From 771c86edbf123450396e91709857c51cf3e0b611 Mon Sep 17 00:00:00 2001 
From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com> Date: Thu, 18 Nov 2021 08:43:13 +0900 Subject: [PATCH] change rules dir structure. addlogon timeline. --- .../59_T1197_BitsJobCreation.yaml | 0 ..._T1562.010_PowershellV2DowngradeAttack.yml | 0 ...4103_T1059_PowershellExecutionPipeline.yml | 0 .../1102_T1070.001_SecurityLogCleared.yml | 0 .../hayabusa}/Security/4673.yml | 0 .../hayabusa}/Security/4674.yml | 0 .../hayabusa}/Security/4720.yml | 0 .../hayabusa}/Security/4728.yml | 0 .../hayabusa}/Security/4732.yml | 0 .../hayabusa}/Security/4756.yml | 0 .../Security/4768_T1558.003_Kerberoasting.yml | 0 .../4768_T1558.004_AS-REP-Roasting.yml | 0 .../hayabusa}/Security/_4625.yml | 0 .../hayabusa}/Security/_4648.yml | 0 .../hayabusa}/Security/_4672.yml | 0 rules/{ => alert-rules/hayabusa}/Sysmon/1.yml | 0 rules/{ => alert-rules/hayabusa}/Sysmon/7.yml | 0 .../System/104_T1070.001_SystemLogCleared.yml | 0 .../hayabusa}/System/7030.yml | 0 .../hayabusa}/System/7040.yml | 0 .../hayabusa}/System/7045.yml | 0 .../sigma}/av_exploiting.yml | 0 .../sigma}/av_hacktool.yml | 0 .../sigma}/av_password_dumper.yml | 0 .../av_printernightmare_cve_2021_34527.yml | 0 .../sigma}/av_relevant_files.yml | 0 .../sigma}/av_webshell.yml | 0 .../sigma}/dns_net_mal_cobaltstrike.yml | 0 .../sigma}/dns_net_susp_ipify.yml | 0 ...s_query_hybridconnectionmgr_servicebus.yml | 0 .../sigma}/dns_query_mega_nz.yml | 0 .../dns_query_possible_dns_rebinding.yml | 0 .../dns_query_regsvr32_network_activity.yml | 0 .../sigma}/driver_load_mal_creddumper.yml | 0 ...tstrike_getsystem_service_installation.yml | 0 ...powershell_script_installed_as_service.yml | 0 .../sigma}/driver_load_susp_temp_use.yml | 0 .../sigma}/driver_load_vuln_dell_driver.yml | 0 .../sigma}/driver_load_windivert.yml | 0 ...mmand_execution_by_office_applications.yml | 0 .../sigma}/file_event_advanced_ip_scanner.yml | 0 .../file_event_apt_unidentified_nov_18.yml | 0 ...cve_2021_31979_cve_2021_33771_exploits.yml | 0 
.../sigma}/file_event_hack_dumpert.yml | 0 .../sigma}/file_event_hktl_createminidump.yml | 0 .../sigma}/file_event_mal_adwind.yml | 0 .../sigma}/file_event_mal_octopus_scanner.yml | 0 .../sigma}/file_event_mal_vhd_download.yml | 0 ...ile_event_mimikatz_kirbi_file_creation.yml | 0 .../sigma}/file_event_moriya_rootkit.yml | 0 .../sigma}/file_event_pingback_backdoor.yml | 0 ...ript_creation_by_office_using_file_ext.yml | 0 .../sigma}/file_event_tool_psexec.yml | 0 .../sigma}/file_event_uac_bypass_winsat.yml | 0 .../sigma}/file_event_uac_bypass_wmp.yml | 0 .../sigma}/file_event_winrm_awl_bypass.yml | 0 ...ile_event_wmiprvse_wbemcomn_dll_hijack.yml | 0 .../sigma}/image_load_pingback_backdoor.yml | 0 .../image_load_silenttrinity_stage_use.yml | 0 ...mage_load_wmiprvse_wbemcomn_dll_hijack.yml | 0 .../sigma}/pipe_created_tool_psexec.yml | 0 .../sigma}/powershell_accessing_win_api.yml | 0 .../sigma}/powershell_adrecon_execution.yml | 0 .../powershell_alternate_powershell_hosts.yml | 0 .../powershell_automated_collection.yml | 0 .../sigma}/powershell_azurehound_commands.yml | 0 .../sigma}/powershell_bad_opsec_artifacts.yml | 0 .../powershell_cl_invocation_lolscript.yml | 0 ...wershell_cl_invocation_lolscript_count.yml | 0 ...powershell_cl_mutexverifiers_lolscript.yml | 0 ...hell_cl_mutexverifiers_lolscript_count.yml | 0 ...ell_classic_alternate_powershell_hosts.yml | 0 .../sigma}/powershell_classic_powercat.yml | 0 ...hell_classic_remote_powershell_session.yml | 0 ...susp_athremotefxvgpudisablementcommand.yml | 0 .../powershell_classic_susp_zip_compress.yml | 0 ...powershell_classic_suspicious_download.yml | 0 .../powershell_clear_powershell_history.yml | 0 .../sigma}/powershell_create_local_user.yml | 0 .../sigma}/powershell_data_compressed.yml | 0 .../sigma}/powershell_decompress_commands.yml | 0 ...powershell_delete_volume_shadow_copies.yml | 0 .../sigma}/powershell_detect_vm_env.yml | 0 .../sigma}/powershell_dnscat_execution.yml | 0 
.../sigma}/powershell_downgrade_attack.yml | 0 .../sigma}/powershell_exe_calling_ps.yml | 0 .../sigma}/powershell_get_clipboard.yml | 0 .../sigma}/powershell_icmp_exfiltration.yml | 0 .../sigma}/powershell_invoke_nightmare.yml | 0 .../powershell_invoke_obfuscation_clip.yml | 0 ...ke_obfuscation_clip_in_scriptblocktext.yml | 0 ...hell_invoke_obfuscation_obfuscated_iex.yml | 0 ...tion_obfuscated_iex_in_scriptblocktext.yml | 0 .../powershell_invoke_obfuscation_stdin.yml | 0 ...e_obfuscation_stdin_in_scriptblocktext.yml | 0 .../powershell_invoke_obfuscation_var.yml | 0 ...oke_obfuscation_var_in_scriptblocktext.yml | 0 ...rshell_invoke_obfuscation_via_compress.yml | 0 ...cation_via_compress_in_scriptblocktext.yml | 0 ...wershell_invoke_obfuscation_via_rundll.yml | 0 ...uscation_via_rundll_in_scriptblocktext.yml | 0 ...owershell_invoke_obfuscation_via_stdin.yml | 0 ...fuscation_via_stdin_in_scriptblocktext.yml | 0 ...rshell_invoke_obfuscation_via_use_clip.yml | 0 ...cation_via_use_clip_in_scriptblocktext.yml | 0 ...shell_invoke_obfuscation_via_use_mhsta.yml | 0 ...ation_via_use_mhsta_in_scriptblocktext.yml | 0 ...ll_invoke_obfuscation_via_use_rundll32.yml | 0 ...on_via_use_rundll32_in_scriptblocktext.yml | 0 .../powershell_invoke_obfuscation_via_var.yml | 0 ...obfuscation_via_var_in_scriptblocktext.yml | 0 .../sigma}/powershell_keylogging.yml | 0 .../powershell_malicious_commandlets.yml | 0 .../sigma}/powershell_malicious_keywords.yml | 0 ...ll_memorydump_getstoragediagnosticinfo.yml | 0 ...wershell_nishang_malicious_commandlets.yml | 0 .../sigma}/powershell_ntfs_ads_access.yml | 0 .../sigma}/powershell_powercat.yml | 0 ...rshell_powerview_malicious_commandlets.yml | 0 .../sigma}/powershell_prompt_credentials.yml | 0 .../sigma}/powershell_psattack.yml | 0 .../powershell_remote_powershell_session.yml | 0 .../sigma}/powershell_renamed_powershell.yml | 0 ...ershell_set_policies_to_unsecure_level.yml | 0 .../sigma}/powershell_shellcode_b64.yml | 0 
...shell_shellintel_malicious_commandlets.yml | 0 .../sigma}/powershell_software_discovery.yml | 0 ...ll_store_file_in_alternate_data_stream.yml | 0 ...susp_athremotefxvgpudisablementcommand.yml | 0 .../sigma}/powershell_susp_zip_compress.yml | 0 ...l_susp_zip_compress_in_scriptblocktext.yml | 0 .../sigma}/powershell_suspicious_download.yml | 0 ...ell_suspicious_download_in_contextinfo.yml | 0 ...suspicious_download_in_scriptblocktext.yml | 0 ...shell_suspicious_export_pfxcertificate.yml | 0 ...powershell_suspicious_getprocess_lsass.yml | 0 ...wershell_suspicious_invocation_generic.yml | 0 ...ious_invocation_generic_in_contextinfo.yml | 0 ..._invocation_generic_in_scriptblocktext.yml | 0 ...ershell_suspicious_invocation_specific.yml | 0 ...ous_invocation_specific_in_contextinfo.yml | 0 ..._invocation_specific_in_scripblocktext.yml | 0 .../sigma}/powershell_suspicious_keywords.yml | 0 .../powershell_suspicious_mail_acces.yml | 0 ...hell_suspicious_mounted_share_deletion.yml | 0 .../sigma}/powershell_suspicious_recon.yml | 0 .../powershell_suspicious_win32_pnpentity.yml | 0 .../powershell_suspicious_windowstyle.yml | 0 ...owershell_syncappvpublishingserver_exe.yml | 0 ...ppvpublishingserver_exe_in_contextinfo.yml | 0 ...ublishingserver_exe_in_scriptblocktext.yml | 0 ...owershell_tamper_with_windows_defender.yml | 0 .../sigma}/powershell_timestomp.yml | 0 .../sigma}/powershell_trigger_profiles.yml | 0 .../sigma}/powershell_web_request.yml | 0 ...hell_windows_firewall_profile_disabled.yml | 0 .../sigma}/powershell_winlogon_helper_dll.yml | 0 .../sigma}/powershell_wmi_persistence.yml | 0 .../sigma}/powershell_wmimplant.yml | 0 ...shell_wsman_com_provider_no_powershell.yml | 0 .../sigma}/powershell_xor_commandline.yml | 0 ...sing_windows_telemetry_for_persistence.yml | 0 .../process_creation_advanced_ip_scanner.yml | 0 ...rocess_creation_alternate_data_streams.yml | 0 .../sigma}/process_creation_apt_gallium.yml | 0 .../process_creation_apt_gallium_sha1.yml | 0 
.../sigma}/process_creation_apt_pandemic.yml | 0 .../sigma}/process_creation_apt_slingshot.yml | 0 ...s_creation_apt_turla_commands_critical.yml | 0 .../sigma}/process_creation_apt_wocao.yml | 0 .../process_creation_automated_collection.yml | 0 .../process_creation_c3_load_by_rundll32.yml | 0 .../process_creation_certoc_execution.yml | 0 .../sigma}/process_creation_clip.yml | 0 ...creation_cobaltstrike_load_by_rundll32.yml | 0 .../process_creation_conti_cmd_ransomware.yml | 0 .../sigma}/process_creation_coti_sqlcmd.yml | 0 ...process_creation_discover_private_keys.yml | 0 ...cess_creation_dns_serverlevelplugindll.yml | 0 .../sigma}/process_creation_dotnet.yml | 0 .../sigma}/process_creation_hack_dumpert.yml | 0 .../process_creation_infdefaultinstall.yml | 0 ...data_exfiltration_by_using_datasvcutil.yml | 0 ...reation_lolbins_by_office_applications.yml | 0 ...suspicious_driver_installed_by_pnputil.yml | 0 ...n_lolbins_with_wmiprvse_parent_process.yml | 0 .../process_creation_mal_blue_mockingbird.yml | 0 ...ocess_creation_mal_darkside_ransomware.yml | 0 ...ess_creation_mal_lockergoga_ransomware.yml | 0 .../sigma}/process_creation_mal_ryuk.yml | 0 .../sigma}/process_creation_msdeploy.yml | 0 ..._applications_spawning_wmi_commandline.yml | 0 ..._from_proxy_executing_regsvr32_payload.yml | 0 ...from_proxy_executing_regsvr32_payload2.yml | 0 ...eation_office_spawning_wmi_commandline.yml | 0 .../process_creation_pingback_backdoor.yml | 0 ...eation_protocolhandler_suspicious_file.yml | 0 ...ss_creation_root_certificate_installed.yml | 0 .../sigma}/process_creation_sdelete.yml | 0 .../process_creation_software_discovery.yml | 0 ...ocess_creation_stickykey_like_backdoor.yml | 0 .../process_creation_stordiag_execution.yml | 0 .../sigma}/process_creation_susp_7z.yml | 0 ...susp_athremotefxvgpudisablementcommand.yml | 0 .../sigma}/process_creation_susp_del.yml | 0 .../sigma}/process_creation_susp_recon.yml | 0 .../process_creation_susp_web_request_cmd.yml | 0 
.../sigma}/process_creation_susp_winzip.yml | 0 .../process_creation_susp_zip_compress.yml | 0 ..._creation_syncappvpublishingserver_exe.yml | 0 ...ingserver_execute_arbitrary_powershell.yml | 0 ...ublishingserver_vbs_execute_powershell.yml | 0 ...ss_creation_sysinternals_eula_accepted.yml | 0 ...ss_creation_sysmon_uac_bypass_eventvwr.yml | 0 .../sigma}/process_creation_tool_psexec.yml | 0 .../process_creation_tttracer_mod_load.yml | 0 ...s_creation_win_exchange_transportagent.yml | 0 .../process_creationn_apt_chafer_mar18.yml | 0 .../sigma}/process_mailboxexport_share.yml | 0 .../sigma}/process_susp_esentutl_params.yml | 0 ...sing_windows_telemetry_for_persistence.yml | 0 .../registry_event_apt_chafer_mar18.yml | 0 .../sigma}/registry_event_apt_pandemic.yml | 0 ...cve_2021_31979_cve_2021_33771_exploits.yml | 0 .../registry_event_defender_disabled.yml | 0 .../registry_event_defender_exclusions.yml | 0 ..._defender_realtime_protection_disabled.yml | 0 ...egistry_event_dns_serverlevelplugindll.yml | 0 .../sigma}/registry_event_mal_adwind.yml | 0 .../sigma}/registry_event_mal_azorult.yml | 0 .../registry_event_mal_blue_mockingbird.yml | 0 .../sigma}/registry_event_mal_flowcloud.yml | 0 .../sigma}/registry_event_mal_netwire.yml | 0 .../sigma}/registry_event_mal_ursnif.yml | 0 .../registry_event_mstsc_history_cleared.yml | 0 .../registry_event_net_ntlm_downgrade.yml | 0 ...registry_event_stickykey_like_backdoor.yml | 0 ...istry_event_sysinternals_eula_accepted.yml | 0 .../registry_event_uac_bypass_eventvwr.yml | 0 .../registry_event_uac_bypass_winsat.yml | 0 .../sigma}/registry_event_uac_bypass_wmp.yml | 0 .../silenttrinity_stager_msbuild_activity.yml | 0 .../sysmon_abusing_azure_browser_sso.yml | 0 .../sigma}/sysmon_abusing_debug_privilege.yml | 0 ..._accesschk_usage_after_priv_escalation.yml | 0 ...napi_in_powershell_credentials_dumping.yml | 0 .../sigma}/sysmon_ads_executable.yml | 0 ..._alternate_powershell_hosts_moduleload.yml | 0 
...sysmon_alternate_powershell_hosts_pipe.yml | 0 ...levated_msi_spawned_cmd_and_powershell.yml | 0 ...ays_install_elevated_windows_installer.yml | 0 .../sigma}/sysmon_apt_leviathan.yml | 0 .../sysmon_apt_muddywater_dnstunnel.yml | 0 .../sigma}/sysmon_apt_oceanlotus_registry.yml | 0 .../sigma}/sysmon_apt_sourgrum.yml | 0 .../sigma}/sysmon_apt_turla_namedpipes.yml | 0 .../sysmon_asep_reg_keys_modification.yml | 0 ...sian_confluence_cve_2021_26084_exploit.yml | 0 .../sigma}/sysmon_bypass_via_wsreset.yml | 0 .../sigma}/sysmon_cactustorch.yml | 0 .../sysmon_cmstp_execution_by_access.yml | 0 .../sysmon_cmstp_execution_by_creation.yml | 0 .../sysmon_cmstp_execution_by_registry.yml | 0 ...mon_cobaltstrike_bof_injection_pattern.yml | 0 .../sysmon_cobaltstrike_process_injection.yml | 0 .../sysmon_cobaltstrike_service_installs.yml | 0 .../sigma}/sysmon_comhijack_sdclt.yml | 0 .../sysmon_config_modification_error.yml | 0 .../sysmon_config_modification_status.yml | 0 .../sysmon_createremotethread_loadlibrary.yml | 0 .../sigma}/sysmon_creation_mavinject_dll.yml | 0 .../sigma}/sysmon_creation_system_file.yml | 0 .../sigma}/sysmon_cred_dump_lsass_access.yml | 0 .../sysmon_cred_dump_tools_dropped_files.yml | 0 .../sysmon_cred_dump_tools_named_pipes.yml | 0 .../sigma}/sysmon_cve_2020_1048.yml | 0 .../sysmon_cve_2021_26857_msexchange.yml | 0 .../sysmon_cve_2021_26858_msexchange.yml | 0 .../sysmon_dcom_iertutil_dll_hijack.yml | 0 .../sigma}/sysmon_delete_prefetch.yml | 0 .../sysmon_detect_powerup_dllhijacking.yml | 0 .../sigma}/sysmon_dhcp_calloutdll.yml | 0 .../sysmon_direct_syscall_ntopenprocess.yml | 0 ...ble_microsoft_office_security_features.yml | 0 ...y_events_logging_adding_reg_key_minint.yml | 0 ...ysmon_disable_wdigest_credential_guard.yml | 0 ...twork_protection_on_microsoft_defender.yml | 0 ...d_pua_protection_on_microsoft_defender.yml | 0 ...amper_protection_on_microsoft_defender.yml | 0 .../sigma}/sysmon_dllhost_net_connections.yml | 0 
.../sigma}/sysmon_dns_over_https_enabled.yml | 0 .../sigma}/sysmon_efspotato_namedpipe.yml | 0 ...on_enabling_cor_profiler_env_variables.yml | 0 .../sigma}/sysmon_etw_disabled.yml | 0 ...smon_excel_outbound_network_connection.yml | 0 .../sigma}/sysmon_expand_cabinet_files.yml | 0 .../sigma}/sysmon_foggyweb_nobelium.yml | 0 .../sigma}/sysmon_ghostpack_safetykatz.yml | 0 .../sigma}/sysmon_hack_wce.yml | 0 .../sigma}/sysmon_hack_wce_reg.yml | 0 .../sigma}/sysmon_high_integrity_sdclt.yml | 0 ...n_hybridconnectionmgr_svc_installation.yml | 0 .../sysmon_in_memory_assembly_execution.yml | 0 .../sigma}/sysmon_in_memory_powershell.yml | 0 .../sigma}/sysmon_invoke_phantom.yml | 0 .../sysmon_lazagne_cred_dump_lsass_access.yml | 0 ...sysmon_littlecorporal_generated_maldoc.yml | 0 ...ndocumented_autoelevated_com_interface.yml | 0 ...on_scripts_userinitmprlogonscript_proc.yml | 0 ...gon_scripts_userinitmprlogonscript_reg.yml | 0 .../sysmon_long_powershell_commandline.yml | 0 .../sigma}/sysmon_lsass_dump_comsvcs_dll.yml | 0 .../sigma}/sysmon_lsass_memdump.yml | 0 ...sysmon_lsass_memory_dump_file_creation.yml | 0 .../sigma}/sysmon_mal_cobaltstrike.yml | 0 .../sigma}/sysmon_mal_cobaltstrike_re.yml | 0 .../sigma}/sysmon_mal_namedpipes.yml | 0 .../sysmon_malware_backconnect_ports.yml | 0 .../sysmon_malware_verclsid_shellcode.yml | 0 .../sysmon_mimikatz_detection_lsass.yml | 0 .../sigma}/sysmon_mimikatz_trough_winrm.yml | 0 .../sysmon_modify_screensaver_binary_path.yml | 0 .../sysmon_narrator_feedback_persistance.yml | 0 .../sigma}/sysmon_netcat_execution.yml | 0 .../sysmon_new_application_appcompat.yml | 0 ..._dll_added_to_appcertdlls_registry_key.yml | 0 ...dll_added_to_appinit_dlls_registry_key.yml | 0 .../sysmon_notepad_network_connection.yml | 0 .../sigma}/sysmon_office_persistence.yml | 0 .../sigma}/sysmon_office_test_regadd.yml | 0 .../sigma}/sysmon_office_vsto_persistence.yml | 0 .../sigma}/sysmon_outlook_newform.yml | 0 .../sigma}/sysmon_password_dumper_lsass.yml | 0 
.../sigma}/sysmon_pcre_net_load.yml | 0 .../sigma}/sysmon_pcre_net_temp_file.yml | 0 .../sigma}/sysmon_powershell_as_service.yml | 0 .../sysmon_powershell_code_injection.yml | 0 .../sysmon_powershell_execution_pipe.yml | 0 .../sysmon_powershell_exploit_scripts.yml | 0 .../sysmon_powershell_network_connection.yml | 0 .../sysmon_powershell_startup_shortcuts.yml | 0 .../sigma}/sysmon_proxy_execution_wuauclt.yml | 0 .../sigma}/sysmon_psexec_pipes_artifacts.yml | 0 ...sysmon_pypykatz_cred_dump_lsass_access.yml | 0 .../sigma}/sysmon_quarkspw_filedump.yml | 0 ...w_disk_access_using_illegitimate_tools.yml | 0 .../sigma}/sysmon_rclone_execution.yml | 0 .../sysmon_rdp_registry_modification.yml | 0 .../sigma}/sysmon_rdp_reverse_tunnel.yml | 0 .../sigma}/sysmon_rdp_settings_hijack.yml | 0 .../sysmon_redmimicry_winnti_filedrop.yml | 0 .../sigma}/sysmon_redmimicry_winnti_reg.yml | 0 .../sigma}/sysmon_reg_office_security.yml | 0 .../sigma}/sysmon_reg_silentprocessexit.yml | 0 .../sysmon_reg_silentprocessexit_lsass.yml | 0 .../sigma}/sysmon_reg_vbs_payload_stored.yml | 0 .../sigma}/sysmon_regedit_export_to_ads.yml | 0 .../sysmon_registry_add_local_hidden_user.yml | 0 ...ysmon_registry_persistence_key_linking.yml | 0 ...smon_registry_persistence_search_order.yml | 0 .../sysmon_registry_susp_printer_driver.yml | 0 ...mon_registry_trust_record_modification.yml | 0 .../sysmon_regsvr32_network_activity.yml | 0 ...smon_remote_powershell_session_network.yml | 0 .../sysmon_removal_amsi_registry_key.yml | 0 ...mon_removal_com_hijacking_registry_key.yml | 0 ...move_windows_defender_definition_files.yml | 0 .../sysmon_rundll32_net_connections.yml | 0 .../sigma}/sysmon_runkey_winekey.yml | 0 .../sigma}/sysmon_runonce_persistence.yml | 0 ...cons_imageload_wmi_scripteventconsumer.yml | 0 .../sigma}/sysmon_sdclt_child_process.yml | 0 .../sigma}/sysmon_spoolsv_dll_load.yml | 0 .../sigma}/sysmon_ssp_added_lsa_config.yml | 0 .../sysmon_startup_folder_file_write.yml | 0 
.../sysmon_susp_adfs_namedpipe_connection.yml | 0 .../sigma}/sysmon_susp_adsi_cache_usage.yml | 0 .../sigma}/sysmon_susp_atbroker_change.yml | 0 .../sigma}/sysmon_susp_clr_logs.yml | 0 ...sysmon_susp_cobaltstrike_pipe_patterns.yml | 0 .../sigma}/sysmon_susp_desktop_ini.yml | 0 .../sigma}/sysmon_susp_download_run_key.yml | 0 .../sigma}/sysmon_susp_fax_dll.yml | 0 .../sigma}/sysmon_susp_image_load.yml | 0 .../sigma}/sysmon_susp_lsass_dll_load.yml | 0 .../sigma}/sysmon_susp_mic_cam_access.yml | 0 ...n_susp_office_dotnet_assembly_dll_load.yml | 0 ...sysmon_susp_office_dotnet_clr_dll_load.yml | 0 ...sysmon_susp_office_dotnet_gac_dll_load.yml | 0 .../sysmon_susp_office_dsparse_dll_load.yml | 0 .../sysmon_susp_office_kerberos_dll_load.yml | 0 .../sigma}/sysmon_susp_pfx_file_creation.yml | 0 .../sysmon_susp_plink_remote_forward.yml | 0 .../sysmon_susp_powershell_rundll32.yml | 0 ...cexplorer_driver_created_in_tmp_folder.yml | 0 ..._susp_prog_location_network_connection.yml | 0 .../sigma}/sysmon_susp_python_image_load.yml | 0 .../sigma}/sysmon_susp_rdp.yml | 0 .../sysmon_susp_reg_persist_explorer_run.yml | 0 .../sigma}/sysmon_susp_run_key_img_folder.yml | 0 ...sysmon_susp_script_dotnet_clr_dll_load.yml | 0 .../sigma}/sysmon_susp_service_installed.yml | 0 .../sysmon_susp_service_modification.yml | 0 .../sysmon_susp_system_drawing_load.yml | 0 .../sysmon_susp_webdav_client_execution.yml | 0 .../sysmon_susp_winword_vbadll_load.yml | 0 .../sysmon_susp_winword_wmidll_load.yml | 0 .../sysmon_susp_wmi_consumer_namedpipe.yml | 0 ...sysmon_suspicious_dbghelp_dbgcore_load.yml | 0 ...sysmon_suspicious_keyboard_layout_load.yml | 0 ...uspicious_outbound_kerberos_connection.yml | 0 ...n_suspicious_powershell_profile_create.yml | 0 .../sysmon_suspicious_remote_thread.yml | 0 .../sigma}/sysmon_svchost_cred_dump.yml | 0 ...sysmon_svchost_dll_search_order_hijack.yml | 0 ...mon_sysinternals_sdelete_file_deletion.yml | 0 ...mon_sysinternals_sdelete_registry_keys.yml | 0 
.../sigma}/sysmon_taskcache_entry.yml | 0 .../sysmon_tsclient_filewrite_startup.yml | 0 .../sigma}/sysmon_tttracer_mod_load.yml | 0 .../sysmon_uac_bypass_consent_comctl32.yml | 0 .../sysmon_uac_bypass_dotnet_profiler.yml | 0 .../sigma}/sysmon_uac_bypass_ieinstal.yml | 0 .../sigma}/sysmon_uac_bypass_msconfig_gui.yml | 0 .../sysmon_uac_bypass_ntfs_reparse_point.yml | 0 .../sigma}/sysmon_uac_bypass_sdclt.yml | 0 .../sigma}/sysmon_uac_bypass_shell_open.yml | 0 .../sigma}/sysmon_uac_bypass_via_dism.yml | 0 .../sigma}/sysmon_uac_bypass_wow64_logger.yml | 0 .../sigma}/sysmon_uipromptforcreds_dlls.yml | 0 .../sysmon_uninstall_crowdstrike_falcon.yml | 0 ...ysmon_unsigned_image_loaded_into_lsass.yml | 0 .../sysmon_vmtoolsd_susp_child_process.yml | 0 ...sysmon_volume_shadow_copy_service_keys.yml | 0 .../sigma}/sysmon_wab_dllpath_reg_change.yml | 0 ...smon_wdigest_enable_uselogoncredential.yml | 0 .../sysmon_webshell_creation_detect.yml | 0 .../sigma}/sysmon_win_binary_github_com.yml | 0 .../sigma}/sysmon_win_binary_susp_com.yml | 0 .../sigma}/sysmon_win_reg_persistence.yml | 0 .../sysmon_win_reg_telemetry_persistence.yml | 0 .../sigma}/sysmon_wmi_module_load.yml | 0 ...persistence_commandline_event_consumer.yml | 0 ...ersistence_script_event_consumer_write.yml | 0 .../sysmon_wmi_susp_encoded_scripts.yml | 0 .../sigma}/sysmon_wmi_susp_scripting.yml | 0 .../sysmon_wmic_remote_xsl_scripting_dlls.yml | 0 .../sysmon_wsman_provider_image_load.yml | 0 .../sysmon_wuauclt_network_connection.yml | 0 .../win_aadhealth_mon_agent_regkey_access.yml | 0 .../win_aadhealth_svc_agent_regkey_access.yml | 0 .../win_account_backdoor_dcsync_rights.yml | 0 .../sigma}/win_account_discovery.yml | 0 .../sigma}/win_ad_find_discovery.yml | 0 .../sigma}/win_ad_object_writedac_access.yml | 0 ...win_ad_replication_non_machine_account.yml | 0 .../sigma}/win_ad_user_enumeration.yml | 0 .../sigma}/win_admin_rdp_login.yml | 0 .../sigma}/win_admin_share_access.yml | 0 
...in_alert_active_directory_user_control.yml | 0 .../sigma}/win_alert_ad_user_backdoors.yml | 0 .../win_alert_enable_weak_encryption.yml | 0 .../sigma}/win_alert_lsass_access.yml | 0 .../sigma}/win_alert_mimikatz_keywords.yml | 0 .../sigma}/win_alert_ruler.yml | 0 .../sigma}/win_anydesk_silent_install.yml | 0 ..._applocker_file_was_not_allowed_to_run.yml | 0 .../sigma}/win_apt_apt29_thinktanks.yml | 0 .../sigma}/win_apt_babyshark.yml | 0 .../sigma}/win_apt_bear_activity_gtr19.yml | 0 .../sigma}/win_apt_bluemashroom.yml | 0 .../sigma}/win_apt_carbonpaper_turla.yml | 0 .../sigma}/win_apt_chafer_mar18_security.yml | 0 .../sigma}/win_apt_chafer_mar18_system.yml | 0 .../sigma}/win_apt_cloudhopper.yml | 0 .../sigma}/win_apt_dragonfly.yml | 0 .../sigma}/win_apt_elise.yml | 0 .../sigma}/win_apt_emissarypanda_sep19.yml | 0 .../sigma}/win_apt_empiremonkey.yml | 0 .../win_apt_equationgroup_dll_u_load.yml | 0 .../sigma}/win_apt_evilnum_jul20.yml | 0 .../sigma}/win_apt_gallium.yml | 0 .../sigma}/win_apt_greenbug_may20.yml | 0 .../sigma}/win_apt_hafnium.yml | 0 .../sigma}/win_apt_hurricane_panda.yml | 0 .../sigma}/win_apt_judgement_panda_gtr19.yml | 0 .../sigma}/win_apt_ke3chang_regadd.yml | 0 .../sigma}/win_apt_lazarus_activity_apr21.yml | 0 .../sigma}/win_apt_lazarus_activity_dec20.yml | 0 .../sigma}/win_apt_lazarus_loader.yml | 0 .../win_apt_lazarus_session_highjack.yml | 0 .../sigma}/win_apt_mustangpanda.yml | 0 .../sigma}/win_apt_revil_kaseya.yml | 0 .../sigma}/win_apt_slingshot.yml | 0 .../sigma}/win_apt_sofacy.yml | 0 .../sigma}/win_apt_stonedrill.yml | 0 .../sigma}/win_apt_ta17_293a_ps.yml | 0 .../sigma}/win_apt_ta505_dropper.yml | 0 .../sigma}/win_apt_taidoor.yml | 0 .../sigma}/win_apt_tropictrooper.yml | 0 .../sigma}/win_apt_turla_comrat_may20.yml | 0 .../sigma}/win_apt_turla_service_png.yml | 0 .../sigma}/win_apt_unc2452_cmds.yml | 0 .../sigma}/win_apt_unc2452_ps.yml | 0 .../sigma}/win_apt_unidentified_nov_18.yml | 0 .../sigma}/win_apt_winnti_mal_hk_jan20.yml | 0 
.../sigma}/win_apt_winnti_pipemon.yml | 0 .../sigma}/win_apt_wocao.yml | 0 .../sigma}/win_apt_zxshell.yml | 0 ...ary_shell_execution_via_settingcontent.yml | 0 .../sigma}/win_asr_bypass_via_appvlp_re.yml | 0 .../sigma}/win_atsvc_task.yml | 0 .../sigma}/win_attrib_hiding_files.yml | 0 .../sigma}/win_audit_cve.yml | 0 .../sigma}/win_av_relevant_match.yml | 0 .../win_bad_opsec_sacrificial_processes.yml | 0 .../sigma}/win_bootconf_mod.yml | 0 .../sigma}/win_bypass_squiblytwo.yml | 0 .../sigma}/win_camera_microphone_access.yml | 0 .../win_change_default_file_association.yml | 0 .../sigma}/win_cl_invocation_lolscript.yml | 0 .../win_cl_mutexverifiers_lolscript.yml | 0 .../sigma}/win_class_exec_xwizard.yml | 0 .../sigma}/win_cmdkey_recon.yml | 0 .../sigma}/win_cmstp_com_object_access.yml | 0 .../win_cobaltstrike_process_patterns.yml | 0 .../win_cobaltstrike_service_installs.yml | 0 .../sigma}/win_commandline_path_traversal.yml | 0 ...win_commandline_path_traversal_evasion.yml | 0 .../sigma}/win_control_panel_item.yml | 0 ...g_sensitive_files_with_credential_data.yml | 0 ..._credential_access_via_password_filter.yml | 0 .../sigma}/win_crime_fireball.yml | 0 .../sigma}/win_crime_maze_ransomware.yml | 0 .../sigma}/win_crime_snatch_ransomware.yml | 0 .../sigma}/win_crypto_mining_monero.yml | 0 .../sigma}/win_cve_2021_1675_printspooler.yml | 0 .../win_cve_2021_1675_printspooler_del.yml | 0 .../sigma}/win_data_compressed_with_rar.yml | 0 .../win_dce_rpc_smb_spoolss_named_pipe.yml | 0 .../sigma}/win_dcom_iertutil_dll_hijack.yml | 0 .../sigma}/win_dcsync.yml | 0 .../sigma}/win_defender_amsi_trigger.yml | 0 .../sigma}/win_defender_bypass.yml | 0 .../sigma}/win_defender_disabled.yml | 0 .../sigma}/win_defender_exclusions.yml | 0 .../sigma}/win_defender_history_delete.yml | 0 .../sigma}/win_defender_psexec_wmi_asr.yml | 0 ...win_defender_tamper_protection_trigger.yml | 0 .../sigma}/win_defender_threat.yml | 0 .../win_detecting_fake_instances_of_hxtsr.yml | 0 
.../sigma}/win_disable_event_logging.yml | 0 .../sigma}/win_dll_sideload_xwizard.yml | 0 .../win_dns_exfiltration_tools_execution.yml | 0 .../win_dnscat2_powershell_implementation.yml | 0 .../win_dpapi_domain_backupkey_extraction.yml | 0 ..._dpapi_domain_masterkey_backup_attempt.yml | 0 .../sigma}/win_encoded_frombase64string.yml | 0 .../sigma}/win_encoded_iex.yml | 0 .../sigma}/win_etw_modification.yml | 0 .../sigma}/win_etw_modification_cmdline.yml | 0 .../sigma}/win_etw_trace_evasion.yml | 0 .../sigma}/win_event_log_cleared.yml | 0 .../win_exchange_proxylogon_oabvirtualdir.yml | 0 ...ange_proxyshell_certificate_generation.yml | 0 ...win_exchange_proxyshell_mailbox_export.yml | 0 ...hange_proxyshell_remove_mailbox_export.yml | 0 .../sigma}/win_exchange_transportagent.yml | 0 .../win_exchange_transportagent_failed.yml | 0 ...ltration_and_tunneling_tools_execution.yml | 0 .../sigma}/win_exploit_cve_2015_1641.yml | 0 .../sigma}/win_exploit_cve_2017_0261.yml | 0 .../sigma}/win_exploit_cve_2017_11882.yml | 0 .../sigma}/win_exploit_cve_2017_8759.yml | 0 .../sigma}/win_exploit_cve_2019_1378.yml | 0 .../sigma}/win_exploit_cve_2019_1388.yml | 0 .../sigma}/win_exploit_cve_2020_10189.yml | 0 .../sigma}/win_exploit_cve_2020_1048.yml | 0 .../sigma}/win_exploit_cve_2020_1350.yml | 0 ...win_exploit_cve_2021_1675_printspooler.yml | 0 ...cve_2021_1675_printspooler_operational.yml | 0 ...it_cve_2021_1675_printspooler_security.yml | 0 .../sigma}/win_exploit_systemnightmare.yml | 0 .../sigma}/win_external_device.yml | 0 .../win_file_permission_modifications.yml | 0 .../win_file_winword_cve_2021_40444.yml | 0 .../sigma}/win_global_catalog_enumeration.yml | 0 .../sigma}/win_gpo_scheduledtasks.yml | 0 .../win_grabbing_sensitive_hives_via_reg.yml | 0 .../sigma}/win_hack_adcspwn.yml | 0 .../sigma}/win_hack_bloodhound.yml | 0 .../sigma}/win_hack_koadic.yml | 0 .../sigma}/win_hack_rubeus.yml | 0 .../sigma}/win_hack_secutyxploded.yml | 0 .../sigma}/win_hack_smbexec.yml | 0 
.../sigma}/win_hh_chm.yml | 0 .../sigma}/win_hidden_user_creation.yml | 0 .../win_hiding_malware_in_fonts_folder.yml | 0 .../sigma}/win_hivenightmare_file_exports.yml | 0 .../sigma}/win_hktl_createminidump.yml | 0 .../sigma}/win_hktl_uacme_uac_bypass.yml | 0 .../sigma}/win_html_help_spawn.yml | 0 .../sigma}/win_hwp_exploits.yml | 0 ...n_hybridconnectionmgr_svc_installation.yml | 0 .../win_hybridconnectionmgr_svc_running.yml | 0 .../sigma}/win_impacket_compiled_tools.yml | 0 .../sigma}/win_impacket_lateralization.yml | 0 .../sigma}/win_impacket_psexec.yml | 0 .../sigma}/win_impacket_secretdump.yml | 0 .../sigma}/win_indirect_cmd.yml | 0 ...n_indirect_cmd_compatibility_assistant.yml | 0 .../win_install_reg_debugger_backdoor.yml | 0 .../sigma}/win_interactive_at.yml | 0 .../sigma}/win_invoke_obfuscation_clip.yml | 0 .../win_invoke_obfuscation_clip_services.yml | 0 ...oke_obfuscation_clip_services_security.yml | 0 ...obfuscation_obfuscated_iex_commandline.yml | 0 ...ke_obfuscation_obfuscated_iex_services.yml | 0 ...ation_obfuscated_iex_services_security.yml | 0 .../sigma}/win_invoke_obfuscation_stdin.yml | 0 .../win_invoke_obfuscation_stdin_services.yml | 0 ...ke_obfuscation_stdin_services_security.yml | 0 .../sigma}/win_invoke_obfuscation_var.yml | 0 .../win_invoke_obfuscation_var_services.yml | 0 ...voke_obfuscation_var_services_security.yml | 0 .../win_invoke_obfuscation_via_compress.yml | 0 ...voke_obfuscation_via_compress_services.yml | 0 ...scation_via_compress_services_security.yml | 0 .../win_invoke_obfuscation_via_rundll.yml | 0 ...invoke_obfuscation_via_rundll_services.yml | 0 ...fuscation_via_rundll_services_security.yml | 0 .../win_invoke_obfuscation_via_stdin.yml | 0 ..._invoke_obfuscation_via_stdin_services.yml | 0 ...bfuscation_via_stdin_services_security.yml | 0 .../win_invoke_obfuscation_via_use_clip.yml | 0 ...voke_obfuscation_via_use_clip_services.yml | 0 ...scation_via_use_clip_services_security.yml | 0 .../win_invoke_obfuscation_via_use_mhsta.yml | 
0 ...oke_obfuscation_via_use_mshta_services.yml | 0 ...cation_via_use_mshta_services_security.yml | 0 ...in_invoke_obfuscation_via_use_rundll32.yml | 0 ..._obfuscation_via_use_rundll32_services.yml | 0 ...ion_via_use_rundll32_services_security.yml | 0 .../sigma}/win_invoke_obfuscation_via_var.yml | 0 ...in_invoke_obfuscation_via_var_services.yml | 0 ..._obfuscation_via_var_services_security.yml | 0 .../sigma}/win_iso_mount.yml | 0 .../sigma}/win_lateral_movement_condrv.yml | 0 .../sigma}/win_ldap_recon.yml | 0 .../sigma}/win_lethalhta.yml | 0 .../sigma}/win_lm_namedpipe.yml | 0 ...n_local_system_owner_account_discovery.yml | 0 .../sigma}/win_lolbas_execution_of_nltest.yml | 0 .../win_lolbas_execution_of_wuauclt.yml | 0 .../win_lolbin_execution_via_winget.yml | 0 .../win_lsass_access_non_system_account.yml | 0 .../sigma}/win_lsass_dump.yml | 0 .../sigma}/win_mal_adwind.yml | 0 .../sigma}/win_mal_creddumper.yml | 0 .../sigma}/win_mal_wceaux_dll.yml | 0 .../sigma}/win_malware_conti.yml | 0 .../sigma}/win_malware_conti_7zip.yml | 0 .../sigma}/win_malware_conti_shadowcopy.yml | 0 .../sigma}/win_malware_dridex.yml | 0 .../sigma}/win_malware_dtrack.yml | 0 .../sigma}/win_malware_emotet.yml | 0 .../sigma}/win_malware_formbook.yml | 0 .../sigma}/win_malware_notpetya.yml | 0 .../sigma}/win_malware_qbot.yml | 0 .../sigma}/win_malware_ryuk.yml | 0 .../sigma}/win_malware_script_dropper.yml | 0 .../win_malware_trickbot_recon_activity.yml | 0 .../sigma}/win_malware_trickbot_wermgr.yml | 0 .../sigma}/win_malware_wannacry.yml | 0 .../sigma}/win_manage_bde_lolbas.yml | 0 .../sigma}/win_mavinject_proc_inj.yml | 0 ...tstrike_getsystem_service_installation.yml | 0 ...r_cobaltstrike_getsystem_service_start.yml | 0 .../sigma}/win_mimikatz_command_line.yml | 0 .../sigma}/win_mmc20_lateral_movement.yml | 0 .../sigma}/win_mmc_spawn_shell.yml | 0 ..._modif_of_services_for_via_commandline.yml | 0 ...in_monitoring_for_persistence_via_bits.yml | 0 .../sigma}/win_moriya_rootkit.yml | 0 
.../sigma}/win_mouse_lock.yml | 0 .../sigma}/win_mshta_javascript.yml | 0 .../sigma}/win_mshta_spawn_shell.yml | 0 .../sigma}/win_net_crypto_mining.yml | 0 .../sigma}/win_net_enum.yml | 0 .../sigma}/win_net_ntlm_downgrade.yml | 0 .../sigma}/win_net_use_admin_share.yml | 0 .../sigma}/win_net_user_add.yml | 0 .../sigma}/win_netsh_allow_port_rdp.yml | 0 .../sigma}/win_netsh_fw_add.yml | 0 .../sigma}/win_netsh_fw_add_susp_image.yml | 0 .../sigma}/win_netsh_packet_capture.yml | 0 .../sigma}/win_netsh_port_fwd.yml | 0 .../sigma}/win_netsh_port_fwd_3389.yml | 0 .../win_netsh_wifi_credential_harvesting.yml | 0 .../sigma}/win_network_sniffing.yml | 0 ..._renamed_user_account_with_dollar_sign.yml | 0 .../sigma}/win_new_service_creation.yml | 0 .../sigma}/win_nltest_recon.yml | 0 .../sigma}/win_non_interactive_powershell.yml | 0 .../sigma}/win_non_priv_reg_or_ps.yml | 0 .../sigma}/win_not_allowed_rdp_access.yml | 0 .../sigma}/win_ntfs_vuln_exploit.yml | 0 .../sigma}/win_office_shell.yml | 0 ..._office_spawn_exe_from_users_directory.yml | 0 .../sigma}/win_outlook_c2_macro_creation.yml | 0 .../sigma}/win_outlook_c2_registry_key.yml | 0 .../sigma}/win_outlook_registry_todaypage.yml | 0 .../sigma}/win_outlook_registry_webview.yml | 0 .../sigma}/win_overpass_the_hash.yml | 0 .../sigma}/win_pass_the_hash.yml | 0 .../sigma}/win_pass_the_hash_2.yml | 0 .../win_pc_set_policies_to_unsecure_level.yml | 0 .../sigma}/win_pc_susp_cmdl32_lolbas.yml | 0 .../sigma}/win_pc_susp_schtasks_user_temp.yml | 0 .../sigma}/win_pc_susp_zipexec.yml | 0 .../sigma}/win_pcap_drivers.yml | 0 .../sigma}/win_petitpotam_network_share.yml | 0 .../win_petitpotam_susp_tgt_request.yml | 0 .../sigma}/win_plugx_susp_exe_locations.yml | 0 .../sigma}/win_portproxy_registry_key.yml | 0 .../sigma}/win_possible_applocker_bypass.yml | 0 .../sigma}/win_possible_dc_shadow.yml | 0 ...ation_via_service_registry_permissions.yml | 0 ...gon_exploitation_using_wellknown_tools.yml | 0 .../sigma}/win_powershell_amsi_bypass.yml | 0 
.../sigma}/win_powershell_audio_capture.yml | 0 .../sigma}/win_powershell_b64_shellcode.yml | 0 .../sigma}/win_powershell_bitsjob.yml | 0 ...in_powershell_cmdline_reversed_strings.yml | 0 ..._powershell_cmdline_special_characters.yml | 0 ...wershell_cmdline_specific_comb_methods.yml | 0 .../win_powershell_defender_exclusion.yml | 0 .../win_powershell_disable_windef_av.yml | 0 .../sigma}/win_powershell_dll_execution.yml | 0 .../win_powershell_downgrade_attack.yml | 0 .../sigma}/win_powershell_download.yml | 0 .../win_powershell_frombase64string.yml | 0 ...in_powershell_reverse_shell_connection.yml | 0 ...ershell_suspicious_parameter_variation.yml | 0 .../sigma}/win_powershell_xor_commandline.yml | 0 .../win_powersploit_empire_schtasks.yml | 0 .../sigma}/win_privesc_cve_2020_1472.yml | 0 .../sigma}/win_proc_wrong_parent.yml | 0 .../sigma}/win_procdump.yml | 0 ...in_process_creation_bitsadmin_download.yml | 0 .../sigma}/win_process_dump_rdrleakdiag.yml | 0 .../win_process_dump_rundll32_comsvcs.yml | 0 .../win_protected_storage_service_access.yml | 0 .../sigma}/win_psexesvc_start.yml | 0 .../sigma}/win_purplesharp_indicators.yml | 0 ...rkspwdump_clearing_hive_access_history.yml | 0 .../sigma}/win_query_registry.yml | 0 .../sigma}/win_rare_schtask_creation.yml | 0 .../sigma}/win_rasautou_dll_execution.yml | 0 .../sigma}/win_rclone_exec_file.yml | 0 .../sigma}/win_rdp_bluekeep_poc_scanner.yml | 0 .../sigma}/win_rdp_hijack_shadowing.yml | 0 .../sigma}/win_rdp_localhost_login.yml | 0 .../win_rdp_potential_cve_2019_0708.yml | 0 .../sigma}/win_rdp_reverse_tunnel.yml | 0 .../sigma}/win_redmimicry_winnti_proc.yml | 0 .../sigma}/win_reg_add_run_key.yml | 0 .../win_regedit_export_critical_keys.yml | 0 .../sigma}/win_regedit_export_keys.yml | 0 .../sigma}/win_regedit_import_keys.yml | 0 .../sigma}/win_regedit_import_keys_ads.yml | 0 .../sigma}/win_regini.yml | 0 .../sigma}/win_regini_ads.yml | 0 ...n_register_new_logon_process_by_rubeus.yml | 0 
...win_registry_mimikatz_printernightmare.yml | 0 .../sigma}/win_remote_powershell_session.yml | 0 .../win_remote_powershell_session_process.yml | 0 ..._registry_management_using_reg_utility.yml | 0 .../sigma}/win_remote_time_discovery.yml | 0 .../sigma}/win_renamed_binary.yml | 0 .../win_renamed_binary_highly_relevant.yml | 0 .../sigma}/win_renamed_jusched.yml | 0 .../sigma}/win_renamed_megasync.yml | 0 .../sigma}/win_renamed_paexec.yml | 0 .../sigma}/win_renamed_powershell.yml | 0 .../sigma}/win_renamed_procdump.yml | 0 .../sigma}/win_renamed_psexec.yml | 0 .../sigma}/win_renamed_whoami.yml | 0 .../sigma}/win_root_certificate_installed.yml | 0 .../win_run_powershell_script_from_ads.yml | 0 ...un_powershell_script_from_input_stream.yml | 0 .../sigma}/win_run_virtualbox.yml | 0 .../win_rundll32_without_parameters.yml | 0 .../win_sam_registry_hive_handle_request.yml | 0 .../sigma}/win_scheduled_task_deletion.yml | 0 .../win_scm_database_handle_failure.yml | 0 .../win_scm_database_privileged_operation.yml | 0 ...scrcons_remote_wmi_scripteventconsumer.yml | 0 .../win_script_event_consumer_spawn.yml | 0 .../sigma}/win_sdbinst_shim_persistence.yml | 0 ...security_cobaltstrike_service_installs.yml | 0 .../sigma}/win_security_mal_creddumper.yml | 0 .../win_security_mal_service_installs.yml | 0 ...or_impacket_smb_psexec_service_install.yml | 0 ...cobaltstrike_getsystem_service_install.yml | 0 ...powershell_script_installed_as_service.yml | 0 .../win_security_tap_driver_installation.yml | 0 .../sigma}/win_security_wmi_persistence.yml | 0 .../sigma}/win_service_execution.yml | 0 .../sigma}/win_service_stop.yml | 0 ...in_set_oabvirtualdirectory_externalurl.yml | 0 .../win_shadow_copies_access_symlink.yml | 0 .../sigma}/win_shadow_copies_creation.yml | 0 .../sigma}/win_shadow_copies_deletion.yml | 0 .../sigma}/win_shell_spawn_mshta.yml | 0 .../sigma}/win_shell_spawn_susp_program.yml | 0 .../sigma}/win_silenttrinity_stage_use.yml | 0 .../win_smb_file_creation_admin_shares.yml | 
0 .../win_software_atera_rmm_agent_install.yml | 0 .../sigma}/win_soundrec_audio_capture.yml | 0 .../sigma}/win_spn_enum.yml | 0 ...uthenticated_privileged_console_access.yml | 0 .../sigma}/win_sus_auditpol_usage.yml | 0 .../sigma}/win_susp_add_domain_trust.yml | 0 .../sigma}/win_susp_add_sid_history.yml | 0 .../sigma}/win_susp_adfind.yml | 0 .../sigma}/win_susp_atbroker.yml | 0 .../sigma}/win_susp_backup_delete.yml | 0 .../sigma}/win_susp_bcdedit.yml | 0 .../sigma}/win_susp_bginfo.yml | 0 .../sigma}/win_susp_bitstransfer.yml | 0 .../sigma}/win_susp_calc.yml | 0 .../sigma}/win_susp_cdb.yml | 0 .../sigma}/win_susp_certutil_command.yml | 0 .../sigma}/win_susp_certutil_encode.yml | 0 .../win_susp_child_process_as_system_.yml | 0 .../sigma}/win_susp_cli_escape.yml | 0 .../sigma}/win_susp_cmd_http_appdata.yml | 0 .../sigma}/win_susp_cmd_shadowcopy_access.yml | 0 .../win_susp_codeintegrity_check_failure.yml | 0 .../sigma}/win_susp_codepage_switch.yml | 0 .../win_susp_commands_recon_activity.yml | 0 .../sigma}/win_susp_compression_params.yml | 0 .../sigma}/win_susp_comsvcs_procdump.yml | 0 .../sigma}/win_susp_conhost.yml | 0 .../win_susp_control_cve_2021_40444.yml | 0 .../sigma}/win_susp_control_dll_load.yml | 0 .../sigma}/win_susp_copy_lateral_movement.yml | 0 .../sigma}/win_susp_copy_system32.yml | 0 .../sigma}/win_susp_covenant.yml | 0 .../win_susp_crackmapexec_execution.yml | 0 ...sp_crackmapexec_powershell_obfuscation.yml | 0 .../sigma}/win_susp_csc.yml | 0 .../sigma}/win_susp_csc_folder.yml | 0 .../sigma}/win_susp_csi.yml | 0 .../sigma}/win_susp_curl_download.yml | 0 .../sigma}/win_susp_curl_fileupload.yml | 0 .../sigma}/win_susp_curl_start_combo.yml | 0 .../sigma}/win_susp_dctask64_proc_inject.yml | 0 .../sigma}/win_susp_desktopimgdownldr.yml | 0 .../win_susp_desktopimgdownldr_file.yml | 0 .../sigma}/win_susp_devtoolslauncher.yml | 0 .../sigma}/win_susp_dhcp_config.yml | 0 .../sigma}/win_susp_dhcp_config_failed.yml | 0 ...susp_direct_asep_reg_keys_modification.yml 
| 0 .../sigma}/win_susp_disable_eventlog.yml | 0 .../sigma}/win_susp_disable_ie_features.yml | 0 .../sigma}/win_susp_disable_raccine.yml | 0 .../sigma}/win_susp_diskshadow.yml | 0 .../sigma}/win_susp_ditsnap.yml | 0 .../sigma}/win_susp_dns_config.yml | 0 .../sigma}/win_susp_dnx.yml | 0 .../sigma}/win_susp_double_extension.yml | 0 .../sigma}/win_susp_dsrm_password_change.yml | 0 .../sigma}/win_susp_dxcap.yml | 0 .../win_susp_emotet_rudll32_execution.yml | 0 .../sigma}/win_susp_esentutl_activity.yml | 0 .../sigma}/win_susp_eventlog_clear.yml | 0 .../sigma}/win_susp_eventlog_cleared.yml | 0 .../sigma}/win_susp_execution_path.yml | 0 .../win_susp_execution_path_webserver.yml | 0 .../sigma}/win_susp_explorer.yml | 0 .../win_susp_explorer_break_proctree.yml | 0 .../sigma}/win_susp_failed_guest_logon.yml | 0 .../sigma}/win_susp_failed_logon_reasons.yml | 0 .../sigma}/win_susp_failed_logon_source.yml | 0 .../sigma}/win_susp_file_characteristics.yml | 0 ...p_file_download_via_gfxdownloadwrapper.yml | 0 .../sigma}/win_susp_findstr.yml | 0 .../sigma}/win_susp_findstr_lnk.yml | 0 .../sigma}/win_susp_finger_usage.yml | 0 .../sigma}/win_susp_firewall_disable.yml | 0 .../sigma}/win_susp_fsutil_usage.yml | 0 .../sigma}/win_susp_ftp.yml | 0 .../sigma}/win_susp_gup.yml | 0 .../sigma}/win_susp_interactive_logons.yml | 0 .../sigma}/win_susp_iss_module_install.yml | 0 .../sigma}/win_susp_kerberos_manipulation.yml | 0 .../sigma}/win_susp_ldap_dataexchange.yml | 0 .../win_susp_local_anon_logon_created.yml | 0 .../win_susp_logon_explicit_credentials.yml | 0 .../sigma}/win_susp_lsass_dump.yml | 0 .../sigma}/win_susp_lsass_dump_generic.yml | 0 .../win_susp_mounted_share_deletion.yml | 0 .../sigma}/win_susp_mpcmdrun_download.yml | 0 .../sigma}/win_susp_mshta_execution.yml | 0 .../sigma}/win_susp_mshta_pattern.yml | 0 .../sigma}/win_susp_msiexec_cwd.yml | 0 .../sigma}/win_susp_msiexec_web_install.yml | 0 .../sigma}/win_susp_msmpeng_crash.yml | 0 .../sigma}/win_susp_msoffice.yml | 0 
...susp_multiple_files_renamed_or_deleted.yml | 0 .../sigma}/win_susp_net_execution.yml | 0 .../sigma}/win_susp_net_recon_activity.yml | 0 .../sigma}/win_susp_netsh_dll_persistence.yml | 0 .../sigma}/win_susp_ngrok_pua.yml | 0 .../sigma}/win_susp_ntdsutil.yml | 0 .../sigma}/win_susp_ntlm_auth.yml | 0 .../sigma}/win_susp_ntlm_rdp.yml | 0 .../sigma}/win_susp_odbcconf.yml | 0 .../sigma}/win_susp_openwith.yml | 0 .../sigma}/win_susp_outlook.yml | 0 .../sigma}/win_susp_outlook_temp.yml | 0 .../sigma}/win_susp_pcwutl.yml | 0 .../sigma}/win_susp_pester.yml | 0 .../sigma}/win_susp_ping_hex_ip.yml | 0 .../win_susp_powershell_empire_launch.yml | 0 .../win_susp_powershell_empire_uac_bypass.yml | 0 .../sigma}/win_susp_powershell_enc_cmd.yml | 0 .../win_susp_powershell_encoded_param.yml | 0 .../win_susp_powershell_getprocess_lsass.yml | 0 .../win_susp_powershell_hidden_b64_cmd.yml | 0 .../win_susp_powershell_parent_combo.yml | 0 .../win_susp_powershell_parent_process.yml | 0 .../sigma}/win_susp_powershell_sam_access.yml | 0 .../sigma}/win_susp_print.yml | 0 .../sigma}/win_susp_procdump.yml | 0 .../sigma}/win_susp_procdump_lsass.yml | 0 .../sigma}/win_susp_proceshacker.yml | 0 .../sigma}/win_susp_ps_appdata.yml | 0 .../sigma}/win_susp_ps_downloadfile.yml | 0 .../sigma}/win_susp_psexec.yml | 0 .../sigma}/win_susp_psexec_eula.yml | 0 .../sigma}/win_susp_psexex_paexec_flags.yml | 0 .../win_susp_psr_capture_screenshots.yml | 0 .../win_susp_raccess_sensitive_fext.yml | 0 .../sigma}/win_susp_rar_flags.yml | 0 .../sigma}/win_susp_rasdial_activity.yml | 0 .../win_susp_razorinstaller_explorer.yml | 0 .../sigma}/win_susp_rc4_kerberos.yml | 0 .../sigma}/win_susp_rclone_exec.yml | 0 .../sigma}/win_susp_rclone_execution.yml | 0 .../sigma}/win_susp_recon_activity.yml | 0 .../win_susp_reg_disable_sec_services.yml | 0 .../win_susp_regedit_trustedinstaller.yml | 0 .../sigma}/win_susp_register_cimprovider.yml | 0 .../win_susp_registration_via_cscript.yml | 0 
.../sigma}/win_susp_regsvr32_anomalies.yml | 0 .../win_susp_regsvr32_flags_anomaly.yml | 0 .../sigma}/win_susp_regsvr32_no_dll.yml | 0 .../sigma}/win_susp_renamed_dctask64.yml | 0 .../sigma}/win_susp_renamed_debugview.yml | 0 .../sigma}/win_susp_renamed_paexec.yml | 0 .../sigma}/win_susp_rottenpotato.yml | 0 .../sigma}/win_susp_rpcping.yml | 0 .../sigma}/win_susp_run_locations.yml | 0 .../sigma}/win_susp_rundll32_activity.yml | 0 .../sigma}/win_susp_rundll32_by_ordinal.yml | 0 .../sigma}/win_susp_rundll32_inline_vbs.yml | 0 .../sigma}/win_susp_rundll32_no_params.yml | 0 ...p_rundll32_setupapi_installhinfsection.yml | 0 .../sigma}/win_susp_rundll32_sys.yml | 0 .../sigma}/win_susp_runonce_execution.yml | 0 .../sigma}/win_susp_runscripthelper.yml | 0 .../sigma}/win_susp_sam_dump.yml | 0 .../sigma}/win_susp_schtask_creation.yml | 0 .../win_susp_schtask_creation_temp_folder.yml | 0 .../sigma}/win_susp_screenconnect_access.yml | 0 .../sigma}/win_susp_screensaver_reg.yml | 0 .../sigma}/win_susp_script_exec_from_temp.yml | 0 .../sigma}/win_susp_script_execution.yml | 0 .../sigma}/win_susp_sdelete.yml | 0 .../win_susp_service_dacl_modification.yml | 0 .../sigma}/win_susp_service_dir.yml | 0 .../win_susp_service_path_modification.yml | 0 ...susp_servu_exploitation_cve_2021_35211.yml | 0 .../sigma}/win_susp_servu_process_pattern.yml | 0 .../win_susp_shell_spawn_from_mssql.yml | 0 .../win_susp_shell_spawn_from_winrm.yml | 0 .../sigma}/win_susp_shimcache_flush.yml | 0 .../sigma}/win_susp_splwow64.yml | 0 .../win_susp_spoolsv_child_processes.yml | 0 .../sigma}/win_susp_sqldumper_activity.yml | 0 .../sigma}/win_susp_squirrel_lolbin.yml | 0 .../sigma}/win_susp_svchost.yml | 0 .../sigma}/win_susp_svchost_clfsw32.yml | 0 .../sigma}/win_susp_svchost_no_cli.yml | 0 .../sigma}/win_susp_sysprep_appdata.yml | 0 .../sigma}/win_susp_sysvol_access.yml | 0 .../sigma}/win_susp_taskmgr_localsystem.yml | 0 .../sigma}/win_susp_taskmgr_parent.yml | 0 .../sigma}/win_susp_time_modification.yml | 0 
