Event ID 8 - CreateRemoteThread - Appends to bottom of config

[Cyber74-Brian-McCaleb]

Does anyone know why the include_all.xml for event id 8 gets appended to the bottom of the config when generating a config. It also appears that way in the sysmonconfig.xml already present. See below for example:

<RuleGroup groupRelation="or">
  <FileDeleteDetected onmatch="exclude">
    <Image condition="contains all">\appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
    <User condition="contains any">NETWORK SERVICE; LOCAL SERVICE</User>
  </FileDeleteDetected>
</RuleGroup>
<RuleGroup groupRelation="or">
  <CreateRemoteThread onmatch="include">
    <SourceImage name="technique_id=T1055,technique_name=Process Injection" condition="begin with">C:\</SourceImage>
    <SourceImage name="technique_id=T1055,technique_name=Process Injection" condition="begin with">\\</SourceImage>
  </CreateRemoteThread>
</RuleGroup>
<RuleGroup groupRelation="or">
  <FileDelete onmatch="exclude">
    <Rule groupRelation="and">
      <Image condition="is">C:\Windows\System32\svchost.exe</Image>
      <TargetFilename condition="end with">.tmp</TargetFilename>
    </Rule>
  </FileDelete>
</RuleGroup>