and EC2 instances remotely from your workstation. These fast, on-demand assessments are independent from any [native AWS integrations](/platform/infra/cloud/aws/aws-integration-scan) that run continuously within your account.
+
+You can:
+
+- [Remotely scan an AWS account](#remotely-scan-aws-accounts) using the AWS CLI config
+
+or
+
+- [Perform agentless scans of EC2 instances](#perform-agentless-scans-of-ec2-instances) using EC2 Instance Connect, SSH, or snapshot scanning
+
+## Remotely scan AWS accounts
+
+cnspec can remotely scan AWS accounts using the configuration and credentials from the AWS CLI on your workstation, which is typically located in `~/.aws/credentials`. Before you can scan an AWS account, you must have the AWS CLI [installed and configured](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) with credentials for the accounts you want to scan.
+
+### Set up AWS credentials
+
+To ensure your AWS credentials are set up properly so you can scan from your workstation, run this command from a terminal:
+
+```bash
+cat ~/.aws/credentials
+[default]
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+aws_session_token = AQoDYXdzEJr...
+```
+
+If you want to use a specific profile, set `AWS_PROFILE`
+
+```bash
+export AWS_PROFILE=PROFILENAME
+```
+
+For PROFILENAME, substitute the name of the profile to use.
+
+### Permissions required to scan an AWS account
+
+cnspec requires read-only access to assess the configuration of the services and resources within an AWS account. It uses the credentials for the `awscli` to authenticate with the AWS API. So it inherits the permissions granted to your AWS access keys.
+
+:::info
+
+Amazon provides the **ReadOnlyAccess** IAM profile, which grants read-only access to all AWS Services.
+
+:::
+
+### Scan an AWS account with cnspec
+
+To scan an AWS account remotely with cnspec, enter this command in a terminal:
+
+```bash
+cnspec scan aws
+```
+
+cnspec scans the account using any AWS policies you have enabled in your Mondoo account. It prints the results to `STDOUT` on the command line. It also sends the results to Mondoo Platform, which generates a report for each policy executed against the account.
+
+### Manage multiple AWS profiles
+
+If you manage multiple AWS configurations in your credentials file, you can set the `AWS_PROFILE` environment variable to specify which profile to use for each scan. For example, this credentials file has two configurations:
+
+```bash title='~/.aws/credentials'
+[default]
+aws_access_key_id=AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+
+[aws-dev-account]
+aws_access_key_id=AKIAI44QH8DHBEXAMPLE
+aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
+```
+
+When you run a scan, you specify which profile to use:
+
+```bash title="Select AWS profile to scan"
+export AWS_PROFILE=PROFILENAME
+cnspec scan aws
+```
+
+For PROFILENAME, substitute the name of the profile to use.
+
+### Incognito mode
+
+cnspec provides an `--incognito` mode, which lets you scan your AWS account against a specific policy without sending the results back to Mondoo Platform. This can be helpful for assessing how an account will score against a policy before enabling it.
+
+To scan an AWS account using `incognito` mode, enter this command in a terminal:
+
+```bash
+cnspec scan aws --incognito
+```
+
+## Perform agentless scans of EC2 instances
+
+cnspec supports remote scanning of EC2 instances without installing an agent on the instance. This lets you assess your instances on demand. You must have remote connectivity to instances, either through SSH or EC2 Instance Connect.
+
+### Scan an EC2 instance using EC2 Instance Connect
+
+import Partial from "./_aws-incl-ic.mdx";
+
+{" "}
+
+### Scan an EC2 instance using SSH
+
+cnspec lets you remotely scan EC2 instances using SSH:
+
+```bash
+cnspec scan aws ec2 instance-connect USER@HOST --identity-file PATH
+```
+
+| For... | Substitute... |
+| ------ | --------------------------------------- |
+| USER | Your user name for the AWS account |
+| HOST | The instance's public IP address or DNS |
+| PATH | The path to the SSH key file |
+
+:::info
+
+To learn how to retrieve credentials from a secrets manager (such as AWS Secrets Manager or SSM Parameter Store), read [Secrets Management](/platform/infra/opsys/automation/vault.md).
+
+:::
+
+## Learn more
+
+| To learn about... | Read... |
+| ----------------------- | ------------------------------------------------------------------------- |
+| Scanning with AWS SSM | [Scan Using AWS Systems Manager](/platform/infra/cloud/aws/aws-ssm-scan/) |
+| Snapshot scanning | [Scan an EBS Snapshot](/platform/infra/cloud/aws/aws-ebs-snapshot-scan/) |
+| Continuous AWS scanning | [Continuously Scan AWS](/platform/infra/cloud/aws/aws-integration-scan/) |
+| cnspec | [The cnspec documentation](/cnspec/cnspec-about/) |
+
+---
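Review bot: Under "### Scan an EC2 instance using SSH" the command shown is `cnspec scan aws ec2 instance-connect USER@HOST --identity-file PATH`, which names the Instance Connect subcommand rather than an SSH scan, so the SSH section does not document a distinct method. Please confirm the intended SSH command and update the block and the USER row of the table to match. Related: the "Scan an EC2 instance using EC2 Instance Connect" section imports `Partial` from `./_aws-incl-ic.mdx`, but only `{" "}` follows, so nothing from the include is rendered. In "Set up AWS credentials", the `bash` fence mixes the `cat ~/.aws/credentials` command with its sample output; separating the two and noting that the command prints secret keys to the terminal would help readers.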
diff --git a/docs/platform/infra/cloud/azure/_category_.json b/docs/platform/infra/cloud/azure/_category_.json
new file mode 100644
index 000000000..1a257cdb9
--- /dev/null
+++ b/docs/platform/infra/cloud/azure/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Azure",
+ "position": 3
+}
diff --git a/docs/platform/infra/cloud/azure/_include-graph.mdx b/docs/platform/infra/cloud/azure/_include-graph.mdx
new file mode 100644
index 000000000..d757aed90
--- /dev/null
+++ b/docs/platform/infra/cloud/azure/_include-graph.mdx
@@ -0,0 +1,46 @@
+1. In the navigation sidebar, select **API permissions**.
+
+ ![API permissions](/img/platform/infra/cloud/azure/api-permissions.png)
+
+ By default, Microsoft grants your new application `User.Read` permission for Microsoft Graph. It's not required for Mondoo, so you can remove it.
+
+2. Select **+ Add a permission**.
+
+ ![Add permission in Entra](/img/platform/infra/cloud/azure/select-add-permission.png)
+
+3. From the list of **Commonly used Microsoft APIs**, select **Microsoft Graph**.
+
+ ![API permissions](/img/platform/infra/cloud/azure/request-api-permission.png)
+
+4. Because Mondoo acts as a service, select **Application permissions**.
+
+5. Select **expand all** to see all permissions. Then select the required API permissions:
+
+ {" "}
+
+
+Show or hide required API permissions.
+
+| Microsoft Graph | Type | Description |
+| ----------------------------- | ----------- | ---------------------------------------------------- |
+| Application.Read.All | Application | Read all applications |
+| AuditLog.Read.All | Application | Read all audit log data |
+| Directory.Read.All | Application | Read directory data |
+| Domain.Read.All | Application | Read domains |
+| IdentityProvider.Read.All | Application | Read identity providers |
+| IdentityRiskEvent.Read.All | Application | Read all identity risk event information |
+| IdentityRiskyUser.Read.All | Application | Read all identity risky user information |
+| Policy.Read.All | Application | Read your organization's policies |
+| Policy.Read.ConditionalAccess | Application | Read your organization's conditional access policies |
+| Policy.Read.PermissionGrant | Application | Read consent and permission grant policies |
+| RoleManagement.Read.All | Application | Read role management data for all RBAC providers |
+| SecurityActions.Read.All | Application | Read your organization's security actions |
+| SecurityEvents.Read.All | Application | Read your organization's security events |
+| ThreatAssessment.Read.All | Application | Read threat assessment requests |
+| ThreatIndicators.Read.All | Application | Read all threat indicators |
+
+
+
+6. Select the **Add permissions** button.
+
+7. To complete the process, select **Grant admin consent for (your tenant name)** and select the **Yes** button to confirm.
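Review bot: The permissions table after step 5 starts at column 0, as does the bare "Show or hide required API permissions." line, so neither is nested under step 5 and the ordered list is interrupted before steps 6 and 7. The `{" "}` under step 5 and the orphaned summary sentence suggest a collapsible wrapper was intended but is missing. Suggest restoring the wrapper and indenting the table under step 5. Minor: two of the three screenshots share the alt text "API permissions"; the Microsoft Graph one should get its own description.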
diff --git a/docs/platform/infra/cloud/azure/_include-keyvault.mdx b/docs/platform/infra/cloud/azure/_include-keyvault.mdx
new file mode 100644
index 000000000..63bad10d3
--- /dev/null
+++ b/docs/platform/infra/cloud/azure/_include-keyvault.mdx
@@ -0,0 +1,29 @@
+If you use key vault access policy, this step is required.
+
+A key vault access policy determines whether a given security principal (a user, application or user group) can perform different operations on key vault secrets, keys, and certificates.
+
+1. From the Azure portal home, select **Key vaults**.
+
+2. Select a key vault from the list.
+
+3. In the sidebar under the key vault name, select **Access policies**.
+
+ ![key vault access policies](/img/platform/infra/cloud/azure/key-vault-access.png)
+
+4. In the toolbar, select **+ Create**.
+
+5. Configure the permissions:
+
+ - Under **Key permissions**, select **Get** and **List**.
+
+ - Under **Secret permissions**, select **Get** and **List**.
+
+ - Under **Certificate permissions** , select **Get** and **List**.
+
+6. Select the **Next** button.
+
+7. From the list, select the app registration you created.
+
+8. Select the **Next** button and select the **Next** button again to skip the Application (optional) step.
+
+9. Review the access policy and then select the **Create** button.
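Review bot: Step 5 grants **Get** in addition to **List** under **Secret permissions**. In the access policy model, Get on secrets returns the secret value itself, which is broader than the metadata-only access that the integration pages in this patch describe for the RBAC model through the "Key Vault Reader" role. If scanning needs only metadata, suggest reducing this to List, or otherwise documenting why Get is required and what it exposes. Minor: there is a stray space before the comma in "**Certificate permissions** , select".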
diff --git a/docs/platform/infra/cloud/azure/_include-webapp.mdx b/docs/platform/infra/cloud/azure/_include-webapp.mdx
new file mode 100644
index 000000000..1b2b86dec
--- /dev/null
+++ b/docs/platform/infra/cloud/azure/_include-webapp.mdx
@@ -0,0 +1,134 @@
+Grant web app permissions by creating a custom RBAC role for Mondoo and assigning the custom role to your new app registration.
+
+1. In the sidebar under the subscription name, select **Overview**.
+
+2. Copy the subscription ID and save it somewhere handy.
+
+3. In the sidebar under the subscription name, select **Access control (IAM)**.
+
+4. On the subscription's **Access control (IAM)** page toolbar, select **+ Add** and select **Add custom role**.
+
+ ![Azure Subscription Roles](/img/platform/infra/cloud/azure/add-int-azure-add-role.png)
+
+5. Name the new role `mondoo-role`, provide a description, and then select the **JSON** tab.
+
+6. On the **JSON** tab, select the **Edit** button and delete all existing content from the edit box.
+
+7. Copy this JSON content and paste it into the edit box on the JSON tab:
+
+ ```
+ {
+ "Name": "mondoo-role",
+ "IsCustom": true,
+ "description": "Custom role for Mondoo integration",
+ "assignableScopes": [
+ "/subscriptions/YOUR-SUBSCRIPTION-ID"
+ ],
+ "actions": [
+ "Microsoft.Authorization/*/read",
+ "Microsoft.ResourceHealth/availabilityStatuses/read",
+ "Microsoft.Insights/alertRules/*",
+ "Microsoft.Resources/deployments/*",
+ "Microsoft.Resources/subscriptions/resourceGroups/read",
+ "Microsoft.Support/*",
+ "Microsoft.Web/listSitesAssignedToHostName/read",
+ "Microsoft.Web/serverFarms/read",
+ "Microsoft.Web/sites/config/read",
+ "Microsoft.Web/sites/config/web/appsettings/read",
+ "Microsoft.Web/sites/config/web/connectionstrings/read",
+ "Microsoft.Web/sites/config/appsettings/read",
+ "Microsoft.web/sites/config/snapshots/read",
+ "Microsoft.Web/sites/config/list/action",
+ "Microsoft.Web/sites/read",
+ "Microsoft.KeyVault/checkNameAvailability/read",
+ "Microsoft.KeyVault/deletedVaults/read",
+ "Microsoft.KeyVault/locations/*/read",
+ "Microsoft.KeyVault/vaults/*/read",
+ "Microsoft.KeyVault/operations/read"
+ ],
+ "notActions": [],
+ "dataActions": [
+ "Microsoft.KeyVault/vaults/*/read",
+ "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
+ ],
+ "notDataActions": []
+ }
+ ```
+
+ To integrate with more than one subscription, list them:
+
+ ```
+ "assignableScopes": [
+
+ "/subscriptions/YOUR-SUBSCRIPTION-ID-1"
+
+ "/subscriptions/YOUR-SUBSCRIPTION-ID-2"
+
+ "/subscriptions/YOUR-SUBSCRIPTION-ID-3"
+
+ ]
+ ```
+
+ To integrate at the management group level, copy this JSON content and paste it into the edit box on the JSON tab:
+
+ ```
+ {
+ "properties": {
+ "roleName": "mondoo-role",
+ "description": "Custom role for Mondoo integration",
+ "assignableScopes": [
+ "/providers/Microsoft.Management/managementGroups/YOUR-MANAGEMENT-GROUP-ID"
+ ],
+ "permissions": [
+ {
+ "actions": [
+ "Microsoft.Authorization/*/read",
+ "Microsoft.ResourceHealth/availabilityStatuses/read",
+ "Microsoft.Resources/subscriptions/resourceGroups/read",
+ "Microsoft.Web/listSitesAssignedToHostName/read",
+ "Microsoft.Web/serverFarms/read",
+ "Microsoft.Web/sites/config/read",
+ "Microsoft.Web/sites/config/web/appsettings/read",
+ "Microsoft.Web/sites/config/web/connectionstrings/read",
+ "Microsoft.Web/sites/config/appsettings/read",
+ "microsoft.web/sites/config/snapshots/read",
+ "Microsoft.Web/sites/config/list/action",
+ "Microsoft.Web/sites/read",
+ "Microsoft.Web/sites/*/read"
+ ],
+ "notActions": [],
+ "dataActions": [],
+ "notDataActions": []
+ }
+ ]
+ }
+ }
+ ```
+
+ For YOUR-MANAGEMENT-GROUP-ID, substitute the name of the management group you want to monitor. If you don't have management groups, you can use your tenant ID because your tenant is your root management group.
+
+8. Select the **Save** button.
+
+9. Select the **Review + create** button (or the Next button), check your work, and then select the **Review + create** button again.
+
+10. Assign the created Custom role to the app: On the subscription's **Access control (IAM)** page toolbar, select **+ Add** and select **Add role assignment**.
+
+11. Search for and select the role you just created, `mondoo-role`.
+
+12. Select the **Members** tab and select **User, group, or service principal**.
+
+13. Select the **+ Select Members** link, find and select your Mondoo app registration, and select the **Select** button.
+
+![Azure Subscription Role Member Assignment](/img/platform/infra/cloud/azure/add-int-azure-custom-member.png)
+
+14. Select the **Review + assign** button to check the assignment. Select the **Review + assign** button again to assign the `mondoo-role` role to your Mondoo app registration.
+
+![Azure Subscription Role Member Assignment](/img/platform/infra/cloud/azure/add-int-azure-select-member.png)
+
+15. Make sure that you have two RBAC roles for the app you created: On the subscription's **Access control (IAM)** page toolbar, select **Check Access**.
+
+16. Keep "User, group, or service principal" selected and type name you gave the app, such as `mondoo-security`.
+
+17. Select the app. Verify that you see two roles: Reader and the custom role that you created.
+
+It can take a few minutes for the roles you assigned to take effect.
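Review bot: The subscription-level role JSON in step 7 includes `Microsoft.Insights/alertRules/*`, `Microsoft.Resources/deployments/*` and `Microsoft.Support/*`, wildcards that cover write and delete operations, while the management-group variant further down omits all three. The integration pages in this patch describe Mondoo's access as read-only, so suggest narrowing these to `/read`, dropping them to match the management-group definition, or explaining why they are needed. Also, the multi-subscription `assignableScopes` snippet has no commas between its three entries, so it is not valid JSON when pasted. The two role definitions differ in shape and casing as well (`Name`/`IsCustom` versus `properties.roleName`, `Microsoft.web` versus `microsoft.web`), which deserves a sentence of explanation or normalising. Typo in step 16: "type name you gave the app" is missing "the".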
diff --git a/docs/platform/infra/cloud/azure/azure-integration-scan-group.mdx b/docs/platform/infra/cloud/azure/azure-integration-scan-group.mdx
new file mode 100644
index 000000000..9564d33ab
--- /dev/null
+++ b/docs/platform/infra/cloud/azure/azure-integration-scan-group.mdx
@@ -0,0 +1,347 @@
+---
+title: Quick Setup - Azure Management Group Continuous Scanning
+sidebar_label: Quick Setup - Azure Management Group Continuous Scanning
+sidebar_position: 3
+description: Configure the Mondoo Azure Integration to scan Azure management groups.
+image: /img/featured_img/mondoo-azure.jpg
+---
+
+The Mondoo Azure integration lets you continuously scan Azure resources, such as compute instances and databases, in an Azure management group.
+
+You can also limit scanning one or more Azure subscriptions. For instructions, read [Continuously Scan an Azure Subscription](/platform/infra/cloud/azure/azure-integration-scan-subscription/).
+
+## Prerequisites
+
+Before you integrate Microsoft Azure with Mondoo, be sure you have:
+
+- A [Mondoo account](/platform/start/plat-start-acct/) with Editor or Owner permissions for the space in which you want to add the integration.
+
+- An [Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) with an active subscription and permission to manage applications in Microsoft Entra ID (formerly Active Directory). Any of these [Entra built-in roles](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference) include the required permissions:
+
+ - [Global Administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator)
+
+ - [Application administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator)
+
+ - [Cloud application administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-application-administrator)
+
+ In the Azure portal you can see what roles your user account has: Go to **Microsoft Entra ID > Users > (your user account) > Assigned roles**.
+
+- Command-line access to Azure using either:
+
+ - [Azure Cloud Shell](https://learn.microsoft.com/en-us/azure/cloud-shell/quickstart?tabs=azurecli)
+
+ -
+
+ The Azure CLI in either the Linux shell or the macOS shell
+
+
+ Log into the Azure CLI from PowerShell or a Linux/macOS CLI by
+ entering:
+
+ az login
+
+ Azure opens your web browser and prompts you to log in. After you do
+ so, you can return to the CLI.
+
+
+
+
+
+## Register and grant permissions to an Azure app
+
+Like any service that integrates with Azure, Mondoo must have Microsoft Entra ID app registration in your Azure tenant. To learn more about creating a new app registration and service principal, read [App registration, app objects, and service principals](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#app-registration-app-objects-and-service-principals) in the Azure documentation.
+
+Registering Mondoo with Entra establishes a trust relationship between Mondoo and the Microsoft identity platform. The trust is unidirectional: Mondoo trusts the Microsoft identity platform, and not the other way around. The Entra app registration creates a [service principal](https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#what-are-service-principals-and-where-do-they-come-from) to represent Mondoo in any tenants and subscriptions.
+
+The app registration you create gives Mondoo read-only access to Azure resources, web apps, key vault, and Graph API.
+
+These instructions describe how to use Microsoft's "automatic" method of registering an Azure app. If you want to use your own certificates for authentication, if you use the [_key vault access policy_ permission model](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy), or if your Azure environment is unusually large, follow the instructions in [Manually Set up an Azure Integration](/platform/infra/cloud/azure/manual-reg-path/) instead.
+
+To configure your Azure resources, you must:
+
+Step A. Retrieve your management group ID
+
+Step B. Create the app registration and certificate and grant READ access
+
+Step C. Grant web app and key vault READ permissions to the registered app
+
+Step D. Grant permissions to access Microsoft Graph (API permissions)
+
+### Step A: Retrieve your management group ID
+
+If you want Mondoo to continuously scan all the resources in a management group, retrieve the group's ID in the Azure CLI:
+
+1. Run this command:
+
+```bash
+az account management-group list
+```
+
+2. Copy the ID of the group you want and paste it somewhere handy to use in later steps.
+
+### Step B: Create the app, service principal, and certificate and grant READ access
+
+A single command in the Azure CLI performs these tasks:
+
+- Creates the application registration and service principal in Microsoft Entra ID
+
+- Grants READ access (using RBAC) to the new application
+
+- Creates a certificate and assigns it to the newly created app
+
+In the Azure CLI, enter:
+
+```bash
+az ad sp create-for-rbac --name mondoo-security --role Reader --scopes /providers/Microsoft.Management/managementGroups/YOUR-GROUP-ID --create-cert
+```
+
+For `YOUR-GROUP-ID`, substitute the management group ID value you copied in the step above. For example, this command creates a service principal and an application named `mondoo-security` that provides access to a management group with the ID `e4e2600a-2d3d-2600-aa70-b9d8c8ec2600`:
+
+```bash
+az ad sp create-for-rbac --name mondoo-security --role Reader --scopes /providers/Microsoft.Management/managementGroups/e4e2600a-2d3d-2600-aa70-b9d8c8ec2600 --create-cert
+```
+
+When successful, the Azure CLI returns results like these:
+
+```bash
+"appId": "63c35483-c62f-2600-a097-a6e44d8dcdf6",
+"displayName": "Mondoo",
+"fileWithCertAndPrivateKey": "/Users/stella/tmpkqyme3rm.pem",
+"password": null,
+"tenant": "e4e2600a-2d3d-2600-aa70-b9d8c8ec2600"
+```
+
+Copy your results and paste them somewhere handy; you'll need them in later steps.
+
+Copy the created PEM file (in the example above, it's named tmpkqyme3rm.pem) and save it; you'll need it in later steps.
+
+:::tip
+
+In the Azure portal, you can make sure that the created application has the required READ access at the subscription level: Go to **Azure portal > [your subscription] > Access control (IAM) > Roles (choose Reader and View) > Assessments**. If you see the `mondoo-security` application, you've succeeded.
+
+:::
+
+### Step C: Grant web app and key vault READ permissions to the registered app
+
+:::note
+
+The key vault permissions below are from Microsoft's "Key Vault Reader" role. The [Microsoft documentation](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles) describes this role:
+
+> _Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model._
+
+:::
+
+Follow these steps, substituting the management group ID(s) you copied in Step A for YOUR-GROUP-ID:
+
+1. Copy this content and paste it into a new file named `mondoo-role.json`:
+
+ ```json
+ {
+ "Name": "mondoo-role",
+ "IsCustom": true,
+ "description": "Custom role for Mondoo integration",
+ "assignableScopes": [
+ "/providers/Microsoft.Management/managementGroups/YOUR-GROUP-ID"
+ ],
+ "actions": [
+ "Microsoft.Authorization/*/read",
+ "Microsoft.ResourceHealth/availabilityStatuses/read",
+ "Microsoft.Insights/alertRules/*",
+ "Microsoft.Resources/deployments/*",
+ "Microsoft.Resources/subscriptions/resourceGroups/read",
+ "Microsoft.Support/*",
+ "Microsoft.Web/listSitesAssignedToHostName/read",
+ "Microsoft.Web/serverFarms/read",
+ "Microsoft.Web/sites/config/read",
+ "Microsoft.Web/sites/config/web/appsettings/read",
+ "Microsoft.Web/sites/config/web/connectionstrings/read",
+ "Microsoft.Web/sites/config/appsettings/read",
+ "Microsoft.web/sites/config/snapshots/read",
+ "Microsoft.Web/sites/config/list/action",
+ "Microsoft.Web/sites/read",
+ "Microsoft.KeyVault/checkNameAvailability/read",
+ "Microsoft.KeyVault/deletedVaults/read",
+ "Microsoft.KeyVault/locations/*/read",
+ "Microsoft.KeyVault/vaults/*/read",
+ "Microsoft.KeyVault/operations/read"
+ ],
+ "notActions": [],
+ "dataActions": [
+ "Microsoft.KeyVault/vaults/*/read",
+ "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
+ ],
+ "notDataActions": []
+ }
+ ```
+
+2. Create a custom role:
+
+ ```
+ az role definition create --role-definition mondoo-role.json
+ ```
+
+3. Make sure you successfully created the role:
+
+ ```
+ az role assignment list --role mondoo-role --scope /providers/Microsoft.Management/managementGroups/YOUR-GROUP-ID
+ ```
+
+4. Assign the created custom role to the app you registered:
+
+ ```
+ az role assignment create --role mondoo-role --assignee --scope /providers/Microsoft.Management/managementGroups/YOUR-GROUP-ID
+ ```
+
+### Step D: Grant permissions to access Microsoft Graph (API permissions)
+
+1. Copy this content and paste it into a new file on your local system named `app-manifest.json`:
+
+ ```json
+ [
+ {
+ "resourceAppId": "00000003-0000-0000-c000-000000000000",
+ "resourceAccess": [
+ {
+ "id": "246dd0d5-5bd0-4def-940b-0421030a5b68",
+ "type": "Role"
+ },
+ {
+ "id": "e321f0bb-e7f7-481e-bb28-e3b0b32d4bd0",
+ "type": "Role"
+ },
+ {
+ "id": "5e0edab9-c148-49d0-b423-ac253e121825",
+ "type": "Role"
+ },
+ {
+ "id": "bf394140-e372-4bf9-a898-299cfc7564e5",
+ "type": "Role"
+ },
+ {
+ "id": "6e472fd1-ad78-48da-a0f0-97ab2c6b769e",
+ "type": "Role"
+ },
+ {
+ "id": "dc5007c0-2d7d-4c42-879c-2dab87571379",
+ "type": "Role"
+ },
+ {
+ "id": "b0afded3-3588-46d8-8b3d-9842eff778da",
+ "type": "Role"
+ },
+ {
+ "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
+ "type": "Role"
+ },
+ {
+ "id": "197ee4e9-b993-4066-898f-d6aecc55125b",
+ "type": "Role"
+ },
+ {
+ "id": "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30",
+ "type": "Role"
+ },
+ {
+ "id": "f8f035bb-2cce-47fb-8bf5-7baf3ecbee48",
+ "type": "Role"
+ },
+ {
+ "id": "dbb9058a-0e50-45d7-ae91-66909b5d4664",
+ "type": "Role"
+ },
+ {
+ "id": "9e640839-a198-48fb-8b9a-013fd6f6cbcd",
+ "type": "Role"
+ },
+ {
+ "id": "37730810-e9ba-4e46-b07e-8ca78d182097",
+ "type": "Role"
+ },
+ {
+ "id": "c7fbd983-d9aa-4fa7-84b8-17382c103bc4",
+ "type": "Role"
+ }
+ ]
+ }
+ ]
+ ```
+
+2. Execute these commands to grant the permissions in the JSON file and give administrator consent. For YOUR-APP-ID, substitute the `appId` value from the results you copied in Step B:
+
+ ```
+ az ad app update --id YOUR-APP-ID --required-resource-accesses @app-manifest.json
+
+ az ad app permission admin-consent --id YOUR-APP-ID
+ ```
+
+## Add a new Azure integration in the Mondoo Console
+
+After you've created, granted permissions to, and tested a new app registration, you can create a Mondoo Azure integration. You need some values from the app registration you created in the instructions above.
+
+1. Access the Integrations > Add > Azure page in one of two ways:
+
+ - New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select **BROWSE INTEGRATIONS** and then select **Azure**.
+
+ ![Welcome to Mondoo Page](/img/platform/start/welcome_to_mondoo.png)
+
+ - INTEGRATIONS page: In the side navigation bar, under **INTEGRATIONS**, select **Add New Integration**. Under Cloud Security, select **Azure**.
+
+ ![integration-create-image](/img/platform/infra/cloud/azure/add-int-azure-top.png)
+
+2. In the **Choose an integration name** box, enter a name for the integration. Make it a name that lets you easily recognize the Azure tenant.
+
+3. In the **Enter Application (client) ID** box, enter the value from the `appId` value you copied in Step B.
+
+4. In the **Enter the Directory (tenant) ID** box, enter the `tenantId` value you copied in Step A.
+
+5. Specify the subscriptions for Mondoo to continuously scan. You copied at least one subscription ID in step A.
+
+ - To continuously scan all subscriptions in the tenant, leave the **Scan all subscriptions connected to the Directory (tenant) ID** toggle enabled.
+
+ - To choose the subscriptions to scan, disable the **Scan all subscriptions connected to the Directory (tenant) ID** toggle, select Allowlist, and enter the subscription ID to scan.
+
+ - To scan **all** subscriptions except those you specify, disable the **Scan all subscriptions connected to the Directory (tenant) ID** toggle, select Denylist, and enter the names of the subscriptions you don't want Mondoo to scan.
+
+6. To automatically discover all Linux and Windows VMs in your subscription and scan them using Azure Run Command, select **Scan Azure VMs using Run Command**.
+
+7. Provide the certificate (a [PEM](https://aboutssl.org/what-is-pem-certificate-file/) (privacy-enhanced mail) file) for Mondoo to securely authenticate with the app (service principal) you created. You created this certificate in Step B.
+
+ The certificate file must have the `.pem` extension and must contain both the private key and the certificate in this order:
+
+ ```
+ -----BEGIN PRIVATE KEY-----
+ key goes here
+ -----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+ certificate goes here
+ -----END CERTIFICATE-----
+ ```
+
+ Upload the certificate to Mondoo: In the **Drag and drop your .pem file here** box, select the cloud icon and choose the file to upload.
+
+ ![integration-create-image](/img/platform/infra/cloud/azure/add-int-azure-bottom.png)
+
+8. Select the **START SCANNING** button.
+
+9. On the Recommended Policies page, enable the policies on which you want to base assessments of your Azure environment. To learn more, read [Manage Policies](/platform/security/posture/policies/).
+
+10. Select **FINALIZE SETUP**.
+
+Mondoo begins scanning your Azure resources. When it completes, you can see results on the INVENTORY page. To learn more, read [Monitor Your Infrastructure Security](/platform/security/posture/monitor/).
+
+If your integration is unsuccessful, read [Troubleshoot an Azure Configuration](/platform/infra/cloud/azure/troubleshoot/).
+
+## Next steps
+
+- [Learn more about Mondoo](/platform/start/plat-what-is/)
+
+- [Integrate Mondoo with other cloud platforms in your infrastructure](/platform/infra/cloud/overview/)
+
+---
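Review bot: In Step C, item 4, `az role assignment create --role mondoo-role --assignee --scope ...` has no value after `--assignee`, so the command cannot run as written. Add a placeholder such as YOUR-APP-ID (the `appId` from Step B) and a substitution sentence. Item 3 says it confirms the role was created but runs `az role assignment list`, which lists assignments and comes before the assignment made in item 4. In "Add a new Azure integration in the Mondoo Console", steps 4 and 5 refer to a `tenantId` and subscription IDs "copied in Step A", but Step A on this page retrieves only the management group ID; the tenant appears as `tenant` in the Step B output. The Step B sample output shows `"displayName": "Mondoo"` although the command passes `--name mondoo-security`. Because the Step B output points to a PEM file holding the private key, the advice to paste results "somewhere handy" should direct readers to a secure location. Typo near the top: "limit scanning one or more Azure subscriptions" is missing "to".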
diff --git a/docs/platform/infra/cloud/azure/azure-integration-scan-subscription.mdx b/docs/platform/infra/cloud/azure/azure-integration-scan-subscription.mdx
new file mode 100644
index 000000000..293443e04
--- /dev/null
+++ b/docs/platform/infra/cloud/azure/azure-integration-scan-subscription.mdx
@@ -0,0 +1,379 @@
+---
+title: Quick Setup - Azure Subscription Continuous Scanning
+sidebar_label: Quick Setup - Azure Subscription Continuous Scanning
+sidebar_position: 2
+description: Configure the Mondoo Azure Integration to scan Azure subscriptions
+image: /img/featured_img/mondoo-azure.jpg
+---
+
+The Mondoo Azure integration lets you continuously scan Azure resources, such as compute instances and databases, in one or more Azure subscriptions.
+
+You can also scan an Azure management group. For instructions, read [Continuously Scan an Azure Management Group](/platform/infra/cloud/azure/azure-integration-scan-group/).
+
+## Prerequisites
+
+Before you integrate Microsoft Azure with Mondoo, be sure you have:
+
+- A [Mondoo account](/platform/start/plat-start-acct/) with Editor or Owner permissions for the space in which you want to add the integration.
+
+- An [Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) with an active subscription and permission to manage applications in Microsoft Entra ID (formerly Active Directory). Any of these [Entra built-in roles](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference) include the required permissions:
+
+ - [Global Administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator)
+
+ - [Application administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator)
+
+ - [Cloud application administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-application-administrator)
+
+ In the Azure portal you can see what roles your user account has: Go to **Microsoft Entra ID > Users > (your user account) > Assigned roles**.
+
+- Command-line access to Azure using either:
+
+ - [Azure Cloud Shell](https://learn.microsoft.com/en-us/azure/cloud-shell/quickstart?tabs=azurecli)
+
+ -
+
+ The Azure CLI in either the Linux shell or the macOS shell
+
+
+ Log into the Azure CLI from PowerShell or a Linux/macOS CLI by
+ entering:
+
+ az login
+
+ Azure opens your web browser and prompts you to log in. After you do
+ so, you can return to the CLI.
+
+
+
+
+
+## Register and grant permissions to an Azure app
+
+Like any service that integrates with Azure, Mondoo must have Microsoft Entra ID app registration in your Azure tenant. To learn more about creating a new app registration and service principal, read [App registration, app objects, and service principals](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#app-registration-app-objects-and-service-principals) in the Azure documentation.
+
+Registering Mondoo with Entra establishes a trust relationship between Mondoo and the Microsoft identity platform. The trust is unidirectional: Mondoo trusts the Microsoft identity platform, and not the other way around. The Entra app registration creates a [service principal](https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#what-are-service-principals-and-where-do-they-come-from) to represent Mondoo in any tenants and subscriptions.
+
+The app registration you create gives Mondoo read-only access to Azure resources, web apps, key vault, and Graph API.
+
+These instructions describe how to use Microsoft's "automatic" method of registering an Azure app. If you want to use your own certificates for authentication, if you use the [_key vault access policy_ permission model](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy), or if your Azure environment is unusually large, follow the instructions in [Manually Set up an Azure Integration](/platform/infra/cloud/azure/manual-reg-path/) instead.
+
+To configure your Azure resources, you must:
+
+Step A. Retrieve the subscription ID
+
+Step B. Create the app registration and certificate and grant READ access
+
+Step C. Grant web app and key vault READ permissions to the registered app
+
+Step D. Grant permissions to access Microsoft Graph (API permissions)
+
+### Step A: Retrieve your subscription ID and tenant ID
+
+You can give your app READ access to one or several subscriptions.
+
+1. In the Azure CLI, find the ID(s) of the subscription(s) you want to monitor by entering:
+
+ ```bash
+ az account subscription list
+ ```
+
+ OR
+
+ ```bash
+ az account list
+ ```
+
+The Azure CLI provides information about all your subscriptions across all tenants. Each entry has an `id` value.
+
+2. Copy the `id` value for each of the subscriptions you want to integrate with Mondoo. Paste the value(s) somewhere handy to use later.
+
+3. Copy the `tenantId` value and paste it somewhere handy to use later.
+
+### Step B: Create the app, service principal, and certificate and grant READ access
+
+A single command in the Azure CLI performs these tasks:
+
+- Creates the application registration and service principal in Microsoft Entra ID
+
+- Grants READ access (using RBAC) to the new application at the defined level
+
+- Creates a certificate and assigns it to the newly created app
+
+In the Azure CLI, enter:
+
+```bash
+az ad sp create-for-rbac --name mondoo-security --role Reader --scopes /subscriptions/YOUR-SUBSCRIPTION-ID --create-cert
+```
+
+For `YOUR-SUBSCRIPTION-ID`, substitute the `subscriptionId` value you copied in the instruction above. For example, this command creates a service principal and an application named `mondoo-security` that provides access to a subscription with the ID `e4e2600a-2d3d-2600-aa70-b9d8c8ec2600`:
+
+```bash
+az ad sp create-for-rbac --name mondoo-security --role Reader --scopes /subscriptions/e4e2600a-2d3d-2600-aa70-b9d8c8ec2600 --create-cert
+```
+
+:::tip
+
+To scan multiple subscriptions, in the Azure CLI, provide multiple subscription IDs:
+
+```bash
+az ad sp create-for-rbac --name mondoo-security --role Reader --scopes /subscriptions/YOUR-SUBSCRIPTION-ID-1 /subscriptions/YOUR-SUBSCRIPTION-ID-2 /subscriptions/YOUR-SUBSCRIPTION-ID-3 --create-cert
+```
+
+:::
+
+When successful, the Azure CLI returns results like these:
+
+```bash
+"appId": "63c35483-c62f-2600-a097-a6e44d8dcdf6",
+"displayName": "Mondoo",
+"fileWithCertAndPrivateKey": "/Users/stella/tmpkqyme3rm.pem",
+"password": null,
+"tenant": "e4e2600a-2d3d-2600-aa70-b9d8c8ec2600"
+```
+
+Copy your results and paste them somewhere handy; you'll need them in later steps.
+
+Copy the created PEM file (in the example above, it's named tmpkqyme3rm.pem) and save it; you'll need it in later steps.
+
+:::tip
+
+In the Azure portal, you can make sure that the created application has the required READ access at the subscription level: Go to **Azure portal > [your subscription] > Access control (IAM) > Roles (choose Reader and View) > Assessments**. If you see the `mondoo-security` application, you've succeeded.
+
+:::
+
+### Step C: Grant web app and key vault READ permissions to the registered app
+
+:::note
+
+The key vault permissions below are from Microsoft's "Key Vault Reader" role. The [Microsoft documentation](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles) describes this role:
+
+> _Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model._
+
+:::
+
+Follow these steps, substituting the subscription ID(s) you copied in Step A for YOUR-SUBSCRIPTION-ID:
+
+1. Copy this content and paste it into a new file named `mondoo-role.json`:
+
+ ```json
+ {
+ "Name": "mondoo-role",
+ "IsCustom": true,
+ "description": "Custom role for Mondoo integration",
+ "assignableScopes": ["/subscriptions/YOUR-SUBSCRIPTION-ID"],
+ "actions": [
+ "Microsoft.Authorization/*/read",
+ "Microsoft.ResourceHealth/availabilityStatuses/read",
+ "Microsoft.Insights/alertRules/*",
+ "Microsoft.Resources/deployments/*",
+ "Microsoft.Resources/subscriptions/resourceGroups/read",
+ "Microsoft.Support/*",
+ "Microsoft.Web/listSitesAssignedToHostName/read",
+ "Microsoft.Web/serverFarms/read",
+ "Microsoft.Web/sites/config/read",
+ "Microsoft.Web/sites/config/web/appsettings/read",
+ "Microsoft.Web/sites/config/web/connectionstrings/read",
+ "Microsoft.Web/sites/config/appsettings/read",
+ "Microsoft.web/sites/config/snapshots/read",
+ "Microsoft.Web/sites/config/list/action",
+ "Microsoft.Web/sites/read",
+ "Microsoft.KeyVault/checkNameAvailability/read",
+ "Microsoft.KeyVault/deletedVaults/read",
+ "Microsoft.KeyVault/locations/*/read",
+ "Microsoft.KeyVault/vaults/*/read",
+ "Microsoft.KeyVault/operations/read"
+ ],
+ "notActions": [],
+ "dataActions": [
+ "Microsoft.KeyVault/vaults/*/read",
+ "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
+ ],
+ "notDataActions": []
+ }
+ ```
+
+ To integrate with more than one subscription, list them:
+
+ ```bash
+ "assignableScopes": [
+
+ "/subscriptions/YOUR-SUBSCRIPTION-ID-1"
+
+ "/subscriptions/YOUR-SUBSCRIPTION-ID-2"
+
+ "/subscriptions/YOUR-SUBSCRIPTION-ID-3"
+
+ ]
+ ```
+
+2. Create a custom role in the specified subscription:
+
+ ```bash
+ az role definition create --role-definition mondoo-role.json
+ ```
+
+3. Make sure you successfully created the role:
+
+ ```bash
+ az role assignment list --role mondoo-role --scope /subscriptions/YOUR-SUBSCRIPTION-ID
+ ```
+
+4. Assign the created custom role to the app you registered:
+
+ ```bash
+ az role assignment create --role mondoo-role --assignee --scope /subscriptions/YOUR-SUBSCRIPTION-ID
+ ```
+
+### Step D: Grant permissions to access Microsoft Graph (API permissions)
+
+1. Copy this content and paste it into a new file on your local system named `app-manifest.json`:
+
+```json
+[
+ {
+ "resourceAppId": "00000003-0000-0000-c000-000000000000",
+ "resourceAccess": [
+ {
+ "id": "246dd0d5-5bd0-4def-940b-0421030a5b68",
+ "type": "Role"
+ },
+ {
+ "id": "e321f0bb-e7f7-481e-bb28-e3b0b32d4bd0",
+ "type": "Role"
+ },
+ {
+ "id": "5e0edab9-c148-49d0-b423-ac253e121825",
+ "type": "Role"
+ },
+ {
+ "id": "bf394140-e372-4bf9-a898-299cfc7564e5",
+ "type": "Role"
+ },
+ {
+ "id": "6e472fd1-ad78-48da-a0f0-97ab2c6b769e",
+ "type": "Role"
+ },
+ {
+ "id": "dc5007c0-2d7d-4c42-879c-2dab87571379",
+ "type": "Role"
+ },
+ {
+ "id": "b0afded3-3588-46d8-8b3d-9842eff778da",
+ "type": "Role"
+ },
+ {
+ "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
+ "type": "Role"
+ },
+ {
+ "id": "197ee4e9-b993-4066-898f-d6aecc55125b",
+ "type": "Role"
+ },
+ {
+ "id": "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30",
+ "type": "Role"
+ },
+ {
+ "id": "f8f035bb-2cce-47fb-8bf5-7baf3ecbee48",
+ "type": "Role"
+ },
+ {
+ "id": "dbb9058a-0e50-45d7-ae91-66909b5d4664",
+ "type": "Role"
+ },
+ {
+ "id": "9e640839-a198-48fb-8b9a-013fd6f6cbcd",
+ "type": "Role"
+ },
+ {
+ "id": "37730810-e9ba-4e46-b07e-8ca78d182097",
+ "type": "Role"
+ },
+ {
+ "id": "c7fbd983-d9aa-4fa7-84b8-17382c103bc4",
+ "type": "Role"
+ }
+ ]
+ }
+]
+```
+
+2. Execute these commands to grant the permissions in the JSON file and give administrator consent. For YOUR-APP-ID, substitute the `appId` value from the results you copied in Step B:
+
+ ```
+ az ad app update --id YOUR-APP-ID --required-resource-accesses @app-manifest.json
+
+ az ad app permission admin-consent --id YOUR-APP-ID
+ ```
+
+## Add a new Azure integration in the Mondoo Console
+
+After you've created, granted permissions to, and tested a new app registration, you can create a Mondoo Azure integration. You need some values from the app registration you created in the instructions above.
+
+1. Access the Integrations > Add > Azure page in one of two ways:
+
+ - New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select **BROWSE INTEGRATIONS** and then select **Azure**.
+
+ ![Welcome to Mondoo Page](/img/platform/start/welcome_to_mondoo.png)
+
+ - INTEGRATIONS page: In the side navigation bar, under **INTEGRATIONS**, select **Add New Integration**. Under Cloud Security, select **Azure**.
+
+ ![integration-create-image](/img/platform/infra/cloud/azure/add-int-azure-top.png)
+
+2. In the **Choose an integration name** box, enter a name for the integration. Make it a name that lets you easily recognize the Azure tenant.
+
+3. In the **Enter Application (client) ID** box, enter the value from the `appId` value you copied in Step B.
+
+4. In the **Enter the Directory (tenant) ID** box, enter the `tenantId` value you copied in Step A.
+
+5. Specify the subscriptions for Mondoo to continuously scan. You copied at least one subscription ID in step A.
+
+ - To continuously scan all subscriptions in the tenant, leave the **Scan all subscriptions connected to the Directory (tenant) ID** toggle enabled.
+
+ - To choose the subscriptions to scan, disable the **Scan all subscriptions connected to the Directory (tenant) ID** toggle, select Allowlist, and enter the subscription ID to scan.
+
+ - To scan **all** subscriptions except those you specify, disable the **Scan all subscriptions connected to the Directory (tenant) ID** toggle, select Denylist, and enter the names of the subscriptions you don't want Mondoo to scan.
+
+6. To automatically discover all Linux and Windows VMs in your subscription and scan them using Azure Run Command, select **Scan Azure VMs using Run Command**.
+
+7. Provide the certificate (a [PEM](https://aboutssl.org/what-is-pem-certificate-file/) (privacy-enhanced mail) file) for Mondoo to securely authenticate with the app (service principal) you created. You created this certificate in Step B.
+
+ The certificate file must have the `.pem` extension and must contain both the private key and the certificate in this order:
+
+ ```
+ -----BEGIN PRIVATE KEY-----
+ key goes here
+ -----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+ certificate goes here
+ -----END CERTIFICATE-----
+ ```
+
+ Upload the certificate to Mondoo: In the **Drag and drop your .pem file here** box, select the cloud icon and choose the file to upload.
+
+ ![integration-create-image](/img/platform/infra/cloud/azure/add-int-azure-bottom.png)
+
+8. Select the **START SCANNING** button.
+
+9. On the Recommended Policies page, enable the policies on which you want to base assessments of your Azure environment. To learn more, read [Manage Policies](/platform/security/posture/policies/).
+
+10. Select **FINALIZE SETUP**.
+
+Mondoo begins scanning your Azure resources. When it completes, you can see results on the INVENTORY page. To learn more, read [Monitor Your Infrastructure Security](/platform/security/posture/monitor/).
+
+If your integration is unsuccessful, read [Troubleshoot an Azure Configuration](/platform/infra/cloud/azure/troubleshoot/).
+
+## Next steps
+
+- [Learn more about Mondoo](/platform/start/plat-what-is/)
+
+- [Integrate Mondoo with other cloud platforms in your infrastructure](/platform/infra/cloud/overview/)
+
+---
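Review bot: In Step C, `mondoo-role.json` is not read-only, although the text above says the app registration gives Mondoo read-only access. `Microsoft.Insights/alertRules/*`, `Microsoft.Resources/deployments/*` and `Microsoft.Support/*` are wildcards that also cover write and delete operations, and `Microsoft.Web/sites/config/list/action` returns app settings and connection strings, which commonly hold secrets. Either narrow these to the `/read` actions the scan needs or say on the page why each broader action is required. Three snippets in the same step will not work as written. The multi-subscription `assignableScopes` example has no commas between its entries and is fenced as `bash` rather than `json`. The "Make sure you successfully created the role" check runs `az role assignment list`, which returns nothing until step 4 has been done; `az role definition list --name mondoo-role` is the check that matches the sentence. And `az role assignment create --role mondoo-role --assignee --scope ...` has no value after `--assignee`, so a placeholder such as `YOUR-APP-ID` appears to have been lost. In Step B, the text says to substitute the `subscriptionId` value while Step A had the reader copy `id`, and the sample output shows `"displayName": "Mondoo"` for a command run with `--name mondoo-security`. Since the generated PEM file contains the private key, "save it" should tell the reader to store it with restricted permissions and to remove the temporary copy once it is uploaded. In the prerequisites, the Azure CLI bullet is empty and `az login` is plain text rather than a code block.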
diff --git a/docs/platform/infra/cloud/azure/manual-reg-path.mdx b/docs/platform/infra/cloud/azure/manual-reg-path.mdx
new file mode 100644
index 000000000..63fc58231
--- /dev/null
+++ b/docs/platform/infra/cloud/azure/manual-reg-path.mdx
@@ -0,0 +1,292 @@
+---
+title: Manual Setup - Azure Continuous Scanning
+sidebar_label: Manual Setup - Azure Continuous Scanning
+sidebar_position: 5
+description: Take the manual approach to configuring the Mondoo Azure Integration to scan Azure resources.
+image: /img/featured_img/mondoo-azure.jpg
+---
+
+Mondoo integration with Azure requires that you register and grant permissions to an Azure app. Follow this "manual" approach to app registration and configuration if:
+
+- You want to use your own certificates for authentication
+
+- You use the [key vault access policy](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy) permission model for your key vaults
+
+- Your unique Azure infrastructure doesn't support Microsoft's "automatic" app registration method
+
+- You followed the steps in [Continuously Scan an Azure Management Group](/platform/infra/cloud/azure/azure-integration-scan-group/) or [Continuously Scan an Azure Subscription](/platform/infra/cloud/azure/azure-integration-scan-subscription/) and didn't successfully integrate Mondoo with Azure.
+
+## Prerequisites
+
+Before you integrate Microsoft Azure with Mondoo, be sure you have:
+
+- A [Mondoo account](/platform/start/plat-start-acct/) with Editor or Owner permissions for the space in which you want to add the integration.
+
+- An [Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) with an active subscription and permission to manage applications in Microsoft Entra ID (formerly Active Directory). Any of these [Entra built-in roles](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference) include the required permissions:
+
+ - [Global Administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator)
+
+ - [Application administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator)
+
+ - [Cloud application administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-application-administrator)
+
+ In the Azure portal you can see what roles your user account has: Go to **Microsoft Entra ID > Users > (your user account) > Assigned roles**.
+
+- Command-line access to Azure using either:
+
+ - [Azure Cloud Shell](https://learn.microsoft.com/en-us/azure/cloud-shell/quickstart?tabs=azurecli)
+
+ -
+
+ The Azure CLI in either the Linux shell or the macOS shell
+
+
+ Log into the Azure CLI from PowerShell or a Linux/macOS CLI by
+ entering:
+
+ az login
+
+ Azure opens your web browser and prompts you to log in. After you do
+ so, you can return to the CLI.
+
+
+
+
+
+## Register and grant permissions to an Azure app
+
+Like any service that integrates with Azure, Mondoo must have Microsoft Entra ID app registration in your Azure tenant. To learn more about creating a new app registration and service principal, read [App registration, app objects, and service principals](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#app-registration-app-objects-and-service-principals) in the Azure documentation.
+
+Registering Mondoo with Entra establishes a trust relationship between Mondoo and the Microsoft identity platform. The trust is unidirectional: Mondoo trusts the Microsoft identity platform, and not the other way around. The Entra app registration creates a [service principal](https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#what-are-service-principals-and-where-do-they-come-from) to represent Mondoo in any tenants and subscriptions.
+
+The app registration you create gives Mondoo read-only access to Azure resources, web apps, key vault, and Graph API.
+
+To configure your Azure resources, you must:
+
+Step A: Register an app with Microsoft Entra ID and create a service principal
+
+Step B: Grant permissions to access Microsoft Graph (API permissions)
+
+Step C: Grant required READ permissions to the app
+
+Step D: Grant web app READ permissions to the app
+
+Step E: Grant permissions to access Azure key vault
+
+Step F: Upload the application certificate
+
+### Step A: Register an app with Microsoft Entra ID and create a service principal
+
+Like any service that integrates with Azure, Mondoo must have an app registration. To learn more about creating a new app registration, read [App registration, app objects, and service principals](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#app-registration-app-objects-and-service-principals) in the Azure documentation.
+
+1. Log into the [Azure portal](https://portal.azure.com/) as a global administrator, application administrator or cloud application administrator.
+
+2. Find and select **Microsoft Entra ID**.
+
+3. In the navigation sidebar, select **App registrations**.
+
+ ![Azure app registrations](/img/platform/infra/cloud/azure/app-regs.png)
+
+4. Select **+ New registration**.
+
+ ![Create a new app registration in Azure](/img/platform/infra/cloud/azure/new-app-reg.png)
+
+5. Enter an application name (such as `mondoo-security`) and select **Accounts in this organizational directory only** as the supported account type. Mondoo does not require an application redirect URI.
+
+6. Select the **Register** button.
+
+ Microsoft creates the application ID and displays it in the application registration overview.
+
+ ![new app registration in Azure](/img/platform/infra/cloud/azure/after-new-app-reg.png)
+
+ Keep the page open as you continue to the next step.
+
+### Step B: Grant permissions to access Microsoft Graph (API permissions)
+
+import Graph from "./_include-graph.mdx";
+
+{" "}
+
+### Step C: Grant required READ permissions to the app
+
+These steps guide you through setting the READ permissions and "Key Vault Reader" permissions for a single subscription. If you want to scan several subscriptions, you must repeat the same steps for each subscription.
+
+If you want Mondoo to monitor an entire management group, you can perform these steps at the management group level: Search for "management groups" in the Azure portal and then select the management group you want to monitor. To monitor the entire directory, select the **tenant root** group.
+
+Set subscription-level permissions for your new app registration:
+
+1. From the Azure portal home, select **Subscriptions**.
+
+ ![Azure subscriptions](/img/platform/infra/cloud/azure/subscriptions.png)
+
+2. Select the subscription you want to integrate with Mondoo.
+
+ ![Azure subscription](/img/platform/infra/cloud/azure/add-int-azure-subscription.png)
+
+3. In the sidebar under the subscription name, select **Access control (IAM)**.
+
+4. Select the **Add role assignment** button.
+
+5. Select the **Reader** role and then select the Members tab (or Next button).
+
+ ![Azure Subscription Role Assignment](/img/platform/infra/cloud/azure/add-int-azure-role-member.png)
+
+6. Select **+ Select Members**, find and select your Mondoo app registration, and select the **Select** button.
+
+ ![Azure Subscription Role Member Assignment](/img/platform/infra/cloud/azure/add-int-azure-select-member.png)
+
+7. Select the **Review + assign** button (or Next button), check your work, and then select the **Review + assign** button again to assign the Reader role to your Mondoo app registration.
+
+8. Repeat steps 4-7 and this time choose the **"Key Vault Reader"** role in step 5.
+
+ Keep the Access control (IAM) page open as you continue to Step D.
+
+### Step D: Grant web app READ permissions to the app
+
+import Webapp from "./_include-webapp.mdx";
+
+{" "}
+
+### Step E: Grant permissions to access Azure key vault
+
+:::note
+
+There are two permission models for key vaults: role-based access control (RBAC) and key vault access policy.
+
+See what permission model your key vault uses: In the Azure portal, view the key vault's **Access configuration** settings. (You can easily change it to RBAC.)
+
+:::
+
+If you are using the RBAC for the key vault, there is no need for further actions; the READ permissions on the key vault will be applied by the "Key Vault Reader" subscription permissions applied in Step C.
+
+import Keyvault from "./_include-keyvault.mdx";
+
+{" "}
+
+### Step F: Upload the application certificate.
+
+The app registration and your Mondoo integration must share a [PEM](https://aboutssl.org/what-is-pem-certificate-file/) (privacy-enhanced mail) certificate for secure authentication. The certificate must not be password protected.
+
+Create a PEM certificate using the method approved by your organization's security team. You need two files:
+
+- The file you upload to Azure must have only the certificate, not the private key.
+
+- The file you upload to Mondoo Console (in the [Add a new Azure integration in the Mondoo Console](#add-a-new-azure-integration-in-the-mondoo-console) section below) must have both the private key and the certificate. It must have a `.pem` extension and must use this format and order of information:
+
+ ```
+ -----BEGIN PRIVATE KEY-----
+ key goes here
+ -----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+ certificate goes here
+ -----END CERTIFICATE-----
+ ```
+
+
+Generate a self-signed certificate for testing
+
+For testing purposes only, you can use OpenSSL toolkit together with req to generate a certificate. Run this command in Linux shell, macOS shell, or Azure Cloud shell (bash):
+
+```
+openssl req -newkey rsa:4096 -x509 -sha512 -days 365 -nodes -out certificate.pem -keyout privatekey.key
+```
+
+Add the private key to the beginning of the PEM file:
+
+```
+cat privatekey.key certificate.pem > certificate.combo.pem
+```
+
+
+
+Upload the certificate to Azure:
+
+1. From the Azure portal home, select **Microsoft Entra ID**.
+
+2. In the navigation sidebar, select **App registrations**.
+
+3. Select the app you created.
+
+4. In the sidebar under the app name, select **Certificate & secrets**.
+
+5. Select **Certificates** and then select **Upload certificate**.
+
+6. Select the PEM certificate and enter a description, such as `Mondoo certificate`.
+
+:::info
+
+Be sure to choose the file containing only the certificate, not the private key.
+
+:::
+
+7. Select the **Add** button.
+
+## Add a new Azure integration in the Mondoo Console
+
+After you've created, granted permissions to, and tested a new app registration, you can create a Mondoo Azure integration. You need some values from the app registration you created in the instructions above.
+
+1. Access the Integrations > Add > Azure page in one of two ways:
+
+ - New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select **BROWSE INTEGRATIONS** and then select **Azure**.
+
+ ![Welcome to Mondoo Page](/img/platform/start/welcome_to_mondoo.png)
+
+ - INTEGRATIONS page: In the side navigation bar, under **INTEGRATIONS**, select **Add New Integration**. Under Cloud Security, select **Azure**.
+
+ ![integration-create-image](/img/platform/infra/cloud/azure/add-int-azure-top.png)
+
+2. In the **Choose an integration name** box, enter a name for the integration. Make it a name that lets you easily recognize the Azure tenant.
+
+3. In the **Enter Application (client) ID** box, enter the value from the app registration's **Application (client) ID** box.
+
+4. In the **Enter the Directory (tenant) ID** box, enter the value from the app registration's **Directory (tenant) ID** box.
+
+5. Specify the subscriptions for Mondoo to continuously scan.
+
+ - To continuously scan all subscriptions in the tenant, leave the **Scan all subscriptions connected to the Directory (tenant) ID** toggle enabled.
+
+ - To choose the subscriptions to scan, disable the **Scan all subscriptions connected to the Directory (tenant) ID** toggle, select Allowlist, and enter the subscription ID to scan.
+
+ - To scan **all** subscriptions except those you specify, disable the **Scan all subscriptions connected to the Directory (tenant) ID** toggle, select Denylist, and enter the names of the subscriptions you don't want Mondoo to scan.
+
+6. To automatically discover all Linux and Windows VMs in your subscription and scan them using Azure Run Command, select **Scan Azure VMs using Run Command**.
+
+7. Provide a certificate (a [PEM](https://aboutssl.org/what-is-pem-certificate-file/) (privacy-enhanced mail) file) for Mondoo to securely authenticate with the app (service principal) you created.
+
+ The certificate file must have the `.pem` extension and must contain both the private key and the certificate in this order:
+
+ ```
+ -----BEGIN PRIVATE KEY-----
+ key goes here
+ -----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+ certificate goes here
+ -----END CERTIFICATE-----
+ ```
+
+ Upload the certificate to Mondoo: In the **Drag and drop your .pem file here** box, select the cloud icon and choose the file to upload.
+
+ ![integration-create-image](/img/platform/infra/cloud/azure/add-int-azure-bottom.png)
+
+8. To complete the integration, select the **START SCANNING** button.
+
+9. On the Recommended Policies page, enable the policies on which you want to base assessments of your Azure environment. To learn more, read [Manage Policies](/platform/security/posture/policies/).
+
+10. Select **FINALIZE SETUP**.
+
+Mondoo begins scanning your Azure resources. When it completes, you can see results on the INVENTORY page. To learn more, read [Monitor Your Infrastructure Security](/platform/security/posture/monitor/).
+
+If your integration is unsuccessful, read [Troubleshoot an Azure Configuration](/platform/infra/cloud/azure/troubleshoot/).
+
+## Next steps
+
+- [Learn more about Mondoo](/platform/start/plat-what-is/)
+
+- [Integrate Mondoo with other cloud platforms in your infrastructure](/platform/infra/cloud/overview/)
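Review bot: Steps B, D and E render with no instructions: each consists of an `import ... from "./_include-*.mdx";` line followed only by `{" "}`, so the imported `Graph`, `Webapp` and `Keyvault` components are never used. Replace each `{" "}` with the component tag (`<Graph />`, `<Webapp />`, `<Keyvault />`); as it stands the reader gets no Graph permissions, no web app permissions, and no steps for key vaults that use the access policy model. Other markup looks lost in the same way: the Azure CLI prerequisite is an empty `-` bullet with `az login` as plain text, and "Generate a self-signed certificate for testing" sits as a bare line with no heading or collapsible wrapper around the OpenSSL commands. In Step F, `-nodes` writes `privatekey.key` unencrypted and `certificate.combo.pem` then carries the same key, so the page should tell the reader to restrict permissions on both files, and the upload steps should name them explicitly (`certificate.pem` to Azure, `certificate.combo.pem` to Mondoo) rather than "the PEM certificate". Minor: the Step F heading ends with a period unlike the others, and the Denylist bullet asks for subscription "names" where the Allowlist bullet asks for the subscription ID.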
diff --git a/docs/platform/infra/cloud/azure/overview.mdx b/docs/platform/infra/cloud/azure/overview.mdx
new file mode 100644
index 000000000..56920c133
--- /dev/null
+++ b/docs/platform/infra/cloud/azure/overview.mdx
@@ -0,0 +1,39 @@
+---
+title: Secure Azure with Mondoo
+sidebar_label: Overview
+sidebar_position: 1
+description: Use Mondoo to assess your Microsoft Azure configurations and identify risks to your infrastructure
+image: /img/featured_img/mondoo-azure.jpg
+---
+
+Trust Mondoo to secure your Microsoft Azure environment. Mondoo identifies vulnerabilities and misconfigurations in compute instances, databases, networks, and more.
+
+Mondoo offers a variety of approaches to evaluating your Azure infrastructure security. You can continuously scan your Azure subscriptions, evaluate builds before they go to production, and run ad hoc scans.
+
+## Continuously scan
+
+Continuously evaluate the security of your Azure resources, such as compute instances, so that you always have an up-to-date view of your environment's security posture.
+
+With the API-driven Mondoo Azure Integration, you deploy the integration once and always get the latest security assessments for new accounts and resources:
+
+- [Quick Setup - Azure Subscription Continuous Scanning](/platform/infra/cloud/azure/azure-integration-scan-subscription)
+
+## Scan during build time
+
+- [Risk assessment for Azure Container Registry](/cnspec/supplychain/registry/azure_acr.md)
+
+- [Build VM Images with Packer](/cnspec/supplychain/packer.md)
+
+## Scan during run time
+
+- [Scan an Azure subscription from your workstation using cnspec](/cnspec/cnspec-azure/)
+
+- [Install cnspec via cloud-init](/platform/infra/opsys/automation/cloudinit.md)
+
+- [Terraform deployment](/cnspec/supplychain/terraform.md)
+
+- [Verify instances managed by Chef/AWS OpsWorks](/platform/infra/opsys/automation/chef.md)
+
+- [Verify instances managed by Ansible](/platform/infra/opsys/automation/ansible.md)
+
+---
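Review bot: The "Continuously scan" list links only to the subscription quick setup, while manual-reg-path.mdx in this same patch also sends readers to "Continuously Scan an Azure Management Group" and is itself a setup path; link both here so the overview covers every continuous-scanning route. Under "Scan during run time", "Verify instances managed by Chef/AWS OpsWorks" names an AWS service on an Azure page and should be reworded or dropped. Link targets are also inconsistent (some end in `.md`, some in `/`, the quick-setup link in neither), and the file ends with a stray `---` rule after the last list.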
diff --git a/docs/platform/infra/cloud/azure/troubleshoot.mdx b/docs/platform/infra/cloud/azure/troubleshoot.mdx
new file mode 100644
index 000000000..fac7d5742
--- /dev/null
+++ b/docs/platform/infra/cloud/azure/troubleshoot.mdx
@@ -0,0 +1,78 @@
+---
+title: Test or troubleshoot an Azure Integration
+sidebar_label: Troubleshoot Azure
+sidebar_position: 4
+description: Troubleshoot integrations between Mondoo and Microsoft Azure.
+image: /img/featured_img/mondoo-azure.jpg
+---
+
+Test your Azure configuration to ensure that the app registration and all the permissions are configured properly. You can do so using Mondoo's open source security scanning CLI, cnspec.
+
+## Scan with cnspec
+
+1. From your terminal, download the latest cnspec package from here: [https://releases.mondoo.com/cnspec/](https://releases.mondoo.com/cnspec/)
+
+ Example:
+
+ ```bash
+ wget https://releases.mondoo.com/cnspec/8.9.0/cnspec_8.9.0_linux_amd64.tar.gz
+ tar -xvf cnspec_8.9.0_linux_amd64.tar.gz
+ ```
+
+2. Scan your Azure platform:
+
+```bash
+./cnspec scan azure --subscription YOUR-SUBSCRIPTION-ID --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID --certificate-path certificate.combo.pem --policy-bundle mondoo-azure-security.mql.yaml
+```
+
+For `YOUR-SUBSCRIPTION-ID`, `YOUR-TENANT-ID`, and `YOUR-CLIENT-ID`, substitute your Azure information. The client ID is also called the application ID or app ID.
+
+Pay special attention to the queries showing `Error` results; they can result from improper permissions.
+
+## Troubleshoot: Scan with cnspec using a client secret
+
+If the scan above is unsuccessful, try using a client secret to authenticate and scan.
+
+1. Create a client secret:
+
+ a. From the Azure portal home, select **Microsoft Entra ID**.
+
+ b. In the navigation sidebar, select **App registrations**.
+
+ c. Select the app you created for Mondoo.
+
+ d. In the sidebar under the app name, select **Certificate & secrets**.
+
+ e. Select **New client secret**.
+
+ f. Enter a description for the client secret.
+
+ g. For **Duration**, specify a time after which the secret expires.
+
+ h. Select **Add** and quickly record the `Value`; it will disappear shortly.
+
+2. Scan with cnspec using the client secret:
+
+ ```bash
+ ./cnspec scan azure --subscription YOUR-SUBSCRIPTION-ID --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID --client-secret YOUR-CLIENT-SECRET-VALUE --policy-bundle mondoo-azure-security.mql.yaml
+ ```
+
+ For `YOUR-SUBSCRIPTION-ID`, `YOUR-TENANT-ID`, and `YOUR-CLIENT-ID`, substitute your Azure information.
+
+ For `YOUR-CLIENT-SECRET-VALUE`, substitute the value you recorded above.
+
+ If this scan is successful after the first scan was unsuccessful, then the issue is with your certificate. Follow the steps above again to provide a new certificate.
+
+## Troubleshoot: Scan with cnspec using direct authentication
+
+If you suspect that the problem is related to the app, it's helpful to scan using direct authentication. This only works if your current user account has adequate privileges.
+
+```bash
+./cnspec scan azure --subscription YOUR-SUBSCRIPTION-ID --policy-bundle mondoo-azure-security.mql.yaml
+```
+
+For `YOUR-SUBSCRIPTION-ID`, substitute your Azure subscription ID.
+
+## Troubleshoot: Manually register and configure a new app
+
+If you're unsuccessful with these troubleshooting approaches, try using the Microsoft's "manual" method for creating and configuring an app registration: read [Manually Set up an Azure Integration](/platform/infra/cloud/azure/manual-reg-path/).
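Review bot: The client-secret section creates a credential for the app and never removes it: add a final step telling the reader to delete the client secret under **Certificate & secrets** once the test is finished, and mention that passing it as `--client-secret YOUR-CLIENT-SECRET-VALUE` leaves the value in shell history. All three scan commands pass `--policy-bundle mondoo-azure-security.mql.yaml`, but no step says where that file comes from, so the first command fails for anyone following the page from the top. Step 1 says to download the latest package while the example pins `8.9.0`; either say the version is an example or use a placeholder. "Follow the steps above again to provide a new certificate" refers to steps that are on the setup pages, not on this one, and needs a link. Minor: "using the Microsoft's" should read "using Microsoft's", and the code block for step 2 of "Scan with cnspec" is not indented under its list item, unlike the one in step 1.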
diff --git a/docs/platform/infra/cloud/gcp/_category_.json b/docs/platform/infra/cloud/gcp/_category_.json
new file mode 100644
index 000000000..6d5843ad2
--- /dev/null
+++ b/docs/platform/infra/cloud/gcp/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "GCP",
+ "position": 4
+}
diff --git a/docs/platform/infra/cloud/gcp/gcp-integration-scan.mdx b/docs/platform/infra/cloud/gcp/gcp-integration-scan.mdx
new file mode 100644
index 000000000..c6a0368fe
--- /dev/null
+++ b/docs/platform/infra/cloud/gcp/gcp-integration-scan.mdx
@@ -0,0 +1,83 @@
+---
+title: Continuously Scan with a GCP Integration
+sidebar_label: Scan Continuously
+sidebar_position: 2
+description: This document covers the configuration and use of the Mondoo Google Cloud Platform (GCP) Integration to scan GCP projects
+image: /img/featured_img/mondoo-gcp.jpg
+---
+
+The Mondoo Google Cloud Platform (GCP) integration lets you continuously scan your GCP resources, such as compute instances and GKE service clusters.
+
+## Requirements
+
+- Create Service Accounts role in GCP
+- The GCP IAM API enabled
+- The GCP CLI
+
+## Create a service account for your GCP integration
+
+To access the data it needs, your GCP integration needs a GCP service account. To learn about service accounts, read [Understanding service accounts](https://cloud.google.com/iam/docs/understanding-service-accounts) in the Google documentation.
+
+1. Create a new GCP service account for the Mondoo integration to use.
+
+ For instructions, read [Creating and managing service accounts](https://cloud.google.com/iam/docs/creating-managing-service-accounts#iam-service-accounts-create-gcloud) in the Google documentation.
+
+ Note the email address created for the new service account.
+
+2. Assign the project viewer basic role to the service account: `roles/viewer`
+
+ For instructions, read [Grant a single role](https://cloud.google.com/iam/docs/granting-changing-revoking-access#grant-single-role) in the Google documentation.
+
+3. Create a JSON key for the service account.
+
+ For instructions, read [Create and manage service account keys](https://cloud.google.com/iam/docs/creating-managing-service-account-keys#iam-service-account-keys-get-gcloud) in the Google documentation.
+
+ Save the JSON file that downloads to your workstation when you create the key. You need it to configure the integration (in the next section below).
+
+## Add a new GCP integration
+
+1. Access the Integrations > Add > GCP page in one of two ways:
+
+ - New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select **BROWSE INTEGRATIONS** and then select **GCP**.
+
+ ![Welcome to Mondoo Page](/img/platform/start/welcome_to_mondoo.png)
+
+ - INTEGRATIONS page: In the side navigation bar, under **INTEGRATIONS**, select **Add New Integration**. Under Cloud Security, select **GCP**.
+
+ ![integration-create-image](/img/platform/infra/cloud/gcp/add-int-gcp-top.png)
+
+2. To integrate your entire GCP organization with Mondoo, select **Organization**.
+
+ OR
+
+ To limit the integration to a single project, select **Project**.
+
+3. In the **Choose an integration name** box, enter a name for the integration. Make it a name that lets you easily recognize the GCP project or organization.
+
+4. Identify the organization or project to integrate with Mondoo.
+
+ - For an organization: In the **Enter the organization resource ID** box, enter your organization's resource ID. To learn how to retrieve this value, read [Getting your organization resource ID](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id) in the Google documentation.
+
+ - For a project: In the **Enter the project ID** box, enter your project's ID. To learn how to retrieve this value, read [Identifying projects](https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects) in the Google documentation.
+
+5. Under **Provide your Google Service Account config**, upload the GCP service account's JSON key that you downloaded in the previous section:
+
+ Drag the file and drop it in the **Drag and drop your .json file here** box.
+
+ OR
+
+ In the **Drag and drop your .json file here** box, select the cloud icon and choose the file to upload.
+
+ ![integration-create-image](/img/platform/infra/cloud/gcp/add-int-gcp-bottom.png)
+
+6. To complete the integration, select the **START SCANNING** button.
+
+7. On the Recommended Policies page, enable the policies on which you want to base assessments of your Google Cloud environment. To learn more, read [Manage Policies](/platform/security/posture/policies/).
+
+## Next steps
+
+- [Learn more about Mondoo](/platform/start/plat-what-is/)
+
+- [Integrate Mondoo with other cloud platforms in your infrastructure](/platform/infra/cloud/overview/)
+
+---
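Review bot: Step 2 of "Create a service account" grants the basic role `roles/viewer` at project level, but step 2 of "Add a new GCP integration" lets the reader integrate a whole organization, and the page never says where the role must be granted in that case. Please document the binding for the organization path. Since a basic role gives read access to every service in the project, either state why it is required or list the narrower predefined roles the scan needs. Step 3 leaves a long-lived JSON key on the workstation; add a sentence telling the reader to delete the local copy after uploading it in step 5. The first requirement, "Create Service Accounts role in GCP", reads as an instruction rather than a prerequisite; name the permission or role the reader must already hold.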
diff --git a/docs/platform/infra/cloud/gcp/overview.mdx b/docs/platform/infra/cloud/gcp/overview.mdx
new file mode 100644
index 000000000..696515798
--- /dev/null
+++ b/docs/platform/infra/cloud/gcp/overview.mdx
@@ -0,0 +1,32 @@
+---
+title: Secure Google Cloud Platform (GCP) with Mondoo
+sidebar_label: Overview
+sidebar_position: 1
+description: Use Mondoo to assess your Google Cloud Platform (GCP) configurations and identify risks to your infrastructure
+image: /img/featured_img/mondoo-gcp.jpg
+---
+
+Rely on Mondoo to secure your Google Cloud Platform (GCP) environment. Mondoo identifies vulnerabilities and misconfigurations in compute instances, Dataproc and GKE clusters, Pub/Sub, and more.
+
+Mondoo offers a variety of approaches to evaluating your GCP infrastructure security. You can continuously scan your GCP projects, evaluate builds before they go to production, and run ad hoc scans.
+
+## Continuously scan
+
+Continuously evaluate the security of your GCP resources, such as compute instances, so that you always have an up-to-date view of your environment's security posture.
+
+With the [Mondoo GCP Integration](/platform/infra/cloud/gcp/gcp-integration-scan), you deploy the integration once and always get the latest security assessments for new accounts and resources.
+
+## Scan during build time
+
+- [Build secure VM images in Google Cloud with cnspec and HashiCorp Packer](/cnspec/cnspec-gcp/cnspec-gcp-packer/)
+- [Assess risk in the Google Cloud Container Registry](/cnspec/supplychain/registry/gcp_gcr.md)
+- [Build GCE custom images with HashiCorp Packer](/cnspec/supplychain/packer.md)
+
+## Scan during run time
+
+- [Scan a Google Cloud project with cnspec](/cnspec/cnspec-gcp/)
+- [Terraform deployment](/cnspec/supplychain/terraform.md)
+- [Verify instances managed by Chef/AWS OpsWorks](/platform/infra/opsys/automation/chef.md)
+- [Verify instances managed by Ansible](/platform/infra/opsys/automation/ansible.md)
+
+---
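Review bot: Under "Scan during run time", the entry "Verify instances managed by Chef/AWS OpsWorks" points at AWS tooling from the GCP overview; either retitle it for GCP-hosted instances or drop it. The link targets also mix three styles: `.md` suffixes (`/cnspec/supplychain/packer.md`), trailing slashes (`/cnspec/cnspec-gcp/`), and neither (`/platform/infra/cloud/gcp/gcp-integration-scan`). Settle on one so link checking behaves the same across the page. The two Packer entries under "Scan during build time" look like the same task described twice; confirm both targets are needed.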
diff --git a/docs/platform/infra/cloud/kubernetes/.gitkeep b/docs/platform/infra/cloud/kubernetes/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/docs/platform/infra/cloud/kubernetes/_category_.json b/docs/platform/infra/cloud/kubernetes/_category_.json
new file mode 100644
index 000000000..6089c0a5f
--- /dev/null
+++ b/docs/platform/infra/cloud/kubernetes/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Kubernetes",
+ "position": 4
+}
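Review bot: This category sets "position": 4, the same value as `gcp/_category_.json` earlier in the patch, so the two categories tie for one sidebar slot. Give each cloud category a distinct position. The same collision exists between `oci.mdx` and `vmware.md`, which both declare `sidebar_position: 7`.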
diff --git a/docs/platform/infra/cloud/kubernetes/cli.md b/docs/platform/infra/cloud/kubernetes/cli.md
new file mode 100644
index 000000000..34fe9e6f1
--- /dev/null
+++ b/docs/platform/infra/cloud/kubernetes/cli.md
@@ -0,0 +1,54 @@
+---
+title: Scan From Your Workstation
+sidebar_label: Scan From Your Workstation
+sidebar_position: 2
+image: /img/featured_img/mondoo-kubernetes.jpg
+description: This document provides detailed information on how to scan Kubernetes clusters from your workstation
+---
+
+Mondoo's security assessment CLI, cnspec, makes it easy to secure your Kubernetes cluster and all running workloads.
+
+:::note
+
+To ensure the maximum security, we recommend scanning container images before they are deployed into production, such as within a CI/CD pipelines or within a container registry. To learn more, read the [Mondoo CI/CD Overview](/platform/infra/supply/cicd/overview/).
+
+:::
+
+## Requirements
+
+To scan a Kubernetes cluster with Mondoo's cnspec CLI, you must install and set up [kubectl](https://kubernetes.io/docs/tasks/tools/) to communicate with your cluster. Make sure you can see your pods:
+
+```shell
+kubectl get pods
+NAME READY STATUS RESTARTS AGE
+luna-frontend-7fb96c846b-jjnhz 1/1 Running 0 30d
+luna-frontend-7fb96c846b-tmg95 1/1 Running 0 30d
+luna-frontend-7fb96c846b-xrl6c 1/1 Running 0 30d
+postgresql-5bb9d69b96-d9zzg 1/1 Running 0 30d
+```
+
+## Scan
+
+Mondoo leverages the configuration from `kubectl`. No additional configuration is required. To scan all namespaces, run:
+
+```shell
+cnspec scan k8s
+```
+
+### Scanning container images in pods
+
+To optionally scan container images defined in Kubernetes pods run:
+
+```shell
+cnspec scan k8s --discover container-images
+```
+
+### Scanning specific namespaces
+
+By default Mondoo will scan all Kubernetes namespace. To target a specific namespace use the `--namespace` flag:
+
+```shell
+cnspec scan k8s --namespace EXAMPLE_NAMESPACE
+```
+
+---
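Review bot: In the Requirements block, `kubectl get pods` and its sample output share one `shell` fence with no prompt, so a copy of the block picks up the output lines as commands. Put the command in its own fence and the output in a separate plain fence. Wording fixes in the same file: "within a CI/CD pipelines" should be "within a CI/CD pipeline", "all Kubernetes namespace" should be "namespaces", and "To optionally scan container images defined in Kubernetes pods run:" needs a comma before "run". The page alternates between "Mondoo" and "cnspec" as the thing that scans ("By default Mondoo will scan"); since every command is `cnspec`, name cnspec consistently.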
diff --git a/docs/platform/infra/cloud/kubernetes/overview.md b/docs/platform/infra/cloud/kubernetes/overview.md
new file mode 100644
index 000000000..ecf0bffe7
--- /dev/null
+++ b/docs/platform/infra/cloud/kubernetes/overview.md
@@ -0,0 +1,25 @@
+---
+title: Secure Kubernetes with Mondoo
+sidebar_label: Overview
+sidebar_position: 1
+image: /img/featured_img/mondoo-kubernetes.jpg
+description: Overview of Mondoo for Kubernetes clusters
+---
+
+Mondoo provides full-stack security assessment for your Kubernetes infrastructure. With Mondoo, you can continuously monitor your deployed clusters for vulnerabilities and misconfigurations.
+
+Mondoo can integrate with your Kubernetes CI/CD lifecycle: Automatically scan images, Kubernetes manifests, and registries to reveal issues before pushing them to production.
+
+Rely on Mondoo to protect the infrastructure your cluster runs on: automatically scan nodes for misconfigurations and CVEs.
+
+Learn how to:
+
+- [Continuously Scan Kubernetes with the Mondoo Kubernetes Operator](/platform/infra/cloud/kubernetes/scan-kubernetes-with-operator)
+
+- [Run ad hoc security Kubernetes scans from your workstation](/cnspec/cnspec-k8s/)
+
+- [Scan Kubernetes manifests](/cnspec/cnspec-k8s/cnspec-k8s-manifest)
+
+- [Integrate Mondoo with CI/CD systems](/platform/infra/supply/cicd/overview)
+
+---
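Review bot: In the "Learn how to" list, the workstation entry links to `/cnspec/cnspec-k8s/`, while this patch adds `cli.md` ("Scan From Your Workstation") in the same directory and nothing on this page links to it. Point the entry at the new page, or drop `cli.md` if the cnspec page is the intended target, so the two don't drift apart. "Run ad hoc security Kubernetes scans" also reads better as "Run ad hoc Kubernetes security scans".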
diff --git a/docs/platform/infra/cloud/kubernetes/scan-kubernetes-with-operator.md b/docs/platform/infra/cloud/kubernetes/scan-kubernetes-with-operator.md
new file mode 100644
index 000000000..8be053428
--- /dev/null
+++ b/docs/platform/infra/cloud/kubernetes/scan-kubernetes-with-operator.md
@@ -0,0 +1,86 @@
+---
+title: Continuously Scan Kubernetes with the Mondoo Kubernetes Operator
+sidebar_label: Scan Continuously
+description: This guide covers how you can continuously assess the security configuration of your Kubernetes cluster, nodes, and deployments with Mondoo.
+image: /img/featured_img/mondoo-kubernetes.jpg
+---
+
+The Mondoo Kubernetes Operator is Mondoo software that runs in your Kubernetes environment. Working within your cluster, the Mondoo Operator can:
+
+- Continuously scan nodes to assess security and identify vulnerabilities
+
+- Continuously scan the cluster to assess security and identify vulnerabilities
+
+- Scan new nodes as they come online
+
+The operator includes a Kubernetes admission controller that performs a security scan on each deployment introduced into the cluster and reports the results. [Learn more.](/cnspec/cnspec-k8s/)
+
+### Add a Mondoo Kubernetes integration
+
+To set up a Mondoo Kubernetes operator integration, access the Integrations > Add > GCP page in one of two ways:
+
+- New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select **BROWSE INTEGRATIONS** and then select **Kubernetes**.
+
+ ![Welcome to Mondoo Page](/img/platform/start/welcome_to_mondoo.png)
+
+- INTEGRATIONS page: In the side navigation bar, under **INTEGRATIONS**, select **Add New Integration**. Under Cloud Security, select **Kubernetes**.
+
+### Configure a Mondoo Kubernetes integration
+
+![k8s-settings](/img/platform/infra/cloud/kubernetes/integration-setup.png)
+
+1. Type a name for the integration. This name identifies the integration in lists and distinguishes it from other integrations in your space. You can't change the name after you leave this page.
+
+2. To continuously assess the security posture of nodes in your Kubernetes cluster, enable **Scan nodes**.
+
+3. To continuously assess the security posture of workloads and resources in your cluster, enable **Scan workloads**.
+
+4. To assess the security of every change applied to your Kubernetes cluster and display the results in the CI/CD view, enable **Scan incoming deployments**.
+
+5. If you enable **Scan incoming deployments**, choose the tool to use for managing the Mondoo admission controller's certificates: **cert-manager** or **OpenShift**.
+
+### Scanning incoming deployments
+
+Whenever a supported workload type is created or updated, the Kubernetes admission controller scans it.
+Currently, the admission controller can scan these workload types:
+
+- Pods
+- Deployments
+- DaemonSets
+- StatefulSets
+- Jobs
+- CronJobs
+
+If a workload is dependent on another workload, the admission controller only scans the owner workload. For example, if a Deployment creates a pod, the admission controller skips the pod and scans the Deployment.
+The owner workload is the definition where you can fix issues permanently.
+For more details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/owners-dependents/).
+
+Mondoo scans workloads according to the activated policies. [Learn more](/platform/security/posture/overview)
+
+Scan results appear in the CI/CD view when running the admission webhook in **permissive** mode.
+In **enforcing** mode, the scan result also determines whether the workload is applied to the cluster.
+For general information about admission controllers, see the [Kubernetes documentation](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/).
+
+## View Kubernetes integrations
+
+Once you've added a Kubernetes Operator Integration you can view these integrations by going to the **Integrations** page and selecting **Kubernetes**
+
+![k8s-integrations-list](/img/platform/infra/cloud/kubernetes/integration-list.png)
+
+To view additional status details or change an integration's configuration, select its row in the list.
+
+![k8s-integration-detail](/img/platform/infra/cloud/kubernetes/integration-details.png)
+
+## Remove Kubernetes integrations
+
+1. Follow the instructions above to view your Kubernetes integrations.
+
+2. On the Kubernetes Integrations page, select the pencil icon.
+
+3. Find the integration you want to remove and check the box beside it.
+
+4. On the **Edit Selection** menu, select **Remove** and then select the **Done** button.
+
+![remove-k8s-integration](/img/platform/infra/cloud/kubernetes/integration-delete.png)
+
+---
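Review bot: Under "Add a Mondoo Kubernetes integration", the sentence "access the Integrations > Add > GCP page" is a leftover from the GCP page and should read Kubernetes, matching the two bullets below it. "Scanning incoming deployments" describes **permissive** and **enforcing** modes, but configuration steps 1 to 5 never show where the mode is chosen or which one is the default. Since enforcing mode can block workloads from being applied, state the default and how to change it. The headings also start at `###` with no parent `##` and then switch to `##` for "View Kubernetes integrations"; promote the first three sections to `##`.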
diff --git a/docs/platform/infra/cloud/oci.mdx b/docs/platform/infra/cloud/oci.mdx
new file mode 100644
index 000000000..0bf8e9582
--- /dev/null
+++ b/docs/platform/infra/cloud/oci.mdx
@@ -0,0 +1,94 @@
+---
+title: Secure Oracle Cloud Infrastructure (OCI) with Mondoo
+sidebar_label: Oracle Cloud Infrastructure (OCI)
+sidebar_position: 7
+description: Continuously secure your Oracle Cloud Infrastructure (OCI) environment with Mondoo
+image: /img/featured_img/mondoo-oracle.jpg
+---
+
+Rely on Mondoo to continuously secure your Oracle Cloud (OCI) environment. Mondoo regularly checks your OCI tenancy for misconfigurations and vulnerabilities that can put your organization at risk.
+
+Create an OCI integration to give Mondoo the access it needs to assess your tenancy.
+
+## Prerequisites
+
+- Owner or Editor access to the Mondoo space where you want to add the OCI integration
+
+- Access to an OCI tenancy
+
+## Add an OCI integration
+
+1. In the [Mondoo Console](https://console.mondoo.com), access the Integrations > Add > Oracle Cloud Infrastructure page in one of two ways:
+
+ - New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select **BROWSE INTEGRATIONS** and then select **Oracle Cloud Infrastructure**.
+
+ ![Welcome to Mondoo Page](/img/platform/start/welcome_to_mondoo.png)
+
+ - INTEGRATIONS page: Navigate to **INTEGRATIONS**. Under Cloud, select **Oracle Cloud Infrastructure**.
+
+ ![Cloud integrations](/img/platform/infra/add-cloud.png)
+
+2. In the **Choose an integration name** box, enter a name for the integration. Make it a name that lets you easily recognize the OCI tenancy.
+
+ ![Add an Oracle Cloud Infrastructure - OCI - Mondoo integration](/img/platform/infra/oci/add-oci-top.png)
+
+3. In a different browser tab, log into the [Oracle Cloud Console](https://cloud.oracle.com).
+
+4. In the top-right corner of the Oracle Cloud Console, select the User Profile icon and select My Profile.
+
+ ![OCI - my profile](/img/platform/infra/oci/my-profile.png)
+
+5. In the bottom-left Resources menu, select **API keys** and select the **Add API key** button.
+
+ ![OCI - API keys](/img/platform/infra/oci/select-api-keys.png)
+
+To learn about API keys, read [Required Keys and OCIDs](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm) in the OCI documentation.
+
+6. Select the **Download private key** button to download a PEM certificate to use for the Mondoo OCI integration.
+
+ ![OCI - Add API key](/img/platform/infra/oci/add-api-key.png)
+
+7. Select the **Add** button.
+
+ OCI shows a configuration file snippet. Select **Copy** to copy the snippet.
+
+ ![OCI configuration file snippet](/img/platform/infra/oci/config-file.png)
+
+8. Return to the tab where you're creating an integration in the Mondoo Console. In the **Provide the config file snippet** box, paste the snippet you copied.
+
+ ![Add a Mondoo OCI integration](/img/platform/infra/oci/add-oci-bottom.png)
+
+9. Upload the PEM certificate that you downloaded when you added an OCI API key: In the **Drag and drop your .pem file here** box, select the cloud icon and choose the file to upload.
+
+10. Select the **START SCANNING** button.
+
+11. On the Recommended Policies page, enable the policies on which you want to base assessments of your OCI environment. To learn more, read [Manage Policies](/platform/security/posture/policies/).
+
+## View your OCI integration
+
+1. In the side navigation bar, under Integrations, select **Oracle Cloud Infrastructure**.
+
+ ![OCI integrations list](/img/platform/infra/oci/oci-int-list.png)
+
+2. In the list of OCI integrations, select the integration you want to view.
+
+ ![OCI integration](/img/platform/infra/oci/view-oci-int.png)
+
+### Statuses
+
+The possible statuses for an OCI integration are:
+
+- **ACTIVE**: The integration is active/healthy.
+- **ERROR**: Mondoo detected an error when attempting to scan.
+
+### Remove an integration
+
+To remove an integration, select the trash can icon. A confirmation prompt displays. Once you confirm the deletion, Mondoo removes the configured integration and stops triggering scans of the OCI tenancy.
+
+## Next steps
+
+- [Learn more about Mondoo](/platform/start/plat-what-is/)
+
+- [Secure other platforms](/platform/infra/overview)
+
+---
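Review bot: Steps 4 and 5 of "Add an OCI integration" add the API key to the signed-in user's own profile, so the integration scans with whatever permissions that user holds, and the Prerequisites only ask for "Access to an OCI tenancy". Document a dedicated user with read-only access for the integration, as the VMware page in this patch does with its read-only role. Steps 6 and 9 call the download a "PEM certificate", but the button is **Download private key**; call it a private key so readers treat the file accordingly, and tell them to remove the local copy after upload. The paragraph "To learn about API keys, read ..." between steps 5 and 6 is not indented, which ends the numbered list in Markdown; indent it under step 5.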
diff --git a/docs/platform/infra/cloud/overview.md b/docs/platform/infra/cloud/overview.md
new file mode 100644
index 000000000..b0f6c50b4
--- /dev/null
+++ b/docs/platform/infra/cloud/overview.md
@@ -0,0 +1,39 @@
+---
+title: Overview of Cloud Security with Mondoo
+sidebar_label: Overview
+sidebar_position: 1
+description: This page provides an overview of how you can use Mondoo to secure both your public cloud (AWS, Google Cloud, Azure), private cloud (VMware), Kubernetes, as well as SaaS services such as Microsoft 365.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+With Mondoo, you can ensure that your cloud infrastructure is free of security vulnerabilities and complies with your security standards. Mondoo identifies cloud misconfigurations and CVEs that put your organization at risk. It scans all of your cloud environments to expose gaps before attackers can find them.
+
+## Cloud platforms
+
+Mondoo's cloud integrations make risk assessments easy:
+
+- [Amazon Web Services (AWS)](/platform/infra/cloud/aws/aws-overview/)
+
+- [Google Cloud Platform (GCP)](/platform/infra/cloud/gcp/overview/)
+
+- [Kubernetes](/platform/infra/cloud/kubernetes/overview/)
+
+- [Microsoft Azure](/platform/infra/cloud/azure/overview/)
+
+- [Oracle Cloud Infrastructure (OCI)](/platform/infra/cloud/oci/)
+
+- [VMware vSphere](/platform/infra/cloud/vmware/)
+
+## Learn more
+
+- **[SaaS security](/platform/infra/saas/overview/)**
+
+- **[Software supply chain security](/platform/infra/supply/overview/)**
+
+- **[Server and endpoint security](/platform/infra/opsys/osoverview/)**
+
+- **[Deployment automation](/platform/infra/opsys/automation/overview/)**
+
+## Get help
+
+Can't find what you need? Join our community Slack channel to chat with us and other Mondoo users.
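Review bot: The "Get help" section tells readers to join the community Slack channel but gives no link; add the invite URL or point to the page that has it. In the front matter, the description pairs "both" with four items ("public cloud ..., private cloud (VMware), Kubernetes, as well as SaaS services"); drop "both" and make the list parallel.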
diff --git a/docs/platform/infra/cloud/vmware.md b/docs/platform/infra/cloud/vmware.md
new file mode 100644
index 000000000..bfb340597
--- /dev/null
+++ b/docs/platform/infra/cloud/vmware.md
@@ -0,0 +1,537 @@
+---
+title: Secure VMware with Mondoo
+sidebar_label: VMware
+sidebar_position: 7
+description: This page covers how you can use Mondoo to assess VMware vSphere and ESXi hosts for advisories, vulnerabilities, and security misconfigurations.
+image: /img/featured_img/mondoo-vmware.jpg
+---
+
+This page describes how to use Mondoo to assess VMware vSphere and ESXi hosts for advisories, vulnerabilities, and security misconfigurations.
+
+## Create a read-only user for Mondoo in vCenter
+
+For Mondoo to scan assets, it requires read-only user access to the vCenter. To provide this, you must first create a new, read-only role. Then you create a new user and assign it the role you created.
+
+1. On the vSphere Client main menu, select **Administration** and then select **Roles**.
+2. Select the **Read-only** role and then select **CLONE**.
+3. Type the name **Mondoo read-only role** and select **OK**.
+
+ ![Clone read-only role](/img/platform/infra/cloud/vmware/clone-read-only-role.png)
+
+4. In the list of roles, select the **Mondoo read-only role** you just created and select **EDIT**.
+5. In the left-side list, select **Global**, and in the right-side list, check **Settings**. Then select **SAVE**.
+
+ ![Create read-only role](/img/platform/infra/cloud/vmware/mondoo-role-global-settings.png)
+
+6. On the **Administration** menu, select **Users and Groups**.
+7. Under **Users**, select the Domain **vsphere.local**, and select **ADD**.
+8. Type the name **mondoo-read** and assign it a password, then select **ADD**.
+
+ ![Create mondoo user](/img/platform/infra/cloud/vmware/create-mondoo-read-account.png)
+
+9. On the **Administration** menu, select **Global Permissions** and select **ADD**.
+10. Assign the new role to the new user:
+
+a. Select the user you created, **mondoo-read**.
+
+b. Select the role you created, **Mondoo Read-only role**.
+
+c. Check **Propagate to children**.
+
+d. Select **OK**.
+
+![add read-only role to mondoo user](/img/platform/infra/cloud/vmware/add-permission-to-mondoo-read-account.png)
+
+## Mondoo VMware appliance
+
+Mondoo's VMware appliance is a pre-configured standard Linux host that allows you to quickly launch a virtual machine designed to scan your VMware environment using cnspec. It is built using these components:
+
+- Debian 12
+- [dev-sec.io's Ansible os and ssh role](https://github.com/dev-sec/ansible-collection-hardening)
+- [VMware tools](https://github.com/vmware/open-vm-tools)
+- [Cloud-Init](https://cloudinit.readthedocs.io/en/latest/index.html) and [cloud-init-vmware-guestinfo](https://github.com/vmware/cloud-init-vmware-guestinfo)
+- [cnspec](https://mondoo.com/cnspec)
+- [cnquery](https://mondoo.com/cnquery)
+
+:::info
+
+It is not required to use the Mondoo VMware appliance. Instead, you can provision your own hardened Linux instance and install and configure cnspec to scan your VMware infrastructure.
+
+:::
+
+**Setup**
+
+1. Download the [Mondoo OVA image](https://releases.mondoo.com/vmware/).
+2. Import the Mondoo OVA image.
+3. Launch the Mondoo OVA image.
+
+### Launch the appliance using the vCenter web UI
+
+1. Right-click on your Datacenter and select **Deploy OVF Template**.
+
+![Deploy OVF Template](/img/platform/infra/cloud/vmware/vmware-deploy-ovf-template.png)
+
+2. Select an OVF template using **URL** or **Local file** and select **Next**.
+
+![Select OVF Template](/img/platform/infra/cloud/vmware/vmware-select-ovf-template.png)
+
+3. Select a name and folder where you want to deploy the Mondoo appliance and select **Next**.
+
+![Select folder](/img/platform/infra/cloud/vmware/vmware-select-name-folder.png)
+
+4. Select any compute resource to run the Mondoo appliance and select **Next**.
+
+5. Review the details and select **Next**.
+
+![Review details](/img/platform/infra/cloud/vmware/vmware-review-details.png)
+
+6. Select the appropriate storage (such as `datastore2`) and select **Next**.
+
+![Select Storage](/img/platform/infra/cloud/vmware/vmware-select-storage.png)
+
+7. Select destination network (such as `VM Network`) and select **Next**.
+
+![Select Network](/img/platform/infra/cloud/vmware/vmware-select-network.png)
+
+8. Review your complete configuration for the Mondoo appliance and select **Next**.
+
+![Ready to complete](/img/platform/infra/cloud/vmware/vmware-ready.png)
+
+9. Launch the Mondoo appliance.
+
+### SSH for Mondoo appliance
+
+The virtual machine is configured with a `mondoo` user and `mondoo` password. After the first login, you must change the password.
+
+By default, the hardened machine disables password login. To configure the `authorized_keys`, add your ssh public keys to `/home/mondoo/.ssh/authorized_keys`.
+
+:::note
+
+Instead of setting `/home/mondoo/.ssh/authorized_keys` manually, you can configure Cloud-Init to configure the ssh key when during boot time.
+
+:::
+
+:::tip
+
+If you are using GitHub, you can quickly fetch your public keys with this command: `mkdir ~/.ssh && curl https://github.com/{youruser}.keys > .ssh/authorized_keys`
+
+:::
+
+When you log in using your ssh key, you see this welcome screen:
+
+```
+ .-.
+ : :
+,-.,-.,-. .--. ,-.,-. .-' : .--. .--. ™
+: ,. ,. :' .; :: ,. :' .; :' .; :' .; :
+:_;:_;:_;`.__.':_;:_;`.__.'`.__.'`.__.'
+
+Mondoo VMware Appliance
+
+mondoo@debian:~$
+```
+
+#### Enable SSH password authentication
+
+If you can't copy the SSH key using the `curl` command, you can allow SSH password authentication during deployment.
+
+1. After the SSH public keys are deployed, enable SSH password authentication by modifying these lines in `/etc/ssh/sshd_config`:
+
+```bash
+AuthenticationMethods password
+PasswordAuthentication yes
+```
+
+2. Restart the sshd service using `systemctl restart sshd.service`.
+
+3. Log in with your user name and password.
+
+### Configure a static IP address (optional)
+
+If you choose, you can configure a static IP address (using a `root` user shell).
+
+1. In the editor of your choice, open the `/etc/network/interfaces` file and rewrite the block that defines your primary network interface. For example, this block adds the static IP `192.168.1.100` to the interface `ens32` in a Class C private network with the network gateway and the name server both housed at `192.168.1.1`:
+
+```bash
+# The primary network interface
+auto ens32
+iface ens32 inet static
+address 192.168.1.100
+netmask 255.255.255.0
+gateway 192.168.1.1
+dns-nameservers 192.168.1.1 8.8.8.8
+```
+
+2. Make sure to comment out these lines in the file `/etc/network/interfaces.d/50-cloud-init`:
+
+```bash
+#auto lo
+#iface lo inet loopback
+
+#auto ens32
+#iface ens32 inet dhcp
+```
+
+3. Create the file `/etc/cloud/cloud.cfg.d/99-disable-network-config.cfg` with the following content:
+
+```bash
+network: {config: disabled}
+```
+
+4. Make sure to set the correct name server(s) in the file `/etc/resolv.conf`:
+
+```bash
+nameserver 192.168.1.1
+nameserver 192.168.1.2
+```
+
+5. Now restart the `networking` service:
+
+```bash
+systemctl restart networking
+```
+
+:::note
+
+If the static IP you chose is different then the current IP address of the VM, you will lose the current shell connection to the Mondoo Appliance and need to reconnect to the new, static IP address.
+
+:::
+
+### Configure cnspec
+
+Mondoo's cross-platform scanning engine, [cnspec](/cnspec/cnspec-about/), assesses your VMware. To return results to Mondoo for monitoring, reporting, and measuring improvements, you must register cnspec with Mondoo Platform.
+
+1. Enter this command:
+
+```bash
+sudo cnspec login -t --config /etc/opt/mondoo/mondoo.yml
+```
+
+2. Verify that cnspec is registered successfully with Mondoo Platform by running `cnspec status`:
+
+```bash
+→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source --config
+→ Hostname: debian
+→ IP: 192.168.51.139
+→ Platform: debian
+→ Release: 11.2
+→ Time: 2022-05-26T15:43:59-07:00
+→ Version: 6.0.0 (API Version: 6)
+→ API ConnectionConfig: https://us.api.mondoo.com
+→ API Status: SERVING
+→ API Time: 2022-05-26T22:44:00Z
+→ API Version: 6
+→ Space: //captain.api.mondoo.app/spaces/relaxed-poincare-384428
+→ Client: //agents.api.mondoo.app/spaces/relaxed-poincare-384428/agents/22vUq9U0gN9Uoy2c3UqCaKARSEg
+→ Service Account: //agents.api.mondoo.app/spaces/relaxed-poincare-384428/serviceaccounts/22y0WDmHloyEvdJEteV5cEvsQTj
+→ client is registered
+→ client authenticated successfully
+```
+
+3. Test that cnspec can reach the vSphere API. The command below runs the two default Mondoo policies:
+ - The `Platform End-of-Life Policy`
+ - The `Platform Vulnerability Policy`
+
+As their names suggest, they scan the vSphere and determine if it has reached its end-of-life and if there are any known vulnerabilities.
+
+Use the `--incognito` switch to disable sending the results to the Mondoo Console.
+
+```bash
+# vSphere 6.x / 7.x
+cnspec scan vsphere user@host --ask-pass
+```
+
+4. Activate the policies against which Mondoo assesses your VMware.
+
+To learn more, read [Manage Policies](/platform/security/posture/policies/).
+
+A good place to start scanning is the `VMware vSphere ESXi Security Baseline by Mondoo` policy.
+
+5. Now, with the policy of your choice activated, scan again:
+
+```bash
+cnspec scan vsphere user@host --ask-pass
+```
+
+Since we did not pass the `--incognito` switch, the command output will also include a link to the Mondoo Console, where you can review the scan results.
+
+## Set up cnspec inventory
+
+cnspec is able to leverage an inventory to scan multiple VMware assets at the same time. An inventory is a list of systems with their connection types and accounts.
+
+### cnspec inventory with embedded secrets
+
+This `inventory.yml` illustrates the configuration for the vCenter connection:
+
+```yaml
+apiVersion: v1
+kind: Inventory
+metadata:
+ name: cnspec-inventory
+ labels:
+ environment: production
+spec:
+ assets:
+ - name:
+ connections:
+ - type: vsphere
+ host: < ip of the ESXi or vCenter >
+ insecure: true
+ credentials:
+ - type: password
+ user: < username >
+ password: < password >
+ discover:
+ targets:
+ - host-machines
+```
+
+Using a user account with `root` privileges, store the content in `/etc/opt/mondoo/inventory.yml` to ensure that cnspec picks up the inventory automatically.
+
+Test that the `inventory.yml` is working:
+
+```bash
+mondoo@debian:~$ sudo cnspec scan --inventory-file /etc/opt/mondoo/inventory.yml
+→ load inventory inventory=/etc/opt/mondoo/inventory.yml
+→ cnspec 7.15.1 (Space: "//captain.api.mondoo.app/spaces/relaxed-poincare-384428", Service Account: "22y0WDmHloyEvdJEteV5cEvsQTj", Managed Client: "22vUq9U0gN9Uoy2c3UqCaKARSEg")
+→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source --config
+
+→ discover related assets for 1 asset(s)
+→ resolved assets resolved-assets=4
+→ execute policies
+→ synchronize asset found=4
+→ establish connection to asset 192.168.51.134 (VMware vCenter Server) (api)
+→ established connection
+→ run policies for asset asset=//assets.api.mondoo.app/spaces/relaxed-poincare-384428/assets/22y2gEXiZrRagoV5cPbVFjj0MSI
+...
+```
+
+Restart the service, so that the new inventory is loaded:
+
+```bash
+sudo systemctl restart cnspec
+```
+
+Check if the `inventory.yml` is loaded:
+
+```bash
+sudo journalctl -u cnspec.service
+```
+
+```bash
+-- Journal begins at Wed 2021-12-29 16:03:27 UTC, ends at Wed 2021-12-29 16:39:28 UTC. --
+Dec 29 16:38:04 debian systemd[1]: Started cnspec Service.
+Dec 29 16:38:05 debian cnspec[1294]: → load inventory inventory=/etc/opt/mondoo/inventory.yml
+Dec 29 16:38:05 debian cnspec[1294]: → cnspec 7.15.1 (Space: "//captain.api.mondoo.app/spaces/relaxed-poincare-384428", Service Account>
+Dec 29 16:38:05 debian cnspec[1294]: → loaded configuration from /etc/opt/mondoo/mondoo.yml using source --config
+Dec 29 16:38:06 debian cnspec[1294]: → start cnspec background service
+```
+
+Enable the service so that after the VM restarts, the service starts automatically:
+
+```bash
+sudo systemctl enable cnspec
+```
+
+### cnspec inventory YAML with encrypted file vault
+
+Configure cnspec's vault to use the encrypted file vault. Execute the following commands as `mondoo` user (not as `root` user). Run the following command to create the vault configuration:
+
+```bash
+cnspec vault configure mondoo-client-vault --type encrypted-file --option=password='changeme' --option path='/etc/opt/mondoo/vault.enc'
+→ add the following vault configuration to your inventory file
+spec:
+ vault:
+ name: mondoo-client-vault
+ options:
+ password: changeme
+ path: /etc/opt/mondoo/vault.enc
+ type: encrypted-file
+```
+
+Adjust the `/etc/opt/mondoo/inventory.yml` with the proposed configuration to use the encrypted file vault functionality:
+
+```yaml
+apiVersion: v1
+kind: Inventory
+metadata:
+ name: cnspec-inventory
+ labels:
+ environment: production
+spec:
+ assets:
+ - name:
+ connections:
+ - type: vsphere
+ host: 192.168.51.134
+ insecure: true
+ credentials:
+ - secret_id: vcenter
+ discover:
+ targets:
+ - host-machines
+ vault:
+ name: mondoo-client-vault
+ options:
+ password: changeme
+ path: /etc/opt/mondoo/vault.enc
+ type: encrypted-file
+```
+
+To store the vSphere login credentials into the encrypted file vault, execute the following command:
+
+```bash
+cnspec vault add-secret vcenter '{ "type": "password", "user": "chris@vsphere.local", "password": "password" }' --inventory-file /etc/opt/mondoo/inventory.yml
+```
+
+Now, you can scan the vSphere using the encrypted file vault:
+
+```bash
+# Note that you need to run this as root user, as the vault is stored in /etc/opt/mondoo/vault.enc
+sudo cnspec scan --inventory-file /etc/opt/mondoo/inventory.yml
+```
+
+Once you have verified that the encrypted file vault is working, you can restart the cnspec service:
+
+```bash
+systemctl restart cnspec
+```
+
+## Scan virtual machines using VMware tools
+
+As the first step, we query for available virtual machines that have VMware Tools configured.
+
+```bash
+# open the shell to the vsphere api
+cnspec shell vsphere user@host --ask-pass
+
+# select the platform id for api
+cnspec shell vsphere user@host --ask-pass --platform-id /platformid.api.mondoo.app/runtime/vsphere/instance/ha-host
+```
+
+Within the cnspec shell query the available VMs and their inventory Path.
+
+```javascript
+cnspec> vsphere.datacenters { vms { inventoryPath name } }
+vsphere.datacenters: [..
+ 0: {
+ vms: [
+ 0: {
+ name: "mondoo-appliance"
+ inventoryPath: "/Mondoo Datacenter 2/vm/mondoo-appliance"
+ }
+ 1: {
+ name: "vCenter"
+ inventoryPath: "/Mondoo Datacenter 2/vm/vCenter"
+ }
+ 2: {
+ name: "windows 2022"
+ inventoryPath: "/Mondoo Datacenter 2/vm/windows 2022"
+ }
+ ]
+ }
+ 1: {
+ vms: [
+ 0: {
+ name: "ubuntu-no-guest-tools"
+ inventoryPath: "/Mondoo Datacenter 1/vm/ubuntu-no-guest-tools"
+ }
+ 1: {
+ name: "ubuntu"
+ inventoryPath: "/Mondoo Datacenter 1/vm/ubuntu"
+ }
+ ]
+ }
+]
+```
+
+Next, we query for all VMs and get check if the VMware Guest Tools are installed:
+
+```javascript
+cnspec> vsphere.datacenters { vms { name inventoryPath properties["summary"]["guest"]["toolsStatus"] }}
+vsphere.datacenters: [..
+ 0: {
+ vms: [
+ 0: {
+ name: "mondoo-appliance"
+ inventoryPath: "/Mondoo Datacenter 2/vm/mondoo-appliance"
+ properties[summary][guest][toolsStatus]: "toolsOk"
+ }
+ 1: {
+ name: "vCenter"
+ inventoryPath: "/Mondoo Datacenter 2/vm/vCenter"
+ properties[summary][guest][toolsStatus]: "toolsOk"
+ }
+ 2: {
+ name: "windows 2022"
+ inventoryPath: "/Mondoo Datacenter 2/vm/windows 2022"
+ properties[summary][guest][toolsStatus]: "toolsNotRunning"
+ }
+ ]
+ }
+ 1: {
+ vms: [
+ 0: {
+ name: "ubuntu-no-guest-tools"
+ inventoryPath: "/Mondoo Datacenter 1/vm/ubuntu-no-guest-tools"
+ properties[summary][guest][toolsStatus]: "toolsNotInstalled"
+ }
+ 1: {
+ name: "ubuntu"
+ inventoryPath: "/Mondoo Datacenter 1/vm/ubuntu"
+ properties[summary][guest][toolsStatus]: "toolsNotRunning"
+ }
+ ]
+ }
+]
+```
+
+With that information, we can connect to an individual virtual machine via VMware Tools:
+
+```bash
+cnspec scan vsphere vm user@host --password password --insecure --option 'inventoryPath=/Mondoo Datacenter 2/vm/mondoo-appliance' --option guestUser=mondoo --option guestPassword='changeme'
+```
+
+The result would look like this:
+
+```
+cnspec scan vsphere vm mondoo-read@vsphere.local@192.168.51.134 --password changeme --insecure --option 'inventoryPath=/Mondoo Datacenter 2/vm/mondoo-appliance' --option guestUser=mondoo --option guestPassword='changeme'
+→ cnspec 7.15.1 (Space: "//captain.api.mondoo.app/spaces/relaxed-poincare-384428", Service Account: "22y0WDmHloyEvdJEteV5cEvsQTj", Managed Client: "22vUq9U0gN9Uoy2c3UqCaKARSEg")
+→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source --config
+
+→ discover related assets for 1 asset(s)
+→ resolved assets resolved-assets=1
+→ execute policies
+→ synchronize asset found=1
+→ establish connection to asset mondoo-appliance
+→ established connection
+→ run policies for asset asset=//assets.api.mondoo.app/spaces/relaxed-poincare-384428/assets/22y6EAkCdtKawukAEWGxoTezNGg
+
+█████████████████████████████████████░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 50% mondoo-appliance
+```
+
+## Scan vSphere and ESXi using cnspec
+
+Scan vSphere API, ESXi, and VMs
+
+```bash
+cnspec scan vsphere mondoo-read@vsphere.local@192.168.51.134 --ask-pass --discover auto
+```
+
+:::info
+
+The `--discover auto` option will automatically discover all ESXi hosts and the vCenter.
+
+:::
+
+Scan vSphere API, ESXi, and VMs
+
+```bash
+cnspec scan vsphere mondoo-read@vsphere.local@192.168.51.134 --ask-pass --discover all
+```
+
+:::info
+
+The `--discover all` option automatically discovers all ESXi hosts and VMs.
+
+:::
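Review bot: In the "cnspec inventory YAML with encrypted file vault" section, the final `inventory.yml` keeps `password: changeme` under `vault.options` right next to `path: /etc/opt/mondoo/vault.enc`, so anyone who can read the inventory can also decrypt the vault. The page should state the owner and file mode expected on `/etc/opt/mondoo/inventory.yml` and `vault.enc`, and tell readers to replace `changeme`. The same section says to run the commands as the `mondoo` user, but writes under `/etc/opt/mondoo` and ends with `systemctl restart cnspec` without `sudo`, unlike the earlier `sudo systemctl restart cnspec`. Several examples put secrets on the command line (`cnspec vault add-secret vcenter '{ ... "password": "password" }'`, `--password changeme`, `--option guestPassword='changeme'`), where they land in shell history and the process list; the later examples already use `--ask-pass`, so a sentence pointing readers to that form would help. `insecure: true` and `--insecure` appear with no explanation of what verification they turn off. Smaller points: both closing examples carry the identical lead-in "Scan vSphere API, ESXi, and VMs" although the info boxes describe different discovery scopes for `--discover auto` and `--discover all`, and "get check if" should read "check if".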
diff --git a/docs/platform/infra/networking/_category_.json b/docs/platform/infra/networking/_category_.json
new file mode 100644
index 000000000..634387b95
--- /dev/null
+++ b/docs/platform/infra/networking/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Networking",
+ "position": 4
+}
diff --git a/docs/platform/infra/networking/domain-ip.mdx b/docs/platform/infra/networking/domain-ip.mdx
new file mode 100644
index 000000000..d44db8bb0
--- /dev/null
+++ b/docs/platform/infra/networking/domain-ip.mdx
@@ -0,0 +1,32 @@
+---
+title: Secure a Host (Domain or IP Address)
+sidebar_label: Secure a Domain or IP Address
+sidebar_position: 2
+description: Use Mondoo to ensure that your HTTP or HTTPS hosts are secure
+---
+
+Mondoo can continuously scan a domain or IP address to ensure that your hosts follow best security practices. You can choose to monitor HTTP or HTTPS security.
+
+To set up continuous scanning for a host:
+
+1. Access the Integrations > Add > Domain or IP Address page in one of two ways:
+
+ - New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select **BROWSE INTEGRATIONS** and then select **Domain/IP Address**.
+
+ ![Welcome to Mondoo Page](/img/platform/start/welcome_to_mondoo.png)
+
+ - INTEGRATIONS page: In the side navigation bar, under **INTEGRATIONS**, select **Add New Integration**. Under Network Security, select **Domain/IP Address**.
+
+ ![Continuously scan domain or IP address](/img/platform/infra/networking/domain-ip.png)
+
+2. In the **Enter the domain or IP address to scan** box, enter the domain name (such as www.lunalectric.com) or IP address (such as 123.45.67.89) of the host to scan.
+
+3. Under **Select ports to scan** box, choose to scan for HTTP or HTTPS security.
+
+4. Select the **CREATE** button.
+
+5. On the Recommended Policies page, enable the policies on which you want to base scans of the host. To learn more, read [Manage Policies](/platform/security/posture/policies/).
+
+6. To complete the integration, select the **FINALIZE SETUP** button.
+
+---
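Review bot: In step 2, the example address `123.45.67.89` is a publicly routable IP that belongs to someone else; readers copy examples verbatim, so use an address from a documentation range such as `192.0.2.10` (RFC 5737). Step 3 reads "Under **Select ports to scan** box", which should be either "Under **Select ports to scan**" or "In the **Select ports to scan** box". The page also closes with a bare `---` after the last step, which renders as a stray horizontal rule unless that is intended.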
diff --git a/docs/platform/infra/networking/overview.mdx b/docs/platform/infra/networking/overview.mdx
new file mode 100644
index 000000000..81a512758
--- /dev/null
+++ b/docs/platform/infra/networking/overview.mdx
@@ -0,0 +1,14 @@
+---
+title: Overview of Networking Security with Mondoo
+sidebar_label: Overview
+sidebar_position: 1
+description: Secure your network with Mondoo
+---
+
+Mondoo's continuous scanning ensures that you follow best networking security practices:
+
+- [Monitor host security by continuously scanning a domain or IP address](/platform/infra/networking/domain-ip)
+
+Stay tuned for more networking security capabilities coming soon!
+
+---
diff --git a/docs/platform/infra/opsys/_category_.json b/docs/platform/infra/opsys/_category_.json
new file mode 100644
index 000000000..3de0ec203
--- /dev/null
+++ b/docs/platform/infra/opsys/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Servers and Endpoints",
+ "position": 5
+}
diff --git a/docs/platform/infra/opsys/automation/_automation-providers-note.mdx b/docs/platform/infra/opsys/automation/_automation-providers-note.mdx
new file mode 100644
index 000000000..87e69b796
--- /dev/null
+++ b/docs/platform/infra/opsys/automation/_automation-providers-note.mdx
@@ -0,0 +1,5 @@
+:::note
+
+If you deploy cnspec to machines that can't download and install updates (because they're air-gapped or don't give cnspec write access), you must deploy cnspec providers. To learn more, read [Manage cnspec Providers](/cnspec/cnspec-adv-install/providers/).
+
+:::
diff --git a/docs/platform/infra/opsys/automation/_category_.json b/docs/platform/infra/opsys/automation/_category_.json
new file mode 100644
index 000000000..939696f30
--- /dev/null
+++ b/docs/platform/infra/opsys/automation/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Deployment Automation",
+ "position": 4
+}
diff --git a/docs/platform/infra/opsys/automation/ansible.md b/docs/platform/infra/opsys/automation/ansible.md
new file mode 100644
index 000000000..3f6e66c87
--- /dev/null
+++ b/docs/platform/infra/opsys/automation/ansible.md
@@ -0,0 +1,527 @@
+---
+title: Ansible and Mondoo
+sidebar_label: Ansible
+sidebar_position: 2
+description: How to use Ansible with Mondoo to scan your Windows and a Linux hosts for security misconfigurations and vulnerabilities.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+Mondoo works seamlessly with configuration management tools in the DevOps ecosystem. For businesses already using Ansible to automate their environments, there are two primary ways to use Mondoo and Ansible together:
+
+[**Continuously assess host configuration**](#continuous-configuration-assessments-with-mondoo-and-ansible)
+
+Use Ansible to:
+
+- Install and configure [cnspec](/platform/infra/opsys/mondoo-cnspec/) on supported Linux and Windows hosts
+
+- Register hosts with Mondoo Platform
+
+- Configure hosts to continuously scan with Mondoo policies and report scan results to Mondoo Platform
+
+[**Scan Ansible inventories on demand**](#on-demand-scanning-of-ansible-inventories)
+
+Perform on-demand scans of Ansible inventories without installing cnspec as a service on the host.
+
+Hosts from your Ansible inventory authenticate with your Mondoo Platform account so that cnspec can retrieve policies you've enabled. cnspec sends scan results from the host to Mondoo Platform, where you can see asset scores and reports.
+
+
+import Partial from "./_automation-providers-note.mdx";
+
+{" "}
+
+## Requirements
+
+- In your Mondoo Platform account, enable all the policies you want to run against your Ansible inventory. To learn how to enable policies, read [Monitor Your Infrastructure Security](/platform/security/posture/monitor).
+
+- You must have root or administrator access for each host in the Ansible inventory you want to scan.
+
+- You must have Ansible installed on your workstation. For installation instructions, read the Ansible documentation.
+
+- All hosts in your inventory must allow outbound traffic on port 443 (HTTPS) to Mondoo Platform at `https://us.api.mondoo.com:443` (IP address `34.98.71.94`) to send results to your account.
+
+## Continuous configuration assessments with Mondoo and Ansible
+
+Use Ansible to install and configure cnspec on supported Linux and Windows hosts so that Mondoo runs continuously as a service.
+
+Mondoo maintains and publishes an official Mondoo/cnspec Role, which is available on Ansible Galaxy. The code for the role is open source and available in our GitHub repo.
+
+Our Ansible Role lets you:
+
+- Install cnspec on supported Linux and Windows hosts
+
+- Register host on Mondoo Platform
+
+- Configure cnspec to run as a service at system startup
+
+- Run continuous security assessments of the host
+
+Once configured, cnspec authenticates with Mondoo Platform every 60 minutes, running every policy enabled in the registry. It sends results from the scan to Mondoo Platform so you can see the generated scores and reports in the Mondoo Console.
+
+### Hands-on: Continuous configuration assessments with Mondoo & Ansible
+
+> This section provides a hands-on guide for using the Mondoo Ansible role.
+
+This guide covers how to set up continuous configuration assessments on Linux and Windows hosts with Ansible. After completing this guide, you will have an Ansible inventory running cnspec as a service, registered with your Mondoo Platform account, running policy scans, and reporting the findings to Mondoo Platform.
+
+#### Step 1: Generate a registration token
+
+The Mondoo Ansible role provides a `registration_token` variable to specify a Mondoo registration token to use to register the client with Mondoo Platform.
+
+1. In the [Mondoo Console](https://console.mondoo.com) navigate to the **INTEGRATIONS** page.
+
+2. Select "Add Another Integration".
+
+3. Select **Workstation**.
+
+:::info
+
+By default, tokens expire every 600 seconds, but expiration time can be extended by selecting **Token Options** and setting the expiration time (max: 86400 seconds).
+
+:::
+
+3. Copy the registration token to the clipboard.
+
+#### Step 2: Install Mondoo role and create playbook
+
+Next you must install the Mondoo Ansible role from Ansible Galaxy on your local workstation, and create an Ansible playbook to call that role on your inventory.
+
+1. Download the Ansible Mondoo role on your workstation:
+
+ ```bash title="Download Mondoo role on your workstation"
+ ansible-galaxy install mondoo.client
+ ```
+
+2. Create a `playbook.yaml` file to run the Ansible Mondoo role on your inventory of hosts. You must update the `registration_token` value with your registration token from _Step 1: Generate a registration token_ above. This example has both Linux and Windows hosts, and should be updated accordingly if only using one platform or another:
+
+ ```yaml title="Example playbook.yml"
+ ---
+ - hosts: mondoo_linux_clients
+ become: yes
+ roles:
+ - role: mondoo.client
+ vars:
+ registration_token: "PASTE MONDOO REGISTRATION TOKEN"
+
+ - hosts: mondoo_windows_clients
+ roles:
+ - role: mondoo.client
+ vars:
+ registration_token: "PASTE MONDOO REGISTRATION TOKEN"
+ force_registration: false
+ ```
+
+3. Save the `playbook.yaml` file.
+
+#### Step 3: Run Ansible
+
+You should already have a `hosts.ini` file with your Ansible inventory. This is an example `hosts.ini` with both Linux and Windows hosts:
+
+```ini title="EXAMPLE hosts.ini"
+
+# Linux Hosts
+[mondoo_linux_clients]
+3.92.154.110 ansible_user=admin
+3.95.154.111 ansible_user=ec2-user
+3.82.22.136 ansible_user=ec2-user
+54.211.122.215 ansible_user=ec2-user
+54.209.155.66 ansible_user=ubuntu
+54.146.154.182 ansible_user=ubuntu
+
+# Windows Hosts
+[mondoo_windows_clients]
+# Windows Hosts WinRM
+3.85.201.162 ansible_port=5986 ansible_connection=winrm ansible_user=Administrator ansible_password=changeme ansible_shell_type=powershell ansible_winrm_server_cert_validation=ignore
+54.66.89.204 ansible_port=5986 ansible_connection=winrm ansible_user=Administrator ansible_password=changeme ansible_shell_type=powershell ansible_winrm_server_cert_validation=ignore
+# Windows Hosts SSH
+3.235.247.76 ansible_port=22 ansible_connection=ssh ansible_user=Administrator ansible_password=changeme ansible_shell_type=cmd
+```
+
+Run Ansible against your inventory:
+
+```bash title="Run Ansible against existing inventory"
+ansible-playbook -i hosts.ini playbook.yml
+```
+
+#### Step 4: View scan reports in the Mondoo Console
+
+Once Ansible runs the `playbook.yaml` against your inventory, you can view the scan results in Mondoo Platform.
+
+1. In the [Mondoo Console](https://console.mondoo.com) navigate to the **INVENTORY** page.
+
+2. All servers should now be reporting in and have received an asset score for the policies executed.
+
+3. To view the policies that ran on a given asset, and detailed information, select an asset in the list.
+ ![Ansible asset details in Mondoo Platform](/img/platform/infra/opsys/automation/ansible_asset_details.png)
+
+This view shows each policy that ran against an asset, and the individual score for each policy. Select any policy in the list to view the results from each query.
+
+:::info
+
+To learn more about how Mondoo generates asset scores, read [Manage Policies](/platform/security/posture/overview).
+
+:::
+
+#### You're done!
+
+cnspec is now running as a service on your Ansible inventory. It will continue to scan your assets every 60 minutes and report findings back to your account.
+
+## On-demand scanning of Ansible inventories
+
+> This section covers how to use cnspec for on-demand scans of Ansible inventories without needing to install and configure cnspec as a service on the host.
+
+While you can easily configure Mondoo's cnspec to run as a service to continuously scan your infrastructure, there may be times when you just want to scan an Ansible inventory without having to install and configure cnspec on your infrastructure.
+
+Mondoo supports on-demand scanning of an Ansible inventory in two ways:
+
+- **Run cnspec scan --ansible-inventory** - Use the `cnspec scan --ansible-inventory` command to parse the output of `ansible-inventory -i --list` command, and scan with Mondoo.
+- **Run cnspec scan as an Ansible Task** - Create an Ansible task to scan your infrastructure.
+
+With both of the scenarios above, your assets:
+
+1. Authenticates with your Mondoo Platform account using the cnspec configuration on your local workstation
+
+2. Run any policies enabled in that space
+
+3. Report the results back to Mondoo Platform so you can view reports and asset scores for all assets in the Mondoo Console
+
+With these approaches, Mondoo doesn't install anything on your infrastructure. Every time you want to see fresh results, you must scan the assets.
+
+The next section provides hands-on tutorials for running both on-demand scenarios.
+
+### On-demand scan of Ansible inventory with cnspec scan --ansible-inventory
+
+This section is a hands-on guide on how to trigger an on-demand scan of an Ansible inventory. When you finish, you will have fresh asset scores and reports for all of your Ansible inventory in your Mondoo Platform account.
+
+:::caution
+
+Because on-demand scans of Ansible inventories run serially, we don't recommend them for large inventories. If you want to run on-demand scans that execute in parallel, please reach out to us in the [Mondoo Community Slack](https://mondoo.link/slack) channel.
+
+:::
+
+#### Step 1: Set up or validate your Ansible inventory
+
+An Ansible inventory is a list of hosts that is mostly stored in the two common formats `ini` and `yaml`. These examples illustrate their structure. The ini format allows grouping and easy configuration of additional properties.
+
+```ini title="Example hosts.ini"
+[workers]
+34.243.41.251 ansible_user=ec2-user
+instance1 ansible_host=18.203.250.158 ansible_user=ubuntu
+```
+
+The same structure in yaml:
+
+```yaml title="Example hosts.yml"
+all:
+ children:
+ ungrouped: {}
+ workers:
+ hosts:
+ 34.243.41.251:
+ ansible_user: ec2-user
+ instance1:
+ ansible_host: 18.203.250.158
+ ansible_user: ubuntu
+```
+
+You can validate connectivity with the Ansible inventory by running this command:
+
+```bash title="Ping Ansible inventory"
+ansible all -i hosts.ini -m ping
+```
+
+**Example output**
+
+```
+instance1 | SUCCESS => {
+ "ansible_facts": {
+ "discovered_interpreter_python": "/usr/bin/python"
+ },
+ "changed": false,
+ "ping": "pong"
+}
+34.243.41.251 | SUCCESS => {
+ "ansible_facts": {
+ "discovered_interpreter_python": "/usr/bin/python"
+ },
+ "changed": false,
+ "ping": "pong"
+}
+```
+
+#### Step 2: Scan the Ansible inventory
+
+cnspec provides the `cnspec scan --ansible-inventory` command to scan existing Ansible inventories. There are two main ways to use this command.
+
+##### Option 1: Pipe the Ansible inventory to cnspec scan
+
+The first option if you are using a shell such as `bash` or `zsh` that supports `|` redirects is to pipe the outputs of the `ansible-inventory -i hosts.ini --list` command to `cnspec scan --ansible-inventory`.
+
+```bash title="Pipe the contents of an Ansible inventory to the cnspec scan --ansible-inventory command"
+ansible-inventory -i hosts.ini --list | cnspec scan --inventory-file - --ansible-inventory --insecure
+```
+
+:::info
+
+Use the `--insecure` flag for:
+
+- Hosts that have not been added to `~/.ssh/known_hosts`
+
+- Windows WinRM using self-signed certificates
+
+:::
+
+##### Option 2: Scan Ansible inventory hosts.json
+
+If your shell does not support pipes, you can generate a `hosts.json` from the `ansible-inventory` command and then pass that file to `cnspec scan` using the `--inventory` flag.
+
+```bash title="Generate hosts.json and scan with cnspec scan command"
+ansible-inventory -i hosts.ini --list > hosts.json
+cnspec scan --inventory-file hosts.json --ansible-inventory
+```
+
+Both cnspec and the Mondoo Console show results from each policy that runs against your assets.
+
+**Example shell output**
+
+```
+Checks:
+✓ Pass: Ensure no known platform advisories exist
+✓ Pass: Ensure talk server is stopped and not enabled
+✓ Pass: Ensure SNMP server is stopped and not enabled
+. Skipped: Ensure secure permissions on /etc/passwd- are set
+✓ Pass: Ensure no duplicate UIDs exist
+✕ Fail: C 40 Ensure rsyslog is installed
+✕ Fail: F 0 Ensure broadcast ICMP requests are ignored
+✓ Pass: Ensure rsync service is stopped and not enabled
+. Skipped: Ensure secure permissions on /etc/gshadow- are set
+. Skipped: Ensure journald is configured to send logs to rsyslog
+✓ Pass: Ensure secure permissions on /etc/group are set
+✓ Pass: Ensure LDAP server is stopped and not enabled
+✕ Fail: D 20 Ensure events that modify the system's Mandatory Access Controls are collected
+✓ Pass: Ensure Samba is stopped and not enabled
+✕ Fail: F 0 Ensure TCP SYN Cookies is enabled
+✕ Fail: F 0 Ensure source routed packets are not accepted
+✓ Pass: Ensure Avahi server is stopped and not enabled
+✓ Pass: Ensure DHCP server is stopped and not enabled
+✕ Fail: D 20 Ensure session initiation information is collected
+✓ Pass: Ensure default group for the root account is GID 0
+✓ Pass: Ensure HTTP servers are stopped and not enabled
+✕ Fail: D 20 Ensure login and logout events are collected
+✓ Pass: Ensure secure permissions on /etc/gshadow are set
+. Skipped: Ensure journald is configured to write logfiles to persistent disk
+✓ Pass: Platform is not end-of-life
+✓ Pass: Ensure UID_MIN is set to 1000
+. Skipped: Ensure secure permissions on /etc/group- are set
+✕ Fail: D 20 Ensure auditd is installed
+✕ Fail: D 20 Ensure events that modify user/group information are collected
+✕ Fail: D 20 Ensure changes to system administration scope (sudoers) is collected
+✕ Fail: C 40 Ensure Advanced Intrusion Detection Environment (AIDE) is installed
+✕ Fail: C 40 Ensure IP forwarding is disabled
+✕ Fail: D 20 Ensure audit log storage size is configured
+✕ Fail: F 0 Ensure packet redirect sending is disabled
+✓ Pass: Ensure tftp server is stopped and not enabled
+✕ Fail: F 0 Ensure ICMP redirects are not accepted
+✓ Pass: Ensure secure permissions on /etc/passwd are set
+✓ Pass: Ensure IMAP and POP3 server is stopped and not enabled
+✓ Pass: Ensure no duplicate user names exist
+✕ Fail: D 20 Ensure system administrator actions (sudolog) are collected
+✓ Pass: Ensure all GIDs in /etc/passwd exist in /etc/group
+✓ Pass: Ensure telnet server is stopped and not enabled
+✓ Pass: Ensure FTP server is stopped and not enabled
+✓ Pass: Ensure rsh server is stopped and not enabled
+✕ Fail: D 20 Ensure kernel module loading and unloading is collected
+✓ Pass: Ensure no duplicate group names exist
+✓ Pass: Ensure secure permissions on /etc/shadow are set
+✓ Pass: Ensure system accounts are non-login
+✕ Fail: D 20 Ensure unsuccessful unauthorized file access attempts are collected
+✕ Fail: F 0 Ensure address space layout randomization (ASLR) is enabled
+✕ Fail: C 40 Ensure rsyslog Service is enabled
+. Skipped: Ensure journald is configured to compress large log files
+✕ Fail: D 20 Ensure events that modify date and time information are collected
+✓ Pass: Ensure NIS server is stopped and not enabled
+. Skipped: Ensure secure permissions on /etc/shadow- are set
+✓ Pass: Ensure root group is empty
+✕ Fail: D 20 Ensure the audit configuration is immutable
+✓ Pass: Ensure no duplicate GIDs exist
+✓ Pass: Ensure X Window System is not installed
+✕ Fail: D 20 Ensure events that modify the system's network environment are collected
+✕ Fail: D 20 Ensure discretionary access control permission modification events are collected
+✓ Pass: Ensure no known platform CVEs exist
+✕ Fail: F 0 Ensure access to the su command is restricted
+✕ Fail: C 40 Ensure system is disabled when audit logs are full
+✕ Fail: F 0 Ensure IPv6 router advertisements are not accepted
+! Error: Ensure mail transfer agent is configured for local-only mode
+✕ Fail: F 0 Ensure secure ICMP redirects are not accepted
+✕ Fail: D 20 Ensure file deletion events by users are collected
+✕ Fail: F 0 Ensure Reverse Path Filtering is enabled
+✕ Fail: F 0 Ensure core dumps are restricted
+! Error: Ensure filesystem integrity is regularly checked
+! Error: Ensure sudo logging is enabled
+✓ Pass: Ensure prelink is disabled
+✕ Fail: D 20 Ensure secure permissions on all log files are set
+✓ Pass: Ensure CUPS is stopped and not enabled
+✓ Pass: Ensure HTTP Proxy server is stopped and not enabled
+✕ Fail: D 20 Ensure suspicious packets are logged
+✓ Pass: Ensure each user is a member of a group
+✓ Pass: Ensure NFS and RPC are stopped and not enabled
+✓ Pass: Ensure DNS server is stopped and not enabled
+✕ Fail: F 0 Ensure bogus ICMP responses are ignored
+✓ Pass: Ensure shadow group is empty
+✕ Fail: C 40 Ensure rsyslog default file permissions configured
+. Skipped: Ensure auditing for processes that start prior to auditd is enabled
+✕ Fail: D 20 Ensure auditd service is enabled
+✕ Fail: Ensure the platform is not End-of-Life
+✕ Fail: Ensure audit logs are not automatically deleted
+✕ Fail: D 20 Ensure successful file system mounts are collected
+
+Vulnerabilities:
+■ No advisories found (passed)
+
+Overall CVSS score: 0.0
+
+Scanned 1 assets
+
+Ubuntu 18.04.6 LTS
+ C mysystem.internal.dmz
+
+For detailed output, run this scan with "-o full".
+
+See more scan results and asset relationships on the Mondoo Console: https://console.mondoo.com/space/inventory/12ejfpX1SbxfrNf6bq8f8gCCgMb?spaceId=ansible-hosts
+```
+
+#### Step 3: View scan reports in the Mondoo Console
+
+Once Ansible completes, scan results are sent to Mondoo Platform so you can see the generated scores and reports in the Mondoo Console..
+
+To view the reports in the Mondoo Console:
+
+1. In the [Mondoo Console](https://console.mondoo.com) navigate to the **INVENTORY** page.
+2. All servers should now be reporting in and have received a asset score for the policies executed.
+3. To view the policies that ran on a given asset, and detailed information, select an asset in the list.
+ ![Ansible asset details in Mondoo Platform](/img/platform/infra/opsys/automation/ansible_asset_details.png)
+
+This view shows each policy that ran against an asset, and the individual score for each policy. Select any policy in the list to view the results from each query.
+
+We rely on [ansible-inventory](https://docs.ansible.com/ansible/latest/cli/ansible-inventory.html) command to be able to support various inventory formats and to be able to re-use [dynamic inventory](https://docs.ansible.com/ansible/latest/user_guide/intro_dynamic_inventory.html) too. This command outputs a standardized format independently if a `ini` or `yaml` inventory is used.
+
+:::info
+
+Note: At this point, we do not support group [patterns](https://docs.ansible.com/ansible/latest/user_guide/intro_patterns.html). If you need additional support, please do not hesitate to contact us.
+
+:::
+
+### Hands-On: On-demand scan of Ansible inventory using an Ansible task
+
+As an alternative, you can use the `cnspec scan` command in an Ansible task. Mondoo uses the ssh-agent so you do not need to set up additional credentials configuration.
+
+#### Step 1: Set up or validate your Ansible Inventory
+
+An Ansible inventory is a list of hosts that is mostly stored in the two common formats `ini` and `yaml`. These examples illustrate their structure. The ini format allows grouping and easy configuration of additional properties.
+
+```ini title="Example hosts.ini"
+[workers]
+34.243.41.251 ansible_user=ec2-user
+instance1 ansible_host=18.203.250.158 ansible_user=ubuntu
+```
+
+The same structure in yaml:
+
+```yaml title="Example hosts.yml"
+all:
+ children:
+ ungrouped: {}
+ workers:
+ hosts:
+ 34.243.41.251:
+ ansible_user: ec2-user
+ instance1:
+ ansible_host: 18.203.250.158
+ ansible_user: ubuntu
+```
+
+You can validate connectivity with the Ansible inventory by running this command:
+
+```bash title="Ping Ansible inventory"
+ansible all -i hosts.ini -m ping
+```
+
+**Example output**
+
+```
+instance1 | SUCCESS => {
+ "ansible_facts": {
+ "discovered_interpreter_python": "/usr/bin/python"
+ },
+ "changed": false,
+ "ping": "pong"
+}
+34.243.41.251 | SUCCESS => {
+ "ansible_facts": {
+ "discovered_interpreter_python": "/usr/bin/python"
+ },
+ "changed": false,
+ "ping": "pong"
+}
+```
+
+#### Step 2: Set up playbook.yaml to run cnspec scan
+
+Next, you must create a playbook to run the `cnspec scan` against your inventory. This is an example `playbook.yaml` used to execute `cnspec scan` locally with a playbook against Linux hosts:
+
+```yaml title="Example playbook.yml for executing cnspec scan against Linux hosts"
+---
+- hosts: all
+ gather_facts: no
+ tasks:
+ - name: add key to ssh-agent
+ local_action: ansible.builtin.command ssh-agent
+ run_once: true
+ - name: add key to ssh-agent
+ # activate rsa key if that is used
+ # local_action: command ssh-agent ssh-add ~/.ssh/id_rsa
+ local_action: ansible.builtin.command ssh-add ~/.ssh/id_ed25519
+ run_once: true
+ - name: run cnspec scan for target destination
+ local_action: ansible.builtin.command cnspec scan --insecure --score-threshold 0 ssh {{ ansible_user }}@{{ inventory_hostname }}
+```
+
+Be sure to save the file.
+
+#### Step 3: Run Ansible
+
+Run the playbook with this command:
+
+```bash title="Command Line"
+ansible-playbook -i hosts.ini playbook.yml
+```
+
+:::info
+
+Use the `--insecure` flag for:
+
+- Hosts that have not been added to `~/.ssh/known_hosts`
+
+- Windows WinRM using self-signed certificates
+
+:::
+
+#### Step 4: View scan reports in the Mondoo Console
+
+Once Ansible completes, scan results are sent to Mondoo Platform so you can view asset scores and reports for all assets scanned in the Mondoo Console.
+
+To view the reports in the Mondoo Console:
+
+1. In the [Mondoo Console](https://console.mondoo.com) navigate to the **INVENTORY** page.
+
+2. All servers should now be reporting in and have received an asset score for the policies executed.
+
+3. To view the policies that ran on a given asset, and detailed information, select an asset in the list.
+ ![Ansible asset details in Mondoo Platform](/img/platform/infra/opsys/automation/ansible_asset_details.png)
+
+This view shows each policy that ran against an asset, as well as the individual score for each policy. Select any policy in the list to view the results from each query.
+
+:::info
+
+To learn more about how Mondoo scores assets, read [Score Policies](/cnspec/cnspec-policies/write/policy-scoring/).
+
+:::
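Review bot: In the example playbook, the scan task targets `{{ ansible_user }}@{{ inventory_hostname }}`, so for the `instance1` entry in the sample inventory it connects to `ubuntu@instance1` and ignores `ansible_host: 18.203.250.158`; use `{{ ansible_host | default(inventory_hostname) }}` so the address from the inventory is honored. The same task hardcodes `--insecure`, while the info box limits that flag to hosts missing from `~/.ssh/known_hosts` and WinRM with self-signed certificates; drop it from the default command and state that it turns off host verification so readers add it knowingly. Smaller points: both ssh-agent tasks share the name "add key to ssh-agent", the first one starts a new agent whose environment is not passed on to the later tasks, and the file is called `playbook.yaml` in the heading and prose but `playbook.yml` in the code title and the run command (likewise `hosts.yml` versus `hosts.ini`).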
diff --git a/docs/platform/infra/opsys/automation/chef.md b/docs/platform/infra/opsys/automation/chef.md
new file mode 100644
index 000000000..6e8959b9a
--- /dev/null
+++ b/docs/platform/infra/opsys/automation/chef.md
@@ -0,0 +1,33 @@
+---
+title: Chef Infra and Mondoo
+sidebar_label: Chef Infra
+sidebar_position: 3
+description: This page covers how to use Chef Infra with Mondoo to install cnspec on hosts to run policies as code.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+This page covers how to use Chef Infra to install cnspec on hosts to run policies as code.
+
+
+import Partial from "./_automation-providers-note.mdx";
+
+{" "}
+
+## Installing using Chef Infra
+
+We publish an official [mondoo cookbook](https://supermarket.chef.io/cookbooks/mondoo) on Chef Supermarket. You can use the cookbook in your own [wrapper cookbooks](https://www.chef.io/blog/writing-wrapper-cookbooks) or [Chef Infra roles](https://www.digitalocean.com/community/tutorials/how-to-use-roles-and-environments-in-chef-to-control-server-configurations)
+
+To apply the cookbook, set the Mondoo Registration Token via:
+
+```bash title="Command Line"
+default['cnspec']['registration_token'] = "changeme"
+```
+
+## Example: Apply a cookbook to an Amazon EC2 instance
+
+1. Spin up a new Linux instance on [AWS](https://console.aws.amazon.com/console/home)
+2. Create the `run` wrapper cookbook as documented in our [example](https://github.com/mondoohq/chef-mondoo/tree/main/examples)
+3. Run `chef-run ssh://user@host ./run`
+4. All instances [reported their vulnerability status](https://console.mondoo.com/)
+
+---
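Review bot: The registration token snippet `default['cnspec']['registration_token'] = "changeme"` is a Chef attribute written in Ruby, but it is fenced as `bash` with the title "Command Line"; tag it `ruby` and say which file it belongs in, for example the wrapper cookbook's attributes file. Because this value is a credential, add a sentence pointing readers to an encrypted source such as an encrypted data bag rather than a literal in a cookbook that gets committed. Step 4 of the EC2 example ("All instances reported their vulnerability status") reads as an outcome, not an instruction, and the sentence introducing the cookbook is missing its closing period.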
diff --git a/docs/platform/infra/opsys/automation/cloudinit.md b/docs/platform/infra/opsys/automation/cloudinit.md
new file mode 100644
index 000000000..9a00e1897
--- /dev/null
+++ b/docs/platform/infra/opsys/automation/cloudinit.md
@@ -0,0 +1,59 @@
+---
+title: cloud-init and Mondoo
+sidebar_label: cloud-init
+sidebar_position: 4
+description: This page covers how to use cloud-init to install cnspec on hosts to run policies as code.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+This page covers how to use cloud-init to install cnspec on hosts to run policies as code.
+
+
+import Partial from "./_automation-providers-note.mdx";
+
+{" "}
+
+## Installing cnspec using cloud-init
+
+Most cloud environments support the configuration of an operating system during launch. In most cases [cloud-init](https://cloudinit.readthedocs.io/en/latest/) is used. For Linux systems, cloud-init supports bash scripts.
+
+We simply leverage the Mondoo [Bash installer script](/cnspec/cnspec-adv-install/linux.mdx) for cloud-init. To deploy agents with cloud-init, get an registration token via [Mondoo Console](https://console.mondoo.com/) -> Select Space -> Agents -> New Agent (➕Icon in action menu) and paste it into this snippet:
+
+```bash title="Command Line"
+#!/bin/bash
+export MONDOO_REGISTRATION_TOKEN='ey..gg'
+bash -c "$(curl -sSL https://install.mondoo.com/sh)"
+```
+
+Once the machine is ready, the first scan will be performed about 30 seconds after the machine booted up.
+
+## Examples
+
+### AWS EC2 instance user data
+
+1. Save the snippet shown above to `mondoo-cloudinit.sh` and paste in your registration token:
+
+ ```bash title="Command Line"
+ cat > mondoo-cloudinit.sh << EOF
+ #!/bin/bash
+ export MONDOO_REGISTRATION_TOKEN='eyJhbG..bn'
+ bash -c "$(curl -sSL https://install.mondoo.com/sh)"
+ EOF
+ ```
+
+2. Launch a new instance
+
+ ```bash title="Command Line"
+ # Note: you need to adapt the image-id, security-group-ids, key-name to your region and account
+ aws ec2 run-instances --region us-east-1 --image-id ami-0ad82a384c06c911e --security-group-ids sg-903004f8 --count 1 --instance-type t2.micro --key-name suki --user-data file://mondoo-cloudinit.sh
+ ```
+
+![Installing cnspec via cloudinit](/videos/mondoo-ec2-cloudinit-cli.gif)
+
+You can see the results of the vulnerability scan in your Mondoo Console once the installation is complete:
+
+![See agent in console](/img/platform/infra/cloud/aws/aws_instance_results.png)
+
+Once the machine is up and running, it will report vulnerabilities to Mondoo automatically. Further documentation for the AWS CLI is available at [Launch, List, and Terminate Amazon EC2 Instances](https://docs.aws.amazon.com/cli/latest/userguide/cli-services-ec2-instances.html) and [Running Commands on Your Linux Instance at Launch](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html)
+
+In case of troubleshooting, have a look at the `/var/log/cloud-init-output.log` to see the cloudinit run output.
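Review bot: In step 1 of the EC2 example the heredoc delimiter is unquoted (`cat > mondoo-cloudinit.sh << EOF`), so the shell expands `$(curl -sSL https://install.mondoo.com/sh)` while writing the file and the downloaded installer text ends up pasted into `mondoo-cloudinit.sh` in place of the `curl` command; quote the delimiter (`<< 'EOF'`) so the file contains the snippet as shown above. The page should also carry a caveat that the registration token placed in EC2 user data is stored unencrypted and can be read from inside the instance, with a sentence on limiting how long that token stays valid. Wording: "an registration token" should be "a registration token", and "cloudinit" in the last paragraph and image caption should match "cloud-init" used elsewhere.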
diff --git a/docs/platform/infra/opsys/automation/overview.mdx b/docs/platform/infra/opsys/automation/overview.mdx
new file mode 100644
index 000000000..24347b936
--- /dev/null
+++ b/docs/platform/infra/opsys/automation/overview.mdx
@@ -0,0 +1,22 @@
+---
+title: Overview of Secure Deployment Automation with Mondoo
+sidebar_label: Overview
+sidebar_position: 1
+description: Securely deploy servers and endpoints with Mondoo
+---
+
+Choose a deployment automation tool:
+
+- [Ansible](/platform/infra/opsys/automation/ansible/)
+
+- [Chef Infra](/platform/infra/opsys/automation/chef/)
+
+- [cloud-init](/platform/infra/opsys/automation/cloudinit/)
+
+Learn about [managing secrets](/platform/infra/opsys/automation/vault/).
+
+#### Get help
+
+Can't find what you need? Join our community Slack channel to chat with us and other Mondoo users.
+
+---
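Review bot: The "Get help" paragraph tells readers to join the community Slack channel but gives no link; add the invite URL so the sentence is actionable. The title promises "Secure Deployment Automation" while the body is only a list of tools, so consider one sentence on what the section covers before "Choose a deployment automation tool:".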
diff --git a/docs/platform/infra/opsys/automation/vault.md b/docs/platform/infra/opsys/automation/vault.md
new file mode 100644
index 000000000..5bdf23000
--- /dev/null
+++ b/docs/platform/infra/opsys/automation/vault.md
@@ -0,0 +1,112 @@
+---
+title: Secrets Management
+sidebar_label: Secrets Management
+sidebar_position: 5
+description: Learn how you can use secrets managers such as HashiCorp Vault, Google Cloud Secrets Manager, and AWS Secrets Manager with Mondoo.
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+In order to facilitate SSH scanning to a fleet of instances, Mondoo integrates with several vault systems:
+
+- AWS Secrets Manager
+- AWS SSM Parameter Store
+- Google Cloud Secrets Manager
+- HashiCorp Vault
+- macOS Keychain
+- Windows credential store
+- SystemD Secret Service
+- Encrypted File
+
+### HashiCorp Vault
+
+Write a secret to the Create vault secret:
+
+```bash
+vault kv put secret/vcenter/mondoo-read password="< password >" type="password" user="mondoo-read@vsphere.local"
+```
+
+Create an inventory yaml file with HashiCorp Vault:
+
+```yaml title=inventory.yml
+apiVersion: v1
+kind: Inventory
+metadata:
+ name: mondoo-inventory
+ labels:
+ environment: production
+spec:
+ assets:
+ - name:
+ connections:
+ - type: vsphere
+ host: < ip of the ESXi or vCenter >
+ insecure: true
+ credentials:
+ - secret_id: vcenter/mondoo-read
+ discover:
+ targets:
+ - auto
+ annotations:
+ Owner: patrick@mondoo.com
+ vault:
+ name: cnspec-hashivault
+ type: hashicorp-vault
+ options:
+ url: < Url to vault >
+ token: < Token >
+```
+
+### Encrypted file
+
+Configure cnspec's vault to use the keyring `cnspec-client-vault` for secrets:
+
+```bash
+cnspec vault configure mondoo-client-vault --type encrypted-file --option=password='changeme' --option path='/etc/opt/mondoo/vault.enc'
+```
+
+This outputs the following configuration:
+
+```yaml
+spec:
+ vault:
+ name: mondoo-client-vault
+ options:
+ password: changeme
+ path: /etc/opt/mondoo/vault.enc
+ type: encrypted-file
+```
+
+Create an inventory yaml file with Linux Vault:
+
+```yaml title=/etc/opt/mondoo/inventory.yml
+apiVersion: v1
+kind: Inventory
+metadata:
+ name: cnspec-inventory
+ labels:
+ environment: production
+spec:
+ assets:
+ - name:
+ connections:
+ - type: vsphere
+ host: < ip of the ESXi or vCenter >
+ insecure: true
+ credentials:
+ - secret_id: vcenter
+ discover:
+ targets:
+ - auto
+ vault:
+ name: mondoo-client-vault
+ options:
+ password: changeme
+ path: /etc/opt/mondoo/vault.enc
+ type: encrypted-file
+```
+
+Add a secret for a VMware vSphere API to the encrypted file vault:
+
+```bash
+sudo cnspec vault add-secret vcenter '{ "type": "password", "user": "chris@vsphere.local", "password": "password" }' --inventory-file /etc/opt/mondoo/inventory.yml
+```
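Review bot: In the encrypted file section, both the `cnspec vault configure` command and the resulting inventory carry the vault password in cleartext (`--option=password='changeme'`, `password: changeme`), and the inventory sits in the same directory as `/etc/opt/mondoo/vault.enc`, so anyone who can read the inventory can open the vault; the page should say how to restrict the inventory file's permissions or how to supply the password without writing it there. The HashiCorp Vault inventory has the same problem with `token: < Token >`, and both `vault kv put ... password="< password >"` and `cnspec vault add-secret` place secrets on the command line where shell history records them. Text fixes: "Write a secret to the Create vault secret:" is garbled, the prose names the keyring `cnspec-client-vault` but the command configures `mondoo-client-vault`, "Create an inventory yaml file with Linux Vault" should refer to the encrypted file vault, `insecure: true` is set in both inventories without explanation, and `- name:` is left empty.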
diff --git a/docs/platform/infra/opsys/mondoo-cnspec.mdx b/docs/platform/infra/opsys/mondoo-cnspec.mdx
new file mode 100644
index 000000000..beed4d3b5
--- /dev/null
+++ b/docs/platform/infra/opsys/mondoo-cnspec.mdx
@@ -0,0 +1,91 @@
+---
+title: Mondoo and cnspec
+sidebar_label: Mondoo and cnspec
+sidebar_position: 2
+description: This page provides an overview of how cnspec works with Mondoo
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+[cnspec](/cnspec/cnspec-about/) is a core component of Mondoo Platform. Think of it as both the CLI for Mondoo and part of its engine. This cross-platform binary evaluates systems and exposes misconfigurations and vulnerabilities that put your organization at risk. It's what enables Mondoo to assess and secure the IT infrastructure that powers your critical business systems.
+
+You can invoke cnspec directly from the command line to assess the local host, perform agentless scans of remote assets, or remotely query IT infrastructure using MQL. It can also run automatically as a background service.
+
+When combined with Mondoo Platform's management capabilities, cnspec can continuously assess your business-critical systems according to the policies you apply. Mondoo reports any deviation from those policies so that you can take immediate action.
+
+```bash
+$ cnspec scan
+
+→ no provider specified, defaulting to local. Use --help to see all providers.
+→ loaded configuration from /Users/tsmith/.config/mondoo/mondoo.yml using source default
+→ using service account credentials
+→ discover related assets for 1 asset(s)
+→ synchronize assets
+
+ MacBook.localdomain ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score
+
+
+Asset: MacBook.localdomain
+----------------------------
+
+Data queries:
+asset.title: "macOS, bare metal"
+packages.list.length: 428
+title: "macOS, bare metal"
+asset: {
+ kind: "baremetal"
+ version: "14.0"
+ title: "macOS, bare metal"
+ arch: "arm64"
+ platform: "macos"
+ runtime: ""
+ name: "MacBook.localdomain"
+}
+
+Checks:
+✕ Fail: C 50 Ensure AirDrop Is Disabled
+✓ Pass: A 100 Disable Internet Sharing
+✓ Pass: A 100 Ensure automatic checking of software updates enabled
+✓ Pass: A 100 Enable security auditing
+✓ Pass: A 100 Disable Remote Login
+✓ Pass: A 100 Ensure automatic download of software updates enabled
+✓ Pass: A 100 Enable Firewall
+
+....
+
+Scanned 1 assets
+
+macOS
+ A MacBook.localdomain
+
+For detailed output, run this scan with "-o full".
+```
+
+## Communication matrix, IPs, and DNS names
+
+For Mondoo to function properly in your environment, these communications must be allowed.
+
+| From | To | Port |
+| ------------ | ------------------------------------------------- | --------- |
+| Command Line | Mondoo Backend (\*.api.mondoo.com) | https/443 |
+| Command Line | Mondoo Install Scripts (install.mondoo.com) | https/443 |
+| Command Line | Mondoo Package Repositories (releases.mondoo.com) | https/443 |
+| Your Browser | Mondoo Console (console.mondoo.com) | https/443 |
+
+DNS names and static IP addresses for Mondoo environment:
+
+| DNS name | IP-Address |
+| :------------------ | -------------- |
+| us.api.mondoo.com | 34.160.242.34 |
+| eu.api.mondoo.com | 34.102.168.217 |
+| releases.mondoo.com | 34.110.159.213 |
+| install.mondoo.com | 216.239.34.21 |
+| install.mondoo.com | 216.239.38.21 |
+| install.mondoo.com | 216.239.36.21 |
+| install.mondoo.com | 216.239.32.21 |
+
+### Learn more
+
+- To learn more about cnspec, read [What Is cnspec?](/cnspec/cnspec-about/).
+- To learn how to register cnspec, read [Register cnspec](/cnspec/cnspec-adv-install/registration/).
+
+---
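Review bot: The communication matrix allows `*.api.mondoo.com`, but the static IP table lists only `us.api.mondoo.com` and `eu.api.mondoo.com`, so a reader building an IP-based egress allowlist cannot tell whether those two entries cover the wildcard; state that explicitly and add a "last verified" date, since hardcoded addresses in docs go stale. The sample `cnspec scan` output is fenced as `bash` although only the first line is a command (use `text` or split the command from its output), and it shows a personal config path (`/Users/tsmith/.config/mondoo/mondoo.yml`) that could be replaced with a generic user name.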
diff --git a/docs/platform/infra/opsys/overview.mdx b/docs/platform/infra/opsys/overview.mdx
new file mode 100644
index 000000000..327f7af22
--- /dev/null
+++ b/docs/platform/infra/opsys/overview.mdx
@@ -0,0 +1,47 @@
+---
+title: Overview of Server and Endpoint Security with Mondoo
+sidebar_label: Overview
+id: osoverview
+sidebar_position: 1
+description: Secure your servers and endpoints with Mondoo
+---
+
+Mondoo secures the servers and endpoints that are the backbone of your business. Mondoo's cross-platform CLI, [cnspec](/cnspec/cnspec-about/), is a core Mondoo component that finds misconfigurations and vulnerabilities in Linux, macOS, and Windows assets. You install cnspec on your servers and endpoints and register them with Mondoo so that you can continuously monitor their security.
+
+To learn about how cnspec helps power Mondoo, read [Mondoo and cnspec](/platform/infra/opsys/mondoo-cnspec).
+
+#### Basic installation and registration instructions
+
+- [Install cnspec](/cnspec/)
+
+- [Register a cnspec installation with Mondoo](/cnspec/cnspec-adv-install/registration/)
+
+#### More installation and distribution options
+
+- [Register a cnspec installation with Mondoo using a credentials file](/cnspec/cnspec-adv-install/registration-keys/)
+
+- [Run cnspec as a service](/cnspec/cnspec-adv-install/service/)
+
+- [Linux installation options](/cnspec/cnspec-adv-install/linux/)
+
+- [macOS installation options](/cnspec/cnspec-adv-install/macos/)
+
+- [Windows installation options](/cnspec/cnspec-adv-install/windows/)
+
+- [Install with a standalone binary](/cnspec/#installation-options)
+
+#### Secure deployment automation
+
+- [Ansible](/platform/infra/opsys/automation/ansible/)
+
+- [Chef Infra](/platform/infra/opsys/automation/chef/)
+
+- [cloud-init](/platform/infra/opsys/automation/cloudinit/)
+
+- [Secrets management](/platform/infra/opsys/automation/vault/)
+
+#### Get help
+
+Can't find what you need? Join our community Slack channel to chat with us and other Mondoo users.
+
+---
diff --git a/docs/platform/infra/overview.mdx b/docs/platform/infra/overview.mdx
new file mode 100644
index 000000000..0ad48c0f2
--- /dev/null
+++ b/docs/platform/infra/overview.mdx
@@ -0,0 +1,95 @@
+---
+title: Integrate Your Infrastructure with Mondoo - Overview
+sidebar_label: Overview
+sidebar_position: 1
+description: Add the assets in your infrastructure to Mondoo to assess their security and compliance
+image: /img/featured_img/mondoo-feature.jpg
+---
+
+To assess and improve the security and compliance of your infrastructure, you must first integrate it with Mondoo. The Mondoo integration for each platform is unique, whether it's a Kubernetes controller, a Lambda function for deep AWS integration, or a simple client installed on an operating system.
+
+Find your platform and start integrating Mondoo across your systems.
+
+### [Cloud](/platform/infra/cloud/overview/)
+
+- [Amazon Web Services (AWS)](/platform/infra/cloud/aws/aws-overview/)
+
+- [Microsoft Azure](/platform/infra/cloud/azure/overview/)
+
+- [Google Cloud Platform (GCP)](/platform/infra/cloud/gcp/overview/)
+
+- [Kubernetes](/platform/infra/cloud/kubernetes/overview/)
+
+- [VMware](/platform/infra/cloud/vmware/)
+
+### [SaaS](/platform/infra/saas/overview/)
+
+- [GitHub](/platform/infra/saas/github/)
+
+- [GitLab](/platform/infra/saas/gitlab/)
+
+- [Google Workspace](/platform/infra/saas/google_workspace/)
+
+- [Microsoft 365](/platform/infra/saas/ms365/ms365-auto/)
+
+- [Okta](/platform/infra/saas/okta/)
+
+- [Slack](/platform/infra/saas/slack/)
+
+### [Network](/platform/infra/networking/overview/)
+
+- [Host (Domain or IP Address)](/platform/infra/networking/domain-ip/)
+
+### [Operating systems](/platform/infra/opsys/osoverview/)
+
+Mondoo's cross-platform CLI, [cnspec](/cnspec/cnspec-about/), is a core Mondoo component that finds misconfigurations and vulnerabilities in Linux, macOS, and Windows assets. You install cnspec on your servers and endpoints and register them with Mondoo so that you can continuously monitor their security.
+
+Integrate with a single server or endpoint:
+
+- [Install cnspec a single asset](/cnspec/)
+
+- [Register a single asset with Mondoo](/cnspec/cnspec-adv-install/registration/)
+
+Automate deployment of cnspec across your infrastructure:
+
+- [Ansible](/platform/infra/opsys/automation/ansible/)
+
+- [Chef Infra](/platform/infra/opsys/automation/chef/)
+
+- [cloud-init](/platform/infra/opsys/automation/cloudinit/)
+
+### [Supply chain](/platform/infra/supply/overview/)
+
+[Integrate with CI/CD testing:](/platform/infra/supply/cicd/overview/)
+
+- [Azure Pipelines](/platform/infra/supply/cicd/azure-pipelines/)
+
+- [CircleCI](/platform/infra/supply/cicd/circleci/)
+
+- [GitHub Actions](/platform/infra/supply/cicd/github-actions/)
+
+- [GitLab CI/CD](/platform/infra/supply/cicd/gitlab/)
+
+- [Jenkins](/platform/infra/supply/cicd/jenkins/)
+
+Use cnspec to ensure you build virtual instances that are free of security vulnerabilities:
+
+- [Docker](/cnspec/supplychain/docker/)
+
+- [HashiCorp Packer](/cnspec/supplychain/packer/)
+
+- [HashiCorp Terraform](/cnspec/supplychain/terraform/)
+
+Use cnspec to test containers for security vulnerabilities during development on your workstation before publishing to container registries:
+
+- [AWS Elastic Container Registry](/cnspec/supplychain/registry/aws_ecr/)
+
+- [Azure Container Registry](/cnspec/supplychain/registry/azure_acr/)
+
+- [Google Container Registry](/cnspec/supplychain/registry/gcp_gcr/)
+
+- [Docker Hub](/cnspec/supplychain/registry/docker_hub/)
+
+- [Harbor Container Registry](/cnspec/supplychain/registry/harbor/)
+
+---
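Review bot: Under "Operating systems", the link text "Install cnspec a single asset" is missing a word; it should read "Install cnspec on a single asset". The automation list here also omits the secrets management page that the operating systems overview links alongside Ansible, Chef Infra, and cloud-init; list it in both places or in neither.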
diff --git a/docs/platform/infra/saas/_category_.json b/docs/platform/infra/saas/_category_.json
new file mode 100644
index 000000000..b753a24dc
--- /dev/null
+++ b/docs/platform/infra/saas/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "SaaS",
+ "position": 3
+}
diff --git a/docs/platform/infra/saas/github.mdx b/docs/platform/infra/saas/github.mdx
new file mode 100644
index 000000000..ea7ccfc45
--- /dev/null
+++ b/docs/platform/infra/saas/github.mdx
@@ -0,0 +1,88 @@
+---
+title: Secure GitHub with Mondoo
+sidebar_label: GitHub
+sidebar_position: 2
+description: Assess the security of your GitHub repositories and organization with Mondoo
+---
+
+You can configure Mondoo to continuously scan your GitHub organization and repositories. Mondoo scans find misconfigurations and vulnerabilities that put your organization at risk. You deploy the integration once and always get the latest security assessments.
+
+:::tip
+
+You can also use Mondoo to automatically scan Kubernetes manifests, Terraform configuration files, and Docker containers in GitHub Actions. To learn more, read [Scan in GitHub Actions](/platform/infra/supply/cicd/github-actions/).
+
+:::
+
+## Prerequisite
+
+- [A Mondoo account](/platform/start/plat-start-acct/)
+
+- Access to a GitHub repository
+
+## Create a GitHub personal access token to give Mondoo access to the repository
+
+A _personal access token_ gives Mondoo the ability to access GitHub resources on your behalf. For Mondoo to continuously monitor your GitHub repository, you must create a personal access token.
+
+1. Log into GitHub. If you haven't verified your email address with GitHub, do that now.
+
+2. In the upper-right corner of any GitHub page, select your profile photo and then select Settings.
+
+3. In the left sidebar, select **Developer settings**.
+
+4. In the left sidebar, under **Personal access tokens**, select **Fine-grained tokens**.
+
+5. Select **Generate new token**.
+
+6. Under **Token name**, enter a name for the token, such as `mondoo-frontend-repo`.
+
+7. Under **Expiration**, specify the many days after which the token expires.
+
+8. Under **Description**, explain the purpose of the token, such as `Gives Mondoo read-only access to the frontend repo`.
+
+9. Under **Resource owner**, the owner of the repository you want to monitor. The token you create can only access resources owned by the selected resource owner.
+
+ If your organization requires approval for fine-grained personal access tokens, you see a box below the **Resource owner** drop-down list. In that box, enter your justification for the new token.
+
+ If you don't see the owner of the repository you want to monitor, it's likely that they don't support fine-grained personal access tokens. To learn more, read [Setting a personal access token policy for your organization](https://docs.github.com/en/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization).
+
+10. Under Repository access, select **Only select repositories**.
+
+11. In the **Selected repositories** list, choose the repository you want to monitor with Mondoo.
+
+12. Under **Permissions**, select **Repository permissions** and give the token **Read-only** access to every permission that has a Read-only option.
+
+13. Select the **Generate token** button. (If your resource owner requires approval for tokens, the button reads **Generate token and request access**.)
+
+To learn more, read [Creating a fine-grained personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-fine-grained-personal-access-token) in the GitHub documentation.
+
+## Set up a GitHub integration
+
+1. Access the Integrations > Add > GitHub page in one of two ways:
+
+ - New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select **BROWSE INTEGRATIONS** and then under **SaaS**, select **GitHub**.
+
+ ![Welcome to Mondoo Page](/img/platform/start/welcome_to_mondoo.png)
+
+ - INTEGRATIONS page: In the side navigation bar, under **INTEGRATIONS**, select **Add New Integration**. Under SaaS, select **GitHub**.
+
+ ![Add a GitHub Integration in Mondoo](/img/platform/infra/saas/github/github.png)
+
+2. In the **Choose an integration name** box, enter a name for the integration. Make it a name that lets you easily recognize the GitHub repository.
+
+3. In the **Organization** box, enter the name of the GitHub organization containing the repository you want to monitor. In the **Repository** box, enter the name of the repository. Find these values in the URL path to the repository landing page. For example, this organization's name is _Lunalectric_ and the repository is _frontend_:
+
+ ![GitHub organization name](/img/platform/infra/saas/github/repo.png)
+
+4. In the **Provide your personal access token** box, paste the GitHub token you generated in the previous section.
+
+5. Select the **START SCANNING** button.
+
+6. On the Recommended Policies page, enable the policies on which you want to base assessments of your GitHub repository. To learn more, read [Manage Policies](/platform/security/posture/policies/).
+
+ Mondoo begins scanning your GitHub repository and, when completed, presents results on the INVENTORY page.
+
+## Learn more
+
+For more information, explore the complete [Mondoo GitHub Resource Pack Reference](/mql/resources/github-pack/).
+
+---
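Review bot: Step 12 tells readers to grant **Read-only** on every repository permission that offers it, which is broader than a scanner is likely to need; list the specific permissions Mondoo reads so the token follows least privilege. The procedure also ends at **Generate token** without a step to copy the token, yet step 4 of "Set up a GitHub integration" asks the reader to paste it (the GitLab page includes this step). Wording: step 7 "specify the many days" should be "specify the number of days", step 9 is missing its verb ("select the owner of the repository"), Settings in step 2 and Repository access in step 10 are not bolded like the other UI labels, and "Prerequisite" has two items and should be plural.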
diff --git a/docs/platform/infra/saas/gitlab.mdx b/docs/platform/infra/saas/gitlab.mdx
new file mode 100644
index 000000000..6ac26b65a
--- /dev/null
+++ b/docs/platform/infra/saas/gitlab.mdx
@@ -0,0 +1,98 @@
+---
+title: Secure GitLab with Mondoo
+sidebar_label: GitLab
+sidebar_position: 3
+description: Assess the security of your GitLab groups with Mondoo
+---
+
+You can configure Mondoo to continuously scan your GitLab groups. Mondoo scans find misconfigurations and vulnerabilities that put your organization at risk. You deploy the integration once and always get the latest security assessments.
+
+:::tip
+
+You can also use Mondoo to automatically scan Kubernetes manifests, Terraform configuration files, and Docker containers in GitLab CI/CD. To learn more, read [Scan in GitLab CI/CD](/platform/infra/supply/cicd/gitlab/).
+
+:::
+
+## Prerequisite
+
+- [A Mondoo account](/platform/start/plat-start-acct/)
+
+- Access to a GitLab group
+
+## Create a personal access token to give Mondoo access to the GitLab group
+
+A _personal access token_ gives Mondoo the ability to access GitLab resources on your behalf. For Mondoo to continuously monitor your GitLab groups, you must create a personal access token.
+
+1. Log into GitLab.
+
+2. In the upper-left corner of any GitLab page, select your profile photo and then select **Edit Profile**.
+
+3. In the left sidebar, select **Access Tokens**.
+
+4. In the **Token name** box, enter a name for the token, such as `mondoo-frontend-repo`.
+
+5. Under **Expiration date**, specify the date on which to expire the token.
+
+6. Under **Select scopes**, check these scopes:
+
+ - read_api
+
+ - read_user
+
+ - read_repository
+
+ - read_registry
+
+7. Select the **Create a personal access token** button.
+
+8. Scroll to the top of the page.
+
+9. When GitLab finishes creating the token, it displays this message: "Your new personal access token has been created." Below the message, locate the **Your new personal access token** box.
+
+10. Use the copy icon to the right of the box to copy **Your new personal access token**.
+
+To learn more, read [Create a personal access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#create-a-personal-access-token) in the GitLab documentation.
+
+## Set up a GitLab integration
+
+1. In a new browser tab, access the Integrations > Add > GitLab page in one of two ways:
+
+ - New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select **BROWSE INTEGRATIONS** and then under **SaaS**, select **GitLab**.
+
+ ![Welcome to Mondoo Page](/img/platform/start/welcome_to_mondoo.png)
+
+ - INTEGRATIONS page: In the side navigation bar, under **INTEGRATIONS**, select **Add New Integration**. Under SaaS, select **GitLab**.
+
+ ![Add a GitLab Integration in Mondoo](/img/platform/infra/saas/gitlab/gitlab.png)
+
+2. In the **Choose an integration name** box, enter a name for the integration. Make it a name that lets you easily recognize the GitLab group.
+
+3. If you self-host GitLab, enter your custom GitLab URL in the **Provide a GitLab base URL** box. If you don't self-host GitLab, leave the box empty.
+
+4. In the **Define the GitLab group to scan** box, enter the name of the GitLab group you want to monitor. Find this value in the URL path to the group landing page. For example, this group's name is _lunalectric_:
+
+ ![GitLab group name](/img/platform/infra/saas/gitlab/group.png)
+
+5. In the **Provide your personal access token** box, paste the GitLab token you generated in the previous section.
+
+6. Choose **Discovery options** to determine the extent of Mondoo scanning:
+
+ ![GitLab discovery options](/img/platform/infra/saas/gitlab/discovery.png)
+
+ - To scan all the GitLab groups to which your token provides access, enable **Discover all groups the token can access**.
+
+ - To scan all the GitLab projects to which your token provides access, enable **Discover all projects the token can access**.
+
+ - To scan all Terraform files in the projects to which your token provides access, enable **Discover all Terraform files in projects**.
+
+7. Select the **START SCANNING** button.
+
+8. On the Recommended Policies page, enable the policies on which you want to base assessments of your GitLab group. To learn more, read [Manage Policies](/platform/security/posture/policies/).
+
+ Mondoo begins scanning your GitLab group and, when completed, presents results on the INVENTORY page.
+
+## Learn more
+
+For more information, explore the complete [Mondoo GitLab Resource Pack Reference](/mql/resources/gitlab-pack/).
+
+---
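Review bot: The integration relies on a personal access token, and discovery options such as **Discover all groups the token can access** then scan everything the issuing user can reach, not just the group named in step 4; recommend creating the token under a dedicated user that belongs only to the groups to be scanned, and say so next to the discovery options. In the token procedure, the example name `mondoo-frontend-repo` is carried over from the GitHub page although this token covers a group, and the page should explain why all four scopes (`read_api`, `read_user`, `read_repository`, `read_registry`) are required. "Prerequisite" has two items and should be plural.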
diff --git a/docs/platform/infra/saas/google_workspace.md b/docs/platform/infra/saas/google_workspace.md
new file mode 100644
index 000000000..63546acaf
--- /dev/null
+++ b/docs/platform/infra/saas/google_workspace.md
@@ -0,0 +1,83 @@
+---
+title: Secure Google Workspace with Mondoo
+sidebar_label: Google Workspace
+sidebar_position: 4
+description: Set up a Google Workspace integration in Mondoo
+---
+
+The Mondoo Google Workspace integration lets you continuously scan your Google Workspace resources, such as users and applications. It finds misconfigurations and vulnerabilities that put your organization at risk. You deploy the integration once and always get the latest security assessments for new accounts and resources.
+
+## Configure access to the Google Workspace API
+
+:::note
+
+These steps for configuring [Admin SDK API](https://developers.google.com/admin-sdk) access to your
+Google Workspace environment rely on Google Cloud (GCP) even if you aren't otherwise using GCP.
+
+:::
+
+1. [Create a Google Workspace service account](https://support.google.com/a/answer/7378726).
+
+ - In addition to the APIs that Google requires, also enable:
+
+ - Cloud Identity API
+
+ - Google Drive API
+
+ - After creating the service account, be sure to record the **Unique ID** on the details page. This is the Client ID to use in the next step.
+
+ - Be sure to download and protect the JSON credentials file.
+
+2. Log into the [Google Workspace Admin Portal](https://admin.google.com).
+
+3. In the left-side navigation, select **Security -> Access and data controls -> API controls**.
+
+4. Select [**Domain-wide Delegation**](https://developers.google.com/workspace/guides/create-credentials#delegate_domain-wide_authority_to_your_service_account) and then select **Add new**.
+
+5. For the **Client ID** enter the **Unique ID** of the service account you created.
+
+6. Paste this comma-delimited list to add all 16 read-only OAuth scopes:
+
+ ```text
+ https://www.googleapis.com/auth/admin.chrome.printers.readonly,https://www.googleapis.com/auth/admin.directory.customer.readonly,https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/admin.directory.user.alias.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.userschema.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.reports.usage.readonly,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/cloud-identity.groups.readonly
+ ```
+
+7. In the [Google Workspace Admin Portal](https://admin.google.com), navigate to **Account -> Account Settings** and record the **Customer ID**.
+
+## Add a new Google Workspace integration
+
+1. Access the Integrations > Add > Google Workspace page in one of two ways:
+
+ - New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select **BROWSE INTEGRATIONS** and then select **Google Workspace**.
+
+ ![Welcome to Mondoo Page](/img/platform/start/welcome_to_mondoo.png)
+
+ - INTEGRATIONS page: In the side navigation bar, under **INTEGRATIONS**, select **Add New Integration**. Under SaaS, select **Google Workspace**.
+
+ ![Add a Google Workspace Integration in Mondoo](/img/platform/infra/saas/gw/gw-top.png)
+
+2. In the **Choose an integration name** box, enter a name for the integration. Make it a name that lets you easily recognize the Google Workspace account.
+
+3. In the **Mandated user's email** box, enter the email address of a Google Workspace user with super admin access. Mondoo relies on this user's privileges to access the information it needs. You can choose an existing super admin or create one just for Mondoo.
+
+4. Under **Provide your Google Service Account config**, upload the GCP service account's JSON key that you downloaded in the previous section:
+
+ Drag the file and drop it in the **Drag and drop your .json file here** box.
+
+ OR
+
+ In the **Drag and drop your .json file here** box, select the cloud icon and choose the file to upload.
+
+ ![integration-create-image](/img/platform/infra/saas/gw/gw-bottom.png)
+
+5. To complete the integration, select the **START SCANNING** button.
+
+6. On the Recommended Policies page, enable the policies on which you want to base assessments of your Google Workspace environment. To learn more, read [Manage Policies](/platform/security/posture/policies/).
+
+ Mondoo begins scanning the assets in your Google Workspace and, when completed, presents the results on the INVENTORY page.
+
+## Learn more
+
+For more information, explore the complete [Mondoo Google Workspace Resource Pack Reference](/mql/resources/google-workspace-pack/).
+
+---
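Review bot: Step 6 promises "all 16 read-only OAuth scopes", but the pasted string contains 17 comma-separated scopes, and one of them, `https://www.googleapis.com/auth/admin.directory.user.security`, does not carry the `.readonly` suffix. Correct the count and either drop "read-only" from the sentence or call that scope out separately with a line on why the integration needs it, so the admin approving domain-wide delegation knows exactly what is being granted. Step 3 of the integration section also requires a super admin as the mandated user. A sentence explaining why that level of access is needed would help whoever has to sign off on it.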
diff --git a/docs/platform/infra/saas/ms365/_category_.json b/docs/platform/infra/saas/ms365/_category_.json
new file mode 100644
index 000000000..490c8ffdb
--- /dev/null
+++ b/docs/platform/infra/saas/ms365/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Microsoft 365",
+ "position": 5
+}
diff --git a/docs/platform/infra/saas/ms365/_include-graph.mdx b/docs/platform/infra/saas/ms365/_include-graph.mdx
new file mode 100644
index 000000000..782aecf24
--- /dev/null
+++ b/docs/platform/infra/saas/ms365/_include-graph.mdx
@@ -0,0 +1,50 @@
+1. In the navigation sidebar, select **API permissions**.
+
+![API permissions](/img/platform/infra/cloud/azure/api-permissions.png)
+
+By default, Microsoft grants your new application `User.Read` permission for Microsoft Graph. It's not required for Mondoo, so you can remove it.
+
+2. Select **+ Add a permission**.
+
+![Add permission in Azure](/img/platform/infra/cloud/azure/select-add-permission.png)
+
+3. From the list of **Commonly used Microsoft APIs**, select **Microsoft Graph**.
+
+![API permissions](/img/platform/infra/cloud/azure/request-api-permission.png)
+
+4. Because Mondoo acts as a service, select **Application permissions**.
+
+5. Select **expand all** to see all permissions. Then select the required API permissions:
+
+
+Show or hide required API permissions.
+
+| Microsoft Graph | Type | Description |
+| -------------------------------------- | ----------- | ------------------------------------------------------- |
+| IdentityProvider.Read.All | Application | Read identity providers |
+| Policy.Read.All | Application | Read your organization's policies |
+| Policy.Read.ConditionalAccess | Application | Read your organization's conditional access policies |
+| Policy.Read.PermissionGrant | Application | Read consent and permission grant policies |
+| SecurityActions.Read.All | Application | Read your organization's security actions |
+| SecurityEvents.Read.All | Application | Read your organization's security events |
+| DeviceManagementConfiguration.Read.All | Application | Read Microsoft Intune device configuration and policies |
+
+
+
+6. Select the **Add permissions** button.
+
+7. Grant Mondoo read permissions for **SharePoint**.
+
+ | SharePoint APIs | Type | Description |
+ | --------------------- | ----------- | ---------------------------------- |
+ | Sites.FullControl.All | Application | Read items in all site collections |
+
+8. Select the **Add permissions** button.
+
+9. Grant Mondoo read permissions for **Office 365 Exchange Online**. You need to search in **APIs my organization uses**
+
+ | Office 365 Exchange Online | Type | Description |
+ | -------------------------- | ----------- | ----------------------------------------- |
+ | Exchange.ManageAsApp | Application | Have full control of all site collections |
+
+10. To complete the process, select **Grant admin consent for (your tenant name)** and select the **Yes** button to confirm.
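Review bot: The descriptions in the SharePoint and Exchange tables (steps 7 and 9) do not match the permissions beside them. `Sites.FullControl.All` is described as "Read items in all site collections" and both steps are introduced as granting "read permissions", while `Exchange.ManageAsApp` carries "Have full control of all site collections", which reads like a SharePoint description placed in the wrong row. Give each row the description that matches its permission name, and reword the step text so a reader granting admin consent at step 10 is not told that a full-control grant is read-only. Step 9 is also missing its closing period.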
diff --git a/docs/platform/infra/saas/ms365/ms365-auto.md b/docs/platform/infra/saas/ms365/ms365-auto.md
new file mode 100644
index 000000000..c189f095c
--- /dev/null
+++ b/docs/platform/infra/saas/ms365/ms365-auto.md
@@ -0,0 +1,277 @@
+---
+title: Quick Setup - MS 365 Continuous Scanning
+sidebar_label: Quick Setup - MS 365 Continuous Scanning
+sidebar_position: 1
+description: Set up Mondoo to assess Microsoft 365 for security misconfigurations.
+image: /img/featured_img/mondoo-365.jpg
+---
+
+The Mondoo Microsoft 365 integration lets you continuously scan your Microsoft 365 resources, such as users and applications. It finds misconfigurations and vulnerabilities that put your organization at risk. You deploy the integration once and always get the latest security assessments for new accounts and resources.
+
+## Prerequisites
+
+Before you integrate Microsoft 365 with Mondoo, be sure you:
+
+- Have a [Mondoo account](/platform/start/plat-start-acct/) with Editor or Owner permissions for the space in which you want to add the integration.
+
+- Have an [Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) with an active subscription and permission to manage applications in Microsoft Entra ID (formerly Active Directory). Any of these [Microsoft Entra ID roles](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference) include the required permissions:
+
+ - [Global Administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator) - Create and manage all aspects of app registrations and enterprise apps.
+
+ - [Application administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator) - Create and manage all aspects of app registrations and enterprise apps.
+
+ - [Cloud application administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-application-administrator) - Create and manage all aspects of app registrations and enterprise apps except App Proxy.
+
+- Are logged into Azure using the Azure CLI.
+
+ - If you use the Azure Cloud Shell, you don't need to also log into the Azure CLI. To learn more, read the [Quick start for Azure Cloud Shell](https://learn.microsoft.com/en-us/azure/cloud-shell/quickstart?tabs=azurecli).
+
+ - If you use a Linux shell or macOS shell, log into the Azure CLI.
+
+
+ If you're not already an Azure CLI user:
+
+ Log into the Azure CLI from PowerShell or a Linux/macOS CLI by
+ entering:
+
+ az login --allow-no-subscriptions
+
+ Azure opens your web browser and prompts you to log in. After you do
+ so, you can return to the CLI.
+
+
+
+
+
+## Register an Azure app
+
+Continuous scanning of Microsoft 365 requires a Microsoft Entra ID app registration in your Azure tenant. Registering Mondoo with Azure establishes a trust relationship between Mondoo and the Microsoft identity platform. The trust is unidirectional: Mondoo trusts the Microsoft identity platform, and not the other way around. The Azure app registration creates a [service principal](https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#what-are-service-principals-and-where-do-they-come-from) to represent Mondoo in any tenants and subscriptions in which it acts.
+
+:::note
+
+This section describes Microsoft's automatic app registration. This approach works in simpler Microsoft 365 environments and doesn't let you use your own certificates for authentication.
+
+If you want to use your own certificate or if you have a very complex Microsoft 365 environment, use the [manual app registration approach](/platform/infra/saas/ms365/ms365-manual/). Manual registration is more involved, but is a reliable way to implement a permanent, production-ready integration in all environments.
+
+:::
+
+To configure your Azure resources, you must:
+
+Step A. Create the app registration and certificate
+
+Step B. Grant permissions to access Microsoft Graph (API permissions)
+
+Step C: Assign the Global Reader role to the app
+
+Like any service that integrates with Azure, Mondoo must have an app registration and service principal. To learn more about creating a new app registration and service principal, read [App registration, app objects, and service principals](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#app-registration-app-objects-and-service-principals) in the Azure documentation.
+
+You create and register the app using the Azure CLI.
+
+### Step A: Create the app and certificate
+
+A single command in the Azure CLI performs these tasks:
+
+- Creates the application registration and service principal in Microsoft Entra ID.
+
+- Creates a certificate and assigns it to the newly created app.
+
+1. In the Azure CLI, enter:
+
+```bash
+az ad sp create-for-rbac --name "mondoo-ms365" --create-cert
+```
+
+When successful, the Azure CLI returns results like these:
+
+```bash
+"appId": "63c35483-c62f-2600-a097-a6e44d8dcdf6",
+"displayName": "mondoo-ms365",
+"fileWithCertAndPrivateKey": "/Users/stella/tmpkqyme3rm.pem",
+"password": null,
+"tenant": "e4e2600a-2d3d-2600-aa70-b9d8c8ec2600"
+```
+
+2. Copy your results and paste them somewhere handy; you'll need them later in this process.
+
+3. Copy the created PEM file (in the example above, it's named tmpkqyme3rm.pem) and save it; you'll need it later in this process.
+
+#### Step B: Grant permissions to access Microsoft Graph (API permissions)
+
+1. Copy this content and save it in a file on your local your system (in this example, the file name is app-manifest.json):
+
+```json
+[
+ {
+ "resourceAppId": "00000003-0000-0000-c000-000000000000",
+ "resourceAccess": [
+ {
+ "id": "e321f0bb-e7f7-481e-bb28-e3b0b32d4bd0",
+ "type": "Role"
+ },
+ {
+ "id": "246dd0d5-5bd0-4def-940b-0421030a5b68",
+ "type": "Role"
+ },
+ {
+ "id": "37730810-e9ba-4e46-b07e-8ca78d182097",
+ "type": "Role"
+ },
+ {
+ "id": "9e640839-a198-48fb-8b9a-013fd6f6cbcd",
+ "type": "Role"
+ },
+ {
+ "id": "5e0edab9-c148-49d0-b423-ac253e121825",
+ "type": "Role"
+ },
+ {
+ "id": "bf394140-e372-4bf9-a898-299cfc7564e5",
+ "type": "Role"
+ },
+ {
+ "id": "dc377aa6-52d8-4e23-b271-2a7ae04cedf3",
+ "type": "Role"
+ }
+ ]
+ },
+ {
+ "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
+ "resourceAccess": [
+ {
+ "id": "678536fe-1083-478a-9c59-b99265e6b0d3",
+ "type": "Role"
+ }
+ ]
+ },
+ {
+ "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
+ "resourceAccess": [
+ {
+ "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
+ "type": "Role"
+ }
+ ]
+ }
+]
+```
+
+
+Show or hide descriptions of the above API permissions.
+
+These tables show the permissions that the JSON file above grants. If you prefer, you can [add them manually](/platform/infra/saas/ms365/ms365-manual/#step-b-grant-permissions-to-access-microsoft-graph-api-permissions) in the Azure Portal.
+
+| Microsoft Graph | Type | Description |
+| -------------------------------------- | ----------- | ------------------------------------------------------- |
+| IdentityProvider.Read.All | Application | Read identity providers |
+| Policy.Read.All | Application | Read your organization's policies |
+| Policy.Read.ConditionalAccess | Application | Read your organization's conditional access policies |
+| Policy.Read.PermissionGrant | Application | Read consent and permission grant policies |
+| SecurityActions.Read.All | Application | Read your organization's security actions |
+| SecurityEvents.Read.All | Application | Read your organization's security events |
+| DeviceManagementConfiguration.Read.All | Application | Read Microsoft Intune device configuration and policies |
+
+| SharePoint APIs | Type | Description |
+| --------------------- | ----------- | ---------------------------------- |
+| Sites.FullControl.All | Application | Read items in all site collections |
+
+| Office 365 Exchange Online | Type | Description |
+| -------------------------- | ----------- | ----------------------------------------- |
+| Exchange.ManageAsApp | Application | Have full control of all site collections |
+
+
+
+2. Run these commands to grant the permissions in the JSON file and give administrator consent:
+
+```
+az ad app update --id YOUR-APP-ID --required-resource-accesses @app-manifest.json
+
+az ad app permission admin-consent --id YOUR-APP-ID
+```
+
+For YOUR-APP-ID, substitute the ID of the app you created.
+
+### Step C: Assign the Global Reader role to the app
+
+1. In the Entra ID portal, go to **Identity (Roles & admins)**.
+
+2. Use the search box to find the Global Reader role. Select the name of the role (not the check box). THe Assignments page opens.
+
+3. Select **+ Add assignments**.
+
+4. Find and select the newly created app, **mondoo-ms365**.
+
+5. Assign the **mondoo-ms365** app the **Global Reader** role.
+
+6. When you return to the Assignments page, select **Refresh** and verify that the mondoo-ms365 app has been assigned the Global Reader role.
+
+## Add a new Microsoft 365 integration in the Mondoo Console
+
+After you've created and granted permissions to a new app registration, you can create a Mondoo Microsoft 365 integration. You need some values from the app registration you created in the instructions above.
+
+1. Access the Integrations > Add > Microsoft 365 page in one of two ways:
+
+ - New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select **BROWSE INTEGRATIONS** and then select **Microsoft 365**.
+
+ ![Welcome to Mondoo Page](/img/platform/start/welcome_to_mondoo.png)
+
+ - INTEGRATIONS page: In the side navigation bar, under **INTEGRATIONS**, select **Add New Integration**. Under Cloud Security, select **Microsoft 365**.
+
+ ![integration-create-image](/img/platform/infra/saas/ms365/add-int-ms365-top.png)
+
+2. In the **Choose an integration name** box, enter a name for the integration. Make it a name that lets you easily recognize the Microsoft 365 tenant.
+
+3. In the **Enter Application (client) ID** box, enter the value from the app registration's **Application (client) ID** box.
+
+4. In the **Enter the Directory (tenant) ID** box, enter the value from the app registration's **Directory (tenant) ID** box.
+
+5. Specify the subscriptions for Mondoo to continuously scan.
+
+ - To continuously scan all subscriptions in the tenant, leave the **Scan all subscriptions connected to the Directory (tenant) ID** toggle enabled.
+
+ - To choose the subscriptions to scan, disable the **Scan all subscriptions connected to the Directory (tenant) ID** toggle, select Allowlist, and enter the subscription ID to scan.
+
+ - To scan **all** subscriptions except those you specify, disable the **Scan all subscriptions connected to the Directory (tenant) ID** toggle, select Denylist, and enter the names of the subscriptions you don't want Mondoo to scan.
+
+6. Provide a certificate (a [PEM](https://aboutssl.org/what-is-pem-certificate-file/) (privacy-enhanced mail) file) for Mondoo to securely authenticate with the app (service principal) you created.
+
+The certificate file must have the `.pem` extension and must contain both the private key and the certificate in this order:
+
+```
+-----BEGIN PRIVATE KEY-----
+key goes here
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+certificate goes here
+-----END CERTIFICATE-----
+```
+
+Upload the certificate to Mondoo: In the **Drag and drop your .pem file here** box, select the cloud icon and choose the file to upload.
+
+![integration-create-image](/img/platform/infra/saas/ms365/add-int-ms365-bottom.png)
+
+7. To complete the integration, select the **START SCANNING** button.
+
+8. On the Recommended Policies page, enable the policies on which you want to base assessments of your ms365 environment. To learn more, read [Manage Policies](/platform/security/posture/policies/).
+
+Mondoo begins scanning your Microsoft 365 resources. When it completes, you can see results on the INVENTORY page. To learn more, read [Monitor Your Infrastructure Security](/platform/security/posture/monitor/).
+
+:::info Didn't get the expected results?
+
+Read [Test and Troubleshoot Microsoft 365 Configuration](/platform/infra/saas/ms365/troubleshoot/).
+
+:::
+
+## Next steps
+
+- [Learn more about Mondoo](/platform/start/plat-what-is/)
+
+- [Integrate Mondoo with other cloud platforms in your infrastructure](/platform/infra/cloud/overview/)
+
+---
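Review bot: Step A, items 2 and 3, tell the reader to paste the command output "somewhere handy" and to copy the PEM named in `fileWithCertAndPrivateKey`, but that file holds the private key for the service principal and nothing here says to protect it. Add the kind of instruction the Google Workspace page gives for its JSON key ("Be sure to download and protect the JSON credentials file"), for example storing the PEM with restricted file permissions and deleting the temporary copy after it is uploaded in step 6 of the integration section. The permission tables repeat the name/description mismatch (`Sites.FullControl.All` shown as "Read items in all site collections", `Exchange.ManageAsApp` as "Have full control of all site collections"), and the GUIDs in app-manifest.json are not mapped to those names, so a reader cannot check what each `id` grants. Smaller points: "#### Step B" sits one heading level below Step A and Step C; the sample output is fenced as `bash` and lacks the enclosing braces of the JSON it shows; integration step 5 asks for a subscription ID on the allowlist but subscription names on the denylist; and there are typos at "local your system" and "THe Assignments".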
diff --git a/docs/platform/infra/saas/ms365/ms365-manual.mdx b/docs/platform/infra/saas/ms365/ms365-manual.mdx
new file mode 100644
index 000000000..bf6c5cbb6
--- /dev/null
+++ b/docs/platform/infra/saas/ms365/ms365-manual.mdx
@@ -0,0 +1,230 @@
+---
+title: Manual Setup - MS 365 Continuous Scanning
+sidebar_label: Manual Setup - MS 365 Continuous Scanning
+sidebar_position: 2
+description: Take the manual approach to configuring the Mondoo MS365 integration to scan Microsoft 365 resources.
+image: /img/featured_img/mondoo-365.jpg
+---
+
+## Prerequisites
+
+Before you integrate Microsoft 365 with Mondoo, be sure you:
+
+- Have a [Mondoo account](/platform/start/plat-start-acct/) with Editor or Owner permissions for the space in which you want to add the integration.
+
+- Have an [Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) with an active subscription and permission to manage applications in Microsoft Entra ID (formerly Active Directory). Any of these [Microsoft Entra ID roles](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference) include the required permissions:
+
+ - [Global Administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator) - Create and manage all aspects of app registrations and enterprise apps.
+
+ - [Application administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator) - Create and manage all aspects of app registrations and enterprise apps.
+
+ - [Cloud application administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-application-administrator) - Create and manage all aspects of app registrations and enterprise apps except App Proxy.
+
+- Are logged into Azure using the Azure CLI.
+
+ - If you use the Azure Cloud Shell, you don't need to also log into the Azure CLI. To learn more, read the [Quick start for Azure Cloud Shell](https://learn.microsoft.com/en-us/azure/cloud-shell/quickstart?tabs=azurecli).
+
+ - If you use a Linux shell or macOS shell, log into the Azure CLI.
+
+
+ If you're not already an Azure CLI user:
+
+ Log into the Azure CLI from PowerShell or a Linux/macOS CLI by
+ entering:
+
+ az login --allow-no-subscriptions
+
+ Azure opens your web browser and prompts you to log in. After you do
+ so, you can return to the CLI.
+