.../sigma}/win_susp_tracker_execution.yml | 0 .../sigma}/win_susp_tscon_localsystem.yml | 0 .../sigma}/win_susp_tscon_rdp_redirect.yml | 0 .../win_susp_uac_bypass_trustedpath.yml | 0 .../sigma}/win_susp_use_of_csharp_console.yml | 0 .../sigma}/win_susp_use_of_sqlps_bin.yml | 0 .../sigma}/win_susp_use_of_sqltoolsps_bin.yml | 0 .../sigma}/win_susp_use_of_te_bin.yml | 0 .../win_susp_use_of_vsjitdebugger_bin.yml | 0 .../sigma}/win_susp_userinit_child.yml | 0 .../sigma}/win_susp_vboxdrvinst.yml | 0 .../sigma}/win_susp_vbscript_unc2452.yml | 0 .../sigma}/win_susp_volsnap_disable.yml | 0 .../win_susp_vssadmin_ntds_activity.yml | 0 .../sigma}/win_susp_whoami.yml | 0 .../sigma}/win_susp_whoami_anomaly.yml | 0 .../sigma}/win_susp_winrm_awl_bypass.yml | 0 .../sigma}/win_susp_winrm_execution.yml | 0 .../sigma}/win_susp_wmi_execution.yml | 0 .../sigma}/win_susp_wmi_login.yml | 0 .../win_susp_wmic_eventconsumer_create.yml | 0 .../win_susp_wmic_proc_create_rundll32.yml | 0 ...n_susp_wmic_security_product_uninstall.yml | 0 .../sigma}/win_susp_workfolders.yml | 0 .../sigma}/win_susp_wsl_lolbin.yml | 0 .../sigma}/win_susp_wuauclt.yml | 0 ...uspicious_outbound_kerberos_connection.yml | 0 .../sigma}/win_suspicious_vss_ps_load.yml | 0 .../sigma}/win_svcctl_remote_service.yml | 0 .../sigma}/win_syskey_registry_access.yml | 0 .../win_sysmon_channel_reference_deletion.yml | 0 .../sigma}/win_sysmon_driver_unload.yml | 0 .../sigma}/win_system_defender_disabled.yml | 0 .../sigma}/win_system_exe_anomaly.yml | 0 .../win_system_susp_eventlog_cleared.yml | 0 .../sigma}/win_tap_driver_installation.yml | 0 .../sigma}/win_tap_installer_execution.yml | 0 .../sigma}/win_task_folder_evasion.yml | 0 .../sigma}/win_termserv_proc_spawn.yml | 0 .../sigma}/win_tool_psexec.yml | 0 .../sigma}/win_tools_relay_attacks.yml | 0 ...ith_credential_data_via_network_shares.yml | 0 .../sigma}/win_trust_discovery.yml | 0 .../sigma}/win_uac_bypass_changepk_slui.yml | 0 .../sigma}/win_uac_bypass_cleanmgr.yml | 0 
.../win_uac_bypass_computerdefaults.yml | 0 .../win_uac_bypass_consent_comctl32.yml | 0 .../sigma}/win_uac_bypass_dismhost.yml | 0 .../sigma}/win_uac_bypass_ieinstal.yml | 0 .../sigma}/win_uac_bypass_msconfig_gui.yml | 0 .../win_uac_bypass_ntfs_reparse_point.yml | 0 .../sigma}/win_uac_bypass_pkgmgr_dism.yml | 0 .../sigma}/win_uac_bypass_winsat.yml | 0 .../sigma}/win_uac_bypass_wmp.yml | 0 .../sigma}/win_uac_bypass_wsreset.yml | 0 .../sigma}/win_uac_cmstp.yml | 0 .../sigma}/win_uac_fodhelper.yml | 0 .../sigma}/win_uac_wsreset.yml | 0 .../sigma}/win_usb_device_plugged.yml | 0 ...win_user_added_to_local_administrators.yml | 0 ...ileged_service_lsaregisterlogonprocess.yml | 0 .../sigma}/win_user_creation.yml | 0 .../sigma}/win_user_driver_loaded.yml | 0 ..._change_sevice_image_path_by_non_admin.yml | 0 .../win_using_settingsynchost_as_lolbin.yml | 0 .../sigma}/win_verclsid_runs_com.yml | 0 .../sigma}/win_visual_basic_compiler.yml | 0 .../sigma}/win_volume_shadow_copy_mount.yml | 0 ..._vssaudit_secevent_source_registration.yml | 0 .../sigma}/win_vul_cve_2020_0688.yml | 0 .../sigma}/win_vul_cve_2020_1472.yml | 0 .../sigma}/win_vul_java_remote_debugging.yml | 0 .../sigma}/win_webshell_detection.yml | 0 .../sigma}/win_webshell_recon_detection.yml | 0 .../sigma}/win_webshell_spawn.yml | 0 .../sigma}/win_whoami_as_system.yml | 0 .../sigma}/win_whoami_priv.yml | 0 .../sigma}/win_win10_sched_task_0day.yml | 0 .../sigma}/win_winword_dll_load.yml | 0 ..._wmi_backdoor_exchange_transport_agent.yml | 0 .../sigma}/win_wmi_persistence.yml | 0 ..._wmi_persistence_script_event_consumer.yml | 0 .../sigma}/win_wmi_spwns_powershell.yml | 0 .../sigma}/win_wmiprvse_spawning_process.yml | 0 .../win_wmiprvse_wbemcomn_dll_hijack.yml | 0 .../sigma}/win_workflow_compiler.yml | 0 ...win_write_protect_for_storage_disabled.yml | 0 .../sigma}/win_wsreset_uac_bypass.yml | 0 .../sigma}/win_xsl_script_processing.yml | 0 .../Logons/4624-Logon-Type-0-System.yml | 15 +++++++++++++ 
.../4624-Logon-Type-10-RemoteInteractive.yml | 15 +++++++++++++ .../4624-Logon-Type-11-CachedInteractive.yml | 15 +++++++++++++ ...-Logon-Type-12-CachedRemoteInteractive.yml | 15 +++++++++++++ .../4624-Logon-Type-13-CachedUnlock.yml | 15 +++++++++++++ .../Logons/4624-Logon-Type-2-Interactive.yml | 15 +++++++++++++ .../Logons/4624-Logon-Type-3-Network.yml | 22 +++++++++++++++++++ .../Logons/4624-Logon-Type-4-Batch.yml | 15 +++++++++++++ .../Logons/4624-Logon-Type-5-Service.yml | 22 +++++++++++++++++++ .../Logons/4624-Logon-Type-7-Unlock.yml | 15 +++++++++++++ .../4624-Logon-Type-8-NetworkCleartext.yml | 15 +++++++++++++ .../4624-Logon-Type-9-NewInteractive.yml | 15 +++++++++++++ .../Logons/4625-Logon-Failure.yml | 14 ++++++++++++ rules/timeline-rules/Logons/4634-Logoff.yml | 19 ++++++++++++++++ .../Logons/4647-Logoff-User-Initiated.yml | 14 ++++++++++++ .../Logons/4672-Admin-Logon.yml | 22 +++++++++++++++++++ .../Logons/4768-Kerberos-TGT-Request.yml | 14 ++++++++++++ .../4769-Kerberos-Service-Ticket-Request.yml | 14 ++++++++++++ .../4776-NTLM-Logon-to-Local-Account.yml | 14 ++++++++++++ 1110 files changed, 305 insertions(+) rename rules/{ => alert-rules/hayabusa}/BitsClientOperational/59_T1197_BitsJobCreation.yaml (100%) rename rules/{ => alert-rules/hayabusa}/PowershellOperational/400_T1562.010_PowershellV2DowngradeAttack.yml (100%) rename rules/{ => alert-rules/hayabusa}/PowershellOperational/4103_T1059_PowershellExecutionPipeline.yml (100%) rename rules/{ => alert-rules/hayabusa}/Security/1102_T1070.001_SecurityLogCleared.yml (100%) rename rules/{ => alert-rules/hayabusa}/Security/4673.yml (100%) rename rules/{ => alert-rules/hayabusa}/Security/4674.yml (100%) rename rules/{ => alert-rules/hayabusa}/Security/4720.yml (100%) rename rules/{ => alert-rules/hayabusa}/Security/4728.yml (100%) rename rules/{ => alert-rules/hayabusa}/Security/4732.yml (100%) rename rules/{ => alert-rules/hayabusa}/Security/4756.yml (100%) rename rules/{ => 
alert-rules/hayabusa}/Security/4768_T1558.003_Kerberoasting.yml (100%) rename rules/{ => alert-rules/hayabusa}/Security/4768_T1558.004_AS-REP-Roasting.yml (100%) rename rules/{ => alert-rules/hayabusa}/Security/_4625.yml (100%) rename rules/{ => alert-rules/hayabusa}/Security/_4648.yml (100%) rename rules/{ => alert-rules/hayabusa}/Security/_4672.yml (100%) rename rules/{ => alert-rules/hayabusa}/Sysmon/1.yml (100%) rename rules/{ => alert-rules/hayabusa}/Sysmon/7.yml (100%) rename rules/{ => alert-rules/hayabusa}/System/104_T1070.001_SystemLogCleared.yml (100%) rename rules/{ => alert-rules/hayabusa}/System/7030.yml (100%) rename rules/{ => alert-rules/hayabusa}/System/7040.yml (100%) rename rules/{ => alert-rules/hayabusa}/System/7045.yml (100%) rename rules/{Sigma => alert-rules/sigma}/av_exploiting.yml (100%) rename rules/{Sigma => alert-rules/sigma}/av_hacktool.yml (100%) rename rules/{Sigma => alert-rules/sigma}/av_password_dumper.yml (100%) rename rules/{Sigma => alert-rules/sigma}/av_printernightmare_cve_2021_34527.yml (100%) rename rules/{Sigma => alert-rules/sigma}/av_relevant_files.yml (100%) rename rules/{Sigma => alert-rules/sigma}/av_webshell.yml (100%) rename rules/{Sigma => alert-rules/sigma}/dns_net_mal_cobaltstrike.yml (100%) rename rules/{Sigma => alert-rules/sigma}/dns_net_susp_ipify.yml (100%) rename rules/{Sigma => alert-rules/sigma}/dns_query_hybridconnectionmgr_servicebus.yml (100%) rename rules/{Sigma => alert-rules/sigma}/dns_query_mega_nz.yml (100%) rename rules/{Sigma => alert-rules/sigma}/dns_query_possible_dns_rebinding.yml (100%) rename rules/{Sigma => alert-rules/sigma}/dns_query_regsvr32_network_activity.yml (100%) rename rules/{Sigma => alert-rules/sigma}/driver_load_mal_creddumper.yml (100%) rename rules/{Sigma => alert-rules/sigma}/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/driver_load_powershell_script_installed_as_service.yml (100%) rename 
rules/{Sigma => alert-rules/sigma}/driver_load_susp_temp_use.yml (100%) rename rules/{Sigma => alert-rules/sigma}/driver_load_vuln_dell_driver.yml (100%) rename rules/{Sigma => alert-rules/sigma}/driver_load_windivert.yml (100%) rename rules/{Sigma => alert-rules/sigma}/edr_command_execution_by_office_applications.yml (100%) rename rules/{Sigma => alert-rules/sigma}/file_event_advanced_ip_scanner.yml (100%) rename rules/{Sigma => alert-rules/sigma}/file_event_apt_unidentified_nov_18.yml (100%) rename rules/{Sigma => alert-rules/sigma}/file_event_cve_2021_31979_cve_2021_33771_exploits.yml (100%) rename rules/{Sigma => alert-rules/sigma}/file_event_hack_dumpert.yml (100%) rename rules/{Sigma => alert-rules/sigma}/file_event_hktl_createminidump.yml (100%) rename rules/{Sigma => alert-rules/sigma}/file_event_mal_adwind.yml (100%) rename rules/{Sigma => alert-rules/sigma}/file_event_mal_octopus_scanner.yml (100%) rename rules/{Sigma => alert-rules/sigma}/file_event_mal_vhd_download.yml (100%) rename rules/{Sigma => alert-rules/sigma}/file_event_mimikatz_kirbi_file_creation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/file_event_moriya_rootkit.yml (100%) rename rules/{Sigma => alert-rules/sigma}/file_event_pingback_backdoor.yml (100%) rename rules/{Sigma => alert-rules/sigma}/file_event_script_creation_by_office_using_file_ext.yml (100%) rename rules/{Sigma => alert-rules/sigma}/file_event_tool_psexec.yml (100%) rename rules/{Sigma => alert-rules/sigma}/file_event_uac_bypass_winsat.yml (100%) rename rules/{Sigma => alert-rules/sigma}/file_event_uac_bypass_wmp.yml (100%) rename rules/{Sigma => alert-rules/sigma}/file_event_winrm_awl_bypass.yml (100%) rename rules/{Sigma => alert-rules/sigma}/file_event_wmiprvse_wbemcomn_dll_hijack.yml (100%) rename rules/{Sigma => alert-rules/sigma}/image_load_pingback_backdoor.yml (100%) rename rules/{Sigma => alert-rules/sigma}/image_load_silenttrinity_stage_use.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/image_load_wmiprvse_wbemcomn_dll_hijack.yml (100%) rename rules/{Sigma => alert-rules/sigma}/pipe_created_tool_psexec.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_accessing_win_api.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_adrecon_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_alternate_powershell_hosts.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_automated_collection.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_azurehound_commands.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_bad_opsec_artifacts.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_cl_invocation_lolscript.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_cl_invocation_lolscript_count.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_cl_mutexverifiers_lolscript.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_cl_mutexverifiers_lolscript_count.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_classic_alternate_powershell_hosts.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_classic_powercat.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_classic_remote_powershell_session.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_classic_susp_athremotefxvgpudisablementcommand.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_classic_susp_zip_compress.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_classic_suspicious_download.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_clear_powershell_history.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_create_local_user.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_data_compressed.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_decompress_commands.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/powershell_delete_volume_shadow_copies.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_detect_vm_env.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_dnscat_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_downgrade_attack.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_exe_calling_ps.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_get_clipboard.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_icmp_exfiltration.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_nightmare.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_clip.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_obfuscated_iex.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_stdin.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_var.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_var_in_scriptblocktext.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_via_compress.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_via_rundll.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_via_stdin.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_via_use_clip.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_via_use_mhsta.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_via_use_rundll32.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_via_var.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_keylogging.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_malicious_commandlets.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_malicious_keywords.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_memorydump_getstoragediagnosticinfo.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_nishang_malicious_commandlets.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_ntfs_ads_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_powercat.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_powerview_malicious_commandlets.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_prompt_credentials.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_psattack.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_remote_powershell_session.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_renamed_powershell.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/powershell_set_policies_to_unsecure_level.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_shellcode_b64.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_shellintel_malicious_commandlets.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_software_discovery.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_store_file_in_alternate_data_stream.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_susp_athremotefxvgpudisablementcommand.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_susp_zip_compress.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_susp_zip_compress_in_scriptblocktext.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_suspicious_download.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_suspicious_download_in_contextinfo.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_suspicious_download_in_scriptblocktext.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_suspicious_export_pfxcertificate.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_suspicious_getprocess_lsass.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_suspicious_invocation_generic.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_suspicious_invocation_generic_in_contextinfo.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_suspicious_invocation_generic_in_scriptblocktext.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_suspicious_invocation_specific.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_suspicious_invocation_specific_in_contextinfo.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_suspicious_invocation_specific_in_scripblocktext.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_suspicious_keywords.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_suspicious_mail_acces.yml (100%) 
rename rules/{Sigma => alert-rules/sigma}/powershell_suspicious_mounted_share_deletion.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_suspicious_recon.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_suspicious_win32_pnpentity.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_suspicious_windowstyle.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_syncappvpublishingserver_exe.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_syncappvpublishingserver_exe_in_contextinfo.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_tamper_with_windows_defender.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_timestomp.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_trigger_profiles.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_web_request.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_windows_firewall_profile_disabled.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_winlogon_helper_dll.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_wmi_persistence.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_wmimplant.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_wsman_com_provider_no_powershell.yml (100%) rename rules/{Sigma => alert-rules/sigma}/powershell_xor_commandline.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_abusing_windows_telemetry_for_persistence.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_advanced_ip_scanner.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_alternate_data_streams.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_apt_gallium.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_apt_gallium_sha1.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/process_creation_apt_pandemic.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_apt_slingshot.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_apt_turla_commands_critical.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_apt_wocao.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_automated_collection.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_c3_load_by_rundll32.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_certoc_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_clip.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_cobaltstrike_load_by_rundll32.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_conti_cmd_ransomware.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_coti_sqlcmd.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_discover_private_keys.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_dns_serverlevelplugindll.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_dotnet.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_hack_dumpert.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_infdefaultinstall.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_lolbins_by_office_applications.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_lolbins_with_wmiprvse_parent_process.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_mal_blue_mockingbird.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_mal_darkside_ransomware.yml (100%) 
rename rules/{Sigma => alert-rules/sigma}/process_creation_mal_lockergoga_ransomware.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_mal_ryuk.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_msdeploy.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_office_applications_spawning_wmi_commandline.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_office_from_proxy_executing_regsvr32_payload.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_office_from_proxy_executing_regsvr32_payload2.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_office_spawning_wmi_commandline.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_pingback_backdoor.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_protocolhandler_suspicious_file.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_root_certificate_installed.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_sdelete.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_software_discovery.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_stickykey_like_backdoor.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_stordiag_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_susp_7z.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_susp_athremotefxvgpudisablementcommand.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_susp_del.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_susp_recon.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_susp_web_request_cmd.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_susp_winzip.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_susp_zip_compress.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/process_creation_syncappvpublishingserver_exe.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_sysinternals_eula_accepted.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_sysmon_uac_bypass_eventvwr.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_tool_psexec.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_tttracer_mod_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creation_win_exchange_transportagent.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_creationn_apt_chafer_mar18.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_mailboxexport_share.yml (100%) rename rules/{Sigma => alert-rules/sigma}/process_susp_esentutl_params.yml (100%) rename rules/{Sigma => alert-rules/sigma}/registry_event_abusing_windows_telemetry_for_persistence.yml (100%) rename rules/{Sigma => alert-rules/sigma}/registry_event_apt_chafer_mar18.yml (100%) rename rules/{Sigma => alert-rules/sigma}/registry_event_apt_pandemic.yml (100%) rename rules/{Sigma => alert-rules/sigma}/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml (100%) rename rules/{Sigma => alert-rules/sigma}/registry_event_defender_disabled.yml (100%) rename rules/{Sigma => alert-rules/sigma}/registry_event_defender_exclusions.yml (100%) rename rules/{Sigma => alert-rules/sigma}/registry_event_defender_realtime_protection_disabled.yml (100%) rename rules/{Sigma => alert-rules/sigma}/registry_event_dns_serverlevelplugindll.yml (100%) rename rules/{Sigma => alert-rules/sigma}/registry_event_mal_adwind.yml (100%) rename rules/{Sigma => alert-rules/sigma}/registry_event_mal_azorult.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/registry_event_mal_blue_mockingbird.yml (100%) rename rules/{Sigma => alert-rules/sigma}/registry_event_mal_flowcloud.yml (100%) rename rules/{Sigma => alert-rules/sigma}/registry_event_mal_netwire.yml (100%) rename rules/{Sigma => alert-rules/sigma}/registry_event_mal_ursnif.yml (100%) rename rules/{Sigma => alert-rules/sigma}/registry_event_mstsc_history_cleared.yml (100%) rename rules/{Sigma => alert-rules/sigma}/registry_event_net_ntlm_downgrade.yml (100%) rename rules/{Sigma => alert-rules/sigma}/registry_event_stickykey_like_backdoor.yml (100%) rename rules/{Sigma => alert-rules/sigma}/registry_event_sysinternals_eula_accepted.yml (100%) rename rules/{Sigma => alert-rules/sigma}/registry_event_uac_bypass_eventvwr.yml (100%) rename rules/{Sigma => alert-rules/sigma}/registry_event_uac_bypass_winsat.yml (100%) rename rules/{Sigma => alert-rules/sigma}/registry_event_uac_bypass_wmp.yml (100%) rename rules/{Sigma => alert-rules/sigma}/silenttrinity_stager_msbuild_activity.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_abusing_azure_browser_sso.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_abusing_debug_privilege.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_accesschk_usage_after_priv_escalation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_ads_executable.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_alternate_powershell_hosts_moduleload.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_alternate_powershell_hosts_pipe.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_always_install_elevated_windows_installer.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_apt_leviathan.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/sysmon_apt_muddywater_dnstunnel.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_apt_oceanlotus_registry.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_apt_sourgrum.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_apt_turla_namedpipes.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_asep_reg_keys_modification.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_bypass_via_wsreset.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_cactustorch.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_cmstp_execution_by_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_cmstp_execution_by_creation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_cmstp_execution_by_registry.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_cobaltstrike_bof_injection_pattern.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_cobaltstrike_process_injection.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_cobaltstrike_service_installs.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_comhijack_sdclt.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_config_modification_error.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_config_modification_status.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_createremotethread_loadlibrary.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_creation_mavinject_dll.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_creation_system_file.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_cred_dump_lsass_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_cred_dump_tools_dropped_files.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_cred_dump_tools_named_pipes.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/sysmon_cve_2020_1048.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_cve_2021_26857_msexchange.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_cve_2021_26858_msexchange.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_dcom_iertutil_dll_hijack.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_delete_prefetch.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_detect_powerup_dllhijacking.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_dhcp_calloutdll.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_direct_syscall_ntopenprocess.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_disable_microsoft_office_security_features.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_disable_security_events_logging_adding_reg_key_minint.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_disable_wdigest_credential_guard.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_disabled_pua_protection_on_microsoft_defender.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_disabled_tamper_protection_on_microsoft_defender.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_dllhost_net_connections.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_dns_over_https_enabled.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_efspotato_namedpipe.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_enabling_cor_profiler_env_variables.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_etw_disabled.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_excel_outbound_network_connection.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_expand_cabinet_files.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_foggyweb_nobelium.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/sysmon_ghostpack_safetykatz.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_hack_wce.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_hack_wce_reg.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_high_integrity_sdclt.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_hybridconnectionmgr_svc_installation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_in_memory_assembly_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_in_memory_powershell.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_invoke_phantom.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_lazagne_cred_dump_lsass_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_littlecorporal_generated_maldoc.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_load_undocumented_autoelevated_com_interface.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_logon_scripts_userinitmprlogonscript_proc.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_logon_scripts_userinitmprlogonscript_reg.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_long_powershell_commandline.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_lsass_dump_comsvcs_dll.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_lsass_memdump.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_lsass_memory_dump_file_creation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_mal_cobaltstrike.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_mal_cobaltstrike_re.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_mal_namedpipes.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_malware_backconnect_ports.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_malware_verclsid_shellcode.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_mimikatz_detection_lsass.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/sysmon_mimikatz_trough_winrm.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_modify_screensaver_binary_path.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_narrator_feedback_persistance.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_netcat_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_new_application_appcompat.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_new_dll_added_to_appcertdlls_registry_key.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_notepad_network_connection.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_office_persistence.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_office_test_regadd.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_office_vsto_persistence.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_outlook_newform.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_password_dumper_lsass.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_pcre_net_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_pcre_net_temp_file.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_powershell_as_service.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_powershell_code_injection.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_powershell_execution_pipe.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_powershell_exploit_scripts.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_powershell_network_connection.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_powershell_startup_shortcuts.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_proxy_execution_wuauclt.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_psexec_pipes_artifacts.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/sysmon_pypykatz_cred_dump_lsass_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_quarkspw_filedump.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_raw_disk_access_using_illegitimate_tools.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_rclone_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_rdp_registry_modification.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_rdp_reverse_tunnel.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_rdp_settings_hijack.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_redmimicry_winnti_filedrop.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_redmimicry_winnti_reg.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_reg_office_security.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_reg_silentprocessexit.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_reg_silentprocessexit_lsass.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_reg_vbs_payload_stored.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_regedit_export_to_ads.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_registry_add_local_hidden_user.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_registry_persistence_key_linking.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_registry_persistence_search_order.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_registry_susp_printer_driver.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_registry_trust_record_modification.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_regsvr32_network_activity.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_remote_powershell_session_network.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_removal_amsi_registry_key.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_removal_com_hijacking_registry_key.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/sysmon_remove_windows_defender_definition_files.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_rundll32_net_connections.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_runkey_winekey.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_runonce_persistence.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_sdclt_child_process.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_spoolsv_dll_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_ssp_added_lsa_config.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_startup_folder_file_write.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_adfs_namedpipe_connection.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_adsi_cache_usage.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_atbroker_change.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_clr_logs.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_cobaltstrike_pipe_patterns.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_desktop_ini.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_download_run_key.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_fax_dll.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_image_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_lsass_dll_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_mic_cam_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_office_dotnet_assembly_dll_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_office_dotnet_clr_dll_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_office_dotnet_gac_dll_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_office_dsparse_dll_load.yml 
(100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_office_kerberos_dll_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_pfx_file_creation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_plink_remote_forward.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_powershell_rundll32.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_prog_location_network_connection.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_python_image_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_rdp.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_reg_persist_explorer_run.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_run_key_img_folder.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_script_dotnet_clr_dll_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_service_installed.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_service_modification.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_system_drawing_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_webdav_client_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_winword_vbadll_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_winword_wmidll_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_susp_wmi_consumer_namedpipe.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_suspicious_dbghelp_dbgcore_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_suspicious_keyboard_layout_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_suspicious_outbound_kerberos_connection.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_suspicious_powershell_profile_create.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/sysmon_suspicious_remote_thread.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_svchost_cred_dump.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_svchost_dll_search_order_hijack.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_sysinternals_sdelete_file_deletion.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_sysinternals_sdelete_registry_keys.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_taskcache_entry.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_tsclient_filewrite_startup.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_tttracer_mod_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_uac_bypass_consent_comctl32.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_uac_bypass_dotnet_profiler.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_uac_bypass_ieinstal.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_uac_bypass_msconfig_gui.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_uac_bypass_ntfs_reparse_point.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_uac_bypass_sdclt.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_uac_bypass_shell_open.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_uac_bypass_via_dism.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_uac_bypass_wow64_logger.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_uipromptforcreds_dlls.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_uninstall_crowdstrike_falcon.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_unsigned_image_loaded_into_lsass.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_vmtoolsd_susp_child_process.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_volume_shadow_copy_service_keys.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_wab_dllpath_reg_change.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/sysmon_wdigest_enable_uselogoncredential.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_webshell_creation_detect.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_win_binary_github_com.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_win_binary_susp_com.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_win_reg_persistence.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_win_reg_telemetry_persistence.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_wmi_module_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_wmi_persistence_commandline_event_consumer.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_wmi_persistence_script_event_consumer_write.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_wmi_susp_encoded_scripts.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_wmi_susp_scripting.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_wmic_remote_xsl_scripting_dlls.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_wsman_provider_image_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/sysmon_wuauclt_network_connection.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_aadhealth_mon_agent_regkey_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_aadhealth_svc_agent_regkey_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_account_backdoor_dcsync_rights.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_account_discovery.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_ad_find_discovery.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_ad_object_writedac_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_ad_replication_non_machine_account.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_ad_user_enumeration.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_admin_rdp_login.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/win_admin_share_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_alert_active_directory_user_control.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_alert_ad_user_backdoors.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_alert_enable_weak_encryption.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_alert_lsass_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_alert_mimikatz_keywords.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_alert_ruler.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_anydesk_silent_install.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_applocker_file_was_not_allowed_to_run.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_apt29_thinktanks.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_babyshark.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_bear_activity_gtr19.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_bluemashroom.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_carbonpaper_turla.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_chafer_mar18_security.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_chafer_mar18_system.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_cloudhopper.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_dragonfly.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_elise.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_emissarypanda_sep19.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_empiremonkey.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_equationgroup_dll_u_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_evilnum_jul20.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_gallium.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_greenbug_may20.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_hafnium.yml 
(100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_hurricane_panda.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_judgement_panda_gtr19.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_ke3chang_regadd.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_lazarus_activity_apr21.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_lazarus_activity_dec20.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_lazarus_loader.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_lazarus_session_highjack.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_mustangpanda.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_revil_kaseya.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_slingshot.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_sofacy.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_stonedrill.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_ta17_293a_ps.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_ta505_dropper.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_taidoor.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_tropictrooper.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_turla_comrat_may20.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_turla_service_png.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_unc2452_cmds.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_unc2452_ps.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_unidentified_nov_18.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_winnti_mal_hk_jan20.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_winnti_pipemon.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_wocao.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_apt_zxshell.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_arbitrary_shell_execution_via_settingcontent.yml 
