diff --git a/nursery/register-raw-input-devices.yml b/collection/keylog/register-raw-input-devices.yml
similarity index 55%
rename from nursery/register-raw-input-devices.yml
rename to collection/keylog/register-raw-input-devices.yml
index 2e5cb96da..3a0b2dd8f 100644
--- a/nursery/register-raw-input-devices.yml
+++ b/collection/keylog/register-raw-input-devices.yml
@@ -1,13 +1,17 @@
-# generated using capa explorer for IDA Pro
 rule:
   meta:
     name: register raw input devices
-    namespace: host-interaction/hardware
+    namespace: collection/keylog
     authors:
+      - zeze-zeze
       - michael.hunhoff@mandiant.com
     scopes:
       static: basic block
       dynamic: call
+    att&ck:
+      - Collection::Input Capture::Keylogging [T1056.001]
+    examples:
+      - 52d8e95c9883cd16d7b44e3a7adc22d6.exe_
   features:
     - or:
       - api: user32.RegisterRawInputDevices
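Review bot: The rule is promoted out of the nursery with `namespace: collection/keylog` and a T1056.001 mapping, but the only feature visible in the hunk is the bare `api: user32.RegisterRawInputDevices` call, which ordinary input-handling software (games, accessibility tools, remote-desktop clients) also makes; the `or:` block and anything after it lie outside the hunk, so if nothing there narrows the match, the rule is likely to over-report once it carries a keylogging label. The commit also drops the `# generated using capa explorer for IDA Pro` comment without replacing it, leaving `meta:` with no `description:`; add one along the lines of `description: registers to receive raw keyboard input, a technique used by keyloggers to capture keystrokes without a hook` so analysts know why this API maps to T1056.001. If the feature set allows, consider pairing the API with the flag that lets a window receive input while not in the foreground, e.g. `- number: 0x100 = RIDEV_INPUTSINK`, since that combination is a better discriminator than the registration call alone; treat the exact value as something to confirm against the Win32 headers.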