(100%) rename rules/{Sigma => alert-rules/sigma}/win_asr_bypass_via_appvlp_re.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_atsvc_task.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_attrib_hiding_files.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_audit_cve.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_av_relevant_match.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_bad_opsec_sacrificial_processes.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_bootconf_mod.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_bypass_squiblytwo.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_camera_microphone_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_change_default_file_association.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_cl_invocation_lolscript.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_cl_mutexverifiers_lolscript.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_class_exec_xwizard.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_cmdkey_recon.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_cmstp_com_object_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_cobaltstrike_process_patterns.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_cobaltstrike_service_installs.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_commandline_path_traversal.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_commandline_path_traversal_evasion.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_control_panel_item.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_copying_sensitive_files_with_credential_data.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_credential_access_via_password_filter.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_crime_fireball.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_crime_maze_ransomware.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/win_crime_snatch_ransomware.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_crypto_mining_monero.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_cve_2021_1675_printspooler.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_cve_2021_1675_printspooler_del.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_data_compressed_with_rar.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_dce_rpc_smb_spoolss_named_pipe.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_dcom_iertutil_dll_hijack.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_dcsync.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_defender_amsi_trigger.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_defender_bypass.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_defender_disabled.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_defender_exclusions.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_defender_history_delete.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_defender_psexec_wmi_asr.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_defender_tamper_protection_trigger.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_defender_threat.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_detecting_fake_instances_of_hxtsr.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_disable_event_logging.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_dll_sideload_xwizard.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_dns_exfiltration_tools_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_dnscat2_powershell_implementation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_dpapi_domain_backupkey_extraction.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_dpapi_domain_masterkey_backup_attempt.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_encoded_frombase64string.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/win_encoded_iex.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_etw_modification.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_etw_modification_cmdline.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_etw_trace_evasion.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_event_log_cleared.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_exchange_proxylogon_oabvirtualdir.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_exchange_proxyshell_certificate_generation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_exchange_proxyshell_mailbox_export.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_exchange_proxyshell_remove_mailbox_export.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_exchange_transportagent.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_exchange_transportagent_failed.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_exfiltration_and_tunneling_tools_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_exploit_cve_2015_1641.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_exploit_cve_2017_0261.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_exploit_cve_2017_11882.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_exploit_cve_2017_8759.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_exploit_cve_2019_1378.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_exploit_cve_2019_1388.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_exploit_cve_2020_10189.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_exploit_cve_2020_1048.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_exploit_cve_2020_1350.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_exploit_cve_2021_1675_printspooler.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_exploit_cve_2021_1675_printspooler_operational.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/win_exploit_cve_2021_1675_printspooler_security.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_exploit_systemnightmare.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_external_device.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_file_permission_modifications.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_file_winword_cve_2021_40444.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_global_catalog_enumeration.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_gpo_scheduledtasks.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_grabbing_sensitive_hives_via_reg.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_hack_adcspwn.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_hack_bloodhound.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_hack_koadic.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_hack_rubeus.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_hack_secutyxploded.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_hack_smbexec.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_hh_chm.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_hidden_user_creation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_hiding_malware_in_fonts_folder.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_hivenightmare_file_exports.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_hktl_createminidump.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_hktl_uacme_uac_bypass.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_html_help_spawn.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_hwp_exploits.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_hybridconnectionmgr_svc_installation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_hybridconnectionmgr_svc_running.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_impacket_compiled_tools.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/win_impacket_lateralization.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_impacket_psexec.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_impacket_secretdump.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_indirect_cmd.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_indirect_cmd_compatibility_assistant.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_install_reg_debugger_backdoor.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_interactive_at.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_clip.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_clip_services.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_clip_services_security.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_obfuscated_iex_commandline.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_obfuscated_iex_services.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_obfuscated_iex_services_security.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_stdin.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_stdin_services.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_stdin_services_security.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_var.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_var_services.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_var_services_security.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_via_compress.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_via_compress_services.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_via_compress_services_security.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/win_invoke_obfuscation_via_rundll.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_via_rundll_services.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_via_rundll_services_security.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_via_stdin.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_via_stdin_services.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_via_stdin_services_security.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_via_use_clip.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_via_use_clip_services.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_via_use_clip_services_security.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_via_use_mhsta.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_via_use_mshta_services.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_via_use_mshta_services_security.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_via_use_rundll32.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_via_use_rundll32_services.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_via_use_rundll32_services_security.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_via_var.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_via_var_services.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_invoke_obfuscation_via_var_services_security.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_iso_mount.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_lateral_movement_condrv.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_ldap_recon.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/win_lethalhta.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_lm_namedpipe.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_local_system_owner_account_discovery.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_lolbas_execution_of_nltest.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_lolbas_execution_of_wuauclt.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_lolbin_execution_via_winget.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_lsass_access_non_system_account.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_lsass_dump.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_mal_adwind.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_mal_creddumper.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_mal_wceaux_dll.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_malware_conti.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_malware_conti_7zip.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_malware_conti_shadowcopy.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_malware_dridex.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_malware_dtrack.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_malware_emotet.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_malware_formbook.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_malware_notpetya.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_malware_qbot.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_malware_ryuk.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_malware_script_dropper.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_malware_trickbot_recon_activity.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_malware_trickbot_wermgr.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_malware_wannacry.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_manage_bde_lolbas.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/win_mavinject_proc_inj.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_mimikatz_command_line.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_mmc20_lateral_movement.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_mmc_spawn_shell.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_modif_of_services_for_via_commandline.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_monitoring_for_persistence_via_bits.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_moriya_rootkit.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_mouse_lock.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_mshta_javascript.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_mshta_spawn_shell.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_net_crypto_mining.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_net_enum.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_net_ntlm_downgrade.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_net_use_admin_share.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_net_user_add.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_netsh_allow_port_rdp.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_netsh_fw_add.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_netsh_fw_add_susp_image.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_netsh_packet_capture.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_netsh_port_fwd.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_netsh_port_fwd_3389.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_netsh_wifi_credential_harvesting.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_network_sniffing.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/win_new_or_renamed_user_account_with_dollar_sign.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_new_service_creation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_nltest_recon.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_non_interactive_powershell.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_non_priv_reg_or_ps.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_not_allowed_rdp_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_ntfs_vuln_exploit.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_office_shell.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_office_spawn_exe_from_users_directory.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_outlook_c2_macro_creation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_outlook_c2_registry_key.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_outlook_registry_todaypage.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_outlook_registry_webview.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_overpass_the_hash.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_pass_the_hash.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_pass_the_hash_2.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_pc_set_policies_to_unsecure_level.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_pc_susp_cmdl32_lolbas.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_pc_susp_schtasks_user_temp.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_pc_susp_zipexec.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_pcap_drivers.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_petitpotam_network_share.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_petitpotam_susp_tgt_request.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_plugx_susp_exe_locations.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_portproxy_registry_key.yml (100%) rename 
rules/{Sigma => alert-rules/sigma}/win_possible_applocker_bypass.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_possible_dc_shadow.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_possible_privilege_escalation_via_service_registry_permissions.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_possible_zerologon_exploitation_using_wellknown_tools.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_powershell_amsi_bypass.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_powershell_audio_capture.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_powershell_b64_shellcode.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_powershell_bitsjob.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_powershell_cmdline_reversed_strings.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_powershell_cmdline_special_characters.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_powershell_cmdline_specific_comb_methods.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_powershell_defender_exclusion.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_powershell_disable_windef_av.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_powershell_dll_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_powershell_downgrade_attack.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_powershell_download.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_powershell_frombase64string.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_powershell_reverse_shell_connection.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_powershell_suspicious_parameter_variation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_powershell_xor_commandline.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_powersploit_empire_schtasks.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_privesc_cve_2020_1472.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_proc_wrong_parent.yml 
(100%) rename rules/{Sigma => alert-rules/sigma}/win_procdump.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_process_creation_bitsadmin_download.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_process_dump_rdrleakdiag.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_process_dump_rundll32_comsvcs.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_protected_storage_service_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_psexesvc_start.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_purplesharp_indicators.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_quarkspwdump_clearing_hive_access_history.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_query_registry.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_rare_schtask_creation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_rasautou_dll_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_rclone_exec_file.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_rdp_bluekeep_poc_scanner.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_rdp_hijack_shadowing.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_rdp_localhost_login.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_rdp_potential_cve_2019_0708.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_rdp_reverse_tunnel.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_redmimicry_winnti_proc.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_reg_add_run_key.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_regedit_export_critical_keys.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_regedit_export_keys.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_regedit_import_keys.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_regedit_import_keys_ads.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_regini.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_regini_ads.yml (100%) rename 
rules/{Sigma => alert-rules/sigma}/win_register_new_logon_process_by_rubeus.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_registry_mimikatz_printernightmare.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_remote_powershell_session.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_remote_powershell_session_process.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_remote_registry_management_using_reg_utility.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_remote_time_discovery.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_renamed_binary.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_renamed_binary_highly_relevant.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_renamed_jusched.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_renamed_megasync.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_renamed_paexec.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_renamed_powershell.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_renamed_procdump.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_renamed_psexec.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_renamed_whoami.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_root_certificate_installed.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_run_powershell_script_from_ads.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_run_powershell_script_from_input_stream.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_run_virtualbox.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_rundll32_without_parameters.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_sam_registry_hive_handle_request.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_scheduled_task_deletion.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_scm_database_handle_failure.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_scm_database_privileged_operation.yml (100%) rename rules/{Sigma 
=> alert-rules/sigma}/win_scrcons_remote_wmi_scripteventconsumer.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_script_event_consumer_spawn.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_sdbinst_shim_persistence.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_security_cobaltstrike_service_installs.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_security_mal_creddumper.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_security_mal_service_installs.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_security_metasploit_or_impacket_smb_psexec_service_install.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_security_powershell_script_installed_as_service.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_security_tap_driver_installation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_security_wmi_persistence.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_service_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_service_stop.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_set_oabvirtualdirectory_externalurl.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_shadow_copies_access_symlink.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_shadow_copies_creation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_shadow_copies_deletion.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_shell_spawn_mshta.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_shell_spawn_susp_program.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_silenttrinity_stage_use.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_smb_file_creation_admin_shares.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_software_atera_rmm_agent_install.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_soundrec_audio_capture.yml (100%) 
rename rules/{Sigma => alert-rules/sigma}/win_spn_enum.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_sticky_keys_unauthenticated_privileged_console_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_sus_auditpol_usage.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_add_domain_trust.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_add_sid_history.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_adfind.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_atbroker.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_backup_delete.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_bcdedit.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_bginfo.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_bitstransfer.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_calc.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_cdb.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_certutil_command.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_certutil_encode.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_child_process_as_system_.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_cli_escape.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_cmd_http_appdata.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_cmd_shadowcopy_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_codeintegrity_check_failure.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_codepage_switch.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_commands_recon_activity.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_compression_params.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_comsvcs_procdump.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_conhost.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/win_susp_control_cve_2021_40444.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_control_dll_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_copy_lateral_movement.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_copy_system32.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_covenant.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_crackmapexec_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_crackmapexec_powershell_obfuscation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_csc.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_csc_folder.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_csi.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_curl_download.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_curl_fileupload.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_curl_start_combo.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_dctask64_proc_inject.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_desktopimgdownldr.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_desktopimgdownldr_file.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_devtoolslauncher.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_dhcp_config.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_dhcp_config_failed.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_direct_asep_reg_keys_modification.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_disable_eventlog.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_disable_ie_features.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_disable_raccine.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_diskshadow.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_ditsnap.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/win_susp_dns_config.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_dnx.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_double_extension.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_dsrm_password_change.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_dxcap.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_emotet_rudll32_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_esentutl_activity.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_eventlog_clear.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_eventlog_cleared.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_execution_path.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_execution_path_webserver.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_explorer.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_explorer_break_proctree.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_failed_guest_logon.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_failed_logon_reasons.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_failed_logon_source.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_file_characteristics.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_file_download_via_gfxdownloadwrapper.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_findstr.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_findstr_lnk.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_finger_usage.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_firewall_disable.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_fsutil_usage.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_ftp.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_gup.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_interactive_logons.yml 
(100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_iss_module_install.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_kerberos_manipulation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_ldap_dataexchange.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_local_anon_logon_created.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_logon_explicit_credentials.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_lsass_dump.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_lsass_dump_generic.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_mounted_share_deletion.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_mpcmdrun_download.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_mshta_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_mshta_pattern.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_msiexec_cwd.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_msiexec_web_install.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_msmpeng_crash.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_msoffice.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_multiple_files_renamed_or_deleted.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_net_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_net_recon_activity.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_netsh_dll_persistence.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_ngrok_pua.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_ntdsutil.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_ntlm_auth.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_ntlm_rdp.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_odbcconf.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_openwith.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/win_susp_outlook.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_outlook_temp.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_pcwutl.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_pester.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_ping_hex_ip.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_powershell_empire_launch.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_powershell_empire_uac_bypass.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_powershell_enc_cmd.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_powershell_encoded_param.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_powershell_getprocess_lsass.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_powershell_hidden_b64_cmd.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_powershell_parent_combo.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_powershell_parent_process.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_powershell_sam_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_print.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_procdump.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_procdump_lsass.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_proceshacker.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_ps_appdata.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_ps_downloadfile.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_psexec.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_psexec_eula.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_psexex_paexec_flags.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_psr_capture_screenshots.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_raccess_sensitive_fext.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/win_susp_rar_flags.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_rasdial_activity.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_razorinstaller_explorer.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_rc4_kerberos.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_rclone_exec.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_rclone_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_recon_activity.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_reg_disable_sec_services.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_regedit_trustedinstaller.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_register_cimprovider.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_registration_via_cscript.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_regsvr32_anomalies.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_regsvr32_flags_anomaly.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_regsvr32_no_dll.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_renamed_dctask64.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_renamed_debugview.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_renamed_paexec.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_rottenpotato.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_rpcping.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_run_locations.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_rundll32_activity.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_rundll32_by_ordinal.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_rundll32_inline_vbs.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_rundll32_no_params.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_rundll32_setupapi_installhinfsection.yml (100%) rename 
rules/{Sigma => alert-rules/sigma}/win_susp_rundll32_sys.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_runonce_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_runscripthelper.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_sam_dump.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_schtask_creation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_schtask_creation_temp_folder.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_screenconnect_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_screensaver_reg.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_script_exec_from_temp.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_script_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_sdelete.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_service_dacl_modification.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_service_dir.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_service_path_modification.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_servu_exploitation_cve_2021_35211.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_servu_process_pattern.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_shell_spawn_from_mssql.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_shell_spawn_from_winrm.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_shimcache_flush.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_splwow64.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_spoolsv_child_processes.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_sqldumper_activity.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_squirrel_lolbin.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_svchost.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_svchost_clfsw32.yml 
(100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_svchost_no_cli.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_sysprep_appdata.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_sysvol_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_taskmgr_localsystem.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_taskmgr_parent.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_time_modification.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_tracker_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_tscon_localsystem.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_tscon_rdp_redirect.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_uac_bypass_trustedpath.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_use_of_csharp_console.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_use_of_sqlps_bin.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_use_of_sqltoolsps_bin.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_use_of_te_bin.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_use_of_vsjitdebugger_bin.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_userinit_child.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_vboxdrvinst.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_vbscript_unc2452.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_volsnap_disable.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_vssadmin_ntds_activity.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_whoami.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_whoami_anomaly.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_winrm_awl_bypass.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_winrm_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_wmi_execution.yml (100%) rename 
rules/{Sigma => alert-rules/sigma}/win_susp_wmi_login.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_wmic_eventconsumer_create.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_wmic_proc_create_rundll32.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_wmic_security_product_uninstall.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_workfolders.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_wsl_lolbin.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_susp_wuauclt.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_suspicious_outbound_kerberos_connection.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_suspicious_vss_ps_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_svcctl_remote_service.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_syskey_registry_access.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_sysmon_channel_reference_deletion.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_sysmon_driver_unload.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_system_defender_disabled.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_system_exe_anomaly.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_system_susp_eventlog_cleared.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_tap_driver_installation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_tap_installer_execution.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_task_folder_evasion.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_termserv_proc_spawn.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_tool_psexec.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_tools_relay_attacks.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_transferring_files_with_credential_data_via_network_shares.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_trust_discovery.yml (100%) rename rules/{Sigma => 
alert-rules/sigma}/win_uac_bypass_changepk_slui.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_uac_bypass_cleanmgr.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_uac_bypass_computerdefaults.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_uac_bypass_consent_comctl32.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_uac_bypass_dismhost.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_uac_bypass_ieinstal.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_uac_bypass_msconfig_gui.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_uac_bypass_ntfs_reparse_point.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_uac_bypass_pkgmgr_dism.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_uac_bypass_winsat.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_uac_bypass_wmp.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_uac_bypass_wsreset.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_uac_cmstp.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_uac_fodhelper.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_uac_wsreset.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_usb_device_plugged.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_user_added_to_local_administrators.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_user_creation.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_user_driver_loaded.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_using_sc_to_change_sevice_image_path_by_non_admin.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_using_settingsynchost_as_lolbin.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_verclsid_runs_com.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_visual_basic_compiler.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_volume_shadow_copy_mount.yml 
(100%) rename rules/{Sigma => alert-rules/sigma}/win_vssaudit_secevent_source_registration.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_vul_cve_2020_0688.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_vul_cve_2020_1472.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_vul_java_remote_debugging.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_webshell_detection.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_webshell_recon_detection.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_webshell_spawn.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_whoami_as_system.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_whoami_priv.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_win10_sched_task_0day.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_winword_dll_load.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_wmi_backdoor_exchange_transport_agent.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_wmi_persistence.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_wmi_persistence_script_event_consumer.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_wmi_spwns_powershell.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_wmiprvse_spawning_process.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_wmiprvse_wbemcomn_dll_hijack.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_workflow_compiler.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_write_protect_for_storage_disabled.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_wsreset_uac_bypass.yml (100%) rename rules/{Sigma => alert-rules/sigma}/win_xsl_script_processing.yml (100%) create mode 100644 rules/timeline-rules/Logons/4624-Logon-Type-0-System.yml create mode 100644 rules/timeline-rules/Logons/4624-Logon-Type-10-RemoteInteractive.yml create mode 100644 rules/timeline-rules/Logons/4624-Logon-Type-11-CachedInteractive.yml create mode 100644 
rules/timeline-rules/Logons/4624-Logon-Type-12-CachedRemoteInteractive.yml create mode 100644 rules/timeline-rules/Logons/4624-Logon-Type-13-CachedUnlock.yml create mode 100644 rules/timeline-rules/Logons/4624-Logon-Type-2-Interactive.yml create mode 100644 rules/timeline-rules/Logons/4624-Logon-Type-3-Network.yml create mode 100644 rules/timeline-rules/Logons/4624-Logon-Type-4-Batch.yml create mode 100644 rules/timeline-rules/Logons/4624-Logon-Type-5-Service.yml create mode 100644 rules/timeline-rules/Logons/4624-Logon-Type-7-Unlock.yml create mode 100644 rules/timeline-rules/Logons/4624-Logon-Type-8-NetworkCleartext.yml create mode 100644 rules/timeline-rules/Logons/4624-Logon-Type-9-NewInteractive.yml create mode 100644 rules/timeline-rules/Logons/4625-Logon-Failure.yml create mode 100644 rules/timeline-rules/Logons/4634-Logoff.yml create mode 100644 rules/timeline-rules/Logons/4647-Logoff-User-Initiated.yml create mode 100644 rules/timeline-rules/Logons/4672-Admin-Logon.yml create mode 100644 rules/timeline-rules/Logons/4768-Kerberos-TGT-Request.yml create mode 100644 rules/timeline-rules/Logons/4769-Kerberos-Service-Ticket-Request.yml create mode 100644 rules/timeline-rules/Logons/4776-NTLM-Logon-to-Local-Account.yml
diff --git a/rules/BitsClientOperational/59_T1197_BitsJobCreation.yaml b/rules/alert-rules/hayabusa/BitsClientOperational/59_T1197_BitsJobCreation.yaml
similarity index 100%
rename from rules/BitsClientOperational/59_T1197_BitsJobCreation.yaml
rename to rules/alert-rules/hayabusa/BitsClientOperational/59_T1197_BitsJobCreation.yaml
diff --git a/rules/PowershellOperational/400_T1562.010_PowershellV2DowngradeAttack.yml b/rules/alert-rules/hayabusa/PowershellOperational/400_T1562.010_PowershellV2DowngradeAttack.yml
similarity index 100%
rename from rules/PowershellOperational/400_T1562.010_PowershellV2DowngradeAttack.yml
rename to rules/alert-rules/hayabusa/PowershellOperational/400_T1562.010_PowershellV2DowngradeAttack.yml
diff --git a/rules/PowershellOperational/4103_T1059_PowershellExecutionPipeline.yml b/rules/alert-rules/hayabusa/PowershellOperational/4103_T1059_PowershellExecutionPipeline.yml
similarity index 100%
rename from rules/PowershellOperational/4103_T1059_PowershellExecutionPipeline.yml
rename to rules/alert-rules/hayabusa/PowershellOperational/4103_T1059_PowershellExecutionPipeline.yml
diff --git a/rules/Security/1102_T1070.001_SecurityLogCleared.yml b/rules/alert-rules/hayabusa/Security/1102_T1070.001_SecurityLogCleared.yml
similarity index 100%
rename from rules/Security/1102_T1070.001_SecurityLogCleared.yml
rename to rules/alert-rules/hayabusa/Security/1102_T1070.001_SecurityLogCleared.yml
diff --git a/rules/Security/4673.yml b/rules/alert-rules/hayabusa/Security/4673.yml
similarity index 100%
rename from rules/Security/4673.yml
rename to rules/alert-rules/hayabusa/Security/4673.yml
diff --git a/rules/Security/4674.yml b/rules/alert-rules/hayabusa/Security/4674.yml
similarity index 100%
rename from rules/Security/4674.yml
rename to rules/alert-rules/hayabusa/Security/4674.yml
diff --git a/rules/Security/4720.yml b/rules/alert-rules/hayabusa/Security/4720.yml
similarity index 100%
rename from rules/Security/4720.yml
rename to rules/alert-rules/hayabusa/Security/4720.yml
diff --git a/rules/Security/4728.yml b/rules/alert-rules/hayabusa/Security/4728.yml
similarity index 100%
rename from rules/Security/4728.yml
rename to rules/alert-rules/hayabusa/Security/4728.yml
diff --git a/rules/Security/4732.yml b/rules/alert-rules/hayabusa/Security/4732.yml
similarity index 100%
rename from rules/Security/4732.yml
rename to rules/alert-rules/hayabusa/Security/4732.yml
diff --git a/rules/Security/4756.yml b/rules/alert-rules/hayabusa/Security/4756.yml
similarity index 100%
rename from rules/Security/4756.yml
rename to rules/alert-rules/hayabusa/Security/4756.yml
diff --git a/rules/Security/4768_T1558.003_Kerberoasting.yml b/rules/alert-rules/hayabusa/Security/4768_T1558.003_Kerberoasting.yml
similarity index 100%
rename from rules/Security/4768_T1558.003_Kerberoasting.yml
rename to rules/alert-rules/hayabusa/Security/4768_T1558.003_Kerberoasting.yml
diff --git a/rules/Security/4768_T1558.004_AS-REP-Roasting.yml b/rules/alert-rules/hayabusa/Security/4768_T1558.004_AS-REP-Roasting.yml
similarity index 100%
rename from rules/Security/4768_T1558.004_AS-REP-Roasting.yml
rename to rules/alert-rules/hayabusa/Security/4768_T1558.004_AS-REP-Roasting.yml
diff --git a/rules/Security/_4625.yml b/rules/alert-rules/hayabusa/Security/_4625.yml
similarity index 100%
rename from rules/Security/_4625.yml
rename to rules/alert-rules/hayabusa/Security/_4625.yml
diff --git a/rules/Security/_4648.yml b/rules/alert-rules/hayabusa/Security/_4648.yml
similarity index 100%
rename from rules/Security/_4648.yml
rename to rules/alert-rules/hayabusa/Security/_4648.yml
diff --git a/rules/Security/_4672.yml b/rules/alert-rules/hayabusa/Security/_4672.yml
similarity index 100%
rename from rules/Security/_4672.yml
rename to rules/alert-rules/hayabusa/Security/_4672.yml
diff --git a/rules/Sysmon/1.yml b/rules/alert-rules/hayabusa/Sysmon/1.yml
similarity index 100%
rename from rules/Sysmon/1.yml
rename to rules/alert-rules/hayabusa/Sysmon/1.yml
diff --git a/rules/Sysmon/7.yml b/rules/alert-rules/hayabusa/Sysmon/7.yml
similarity index 100%
rename from rules/Sysmon/7.yml
rename to rules/alert-rules/hayabusa/Sysmon/7.yml
diff --git a/rules/System/104_T1070.001_SystemLogCleared.yml b/rules/alert-rules/hayabusa/System/104_T1070.001_SystemLogCleared.yml
similarity index 100%
rename from rules/System/104_T1070.001_SystemLogCleared.yml
rename to rules/alert-rules/hayabusa/System/104_T1070.001_SystemLogCleared.yml
diff --git a/rules/System/7030.yml b/rules/alert-rules/hayabusa/System/7030.yml
similarity index 100%
rename from rules/System/7030.yml
rename to rules/alert-rules/hayabusa/System/7030.yml
diff --git a/rules/System/7040.yml b/rules/alert-rules/hayabusa/System/7040.yml
similarity index 100%
rename from rules/System/7040.yml
rename to rules/alert-rules/hayabusa/System/7040.yml
diff --git a/rules/System/7045.yml b/rules/alert-rules/hayabusa/System/7045.yml
similarity index 100%
rename from rules/System/7045.yml
rename to rules/alert-rules/hayabusa/System/7045.yml
diff --git a/rules/Sigma/av_exploiting.yml b/rules/alert-rules/sigma/av_exploiting.yml
similarity index 100%
rename from rules/Sigma/av_exploiting.yml
rename to rules/alert-rules/sigma/av_exploiting.yml
diff --git a/rules/Sigma/av_hacktool.yml b/rules/alert-rules/sigma/av_hacktool.yml
similarity index 100%
rename from rules/Sigma/av_hacktool.yml
rename to rules/alert-rules/sigma/av_hacktool.yml
diff --git a/rules/Sigma/av_password_dumper.yml b/rules/alert-rules/sigma/av_password_dumper.yml
similarity index 100%
rename from rules/Sigma/av_password_dumper.yml
rename to rules/alert-rules/sigma/av_password_dumper.yml
diff --git a/rules/Sigma/av_printernightmare_cve_2021_34527.yml b/rules/alert-rules/sigma/av_printernightmare_cve_2021_34527.yml
similarity index 100%
rename from rules/Sigma/av_printernightmare_cve_2021_34527.yml
rename to rules/alert-rules/sigma/av_printernightmare_cve_2021_34527.yml
diff --git a/rules/Sigma/av_relevant_files.yml b/rules/alert-rules/sigma/av_relevant_files.yml
similarity index 100%
rename from rules/Sigma/av_relevant_files.yml
rename to rules/alert-rules/sigma/av_relevant_files.yml
diff --git a/rules/Sigma/av_webshell.yml b/rules/alert-rules/sigma/av_webshell.yml
similarity index 100%
rename from rules/Sigma/av_webshell.yml
rename to rules/alert-rules/sigma/av_webshell.yml
diff --git a/rules/Sigma/dns_net_mal_cobaltstrike.yml b/rules/alert-rules/sigma/dns_net_mal_cobaltstrike.yml
similarity index 100%
rename from rules/Sigma/dns_net_mal_cobaltstrike.yml
rename to rules/alert-rules/sigma/dns_net_mal_cobaltstrike.yml
diff --git a/rules/Sigma/dns_net_susp_ipify.yml b/rules/alert-rules/sigma/dns_net_susp_ipify.yml
similarity index 100%
rename from rules/Sigma/dns_net_susp_ipify.yml
rename to rules/alert-rules/sigma/dns_net_susp_ipify.yml
diff --git a/rules/Sigma/dns_query_hybridconnectionmgr_servicebus.yml b/rules/alert-rules/sigma/dns_query_hybridconnectionmgr_servicebus.yml
similarity index 100%
rename from rules/Sigma/dns_query_hybridconnectionmgr_servicebus.yml
rename to rules/alert-rules/sigma/dns_query_hybridconnectionmgr_servicebus.yml
diff --git a/rules/Sigma/dns_query_mega_nz.yml b/rules/alert-rules/sigma/dns_query_mega_nz.yml
similarity index 100%
rename from rules/Sigma/dns_query_mega_nz.yml
rename to rules/alert-rules/sigma/dns_query_mega_nz.yml
diff --git a/rules/Sigma/dns_query_possible_dns_rebinding.yml b/rules/alert-rules/sigma/dns_query_possible_dns_rebinding.yml
similarity index 100%
rename from rules/Sigma/dns_query_possible_dns_rebinding.yml
rename to rules/alert-rules/sigma/dns_query_possible_dns_rebinding.yml
diff --git a/rules/Sigma/dns_query_regsvr32_network_activity.yml b/rules/alert-rules/sigma/dns_query_regsvr32_network_activity.yml
similarity index 100%
rename from rules/Sigma/dns_query_regsvr32_network_activity.yml
rename to rules/alert-rules/sigma/dns_query_regsvr32_network_activity.yml
diff --git a/rules/Sigma/driver_load_mal_creddumper.yml b/rules/alert-rules/sigma/driver_load_mal_creddumper.yml
similarity index 100%
rename from rules/Sigma/driver_load_mal_creddumper.yml
rename to rules/alert-rules/sigma/driver_load_mal_creddumper.yml
diff --git a/rules/Sigma/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/alert-rules/sigma/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
similarity index 100%
rename from rules/Sigma/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
rename to rules/alert-rules/sigma/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
diff --git a/rules/Sigma/driver_load_powershell_script_installed_as_service.yml b/rules/alert-rules/sigma/driver_load_powershell_script_installed_as_service.yml
similarity index 100%
rename from rules/Sigma/driver_load_powershell_script_installed_as_service.yml
rename to rules/alert-rules/sigma/driver_load_powershell_script_installed_as_service.yml
diff --git a/rules/Sigma/driver_load_susp_temp_use.yml b/rules/alert-rules/sigma/driver_load_susp_temp_use.yml
similarity index 100%
rename from rules/Sigma/driver_load_susp_temp_use.yml
rename to rules/alert-rules/sigma/driver_load_susp_temp_use.yml
diff --git a/rules/Sigma/driver_load_vuln_dell_driver.yml b/rules/alert-rules/sigma/driver_load_vuln_dell_driver.yml
similarity index 100%
rename from rules/Sigma/driver_load_vuln_dell_driver.yml
rename to rules/alert-rules/sigma/driver_load_vuln_dell_driver.yml
diff --git a/rules/Sigma/driver_load_windivert.yml b/rules/alert-rules/sigma/driver_load_windivert.yml
similarity index 100%
rename from rules/Sigma/driver_load_windivert.yml
rename to rules/alert-rules/sigma/driver_load_windivert.yml
diff --git a/rules/Sigma/edr_command_execution_by_office_applications.yml b/rules/alert-rules/sigma/edr_command_execution_by_office_applications.yml
similarity index 100%
rename from rules/Sigma/edr_command_execution_by_office_applications.yml
rename to rules/alert-rules/sigma/edr_command_execution_by_office_applications.yml
diff --git a/rules/Sigma/file_event_advanced_ip_scanner.yml b/rules/alert-rules/sigma/file_event_advanced_ip_scanner.yml
similarity index 100%
rename from rules/Sigma/file_event_advanced_ip_scanner.yml
rename to rules/alert-rules/sigma/file_event_advanced_ip_scanner.yml
diff --git a/rules/Sigma/file_event_apt_unidentified_nov_18.yml b/rules/alert-rules/sigma/file_event_apt_unidentified_nov_18.yml
similarity index 100%
rename from rules/Sigma/file_event_apt_unidentified_nov_18.yml
rename to rules/alert-rules/sigma/file_event_apt_unidentified_nov_18.yml
diff --git a/rules/Sigma/file_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/alert-rules/sigma/file_event_cve_2021_31979_cve_2021_33771_exploits.yml
similarity index 100%
rename from rules/Sigma/file_event_cve_2021_31979_cve_2021_33771_exploits.yml
rename to rules/alert-rules/sigma/file_event_cve_2021_31979_cve_2021_33771_exploits.yml
diff --git a/rules/Sigma/file_event_hack_dumpert.yml b/rules/alert-rules/sigma/file_event_hack_dumpert.yml
similarity index 100%
rename from rules/Sigma/file_event_hack_dumpert.yml
rename to rules/alert-rules/sigma/file_event_hack_dumpert.yml
diff --git a/rules/Sigma/file_event_hktl_createminidump.yml b/rules/alert-rules/sigma/file_event_hktl_createminidump.yml
similarity index 100%
rename from rules/Sigma/file_event_hktl_createminidump.yml
rename to rules/alert-rules/sigma/file_event_hktl_createminidump.yml
diff --git a/rules/Sigma/file_event_mal_adwind.yml b/rules/alert-rules/sigma/file_event_mal_adwind.yml
similarity index 100%
rename from rules/Sigma/file_event_mal_adwind.yml
rename to rules/alert-rules/sigma/file_event_mal_adwind.yml
diff --git a/rules/Sigma/file_event_mal_octopus_scanner.yml b/rules/alert-rules/sigma/file_event_mal_octopus_scanner.yml
similarity index 100%
rename from rules/Sigma/file_event_mal_octopus_scanner.yml
rename to rules/alert-rules/sigma/file_event_mal_octopus_scanner.yml
diff --git a/rules/Sigma/file_event_mal_vhd_download.yml b/rules/alert-rules/sigma/file_event_mal_vhd_download.yml
similarity index 100%
rename from rules/Sigma/file_event_mal_vhd_download.yml
rename to rules/alert-rules/sigma/file_event_mal_vhd_download.yml
diff --git a/rules/Sigma/file_event_mimikatz_kirbi_file_creation.yml b/rules/alert-rules/sigma/file_event_mimikatz_kirbi_file_creation.yml
similarity index 100%
rename from rules/Sigma/file_event_mimikatz_kirbi_file_creation.yml
rename to rules/alert-rules/sigma/file_event_mimikatz_kirbi_file_creation.yml
diff --git a/rules/Sigma/file_event_moriya_rootkit.yml b/rules/alert-rules/sigma/file_event_moriya_rootkit.yml
similarity index 100%
rename from rules/Sigma/file_event_moriya_rootkit.yml
rename to rules/alert-rules/sigma/file_event_moriya_rootkit.yml
diff --git a/rules/Sigma/file_event_pingback_backdoor.yml b/rules/alert-rules/sigma/file_event_pingback_backdoor.yml
similarity index 100%
rename from rules/Sigma/file_event_pingback_backdoor.yml
rename to rules/alert-rules/sigma/file_event_pingback_backdoor.yml
diff --git a/rules/Sigma/file_event_script_creation_by_office_using_file_ext.yml b/rules/alert-rules/sigma/file_event_script_creation_by_office_using_file_ext.yml
similarity index 100%
rename from rules/Sigma/file_event_script_creation_by_office_using_file_ext.yml
rename to rules/alert-rules/sigma/file_event_script_creation_by_office_using_file_ext.yml
diff --git a/rules/Sigma/file_event_tool_psexec.yml b/rules/alert-rules/sigma/file_event_tool_psexec.yml
similarity index 100%
rename from rules/Sigma/file_event_tool_psexec.yml
rename to rules/alert-rules/sigma/file_event_tool_psexec.yml
diff --git a/rules/Sigma/file_event_uac_bypass_winsat.yml b/rules/alert-rules/sigma/file_event_uac_bypass_winsat.yml
similarity index 100%
rename from rules/Sigma/file_event_uac_bypass_winsat.yml
rename to rules/alert-rules/sigma/file_event_uac_bypass_winsat.yml
diff --git a/rules/Sigma/file_event_uac_bypass_wmp.yml b/rules/alert-rules/sigma/file_event_uac_bypass_wmp.yml
similarity index 100%
rename from rules/Sigma/file_event_uac_bypass_wmp.yml
rename to rules/alert-rules/sigma/file_event_uac_bypass_wmp.yml
diff --git a/rules/Sigma/file_event_winrm_awl_bypass.yml b/rules/alert-rules/sigma/file_event_winrm_awl_bypass.yml
similarity index 100%
rename from rules/Sigma/file_event_winrm_awl_bypass.yml
rename to rules/alert-rules/sigma/file_event_winrm_awl_bypass.yml
diff --git a/rules/Sigma/file_event_wmiprvse_wbemcomn_dll_hijack.yml b/rules/alert-rules/sigma/file_event_wmiprvse_wbemcomn_dll_hijack.yml
similarity index 100%
rename from rules/Sigma/file_event_wmiprvse_wbemcomn_dll_hijack.yml
rename to rules/alert-rules/sigma/file_event_wmiprvse_wbemcomn_dll_hijack.yml
diff --git a/rules/Sigma/image_load_pingback_backdoor.yml b/rules/alert-rules/sigma/image_load_pingback_backdoor.yml
similarity index 100%
rename from rules/Sigma/image_load_pingback_backdoor.yml
rename to rules/alert-rules/sigma/image_load_pingback_backdoor.yml
diff --git a/rules/Sigma/image_load_silenttrinity_stage_use.yml b/rules/alert-rules/sigma/image_load_silenttrinity_stage_use.yml
similarity index 100%
rename from rules/Sigma/image_load_silenttrinity_stage_use.yml
rename to rules/alert-rules/sigma/image_load_silenttrinity_stage_use.yml
diff --git a/rules/Sigma/image_load_wmiprvse_wbemcomn_dll_hijack.yml b/rules/alert-rules/sigma/image_load_wmiprvse_wbemcomn_dll_hijack.yml
similarity index 100%
rename from rules/Sigma/image_load_wmiprvse_wbemcomn_dll_hijack.yml
rename to rules/alert-rules/sigma/image_load_wmiprvse_wbemcomn_dll_hijack.yml
diff --git a/rules/Sigma/pipe_created_tool_psexec.yml b/rules/alert-rules/sigma/pipe_created_tool_psexec.yml
similarity index 100%
rename from rules/Sigma/pipe_created_tool_psexec.yml
rename to rules/alert-rules/sigma/pipe_created_tool_psexec.yml
diff --git a/rules/Sigma/powershell_accessing_win_api.yml b/rules/alert-rules/sigma/powershell_accessing_win_api.yml
similarity index 100%
rename from rules/Sigma/powershell_accessing_win_api.yml
rename to rules/alert-rules/sigma/powershell_accessing_win_api.yml
diff --git a/rules/Sigma/powershell_adrecon_execution.yml b/rules/alert-rules/sigma/powershell_adrecon_execution.yml
similarity index 100%
rename from rules/Sigma/powershell_adrecon_execution.yml
rename to rules/alert-rules/sigma/powershell_adrecon_execution.yml
diff --git a/rules/Sigma/powershell_alternate_powershell_hosts.yml b/rules/alert-rules/sigma/powershell_alternate_powershell_hosts.yml
similarity index 100%
rename from rules/Sigma/powershell_alternate_powershell_hosts.yml
rename to rules/alert-rules/sigma/powershell_alternate_powershell_hosts.yml
diff --git a/rules/Sigma/powershell_automated_collection.yml b/rules/alert-rules/sigma/powershell_automated_collection.yml
similarity index 100%
rename from rules/Sigma/powershell_automated_collection.yml
rename to rules/alert-rules/sigma/powershell_automated_collection.yml
diff --git a/rules/Sigma/powershell_azurehound_commands.yml b/rules/alert-rules/sigma/powershell_azurehound_commands.yml
similarity index 100%
rename from rules/Sigma/powershell_azurehound_commands.yml
rename to rules/alert-rules/sigma/powershell_azurehound_commands.yml
diff --git a/rules/Sigma/powershell_bad_opsec_artifacts.yml b/rules/alert-rules/sigma/powershell_bad_opsec_artifacts.yml
similarity index 100%
rename from rules/Sigma/powershell_bad_opsec_artifacts.yml
rename to rules/alert-rules/sigma/powershell_bad_opsec_artifacts.yml
diff --git a/rules/Sigma/powershell_cl_invocation_lolscript.yml b/rules/alert-rules/sigma/powershell_cl_invocation_lolscript.yml
similarity index 100%
rename from rules/Sigma/powershell_cl_invocation_lolscript.yml
rename to rules/alert-rules/sigma/powershell_cl_invocation_lolscript.yml
diff --git a/rules/Sigma/powershell_cl_invocation_lolscript_count.yml b/rules/alert-rules/sigma/powershell_cl_invocation_lolscript_count.yml
similarity index 100%
rename from rules/Sigma/powershell_cl_invocation_lolscript_count.yml
rename to rules/alert-rules/sigma/powershell_cl_invocation_lolscript_count.yml
diff --git a/rules/Sigma/powershell_cl_mutexverifiers_lolscript.yml b/rules/alert-rules/sigma/powershell_cl_mutexverifiers_lolscript.yml
similarity index 100%
rename from rules/Sigma/powershell_cl_mutexverifiers_lolscript.yml
rename to rules/alert-rules/sigma/powershell_cl_mutexverifiers_lolscript.yml
diff --git a/rules/Sigma/powershell_cl_mutexverifiers_lolscript_count.yml b/rules/alert-rules/sigma/powershell_cl_mutexverifiers_lolscript_count.yml
similarity index 100%
rename from rules/Sigma/powershell_cl_mutexverifiers_lolscript_count.yml
rename to rules/alert-rules/sigma/powershell_cl_mutexverifiers_lolscript_count.yml
diff --git a/rules/Sigma/powershell_classic_alternate_powershell_hosts.yml b/rules/alert-rules/sigma/powershell_classic_alternate_powershell_hosts.yml
similarity index 100%
rename from rules/Sigma/powershell_classic_alternate_powershell_hosts.yml
rename to rules/alert-rules/sigma/powershell_classic_alternate_powershell_hosts.yml
diff --git a/rules/Sigma/powershell_classic_powercat.yml b/rules/alert-rules/sigma/powershell_classic_powercat.yml
similarity index 100%
rename from rules/Sigma/powershell_classic_powercat.yml
rename to rules/alert-rules/sigma/powershell_classic_powercat.yml
diff --git a/rules/Sigma/powershell_classic_remote_powershell_session.yml b/rules/alert-rules/sigma/powershell_classic_remote_powershell_session.yml
similarity index 100%
rename from rules/Sigma/powershell_classic_remote_powershell_session.yml
rename to rules/alert-rules/sigma/powershell_classic_remote_powershell_session.yml
diff --git a/rules/Sigma/powershell_classic_susp_athremotefxvgpudisablementcommand.yml b/rules/alert-rules/sigma/powershell_classic_susp_athremotefxvgpudisablementcommand.yml
similarity index 100%
rename from rules/Sigma/powershell_classic_susp_athremotefxvgpudisablementcommand.yml
rename to rules/alert-rules/sigma/powershell_classic_susp_athremotefxvgpudisablementcommand.yml
diff --git a/rules/Sigma/powershell_classic_susp_zip_compress.yml b/rules/alert-rules/sigma/powershell_classic_susp_zip_compress.yml
similarity index 100%
rename from rules/Sigma/powershell_classic_susp_zip_compress.yml
rename to rules/alert-rules/sigma/powershell_classic_susp_zip_compress.yml
diff --git a/rules/Sigma/powershell_classic_suspicious_download.yml b/rules/alert-rules/sigma/powershell_classic_suspicious_download.yml
similarity index 100%
rename from rules/Sigma/powershell_classic_suspicious_download.yml
rename to rules/alert-rules/sigma/powershell_classic_suspicious_download.yml
diff --git a/rules/Sigma/powershell_clear_powershell_history.yml b/rules/alert-rules/sigma/powershell_clear_powershell_history.yml
similarity index 100%
rename from rules/Sigma/powershell_clear_powershell_history.yml
rename to rules/alert-rules/sigma/powershell_clear_powershell_history.yml
diff --git a/rules/Sigma/powershell_create_local_user.yml b/rules/alert-rules/sigma/powershell_create_local_user.yml
similarity index 100%
rename from rules/Sigma/powershell_create_local_user.yml
rename to rules/alert-rules/sigma/powershell_create_local_user.yml
diff --git a/rules/Sigma/powershell_data_compressed.yml b/rules/alert-rules/sigma/powershell_data_compressed.yml
similarity index 100%
rename from rules/Sigma/powershell_data_compressed.yml
rename to rules/alert-rules/sigma/powershell_data_compressed.yml
diff --git a/rules/Sigma/powershell_decompress_commands.yml b/rules/alert-rules/sigma/powershell_decompress_commands.yml
similarity index 100%
rename from rules/Sigma/powershell_decompress_commands.yml
rename to rules/alert-rules/sigma/powershell_decompress_commands.yml
diff --git a/rules/Sigma/powershell_delete_volume_shadow_copies.yml b/rules/alert-rules/sigma/powershell_delete_volume_shadow_copies.yml
similarity index 100%
rename from rules/Sigma/powershell_delete_volume_shadow_copies.yml
rename to rules/alert-rules/sigma/powershell_delete_volume_shadow_copies.yml
diff --git a/rules/Sigma/powershell_detect_vm_env.yml b/rules/alert-rules/sigma/powershell_detect_vm_env.yml
similarity index 100%
rename from rules/Sigma/powershell_detect_vm_env.yml
rename to rules/alert-rules/sigma/powershell_detect_vm_env.yml
diff --git a/rules/Sigma/powershell_dnscat_execution.yml b/rules/alert-rules/sigma/powershell_dnscat_execution.yml
similarity index 100%
rename from rules/Sigma/powershell_dnscat_execution.yml
rename to rules/alert-rules/sigma/powershell_dnscat_execution.yml
diff --git a/rules/Sigma/powershell_downgrade_attack.yml b/rules/alert-rules/sigma/powershell_downgrade_attack.yml
similarity index 100%
rename from rules/Sigma/powershell_downgrade_attack.yml
rename to rules/alert-rules/sigma/powershell_downgrade_attack.yml
diff --git a/rules/Sigma/powershell_exe_calling_ps.yml b/rules/alert-rules/sigma/powershell_exe_calling_ps.yml
similarity index 100%
rename from rules/Sigma/powershell_exe_calling_ps.yml
rename to rules/alert-rules/sigma/powershell_exe_calling_ps.yml
diff --git a/rules/Sigma/powershell_get_clipboard.yml b/rules/alert-rules/sigma/powershell_get_clipboard.yml
similarity index 100%
rename from rules/Sigma/powershell_get_clipboard.yml
rename to rules/alert-rules/sigma/powershell_get_clipboard.yml
diff --git a/rules/Sigma/powershell_icmp_exfiltration.yml b/rules/alert-rules/sigma/powershell_icmp_exfiltration.yml
similarity index 100%
rename from rules/Sigma/powershell_icmp_exfiltration.yml
rename to rules/alert-rules/sigma/powershell_icmp_exfiltration.yml
diff --git a/rules/Sigma/powershell_invoke_nightmare.yml b/rules/alert-rules/sigma/powershell_invoke_nightmare.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_nightmare.yml
rename to rules/alert-rules/sigma/powershell_invoke_nightmare.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_clip.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_clip.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_clip.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_clip.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_obfuscated_iex.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_obfuscated_iex.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_obfuscated_iex.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_stdin.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_stdin.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_stdin.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_stdin.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_var.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_var.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_var.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_var.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_var_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_compress.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_compress.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_via_compress.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_via_compress.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_rundll.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_rundll.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_via_rundll.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_via_rundll.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_stdin.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_stdin.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_via_stdin.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_via_stdin.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_use_clip.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_clip.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_via_use_clip.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_clip.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_mhsta.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_via_use_mhsta.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_mhsta.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_rundll32.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_via_use_rundll32.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_rundll32.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_var.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_var.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_via_var.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_via_var.yml
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
similarity index 100%
rename from rules/Sigma/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
rename to rules/alert-rules/sigma/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
diff --git a/rules/Sigma/powershell_keylogging.yml b/rules/alert-rules/sigma/powershell_keylogging.yml
similarity index 100%
rename from rules/Sigma/powershell_keylogging.yml
rename to rules/alert-rules/sigma/powershell_keylogging.yml
diff --git a/rules/Sigma/powershell_malicious_commandlets.yml b/rules/alert-rules/sigma/powershell_malicious_commandlets.yml
similarity index 100%
rename from rules/Sigma/powershell_malicious_commandlets.yml
rename to rules/alert-rules/sigma/powershell_malicious_commandlets.yml
diff --git a/rules/Sigma/powershell_malicious_keywords.yml b/rules/alert-rules/sigma/powershell_malicious_keywords.yml
similarity index 100%
rename from rules/Sigma/powershell_malicious_keywords.yml
rename to rules/alert-rules/sigma/powershell_malicious_keywords.yml
diff --git a/rules/Sigma/powershell_memorydump_getstoragediagnosticinfo.yml b/rules/alert-rules/sigma/powershell_memorydump_getstoragediagnosticinfo.yml
similarity index 100%
rename from rules/Sigma/powershell_memorydump_getstoragediagnosticinfo.yml
rename to rules/alert-rules/sigma/powershell_memorydump_getstoragediagnosticinfo.yml
diff --git a/rules/Sigma/powershell_nishang_malicious_commandlets.yml b/rules/alert-rules/sigma/powershell_nishang_malicious_commandlets.yml
similarity index 100%
rename from rules/Sigma/powershell_nishang_malicious_commandlets.yml
rename to rules/alert-rules/sigma/powershell_nishang_malicious_commandlets.yml
diff --git a/rules/Sigma/powershell_ntfs_ads_access.yml b/rules/alert-rules/sigma/powershell_ntfs_ads_access.yml
similarity index 100%
rename from rules/Sigma/powershell_ntfs_ads_access.yml
rename to rules/alert-rules/sigma/powershell_ntfs_ads_access.yml
diff --git a/rules/Sigma/powershell_powercat.yml b/rules/alert-rules/sigma/powershell_powercat.yml
similarity index 100%
rename from rules/Sigma/powershell_powercat.yml
rename to rules/alert-rules/sigma/powershell_powercat.yml
diff --git a/rules/Sigma/powershell_powerview_malicious_commandlets.yml b/rules/alert-rules/sigma/powershell_powerview_malicious_commandlets.yml
similarity index 100%
rename from rules/Sigma/powershell_powerview_malicious_commandlets.yml
rename to rules/alert-rules/sigma/powershell_powerview_malicious_commandlets.yml
diff --git a/rules/Sigma/powershell_prompt_credentials.yml b/rules/alert-rules/sigma/powershell_prompt_credentials.yml
similarity index 100%
rename from rules/Sigma/powershell_prompt_credentials.yml
rename to rules/alert-rules/sigma/powershell_prompt_credentials.yml
diff --git a/rules/Sigma/powershell_psattack.yml b/rules/alert-rules/sigma/powershell_psattack.yml
similarity index 100%
rename from rules/Sigma/powershell_psattack.yml
rename to rules/alert-rules/sigma/powershell_psattack.yml
diff --git a/rules/Sigma/powershell_remote_powershell_session.yml b/rules/alert-rules/sigma/powershell_remote_powershell_session.yml
similarity index 100%
rename from rules/Sigma/powershell_remote_powershell_session.yml
rename to rules/alert-rules/sigma/powershell_remote_powershell_session.yml
diff --git a/rules/Sigma/powershell_renamed_powershell.yml b/rules/alert-rules/sigma/powershell_renamed_powershell.yml
similarity index 100%
rename from rules/Sigma/powershell_renamed_powershell.yml
rename to rules/alert-rules/sigma/powershell_renamed_powershell.yml
diff --git a/rules/Sigma/powershell_set_policies_to_unsecure_level.yml b/rules/alert-rules/sigma/powershell_set_policies_to_unsecure_level.yml
similarity index 100%
rename from rules/Sigma/powershell_set_policies_to_unsecure_level.yml
rename to rules/alert-rules/sigma/powershell_set_policies_to_unsecure_level.yml
diff --git a/rules/Sigma/powershell_shellcode_b64.yml b/rules/alert-rules/sigma/powershell_shellcode_b64.yml
similarity index 100%
rename from rules/Sigma/powershell_shellcode_b64.yml
rename to rules/alert-rules/sigma/powershell_shellcode_b64.yml
diff --git a/rules/Sigma/powershell_shellintel_malicious_commandlets.yml b/rules/alert-rules/sigma/powershell_shellintel_malicious_commandlets.yml
similarity index 100%
rename from rules/Sigma/powershell_shellintel_malicious_commandlets.yml
rename to rules/alert-rules/sigma/powershell_shellintel_malicious_commandlets.yml
diff --git a/rules/Sigma/powershell_software_discovery.yml b/rules/alert-rules/sigma/powershell_software_discovery.yml
similarity index 100%
rename from rules/Sigma/powershell_software_discovery.yml
rename to rules/alert-rules/sigma/powershell_software_discovery.yml
diff --git a/rules/Sigma/powershell_store_file_in_alternate_data_stream.yml b/rules/alert-rules/sigma/powershell_store_file_in_alternate_data_stream.yml
similarity index 100%
rename from rules/Sigma/powershell_store_file_in_alternate_data_stream.yml
rename to rules/alert-rules/sigma/powershell_store_file_in_alternate_data_stream.yml
diff --git a/rules/Sigma/powershell_susp_athremotefxvgpudisablementcommand.yml b/rules/alert-rules/sigma/powershell_susp_athremotefxvgpudisablementcommand.yml
similarity index 100%
rename from rules/Sigma/powershell_susp_athremotefxvgpudisablementcommand.yml
rename to rules/alert-rules/sigma/powershell_susp_athremotefxvgpudisablementcommand.yml
diff --git a/rules/Sigma/powershell_susp_zip_compress.yml b/rules/alert-rules/sigma/powershell_susp_zip_compress.yml
similarity index 100%
rename from rules/Sigma/powershell_susp_zip_compress.yml
rename to rules/alert-rules/sigma/powershell_susp_zip_compress.yml
diff --git a/rules/Sigma/powershell_susp_zip_compress_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_susp_zip_compress_in_scriptblocktext.yml
similarity index 100%
rename from rules/Sigma/powershell_susp_zip_compress_in_scriptblocktext.yml
rename to rules/alert-rules/sigma/powershell_susp_zip_compress_in_scriptblocktext.yml
diff --git a/rules/Sigma/powershell_suspicious_download.yml b/rules/alert-rules/sigma/powershell_suspicious_download.yml
similarity index 100%
rename from rules/Sigma/powershell_suspicious_download.yml
rename to rules/alert-rules/sigma/powershell_suspicious_download.yml
diff --git a/rules/Sigma/powershell_suspicious_download_in_contextinfo.yml b/rules/alert-rules/sigma/powershell_suspicious_download_in_contextinfo.yml
similarity index 100%
rename from rules/Sigma/powershell_suspicious_download_in_contextinfo.yml
rename to rules/alert-rules/sigma/powershell_suspicious_download_in_contextinfo.yml
diff --git a/rules/Sigma/powershell_suspicious_download_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_suspicious_download_in_scriptblocktext.yml
similarity index 100%
rename from rules/Sigma/powershell_suspicious_download_in_scriptblocktext.yml
rename to rules/alert-rules/sigma/powershell_suspicious_download_in_scriptblocktext.yml
diff --git a/rules/Sigma/powershell_suspicious_export_pfxcertificate.yml b/rules/alert-rules/sigma/powershell_suspicious_export_pfxcertificate.yml
similarity index 100%
rename from rules/Sigma/powershell_suspicious_export_pfxcertificate.yml
rename to rules/alert-rules/sigma/powershell_suspicious_export_pfxcertificate.yml
diff --git a/rules/Sigma/powershell_suspicious_getprocess_lsass.yml b/rules/alert-rules/sigma/powershell_suspicious_getprocess_lsass.yml
similarity index 100%
rename from rules/Sigma/powershell_suspicious_getprocess_lsass.yml
rename to rules/alert-rules/sigma/powershell_suspicious_getprocess_lsass.yml
diff --git a/rules/Sigma/powershell_suspicious_invocation_generic.yml b/rules/alert-rules/sigma/powershell_suspicious_invocation_generic.yml
similarity index 100%
rename from rules/Sigma/powershell_suspicious_invocation_generic.yml
rename to rules/alert-rules/sigma/powershell_suspicious_invocation_generic.yml
diff --git a/rules/Sigma/powershell_suspicious_invocation_generic_in_contextinfo.yml b/rules/alert-rules/sigma/powershell_suspicious_invocation_generic_in_contextinfo.yml
similarity index 100%
rename from rules/Sigma/powershell_suspicious_invocation_generic_in_contextinfo.yml
rename to rules/alert-rules/sigma/powershell_suspicious_invocation_generic_in_contextinfo.yml
diff --git a/rules/Sigma/powershell_suspicious_invocation_generic_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_suspicious_invocation_generic_in_scriptblocktext.yml
similarity index 100%
rename from rules/Sigma/powershell_suspicious_invocation_generic_in_scriptblocktext.yml
rename to rules/alert-rules/sigma/powershell_suspicious_invocation_generic_in_scriptblocktext.yml
diff --git a/rules/Sigma/powershell_suspicious_invocation_specific.yml b/rules/alert-rules/sigma/powershell_suspicious_invocation_specific.yml
similarity index 100%
rename from rules/Sigma/powershell_suspicious_invocation_specific.yml
rename to rules/alert-rules/sigma/powershell_suspicious_invocation_specific.yml
diff --git a/rules/Sigma/powershell_suspicious_invocation_specific_in_contextinfo.yml b/rules/alert-rules/sigma/powershell_suspicious_invocation_specific_in_contextinfo.yml
similarity index 100%
rename from rules/Sigma/powershell_suspicious_invocation_specific_in_contextinfo.yml
rename to rules/alert-rules/sigma/powershell_suspicious_invocation_specific_in_contextinfo.yml
diff --git a/rules/Sigma/powershell_suspicious_invocation_specific_in_scripblocktext.yml b/rules/alert-rules/sigma/powershell_suspicious_invocation_specific_in_scripblocktext.yml
similarity index 100%
rename from rules/Sigma/powershell_suspicious_invocation_specific_in_scripblocktext.yml
rename to rules/alert-rules/sigma/powershell_suspicious_invocation_specific_in_scripblocktext.yml
diff --git a/rules/Sigma/powershell_suspicious_keywords.yml b/rules/alert-rules/sigma/powershell_suspicious_keywords.yml
similarity index 100%
rename from rules/Sigma/powershell_suspicious_keywords.yml
rename to rules/alert-rules/sigma/powershell_suspicious_keywords.yml
diff --git a/rules/Sigma/powershell_suspicious_mail_acces.yml b/rules/alert-rules/sigma/powershell_suspicious_mail_acces.yml
similarity index 100%
rename from rules/Sigma/powershell_suspicious_mail_acces.yml
rename to rules/alert-rules/sigma/powershell_suspicious_mail_acces.yml
diff --git a/rules/Sigma/powershell_suspicious_mounted_share_deletion.yml b/rules/alert-rules/sigma/powershell_suspicious_mounted_share_deletion.yml
similarity index 100%
rename from rules/Sigma/powershell_suspicious_mounted_share_deletion.yml
rename to rules/alert-rules/sigma/powershell_suspicious_mounted_share_deletion.yml
diff --git a/rules/Sigma/powershell_suspicious_recon.yml b/rules/alert-rules/sigma/powershell_suspicious_recon.yml
similarity index 100%
rename from rules/Sigma/powershell_suspicious_recon.yml
rename to rules/alert-rules/sigma/powershell_suspicious_recon.yml
diff --git a/rules/Sigma/powershell_suspicious_win32_pnpentity.yml b/rules/alert-rules/sigma/powershell_suspicious_win32_pnpentity.yml
similarity index 100%
rename from rules/Sigma/powershell_suspicious_win32_pnpentity.yml
rename to rules/alert-rules/sigma/powershell_suspicious_win32_pnpentity.yml
diff --git a/rules/Sigma/powershell_suspicious_windowstyle.yml b/rules/alert-rules/sigma/powershell_suspicious_windowstyle.yml
similarity index 100%
rename from rules/Sigma/powershell_suspicious_windowstyle.yml
rename to rules/alert-rules/sigma/powershell_suspicious_windowstyle.yml
diff --git a/rules/Sigma/powershell_syncappvpublishingserver_exe.yml b/rules/alert-rules/sigma/powershell_syncappvpublishingserver_exe.yml
similarity index 100%
rename from rules/Sigma/powershell_syncappvpublishingserver_exe.yml
rename to rules/alert-rules/sigma/powershell_syncappvpublishingserver_exe.yml
diff --git a/rules/Sigma/powershell_syncappvpublishingserver_exe_in_contextinfo.yml b/rules/alert-rules/sigma/powershell_syncappvpublishingserver_exe_in_contextinfo.yml
similarity index 100%
rename from rules/Sigma/powershell_syncappvpublishingserver_exe_in_contextinfo.yml
rename to rules/alert-rules/sigma/powershell_syncappvpublishingserver_exe_in_contextinfo.yml
diff --git a/rules/Sigma/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml b/rules/alert-rules/sigma/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml
similarity index 100%
rename from rules/Sigma/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml
rename to rules/alert-rules/sigma/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml
diff --git a/rules/Sigma/powershell_tamper_with_windows_defender.yml b/rules/alert-rules/sigma/powershell_tamper_with_windows_defender.yml
similarity index 100%
rename from rules/Sigma/powershell_tamper_with_windows_defender.yml
rename to rules/alert-rules/sigma/powershell_tamper_with_windows_defender.yml
diff --git a/rules/Sigma/powershell_timestomp.yml b/rules/alert-rules/sigma/powershell_timestomp.yml
similarity index 100%
rename from rules/Sigma/powershell_timestomp.yml
rename to rules/alert-rules/sigma/powershell_timestomp.yml
diff --git a/rules/Sigma/powershell_trigger_profiles.yml b/rules/alert-rules/sigma/powershell_trigger_profiles.yml
similarity index 100%
rename from rules/Sigma/powershell_trigger_profiles.yml
rename to rules/alert-rules/sigma/powershell_trigger_profiles.yml
diff --git a/rules/Sigma/powershell_web_request.yml b/rules/alert-rules/sigma/powershell_web_request.yml
similarity index 100%
rename from rules/Sigma/powershell_web_request.yml
rename to rules/alert-rules/sigma/powershell_web_request.yml
diff --git a/rules/Sigma/powershell_windows_firewall_profile_disabled.yml b/rules/alert-rules/sigma/powershell_windows_firewall_profile_disabled.yml
similarity index 100%
rename from rules/Sigma/powershell_windows_firewall_profile_disabled.yml
rename to rules/alert-rules/sigma/powershell_windows_firewall_profile_disabled.yml
diff --git a/rules/Sigma/powershell_winlogon_helper_dll.yml b/rules/alert-rules/sigma/powershell_winlogon_helper_dll.yml
similarity index 100%
rename from rules/Sigma/powershell_winlogon_helper_dll.yml
rename to rules/alert-rules/sigma/powershell_winlogon_helper_dll.yml
diff --git a/rules/Sigma/powershell_wmi_persistence.yml b/rules/alert-rules/sigma/powershell_wmi_persistence.yml
similarity index 100%
rename from rules/Sigma/powershell_wmi_persistence.yml
rename to rules/alert-rules/sigma/powershell_wmi_persistence.yml
diff --git a/rules/Sigma/powershell_wmimplant.yml b/rules/alert-rules/sigma/powershell_wmimplant.yml
similarity index 100%
rename from rules/Sigma/powershell_wmimplant.yml
rename to rules/alert-rules/sigma/powershell_wmimplant.yml
diff --git a/rules/Sigma/powershell_wsman_com_provider_no_powershell.yml b/rules/alert-rules/sigma/powershell_wsman_com_provider_no_powershell.yml
similarity index 100%
rename from rules/Sigma/powershell_wsman_com_provider_no_powershell.yml
rename to rules/alert-rules/sigma/powershell_wsman_com_provider_no_powershell.yml
diff --git a/rules/Sigma/powershell_xor_commandline.yml b/rules/alert-rules/sigma/powershell_xor_commandline.yml
similarity index 100%
rename from rules/Sigma/powershell_xor_commandline.yml
rename to rules/alert-rules/sigma/powershell_xor_commandline.yml
diff --git a/rules/Sigma/process_creation_abusing_windows_telemetry_for_persistence.yml b/rules/alert-rules/sigma/process_creation_abusing_windows_telemetry_for_persistence.yml
similarity index 100%
rename from rules/Sigma/process_creation_abusing_windows_telemetry_for_persistence.yml
rename to rules/alert-rules/sigma/process_creation_abusing_windows_telemetry_for_persistence.yml
diff --git a/rules/Sigma/process_creation_advanced_ip_scanner.yml b/rules/alert-rules/sigma/process_creation_advanced_ip_scanner.yml
similarity index 100%
rename from rules/Sigma/process_creation_advanced_ip_scanner.yml
rename to rules/alert-rules/sigma/process_creation_advanced_ip_scanner.yml
diff --git a/rules/Sigma/process_creation_alternate_data_streams.yml b/rules/alert-rules/sigma/process_creation_alternate_data_streams.yml
similarity index 100%
rename from rules/Sigma/process_creation_alternate_data_streams.yml
rename to rules/alert-rules/sigma/process_creation_alternate_data_streams.yml
diff --git a/rules/Sigma/process_creation_apt_gallium.yml b/rules/alert-rules/sigma/process_creation_apt_gallium.yml
similarity index 100%
rename from rules/Sigma/process_creation_apt_gallium.yml
rename to rules/alert-rules/sigma/process_creation_apt_gallium.yml
diff --git a/rules/Sigma/process_creation_apt_gallium_sha1.yml b/rules/alert-rules/sigma/process_creation_apt_gallium_sha1.yml
similarity index 100%
rename from rules/Sigma/process_creation_apt_gallium_sha1.yml
rename to rules/alert-rules/sigma/process_creation_apt_gallium_sha1.yml
diff --git a/rules/Sigma/process_creation_apt_pandemic.yml b/rules/alert-rules/sigma/process_creation_apt_pandemic.yml
similarity index 100%
rename from rules/Sigma/process_creation_apt_pandemic.yml
rename to rules/alert-rules/sigma/process_creation_apt_pandemic.yml
diff --git a/rules/Sigma/process_creation_apt_slingshot.yml b/rules/alert-rules/sigma/process_creation_apt_slingshot.yml
similarity index 100%
rename from rules/Sigma/process_creation_apt_slingshot.yml
rename to rules/alert-rules/sigma/process_creation_apt_slingshot.yml
diff --git a/rules/Sigma/process_creation_apt_turla_commands_critical.yml b/rules/alert-rules/sigma/process_creation_apt_turla_commands_critical.yml
similarity index 100%
rename from rules/Sigma/process_creation_apt_turla_commands_critical.yml
rename to rules/alert-rules/sigma/process_creation_apt_turla_commands_critical.yml
diff --git a/rules/Sigma/process_creation_apt_wocao.yml b/rules/alert-rules/sigma/process_creation_apt_wocao.yml
similarity index 100%
rename from rules/Sigma/process_creation_apt_wocao.yml
rename to rules/alert-rules/sigma/process_creation_apt_wocao.yml
diff --git a/rules/Sigma/process_creation_automated_collection.yml b/rules/alert-rules/sigma/process_creation_automated_collection.yml
similarity index 100%
rename from rules/Sigma/process_creation_automated_collection.yml
rename to rules/alert-rules/sigma/process_creation_automated_collection.yml
diff --git a/rules/Sigma/process_creation_c3_load_by_rundll32.yml b/rules/alert-rules/sigma/process_creation_c3_load_by_rundll32.yml
similarity index 100%
rename from rules/Sigma/process_creation_c3_load_by_rundll32.yml
rename to rules/alert-rules/sigma/process_creation_c3_load_by_rundll32.yml
diff --git a/rules/Sigma/process_creation_certoc_execution.yml b/rules/alert-rules/sigma/process_creation_certoc_execution.yml
similarity index 100%
rename from rules/Sigma/process_creation_certoc_execution.yml
rename to rules/alert-rules/sigma/process_creation_certoc_execution.yml
diff --git a/rules/Sigma/process_creation_clip.yml b/rules/alert-rules/sigma/process_creation_clip.yml
similarity index 100%
rename from rules/Sigma/process_creation_clip.yml
rename to rules/alert-rules/sigma/process_creation_clip.yml
diff --git a/rules/Sigma/process_creation_cobaltstrike_load_by_rundll32.yml b/rules/alert-rules/sigma/process_creation_cobaltstrike_load_by_rundll32.yml
similarity index 100%
rename from rules/Sigma/process_creation_cobaltstrike_load_by_rundll32.yml
rename to rules/alert-rules/sigma/process_creation_cobaltstrike_load_by_rundll32.yml
diff --git a/rules/Sigma/process_creation_conti_cmd_ransomware.yml b/rules/alert-rules/sigma/process_creation_conti_cmd_ransomware.yml
similarity index 100%
rename from rules/Sigma/process_creation_conti_cmd_ransomware.yml
rename to rules/alert-rules/sigma/process_creation_conti_cmd_ransomware.yml
diff --git a/rules/Sigma/process_creation_coti_sqlcmd.yml b/rules/alert-rules/sigma/process_creation_coti_sqlcmd.yml
similarity index 100%
rename from rules/Sigma/process_creation_coti_sqlcmd.yml
rename to rules/alert-rules/sigma/process_creation_coti_sqlcmd.yml
diff --git a/rules/Sigma/process_creation_discover_private_keys.yml b/rules/alert-rules/sigma/process_creation_discover_private_keys.yml
similarity index 100%
rename from rules/Sigma/process_creation_discover_private_keys.yml
rename to rules/alert-rules/sigma/process_creation_discover_private_keys.yml
diff --git a/rules/Sigma/process_creation_dns_serverlevelplugindll.yml b/rules/alert-rules/sigma/process_creation_dns_serverlevelplugindll.yml
similarity index 100%
rename from rules/Sigma/process_creation_dns_serverlevelplugindll.yml
rename to rules/alert-rules/sigma/process_creation_dns_serverlevelplugindll.yml
diff --git a/rules/Sigma/process_creation_dotnet.yml b/rules/alert-rules/sigma/process_creation_dotnet.yml
similarity index 100%
rename from rules/Sigma/process_creation_dotnet.yml
rename to rules/alert-rules/sigma/process_creation_dotnet.yml
diff --git a/rules/Sigma/process_creation_hack_dumpert.yml b/rules/alert-rules/sigma/process_creation_hack_dumpert.yml
similarity index 100%
rename from rules/Sigma/process_creation_hack_dumpert.yml
rename to rules/alert-rules/sigma/process_creation_hack_dumpert.yml
diff --git a/rules/Sigma/process_creation_infdefaultinstall.yml b/rules/alert-rules/sigma/process_creation_infdefaultinstall.yml
similarity index 100%
rename from rules/Sigma/process_creation_infdefaultinstall.yml
rename to rules/alert-rules/sigma/process_creation_infdefaultinstall.yml
diff --git a/rules/Sigma/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml b/rules/alert-rules/sigma/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
similarity index 100%
rename from rules/Sigma/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
rename to rules/alert-rules/sigma/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
diff --git a/rules/Sigma/process_creation_lolbins_by_office_applications.yml b/rules/alert-rules/sigma/process_creation_lolbins_by_office_applications.yml
similarity index 100%
rename from rules/Sigma/process_creation_lolbins_by_office_applications.yml
rename to rules/alert-rules/sigma/process_creation_lolbins_by_office_applications.yml
diff --git a/rules/Sigma/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml b/rules/alert-rules/sigma/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
similarity index 100%
rename from rules/Sigma/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
rename to rules/alert-rules/sigma/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
diff --git a/rules/Sigma/process_creation_lolbins_with_wmiprvse_parent_process.yml b/rules/alert-rules/sigma/process_creation_lolbins_with_wmiprvse_parent_process.yml
similarity index 100%
rename from rules/Sigma/process_creation_lolbins_with_wmiprvse_parent_process.yml
rename to rules/alert-rules/sigma/process_creation_lolbins_with_wmiprvse_parent_process.yml
diff --git a/rules/Sigma/process_creation_mal_blue_mockingbird.yml b/rules/alert-rules/sigma/process_creation_mal_blue_mockingbird.yml
similarity index 100%
rename from rules/Sigma/process_creation_mal_blue_mockingbird.yml
rename to rules/alert-rules/sigma/process_creation_mal_blue_mockingbird.yml
diff --git a/rules/Sigma/process_creation_mal_darkside_ransomware.yml b/rules/alert-rules/sigma/process_creation_mal_darkside_ransomware.yml
similarity index 100%
rename from rules/Sigma/process_creation_mal_darkside_ransomware.yml
rename to rules/alert-rules/sigma/process_creation_mal_darkside_ransomware.yml
diff --git a/rules/Sigma/process_creation_mal_lockergoga_ransomware.yml b/rules/alert-rules/sigma/process_creation_mal_lockergoga_ransomware.yml
similarity index 100%
rename from rules/Sigma/process_creation_mal_lockergoga_ransomware.yml
rename to rules/alert-rules/sigma/process_creation_mal_lockergoga_ransomware.yml
diff --git a/rules/Sigma/process_creation_mal_ryuk.yml b/rules/alert-rules/sigma/process_creation_mal_ryuk.yml
similarity index 100%
rename from rules/Sigma/process_creation_mal_ryuk.yml
rename to rules/alert-rules/sigma/process_creation_mal_ryuk.yml
diff --git a/rules/Sigma/process_creation_msdeploy.yml b/rules/alert-rules/sigma/process_creation_msdeploy.yml
similarity index 100%
rename from rules/Sigma/process_creation_msdeploy.yml
rename to rules/alert-rules/sigma/process_creation_msdeploy.yml
diff --git a/rules/Sigma/process_creation_office_applications_spawning_wmi_commandline.yml b/rules/alert-rules/sigma/process_creation_office_applications_spawning_wmi_commandline.yml
similarity index 100%
rename from rules/Sigma/process_creation_office_applications_spawning_wmi_commandline.yml
rename to rules/alert-rules/sigma/process_creation_office_applications_spawning_wmi_commandline.yml
diff --git a/rules/Sigma/process_creation_office_from_proxy_executing_regsvr32_payload.yml b/rules/alert-rules/sigma/process_creation_office_from_proxy_executing_regsvr32_payload.yml
similarity index 100%
rename from rules/Sigma/process_creation_office_from_proxy_executing_regsvr32_payload.yml
rename to rules/alert-rules/sigma/process_creation_office_from_proxy_executing_regsvr32_payload.yml
diff --git a/rules/Sigma/process_creation_office_from_proxy_executing_regsvr32_payload2.yml b/rules/alert-rules/sigma/process_creation_office_from_proxy_executing_regsvr32_payload2.yml
similarity index 100%
rename from rules/Sigma/process_creation_office_from_proxy_executing_regsvr32_payload2.yml
rename to rules/alert-rules/sigma/process_creation_office_from_proxy_executing_regsvr32_payload2.yml
diff --git a/rules/Sigma/process_creation_office_spawning_wmi_commandline.yml b/rules/alert-rules/sigma/process_creation_office_spawning_wmi_commandline.yml
similarity index 100%
rename from rules/Sigma/process_creation_office_spawning_wmi_commandline.yml
rename to rules/alert-rules/sigma/process_creation_office_spawning_wmi_commandline.yml
diff --git a/rules/Sigma/process_creation_pingback_backdoor.yml b/rules/alert-rules/sigma/process_creation_pingback_backdoor.yml
similarity index 100%
rename from rules/Sigma/process_creation_pingback_backdoor.yml
rename to rules/alert-rules/sigma/process_creation_pingback_backdoor.yml
diff --git a/rules/Sigma/process_creation_protocolhandler_suspicious_file.yml b/rules/alert-rules/sigma/process_creation_protocolhandler_suspicious_file.yml
similarity index 100%
rename from rules/Sigma/process_creation_protocolhandler_suspicious_file.yml
rename to rules/alert-rules/sigma/process_creation_protocolhandler_suspicious_file.yml
diff --git a/rules/Sigma/process_creation_root_certificate_installed.yml b/rules/alert-rules/sigma/process_creation_root_certificate_installed.yml
similarity index 100%
rename from rules/Sigma/process_creation_root_certificate_installed.yml
rename to rules/alert-rules/sigma/process_creation_root_certificate_installed.yml
diff --git a/rules/Sigma/process_creation_sdelete.yml b/rules/alert-rules/sigma/process_creation_sdelete.yml
similarity index 100%
rename from rules/Sigma/process_creation_sdelete.yml
rename to rules/alert-rules/sigma/process_creation_sdelete.yml
diff --git a/rules/Sigma/process_creation_software_discovery.yml b/rules/alert-rules/sigma/process_creation_software_discovery.yml
similarity index 100%
rename from rules/Sigma/process_creation_software_discovery.yml
rename to rules/alert-rules/sigma/process_creation_software_discovery.yml
diff --git a/rules/Sigma/process_creation_stickykey_like_backdoor.yml b/rules/alert-rules/sigma/process_creation_stickykey_like_backdoor.yml
similarity index 100%
rename from rules/Sigma/process_creation_stickykey_like_backdoor.yml
rename to rules/alert-rules/sigma/process_creation_stickykey_like_backdoor.yml
diff --git a/rules/Sigma/process_creation_stordiag_execution.yml b/rules/alert-rules/sigma/process_creation_stordiag_execution.yml
similarity index 100%
rename from rules/Sigma/process_creation_stordiag_execution.yml
rename to rules/alert-rules/sigma/process_creation_stordiag_execution.yml
diff --git a/rules/Sigma/process_creation_susp_7z.yml b/rules/alert-rules/sigma/process_creation_susp_7z.yml
similarity index 100%
rename from rules/Sigma/process_creation_susp_7z.yml
rename to rules/alert-rules/sigma/process_creation_susp_7z.yml
diff --git a/rules/Sigma/process_creation_susp_athremotefxvgpudisablementcommand.yml b/rules/alert-rules/sigma/process_creation_susp_athremotefxvgpudisablementcommand.yml
similarity index 100%
rename from rules/Sigma/process_creation_susp_athremotefxvgpudisablementcommand.yml
rename to rules/alert-rules/sigma/process_creation_susp_athremotefxvgpudisablementcommand.yml
diff --git a/rules/Sigma/process_creation_susp_del.yml b/rules/alert-rules/sigma/process_creation_susp_del.yml
similarity index 100%
rename from rules/Sigma/process_creation_susp_del.yml
rename to rules/alert-rules/sigma/process_creation_susp_del.yml
diff --git a/rules/Sigma/process_creation_susp_recon.yml b/rules/alert-rules/sigma/process_creation_susp_recon.yml
similarity index 100%
rename from rules/Sigma/process_creation_susp_recon.yml
rename to rules/alert-rules/sigma/process_creation_susp_recon.yml
diff --git a/rules/Sigma/process_creation_susp_web_request_cmd.yml b/rules/alert-rules/sigma/process_creation_susp_web_request_cmd.yml
similarity index 100%
rename from rules/Sigma/process_creation_susp_web_request_cmd.yml
rename to rules/alert-rules/sigma/process_creation_susp_web_request_cmd.yml
diff --git a/rules/Sigma/process_creation_susp_winzip.yml b/rules/alert-rules/sigma/process_creation_susp_winzip.yml
similarity index 100%
rename from rules/Sigma/process_creation_susp_winzip.yml
rename to rules/alert-rules/sigma/process_creation_susp_winzip.yml
diff --git a/rules/Sigma/process_creation_susp_zip_compress.yml b/rules/alert-rules/sigma/process_creation_susp_zip_compress.yml
similarity index 100%
rename from rules/Sigma/process_creation_susp_zip_compress.yml
rename to rules/alert-rules/sigma/process_creation_susp_zip_compress.yml
diff --git a/rules/Sigma/process_creation_syncappvpublishingserver_exe.yml b/rules/alert-rules/sigma/process_creation_syncappvpublishingserver_exe.yml
similarity index 100%
rename from rules/Sigma/process_creation_syncappvpublishingserver_exe.yml
rename to rules/alert-rules/sigma/process_creation_syncappvpublishingserver_exe.yml
diff --git a/rules/Sigma/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml b/rules/alert-rules/sigma/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml
similarity index 100%
rename from rules/Sigma/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml
rename to rules/alert-rules/sigma/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml
diff --git a/rules/Sigma/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml b/rules/alert-rules/sigma/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
similarity index 100%
rename from rules/Sigma/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
rename to rules/alert-rules/sigma/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
diff --git a/rules/Sigma/process_creation_sysinternals_eula_accepted.yml b/rules/alert-rules/sigma/process_creation_sysinternals_eula_accepted.yml
similarity index 100%
rename from rules/Sigma/process_creation_sysinternals_eula_accepted.yml
rename to rules/alert-rules/sigma/process_creation_sysinternals_eula_accepted.yml
diff --git a/rules/Sigma/process_creation_sysmon_uac_bypass_eventvwr.yml b/rules/alert-rules/sigma/process_creation_sysmon_uac_bypass_eventvwr.yml
similarity index 100%
rename from rules/Sigma/process_creation_sysmon_uac_bypass_eventvwr.yml
rename to rules/alert-rules/sigma/process_creation_sysmon_uac_bypass_eventvwr.yml
diff --git a/rules/Sigma/process_creation_tool_psexec.yml b/rules/alert-rules/sigma/process_creation_tool_psexec.yml
similarity index 100%
rename from rules/Sigma/process_creation_tool_psexec.yml
rename to rules/alert-rules/sigma/process_creation_tool_psexec.yml
diff --git a/rules/Sigma/process_creation_tttracer_mod_load.yml b/rules/alert-rules/sigma/process_creation_tttracer_mod_load.yml
similarity index 100%
rename from rules/Sigma/process_creation_tttracer_mod_load.yml
rename to rules/alert-rules/sigma/process_creation_tttracer_mod_load.yml
diff --git a/rules/Sigma/process_creation_win_exchange_transportagent.yml b/rules/alert-rules/sigma/process_creation_win_exchange_transportagent.yml
similarity index 100%
rename from rules/Sigma/process_creation_win_exchange_transportagent.yml
rename to rules/alert-rules/sigma/process_creation_win_exchange_transportagent.yml
diff --git a/rules/Sigma/process_creationn_apt_chafer_mar18.yml b/rules/alert-rules/sigma/process_creationn_apt_chafer_mar18.yml
similarity index 100%
rename from rules/Sigma/process_creationn_apt_chafer_mar18.yml
rename to rules/alert-rules/sigma/process_creationn_apt_chafer_mar18.yml
diff --git a/rules/Sigma/process_mailboxexport_share.yml b/rules/alert-rules/sigma/process_mailboxexport_share.yml
similarity index 100%
rename from rules/Sigma/process_mailboxexport_share.yml
rename to rules/alert-rules/sigma/process_mailboxexport_share.yml
diff --git a/rules/Sigma/process_susp_esentutl_params.yml b/rules/alert-rules/sigma/process_susp_esentutl_params.yml
similarity index 100%
rename from rules/Sigma/process_susp_esentutl_params.yml
rename to rules/alert-rules/sigma/process_susp_esentutl_params.yml
diff --git a/rules/Sigma/registry_event_abusing_windows_telemetry_for_persistence.yml b/rules/alert-rules/sigma/registry_event_abusing_windows_telemetry_for_persistence.yml
similarity index 100%
rename from rules/Sigma/registry_event_abusing_windows_telemetry_for_persistence.yml
rename to rules/alert-rules/sigma/registry_event_abusing_windows_telemetry_for_persistence.yml
diff --git a/rules/Sigma/registry_event_apt_chafer_mar18.yml b/rules/alert-rules/sigma/registry_event_apt_chafer_mar18.yml
similarity index 100%
rename from rules/Sigma/registry_event_apt_chafer_mar18.yml
rename to rules/alert-rules/sigma/registry_event_apt_chafer_mar18.yml
diff --git a/rules/Sigma/registry_event_apt_pandemic.yml b/rules/alert-rules/sigma/registry_event_apt_pandemic.yml
similarity index 100%
rename from rules/Sigma/registry_event_apt_pandemic.yml
rename to rules/alert-rules/sigma/registry_event_apt_pandemic.yml
diff --git a/rules/Sigma/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/alert-rules/sigma/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml
similarity index 100%
rename from rules/Sigma/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml
rename to rules/alert-rules/sigma/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml
diff --git a/rules/Sigma/registry_event_defender_disabled.yml b/rules/alert-rules/sigma/registry_event_defender_disabled.yml
similarity index 100%
rename from rules/Sigma/registry_event_defender_disabled.yml
rename to rules/alert-rules/sigma/registry_event_defender_disabled.yml
diff --git a/rules/Sigma/registry_event_defender_exclusions.yml b/rules/alert-rules/sigma/registry_event_defender_exclusions.yml
similarity index 100%
rename from rules/Sigma/registry_event_defender_exclusions.yml
rename to rules/alert-rules/sigma/registry_event_defender_exclusions.yml
diff --git a/rules/Sigma/registry_event_defender_realtime_protection_disabled.yml b/rules/alert-rules/sigma/registry_event_defender_realtime_protection_disabled.yml
similarity index 100%
rename from rules/Sigma/registry_event_defender_realtime_protection_disabled.yml
rename to rules/alert-rules/sigma/registry_event_defender_realtime_protection_disabled.yml
diff --git a/rules/Sigma/registry_event_dns_serverlevelplugindll.yml b/rules/alert-rules/sigma/registry_event_dns_serverlevelplugindll.yml
similarity index 100%
rename from rules/Sigma/registry_event_dns_serverlevelplugindll.yml
rename to rules/alert-rules/sigma/registry_event_dns_serverlevelplugindll.yml
diff --git a/rules/Sigma/registry_event_mal_adwind.yml b/rules/alert-rules/sigma/registry_event_mal_adwind.yml
similarity index 100%
rename from rules/Sigma/registry_event_mal_adwind.yml
rename to rules/alert-rules/sigma/registry_event_mal_adwind.yml
diff --git a/rules/Sigma/registry_event_mal_azorult.yml b/rules/alert-rules/sigma/registry_event_mal_azorult.yml
similarity index 100%
rename from rules/Sigma/registry_event_mal_azorult.yml
rename to rules/alert-rules/sigma/registry_event_mal_azorult.yml
diff --git a/rules/Sigma/registry_event_mal_blue_mockingbird.yml b/rules/alert-rules/sigma/registry_event_mal_blue_mockingbird.yml
similarity index 100%
rename from rules/Sigma/registry_event_mal_blue_mockingbird.yml
rename to rules/alert-rules/sigma/registry_event_mal_blue_mockingbird.yml
diff --git a/rules/Sigma/registry_event_mal_flowcloud.yml b/rules/alert-rules/sigma/registry_event_mal_flowcloud.yml
similarity index 100%
rename from rules/Sigma/registry_event_mal_flowcloud.yml
rename to rules/alert-rules/sigma/registry_event_mal_flowcloud.yml
diff --git a/rules/Sigma/registry_event_mal_netwire.yml b/rules/alert-rules/sigma/registry_event_mal_netwire.yml
similarity index 100%
rename from rules/Sigma/registry_event_mal_netwire.yml
rename to rules/alert-rules/sigma/registry_event_mal_netwire.yml
diff --git a/rules/Sigma/registry_event_mal_ursnif.yml b/rules/alert-rules/sigma/registry_event_mal_ursnif.yml
similarity index 100%
rename from rules/Sigma/registry_event_mal_ursnif.yml
rename to rules/alert-rules/sigma/registry_event_mal_ursnif.yml
diff --git a/rules/Sigma/registry_event_mstsc_history_cleared.yml b/rules/alert-rules/sigma/registry_event_mstsc_history_cleared.yml
similarity index 100%
rename from rules/Sigma/registry_event_mstsc_history_cleared.yml
rename to rules/alert-rules/sigma/registry_event_mstsc_history_cleared.yml
diff --git a/rules/Sigma/registry_event_net_ntlm_downgrade.yml b/rules/alert-rules/sigma/registry_event_net_ntlm_downgrade.yml
similarity index 100%
rename from rules/Sigma/registry_event_net_ntlm_downgrade.yml
rename to rules/alert-rules/sigma/registry_event_net_ntlm_downgrade.yml
diff --git a/rules/Sigma/registry_event_stickykey_like_backdoor.yml b/rules/alert-rules/sigma/registry_event_stickykey_like_backdoor.yml
similarity index 100%
rename from rules/Sigma/registry_event_stickykey_like_backdoor.yml
rename to rules/alert-rules/sigma/registry_event_stickykey_like_backdoor.yml
diff --git a/rules/Sigma/registry_event_sysinternals_eula_accepted.yml b/rules/alert-rules/sigma/registry_event_sysinternals_eula_accepted.yml
similarity index 100%
rename from rules/Sigma/registry_event_sysinternals_eula_accepted.yml
rename to rules/alert-rules/sigma/registry_event_sysinternals_eula_accepted.yml
diff --git a/rules/Sigma/registry_event_uac_bypass_eventvwr.yml b/rules/alert-rules/sigma/registry_event_uac_bypass_eventvwr.yml
similarity index 100%
rename from rules/Sigma/registry_event_uac_bypass_eventvwr.yml
rename to rules/alert-rules/sigma/registry_event_uac_bypass_eventvwr.yml
diff --git a/rules/Sigma/registry_event_uac_bypass_winsat.yml b/rules/alert-rules/sigma/registry_event_uac_bypass_winsat.yml
similarity index 100%
rename from rules/Sigma/registry_event_uac_bypass_winsat.yml
rename to rules/alert-rules/sigma/registry_event_uac_bypass_winsat.yml
diff --git a/rules/Sigma/registry_event_uac_bypass_wmp.yml b/rules/alert-rules/sigma/registry_event_uac_bypass_wmp.yml
similarity index 100%
rename from rules/Sigma/registry_event_uac_bypass_wmp.yml
rename to rules/alert-rules/sigma/registry_event_uac_bypass_wmp.yml
diff --git a/rules/Sigma/silenttrinity_stager_msbuild_activity.yml b/rules/alert-rules/sigma/silenttrinity_stager_msbuild_activity.yml
similarity index 100%
rename from rules/Sigma/silenttrinity_stager_msbuild_activity.yml
rename to rules/alert-rules/sigma/silenttrinity_stager_msbuild_activity.yml
diff --git a/rules/Sigma/sysmon_abusing_azure_browser_sso.yml b/rules/alert-rules/sigma/sysmon_abusing_azure_browser_sso.yml
similarity index 100%
rename from rules/Sigma/sysmon_abusing_azure_browser_sso.yml
rename to rules/alert-rules/sigma/sysmon_abusing_azure_browser_sso.yml
diff --git a/rules/Sigma/sysmon_abusing_debug_privilege.yml b/rules/alert-rules/sigma/sysmon_abusing_debug_privilege.yml
similarity index 100%
rename from rules/Sigma/sysmon_abusing_debug_privilege.yml
rename to rules/alert-rules/sigma/sysmon_abusing_debug_privilege.yml
diff --git a/rules/Sigma/sysmon_accesschk_usage_after_priv_escalation.yml b/rules/alert-rules/sigma/sysmon_accesschk_usage_after_priv_escalation.yml
similarity index 100%
rename from rules/Sigma/sysmon_accesschk_usage_after_priv_escalation.yml
rename to rules/alert-rules/sigma/sysmon_accesschk_usage_after_priv_escalation.yml
diff --git a/rules/Sigma/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml b/rules/alert-rules/sigma/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
similarity index 100%
rename from rules/Sigma/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
rename to rules/alert-rules/sigma/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
diff --git a/rules/Sigma/sysmon_ads_executable.yml b/rules/alert-rules/sigma/sysmon_ads_executable.yml
similarity index 100%
rename from rules/Sigma/sysmon_ads_executable.yml
rename to rules/alert-rules/sigma/sysmon_ads_executable.yml
diff --git a/rules/Sigma/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/alert-rules/sigma/sysmon_alternate_powershell_hosts_moduleload.yml
similarity index 100%
rename from rules/Sigma/sysmon_alternate_powershell_hosts_moduleload.yml
rename to rules/alert-rules/sigma/sysmon_alternate_powershell_hosts_moduleload.yml
diff --git a/rules/Sigma/sysmon_alternate_powershell_hosts_pipe.yml b/rules/alert-rules/sigma/sysmon_alternate_powershell_hosts_pipe.yml
similarity index 100%
rename from rules/Sigma/sysmon_alternate_powershell_hosts_pipe.yml
rename to rules/alert-rules/sigma/sysmon_alternate_powershell_hosts_pipe.yml
diff --git a/rules/Sigma/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml b/rules/alert-rules/sigma/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
similarity index 100%
rename from rules/Sigma/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
rename to rules/alert-rules/sigma/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
diff --git a/rules/Sigma/sysmon_always_install_elevated_windows_installer.yml b/rules/alert-rules/sigma/sysmon_always_install_elevated_windows_installer.yml
similarity index 100%
rename from rules/Sigma/sysmon_always_install_elevated_windows_installer.yml
rename to rules/alert-rules/sigma/sysmon_always_install_elevated_windows_installer.yml
diff --git a/rules/Sigma/sysmon_apt_leviathan.yml b/rules/alert-rules/sigma/sysmon_apt_leviathan.yml
similarity index 100%
rename from rules/Sigma/sysmon_apt_leviathan.yml
rename to rules/alert-rules/sigma/sysmon_apt_leviathan.yml
diff --git a/rules/Sigma/sysmon_apt_muddywater_dnstunnel.yml b/rules/alert-rules/sigma/sysmon_apt_muddywater_dnstunnel.yml
similarity index 100%
rename from rules/Sigma/sysmon_apt_muddywater_dnstunnel.yml
rename to rules/alert-rules/sigma/sysmon_apt_muddywater_dnstunnel.yml
diff --git a/rules/Sigma/sysmon_apt_oceanlotus_registry.yml b/rules/alert-rules/sigma/sysmon_apt_oceanlotus_registry.yml
similarity index 100%
rename from rules/Sigma/sysmon_apt_oceanlotus_registry.yml
rename to rules/alert-rules/sigma/sysmon_apt_oceanlotus_registry.yml
diff --git a/rules/Sigma/sysmon_apt_sourgrum.yml b/rules/alert-rules/sigma/sysmon_apt_sourgrum.yml
similarity index 100%
rename from rules/Sigma/sysmon_apt_sourgrum.yml
rename to rules/alert-rules/sigma/sysmon_apt_sourgrum.yml
diff --git a/rules/Sigma/sysmon_apt_turla_namedpipes.yml b/rules/alert-rules/sigma/sysmon_apt_turla_namedpipes.yml
similarity index 100%
rename from rules/Sigma/sysmon_apt_turla_namedpipes.yml
rename to rules/alert-rules/sigma/sysmon_apt_turla_namedpipes.yml
diff --git a/rules/Sigma/sysmon_asep_reg_keys_modification.yml b/rules/alert-rules/sigma/sysmon_asep_reg_keys_modification.yml
similarity index 100%
rename from rules/Sigma/sysmon_asep_reg_keys_modification.yml
rename to rules/alert-rules/sigma/sysmon_asep_reg_keys_modification.yml
diff --git a/rules/Sigma/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml b/rules/alert-rules/sigma/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml
similarity index 100%
rename from rules/Sigma/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml
rename to rules/alert-rules/sigma/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml
diff --git a/rules/Sigma/sysmon_bypass_via_wsreset.yml b/rules/alert-rules/sigma/sysmon_bypass_via_wsreset.yml
similarity index 100%
rename from rules/Sigma/sysmon_bypass_via_wsreset.yml
rename to rules/alert-rules/sigma/sysmon_bypass_via_wsreset.yml
diff --git a/rules/Sigma/sysmon_cactustorch.yml b/rules/alert-rules/sigma/sysmon_cactustorch.yml
similarity index 100%
rename from rules/Sigma/sysmon_cactustorch.yml
rename to rules/alert-rules/sigma/sysmon_cactustorch.yml
diff --git a/rules/Sigma/sysmon_cmstp_execution_by_access.yml b/rules/alert-rules/sigma/sysmon_cmstp_execution_by_access.yml
similarity index 100%
rename from rules/Sigma/sysmon_cmstp_execution_by_access.yml
rename to rules/alert-rules/sigma/sysmon_cmstp_execution_by_access.yml
diff --git a/rules/Sigma/sysmon_cmstp_execution_by_creation.yml b/rules/alert-rules/sigma/sysmon_cmstp_execution_by_creation.yml
similarity index 100%
rename from rules/Sigma/sysmon_cmstp_execution_by_creation.yml
rename to rules/alert-rules/sigma/sysmon_cmstp_execution_by_creation.yml
diff --git a/rules/Sigma/sysmon_cmstp_execution_by_registry.yml b/rules/alert-rules/sigma/sysmon_cmstp_execution_by_registry.yml
similarity index 100%
rename from rules/Sigma/sysmon_cmstp_execution_by_registry.yml
rename to rules/alert-rules/sigma/sysmon_cmstp_execution_by_registry.yml
diff --git a/rules/Sigma/sysmon_cobaltstrike_bof_injection_pattern.yml b/rules/alert-rules/sigma/sysmon_cobaltstrike_bof_injection_pattern.yml
similarity index 100%
rename from rules/Sigma/sysmon_cobaltstrike_bof_injection_pattern.yml
rename to rules/alert-rules/sigma/sysmon_cobaltstrike_bof_injection_pattern.yml
diff --git a/rules/Sigma/sysmon_cobaltstrike_process_injection.yml b/rules/alert-rules/sigma/sysmon_cobaltstrike_process_injection.yml
similarity index 100%
rename from rules/Sigma/sysmon_cobaltstrike_process_injection.yml
rename to rules/alert-rules/sigma/sysmon_cobaltstrike_process_injection.yml
diff --git a/rules/Sigma/sysmon_cobaltstrike_service_installs.yml b/rules/alert-rules/sigma/sysmon_cobaltstrike_service_installs.yml
similarity index 100%
rename from rules/Sigma/sysmon_cobaltstrike_service_installs.yml
rename to rules/alert-rules/sigma/sysmon_cobaltstrike_service_installs.yml
diff --git a/rules/Sigma/sysmon_comhijack_sdclt.yml b/rules/alert-rules/sigma/sysmon_comhijack_sdclt.yml
similarity index 100%
rename from rules/Sigma/sysmon_comhijack_sdclt.yml
rename to rules/alert-rules/sigma/sysmon_comhijack_sdclt.yml
diff --git a/rules/Sigma/sysmon_config_modification_error.yml b/rules/alert-rules/sigma/sysmon_config_modification_error.yml
similarity index 100%
rename from rules/Sigma/sysmon_config_modification_error.yml
rename to rules/alert-rules/sigma/sysmon_config_modification_error.yml
diff --git a/rules/Sigma/sysmon_config_modification_status.yml b/rules/alert-rules/sigma/sysmon_config_modification_status.yml
similarity index 100%
rename from rules/Sigma/sysmon_config_modification_status.yml
rename to rules/alert-rules/sigma/sysmon_config_modification_status.yml
diff --git a/rules/Sigma/sysmon_createremotethread_loadlibrary.yml b/rules/alert-rules/sigma/sysmon_createremotethread_loadlibrary.yml
similarity index 100%
rename from rules/Sigma/sysmon_createremotethread_loadlibrary.yml
rename to rules/alert-rules/sigma/sysmon_createremotethread_loadlibrary.yml
diff --git a/rules/Sigma/sysmon_creation_mavinject_dll.yml b/rules/alert-rules/sigma/sysmon_creation_mavinject_dll.yml
similarity index 100%
rename from rules/Sigma/sysmon_creation_mavinject_dll.yml
rename to rules/alert-rules/sigma/sysmon_creation_mavinject_dll.yml
diff --git a/rules/Sigma/sysmon_creation_system_file.yml b/rules/alert-rules/sigma/sysmon_creation_system_file.yml
similarity index 100%
rename from rules/Sigma/sysmon_creation_system_file.yml
rename to rules/alert-rules/sigma/sysmon_creation_system_file.yml
diff --git a/rules/Sigma/sysmon_cred_dump_lsass_access.yml b/rules/alert-rules/sigma/sysmon_cred_dump_lsass_access.yml
similarity index 100%
rename from rules/Sigma/sysmon_cred_dump_lsass_access.yml
rename to rules/alert-rules/sigma/sysmon_cred_dump_lsass_access.yml
diff --git a/rules/Sigma/sysmon_cred_dump_tools_dropped_files.yml b/rules/alert-rules/sigma/sysmon_cred_dump_tools_dropped_files.yml
similarity index 100%
rename from rules/Sigma/sysmon_cred_dump_tools_dropped_files.yml
rename to rules/alert-rules/sigma/sysmon_cred_dump_tools_dropped_files.yml
diff --git a/rules/Sigma/sysmon_cred_dump_tools_named_pipes.yml b/rules/alert-rules/sigma/sysmon_cred_dump_tools_named_pipes.yml
similarity index 100%
rename from rules/Sigma/sysmon_cred_dump_tools_named_pipes.yml
rename to rules/alert-rules/sigma/sysmon_cred_dump_tools_named_pipes.yml
diff --git a/rules/Sigma/sysmon_cve_2020_1048.yml b/rules/alert-rules/sigma/sysmon_cve_2020_1048.yml
similarity index 100%
rename from rules/Sigma/sysmon_cve_2020_1048.yml
rename to rules/alert-rules/sigma/sysmon_cve_2020_1048.yml
diff --git a/rules/Sigma/sysmon_cve_2021_26857_msexchange.yml b/rules/alert-rules/sigma/sysmon_cve_2021_26857_msexchange.yml
similarity index 100%
rename from rules/Sigma/sysmon_cve_2021_26857_msexchange.yml
rename to rules/alert-rules/sigma/sysmon_cve_2021_26857_msexchange.yml
diff --git a/rules/Sigma/sysmon_cve_2021_26858_msexchange.yml b/rules/alert-rules/sigma/sysmon_cve_2021_26858_msexchange.yml
similarity index 100%
rename from rules/Sigma/sysmon_cve_2021_26858_msexchange.yml
rename to rules/alert-rules/sigma/sysmon_cve_2021_26858_msexchange.yml
diff --git a/rules/Sigma/sysmon_dcom_iertutil_dll_hijack.yml b/rules/alert-rules/sigma/sysmon_dcom_iertutil_dll_hijack.yml
similarity index 100%
rename from rules/Sigma/sysmon_dcom_iertutil_dll_hijack.yml
rename to rules/alert-rules/sigma/sysmon_dcom_iertutil_dll_hijack.yml
diff --git a/rules/Sigma/sysmon_delete_prefetch.yml b/rules/alert-rules/sigma/sysmon_delete_prefetch.yml
similarity index 100%
rename from rules/Sigma/sysmon_delete_prefetch.yml
rename to rules/alert-rules/sigma/sysmon_delete_prefetch.yml
diff --git a/rules/Sigma/sysmon_detect_powerup_dllhijacking.yml b/rules/alert-rules/sigma/sysmon_detect_powerup_dllhijacking.yml
similarity index 100%
rename from rules/Sigma/sysmon_detect_powerup_dllhijacking.yml
rename to rules/alert-rules/sigma/sysmon_detect_powerup_dllhijacking.yml
diff --git a/rules/Sigma/sysmon_dhcp_calloutdll.yml b/rules/alert-rules/sigma/sysmon_dhcp_calloutdll.yml
similarity index 100%
rename from rules/Sigma/sysmon_dhcp_calloutdll.yml
rename to rules/alert-rules/sigma/sysmon_dhcp_calloutdll.yml
diff --git a/rules/Sigma/sysmon_direct_syscall_ntopenprocess.yml b/rules/alert-rules/sigma/sysmon_direct_syscall_ntopenprocess.yml
similarity index 100%
rename from rules/Sigma/sysmon_direct_syscall_ntopenprocess.yml
rename to rules/alert-rules/sigma/sysmon_direct_syscall_ntopenprocess.yml
diff --git a/rules/Sigma/sysmon_disable_microsoft_office_security_features.yml b/rules/alert-rules/sigma/sysmon_disable_microsoft_office_security_features.yml
similarity index 100%
rename from rules/Sigma/sysmon_disable_microsoft_office_security_features.yml
rename to rules/alert-rules/sigma/sysmon_disable_microsoft_office_security_features.yml
diff --git a/rules/Sigma/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/alert-rules/sigma/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
similarity index 100%
rename from rules/Sigma/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
rename to rules/alert-rules/sigma/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
diff --git a/rules/Sigma/sysmon_disable_wdigest_credential_guard.yml b/rules/alert-rules/sigma/sysmon_disable_wdigest_credential_guard.yml
similarity index 100%
rename from rules/Sigma/sysmon_disable_wdigest_credential_guard.yml
rename to rules/alert-rules/sigma/sysmon_disable_wdigest_credential_guard.yml
diff --git a/rules/Sigma/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml b/rules/alert-rules/sigma/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml
similarity index 100%
rename from rules/Sigma/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml
rename to rules/alert-rules/sigma/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml
diff --git a/rules/Sigma/sysmon_disabled_pua_protection_on_microsoft_defender.yml b/rules/alert-rules/sigma/sysmon_disabled_pua_protection_on_microsoft_defender.yml
similarity index 100%
rename from rules/Sigma/sysmon_disabled_pua_protection_on_microsoft_defender.yml
rename to rules/alert-rules/sigma/sysmon_disabled_pua_protection_on_microsoft_defender.yml
diff --git a/rules/Sigma/sysmon_disabled_tamper_protection_on_microsoft_defender.yml b/rules/alert-rules/sigma/sysmon_disabled_tamper_protection_on_microsoft_defender.yml
similarity index 100%
rename from rules/Sigma/sysmon_disabled_tamper_protection_on_microsoft_defender.yml
rename to rules/alert-rules/sigma/sysmon_disabled_tamper_protection_on_microsoft_defender.yml
diff --git a/rules/Sigma/sysmon_dllhost_net_connections.yml b/rules/alert-rules/sigma/sysmon_dllhost_net_connections.yml
similarity index 100%
rename from rules/Sigma/sysmon_dllhost_net_connections.yml
rename to rules/alert-rules/sigma/sysmon_dllhost_net_connections.yml
diff --git a/rules/Sigma/sysmon_dns_over_https_enabled.yml b/rules/alert-rules/sigma/sysmon_dns_over_https_enabled.yml
similarity index 100%
rename from rules/Sigma/sysmon_dns_over_https_enabled.yml
rename to rules/alert-rules/sigma/sysmon_dns_over_https_enabled.yml
diff --git a/rules/Sigma/sysmon_efspotato_namedpipe.yml b/rules/alert-rules/sigma/sysmon_efspotato_namedpipe.yml
similarity index 100%
rename from rules/Sigma/sysmon_efspotato_namedpipe.yml
rename to rules/alert-rules/sigma/sysmon_efspotato_namedpipe.yml
diff --git a/rules/Sigma/sysmon_enabling_cor_profiler_env_variables.yml b/rules/alert-rules/sigma/sysmon_enabling_cor_profiler_env_variables.yml
similarity index 100%
rename from rules/Sigma/sysmon_enabling_cor_profiler_env_variables.yml
rename to rules/alert-rules/sigma/sysmon_enabling_cor_profiler_env_variables.yml
diff --git a/rules/Sigma/sysmon_etw_disabled.yml b/rules/alert-rules/sigma/sysmon_etw_disabled.yml
similarity index 100%
rename from rules/Sigma/sysmon_etw_disabled.yml
rename to rules/alert-rules/sigma/sysmon_etw_disabled.yml
diff --git a/rules/Sigma/sysmon_excel_outbound_network_connection.yml b/rules/alert-rules/sigma/sysmon_excel_outbound_network_connection.yml
similarity index 100%
rename from rules/Sigma/sysmon_excel_outbound_network_connection.yml
rename to rules/alert-rules/sigma/sysmon_excel_outbound_network_connection.yml
diff --git a/rules/Sigma/sysmon_expand_cabinet_files.yml b/rules/alert-rules/sigma/sysmon_expand_cabinet_files.yml
similarity index 100%
rename from rules/Sigma/sysmon_expand_cabinet_files.yml
rename to rules/alert-rules/sigma/sysmon_expand_cabinet_files.yml
diff --git a/rules/Sigma/sysmon_foggyweb_nobelium.yml b/rules/alert-rules/sigma/sysmon_foggyweb_nobelium.yml
similarity index 100%
rename from rules/Sigma/sysmon_foggyweb_nobelium.yml
rename to rules/alert-rules/sigma/sysmon_foggyweb_nobelium.yml
diff --git a/rules/Sigma/sysmon_ghostpack_safetykatz.yml b/rules/alert-rules/sigma/sysmon_ghostpack_safetykatz.yml
similarity index 100%
rename from rules/Sigma/sysmon_ghostpack_safetykatz.yml
rename to rules/alert-rules/sigma/sysmon_ghostpack_safetykatz.yml
diff --git a/rules/Sigma/sysmon_hack_wce.yml b/rules/alert-rules/sigma/sysmon_hack_wce.yml
similarity index 100%
rename from rules/Sigma/sysmon_hack_wce.yml
rename to rules/alert-rules/sigma/sysmon_hack_wce.yml
diff --git a/rules/Sigma/sysmon_hack_wce_reg.yml b/rules/alert-rules/sigma/sysmon_hack_wce_reg.yml
similarity index 100%
rename from rules/Sigma/sysmon_hack_wce_reg.yml
rename to rules/alert-rules/sigma/sysmon_hack_wce_reg.yml
diff --git a/rules/Sigma/sysmon_high_integrity_sdclt.yml b/rules/alert-rules/sigma/sysmon_high_integrity_sdclt.yml
similarity index 100%
rename from rules/Sigma/sysmon_high_integrity_sdclt.yml
rename to rules/alert-rules/sigma/sysmon_high_integrity_sdclt.yml
diff --git a/rules/Sigma/sysmon_hybridconnectionmgr_svc_installation.yml b/rules/alert-rules/sigma/sysmon_hybridconnectionmgr_svc_installation.yml
similarity index 100%
rename from rules/Sigma/sysmon_hybridconnectionmgr_svc_installation.yml
rename to rules/alert-rules/sigma/sysmon_hybridconnectionmgr_svc_installation.yml
diff --git a/rules/Sigma/sysmon_in_memory_assembly_execution.yml b/rules/alert-rules/sigma/sysmon_in_memory_assembly_execution.yml
similarity index 100%
rename from rules/Sigma/sysmon_in_memory_assembly_execution.yml
rename to rules/alert-rules/sigma/sysmon_in_memory_assembly_execution.yml
diff --git a/rules/Sigma/sysmon_in_memory_powershell.yml b/rules/alert-rules/sigma/sysmon_in_memory_powershell.yml
similarity index 100%
rename from rules/Sigma/sysmon_in_memory_powershell.yml
rename to rules/alert-rules/sigma/sysmon_in_memory_powershell.yml
diff --git a/rules/Sigma/sysmon_invoke_phantom.yml b/rules/alert-rules/sigma/sysmon_invoke_phantom.yml
similarity index 100%
rename from rules/Sigma/sysmon_invoke_phantom.yml
rename to rules/alert-rules/sigma/sysmon_invoke_phantom.yml
diff --git a/rules/Sigma/sysmon_lazagne_cred_dump_lsass_access.yml b/rules/alert-rules/sigma/sysmon_lazagne_cred_dump_lsass_access.yml
similarity index 100%
rename from rules/Sigma/sysmon_lazagne_cred_dump_lsass_access.yml
rename to rules/alert-rules/sigma/sysmon_lazagne_cred_dump_lsass_access.yml
diff --git a/rules/Sigma/sysmon_littlecorporal_generated_maldoc.yml b/rules/alert-rules/sigma/sysmon_littlecorporal_generated_maldoc.yml
similarity index 100%
rename from rules/Sigma/sysmon_littlecorporal_generated_maldoc.yml
rename to rules/alert-rules/sigma/sysmon_littlecorporal_generated_maldoc.yml
diff --git a/rules/Sigma/sysmon_load_undocumented_autoelevated_com_interface.yml b/rules/alert-rules/sigma/sysmon_load_undocumented_autoelevated_com_interface.yml
similarity index 100%
rename from rules/Sigma/sysmon_load_undocumented_autoelevated_com_interface.yml
rename to rules/alert-rules/sigma/sysmon_load_undocumented_autoelevated_com_interface.yml
diff --git a/rules/Sigma/sysmon_logon_scripts_userinitmprlogonscript_proc.yml b/rules/alert-rules/sigma/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
similarity index 100%
rename from rules/Sigma/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
rename to rules/alert-rules/sigma/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
diff --git a/rules/Sigma/sysmon_logon_scripts_userinitmprlogonscript_reg.yml b/rules/alert-rules/sigma/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
similarity index 100%
rename from rules/Sigma/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
rename to rules/alert-rules/sigma/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
diff --git a/rules/Sigma/sysmon_long_powershell_commandline.yml b/rules/alert-rules/sigma/sysmon_long_powershell_commandline.yml
similarity index 100%
rename from rules/Sigma/sysmon_long_powershell_commandline.yml
rename to rules/alert-rules/sigma/sysmon_long_powershell_commandline.yml
diff --git a/rules/Sigma/sysmon_lsass_dump_comsvcs_dll.yml b/rules/alert-rules/sigma/sysmon_lsass_dump_comsvcs_dll.yml
similarity index 100%
rename from rules/Sigma/sysmon_lsass_dump_comsvcs_dll.yml
rename to rules/alert-rules/sigma/sysmon_lsass_dump_comsvcs_dll.yml
diff --git a/rules/Sigma/sysmon_lsass_memdump.yml b/rules/alert-rules/sigma/sysmon_lsass_memdump.yml
similarity index 100%
rename from rules/Sigma/sysmon_lsass_memdump.yml
rename to rules/alert-rules/sigma/sysmon_lsass_memdump.yml
diff --git a/rules/Sigma/sysmon_lsass_memory_dump_file_creation.yml b/rules/alert-rules/sigma/sysmon_lsass_memory_dump_file_creation.yml
similarity index 100%
rename from rules/Sigma/sysmon_lsass_memory_dump_file_creation.yml
rename to rules/alert-rules/sigma/sysmon_lsass_memory_dump_file_creation.yml
diff --git a/rules/Sigma/sysmon_mal_cobaltstrike.yml b/rules/alert-rules/sigma/sysmon_mal_cobaltstrike.yml
similarity index 100%
rename from rules/Sigma/sysmon_mal_cobaltstrike.yml
rename to rules/alert-rules/sigma/sysmon_mal_cobaltstrike.yml
diff --git a/rules/Sigma/sysmon_mal_cobaltstrike_re.yml b/rules/alert-rules/sigma/sysmon_mal_cobaltstrike_re.yml
similarity index 100%
rename from rules/Sigma/sysmon_mal_cobaltstrike_re.yml
rename to rules/alert-rules/sigma/sysmon_mal_cobaltstrike_re.yml
diff --git a/rules/Sigma/sysmon_mal_namedpipes.yml b/rules/alert-rules/sigma/sysmon_mal_namedpipes.yml
similarity index 100%
rename from rules/Sigma/sysmon_mal_namedpipes.yml
rename to rules/alert-rules/sigma/sysmon_mal_namedpipes.yml
diff --git a/rules/Sigma/sysmon_malware_backconnect_ports.yml b/rules/alert-rules/sigma/sysmon_malware_backconnect_ports.yml
similarity index 100%
rename from rules/Sigma/sysmon_malware_backconnect_ports.yml
rename to rules/alert-rules/sigma/sysmon_malware_backconnect_ports.yml
diff --git a/rules/Sigma/sysmon_malware_verclsid_shellcode.yml b/rules/alert-rules/sigma/sysmon_malware_verclsid_shellcode.yml
similarity index 100%
rename from rules/Sigma/sysmon_malware_verclsid_shellcode.yml
rename to rules/alert-rules/sigma/sysmon_malware_verclsid_shellcode.yml
diff --git a/rules/Sigma/sysmon_mimikatz_detection_lsass.yml b/rules/alert-rules/sigma/sysmon_mimikatz_detection_lsass.yml
similarity index 100%
rename from rules/Sigma/sysmon_mimikatz_detection_lsass.yml
rename to rules/alert-rules/sigma/sysmon_mimikatz_detection_lsass.yml
diff --git a/rules/Sigma/sysmon_mimikatz_trough_winrm.yml b/rules/alert-rules/sigma/sysmon_mimikatz_trough_winrm.yml
similarity index 100%
rename from rules/Sigma/sysmon_mimikatz_trough_winrm.yml
rename to rules/alert-rules/sigma/sysmon_mimikatz_trough_winrm.yml
diff --git a/rules/Sigma/sysmon_modify_screensaver_binary_path.yml b/rules/alert-rules/sigma/sysmon_modify_screensaver_binary_path.yml
similarity index 100%
rename from rules/Sigma/sysmon_modify_screensaver_binary_path.yml
rename to rules/alert-rules/sigma/sysmon_modify_screensaver_binary_path.yml
diff --git a/rules/Sigma/sysmon_narrator_feedback_persistance.yml b/rules/alert-rules/sigma/sysmon_narrator_feedback_persistance.yml
similarity index 100%
rename from rules/Sigma/sysmon_narrator_feedback_persistance.yml
rename to rules/alert-rules/sigma/sysmon_narrator_feedback_persistance.yml
diff --git a/rules/Sigma/sysmon_netcat_execution.yml b/rules/alert-rules/sigma/sysmon_netcat_execution.yml
similarity index 100%
rename from rules/Sigma/sysmon_netcat_execution.yml
rename to rules/alert-rules/sigma/sysmon_netcat_execution.yml
diff --git a/rules/Sigma/sysmon_new_application_appcompat.yml b/rules/alert-rules/sigma/sysmon_new_application_appcompat.yml
similarity index 100%
rename from rules/Sigma/sysmon_new_application_appcompat.yml
rename to rules/alert-rules/sigma/sysmon_new_application_appcompat.yml
diff --git a/rules/Sigma/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/alert-rules/sigma/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
similarity index 100%
rename from rules/Sigma/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
rename to rules/alert-rules/sigma/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
diff --git a/rules/Sigma/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/alert-rules/sigma/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
similarity index 100%
rename from rules/Sigma/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
rename to rules/alert-rules/sigma/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
diff --git a/rules/Sigma/sysmon_notepad_network_connection.yml b/rules/alert-rules/sigma/sysmon_notepad_network_connection.yml
similarity index 100%
rename from rules/Sigma/sysmon_notepad_network_connection.yml
rename to rules/alert-rules/sigma/sysmon_notepad_network_connection.yml
diff --git a/rules/Sigma/sysmon_office_persistence.yml b/rules/alert-rules/sigma/sysmon_office_persistence.yml
similarity index 100%
rename from rules/Sigma/sysmon_office_persistence.yml
rename to rules/alert-rules/sigma/sysmon_office_persistence.yml
diff --git a/rules/Sigma/sysmon_office_test_regadd.yml b/rules/alert-rules/sigma/sysmon_office_test_regadd.yml
similarity index 100%
rename from rules/Sigma/sysmon_office_test_regadd.yml
rename to rules/alert-rules/sigma/sysmon_office_test_regadd.yml
diff --git a/rules/Sigma/sysmon_office_vsto_persistence.yml b/rules/alert-rules/sigma/sysmon_office_vsto_persistence.yml
similarity index 100%
rename from rules/Sigma/sysmon_office_vsto_persistence.yml
rename to rules/alert-rules/sigma/sysmon_office_vsto_persistence.yml
diff --git a/rules/Sigma/sysmon_outlook_newform.yml b/rules/alert-rules/sigma/sysmon_outlook_newform.yml
similarity index 100%
rename from rules/Sigma/sysmon_outlook_newform.yml
rename to rules/alert-rules/sigma/sysmon_outlook_newform.yml
diff --git a/rules/Sigma/sysmon_password_dumper_lsass.yml b/rules/alert-rules/sigma/sysmon_password_dumper_lsass.yml
similarity index 100%
rename from rules/Sigma/sysmon_password_dumper_lsass.yml
rename to rules/alert-rules/sigma/sysmon_password_dumper_lsass.yml
diff --git a/rules/Sigma/sysmon_pcre_net_load.yml b/rules/alert-rules/sigma/sysmon_pcre_net_load.yml
similarity index 100%
rename from rules/Sigma/sysmon_pcre_net_load.yml
rename to rules/alert-rules/sigma/sysmon_pcre_net_load.yml
diff --git a/rules/Sigma/sysmon_pcre_net_temp_file.yml b/rules/alert-rules/sigma/sysmon_pcre_net_temp_file.yml
similarity index 100%
rename from rules/Sigma/sysmon_pcre_net_temp_file.yml
rename to rules/alert-rules/sigma/sysmon_pcre_net_temp_file.yml
diff --git a/rules/Sigma/sysmon_powershell_as_service.yml b/rules/alert-rules/sigma/sysmon_powershell_as_service.yml
similarity index 100%
rename from rules/Sigma/sysmon_powershell_as_service.yml
rename to rules/alert-rules/sigma/sysmon_powershell_as_service.yml
diff --git a/rules/Sigma/sysmon_powershell_code_injection.yml b/rules/alert-rules/sigma/sysmon_powershell_code_injection.yml
similarity index 100%
rename from rules/Sigma/sysmon_powershell_code_injection.yml
rename to rules/alert-rules/sigma/sysmon_powershell_code_injection.yml
diff --git a/rules/Sigma/sysmon_powershell_execution_pipe.yml b/rules/alert-rules/sigma/sysmon_powershell_execution_pipe.yml
similarity index 100%
rename from rules/Sigma/sysmon_powershell_execution_pipe.yml
rename to rules/alert-rules/sigma/sysmon_powershell_execution_pipe.yml
diff --git a/rules/Sigma/sysmon_powershell_exploit_scripts.yml b/rules/alert-rules/sigma/sysmon_powershell_exploit_scripts.yml
similarity index 100%
rename from rules/Sigma/sysmon_powershell_exploit_scripts.yml
rename to rules/alert-rules/sigma/sysmon_powershell_exploit_scripts.yml
diff --git a/rules/Sigma/sysmon_powershell_network_connection.yml b/rules/alert-rules/sigma/sysmon_powershell_network_connection.yml
similarity index 100%
rename from rules/Sigma/sysmon_powershell_network_connection.yml
rename to rules/alert-rules/sigma/sysmon_powershell_network_connection.yml
diff --git a/rules/Sigma/sysmon_powershell_startup_shortcuts.yml b/rules/alert-rules/sigma/sysmon_powershell_startup_shortcuts.yml
similarity index 100%
rename from rules/Sigma/sysmon_powershell_startup_shortcuts.yml
rename to rules/alert-rules/sigma/sysmon_powershell_startup_shortcuts.yml
diff --git a/rules/Sigma/sysmon_proxy_execution_wuauclt.yml b/rules/alert-rules/sigma/sysmon_proxy_execution_wuauclt.yml
similarity index 100%
rename from rules/Sigma/sysmon_proxy_execution_wuauclt.yml
rename to rules/alert-rules/sigma/sysmon_proxy_execution_wuauclt.yml
diff --git a/rules/Sigma/sysmon_psexec_pipes_artifacts.yml b/rules/alert-rules/sigma/sysmon_psexec_pipes_artifacts.yml
similarity index 100%
rename from rules/Sigma/sysmon_psexec_pipes_artifacts.yml
rename to rules/alert-rules/sigma/sysmon_psexec_pipes_artifacts.yml
diff --git a/rules/Sigma/sysmon_pypykatz_cred_dump_lsass_access.yml b/rules/alert-rules/sigma/sysmon_pypykatz_cred_dump_lsass_access.yml
similarity index 100%
rename from rules/Sigma/sysmon_pypykatz_cred_dump_lsass_access.yml
rename to rules/alert-rules/sigma/sysmon_pypykatz_cred_dump_lsass_access.yml
diff --git a/rules/Sigma/sysmon_quarkspw_filedump.yml b/rules/alert-rules/sigma/sysmon_quarkspw_filedump.yml
similarity index 100%
rename from rules/Sigma/sysmon_quarkspw_filedump.yml
rename to rules/alert-rules/sigma/sysmon_quarkspw_filedump.yml
diff --git a/rules/Sigma/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/alert-rules/sigma/sysmon_raw_disk_access_using_illegitimate_tools.yml
similarity index 100%
rename from rules/Sigma/sysmon_raw_disk_access_using_illegitimate_tools.yml
rename to rules/alert-rules/sigma/sysmon_raw_disk_access_using_illegitimate_tools.yml
diff --git a/rules/Sigma/sysmon_rclone_execution.yml b/rules/alert-rules/sigma/sysmon_rclone_execution.yml
similarity index 100%
rename from rules/Sigma/sysmon_rclone_execution.yml
rename to rules/alert-rules/sigma/sysmon_rclone_execution.yml
diff --git a/rules/Sigma/sysmon_rdp_registry_modification.yml b/rules/alert-rules/sigma/sysmon_rdp_registry_modification.yml
similarity index 100%
rename from rules/Sigma/sysmon_rdp_registry_modification.yml
rename to rules/alert-rules/sigma/sysmon_rdp_registry_modification.yml
diff --git a/rules/Sigma/sysmon_rdp_reverse_tunnel.yml b/rules/alert-rules/sigma/sysmon_rdp_reverse_tunnel.yml
similarity index 100%
rename from rules/Sigma/sysmon_rdp_reverse_tunnel.yml
rename to rules/alert-rules/sigma/sysmon_rdp_reverse_tunnel.yml
diff --git a/rules/Sigma/sysmon_rdp_settings_hijack.yml b/rules/alert-rules/sigma/sysmon_rdp_settings_hijack.yml
similarity index 100%
rename from rules/Sigma/sysmon_rdp_settings_hijack.yml
rename to rules/alert-rules/sigma/sysmon_rdp_settings_hijack.yml
diff --git a/rules/Sigma/sysmon_redmimicry_winnti_filedrop.yml b/rules/alert-rules/sigma/sysmon_redmimicry_winnti_filedrop.yml
similarity index 100%
rename from rules/Sigma/sysmon_redmimicry_winnti_filedrop.yml
rename to rules/alert-rules/sigma/sysmon_redmimicry_winnti_filedrop.yml
diff --git a/rules/Sigma/sysmon_redmimicry_winnti_reg.yml b/rules/alert-rules/sigma/sysmon_redmimicry_winnti_reg.yml
similarity index 100%
rename from rules/Sigma/sysmon_redmimicry_winnti_reg.yml
rename to rules/alert-rules/sigma/sysmon_redmimicry_winnti_reg.yml
diff --git a/rules/Sigma/sysmon_reg_office_security.yml b/rules/alert-rules/sigma/sysmon_reg_office_security.yml
similarity index 100%
rename from rules/Sigma/sysmon_reg_office_security.yml
rename to rules/alert-rules/sigma/sysmon_reg_office_security.yml
diff --git a/rules/Sigma/sysmon_reg_silentprocessexit.yml b/rules/alert-rules/sigma/sysmon_reg_silentprocessexit.yml
similarity index 100%
rename from rules/Sigma/sysmon_reg_silentprocessexit.yml
rename to rules/alert-rules/sigma/sysmon_reg_silentprocessexit.yml
diff --git a/rules/Sigma/sysmon_reg_silentprocessexit_lsass.yml b/rules/alert-rules/sigma/sysmon_reg_silentprocessexit_lsass.yml
similarity index 100%
rename from rules/Sigma/sysmon_reg_silentprocessexit_lsass.yml
rename to rules/alert-rules/sigma/sysmon_reg_silentprocessexit_lsass.yml
diff --git a/rules/Sigma/sysmon_reg_vbs_payload_stored.yml b/rules/alert-rules/sigma/sysmon_reg_vbs_payload_stored.yml
similarity index 100%
rename from rules/Sigma/sysmon_reg_vbs_payload_stored.yml
rename to rules/alert-rules/sigma/sysmon_reg_vbs_payload_stored.yml
diff --git a/rules/Sigma/sysmon_regedit_export_to_ads.yml b/rules/alert-rules/sigma/sysmon_regedit_export_to_ads.yml
similarity index 100%
rename from rules/Sigma/sysmon_regedit_export_to_ads.yml
rename to rules/alert-rules/sigma/sysmon_regedit_export_to_ads.yml
diff --git a/rules/Sigma/sysmon_registry_add_local_hidden_user.yml b/rules/alert-rules/sigma/sysmon_registry_add_local_hidden_user.yml
similarity index 100%
rename from rules/Sigma/sysmon_registry_add_local_hidden_user.yml
rename to rules/alert-rules/sigma/sysmon_registry_add_local_hidden_user.yml
diff --git a/rules/Sigma/sysmon_registry_persistence_key_linking.yml b/rules/alert-rules/sigma/sysmon_registry_persistence_key_linking.yml
similarity index 100%
rename from rules/Sigma/sysmon_registry_persistence_key_linking.yml
rename to rules/alert-rules/sigma/sysmon_registry_persistence_key_linking.yml
diff --git a/rules/Sigma/sysmon_registry_persistence_search_order.yml b/rules/alert-rules/sigma/sysmon_registry_persistence_search_order.yml
similarity index 100%
rename from rules/Sigma/sysmon_registry_persistence_search_order.yml
rename to rules/alert-rules/sigma/sysmon_registry_persistence_search_order.yml
diff --git a/rules/Sigma/sysmon_registry_susp_printer_driver.yml b/rules/alert-rules/sigma/sysmon_registry_susp_printer_driver.yml
similarity index 100%
rename from rules/Sigma/sysmon_registry_susp_printer_driver.yml
rename to rules/alert-rules/sigma/sysmon_registry_susp_printer_driver.yml
diff --git a/rules/Sigma/sysmon_registry_trust_record_modification.yml b/rules/alert-rules/sigma/sysmon_registry_trust_record_modification.yml
similarity index 100%
rename from rules/Sigma/sysmon_registry_trust_record_modification.yml
rename to rules/alert-rules/sigma/sysmon_registry_trust_record_modification.yml
diff --git a/rules/Sigma/sysmon_regsvr32_network_activity.yml b/rules/alert-rules/sigma/sysmon_regsvr32_network_activity.yml
similarity index 100%
rename from rules/Sigma/sysmon_regsvr32_network_activity.yml
rename to rules/alert-rules/sigma/sysmon_regsvr32_network_activity.yml
diff --git a/rules/Sigma/sysmon_remote_powershell_session_network.yml b/rules/alert-rules/sigma/sysmon_remote_powershell_session_network.yml
similarity index 100%
rename from rules/Sigma/sysmon_remote_powershell_session_network.yml
rename to rules/alert-rules/sigma/sysmon_remote_powershell_session_network.yml
diff --git a/rules/Sigma/sysmon_removal_amsi_registry_key.yml b/rules/alert-rules/sigma/sysmon_removal_amsi_registry_key.yml
similarity index 100%
rename from rules/Sigma/sysmon_removal_amsi_registry_key.yml
rename to rules/alert-rules/sigma/sysmon_removal_amsi_registry_key.yml
diff --git a/rules/Sigma/sysmon_removal_com_hijacking_registry_key.yml b/rules/alert-rules/sigma/sysmon_removal_com_hijacking_registry_key.yml
similarity index 100%
rename from rules/Sigma/sysmon_removal_com_hijacking_registry_key.yml
rename to rules/alert-rules/sigma/sysmon_removal_com_hijacking_registry_key.yml
diff --git a/rules/Sigma/sysmon_remove_windows_defender_definition_files.yml b/rules/alert-rules/sigma/sysmon_remove_windows_defender_definition_files.yml
similarity index 100%
rename from rules/Sigma/sysmon_remove_windows_defender_definition_files.yml
rename to rules/alert-rules/sigma/sysmon_remove_windows_defender_definition_files.yml
diff --git a/rules/Sigma/sysmon_rundll32_net_connections.yml b/rules/alert-rules/sigma/sysmon_rundll32_net_connections.yml
similarity index 100%
rename from rules/Sigma/sysmon_rundll32_net_connections.yml
rename to rules/alert-rules/sigma/sysmon_rundll32_net_connections.yml
diff --git a/rules/Sigma/sysmon_runkey_winekey.yml b/rules/alert-rules/sigma/sysmon_runkey_winekey.yml
similarity index 100%
rename from rules/Sigma/sysmon_runkey_winekey.yml
rename to rules/alert-rules/sigma/sysmon_runkey_winekey.yml
diff --git a/rules/Sigma/sysmon_runonce_persistence.yml b/rules/alert-rules/sigma/sysmon_runonce_persistence.yml
similarity index 100%
rename from rules/Sigma/sysmon_runonce_persistence.yml
rename to rules/alert-rules/sigma/sysmon_runonce_persistence.yml
diff --git a/rules/Sigma/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml b/rules/alert-rules/sigma/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
similarity index 100%
rename from rules/Sigma/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
rename to rules/alert-rules/sigma/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
diff --git a/rules/Sigma/sysmon_sdclt_child_process.yml b/rules/alert-rules/sigma/sysmon_sdclt_child_process.yml
similarity index 100%
rename from rules/Sigma/sysmon_sdclt_child_process.yml
rename to rules/alert-rules/sigma/sysmon_sdclt_child_process.yml
diff --git a/rules/Sigma/sysmon_spoolsv_dll_load.yml b/rules/alert-rules/sigma/sysmon_spoolsv_dll_load.yml
similarity index 100%
rename from rules/Sigma/sysmon_spoolsv_dll_load.yml
rename to rules/alert-rules/sigma/sysmon_spoolsv_dll_load.yml
diff --git a/rules/Sigma/sysmon_ssp_added_lsa_config.yml b/rules/alert-rules/sigma/sysmon_ssp_added_lsa_config.yml
similarity index 100%
rename from rules/Sigma/sysmon_ssp_added_lsa_config.yml
rename to rules/alert-rules/sigma/sysmon_ssp_added_lsa_config.yml
diff --git a/rules/Sigma/sysmon_startup_folder_file_write.yml b/rules/alert-rules/sigma/sysmon_startup_folder_file_write.yml
similarity index 100%
rename from rules/Sigma/sysmon_startup_folder_file_write.yml
rename to rules/alert-rules/sigma/sysmon_startup_folder_file_write.yml
diff --git a/rules/Sigma/sysmon_susp_adfs_namedpipe_connection.yml b/rules/alert-rules/sigma/sysmon_susp_adfs_namedpipe_connection.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_adfs_namedpipe_connection.yml
rename to rules/alert-rules/sigma/sysmon_susp_adfs_namedpipe_connection.yml
diff --git a/rules/Sigma/sysmon_susp_adsi_cache_usage.yml b/rules/alert-rules/sigma/sysmon_susp_adsi_cache_usage.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_adsi_cache_usage.yml
rename to rules/alert-rules/sigma/sysmon_susp_adsi_cache_usage.yml
diff --git a/rules/Sigma/sysmon_susp_atbroker_change.yml b/rules/alert-rules/sigma/sysmon_susp_atbroker_change.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_atbroker_change.yml
rename to rules/alert-rules/sigma/sysmon_susp_atbroker_change.yml
diff --git a/rules/Sigma/sysmon_susp_clr_logs.yml b/rules/alert-rules/sigma/sysmon_susp_clr_logs.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_clr_logs.yml
rename to rules/alert-rules/sigma/sysmon_susp_clr_logs.yml
diff --git a/rules/Sigma/sysmon_susp_cobaltstrike_pipe_patterns.yml b/rules/alert-rules/sigma/sysmon_susp_cobaltstrike_pipe_patterns.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_cobaltstrike_pipe_patterns.yml
rename to rules/alert-rules/sigma/sysmon_susp_cobaltstrike_pipe_patterns.yml
diff --git a/rules/Sigma/sysmon_susp_desktop_ini.yml b/rules/alert-rules/sigma/sysmon_susp_desktop_ini.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_desktop_ini.yml
rename to rules/alert-rules/sigma/sysmon_susp_desktop_ini.yml
diff --git a/rules/Sigma/sysmon_susp_download_run_key.yml b/rules/alert-rules/sigma/sysmon_susp_download_run_key.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_download_run_key.yml
rename to rules/alert-rules/sigma/sysmon_susp_download_run_key.yml
diff --git a/rules/Sigma/sysmon_susp_fax_dll.yml b/rules/alert-rules/sigma/sysmon_susp_fax_dll.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_fax_dll.yml
rename to rules/alert-rules/sigma/sysmon_susp_fax_dll.yml
diff --git a/rules/Sigma/sysmon_susp_image_load.yml b/rules/alert-rules/sigma/sysmon_susp_image_load.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_image_load.yml
rename to rules/alert-rules/sigma/sysmon_susp_image_load.yml
diff --git a/rules/Sigma/sysmon_susp_lsass_dll_load.yml b/rules/alert-rules/sigma/sysmon_susp_lsass_dll_load.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_lsass_dll_load.yml
rename to rules/alert-rules/sigma/sysmon_susp_lsass_dll_load.yml
diff --git a/rules/Sigma/sysmon_susp_mic_cam_access.yml b/rules/alert-rules/sigma/sysmon_susp_mic_cam_access.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_mic_cam_access.yml
rename to rules/alert-rules/sigma/sysmon_susp_mic_cam_access.yml
diff --git a/rules/Sigma/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/alert-rules/sigma/sysmon_susp_office_dotnet_assembly_dll_load.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_office_dotnet_assembly_dll_load.yml
rename to rules/alert-rules/sigma/sysmon_susp_office_dotnet_assembly_dll_load.yml
diff --git a/rules/Sigma/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/alert-rules/sigma/sysmon_susp_office_dotnet_clr_dll_load.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_office_dotnet_clr_dll_load.yml
rename to rules/alert-rules/sigma/sysmon_susp_office_dotnet_clr_dll_load.yml
diff --git a/rules/Sigma/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/alert-rules/sigma/sysmon_susp_office_dotnet_gac_dll_load.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_office_dotnet_gac_dll_load.yml
rename to rules/alert-rules/sigma/sysmon_susp_office_dotnet_gac_dll_load.yml
diff --git a/rules/Sigma/sysmon_susp_office_dsparse_dll_load.yml b/rules/alert-rules/sigma/sysmon_susp_office_dsparse_dll_load.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_office_dsparse_dll_load.yml
rename to rules/alert-rules/sigma/sysmon_susp_office_dsparse_dll_load.yml
diff --git a/rules/Sigma/sysmon_susp_office_kerberos_dll_load.yml b/rules/alert-rules/sigma/sysmon_susp_office_kerberos_dll_load.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_office_kerberos_dll_load.yml
rename to rules/alert-rules/sigma/sysmon_susp_office_kerberos_dll_load.yml
diff --git a/rules/Sigma/sysmon_susp_pfx_file_creation.yml b/rules/alert-rules/sigma/sysmon_susp_pfx_file_creation.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_pfx_file_creation.yml
rename to rules/alert-rules/sigma/sysmon_susp_pfx_file_creation.yml
diff --git a/rules/Sigma/sysmon_susp_plink_remote_forward.yml b/rules/alert-rules/sigma/sysmon_susp_plink_remote_forward.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_plink_remote_forward.yml
rename to rules/alert-rules/sigma/sysmon_susp_plink_remote_forward.yml
diff --git a/rules/Sigma/sysmon_susp_powershell_rundll32.yml b/rules/alert-rules/sigma/sysmon_susp_powershell_rundll32.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_powershell_rundll32.yml
rename to rules/alert-rules/sigma/sysmon_susp_powershell_rundll32.yml
diff --git a/rules/Sigma/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/alert-rules/sigma/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
rename to rules/alert-rules/sigma/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
diff --git a/rules/Sigma/sysmon_susp_prog_location_network_connection.yml b/rules/alert-rules/sigma/sysmon_susp_prog_location_network_connection.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_prog_location_network_connection.yml
rename to rules/alert-rules/sigma/sysmon_susp_prog_location_network_connection.yml
diff --git a/rules/Sigma/sysmon_susp_python_image_load.yml b/rules/alert-rules/sigma/sysmon_susp_python_image_load.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_python_image_load.yml
rename to rules/alert-rules/sigma/sysmon_susp_python_image_load.yml
diff --git a/rules/Sigma/sysmon_susp_rdp.yml b/rules/alert-rules/sigma/sysmon_susp_rdp.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_rdp.yml
rename to rules/alert-rules/sigma/sysmon_susp_rdp.yml
diff --git a/rules/Sigma/sysmon_susp_reg_persist_explorer_run.yml b/rules/alert-rules/sigma/sysmon_susp_reg_persist_explorer_run.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_reg_persist_explorer_run.yml
rename to rules/alert-rules/sigma/sysmon_susp_reg_persist_explorer_run.yml
diff --git a/rules/Sigma/sysmon_susp_run_key_img_folder.yml b/rules/alert-rules/sigma/sysmon_susp_run_key_img_folder.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_run_key_img_folder.yml
rename to rules/alert-rules/sigma/sysmon_susp_run_key_img_folder.yml
diff --git a/rules/Sigma/sysmon_susp_script_dotnet_clr_dll_load.yml b/rules/alert-rules/sigma/sysmon_susp_script_dotnet_clr_dll_load.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_script_dotnet_clr_dll_load.yml
rename to rules/alert-rules/sigma/sysmon_susp_script_dotnet_clr_dll_load.yml
diff --git a/rules/Sigma/sysmon_susp_service_installed.yml b/rules/alert-rules/sigma/sysmon_susp_service_installed.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_service_installed.yml
rename to rules/alert-rules/sigma/sysmon_susp_service_installed.yml
diff --git a/rules/Sigma/sysmon_susp_service_modification.yml b/rules/alert-rules/sigma/sysmon_susp_service_modification.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_service_modification.yml
rename to rules/alert-rules/sigma/sysmon_susp_service_modification.yml
diff --git a/rules/Sigma/sysmon_susp_system_drawing_load.yml b/rules/alert-rules/sigma/sysmon_susp_system_drawing_load.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_system_drawing_load.yml
rename to rules/alert-rules/sigma/sysmon_susp_system_drawing_load.yml
diff --git a/rules/Sigma/sysmon_susp_webdav_client_execution.yml b/rules/alert-rules/sigma/sysmon_susp_webdav_client_execution.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_webdav_client_execution.yml
rename to rules/alert-rules/sigma/sysmon_susp_webdav_client_execution.yml
diff --git a/rules/Sigma/sysmon_susp_winword_vbadll_load.yml b/rules/alert-rules/sigma/sysmon_susp_winword_vbadll_load.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_winword_vbadll_load.yml
rename to rules/alert-rules/sigma/sysmon_susp_winword_vbadll_load.yml
diff --git a/rules/Sigma/sysmon_susp_winword_wmidll_load.yml b/rules/alert-rules/sigma/sysmon_susp_winword_wmidll_load.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_winword_wmidll_load.yml
rename to rules/alert-rules/sigma/sysmon_susp_winword_wmidll_load.yml
diff --git a/rules/Sigma/sysmon_susp_wmi_consumer_namedpipe.yml b/rules/alert-rules/sigma/sysmon_susp_wmi_consumer_namedpipe.yml
similarity index 100%
rename from rules/Sigma/sysmon_susp_wmi_consumer_namedpipe.yml
rename to rules/alert-rules/sigma/sysmon_susp_wmi_consumer_namedpipe.yml
diff --git a/rules/Sigma/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/alert-rules/sigma/sysmon_suspicious_dbghelp_dbgcore_load.yml
similarity index 100%
rename from rules/Sigma/sysmon_suspicious_dbghelp_dbgcore_load.yml
rename to rules/alert-rules/sigma/sysmon_suspicious_dbghelp_dbgcore_load.yml
diff --git a/rules/Sigma/sysmon_suspicious_keyboard_layout_load.yml b/rules/alert-rules/sigma/sysmon_suspicious_keyboard_layout_load.yml
similarity index 100%
rename from rules/Sigma/sysmon_suspicious_keyboard_layout_load.yml
rename to rules/alert-rules/sigma/sysmon_suspicious_keyboard_layout_load.yml
diff --git a/rules/Sigma/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/alert-rules/sigma/sysmon_suspicious_outbound_kerberos_connection.yml
similarity index 100%
rename from rules/Sigma/sysmon_suspicious_outbound_kerberos_connection.yml
rename to rules/alert-rules/sigma/sysmon_suspicious_outbound_kerberos_connection.yml
diff --git a/rules/Sigma/sysmon_suspicious_powershell_profile_create.yml b/rules/alert-rules/sigma/sysmon_suspicious_powershell_profile_create.yml
similarity index 100%
rename from rules/Sigma/sysmon_suspicious_powershell_profile_create.yml
rename to rules/alert-rules/sigma/sysmon_suspicious_powershell_profile_create.yml
diff --git a/rules/Sigma/sysmon_suspicious_remote_thread.yml b/rules/alert-rules/sigma/sysmon_suspicious_remote_thread.yml
similarity index 100%
rename from rules/Sigma/sysmon_suspicious_remote_thread.yml
rename to rules/alert-rules/sigma/sysmon_suspicious_remote_thread.yml
diff --git a/rules/Sigma/sysmon_svchost_cred_dump.yml b/rules/alert-rules/sigma/sysmon_svchost_cred_dump.yml
similarity index 100%
rename from rules/Sigma/sysmon_svchost_cred_dump.yml
rename to rules/alert-rules/sigma/sysmon_svchost_cred_dump.yml
diff --git a/rules/Sigma/sysmon_svchost_dll_search_order_hijack.yml b/rules/alert-rules/sigma/sysmon_svchost_dll_search_order_hijack.yml
similarity index 100%
rename from rules/Sigma/sysmon_svchost_dll_search_order_hijack.yml
rename to rules/alert-rules/sigma/sysmon_svchost_dll_search_order_hijack.yml
diff --git a/rules/Sigma/sysmon_sysinternals_sdelete_file_deletion.yml b/rules/alert-rules/sigma/sysmon_sysinternals_sdelete_file_deletion.yml
similarity index 100%
rename from rules/Sigma/sysmon_sysinternals_sdelete_file_deletion.yml
rename to rules/alert-rules/sigma/sysmon_sysinternals_sdelete_file_deletion.yml
diff --git a/rules/Sigma/sysmon_sysinternals_sdelete_registry_keys.yml b/rules/alert-rules/sigma/sysmon_sysinternals_sdelete_registry_keys.yml
similarity index 100%
rename from rules/Sigma/sysmon_sysinternals_sdelete_registry_keys.yml
rename to rules/alert-rules/sigma/sysmon_sysinternals_sdelete_registry_keys.yml
diff --git a/rules/Sigma/sysmon_taskcache_entry.yml b/rules/alert-rules/sigma/sysmon_taskcache_entry.yml
similarity index 100%
rename from rules/Sigma/sysmon_taskcache_entry.yml
rename to rules/alert-rules/sigma/sysmon_taskcache_entry.yml
diff --git a/rules/Sigma/sysmon_tsclient_filewrite_startup.yml b/rules/alert-rules/sigma/sysmon_tsclient_filewrite_startup.yml
similarity index 100%
rename from rules/Sigma/sysmon_tsclient_filewrite_startup.yml
rename to rules/alert-rules/sigma/sysmon_tsclient_filewrite_startup.yml
diff --git a/rules/Sigma/sysmon_tttracer_mod_load.yml b/rules/alert-rules/sigma/sysmon_tttracer_mod_load.yml
similarity index 100%
rename from rules/Sigma/sysmon_tttracer_mod_load.yml
rename to rules/alert-rules/sigma/sysmon_tttracer_mod_load.yml
diff --git a/rules/Sigma/sysmon_uac_bypass_consent_comctl32.yml b/rules/alert-rules/sigma/sysmon_uac_bypass_consent_comctl32.yml
similarity index 100%
rename from rules/Sigma/sysmon_uac_bypass_consent_comctl32.yml
rename to rules/alert-rules/sigma/sysmon_uac_bypass_consent_comctl32.yml
diff --git a/rules/Sigma/sysmon_uac_bypass_dotnet_profiler.yml b/rules/alert-rules/sigma/sysmon_uac_bypass_dotnet_profiler.yml
similarity index 100%
rename from rules/Sigma/sysmon_uac_bypass_dotnet_profiler.yml
rename to rules/alert-rules/sigma/sysmon_uac_bypass_dotnet_profiler.yml
diff --git a/rules/Sigma/sysmon_uac_bypass_ieinstal.yml b/rules/alert-rules/sigma/sysmon_uac_bypass_ieinstal.yml
similarity index 100%
rename from rules/Sigma/sysmon_uac_bypass_ieinstal.yml
rename to rules/alert-rules/sigma/sysmon_uac_bypass_ieinstal.yml
diff --git a/rules/Sigma/sysmon_uac_bypass_msconfig_gui.yml b/rules/alert-rules/sigma/sysmon_uac_bypass_msconfig_gui.yml
similarity index 100%
rename from rules/Sigma/sysmon_uac_bypass_msconfig_gui.yml
rename to rules/alert-rules/sigma/sysmon_uac_bypass_msconfig_gui.yml
diff --git a/rules/Sigma/sysmon_uac_bypass_ntfs_reparse_point.yml b/rules/alert-rules/sigma/sysmon_uac_bypass_ntfs_reparse_point.yml
similarity index 100%
rename from rules/Sigma/sysmon_uac_bypass_ntfs_reparse_point.yml
rename to rules/alert-rules/sigma/sysmon_uac_bypass_ntfs_reparse_point.yml
diff --git a/rules/Sigma/sysmon_uac_bypass_sdclt.yml b/rules/alert-rules/sigma/sysmon_uac_bypass_sdclt.yml
similarity index 100%
rename from rules/Sigma/sysmon_uac_bypass_sdclt.yml
rename to rules/alert-rules/sigma/sysmon_uac_bypass_sdclt.yml
diff --git a/rules/Sigma/sysmon_uac_bypass_shell_open.yml b/rules/alert-rules/sigma/sysmon_uac_bypass_shell_open.yml
similarity index 100%
rename from rules/Sigma/sysmon_uac_bypass_shell_open.yml
rename to rules/alert-rules/sigma/sysmon_uac_bypass_shell_open.yml
diff --git a/rules/Sigma/sysmon_uac_bypass_via_dism.yml b/rules/alert-rules/sigma/sysmon_uac_bypass_via_dism.yml
similarity index 100%
rename from rules/Sigma/sysmon_uac_bypass_via_dism.yml
rename to rules/alert-rules/sigma/sysmon_uac_bypass_via_dism.yml
diff --git a/rules/Sigma/sysmon_uac_bypass_wow64_logger.yml b/rules/alert-rules/sigma/sysmon_uac_bypass_wow64_logger.yml
similarity index 100%
rename from rules/Sigma/sysmon_uac_bypass_wow64_logger.yml
rename to rules/alert-rules/sigma/sysmon_uac_bypass_wow64_logger.yml
diff --git a/rules/Sigma/sysmon_uipromptforcreds_dlls.yml b/rules/alert-rules/sigma/sysmon_uipromptforcreds_dlls.yml
similarity index 100%
rename from rules/Sigma/sysmon_uipromptforcreds_dlls.yml
rename to rules/alert-rules/sigma/sysmon_uipromptforcreds_dlls.yml
diff --git a/rules/Sigma/sysmon_uninstall_crowdstrike_falcon.yml b/rules/alert-rules/sigma/sysmon_uninstall_crowdstrike_falcon.yml
similarity index 100%
rename from rules/Sigma/sysmon_uninstall_crowdstrike_falcon.yml
rename to rules/alert-rules/sigma/sysmon_uninstall_crowdstrike_falcon.yml
diff --git a/rules/Sigma/sysmon_unsigned_image_loaded_into_lsass.yml b/rules/alert-rules/sigma/sysmon_unsigned_image_loaded_into_lsass.yml
similarity index 100%
rename from rules/Sigma/sysmon_unsigned_image_loaded_into_lsass.yml
rename to rules/alert-rules/sigma/sysmon_unsigned_image_loaded_into_lsass.yml
diff --git a/rules/Sigma/sysmon_vmtoolsd_susp_child_process.yml b/rules/alert-rules/sigma/sysmon_vmtoolsd_susp_child_process.yml
similarity index 100%
rename from rules/Sigma/sysmon_vmtoolsd_susp_child_process.yml
rename to rules/alert-rules/sigma/sysmon_vmtoolsd_susp_child_process.yml
diff --git a/rules/Sigma/sysmon_volume_shadow_copy_service_keys.yml b/rules/alert-rules/sigma/sysmon_volume_shadow_copy_service_keys.yml
similarity index 100%
rename from rules/Sigma/sysmon_volume_shadow_copy_service_keys.yml
rename to rules/alert-rules/sigma/sysmon_volume_shadow_copy_service_keys.yml
diff --git a/rules/Sigma/sysmon_wab_dllpath_reg_change.yml b/rules/alert-rules/sigma/sysmon_wab_dllpath_reg_change.yml
similarity index 100%
rename from rules/Sigma/sysmon_wab_dllpath_reg_change.yml
rename to rules/alert-rules/sigma/sysmon_wab_dllpath_reg_change.yml
diff --git a/rules/Sigma/sysmon_wdigest_enable_uselogoncredential.yml b/rules/alert-rules/sigma/sysmon_wdigest_enable_uselogoncredential.yml
similarity index 100%
rename from rules/Sigma/sysmon_wdigest_enable_uselogoncredential.yml
rename to rules/alert-rules/sigma/sysmon_wdigest_enable_uselogoncredential.yml
diff --git a/rules/Sigma/sysmon_webshell_creation_detect.yml b/rules/alert-rules/sigma/sysmon_webshell_creation_detect.yml
similarity index 100%
rename from rules/Sigma/sysmon_webshell_creation_detect.yml
rename to rules/alert-rules/sigma/sysmon_webshell_creation_detect.yml
diff --git a/rules/Sigma/sysmon_win_binary_github_com.yml b/rules/alert-rules/sigma/sysmon_win_binary_github_com.yml
similarity index 100%
rename from rules/Sigma/sysmon_win_binary_github_com.yml
rename to rules/alert-rules/sigma/sysmon_win_binary_github_com.yml
diff --git a/rules/Sigma/sysmon_win_binary_susp_com.yml b/rules/alert-rules/sigma/sysmon_win_binary_susp_com.yml
similarity index 100%
rename from rules/Sigma/sysmon_win_binary_susp_com.yml
rename to rules/alert-rules/sigma/sysmon_win_binary_susp_com.yml
diff --git a/rules/Sigma/sysmon_win_reg_persistence.yml b/rules/alert-rules/sigma/sysmon_win_reg_persistence.yml
similarity index 100%
rename from rules/Sigma/sysmon_win_reg_persistence.yml
rename to rules/alert-rules/sigma/sysmon_win_reg_persistence.yml
diff --git a/rules/Sigma/sysmon_win_reg_telemetry_persistence.yml b/rules/alert-rules/sigma/sysmon_win_reg_telemetry_persistence.yml
similarity index 100%
rename from rules/Sigma/sysmon_win_reg_telemetry_persistence.yml
rename to rules/alert-rules/sigma/sysmon_win_reg_telemetry_persistence.yml
diff --git a/rules/Sigma/sysmon_wmi_module_load.yml b/rules/alert-rules/sigma/sysmon_wmi_module_load.yml
similarity index 100%
rename from rules/Sigma/sysmon_wmi_module_load.yml
rename to rules/alert-rules/sigma/sysmon_wmi_module_load.yml
diff --git a/rules/Sigma/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/alert-rules/sigma/sysmon_wmi_persistence_commandline_event_consumer.yml
similarity index 100%
rename from rules/Sigma/sysmon_wmi_persistence_commandline_event_consumer.yml
rename to rules/alert-rules/sigma/sysmon_wmi_persistence_commandline_event_consumer.yml
diff --git a/rules/Sigma/sysmon_wmi_persistence_script_event_consumer_write.yml b/rules/alert-rules/sigma/sysmon_wmi_persistence_script_event_consumer_write.yml
similarity index 100%
rename from rules/Sigma/sysmon_wmi_persistence_script_event_consumer_write.yml
rename to rules/alert-rules/sigma/sysmon_wmi_persistence_script_event_consumer_write.yml
diff --git a/rules/Sigma/sysmon_wmi_susp_encoded_scripts.yml b/rules/alert-rules/sigma/sysmon_wmi_susp_encoded_scripts.yml
similarity index 100%
rename from rules/Sigma/sysmon_wmi_susp_encoded_scripts.yml
rename to rules/alert-rules/sigma/sysmon_wmi_susp_encoded_scripts.yml
diff --git a/rules/Sigma/sysmon_wmi_susp_scripting.yml b/rules/alert-rules/sigma/sysmon_wmi_susp_scripting.yml
similarity index 100%
rename from rules/Sigma/sysmon_wmi_susp_scripting.yml
rename to rules/alert-rules/sigma/sysmon_wmi_susp_scripting.yml
diff --git a/rules/Sigma/sysmon_wmic_remote_xsl_scripting_dlls.yml b/rules/alert-rules/sigma/sysmon_wmic_remote_xsl_scripting_dlls.yml
similarity index 100%
rename from rules/Sigma/sysmon_wmic_remote_xsl_scripting_dlls.yml
rename to rules/alert-rules/sigma/sysmon_wmic_remote_xsl_scripting_dlls.yml
diff --git a/rules/Sigma/sysmon_wsman_provider_image_load.yml b/rules/alert-rules/sigma/sysmon_wsman_provider_image_load.yml
similarity index 100%
rename from rules/Sigma/sysmon_wsman_provider_image_load.yml
rename to rules/alert-rules/sigma/sysmon_wsman_provider_image_load.yml
diff --git a/rules/Sigma/sysmon_wuauclt_network_connection.yml b/rules/alert-rules/sigma/sysmon_wuauclt_network_connection.yml
similarity index 100%
rename from rules/Sigma/sysmon_wuauclt_network_connection.yml
rename to rules/alert-rules/sigma/sysmon_wuauclt_network_connection.yml
diff --git a/rules/Sigma/win_aadhealth_mon_agent_regkey_access.yml b/rules/alert-rules/sigma/win_aadhealth_mon_agent_regkey_access.yml
similarity index 100%
rename from rules/Sigma/win_aadhealth_mon_agent_regkey_access.yml
rename to rules/alert-rules/sigma/win_aadhealth_mon_agent_regkey_access.yml
diff --git a/rules/Sigma/win_aadhealth_svc_agent_regkey_access.yml b/rules/alert-rules/sigma/win_aadhealth_svc_agent_regkey_access.yml
similarity index 100%
rename from rules/Sigma/win_aadhealth_svc_agent_regkey_access.yml
rename to rules/alert-rules/sigma/win_aadhealth_svc_agent_regkey_access.yml
diff --git a/rules/Sigma/win_account_backdoor_dcsync_rights.yml b/rules/alert-rules/sigma/win_account_backdoor_dcsync_rights.yml
similarity index 100%
rename from rules/Sigma/win_account_backdoor_dcsync_rights.yml
rename to rules/alert-rules/sigma/win_account_backdoor_dcsync_rights.yml
diff --git a/rules/Sigma/win_account_discovery.yml b/rules/alert-rules/sigma/win_account_discovery.yml
similarity index 100%
rename from rules/Sigma/win_account_discovery.yml
rename to rules/alert-rules/sigma/win_account_discovery.yml
diff --git a/rules/Sigma/win_ad_find_discovery.yml b/rules/alert-rules/sigma/win_ad_find_discovery.yml
similarity index 100%
rename from rules/Sigma/win_ad_find_discovery.yml
rename to rules/alert-rules/sigma/win_ad_find_discovery.yml
diff --git a/rules/Sigma/win_ad_object_writedac_access.yml b/rules/alert-rules/sigma/win_ad_object_writedac_access.yml
similarity index 100%
rename from rules/Sigma/win_ad_object_writedac_access.yml
rename to rules/alert-rules/sigma/win_ad_object_writedac_access.yml
diff --git a/rules/Sigma/win_ad_replication_non_machine_account.yml b/rules/alert-rules/sigma/win_ad_replication_non_machine_account.yml
similarity index 100%
rename from rules/Sigma/win_ad_replication_non_machine_account.yml
rename to rules/alert-rules/sigma/win_ad_replication_non_machine_account.yml
diff --git a/rules/Sigma/win_ad_user_enumeration.yml b/rules/alert-rules/sigma/win_ad_user_enumeration.yml
similarity index 100%
rename from rules/Sigma/win_ad_user_enumeration.yml
rename to rules/alert-rules/sigma/win_ad_user_enumeration.yml
diff --git a/rules/Sigma/win_admin_rdp_login.yml b/rules/alert-rules/sigma/win_admin_rdp_login.yml
similarity index 100%
rename from rules/Sigma/win_admin_rdp_login.yml
rename to rules/alert-rules/sigma/win_admin_rdp_login.yml
diff --git a/rules/Sigma/win_admin_share_access.yml b/rules/alert-rules/sigma/win_admin_share_access.yml
similarity index 100%
rename from rules/Sigma/win_admin_share_access.yml
rename to rules/alert-rules/sigma/win_admin_share_access.yml
diff --git a/rules/Sigma/win_alert_active_directory_user_control.yml b/rules/alert-rules/sigma/win_alert_active_directory_user_control.yml
similarity index 100%
rename from rules/Sigma/win_alert_active_directory_user_control.yml
rename to rules/alert-rules/sigma/win_alert_active_directory_user_control.yml
diff --git a/rules/Sigma/win_alert_ad_user_backdoors.yml b/rules/alert-rules/sigma/win_alert_ad_user_backdoors.yml
similarity index 100%
rename from rules/Sigma/win_alert_ad_user_backdoors.yml
rename to rules/alert-rules/sigma/win_alert_ad_user_backdoors.yml
diff --git a/rules/Sigma/win_alert_enable_weak_encryption.yml b/rules/alert-rules/sigma/win_alert_enable_weak_encryption.yml
similarity index 100%
rename from rules/Sigma/win_alert_enable_weak_encryption.yml
rename to rules/alert-rules/sigma/win_alert_enable_weak_encryption.yml
diff --git a/rules/Sigma/win_alert_lsass_access.yml b/rules/alert-rules/sigma/win_alert_lsass_access.yml
similarity index 100%
rename from rules/Sigma/win_alert_lsass_access.yml
rename to rules/alert-rules/sigma/win_alert_lsass_access.yml
diff --git a/rules/Sigma/win_alert_mimikatz_keywords.yml b/rules/alert-rules/sigma/win_alert_mimikatz_keywords.yml
similarity index 100%
rename from rules/Sigma/win_alert_mimikatz_keywords.yml
rename to rules/alert-rules/sigma/win_alert_mimikatz_keywords.yml
diff --git a/rules/Sigma/win_alert_ruler.yml b/rules/alert-rules/sigma/win_alert_ruler.yml
similarity index 100%
rename from rules/Sigma/win_alert_ruler.yml
rename to rules/alert-rules/sigma/win_alert_ruler.yml
diff --git a/rules/Sigma/win_anydesk_silent_install.yml b/rules/alert-rules/sigma/win_anydesk_silent_install.yml
similarity index 100%
rename from rules/Sigma/win_anydesk_silent_install.yml
rename to rules/alert-rules/sigma/win_anydesk_silent_install.yml
diff --git a/rules/Sigma/win_applocker_file_was_not_allowed_to_run.yml b/rules/alert-rules/sigma/win_applocker_file_was_not_allowed_to_run.yml
similarity index 100%
rename from rules/Sigma/win_applocker_file_was_not_allowed_to_run.yml
rename to rules/alert-rules/sigma/win_applocker_file_was_not_allowed_to_run.yml
diff --git a/rules/Sigma/win_apt_apt29_thinktanks.yml b/rules/alert-rules/sigma/win_apt_apt29_thinktanks.yml
similarity index 100%
rename from rules/Sigma/win_apt_apt29_thinktanks.yml
rename to rules/alert-rules/sigma/win_apt_apt29_thinktanks.yml
diff --git a/rules/Sigma/win_apt_babyshark.yml b/rules/alert-rules/sigma/win_apt_babyshark.yml
similarity index 100%
rename from rules/Sigma/win_apt_babyshark.yml
rename to rules/alert-rules/sigma/win_apt_babyshark.yml
diff --git a/rules/Sigma/win_apt_bear_activity_gtr19.yml b/rules/alert-rules/sigma/win_apt_bear_activity_gtr19.yml
similarity index 100%
rename from rules/Sigma/win_apt_bear_activity_gtr19.yml
rename to rules/alert-rules/sigma/win_apt_bear_activity_gtr19.yml
diff --git a/rules/Sigma/win_apt_bluemashroom.yml b/rules/alert-rules/sigma/win_apt_bluemashroom.yml
similarity index 100%
rename from rules/Sigma/win_apt_bluemashroom.yml
rename to rules/alert-rules/sigma/win_apt_bluemashroom.yml
diff --git a/rules/Sigma/win_apt_carbonpaper_turla.yml b/rules/alert-rules/sigma/win_apt_carbonpaper_turla.yml
similarity index 100%
rename from rules/Sigma/win_apt_carbonpaper_turla.yml
rename to rules/alert-rules/sigma/win_apt_carbonpaper_turla.yml
diff --git a/rules/Sigma/win_apt_chafer_mar18_security.yml b/rules/alert-rules/sigma/win_apt_chafer_mar18_security.yml
similarity index 100%
rename from rules/Sigma/win_apt_chafer_mar18_security.yml
rename to rules/alert-rules/sigma/win_apt_chafer_mar18_security.yml
diff --git a/rules/Sigma/win_apt_chafer_mar18_system.yml b/rules/alert-rules/sigma/win_apt_chafer_mar18_system.yml
similarity index 100%
rename from rules/Sigma/win_apt_chafer_mar18_system.yml
rename to rules/alert-rules/sigma/win_apt_chafer_mar18_system.yml
diff --git a/rules/Sigma/win_apt_cloudhopper.yml b/rules/alert-rules/sigma/win_apt_cloudhopper.yml
similarity index 100%
rename from rules/Sigma/win_apt_cloudhopper.yml
rename to rules/alert-rules/sigma/win_apt_cloudhopper.yml
diff --git a/rules/Sigma/win_apt_dragonfly.yml b/rules/alert-rules/sigma/win_apt_dragonfly.yml
similarity index 100%
rename from rules/Sigma/win_apt_dragonfly.yml
rename to rules/alert-rules/sigma/win_apt_dragonfly.yml
diff --git a/rules/Sigma/win_apt_elise.yml b/rules/alert-rules/sigma/win_apt_elise.yml
similarity index 100%
rename from rules/Sigma/win_apt_elise.yml
rename to rules/alert-rules/sigma/win_apt_elise.yml
diff --git a/rules/Sigma/win_apt_emissarypanda_sep19.yml b/rules/alert-rules/sigma/win_apt_emissarypanda_sep19.yml
similarity index 100%
rename from rules/Sigma/win_apt_emissarypanda_sep19.yml
rename to rules/alert-rules/sigma/win_apt_emissarypanda_sep19.yml
diff --git a/rules/Sigma/win_apt_empiremonkey.yml b/rules/alert-rules/sigma/win_apt_empiremonkey.yml
similarity index 100%
rename from rules/Sigma/win_apt_empiremonkey.yml
rename to rules/alert-rules/sigma/win_apt_empiremonkey.yml
diff --git a/rules/Sigma/win_apt_equationgroup_dll_u_load.yml b/rules/alert-rules/sigma/win_apt_equationgroup_dll_u_load.yml
similarity index 100%
rename from rules/Sigma/win_apt_equationgroup_dll_u_load.yml
rename to rules/alert-rules/sigma/win_apt_equationgroup_dll_u_load.yml
diff --git a/rules/Sigma/win_apt_evilnum_jul20.yml b/rules/alert-rules/sigma/win_apt_evilnum_jul20.yml
similarity index 100%
rename from rules/Sigma/win_apt_evilnum_jul20.yml
rename to rules/alert-rules/sigma/win_apt_evilnum_jul20.yml
diff --git a/rules/Sigma/win_apt_gallium.yml b/rules/alert-rules/sigma/win_apt_gallium.yml
similarity index 100%
rename from rules/Sigma/win_apt_gallium.yml
rename to rules/alert-rules/sigma/win_apt_gallium.yml
diff --git a/rules/Sigma/win_apt_greenbug_may20.yml b/rules/alert-rules/sigma/win_apt_greenbug_may20.yml
similarity index 100%
rename from rules/Sigma/win_apt_greenbug_may20.yml
rename to rules/alert-rules/sigma/win_apt_greenbug_may20.yml
diff --git a/rules/Sigma/win_apt_hafnium.yml b/rules/alert-rules/sigma/win_apt_hafnium.yml
similarity index 100%
rename from rules/Sigma/win_apt_hafnium.yml
rename to rules/alert-rules/sigma/win_apt_hafnium.yml
diff --git a/rules/Sigma/win_apt_hurricane_panda.yml b/rules/alert-rules/sigma/win_apt_hurricane_panda.yml
similarity index 100%
rename from rules/Sigma/win_apt_hurricane_panda.yml
rename to rules/alert-rules/sigma/win_apt_hurricane_panda.yml
diff --git a/rules/Sigma/win_apt_judgement_panda_gtr19.yml b/rules/alert-rules/sigma/win_apt_judgement_panda_gtr19.yml
similarity index 100%
rename from rules/Sigma/win_apt_judgement_panda_gtr19.yml
rename to rules/alert-rules/sigma/win_apt_judgement_panda_gtr19.yml
diff --git a/rules/Sigma/win_apt_ke3chang_regadd.yml b/rules/alert-rules/sigma/win_apt_ke3chang_regadd.yml
similarity index 100%
rename from rules/Sigma/win_apt_ke3chang_regadd.yml
rename to rules/alert-rules/sigma/win_apt_ke3chang_regadd.yml
diff --git a/rules/Sigma/win_apt_lazarus_activity_apr21.yml b/rules/alert-rules/sigma/win_apt_lazarus_activity_apr21.yml
similarity index 100%
rename from rules/Sigma/win_apt_lazarus_activity_apr21.yml
rename to rules/alert-rules/sigma/win_apt_lazarus_activity_apr21.yml
diff --git a/rules/Sigma/win_apt_lazarus_activity_dec20.yml b/rules/alert-rules/sigma/win_apt_lazarus_activity_dec20.yml
similarity index 100%
rename from rules/Sigma/win_apt_lazarus_activity_dec20.yml
rename to rules/alert-rules/sigma/win_apt_lazarus_activity_dec20.yml
diff --git a/rules/Sigma/win_apt_lazarus_loader.yml b/rules/alert-rules/sigma/win_apt_lazarus_loader.yml
similarity index 100%
rename from rules/Sigma/win_apt_lazarus_loader.yml
rename to rules/alert-rules/sigma/win_apt_lazarus_loader.yml
diff --git a/rules/Sigma/win_apt_lazarus_session_highjack.yml b/rules/alert-rules/sigma/win_apt_lazarus_session_highjack.yml
similarity index 100%
rename from rules/Sigma/win_apt_lazarus_session_highjack.yml
rename to rules/alert-rules/sigma/win_apt_lazarus_session_highjack.yml
diff --git a/rules/Sigma/win_apt_mustangpanda.yml b/rules/alert-rules/sigma/win_apt_mustangpanda.yml
similarity index 100%
rename from rules/Sigma/win_apt_mustangpanda.yml
rename to rules/alert-rules/sigma/win_apt_mustangpanda.yml
diff --git a/rules/Sigma/win_apt_revil_kaseya.yml b/rules/alert-rules/sigma/win_apt_revil_kaseya.yml
similarity index 100%
rename from rules/Sigma/win_apt_revil_kaseya.yml
rename to rules/alert-rules/sigma/win_apt_revil_kaseya.yml
diff --git a/rules/Sigma/win_apt_slingshot.yml b/rules/alert-rules/sigma/win_apt_slingshot.yml
similarity index 100%
rename from rules/Sigma/win_apt_slingshot.yml
rename to rules/alert-rules/sigma/win_apt_slingshot.yml
diff --git a/rules/Sigma/win_apt_sofacy.yml b/rules/alert-rules/sigma/win_apt_sofacy.yml
similarity index 100%
rename from rules/Sigma/win_apt_sofacy.yml
rename to rules/alert-rules/sigma/win_apt_sofacy.yml
diff --git a/rules/Sigma/win_apt_stonedrill.yml b/rules/alert-rules/sigma/win_apt_stonedrill.yml
similarity index 100%
rename from rules/Sigma/win_apt_stonedrill.yml
rename to rules/alert-rules/sigma/win_apt_stonedrill.yml
diff --git a/rules/Sigma/win_apt_ta17_293a_ps.yml b/rules/alert-rules/sigma/win_apt_ta17_293a_ps.yml
similarity index 100%
rename from rules/Sigma/win_apt_ta17_293a_ps.yml
rename to rules/alert-rules/sigma/win_apt_ta17_293a_ps.yml
diff --git a/rules/Sigma/win_apt_ta505_dropper.yml b/rules/alert-rules/sigma/win_apt_ta505_dropper.yml
similarity index 100%
rename from rules/Sigma/win_apt_ta505_dropper.yml
rename to rules/alert-rules/sigma/win_apt_ta505_dropper.yml
diff --git a/rules/Sigma/win_apt_taidoor.yml b/rules/alert-rules/sigma/win_apt_taidoor.yml
similarity index 100%
rename from rules/Sigma/win_apt_taidoor.yml
rename to rules/alert-rules/sigma/win_apt_taidoor.yml
diff --git a/rules/Sigma/win_apt_tropictrooper.yml b/rules/alert-rules/sigma/win_apt_tropictrooper.yml
similarity index 100%
rename from rules/Sigma/win_apt_tropictrooper.yml
rename to rules/alert-rules/sigma/win_apt_tropictrooper.yml
diff --git a/rules/Sigma/win_apt_turla_comrat_may20.yml b/rules/alert-rules/sigma/win_apt_turla_comrat_may20.yml
similarity index 100%
rename from rules/Sigma/win_apt_turla_comrat_may20.yml
rename to rules/alert-rules/sigma/win_apt_turla_comrat_may20.yml
diff --git a/rules/Sigma/win_apt_turla_service_png.yml b/rules/alert-rules/sigma/win_apt_turla_service_png.yml
similarity index 100%
rename from rules/Sigma/win_apt_turla_service_png.yml
rename to rules/alert-rules/sigma/win_apt_turla_service_png.yml
diff --git a/rules/Sigma/win_apt_unc2452_cmds.yml b/rules/alert-rules/sigma/win_apt_unc2452_cmds.yml
similarity index 100%
rename from rules/Sigma/win_apt_unc2452_cmds.yml
rename to rules/alert-rules/sigma/win_apt_unc2452_cmds.yml
diff --git a/rules/Sigma/win_apt_unc2452_ps.yml b/rules/alert-rules/sigma/win_apt_unc2452_ps.yml
similarity index 100%
rename from rules/Sigma/win_apt_unc2452_ps.yml
rename to rules/alert-rules/sigma/win_apt_unc2452_ps.yml
diff --git a/rules/Sigma/win_apt_unidentified_nov_18.yml b/rules/alert-rules/sigma/win_apt_unidentified_nov_18.yml
similarity index 100%
rename from rules/Sigma/win_apt_unidentified_nov_18.yml
rename to rules/alert-rules/sigma/win_apt_unidentified_nov_18.yml
diff --git a/rules/Sigma/win_apt_winnti_mal_hk_jan20.yml b/rules/alert-rules/sigma/win_apt_winnti_mal_hk_jan20.yml
similarity index 100%
rename from rules/Sigma/win_apt_winnti_mal_hk_jan20.yml
rename to rules/alert-rules/sigma/win_apt_winnti_mal_hk_jan20.yml
diff --git a/rules/Sigma/win_apt_winnti_pipemon.yml b/rules/alert-rules/sigma/win_apt_winnti_pipemon.yml
similarity index 100%
rename from rules/Sigma/win_apt_winnti_pipemon.yml
rename to rules/alert-rules/sigma/win_apt_winnti_pipemon.yml
diff --git a/rules/Sigma/win_apt_wocao.yml b/rules/alert-rules/sigma/win_apt_wocao.yml
similarity index 100%
rename from rules/Sigma/win_apt_wocao.yml
rename to rules/alert-rules/sigma/win_apt_wocao.yml
diff --git a/rules/Sigma/win_apt_zxshell.yml b/rules/alert-rules/sigma/win_apt_zxshell.yml
similarity index 100%
rename from rules/Sigma/win_apt_zxshell.yml
rename to rules/alert-rules/sigma/win_apt_zxshell.yml
diff --git a/rules/Sigma/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/alert-rules/sigma/win_arbitrary_shell_execution_via_settingcontent.yml
similarity index 100%
rename from rules/Sigma/win_arbitrary_shell_execution_via_settingcontent.yml
rename to rules/alert-rules/sigma/win_arbitrary_shell_execution_via_settingcontent.yml
diff --git a/rules/Sigma/win_asr_bypass_via_appvlp_re.yml b/rules/alert-rules/sigma/win_asr_bypass_via_appvlp_re.yml
similarity index 100%
rename from rules/Sigma/win_asr_bypass_via_appvlp_re.yml
rename to rules/alert-rules/sigma/win_asr_bypass_via_appvlp_re.yml
diff --git a/rules/Sigma/win_atsvc_task.yml b/rules/alert-rules/sigma/win_atsvc_task.yml
similarity index 100%
rename from rules/Sigma/win_atsvc_task.yml
rename to rules/alert-rules/sigma/win_atsvc_task.yml
diff --git a/rules/Sigma/win_attrib_hiding_files.yml b/rules/alert-rules/sigma/win_attrib_hiding_files.yml
similarity index 100%
rename from rules/Sigma/win_attrib_hiding_files.yml
rename to rules/alert-rules/sigma/win_attrib_hiding_files.yml
diff --git a/rules/Sigma/win_audit_cve.yml b/rules/alert-rules/sigma/win_audit_cve.yml
similarity index 100%
rename from rules/Sigma/win_audit_cve.yml
rename to rules/alert-rules/sigma/win_audit_cve.yml
diff --git a/rules/Sigma/win_av_relevant_match.yml b/rules/alert-rules/sigma/win_av_relevant_match.yml
similarity index 100%
rename from rules/Sigma/win_av_relevant_match.yml
rename to rules/alert-rules/sigma/win_av_relevant_match.yml
diff --git a/rules/Sigma/win_bad_opsec_sacrificial_processes.yml b/rules/alert-rules/sigma/win_bad_opsec_sacrificial_processes.yml
similarity index 100%
rename from rules/Sigma/win_bad_opsec_sacrificial_processes.yml
rename to rules/alert-rules/sigma/win_bad_opsec_sacrificial_processes.yml
diff --git a/rules/Sigma/win_bootconf_mod.yml b/rules/alert-rules/sigma/win_bootconf_mod.yml
similarity index 100%
rename from rules/Sigma/win_bootconf_mod.yml
rename to rules/alert-rules/sigma/win_bootconf_mod.yml
diff --git a/rules/Sigma/win_bypass_squiblytwo.yml b/rules/alert-rules/sigma/win_bypass_squiblytwo.yml
similarity index 100%
rename from rules/Sigma/win_bypass_squiblytwo.yml
rename to rules/alert-rules/sigma/win_bypass_squiblytwo.yml
diff --git a/rules/Sigma/win_camera_microphone_access.yml b/rules/alert-rules/sigma/win_camera_microphone_access.yml
similarity index 100%
rename from rules/Sigma/win_camera_microphone_access.yml
rename to rules/alert-rules/sigma/win_camera_microphone_access.yml
diff --git a/rules/Sigma/win_change_default_file_association.yml b/rules/alert-rules/sigma/win_change_default_file_association.yml
similarity index 100%
rename from rules/Sigma/win_change_default_file_association.yml
rename to rules/alert-rules/sigma/win_change_default_file_association.yml
diff --git a/rules/Sigma/win_cl_invocation_lolscript.yml b/rules/alert-rules/sigma/win_cl_invocation_lolscript.yml
similarity index 100%
rename from rules/Sigma/win_cl_invocation_lolscript.yml
rename to rules/alert-rules/sigma/win_cl_invocation_lolscript.yml
diff --git a/rules/Sigma/win_cl_mutexverifiers_lolscript.yml b/rules/alert-rules/sigma/win_cl_mutexverifiers_lolscript.yml
similarity index 100%
rename from rules/Sigma/win_cl_mutexverifiers_lolscript.yml
rename to rules/alert-rules/sigma/win_cl_mutexverifiers_lolscript.yml
diff --git a/rules/Sigma/win_class_exec_xwizard.yml b/rules/alert-rules/sigma/win_class_exec_xwizard.yml
similarity index 100%
rename from rules/Sigma/win_class_exec_xwizard.yml
rename to rules/alert-rules/sigma/win_class_exec_xwizard.yml
diff --git a/rules/Sigma/win_cmdkey_recon.yml b/rules/alert-rules/sigma/win_cmdkey_recon.yml
similarity index 100%
rename from rules/Sigma/win_cmdkey_recon.yml
rename to rules/alert-rules/sigma/win_cmdkey_recon.yml
diff --git a/rules/Sigma/win_cmstp_com_object_access.yml b/rules/alert-rules/sigma/win_cmstp_com_object_access.yml
similarity index 100%
rename from rules/Sigma/win_cmstp_com_object_access.yml
rename to rules/alert-rules/sigma/win_cmstp_com_object_access.yml
diff --git a/rules/Sigma/win_cobaltstrike_process_patterns.yml b/rules/alert-rules/sigma/win_cobaltstrike_process_patterns.yml
similarity index 100%
rename from rules/Sigma/win_cobaltstrike_process_patterns.yml
rename to rules/alert-rules/sigma/win_cobaltstrike_process_patterns.yml
diff --git a/rules/Sigma/win_cobaltstrike_service_installs.yml b/rules/alert-rules/sigma/win_cobaltstrike_service_installs.yml
similarity index 100%
rename from rules/Sigma/win_cobaltstrike_service_installs.yml
rename to rules/alert-rules/sigma/win_cobaltstrike_service_installs.yml
diff --git a/rules/Sigma/win_commandline_path_traversal.yml b/rules/alert-rules/sigma/win_commandline_path_traversal.yml
similarity index 100%
rename from rules/Sigma/win_commandline_path_traversal.yml
rename to rules/alert-rules/sigma/win_commandline_path_traversal.yml
diff --git a/rules/Sigma/win_commandline_path_traversal_evasion.yml b/rules/alert-rules/sigma/win_commandline_path_traversal_evasion.yml
similarity index 100%
rename from rules/Sigma/win_commandline_path_traversal_evasion.yml
rename to rules/alert-rules/sigma/win_commandline_path_traversal_evasion.yml
diff --git a/rules/Sigma/win_control_panel_item.yml b/rules/alert-rules/sigma/win_control_panel_item.yml
similarity index 100%
rename from rules/Sigma/win_control_panel_item.yml
rename to rules/alert-rules/sigma/win_control_panel_item.yml
diff --git a/rules/Sigma/win_copying_sensitive_files_with_credential_data.yml b/rules/alert-rules/sigma/win_copying_sensitive_files_with_credential_data.yml
similarity index 100%
rename from rules/Sigma/win_copying_sensitive_files_with_credential_data.yml
rename to rules/alert-rules/sigma/win_copying_sensitive_files_with_credential_data.yml
diff --git a/rules/Sigma/win_credential_access_via_password_filter.yml b/rules/alert-rules/sigma/win_credential_access_via_password_filter.yml
similarity index 100%
rename from rules/Sigma/win_credential_access_via_password_filter.yml
rename to rules/alert-rules/sigma/win_credential_access_via_password_filter.yml
diff --git a/rules/Sigma/win_crime_fireball.yml b/rules/alert-rules/sigma/win_crime_fireball.yml
similarity index 100%
rename from rules/Sigma/win_crime_fireball.yml
rename to rules/alert-rules/sigma/win_crime_fireball.yml
diff --git a/rules/Sigma/win_crime_maze_ransomware.yml b/rules/alert-rules/sigma/win_crime_maze_ransomware.yml
similarity index 100%
rename from rules/Sigma/win_crime_maze_ransomware.yml
rename to rules/alert-rules/sigma/win_crime_maze_ransomware.yml
diff --git a/rules/Sigma/win_crime_snatch_ransomware.yml b/rules/alert-rules/sigma/win_crime_snatch_ransomware.yml
similarity index 100%
rename from rules/Sigma/win_crime_snatch_ransomware.yml
rename to rules/alert-rules/sigma/win_crime_snatch_ransomware.yml
diff --git a/rules/Sigma/win_crypto_mining_monero.yml b/rules/alert-rules/sigma/win_crypto_mining_monero.yml
similarity index 100%
rename from rules/Sigma/win_crypto_mining_monero.yml
rename to rules/alert-rules/sigma/win_crypto_mining_monero.yml
diff --git a/rules/Sigma/win_cve_2021_1675_printspooler.yml b/rules/alert-rules/sigma/win_cve_2021_1675_printspooler.yml
similarity index 100%
rename from rules/Sigma/win_cve_2021_1675_printspooler.yml
rename to rules/alert-rules/sigma/win_cve_2021_1675_printspooler.yml
diff --git a/rules/Sigma/win_cve_2021_1675_printspooler_del.yml b/rules/alert-rules/sigma/win_cve_2021_1675_printspooler_del.yml
similarity index 100%
rename from rules/Sigma/win_cve_2021_1675_printspooler_del.yml
rename to rules/alert-rules/sigma/win_cve_2021_1675_printspooler_del.yml
diff --git a/rules/Sigma/win_data_compressed_with_rar.yml b/rules/alert-rules/sigma/win_data_compressed_with_rar.yml
similarity index 100%
rename from rules/Sigma/win_data_compressed_with_rar.yml
rename to rules/alert-rules/sigma/win_data_compressed_with_rar.yml
diff --git a/rules/Sigma/win_dce_rpc_smb_spoolss_named_pipe.yml b/rules/alert-rules/sigma/win_dce_rpc_smb_spoolss_named_pipe.yml
similarity index 100%
rename from rules/Sigma/win_dce_rpc_smb_spoolss_named_pipe.yml
rename to rules/alert-rules/sigma/win_dce_rpc_smb_spoolss_named_pipe.yml
diff --git a/rules/Sigma/win_dcom_iertutil_dll_hijack.yml b/rules/alert-rules/sigma/win_dcom_iertutil_dll_hijack.yml
similarity index 100%
rename from rules/Sigma/win_dcom_iertutil_dll_hijack.yml
rename to rules/alert-rules/sigma/win_dcom_iertutil_dll_hijack.yml
diff --git a/rules/Sigma/win_dcsync.yml b/rules/alert-rules/sigma/win_dcsync.yml
similarity index 100%
rename from rules/Sigma/win_dcsync.yml
rename to rules/alert-rules/sigma/win_dcsync.yml
diff --git a/rules/Sigma/win_defender_amsi_trigger.yml b/rules/alert-rules/sigma/win_defender_amsi_trigger.yml
similarity index 100%
rename from rules/Sigma/win_defender_amsi_trigger.yml
rename to rules/alert-rules/sigma/win_defender_amsi_trigger.yml
diff --git a/rules/Sigma/win_defender_bypass.yml b/rules/alert-rules/sigma/win_defender_bypass.yml
similarity index 100%
rename from rules/Sigma/win_defender_bypass.yml
rename to rules/alert-rules/sigma/win_defender_bypass.yml
diff --git a/rules/Sigma/win_defender_disabled.yml b/rules/alert-rules/sigma/win_defender_disabled.yml
similarity index 100%
rename from rules/Sigma/win_defender_disabled.yml
rename to rules/alert-rules/sigma/win_defender_disabled.yml
diff --git a/rules/Sigma/win_defender_exclusions.yml b/rules/alert-rules/sigma/win_defender_exclusions.yml
similarity index 100%
rename from rules/Sigma/win_defender_exclusions.yml
rename to rules/alert-rules/sigma/win_defender_exclusions.yml
diff --git a/rules/Sigma/win_defender_history_delete.yml b/rules/alert-rules/sigma/win_defender_history_delete.yml
similarity index 100%
rename from rules/Sigma/win_defender_history_delete.yml
rename to rules/alert-rules/sigma/win_defender_history_delete.yml
diff --git a/rules/Sigma/win_defender_psexec_wmi_asr.yml b/rules/alert-rules/sigma/win_defender_psexec_wmi_asr.yml
similarity index 100%
rename from rules/Sigma/win_defender_psexec_wmi_asr.yml
rename to rules/alert-rules/sigma/win_defender_psexec_wmi_asr.yml
diff --git a/rules/Sigma/win_defender_tamper_protection_trigger.yml b/rules/alert-rules/sigma/win_defender_tamper_protection_trigger.yml
similarity index 100%
rename from rules/Sigma/win_defender_tamper_protection_trigger.yml
rename to rules/alert-rules/sigma/win_defender_tamper_protection_trigger.yml
diff --git a/rules/Sigma/win_defender_threat.yml b/rules/alert-rules/sigma/win_defender_threat.yml
similarity index 100%
rename from rules/Sigma/win_defender_threat.yml
rename to rules/alert-rules/sigma/win_defender_threat.yml
diff --git a/rules/Sigma/win_detecting_fake_instances_of_hxtsr.yml b/rules/alert-rules/sigma/win_detecting_fake_instances_of_hxtsr.yml
similarity index 100%
rename from rules/Sigma/win_detecting_fake_instances_of_hxtsr.yml
rename to rules/alert-rules/sigma/win_detecting_fake_instances_of_hxtsr.yml
diff --git a/rules/Sigma/win_disable_event_logging.yml b/rules/alert-rules/sigma/win_disable_event_logging.yml
similarity index 100%
rename from rules/Sigma/win_disable_event_logging.yml
rename to rules/alert-rules/sigma/win_disable_event_logging.yml
diff --git a/rules/Sigma/win_dll_sideload_xwizard.yml b/rules/alert-rules/sigma/win_dll_sideload_xwizard.yml
similarity index 100%
rename from rules/Sigma/win_dll_sideload_xwizard.yml
rename to rules/alert-rules/sigma/win_dll_sideload_xwizard.yml
diff --git a/rules/Sigma/win_dns_exfiltration_tools_execution.yml b/rules/alert-rules/sigma/win_dns_exfiltration_tools_execution.yml
similarity index 100%
rename from rules/Sigma/win_dns_exfiltration_tools_execution.yml
rename to rules/alert-rules/sigma/win_dns_exfiltration_tools_execution.yml
diff --git a/rules/Sigma/win_dnscat2_powershell_implementation.yml b/rules/alert-rules/sigma/win_dnscat2_powershell_implementation.yml
similarity index 100%
rename from rules/Sigma/win_dnscat2_powershell_implementation.yml
rename to rules/alert-rules/sigma/win_dnscat2_powershell_implementation.yml
diff --git a/rules/Sigma/win_dpapi_domain_backupkey_extraction.yml b/rules/alert-rules/sigma/win_dpapi_domain_backupkey_extraction.yml
similarity index 100%
rename from rules/Sigma/win_dpapi_domain_backupkey_extraction.yml
rename to rules/alert-rules/sigma/win_dpapi_domain_backupkey_extraction.yml
diff --git a/rules/Sigma/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/alert-rules/sigma/win_dpapi_domain_masterkey_backup_attempt.yml
similarity index 100%
rename from rules/Sigma/win_dpapi_domain_masterkey_backup_attempt.yml
rename to rules/alert-rules/sigma/win_dpapi_domain_masterkey_backup_attempt.yml
diff --git a/rules/Sigma/win_encoded_frombase64string.yml b/rules/alert-rules/sigma/win_encoded_frombase64string.yml
similarity index 100%
rename from rules/Sigma/win_encoded_frombase64string.yml
rename to rules/alert-rules/sigma/win_encoded_frombase64string.yml
diff --git a/rules/Sigma/win_encoded_iex.yml b/rules/alert-rules/sigma/win_encoded_iex.yml
similarity index 100%
rename from rules/Sigma/win_encoded_iex.yml
rename to rules/alert-rules/sigma/win_encoded_iex.yml
diff --git a/rules/Sigma/win_etw_modification.yml b/rules/alert-rules/sigma/win_etw_modification.yml
similarity index 100%
rename from rules/Sigma/win_etw_modification.yml
rename to rules/alert-rules/sigma/win_etw_modification.yml
diff --git a/rules/Sigma/win_etw_modification_cmdline.yml b/rules/alert-rules/sigma/win_etw_modification_cmdline.yml
similarity index 100%
rename from rules/Sigma/win_etw_modification_cmdline.yml
rename to rules/alert-rules/sigma/win_etw_modification_cmdline.yml
diff --git a/rules/Sigma/win_etw_trace_evasion.yml b/rules/alert-rules/sigma/win_etw_trace_evasion.yml
similarity index 100%
rename from rules/Sigma/win_etw_trace_evasion.yml
rename to rules/alert-rules/sigma/win_etw_trace_evasion.yml
diff --git a/rules/Sigma/win_event_log_cleared.yml b/rules/alert-rules/sigma/win_event_log_cleared.yml
similarity index 100%
rename from rules/Sigma/win_event_log_cleared.yml
rename to rules/alert-rules/sigma/win_event_log_cleared.yml
diff --git a/rules/Sigma/win_exchange_proxylogon_oabvirtualdir.yml b/rules/alert-rules/sigma/win_exchange_proxylogon_oabvirtualdir.yml
similarity index 100%
rename from rules/Sigma/win_exchange_proxylogon_oabvirtualdir.yml
rename to rules/alert-rules/sigma/win_exchange_proxylogon_oabvirtualdir.yml
diff --git a/rules/Sigma/win_exchange_proxyshell_certificate_generation.yml b/rules/alert-rules/sigma/win_exchange_proxyshell_certificate_generation.yml
similarity index 100%
rename from rules/Sigma/win_exchange_proxyshell_certificate_generation.yml
rename to rules/alert-rules/sigma/win_exchange_proxyshell_certificate_generation.yml
diff --git a/rules/Sigma/win_exchange_proxyshell_mailbox_export.yml b/rules/alert-rules/sigma/win_exchange_proxyshell_mailbox_export.yml
similarity index 100%
rename from rules/Sigma/win_exchange_proxyshell_mailbox_export.yml
rename to rules/alert-rules/sigma/win_exchange_proxyshell_mailbox_export.yml
diff --git a/rules/Sigma/win_exchange_proxyshell_remove_mailbox_export.yml b/rules/alert-rules/sigma/win_exchange_proxyshell_remove_mailbox_export.yml
similarity index 100%
rename from rules/Sigma/win_exchange_proxyshell_remove_mailbox_export.yml
rename to rules/alert-rules/sigma/win_exchange_proxyshell_remove_mailbox_export.yml
diff --git a/rules/Sigma/win_exchange_transportagent.yml b/rules/alert-rules/sigma/win_exchange_transportagent.yml
similarity index 100%
rename from rules/Sigma/win_exchange_transportagent.yml
rename to rules/alert-rules/sigma/win_exchange_transportagent.yml
diff --git a/rules/Sigma/win_exchange_transportagent_failed.yml b/rules/alert-rules/sigma/win_exchange_transportagent_failed.yml
similarity index 100%
rename from rules/Sigma/win_exchange_transportagent_failed.yml
rename to rules/alert-rules/sigma/win_exchange_transportagent_failed.yml
diff --git a/rules/Sigma/win_exfiltration_and_tunneling_tools_execution.yml b/rules/alert-rules/sigma/win_exfiltration_and_tunneling_tools_execution.yml
similarity index 100%
rename from rules/Sigma/win_exfiltration_and_tunneling_tools_execution.yml
rename to rules/alert-rules/sigma/win_exfiltration_and_tunneling_tools_execution.yml
diff --git a/rules/Sigma/win_exploit_cve_2015_1641.yml b/rules/alert-rules/sigma/win_exploit_cve_2015_1641.yml
similarity index 100%
rename from rules/Sigma/win_exploit_cve_2015_1641.yml
rename to rules/alert-rules/sigma/win_exploit_cve_2015_1641.yml
diff --git a/rules/Sigma/win_exploit_cve_2017_0261.yml b/rules/alert-rules/sigma/win_exploit_cve_2017_0261.yml
similarity index 100%
rename from rules/Sigma/win_exploit_cve_2017_0261.yml
rename to rules/alert-rules/sigma/win_exploit_cve_2017_0261.yml
diff --git a/rules/Sigma/win_exploit_cve_2017_11882.yml b/rules/alert-rules/sigma/win_exploit_cve_2017_11882.yml
similarity index 100%
rename from rules/Sigma/win_exploit_cve_2017_11882.yml
rename to rules/alert-rules/sigma/win_exploit_cve_2017_11882.yml
diff --git a/rules/Sigma/win_exploit_cve_2017_8759.yml b/rules/alert-rules/sigma/win_exploit_cve_2017_8759.yml
similarity index 100%
rename from rules/Sigma/win_exploit_cve_2017_8759.yml
rename to rules/alert-rules/sigma/win_exploit_cve_2017_8759.yml
diff --git a/rules/Sigma/win_exploit_cve_2019_1378.yml b/rules/alert-rules/sigma/win_exploit_cve_2019_1378.yml
similarity index 100%
rename from rules/Sigma/win_exploit_cve_2019_1378.yml
rename to rules/alert-rules/sigma/win_exploit_cve_2019_1378.yml
diff --git a/rules/Sigma/win_exploit_cve_2019_1388.yml b/rules/alert-rules/sigma/win_exploit_cve_2019_1388.yml
similarity index 100%
rename from rules/Sigma/win_exploit_cve_2019_1388.yml
rename to rules/alert-rules/sigma/win_exploit_cve_2019_1388.yml
diff --git a/rules/Sigma/win_exploit_cve_2020_10189.yml b/rules/alert-rules/sigma/win_exploit_cve_2020_10189.yml
similarity index 100%
rename from rules/Sigma/win_exploit_cve_2020_10189.yml
rename to rules/alert-rules/sigma/win_exploit_cve_2020_10189.yml
diff --git a/rules/Sigma/win_exploit_cve_2020_1048.yml b/rules/alert-rules/sigma/win_exploit_cve_2020_1048.yml
similarity index 100%
rename from rules/Sigma/win_exploit_cve_2020_1048.yml
rename to rules/alert-rules/sigma/win_exploit_cve_2020_1048.yml
diff --git a/rules/Sigma/win_exploit_cve_2020_1350.yml b/rules/alert-rules/sigma/win_exploit_cve_2020_1350.yml
similarity index 100%
rename from rules/Sigma/win_exploit_cve_2020_1350.yml
rename to rules/alert-rules/sigma/win_exploit_cve_2020_1350.yml
diff --git a/rules/Sigma/win_exploit_cve_2021_1675_printspooler.yml b/rules/alert-rules/sigma/win_exploit_cve_2021_1675_printspooler.yml
similarity index 100%
rename from rules/Sigma/win_exploit_cve_2021_1675_printspooler.yml
rename to rules/alert-rules/sigma/win_exploit_cve_2021_1675_printspooler.yml
diff --git a/rules/Sigma/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/alert-rules/sigma/win_exploit_cve_2021_1675_printspooler_operational.yml
similarity index 100%
rename from rules/Sigma/win_exploit_cve_2021_1675_printspooler_operational.yml
rename to rules/alert-rules/sigma/win_exploit_cve_2021_1675_printspooler_operational.yml
diff --git a/rules/Sigma/win_exploit_cve_2021_1675_printspooler_security.yml b/rules/alert-rules/sigma/win_exploit_cve_2021_1675_printspooler_security.yml
similarity index 100%
rename from rules/Sigma/win_exploit_cve_2021_1675_printspooler_security.yml
rename to rules/alert-rules/sigma/win_exploit_cve_2021_1675_printspooler_security.yml
diff --git a/rules/Sigma/win_exploit_systemnightmare.yml b/rules/alert-rules/sigma/win_exploit_systemnightmare.yml
similarity index 100%
rename from rules/Sigma/win_exploit_systemnightmare.yml
rename to rules/alert-rules/sigma/win_exploit_systemnightmare.yml
diff --git a/rules/Sigma/win_external_device.yml b/rules/alert-rules/sigma/win_external_device.yml
similarity index 100%
rename from rules/Sigma/win_external_device.yml
rename to rules/alert-rules/sigma/win_external_device.yml
diff --git a/rules/Sigma/win_file_permission_modifications.yml b/rules/alert-rules/sigma/win_file_permission_modifications.yml
similarity index 100%
rename from rules/Sigma/win_file_permission_modifications.yml
rename to rules/alert-rules/sigma/win_file_permission_modifications.yml
diff --git a/rules/Sigma/win_file_winword_cve_2021_40444.yml b/rules/alert-rules/sigma/win_file_winword_cve_2021_40444.yml
similarity index 100%
rename from rules/Sigma/win_file_winword_cve_2021_40444.yml
rename to rules/alert-rules/sigma/win_file_winword_cve_2021_40444.yml
diff --git a/rules/Sigma/win_global_catalog_enumeration.yml b/rules/alert-rules/sigma/win_global_catalog_enumeration.yml
similarity index 100%
rename from rules/Sigma/win_global_catalog_enumeration.yml
rename to rules/alert-rules/sigma/win_global_catalog_enumeration.yml
diff --git a/rules/Sigma/win_gpo_scheduledtasks.yml b/rules/alert-rules/sigma/win_gpo_scheduledtasks.yml
similarity index 100%
rename from rules/Sigma/win_gpo_scheduledtasks.yml
rename to rules/alert-rules/sigma/win_gpo_scheduledtasks.yml
diff --git a/rules/Sigma/win_grabbing_sensitive_hives_via_reg.yml b/rules/alert-rules/sigma/win_grabbing_sensitive_hives_via_reg.yml
similarity index 100%
rename from rules/Sigma/win_grabbing_sensitive_hives_via_reg.yml
rename to rules/alert-rules/sigma/win_grabbing_sensitive_hives_via_reg.yml
diff --git a/rules/Sigma/win_hack_adcspwn.yml b/rules/alert-rules/sigma/win_hack_adcspwn.yml
similarity index 100%
rename from rules/Sigma/win_hack_adcspwn.yml
rename to rules/alert-rules/sigma/win_hack_adcspwn.yml
diff --git a/rules/Sigma/win_hack_bloodhound.yml b/rules/alert-rules/sigma/win_hack_bloodhound.yml
similarity index 100%
rename from rules/Sigma/win_hack_bloodhound.yml
rename to rules/alert-rules/sigma/win_hack_bloodhound.yml
diff --git a/rules/Sigma/win_hack_koadic.yml b/rules/alert-rules/sigma/win_hack_koadic.yml
similarity index 100%
rename from rules/Sigma/win_hack_koadic.yml
rename to rules/alert-rules/sigma/win_hack_koadic.yml
diff --git a/rules/Sigma/win_hack_rubeus.yml b/rules/alert-rules/sigma/win_hack_rubeus.yml
similarity index 100%
rename from rules/Sigma/win_hack_rubeus.yml
rename to rules/alert-rules/sigma/win_hack_rubeus.yml
diff --git a/rules/Sigma/win_hack_secutyxploded.yml b/rules/alert-rules/sigma/win_hack_secutyxploded.yml
similarity index 100%
rename from rules/Sigma/win_hack_secutyxploded.yml
rename to rules/alert-rules/sigma/win_hack_secutyxploded.yml
diff --git a/rules/Sigma/win_hack_smbexec.yml b/rules/alert-rules/sigma/win_hack_smbexec.yml
similarity index 100%
rename from rules/Sigma/win_hack_smbexec.yml
rename to rules/alert-rules/sigma/win_hack_smbexec.yml
diff --git a/rules/Sigma/win_hh_chm.yml b/rules/alert-rules/sigma/win_hh_chm.yml
similarity index 100%
rename from rules/Sigma/win_hh_chm.yml
rename to rules/alert-rules/sigma/win_hh_chm.yml
diff --git a/rules/Sigma/win_hidden_user_creation.yml b/rules/alert-rules/sigma/win_hidden_user_creation.yml
similarity index 100%
rename from rules/Sigma/win_hidden_user_creation.yml
rename to rules/alert-rules/sigma/win_hidden_user_creation.yml
diff --git a/rules/Sigma/win_hiding_malware_in_fonts_folder.yml b/rules/alert-rules/sigma/win_hiding_malware_in_fonts_folder.yml
similarity index 100%
rename from rules/Sigma/win_hiding_malware_in_fonts_folder.yml
rename to rules/alert-rules/sigma/win_hiding_malware_in_fonts_folder.yml
diff --git a/rules/Sigma/win_hivenightmare_file_exports.yml b/rules/alert-rules/sigma/win_hivenightmare_file_exports.yml
similarity index 100%
rename from rules/Sigma/win_hivenightmare_file_exports.yml
rename to rules/alert-rules/sigma/win_hivenightmare_file_exports.yml
diff --git a/rules/Sigma/win_hktl_createminidump.yml b/rules/alert-rules/sigma/win_hktl_createminidump.yml
similarity index 100%
rename from rules/Sigma/win_hktl_createminidump.yml
rename to rules/alert-rules/sigma/win_hktl_createminidump.yml
diff --git a/rules/Sigma/win_hktl_uacme_uac_bypass.yml b/rules/alert-rules/sigma/win_hktl_uacme_uac_bypass.yml
similarity index 100%
rename from rules/Sigma/win_hktl_uacme_uac_bypass.yml
rename to rules/alert-rules/sigma/win_hktl_uacme_uac_bypass.yml
diff --git a/rules/Sigma/win_html_help_spawn.yml b/rules/alert-rules/sigma/win_html_help_spawn.yml
similarity index 100%
rename from rules/Sigma/win_html_help_spawn.yml
rename to rules/alert-rules/sigma/win_html_help_spawn.yml
diff --git a/rules/Sigma/win_hwp_exploits.yml b/rules/alert-rules/sigma/win_hwp_exploits.yml
similarity index 100%
rename from rules/Sigma/win_hwp_exploits.yml
rename to rules/alert-rules/sigma/win_hwp_exploits.yml
diff --git a/rules/Sigma/win_hybridconnectionmgr_svc_installation.yml b/rules/alert-rules/sigma/win_hybridconnectionmgr_svc_installation.yml
similarity index 100%
rename from rules/Sigma/win_hybridconnectionmgr_svc_installation.yml
rename to rules/alert-rules/sigma/win_hybridconnectionmgr_svc_installation.yml
diff --git a/rules/Sigma/win_hybridconnectionmgr_svc_running.yml b/rules/alert-rules/sigma/win_hybridconnectionmgr_svc_running.yml
similarity index 100%
rename from rules/Sigma/win_hybridconnectionmgr_svc_running.yml
rename to rules/alert-rules/sigma/win_hybridconnectionmgr_svc_running.yml
diff --git a/rules/Sigma/win_impacket_compiled_tools.yml b/rules/alert-rules/sigma/win_impacket_compiled_tools.yml
similarity index 100%
rename from rules/Sigma/win_impacket_compiled_tools.yml
rename to rules/alert-rules/sigma/win_impacket_compiled_tools.yml
diff --git a/rules/Sigma/win_impacket_lateralization.yml b/rules/alert-rules/sigma/win_impacket_lateralization.yml
similarity index 100%
rename from rules/Sigma/win_impacket_lateralization.yml
rename to rules/alert-rules/sigma/win_impacket_lateralization.yml
diff --git a/rules/Sigma/win_impacket_psexec.yml b/rules/alert-rules/sigma/win_impacket_psexec.yml
similarity index 100%
rename from rules/Sigma/win_impacket_psexec.yml
rename to rules/alert-rules/sigma/win_impacket_psexec.yml
diff --git a/rules/Sigma/win_impacket_secretdump.yml b/rules/alert-rules/sigma/win_impacket_secretdump.yml
similarity index 100%
rename from rules/Sigma/win_impacket_secretdump.yml
rename to rules/alert-rules/sigma/win_impacket_secretdump.yml
diff --git a/rules/Sigma/win_indirect_cmd.yml b/rules/alert-rules/sigma/win_indirect_cmd.yml
similarity index 100%
rename from rules/Sigma/win_indirect_cmd.yml
rename to rules/alert-rules/sigma/win_indirect_cmd.yml
diff --git a/rules/Sigma/win_indirect_cmd_compatibility_assistant.yml b/rules/alert-rules/sigma/win_indirect_cmd_compatibility_assistant.yml
similarity index 100%
rename from rules/Sigma/win_indirect_cmd_compatibility_assistant.yml
rename to rules/alert-rules/sigma/win_indirect_cmd_compatibility_assistant.yml
diff --git a/rules/Sigma/win_install_reg_debugger_backdoor.yml b/rules/alert-rules/sigma/win_install_reg_debugger_backdoor.yml
similarity index 100%
rename from rules/Sigma/win_install_reg_debugger_backdoor.yml
rename to rules/alert-rules/sigma/win_install_reg_debugger_backdoor.yml
diff --git a/rules/Sigma/win_interactive_at.yml b/rules/alert-rules/sigma/win_interactive_at.yml
similarity index 100%
rename from rules/Sigma/win_interactive_at.yml
rename to rules/alert-rules/sigma/win_interactive_at.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_clip.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_clip.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_clip.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_clip.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_clip_services.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_clip_services.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_clip_services.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_clip_services.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_clip_services_security.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_clip_services_security.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_clip_services_security.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_clip_services_security.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_obfuscated_iex_commandline.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_obfuscated_iex_commandline.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_obfuscated_iex_commandline.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_obfuscated_iex_commandline.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_obfuscated_iex_services.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_obfuscated_iex_services.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_obfuscated_iex_services.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_obfuscated_iex_services_security.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_obfuscated_iex_services_security.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_obfuscated_iex_services_security.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_stdin.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_stdin.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_stdin.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_stdin.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_stdin_services.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_stdin_services.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_stdin_services.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_stdin_services.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_stdin_services_security.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_stdin_services_security.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_stdin_services_security.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_stdin_services_security.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_var.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_var.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_var.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_var.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_var_services.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_var_services.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_var_services.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_var_services.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_var_services_security.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_var_services_security.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_var_services_security.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_var_services_security.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_compress.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_compress.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_compress.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_compress.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_compress_services.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_compress_services.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_compress_services.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_compress_services.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_compress_services_security.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_compress_services_security.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_compress_services_security.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_compress_services_security.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_rundll.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_rundll.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_rundll.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_rundll.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_rundll_services.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_rundll_services.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_rundll_services.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_rundll_services.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_rundll_services_security.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_rundll_services_security.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_rundll_services_security.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_rundll_services_security.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_stdin.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_stdin.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_stdin.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_stdin.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_stdin_services.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_stdin_services.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_stdin_services.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_stdin_services.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_stdin_services_security.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_stdin_services_security.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_stdin_services_security.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_stdin_services_security.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_use_clip.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_use_clip.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_use_clip.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_use_clip.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_use_clip_services.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_use_clip_services.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_use_clip_services.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_use_clip_services.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_use_clip_services_security.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_use_clip_services_security.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_use_clip_services_security.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_use_clip_services_security.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_use_mhsta.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_use_mhsta.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_use_mhsta.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_use_mhsta.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_use_mshta_services.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_use_mshta_services.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_use_mshta_services.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_use_mshta_services_security.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_use_mshta_services_security.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_use_mshta_services_security.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_use_mshta_services_security.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_use_rundll32.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_use_rundll32.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_use_rundll32.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_use_rundll32.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_use_rundll32_services.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_use_rundll32_services.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_use_rundll32_services.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_use_rundll32_services_security.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_use_rundll32_services_security.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_use_rundll32_services_security.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_var.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_var.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_var.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_var.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_var_services.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_var_services.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_var_services.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_var_services.yml
diff --git a/rules/Sigma/win_invoke_obfuscation_via_var_services_security.yml b/rules/alert-rules/sigma/win_invoke_obfuscation_via_var_services_security.yml
similarity index 100%
rename from rules/Sigma/win_invoke_obfuscation_via_var_services_security.yml
rename to rules/alert-rules/sigma/win_invoke_obfuscation_via_var_services_security.yml
diff --git a/rules/Sigma/win_iso_mount.yml b/rules/alert-rules/sigma/win_iso_mount.yml
similarity index 100%
rename from rules/Sigma/win_iso_mount.yml
rename to rules/alert-rules/sigma/win_iso_mount.yml
diff --git a/rules/Sigma/win_lateral_movement_condrv.yml b/rules/alert-rules/sigma/win_lateral_movement_condrv.yml
similarity index 100%
rename from rules/Sigma/win_lateral_movement_condrv.yml
rename to rules/alert-rules/sigma/win_lateral_movement_condrv.yml
diff --git a/rules/Sigma/win_ldap_recon.yml b/rules/alert-rules/sigma/win_ldap_recon.yml
similarity index 100%
rename from rules/Sigma/win_ldap_recon.yml
rename to rules/alert-rules/sigma/win_ldap_recon.yml
diff --git a/rules/Sigma/win_lethalhta.yml b/rules/alert-rules/sigma/win_lethalhta.yml
similarity index 100%
rename from rules/Sigma/win_lethalhta.yml
rename to rules/alert-rules/sigma/win_lethalhta.yml
diff --git a/rules/Sigma/win_lm_namedpipe.yml b/rules/alert-rules/sigma/win_lm_namedpipe.yml
similarity index 100%
rename from rules/Sigma/win_lm_namedpipe.yml
rename to rules/alert-rules/sigma/win_lm_namedpipe.yml
diff --git a/rules/Sigma/win_local_system_owner_account_discovery.yml b/rules/alert-rules/sigma/win_local_system_owner_account_discovery.yml
similarity index 100%
rename from rules/Sigma/win_local_system_owner_account_discovery.yml
rename to rules/alert-rules/sigma/win_local_system_owner_account_discovery.yml
diff --git a/rules/Sigma/win_lolbas_execution_of_nltest.yml b/rules/alert-rules/sigma/win_lolbas_execution_of_nltest.yml
similarity index 100%
rename from rules/Sigma/win_lolbas_execution_of_nltest.yml
rename to rules/alert-rules/sigma/win_lolbas_execution_of_nltest.yml
diff --git a/rules/Sigma/win_lolbas_execution_of_wuauclt.yml b/rules/alert-rules/sigma/win_lolbas_execution_of_wuauclt.yml
similarity index 100%
rename from rules/Sigma/win_lolbas_execution_of_wuauclt.yml
rename to rules/alert-rules/sigma/win_lolbas_execution_of_wuauclt.yml
diff --git a/rules/Sigma/win_lolbin_execution_via_winget.yml b/rules/alert-rules/sigma/win_lolbin_execution_via_winget.yml
similarity index 100%
rename from rules/Sigma/win_lolbin_execution_via_winget.yml
rename to rules/alert-rules/sigma/win_lolbin_execution_via_winget.yml
diff --git a/rules/Sigma/win_lsass_access_non_system_account.yml b/rules/alert-rules/sigma/win_lsass_access_non_system_account.yml
similarity index 100%
rename from rules/Sigma/win_lsass_access_non_system_account.yml
rename to rules/alert-rules/sigma/win_lsass_access_non_system_account.yml
diff --git a/rules/Sigma/win_lsass_dump.yml b/rules/alert-rules/sigma/win_lsass_dump.yml
similarity index 100%
rename from rules/Sigma/win_lsass_dump.yml
rename to rules/alert-rules/sigma/win_lsass_dump.yml
diff --git a/rules/Sigma/win_mal_adwind.yml b/rules/alert-rules/sigma/win_mal_adwind.yml
similarity index 100%
rename from rules/Sigma/win_mal_adwind.yml
rename to rules/alert-rules/sigma/win_mal_adwind.yml
diff --git a/rules/Sigma/win_mal_creddumper.yml b/rules/alert-rules/sigma/win_mal_creddumper.yml
similarity index 100%
rename from rules/Sigma/win_mal_creddumper.yml
rename to rules/alert-rules/sigma/win_mal_creddumper.yml
diff --git a/rules/Sigma/win_mal_wceaux_dll.yml b/rules/alert-rules/sigma/win_mal_wceaux_dll.yml
similarity index 100%
rename from rules/Sigma/win_mal_wceaux_dll.yml
rename to rules/alert-rules/sigma/win_mal_wceaux_dll.yml
diff --git a/rules/Sigma/win_malware_conti.yml b/rules/alert-rules/sigma/win_malware_conti.yml
similarity index 100%
rename from rules/Sigma/win_malware_conti.yml
rename to rules/alert-rules/sigma/win_malware_conti.yml
diff --git a/rules/Sigma/win_malware_conti_7zip.yml b/rules/alert-rules/sigma/win_malware_conti_7zip.yml
similarity index 100%
rename from rules/Sigma/win_malware_conti_7zip.yml
rename to rules/alert-rules/sigma/win_malware_conti_7zip.yml
diff --git a/rules/Sigma/win_malware_conti_shadowcopy.yml b/rules/alert-rules/sigma/win_malware_conti_shadowcopy.yml
similarity index 100%
rename from rules/Sigma/win_malware_conti_shadowcopy.yml
rename to rules/alert-rules/sigma/win_malware_conti_shadowcopy.yml
diff --git a/rules/Sigma/win_malware_dridex.yml b/rules/alert-rules/sigma/win_malware_dridex.yml
similarity index 100%
rename from rules/Sigma/win_malware_dridex.yml
rename to rules/alert-rules/sigma/win_malware_dridex.yml
diff --git a/rules/Sigma/win_malware_dtrack.yml b/rules/alert-rules/sigma/win_malware_dtrack.yml
similarity index 100%
rename from rules/Sigma/win_malware_dtrack.yml
rename to rules/alert-rules/sigma/win_malware_dtrack.yml
diff --git a/rules/Sigma/win_malware_emotet.yml b/rules/alert-rules/sigma/win_malware_emotet.yml
similarity index 100%
rename from rules/Sigma/win_malware_emotet.yml
rename to rules/alert-rules/sigma/win_malware_emotet.yml
diff --git a/rules/Sigma/win_malware_formbook.yml b/rules/alert-rules/sigma/win_malware_formbook.yml
similarity index 100%
rename from rules/Sigma/win_malware_formbook.yml
rename to rules/alert-rules/sigma/win_malware_formbook.yml
diff --git a/rules/Sigma/win_malware_notpetya.yml b/rules/alert-rules/sigma/win_malware_notpetya.yml
similarity index 100%
rename from rules/Sigma/win_malware_notpetya.yml
rename to rules/alert-rules/sigma/win_malware_notpetya.yml
diff --git a/rules/Sigma/win_malware_qbot.yml b/rules/alert-rules/sigma/win_malware_qbot.yml
similarity index 100%
rename from rules/Sigma/win_malware_qbot.yml
rename to rules/alert-rules/sigma/win_malware_qbot.yml
diff --git a/rules/Sigma/win_malware_ryuk.yml b/rules/alert-rules/sigma/win_malware_ryuk.yml
similarity index 100%
rename from rules/Sigma/win_malware_ryuk.yml
rename to rules/alert-rules/sigma/win_malware_ryuk.yml
diff --git a/rules/Sigma/win_malware_script_dropper.yml b/rules/alert-rules/sigma/win_malware_script_dropper.yml
similarity index 100%
rename from rules/Sigma/win_malware_script_dropper.yml
rename to rules/alert-rules/sigma/win_malware_script_dropper.yml
diff --git a/rules/Sigma/win_malware_trickbot_recon_activity.yml b/rules/alert-rules/sigma/win_malware_trickbot_recon_activity.yml
similarity index 100%
rename from rules/Sigma/win_malware_trickbot_recon_activity.yml
rename to rules/alert-rules/sigma/win_malware_trickbot_recon_activity.yml
diff --git a/rules/Sigma/win_malware_trickbot_wermgr.yml b/rules/alert-rules/sigma/win_malware_trickbot_wermgr.yml
similarity index 100%
rename from rules/Sigma/win_malware_trickbot_wermgr.yml
rename to rules/alert-rules/sigma/win_malware_trickbot_wermgr.yml
diff --git a/rules/Sigma/win_malware_wannacry.yml b/rules/alert-rules/sigma/win_malware_wannacry.yml
similarity index 100%
rename from rules/Sigma/win_malware_wannacry.yml
rename to rules/alert-rules/sigma/win_malware_wannacry.yml
diff --git a/rules/Sigma/win_manage_bde_lolbas.yml b/rules/alert-rules/sigma/win_manage_bde_lolbas.yml
similarity index 100%
rename from rules/Sigma/win_manage_bde_lolbas.yml
rename to rules/alert-rules/sigma/win_manage_bde_lolbas.yml
diff --git a/rules/Sigma/win_mavinject_proc_inj.yml b/rules/alert-rules/sigma/win_mavinject_proc_inj.yml
similarity index 100%
rename from rules/Sigma/win_mavinject_proc_inj.yml
rename to rules/alert-rules/sigma/win_mavinject_proc_inj.yml
diff --git a/rules/Sigma/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/alert-rules/sigma/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
similarity index 100%
rename from rules/Sigma/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
rename to rules/alert-rules/sigma/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
diff --git a/rules/Sigma/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/rules/alert-rules/sigma/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
similarity index 100%
rename from rules/Sigma/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
rename to rules/alert-rules/sigma/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
diff --git a/rules/Sigma/win_mimikatz_command_line.yml b/rules/alert-rules/sigma/win_mimikatz_command_line.yml
similarity index 100%
rename from rules/Sigma/win_mimikatz_command_line.yml
rename to rules/alert-rules/sigma/win_mimikatz_command_line.yml
diff --git a/rules/Sigma/win_mmc20_lateral_movement.yml b/rules/alert-rules/sigma/win_mmc20_lateral_movement.yml
similarity index 100%
rename from rules/Sigma/win_mmc20_lateral_movement.yml
rename to rules/alert-rules/sigma/win_mmc20_lateral_movement.yml
diff --git a/rules/Sigma/win_mmc_spawn_shell.yml b/rules/alert-rules/sigma/win_mmc_spawn_shell.yml
similarity index 100%
rename from rules/Sigma/win_mmc_spawn_shell.yml
rename to rules/alert-rules/sigma/win_mmc_spawn_shell.yml
diff --git a/rules/Sigma/win_modif_of_services_for_via_commandline.yml b/rules/alert-rules/sigma/win_modif_of_services_for_via_commandline.yml
similarity index 100%
rename from rules/Sigma/win_modif_of_services_for_via_commandline.yml
rename to rules/alert-rules/sigma/win_modif_of_services_for_via_commandline.yml
diff --git a/rules/Sigma/win_monitoring_for_persistence_via_bits.yml b/rules/alert-rules/sigma/win_monitoring_for_persistence_via_bits.yml
similarity index 100%
rename from rules/Sigma/win_monitoring_for_persistence_via_bits.yml
rename to rules/alert-rules/sigma/win_monitoring_for_persistence_via_bits.yml
diff --git a/rules/Sigma/win_moriya_rootkit.yml b/rules/alert-rules/sigma/win_moriya_rootkit.yml
similarity index 100%
rename from rules/Sigma/win_moriya_rootkit.yml
rename to rules/alert-rules/sigma/win_moriya_rootkit.yml
diff --git a/rules/Sigma/win_mouse_lock.yml b/rules/alert-rules/sigma/win_mouse_lock.yml
similarity index 100%
rename from rules/Sigma/win_mouse_lock.yml
rename to rules/alert-rules/sigma/win_mouse_lock.yml
diff --git a/rules/Sigma/win_mshta_javascript.yml b/rules/alert-rules/sigma/win_mshta_javascript.yml
similarity index 100%
rename from rules/Sigma/win_mshta_javascript.yml
rename to rules/alert-rules/sigma/win_mshta_javascript.yml
diff --git a/rules/Sigma/win_mshta_spawn_shell.yml b/rules/alert-rules/sigma/win_mshta_spawn_shell.yml
similarity index 100%
rename from rules/Sigma/win_mshta_spawn_shell.yml
rename to rules/alert-rules/sigma/win_mshta_spawn_shell.yml
diff --git a/rules/Sigma/win_net_crypto_mining.yml b/rules/alert-rules/sigma/win_net_crypto_mining.yml
similarity index 100%
rename from rules/Sigma/win_net_crypto_mining.yml
rename to rules/alert-rules/sigma/win_net_crypto_mining.yml
diff --git a/rules/Sigma/win_net_enum.yml b/rules/alert-rules/sigma/win_net_enum.yml
similarity index 100%
rename from rules/Sigma/win_net_enum.yml
rename to rules/alert-rules/sigma/win_net_enum.yml
diff --git a/rules/Sigma/win_net_ntlm_downgrade.yml b/rules/alert-rules/sigma/win_net_ntlm_downgrade.yml
similarity index 100%
rename from rules/Sigma/win_net_ntlm_downgrade.yml
rename to rules/alert-rules/sigma/win_net_ntlm_downgrade.yml
diff --git a/rules/Sigma/win_net_use_admin_share.yml b/rules/alert-rules/sigma/win_net_use_admin_share.yml
similarity index 100%
rename from rules/Sigma/win_net_use_admin_share.yml
rename to rules/alert-rules/sigma/win_net_use_admin_share.yml
diff --git a/rules/Sigma/win_net_user_add.yml b/rules/alert-rules/sigma/win_net_user_add.yml
similarity index 100%
rename from rules/Sigma/win_net_user_add.yml
rename to rules/alert-rules/sigma/win_net_user_add.yml
diff --git a/rules/Sigma/win_netsh_allow_port_rdp.yml b/rules/alert-rules/sigma/win_netsh_allow_port_rdp.yml
similarity index 100%
rename from rules/Sigma/win_netsh_allow_port_rdp.yml
rename to rules/alert-rules/sigma/win_netsh_allow_port_rdp.yml
diff --git a/rules/Sigma/win_netsh_fw_add.yml b/rules/alert-rules/sigma/win_netsh_fw_add.yml
similarity index 100%
rename from rules/Sigma/win_netsh_fw_add.yml
rename to rules/alert-rules/sigma/win_netsh_fw_add.yml
diff --git a/rules/Sigma/win_netsh_fw_add_susp_image.yml b/rules/alert-rules/sigma/win_netsh_fw_add_susp_image.yml
similarity index 100%
rename from rules/Sigma/win_netsh_fw_add_susp_image.yml
rename to rules/alert-rules/sigma/win_netsh_fw_add_susp_image.yml
diff --git a/rules/Sigma/win_netsh_packet_capture.yml b/rules/alert-rules/sigma/win_netsh_packet_capture.yml
similarity index 100%
rename from rules/Sigma/win_netsh_packet_capture.yml
rename to rules/alert-rules/sigma/win_netsh_packet_capture.yml
diff --git a/rules/Sigma/win_netsh_port_fwd.yml b/rules/alert-rules/sigma/win_netsh_port_fwd.yml
similarity index 100%
rename from rules/Sigma/win_netsh_port_fwd.yml
rename to rules/alert-rules/sigma/win_netsh_port_fwd.yml
diff --git a/rules/Sigma/win_netsh_port_fwd_3389.yml b/rules/alert-rules/sigma/win_netsh_port_fwd_3389.yml
similarity index 100%
rename from rules/Sigma/win_netsh_port_fwd_3389.yml
rename to rules/alert-rules/sigma/win_netsh_port_fwd_3389.yml
diff --git a/rules/Sigma/win_netsh_wifi_credential_harvesting.yml b/rules/alert-rules/sigma/win_netsh_wifi_credential_harvesting.yml
similarity index 100%
rename from rules/Sigma/win_netsh_wifi_credential_harvesting.yml
rename to rules/alert-rules/sigma/win_netsh_wifi_credential_harvesting.yml
diff --git a/rules/Sigma/win_network_sniffing.yml b/rules/alert-rules/sigma/win_network_sniffing.yml
similarity index 100%
rename from rules/Sigma/win_network_sniffing.yml
rename to rules/alert-rules/sigma/win_network_sniffing.yml
diff --git a/rules/Sigma/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/alert-rules/sigma/win_new_or_renamed_user_account_with_dollar_sign.yml
similarity index 100%
rename from rules/Sigma/win_new_or_renamed_user_account_with_dollar_sign.yml
rename to rules/alert-rules/sigma/win_new_or_renamed_user_account_with_dollar_sign.yml
diff --git a/rules/Sigma/win_new_service_creation.yml b/rules/alert-rules/sigma/win_new_service_creation.yml
similarity index 100%
rename from rules/Sigma/win_new_service_creation.yml
rename to rules/alert-rules/sigma/win_new_service_creation.yml
diff --git a/rules/Sigma/win_nltest_recon.yml b/rules/alert-rules/sigma/win_nltest_recon.yml
similarity index 100%
rename from rules/Sigma/win_nltest_recon.yml
rename to rules/alert-rules/sigma/win_nltest_recon.yml
diff --git a/rules/Sigma/win_non_interactive_powershell.yml b/rules/alert-rules/sigma/win_non_interactive_powershell.yml
similarity index 100%
rename from rules/Sigma/win_non_interactive_powershell.yml
rename to rules/alert-rules/sigma/win_non_interactive_powershell.yml
diff --git a/rules/Sigma/win_non_priv_reg_or_ps.yml b/rules/alert-rules/sigma/win_non_priv_reg_or_ps.yml
similarity index 100%
rename from rules/Sigma/win_non_priv_reg_or_ps.yml
rename to rules/alert-rules/sigma/win_non_priv_reg_or_ps.yml
diff --git a/rules/Sigma/win_not_allowed_rdp_access.yml b/rules/alert-rules/sigma/win_not_allowed_rdp_access.yml
similarity index 100%
rename from rules/Sigma/win_not_allowed_rdp_access.yml
rename to rules/alert-rules/sigma/win_not_allowed_rdp_access.yml
diff --git a/rules/Sigma/win_ntfs_vuln_exploit.yml b/rules/alert-rules/sigma/win_ntfs_vuln_exploit.yml
similarity index 100%
rename from rules/Sigma/win_ntfs_vuln_exploit.yml
rename to rules/alert-rules/sigma/win_ntfs_vuln_exploit.yml
diff --git a/rules/Sigma/win_office_shell.yml b/rules/alert-rules/sigma/win_office_shell.yml
similarity index 100%
rename from rules/Sigma/win_office_shell.yml
rename to rules/alert-rules/sigma/win_office_shell.yml
diff --git a/rules/Sigma/win_office_spawn_exe_from_users_directory.yml b/rules/alert-rules/sigma/win_office_spawn_exe_from_users_directory.yml
similarity index 100%
rename from rules/Sigma/win_office_spawn_exe_from_users_directory.yml
rename to rules/alert-rules/sigma/win_office_spawn_exe_from_users_directory.yml
diff --git a/rules/Sigma/win_outlook_c2_macro_creation.yml b/rules/alert-rules/sigma/win_outlook_c2_macro_creation.yml
similarity index 100%
rename from rules/Sigma/win_outlook_c2_macro_creation.yml
rename to rules/alert-rules/sigma/win_outlook_c2_macro_creation.yml
diff --git a/rules/Sigma/win_outlook_c2_registry_key.yml b/rules/alert-rules/sigma/win_outlook_c2_registry_key.yml
similarity index 100%
rename from rules/Sigma/win_outlook_c2_registry_key.yml
rename to rules/alert-rules/sigma/win_outlook_c2_registry_key.yml
diff --git a/rules/Sigma/win_outlook_registry_todaypage.yml b/rules/alert-rules/sigma/win_outlook_registry_todaypage.yml
similarity index 100%
rename from rules/Sigma/win_outlook_registry_todaypage.yml
rename to rules/alert-rules/sigma/win_outlook_registry_todaypage.yml
diff --git a/rules/Sigma/win_outlook_registry_webview.yml b/rules/alert-rules/sigma/win_outlook_registry_webview.yml
similarity index 100%
rename from rules/Sigma/win_outlook_registry_webview.yml
rename to rules/alert-rules/sigma/win_outlook_registry_webview.yml
diff --git a/rules/Sigma/win_overpass_the_hash.yml b/rules/alert-rules/sigma/win_overpass_the_hash.yml
similarity index 100%
rename from rules/Sigma/win_overpass_the_hash.yml
rename to rules/alert-rules/sigma/win_overpass_the_hash.yml
diff --git a/rules/Sigma/win_pass_the_hash.yml b/rules/alert-rules/sigma/win_pass_the_hash.yml
similarity index 100%
rename from rules/Sigma/win_pass_the_hash.yml
rename to rules/alert-rules/sigma/win_pass_the_hash.yml
diff --git a/rules/Sigma/win_pass_the_hash_2.yml b/rules/alert-rules/sigma/win_pass_the_hash_2.yml
similarity index 100%
rename from rules/Sigma/win_pass_the_hash_2.yml
rename to rules/alert-rules/sigma/win_pass_the_hash_2.yml
diff --git a/rules/Sigma/win_pc_set_policies_to_unsecure_level.yml b/rules/alert-rules/sigma/win_pc_set_policies_to_unsecure_level.yml
similarity index 100%
rename from rules/Sigma/win_pc_set_policies_to_unsecure_level.yml
rename to rules/alert-rules/sigma/win_pc_set_policies_to_unsecure_level.yml
diff --git a/rules/Sigma/win_pc_susp_cmdl32_lolbas.yml b/rules/alert-rules/sigma/win_pc_susp_cmdl32_lolbas.yml
similarity index 100%
rename from rules/Sigma/win_pc_susp_cmdl32_lolbas.yml
rename to rules/alert-rules/sigma/win_pc_susp_cmdl32_lolbas.yml
diff --git a/rules/Sigma/win_pc_susp_schtasks_user_temp.yml b/rules/alert-rules/sigma/win_pc_susp_schtasks_user_temp.yml
similarity index 100%
rename from rules/Sigma/win_pc_susp_schtasks_user_temp.yml
rename to rules/alert-rules/sigma/win_pc_susp_schtasks_user_temp.yml
diff --git a/rules/Sigma/win_pc_susp_zipexec.yml b/rules/alert-rules/sigma/win_pc_susp_zipexec.yml
similarity index 100%
rename from rules/Sigma/win_pc_susp_zipexec.yml
rename to rules/alert-rules/sigma/win_pc_susp_zipexec.yml
diff --git a/rules/Sigma/win_pcap_drivers.yml b/rules/alert-rules/sigma/win_pcap_drivers.yml
similarity index 100%
rename from rules/Sigma/win_pcap_drivers.yml
rename to rules/alert-rules/sigma/win_pcap_drivers.yml
diff --git a/rules/Sigma/win_petitpotam_network_share.yml b/rules/alert-rules/sigma/win_petitpotam_network_share.yml
similarity index 100%
rename from rules/Sigma/win_petitpotam_network_share.yml
rename to rules/alert-rules/sigma/win_petitpotam_network_share.yml
diff --git a/rules/Sigma/win_petitpotam_susp_tgt_request.yml b/rules/alert-rules/sigma/win_petitpotam_susp_tgt_request.yml
similarity index 100%
rename from rules/Sigma/win_petitpotam_susp_tgt_request.yml
rename to rules/alert-rules/sigma/win_petitpotam_susp_tgt_request.yml
diff --git a/rules/Sigma/win_plugx_susp_exe_locations.yml b/rules/alert-rules/sigma/win_plugx_susp_exe_locations.yml
similarity index 100%
rename from rules/Sigma/win_plugx_susp_exe_locations.yml
rename to rules/alert-rules/sigma/win_plugx_susp_exe_locations.yml
diff --git a/rules/Sigma/win_portproxy_registry_key.yml b/rules/alert-rules/sigma/win_portproxy_registry_key.yml
similarity index 100%
rename from rules/Sigma/win_portproxy_registry_key.yml
rename to rules/alert-rules/sigma/win_portproxy_registry_key.yml
diff --git a/rules/Sigma/win_possible_applocker_bypass.yml b/rules/alert-rules/sigma/win_possible_applocker_bypass.yml
similarity index 100%
rename from rules/Sigma/win_possible_applocker_bypass.yml
rename to rules/alert-rules/sigma/win_possible_applocker_bypass.yml
diff --git a/rules/Sigma/win_possible_dc_shadow.yml b/rules/alert-rules/sigma/win_possible_dc_shadow.yml
similarity index 100%
rename from rules/Sigma/win_possible_dc_shadow.yml
rename to rules/alert-rules/sigma/win_possible_dc_shadow.yml
diff --git a/rules/Sigma/win_possible_privilege_escalation_via_service_registry_permissions.yml b/rules/alert-rules/sigma/win_possible_privilege_escalation_via_service_registry_permissions.yml
similarity index 100%
rename from rules/Sigma/win_possible_privilege_escalation_via_service_registry_permissions.yml
rename to rules/alert-rules/sigma/win_possible_privilege_escalation_via_service_registry_permissions.yml
diff --git a/rules/Sigma/win_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/alert-rules/sigma/win_possible_zerologon_exploitation_using_wellknown_tools.yml
similarity index 100%
rename from rules/Sigma/win_possible_zerologon_exploitation_using_wellknown_tools.yml
rename to rules/alert-rules/sigma/win_possible_zerologon_exploitation_using_wellknown_tools.yml
diff --git a/rules/Sigma/win_powershell_amsi_bypass.yml b/rules/alert-rules/sigma/win_powershell_amsi_bypass.yml
similarity index 100%
rename from rules/Sigma/win_powershell_amsi_bypass.yml
rename to rules/alert-rules/sigma/win_powershell_amsi_bypass.yml
diff --git a/rules/Sigma/win_powershell_audio_capture.yml b/rules/alert-rules/sigma/win_powershell_audio_capture.yml
similarity index 100%
rename from rules/Sigma/win_powershell_audio_capture.yml
rename to rules/alert-rules/sigma/win_powershell_audio_capture.yml
diff --git a/rules/Sigma/win_powershell_b64_shellcode.yml b/rules/alert-rules/sigma/win_powershell_b64_shellcode.yml
similarity index 100%
rename from rules/Sigma/win_powershell_b64_shellcode.yml
rename to rules/alert-rules/sigma/win_powershell_b64_shellcode.yml
diff --git a/rules/Sigma/win_powershell_bitsjob.yml b/rules/alert-rules/sigma/win_powershell_bitsjob.yml
similarity index 100%
rename from rules/Sigma/win_powershell_bitsjob.yml
rename to rules/alert-rules/sigma/win_powershell_bitsjob.yml
diff --git a/rules/Sigma/win_powershell_cmdline_reversed_strings.yml b/rules/alert-rules/sigma/win_powershell_cmdline_reversed_strings.yml
similarity index 100%
rename from rules/Sigma/win_powershell_cmdline_reversed_strings.yml
rename to rules/alert-rules/sigma/win_powershell_cmdline_reversed_strings.yml
diff --git a/rules/Sigma/win_powershell_cmdline_special_characters.yml b/rules/alert-rules/sigma/win_powershell_cmdline_special_characters.yml
similarity index 100%
rename from rules/Sigma/win_powershell_cmdline_special_characters.yml
rename to rules/alert-rules/sigma/win_powershell_cmdline_special_characters.yml
diff --git a/rules/Sigma/win_powershell_cmdline_specific_comb_methods.yml b/rules/alert-rules/sigma/win_powershell_cmdline_specific_comb_methods.yml
similarity index 100%
rename from rules/Sigma/win_powershell_cmdline_specific_comb_methods.yml
rename to rules/alert-rules/sigma/win_powershell_cmdline_specific_comb_methods.yml
diff --git a/rules/Sigma/win_powershell_defender_exclusion.yml b/rules/alert-rules/sigma/win_powershell_defender_exclusion.yml
similarity index 100%
rename from rules/Sigma/win_powershell_defender_exclusion.yml
rename to rules/alert-rules/sigma/win_powershell_defender_exclusion.yml
diff --git a/rules/Sigma/win_powershell_disable_windef_av.yml b/rules/alert-rules/sigma/win_powershell_disable_windef_av.yml
similarity index 100%
rename from rules/Sigma/win_powershell_disable_windef_av.yml
rename to rules/alert-rules/sigma/win_powershell_disable_windef_av.yml
diff --git a/rules/Sigma/win_powershell_dll_execution.yml b/rules/alert-rules/sigma/win_powershell_dll_execution.yml
similarity index 100%
rename from rules/Sigma/win_powershell_dll_execution.yml
rename to rules/alert-rules/sigma/win_powershell_dll_execution.yml
diff --git a/rules/Sigma/win_powershell_downgrade_attack.yml b/rules/alert-rules/sigma/win_powershell_downgrade_attack.yml
similarity index 100%
rename from rules/Sigma/win_powershell_downgrade_attack.yml
rename to rules/alert-rules/sigma/win_powershell_downgrade_attack.yml
diff --git a/rules/Sigma/win_powershell_download.yml b/rules/alert-rules/sigma/win_powershell_download.yml
similarity index 100%
rename from rules/Sigma/win_powershell_download.yml
rename to rules/alert-rules/sigma/win_powershell_download.yml
diff --git a/rules/Sigma/win_powershell_frombase64string.yml b/rules/alert-rules/sigma/win_powershell_frombase64string.yml
similarity index 100%
rename from rules/Sigma/win_powershell_frombase64string.yml
rename to rules/alert-rules/sigma/win_powershell_frombase64string.yml
diff --git a/rules/Sigma/win_powershell_reverse_shell_connection.yml b/rules/alert-rules/sigma/win_powershell_reverse_shell_connection.yml
similarity index 100%
rename from rules/Sigma/win_powershell_reverse_shell_connection.yml
rename to rules/alert-rules/sigma/win_powershell_reverse_shell_connection.yml
diff --git a/rules/Sigma/win_powershell_suspicious_parameter_variation.yml b/rules/alert-rules/sigma/win_powershell_suspicious_parameter_variation.yml
similarity index 100%
rename from rules/Sigma/win_powershell_suspicious_parameter_variation.yml
rename to rules/alert-rules/sigma/win_powershell_suspicious_parameter_variation.yml
diff --git a/rules/Sigma/win_powershell_xor_commandline.yml b/rules/alert-rules/sigma/win_powershell_xor_commandline.yml
similarity index 100%
rename from rules/Sigma/win_powershell_xor_commandline.yml
rename to rules/alert-rules/sigma/win_powershell_xor_commandline.yml
diff --git a/rules/Sigma/win_powersploit_empire_schtasks.yml b/rules/alert-rules/sigma/win_powersploit_empire_schtasks.yml
similarity index 100%
rename from rules/Sigma/win_powersploit_empire_schtasks.yml
rename to rules/alert-rules/sigma/win_powersploit_empire_schtasks.yml
diff --git a/rules/Sigma/win_privesc_cve_2020_1472.yml b/rules/alert-rules/sigma/win_privesc_cve_2020_1472.yml
similarity index 100%
rename from rules/Sigma/win_privesc_cve_2020_1472.yml
rename to rules/alert-rules/sigma/win_privesc_cve_2020_1472.yml
diff --git a/rules/Sigma/win_proc_wrong_parent.yml b/rules/alert-rules/sigma/win_proc_wrong_parent.yml
similarity index 100%
rename from rules/Sigma/win_proc_wrong_parent.yml
rename to rules/alert-rules/sigma/win_proc_wrong_parent.yml
diff --git a/rules/Sigma/win_procdump.yml b/rules/alert-rules/sigma/win_procdump.yml
similarity index 100%
rename from rules/Sigma/win_procdump.yml
rename to rules/alert-rules/sigma/win_procdump.yml
diff --git a/rules/Sigma/win_process_creation_bitsadmin_download.yml b/rules/alert-rules/sigma/win_process_creation_bitsadmin_download.yml
similarity index 100%
rename from rules/Sigma/win_process_creation_bitsadmin_download.yml
rename to rules/alert-rules/sigma/win_process_creation_bitsadmin_download.yml
diff --git a/rules/Sigma/win_process_dump_rdrleakdiag.yml b/rules/alert-rules/sigma/win_process_dump_rdrleakdiag.yml
similarity index 100%
rename from rules/Sigma/win_process_dump_rdrleakdiag.yml
rename to rules/alert-rules/sigma/win_process_dump_rdrleakdiag.yml
diff --git a/rules/Sigma/win_process_dump_rundll32_comsvcs.yml b/rules/alert-rules/sigma/win_process_dump_rundll32_comsvcs.yml
similarity index 100%
rename from rules/Sigma/win_process_dump_rundll32_comsvcs.yml
rename to rules/alert-rules/sigma/win_process_dump_rundll32_comsvcs.yml
diff --git a/rules/Sigma/win_protected_storage_service_access.yml b/rules/alert-rules/sigma/win_protected_storage_service_access.yml
similarity index 100%
rename from rules/Sigma/win_protected_storage_service_access.yml
rename to rules/alert-rules/sigma/win_protected_storage_service_access.yml
diff --git a/rules/Sigma/win_psexesvc_start.yml b/rules/alert-rules/sigma/win_psexesvc_start.yml
similarity index 100%
rename from rules/Sigma/win_psexesvc_start.yml
rename to rules/alert-rules/sigma/win_psexesvc_start.yml
diff --git a/rules/Sigma/win_purplesharp_indicators.yml b/rules/alert-rules/sigma/win_purplesharp_indicators.yml
similarity index 100%
rename from rules/Sigma/win_purplesharp_indicators.yml
rename to rules/alert-rules/sigma/win_purplesharp_indicators.yml
diff --git a/rules/Sigma/win_quarkspwdump_clearing_hive_access_history.yml b/rules/alert-rules/sigma/win_quarkspwdump_clearing_hive_access_history.yml
similarity index 100%
rename from rules/Sigma/win_quarkspwdump_clearing_hive_access_history.yml
rename to rules/alert-rules/sigma/win_quarkspwdump_clearing_hive_access_history.yml
diff --git a/rules/Sigma/win_query_registry.yml b/rules/alert-rules/sigma/win_query_registry.yml
similarity index 100%
rename from rules/Sigma/win_query_registry.yml
rename to rules/alert-rules/sigma/win_query_registry.yml
diff --git a/rules/Sigma/win_rare_schtask_creation.yml b/rules/alert-rules/sigma/win_rare_schtask_creation.yml
similarity index 100%
rename from rules/Sigma/win_rare_schtask_creation.yml
rename to rules/alert-rules/sigma/win_rare_schtask_creation.yml
diff --git a/rules/Sigma/win_rasautou_dll_execution.yml b/rules/alert-rules/sigma/win_rasautou_dll_execution.yml
similarity index 100%
rename from rules/Sigma/win_rasautou_dll_execution.yml
rename to rules/alert-rules/sigma/win_rasautou_dll_execution.yml
diff --git a/rules/Sigma/win_rclone_exec_file.yml b/rules/alert-rules/sigma/win_rclone_exec_file.yml
similarity index 100%
rename from rules/Sigma/win_rclone_exec_file.yml
rename to rules/alert-rules/sigma/win_rclone_exec_file.yml
diff --git a/rules/Sigma/win_rdp_bluekeep_poc_scanner.yml b/rules/alert-rules/sigma/win_rdp_bluekeep_poc_scanner.yml
similarity index 100%
rename from rules/Sigma/win_rdp_bluekeep_poc_scanner.yml
rename to rules/alert-rules/sigma/win_rdp_bluekeep_poc_scanner.yml
diff --git a/rules/Sigma/win_rdp_hijack_shadowing.yml b/rules/alert-rules/sigma/win_rdp_hijack_shadowing.yml
similarity index 100%
rename from rules/Sigma/win_rdp_hijack_shadowing.yml
rename to rules/alert-rules/sigma/win_rdp_hijack_shadowing.yml
diff --git a/rules/Sigma/win_rdp_localhost_login.yml b/rules/alert-rules/sigma/win_rdp_localhost_login.yml
similarity index 100%
rename from rules/Sigma/win_rdp_localhost_login.yml
rename to rules/alert-rules/sigma/win_rdp_localhost_login.yml
diff --git a/rules/Sigma/win_rdp_potential_cve_2019_0708.yml b/rules/alert-rules/sigma/win_rdp_potential_cve_2019_0708.yml
similarity index 100%
rename from rules/Sigma/win_rdp_potential_cve_2019_0708.yml
rename to rules/alert-rules/sigma/win_rdp_potential_cve_2019_0708.yml
diff --git a/rules/Sigma/win_rdp_reverse_tunnel.yml b/rules/alert-rules/sigma/win_rdp_reverse_tunnel.yml
similarity index 100%
rename from rules/Sigma/win_rdp_reverse_tunnel.yml
rename to rules/alert-rules/sigma/win_rdp_reverse_tunnel.yml
diff --git a/rules/Sigma/win_redmimicry_winnti_proc.yml b/rules/alert-rules/sigma/win_redmimicry_winnti_proc.yml
similarity index 100%
rename from rules/Sigma/win_redmimicry_winnti_proc.yml
rename to rules/alert-rules/sigma/win_redmimicry_winnti_proc.yml
diff --git a/rules/Sigma/win_reg_add_run_key.yml b/rules/alert-rules/sigma/win_reg_add_run_key.yml
similarity index 100%
rename from rules/Sigma/win_reg_add_run_key.yml
rename to rules/alert-rules/sigma/win_reg_add_run_key.yml
diff --git a/rules/Sigma/win_regedit_export_critical_keys.yml b/rules/alert-rules/sigma/win_regedit_export_critical_keys.yml
similarity index 100%
rename from rules/Sigma/win_regedit_export_critical_keys.yml
rename to rules/alert-rules/sigma/win_regedit_export_critical_keys.yml
diff --git a/rules/Sigma/win_regedit_export_keys.yml b/rules/alert-rules/sigma/win_regedit_export_keys.yml
similarity index 100%
rename from rules/Sigma/win_regedit_export_keys.yml
rename to rules/alert-rules/sigma/win_regedit_export_keys.yml
diff --git a/rules/Sigma/win_regedit_import_keys.yml b/rules/alert-rules/sigma/win_regedit_import_keys.yml
similarity index 100%
rename from rules/Sigma/win_regedit_import_keys.yml
rename to rules/alert-rules/sigma/win_regedit_import_keys.yml
diff --git a/rules/Sigma/win_regedit_import_keys_ads.yml b/rules/alert-rules/sigma/win_regedit_import_keys_ads.yml
similarity index 100%
rename from rules/Sigma/win_regedit_import_keys_ads.yml
rename to rules/alert-rules/sigma/win_regedit_import_keys_ads.yml
diff --git a/rules/Sigma/win_regini.yml b/rules/alert-rules/sigma/win_regini.yml
similarity index 100%
rename from rules/Sigma/win_regini.yml
rename to rules/alert-rules/sigma/win_regini.yml
diff --git a/rules/Sigma/win_regini_ads.yml b/rules/alert-rules/sigma/win_regini_ads.yml
similarity index 100%
rename from rules/Sigma/win_regini_ads.yml
rename to rules/alert-rules/sigma/win_regini_ads.yml
diff --git a/rules/Sigma/win_register_new_logon_process_by_rubeus.yml b/rules/alert-rules/sigma/win_register_new_logon_process_by_rubeus.yml
similarity index 100%
rename from rules/Sigma/win_register_new_logon_process_by_rubeus.yml
rename to rules/alert-rules/sigma/win_register_new_logon_process_by_rubeus.yml
diff --git a/rules/Sigma/win_registry_mimikatz_printernightmare.yml b/rules/alert-rules/sigma/win_registry_mimikatz_printernightmare.yml
similarity index 100%
rename from rules/Sigma/win_registry_mimikatz_printernightmare.yml
rename to rules/alert-rules/sigma/win_registry_mimikatz_printernightmare.yml
diff --git a/rules/Sigma/win_remote_powershell_session.yml b/rules/alert-rules/sigma/win_remote_powershell_session.yml
similarity index 100%
rename from rules/Sigma/win_remote_powershell_session.yml
rename to rules/alert-rules/sigma/win_remote_powershell_session.yml
diff --git a/rules/Sigma/win_remote_powershell_session_process.yml b/rules/alert-rules/sigma/win_remote_powershell_session_process.yml
similarity index 100%
rename from rules/Sigma/win_remote_powershell_session_process.yml
rename to rules/alert-rules/sigma/win_remote_powershell_session_process.yml
diff --git a/rules/Sigma/win_remote_registry_management_using_reg_utility.yml b/rules/alert-rules/sigma/win_remote_registry_management_using_reg_utility.yml
similarity index 100%
rename from rules/Sigma/win_remote_registry_management_using_reg_utility.yml
rename to rules/alert-rules/sigma/win_remote_registry_management_using_reg_utility.yml
diff --git a/rules/Sigma/win_remote_time_discovery.yml b/rules/alert-rules/sigma/win_remote_time_discovery.yml
similarity index 100%
rename from rules/Sigma/win_remote_time_discovery.yml
rename to rules/alert-rules/sigma/win_remote_time_discovery.yml
diff --git a/rules/Sigma/win_renamed_binary.yml b/rules/alert-rules/sigma/win_renamed_binary.yml
similarity index 100%
rename from rules/Sigma/win_renamed_binary.yml
rename to rules/alert-rules/sigma/win_renamed_binary.yml
diff --git a/rules/Sigma/win_renamed_binary_highly_relevant.yml b/rules/alert-rules/sigma/win_renamed_binary_highly_relevant.yml
similarity index 100%
rename from rules/Sigma/win_renamed_binary_highly_relevant.yml
rename to rules/alert-rules/sigma/win_renamed_binary_highly_relevant.yml
diff --git a/rules/Sigma/win_renamed_jusched.yml b/rules/alert-rules/sigma/win_renamed_jusched.yml
similarity index 100%
rename from rules/Sigma/win_renamed_jusched.yml
rename to rules/alert-rules/sigma/win_renamed_jusched.yml
diff --git a/rules/Sigma/win_renamed_megasync.yml b/rules/alert-rules/sigma/win_renamed_megasync.yml
similarity index 100%
rename from rules/Sigma/win_renamed_megasync.yml
rename to rules/alert-rules/sigma/win_renamed_megasync.yml
diff --git a/rules/Sigma/win_renamed_paexec.yml b/rules/alert-rules/sigma/win_renamed_paexec.yml
similarity index 100%
rename from rules/Sigma/win_renamed_paexec.yml
rename to rules/alert-rules/sigma/win_renamed_paexec.yml
diff --git a/rules/Sigma/win_renamed_powershell.yml b/rules/alert-rules/sigma/win_renamed_powershell.yml
similarity index 100%
rename from rules/Sigma/win_renamed_powershell.yml
rename to rules/alert-rules/sigma/win_renamed_powershell.yml
diff --git a/rules/Sigma/win_renamed_procdump.yml b/rules/alert-rules/sigma/win_renamed_procdump.yml
similarity index 100%
rename from rules/Sigma/win_renamed_procdump.yml
rename to rules/alert-rules/sigma/win_renamed_procdump.yml
diff --git a/rules/Sigma/win_renamed_psexec.yml b/rules/alert-rules/sigma/win_renamed_psexec.yml
similarity index 100%
rename from rules/Sigma/win_renamed_psexec.yml
rename to rules/alert-rules/sigma/win_renamed_psexec.yml
diff --git a/rules/Sigma/win_renamed_whoami.yml b/rules/alert-rules/sigma/win_renamed_whoami.yml
similarity index 100%
rename from rules/Sigma/win_renamed_whoami.yml
rename to rules/alert-rules/sigma/win_renamed_whoami.yml
diff --git a/rules/Sigma/win_root_certificate_installed.yml b/rules/alert-rules/sigma/win_root_certificate_installed.yml
similarity index 100%
rename from rules/Sigma/win_root_certificate_installed.yml
rename to rules/alert-rules/sigma/win_root_certificate_installed.yml
diff --git a/rules/Sigma/win_run_powershell_script_from_ads.yml b/rules/alert-rules/sigma/win_run_powershell_script_from_ads.yml
similarity index 100%
rename from rules/Sigma/win_run_powershell_script_from_ads.yml
rename to rules/alert-rules/sigma/win_run_powershell_script_from_ads.yml
diff --git a/rules/Sigma/win_run_powershell_script_from_input_stream.yml b/rules/alert-rules/sigma/win_run_powershell_script_from_input_stream.yml
similarity index 100%
rename from rules/Sigma/win_run_powershell_script_from_input_stream.yml
rename to rules/alert-rules/sigma/win_run_powershell_script_from_input_stream.yml
diff --git a/rules/Sigma/win_run_virtualbox.yml b/rules/alert-rules/sigma/win_run_virtualbox.yml
similarity index 100%
rename from rules/Sigma/win_run_virtualbox.yml
rename to rules/alert-rules/sigma/win_run_virtualbox.yml
diff --git a/rules/Sigma/win_rundll32_without_parameters.yml b/rules/alert-rules/sigma/win_rundll32_without_parameters.yml
similarity index 100%
rename from rules/Sigma/win_rundll32_without_parameters.yml
rename to rules/alert-rules/sigma/win_rundll32_without_parameters.yml
diff --git a/rules/Sigma/win_sam_registry_hive_handle_request.yml b/rules/alert-rules/sigma/win_sam_registry_hive_handle_request.yml
similarity index 100%
rename from rules/Sigma/win_sam_registry_hive_handle_request.yml
rename to rules/alert-rules/sigma/win_sam_registry_hive_handle_request.yml
diff --git a/rules/Sigma/win_scheduled_task_deletion.yml b/rules/alert-rules/sigma/win_scheduled_task_deletion.yml
similarity index 100%
rename from rules/Sigma/win_scheduled_task_deletion.yml
rename to rules/alert-rules/sigma/win_scheduled_task_deletion.yml
diff --git a/rules/Sigma/win_scm_database_handle_failure.yml b/rules/alert-rules/sigma/win_scm_database_handle_failure.yml
similarity index 100%
rename from rules/Sigma/win_scm_database_handle_failure.yml
rename to rules/alert-rules/sigma/win_scm_database_handle_failure.yml
diff --git a/rules/Sigma/win_scm_database_privileged_operation.yml b/rules/alert-rules/sigma/win_scm_database_privileged_operation.yml
similarity index 100%
rename from rules/Sigma/win_scm_database_privileged_operation.yml
rename to rules/alert-rules/sigma/win_scm_database_privileged_operation.yml
diff --git a/rules/Sigma/win_scrcons_remote_wmi_scripteventconsumer.yml b/rules/alert-rules/sigma/win_scrcons_remote_wmi_scripteventconsumer.yml
similarity index 100%
rename from rules/Sigma/win_scrcons_remote_wmi_scripteventconsumer.yml
rename to rules/alert-rules/sigma/win_scrcons_remote_wmi_scripteventconsumer.yml
diff --git a/rules/Sigma/win_script_event_consumer_spawn.yml b/rules/alert-rules/sigma/win_script_event_consumer_spawn.yml
similarity index 100%
rename from rules/Sigma/win_script_event_consumer_spawn.yml
rename to rules/alert-rules/sigma/win_script_event_consumer_spawn.yml
diff --git a/rules/Sigma/win_sdbinst_shim_persistence.yml b/rules/alert-rules/sigma/win_sdbinst_shim_persistence.yml
similarity index 100%
rename from rules/Sigma/win_sdbinst_shim_persistence.yml
rename to rules/alert-rules/sigma/win_sdbinst_shim_persistence.yml
diff --git a/rules/Sigma/win_security_cobaltstrike_service_installs.yml b/rules/alert-rules/sigma/win_security_cobaltstrike_service_installs.yml
similarity index 100%
rename from rules/Sigma/win_security_cobaltstrike_service_installs.yml
rename to rules/alert-rules/sigma/win_security_cobaltstrike_service_installs.yml
diff --git a/rules/Sigma/win_security_mal_creddumper.yml b/rules/alert-rules/sigma/win_security_mal_creddumper.yml
similarity index 100%
rename from rules/Sigma/win_security_mal_creddumper.yml
rename to rules/alert-rules/sigma/win_security_mal_creddumper.yml
diff --git a/rules/Sigma/win_security_mal_service_installs.yml b/rules/alert-rules/sigma/win_security_mal_service_installs.yml
similarity index 100%
rename from rules/Sigma/win_security_mal_service_installs.yml
rename to rules/alert-rules/sigma/win_security_mal_service_installs.yml
diff --git a/rules/Sigma/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/alert-rules/sigma/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
similarity index 100%
rename from rules/Sigma/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
rename to rules/alert-rules/sigma/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
diff --git a/rules/Sigma/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/alert-rules/sigma/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
similarity index 100%
rename from rules/Sigma/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
rename to rules/alert-rules/sigma/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
diff --git a/rules/Sigma/win_security_powershell_script_installed_as_service.yml b/rules/alert-rules/sigma/win_security_powershell_script_installed_as_service.yml
similarity index 100%
rename from rules/Sigma/win_security_powershell_script_installed_as_service.yml
rename to rules/alert-rules/sigma/win_security_powershell_script_installed_as_service.yml
diff --git a/rules/Sigma/win_security_tap_driver_installation.yml b/rules/alert-rules/sigma/win_security_tap_driver_installation.yml
similarity index 100%
rename from rules/Sigma/win_security_tap_driver_installation.yml
rename to rules/alert-rules/sigma/win_security_tap_driver_installation.yml
diff --git a/rules/Sigma/win_security_wmi_persistence.yml b/rules/alert-rules/sigma/win_security_wmi_persistence.yml
similarity index 100%
rename from rules/Sigma/win_security_wmi_persistence.yml
rename to rules/alert-rules/sigma/win_security_wmi_persistence.yml
diff --git a/rules/Sigma/win_service_execution.yml b/rules/alert-rules/sigma/win_service_execution.yml
similarity index 100%
rename from rules/Sigma/win_service_execution.yml
rename to rules/alert-rules/sigma/win_service_execution.yml
diff --git a/rules/Sigma/win_service_stop.yml b/rules/alert-rules/sigma/win_service_stop.yml
similarity index 100%
rename from rules/Sigma/win_service_stop.yml
rename to rules/alert-rules/sigma/win_service_stop.yml
diff --git a/rules/Sigma/win_set_oabvirtualdirectory_externalurl.yml b/rules/alert-rules/sigma/win_set_oabvirtualdirectory_externalurl.yml
similarity index 100%
rename from rules/Sigma/win_set_oabvirtualdirectory_externalurl.yml
rename to rules/alert-rules/sigma/win_set_oabvirtualdirectory_externalurl.yml
diff --git a/rules/Sigma/win_shadow_copies_access_symlink.yml b/rules/alert-rules/sigma/win_shadow_copies_access_symlink.yml
similarity index 100%
rename from rules/Sigma/win_shadow_copies_access_symlink.yml
rename to rules/alert-rules/sigma/win_shadow_copies_access_symlink.yml
diff --git a/rules/Sigma/win_shadow_copies_creation.yml b/rules/alert-rules/sigma/win_shadow_copies_creation.yml
similarity index 100%
rename from rules/Sigma/win_shadow_copies_creation.yml
rename to rules/alert-rules/sigma/win_shadow_copies_creation.yml
diff --git a/rules/Sigma/win_shadow_copies_deletion.yml b/rules/alert-rules/sigma/win_shadow_copies_deletion.yml
similarity index 100%
rename from rules/Sigma/win_shadow_copies_deletion.yml
rename to rules/alert-rules/sigma/win_shadow_copies_deletion.yml
diff --git a/rules/Sigma/win_shell_spawn_mshta.yml b/rules/alert-rules/sigma/win_shell_spawn_mshta.yml
similarity index 100%
rename from rules/Sigma/win_shell_spawn_mshta.yml
rename to rules/alert-rules/sigma/win_shell_spawn_mshta.yml
diff --git a/rules/Sigma/win_shell_spawn_susp_program.yml b/rules/alert-rules/sigma/win_shell_spawn_susp_program.yml
similarity index 100%
rename from rules/Sigma/win_shell_spawn_susp_program.yml
rename to rules/alert-rules/sigma/win_shell_spawn_susp_program.yml
diff --git a/rules/Sigma/win_silenttrinity_stage_use.yml b/rules/alert-rules/sigma/win_silenttrinity_stage_use.yml
similarity index 100%
rename from rules/Sigma/win_silenttrinity_stage_use.yml
rename to rules/alert-rules/sigma/win_silenttrinity_stage_use.yml
diff --git a/rules/Sigma/win_smb_file_creation_admin_shares.yml b/rules/alert-rules/sigma/win_smb_file_creation_admin_shares.yml
similarity index 100%
rename from rules/Sigma/win_smb_file_creation_admin_shares.yml
rename to rules/alert-rules/sigma/win_smb_file_creation_admin_shares.yml
diff --git a/rules/Sigma/win_software_atera_rmm_agent_install.yml b/rules/alert-rules/sigma/win_software_atera_rmm_agent_install.yml
similarity index 100%
rename from rules/Sigma/win_software_atera_rmm_agent_install.yml
rename to rules/alert-rules/sigma/win_software_atera_rmm_agent_install.yml
diff --git a/rules/Sigma/win_soundrec_audio_capture.yml b/rules/alert-rules/sigma/win_soundrec_audio_capture.yml
similarity index 100%
rename from rules/Sigma/win_soundrec_audio_capture.yml
rename to rules/alert-rules/sigma/win_soundrec_audio_capture.yml
diff --git a/rules/Sigma/win_spn_enum.yml b/rules/alert-rules/sigma/win_spn_enum.yml
similarity index 100%
rename from rules/Sigma/win_spn_enum.yml
rename to rules/alert-rules/sigma/win_spn_enum.yml
diff --git a/rules/Sigma/win_sticky_keys_unauthenticated_privileged_console_access.yml b/rules/alert-rules/sigma/win_sticky_keys_unauthenticated_privileged_console_access.yml
similarity index 100%
rename from rules/Sigma/win_sticky_keys_unauthenticated_privileged_console_access.yml
rename to rules/alert-rules/sigma/win_sticky_keys_unauthenticated_privileged_console_access.yml
diff --git a/rules/Sigma/win_sus_auditpol_usage.yml b/rules/alert-rules/sigma/win_sus_auditpol_usage.yml
similarity index 100%
rename from rules/Sigma/win_sus_auditpol_usage.yml
rename to rules/alert-rules/sigma/win_sus_auditpol_usage.yml
diff --git a/rules/Sigma/win_susp_add_domain_trust.yml b/rules/alert-rules/sigma/win_susp_add_domain_trust.yml
similarity index 100%
rename from rules/Sigma/win_susp_add_domain_trust.yml
rename to rules/alert-rules/sigma/win_susp_add_domain_trust.yml
diff --git a/rules/Sigma/win_susp_add_sid_history.yml b/rules/alert-rules/sigma/win_susp_add_sid_history.yml
similarity index 100%
rename from rules/Sigma/win_susp_add_sid_history.yml
rename to rules/alert-rules/sigma/win_susp_add_sid_history.yml
diff --git a/rules/Sigma/win_susp_adfind.yml b/rules/alert-rules/sigma/win_susp_adfind.yml
similarity index 100%
rename from rules/Sigma/win_susp_adfind.yml
rename to rules/alert-rules/sigma/win_susp_adfind.yml
diff --git a/rules/Sigma/win_susp_atbroker.yml b/rules/alert-rules/sigma/win_susp_atbroker.yml
similarity index 100%
rename from rules/Sigma/win_susp_atbroker.yml
rename to rules/alert-rules/sigma/win_susp_atbroker.yml
diff --git a/rules/Sigma/win_susp_backup_delete.yml b/rules/alert-rules/sigma/win_susp_backup_delete.yml
similarity index 100%
rename from rules/Sigma/win_susp_backup_delete.yml
rename to rules/alert-rules/sigma/win_susp_backup_delete.yml
diff --git a/rules/Sigma/win_susp_bcdedit.yml b/rules/alert-rules/sigma/win_susp_bcdedit.yml
similarity index 100%
rename from rules/Sigma/win_susp_bcdedit.yml
rename to rules/alert-rules/sigma/win_susp_bcdedit.yml
diff --git a/rules/Sigma/win_susp_bginfo.yml b/rules/alert-rules/sigma/win_susp_bginfo.yml
similarity index 100%
rename from rules/Sigma/win_susp_bginfo.yml
rename to rules/alert-rules/sigma/win_susp_bginfo.yml
diff --git a/rules/Sigma/win_susp_bitstransfer.yml b/rules/alert-rules/sigma/win_susp_bitstransfer.yml
similarity index 100%
rename from rules/Sigma/win_susp_bitstransfer.yml
rename to rules/alert-rules/sigma/win_susp_bitstransfer.yml
diff --git a/rules/Sigma/win_susp_calc.yml b/rules/alert-rules/sigma/win_susp_calc.yml
similarity index 100%
rename from rules/Sigma/win_susp_calc.yml
rename to rules/alert-rules/sigma/win_susp_calc.yml
diff --git a/rules/Sigma/win_susp_cdb.yml b/rules/alert-rules/sigma/win_susp_cdb.yml
similarity index 100%
rename from rules/Sigma/win_susp_cdb.yml
rename to rules/alert-rules/sigma/win_susp_cdb.yml
diff --git a/rules/Sigma/win_susp_certutil_command.yml b/rules/alert-rules/sigma/win_susp_certutil_command.yml
similarity index 100%
rename from rules/Sigma/win_susp_certutil_command.yml
rename to rules/alert-rules/sigma/win_susp_certutil_command.yml
diff --git a/rules/Sigma/win_susp_certutil_encode.yml b/rules/alert-rules/sigma/win_susp_certutil_encode.yml
similarity index 100%
rename from rules/Sigma/win_susp_certutil_encode.yml
rename to rules/alert-rules/sigma/win_susp_certutil_encode.yml
diff --git a/rules/Sigma/win_susp_child_process_as_system_.yml b/rules/alert-rules/sigma/win_susp_child_process_as_system_.yml
similarity index 100%
rename from rules/Sigma/win_susp_child_process_as_system_.yml
rename to rules/alert-rules/sigma/win_susp_child_process_as_system_.yml
diff --git a/rules/Sigma/win_susp_cli_escape.yml b/rules/alert-rules/sigma/win_susp_cli_escape.yml
similarity index 100%
rename from rules/Sigma/win_susp_cli_escape.yml
rename to rules/alert-rules/sigma/win_susp_cli_escape.yml
diff --git a/rules/Sigma/win_susp_cmd_http_appdata.yml b/rules/alert-rules/sigma/win_susp_cmd_http_appdata.yml
similarity index 100%
rename from rules/Sigma/win_susp_cmd_http_appdata.yml
rename to rules/alert-rules/sigma/win_susp_cmd_http_appdata.yml
diff --git a/rules/Sigma/win_susp_cmd_shadowcopy_access.yml b/rules/alert-rules/sigma/win_susp_cmd_shadowcopy_access.yml
similarity index 100%
rename from rules/Sigma/win_susp_cmd_shadowcopy_access.yml
rename to rules/alert-rules/sigma/win_susp_cmd_shadowcopy_access.yml
diff --git a/rules/Sigma/win_susp_codeintegrity_check_failure.yml b/rules/alert-rules/sigma/win_susp_codeintegrity_check_failure.yml
similarity index 100%
rename from rules/Sigma/win_susp_codeintegrity_check_failure.yml
rename to rules/alert-rules/sigma/win_susp_codeintegrity_check_failure.yml
diff --git a/rules/Sigma/win_susp_codepage_switch.yml b/rules/alert-rules/sigma/win_susp_codepage_switch.yml
similarity index 100%
rename from rules/Sigma/win_susp_codepage_switch.yml
rename to rules/alert-rules/sigma/win_susp_codepage_switch.yml
diff --git a/rules/Sigma/win_susp_commands_recon_activity.yml b/rules/alert-rules/sigma/win_susp_commands_recon_activity.yml
similarity index 100%
rename from rules/Sigma/win_susp_commands_recon_activity.yml
rename to rules/alert-rules/sigma/win_susp_commands_recon_activity.yml
diff --git a/rules/Sigma/win_susp_compression_params.yml b/rules/alert-rules/sigma/win_susp_compression_params.yml
similarity index 100%
rename from rules/Sigma/win_susp_compression_params.yml
rename to rules/alert-rules/sigma/win_susp_compression_params.yml
diff --git a/rules/Sigma/win_susp_comsvcs_procdump.yml b/rules/alert-rules/sigma/win_susp_comsvcs_procdump.yml
similarity index 100%
rename from rules/Sigma/win_susp_comsvcs_procdump.yml
rename to rules/alert-rules/sigma/win_susp_comsvcs_procdump.yml
diff --git a/rules/Sigma/win_susp_conhost.yml b/rules/alert-rules/sigma/win_susp_conhost.yml
similarity index 100%
rename from rules/Sigma/win_susp_conhost.yml
rename to rules/alert-rules/sigma/win_susp_conhost.yml
diff --git a/rules/Sigma/win_susp_control_cve_2021_40444.yml b/rules/alert-rules/sigma/win_susp_control_cve_2021_40444.yml
similarity index 100%
rename from rules/Sigma/win_susp_control_cve_2021_40444.yml
rename to rules/alert-rules/sigma/win_susp_control_cve_2021_40444.yml
diff --git a/rules/Sigma/win_susp_control_dll_load.yml b/rules/alert-rules/sigma/win_susp_control_dll_load.yml
similarity index 100%
rename from rules/Sigma/win_susp_control_dll_load.yml
rename to rules/alert-rules/sigma/win_susp_control_dll_load.yml
diff --git a/rules/Sigma/win_susp_copy_lateral_movement.yml b/rules/alert-rules/sigma/win_susp_copy_lateral_movement.yml
similarity index 100%
rename from rules/Sigma/win_susp_copy_lateral_movement.yml
rename to rules/alert-rules/sigma/win_susp_copy_lateral_movement.yml
diff --git a/rules/Sigma/win_susp_copy_system32.yml b/rules/alert-rules/sigma/win_susp_copy_system32.yml
similarity index 100%
rename from rules/Sigma/win_susp_copy_system32.yml
rename to rules/alert-rules/sigma/win_susp_copy_system32.yml
diff --git a/rules/Sigma/win_susp_covenant.yml b/rules/alert-rules/sigma/win_susp_covenant.yml
similarity index 100%
rename from rules/Sigma/win_susp_covenant.yml
rename to rules/alert-rules/sigma/win_susp_covenant.yml
diff --git a/rules/Sigma/win_susp_crackmapexec_execution.yml b/rules/alert-rules/sigma/win_susp_crackmapexec_execution.yml
similarity index 100%
rename from rules/Sigma/win_susp_crackmapexec_execution.yml
rename to rules/alert-rules/sigma/win_susp_crackmapexec_execution.yml
diff --git a/rules/Sigma/win_susp_crackmapexec_powershell_obfuscation.yml b/rules/alert-rules/sigma/win_susp_crackmapexec_powershell_obfuscation.yml
similarity index 100%
rename from rules/Sigma/win_susp_crackmapexec_powershell_obfuscation.yml
rename to rules/alert-rules/sigma/win_susp_crackmapexec_powershell_obfuscation.yml
diff --git a/rules/Sigma/win_susp_csc.yml b/rules/alert-rules/sigma/win_susp_csc.yml
similarity index 100%
rename from rules/Sigma/win_susp_csc.yml
rename to rules/alert-rules/sigma/win_susp_csc.yml
diff --git a/rules/Sigma/win_susp_csc_folder.yml b/rules/alert-rules/sigma/win_susp_csc_folder.yml
similarity index 100%
rename from rules/Sigma/win_susp_csc_folder.yml
rename to rules/alert-rules/sigma/win_susp_csc_folder.yml
diff --git a/rules/Sigma/win_susp_csi.yml b/rules/alert-rules/sigma/win_susp_csi.yml
similarity index 100%
rename from rules/Sigma/win_susp_csi.yml
rename to rules/alert-rules/sigma/win_susp_csi.yml
diff --git a/rules/Sigma/win_susp_curl_download.yml b/rules/alert-rules/sigma/win_susp_curl_download.yml
similarity index 100%
rename from rules/Sigma/win_susp_curl_download.yml
rename to rules/alert-rules/sigma/win_susp_curl_download.yml
diff --git a/rules/Sigma/win_susp_curl_fileupload.yml b/rules/alert-rules/sigma/win_susp_curl_fileupload.yml
similarity index 100%
rename from rules/Sigma/win_susp_curl_fileupload.yml
rename to rules/alert-rules/sigma/win_susp_curl_fileupload.yml
diff --git a/rules/Sigma/win_susp_curl_start_combo.yml b/rules/alert-rules/sigma/win_susp_curl_start_combo.yml
similarity index 100%
rename from rules/Sigma/win_susp_curl_start_combo.yml
rename to rules/alert-rules/sigma/win_susp_curl_start_combo.yml
diff --git a/rules/Sigma/win_susp_dctask64_proc_inject.yml b/rules/alert-rules/sigma/win_susp_dctask64_proc_inject.yml
similarity index 100%
rename from rules/Sigma/win_susp_dctask64_proc_inject.yml
rename to rules/alert-rules/sigma/win_susp_dctask64_proc_inject.yml
diff --git a/rules/Sigma/win_susp_desktopimgdownldr.yml b/rules/alert-rules/sigma/win_susp_desktopimgdownldr.yml
similarity index 100%
rename from rules/Sigma/win_susp_desktopimgdownldr.yml
rename to rules/alert-rules/sigma/win_susp_desktopimgdownldr.yml
diff --git a/rules/Sigma/win_susp_desktopimgdownldr_file.yml b/rules/alert-rules/sigma/win_susp_desktopimgdownldr_file.yml
similarity index 100%
rename from rules/Sigma/win_susp_desktopimgdownldr_file.yml
rename to rules/alert-rules/sigma/win_susp_desktopimgdownldr_file.yml
diff --git a/rules/Sigma/win_susp_devtoolslauncher.yml b/rules/alert-rules/sigma/win_susp_devtoolslauncher.yml
similarity index 100%
rename from rules/Sigma/win_susp_devtoolslauncher.yml
rename to rules/alert-rules/sigma/win_susp_devtoolslauncher.yml
diff --git a/rules/Sigma/win_susp_dhcp_config.yml b/rules/alert-rules/sigma/win_susp_dhcp_config.yml
similarity index 100%
rename from rules/Sigma/win_susp_dhcp_config.yml
rename to rules/alert-rules/sigma/win_susp_dhcp_config.yml
diff --git a/rules/Sigma/win_susp_dhcp_config_failed.yml b/rules/alert-rules/sigma/win_susp_dhcp_config_failed.yml
similarity index 100%
rename from rules/Sigma/win_susp_dhcp_config_failed.yml
rename to rules/alert-rules/sigma/win_susp_dhcp_config_failed.yml
diff --git a/rules/Sigma/win_susp_direct_asep_reg_keys_modification.yml b/rules/alert-rules/sigma/win_susp_direct_asep_reg_keys_modification.yml
similarity index 100%
rename from rules/Sigma/win_susp_direct_asep_reg_keys_modification.yml
rename to rules/alert-rules/sigma/win_susp_direct_asep_reg_keys_modification.yml
diff --git a/rules/Sigma/win_susp_disable_eventlog.yml b/rules/alert-rules/sigma/win_susp_disable_eventlog.yml
similarity index 100%
rename from rules/Sigma/win_susp_disable_eventlog.yml
rename to rules/alert-rules/sigma/win_susp_disable_eventlog.yml
diff --git a/rules/Sigma/win_susp_disable_ie_features.yml b/rules/alert-rules/sigma/win_susp_disable_ie_features.yml
similarity index 100%
rename from rules/Sigma/win_susp_disable_ie_features.yml
rename to rules/alert-rules/sigma/win_susp_disable_ie_features.yml
diff --git a/rules/Sigma/win_susp_disable_raccine.yml b/rules/alert-rules/sigma/win_susp_disable_raccine.yml
similarity index 100%
rename from rules/Sigma/win_susp_disable_raccine.yml
rename to rules/alert-rules/sigma/win_susp_disable_raccine.yml
diff --git a/rules/Sigma/win_susp_diskshadow.yml b/rules/alert-rules/sigma/win_susp_diskshadow.yml
similarity index 100%
rename from rules/Sigma/win_susp_diskshadow.yml
rename to rules/alert-rules/sigma/win_susp_diskshadow.yml
diff --git a/rules/Sigma/win_susp_ditsnap.yml b/rules/alert-rules/sigma/win_susp_ditsnap.yml
similarity index 100%
rename from rules/Sigma/win_susp_ditsnap.yml
rename to rules/alert-rules/sigma/win_susp_ditsnap.yml
diff --git a/rules/Sigma/win_susp_dns_config.yml b/rules/alert-rules/sigma/win_susp_dns_config.yml
similarity index 100%
rename from rules/Sigma/win_susp_dns_config.yml
rename to rules/alert-rules/sigma/win_susp_dns_config.yml
diff --git a/rules/Sigma/win_susp_dnx.yml b/rules/alert-rules/sigma/win_susp_dnx.yml
similarity index 100%
rename from rules/Sigma/win_susp_dnx.yml
rename to rules/alert-rules/sigma/win_susp_dnx.yml
diff --git a/rules/Sigma/win_susp_double_extension.yml b/rules/alert-rules/sigma/win_susp_double_extension.yml
similarity index 100%
rename from rules/Sigma/win_susp_double_extension.yml
rename to rules/alert-rules/sigma/win_susp_double_extension.yml
diff --git a/rules/Sigma/win_susp_dsrm_password_change.yml b/rules/alert-rules/sigma/win_susp_dsrm_password_change.yml
similarity index 100%
rename from rules/Sigma/win_susp_dsrm_password_change.yml
rename to rules/alert-rules/sigma/win_susp_dsrm_password_change.yml
diff --git a/rules/Sigma/win_susp_dxcap.yml b/rules/alert-rules/sigma/win_susp_dxcap.yml
similarity index 100%
rename from rules/Sigma/win_susp_dxcap.yml
rename to rules/alert-rules/sigma/win_susp_dxcap.yml
diff --git a/rules/Sigma/win_susp_emotet_rudll32_execution.yml b/rules/alert-rules/sigma/win_susp_emotet_rudll32_execution.yml
similarity index 100%
rename from rules/Sigma/win_susp_emotet_rudll32_execution.yml
rename to rules/alert-rules/sigma/win_susp_emotet_rudll32_execution.yml
diff --git a/rules/Sigma/win_susp_esentutl_activity.yml b/rules/alert-rules/sigma/win_susp_esentutl_activity.yml
similarity index 100%
rename from rules/Sigma/win_susp_esentutl_activity.yml
rename to rules/alert-rules/sigma/win_susp_esentutl_activity.yml
diff --git a/rules/Sigma/win_susp_eventlog_clear.yml b/rules/alert-rules/sigma/win_susp_eventlog_clear.yml
similarity index 100%
rename from rules/Sigma/win_susp_eventlog_clear.yml
rename to rules/alert-rules/sigma/win_susp_eventlog_clear.yml
diff --git a/rules/Sigma/win_susp_eventlog_cleared.yml b/rules/alert-rules/sigma/win_susp_eventlog_cleared.yml
similarity index 100%
rename from rules/Sigma/win_susp_eventlog_cleared.yml
rename to rules/alert-rules/sigma/win_susp_eventlog_cleared.yml
diff --git a/rules/Sigma/win_susp_execution_path.yml b/rules/alert-rules/sigma/win_susp_execution_path.yml
similarity index 100%
rename from rules/Sigma/win_susp_execution_path.yml
rename to rules/alert-rules/sigma/win_susp_execution_path.yml
diff --git a/rules/Sigma/win_susp_execution_path_webserver.yml b/rules/alert-rules/sigma/win_susp_execution_path_webserver.yml
similarity index 100%
rename from rules/Sigma/win_susp_execution_path_webserver.yml
rename to rules/alert-rules/sigma/win_susp_execution_path_webserver.yml
diff --git a/rules/Sigma/win_susp_explorer.yml b/rules/alert-rules/sigma/win_susp_explorer.yml
similarity index 100%
rename from rules/Sigma/win_susp_explorer.yml
rename to rules/alert-rules/sigma/win_susp_explorer.yml
diff --git a/rules/Sigma/win_susp_explorer_break_proctree.yml b/rules/alert-rules/sigma/win_susp_explorer_break_proctree.yml
similarity index 100%
rename from rules/Sigma/win_susp_explorer_break_proctree.yml
rename to rules/alert-rules/sigma/win_susp_explorer_break_proctree.yml
diff --git a/rules/Sigma/win_susp_failed_guest_logon.yml b/rules/alert-rules/sigma/win_susp_failed_guest_logon.yml
similarity index 100%
rename from rules/Sigma/win_susp_failed_guest_logon.yml
rename to rules/alert-rules/sigma/win_susp_failed_guest_logon.yml
diff --git a/rules/Sigma/win_susp_failed_logon_reasons.yml b/rules/alert-rules/sigma/win_susp_failed_logon_reasons.yml
similarity index 100%
rename from rules/Sigma/win_susp_failed_logon_reasons.yml
rename to rules/alert-rules/sigma/win_susp_failed_logon_reasons.yml
diff --git a/rules/Sigma/win_susp_failed_logon_source.yml b/rules/alert-rules/sigma/win_susp_failed_logon_source.yml
similarity index 100%
rename from rules/Sigma/win_susp_failed_logon_source.yml
rename to rules/alert-rules/sigma/win_susp_failed_logon_source.yml
diff --git a/rules/Sigma/win_susp_file_characteristics.yml b/rules/alert-rules/sigma/win_susp_file_characteristics.yml
similarity index 100%
rename from rules/Sigma/win_susp_file_characteristics.yml
rename to rules/alert-rules/sigma/win_susp_file_characteristics.yml
diff --git a/rules/Sigma/win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/alert-rules/sigma/win_susp_file_download_via_gfxdownloadwrapper.yml
similarity index 100%
rename from rules/Sigma/win_susp_file_download_via_gfxdownloadwrapper.yml
rename to rules/alert-rules/sigma/win_susp_file_download_via_gfxdownloadwrapper.yml
diff --git a/rules/Sigma/win_susp_findstr.yml b/rules/alert-rules/sigma/win_susp_findstr.yml
similarity index 100%
rename from rules/Sigma/win_susp_findstr.yml
rename to rules/alert-rules/sigma/win_susp_findstr.yml
diff --git a/rules/Sigma/win_susp_findstr_lnk.yml b/rules/alert-rules/sigma/win_susp_findstr_lnk.yml
similarity index 100%
rename from rules/Sigma/win_susp_findstr_lnk.yml
rename to rules/alert-rules/sigma/win_susp_findstr_lnk.yml
diff --git a/rules/Sigma/win_susp_finger_usage.yml b/rules/alert-rules/sigma/win_susp_finger_usage.yml
similarity index 100%
rename from rules/Sigma/win_susp_finger_usage.yml
rename to rules/alert-rules/sigma/win_susp_finger_usage.yml
diff --git a/rules/Sigma/win_susp_firewall_disable.yml b/rules/alert-rules/sigma/win_susp_firewall_disable.yml
similarity index 100%
rename from rules/Sigma/win_susp_firewall_disable.yml
rename to rules/alert-rules/sigma/win_susp_firewall_disable.yml
diff --git a/rules/Sigma/win_susp_fsutil_usage.yml b/rules/alert-rules/sigma/win_susp_fsutil_usage.yml
similarity index 100%
rename from rules/Sigma/win_susp_fsutil_usage.yml
rename to rules/alert-rules/sigma/win_susp_fsutil_usage.yml
diff --git a/rules/Sigma/win_susp_ftp.yml b/rules/alert-rules/sigma/win_susp_ftp.yml
similarity index 100%
rename from rules/Sigma/win_susp_ftp.yml
rename to rules/alert-rules/sigma/win_susp_ftp.yml
diff --git a/rules/Sigma/win_susp_gup.yml b/rules/alert-rules/sigma/win_susp_gup.yml
similarity index 100%
rename from rules/Sigma/win_susp_gup.yml
rename to rules/alert-rules/sigma/win_susp_gup.yml
diff --git a/rules/Sigma/win_susp_interactive_logons.yml b/rules/alert-rules/sigma/win_susp_interactive_logons.yml
similarity index 100%
rename from rules/Sigma/win_susp_interactive_logons.yml
rename to rules/alert-rules/sigma/win_susp_interactive_logons.yml
diff --git a/rules/Sigma/win_susp_iss_module_install.yml b/rules/alert-rules/sigma/win_susp_iss_module_install.yml
similarity index 100%
rename from rules/Sigma/win_susp_iss_module_install.yml
rename to rules/alert-rules/sigma/win_susp_iss_module_install.yml
diff --git a/rules/Sigma/win_susp_kerberos_manipulation.yml b/rules/alert-rules/sigma/win_susp_kerberos_manipulation.yml
similarity index 100%
rename from rules/Sigma/win_susp_kerberos_manipulation.yml
rename to rules/alert-rules/sigma/win_susp_kerberos_manipulation.yml
diff --git a/rules/Sigma/win_susp_ldap_dataexchange.yml b/rules/alert-rules/sigma/win_susp_ldap_dataexchange.yml
similarity index 100%
rename from rules/Sigma/win_susp_ldap_dataexchange.yml
rename to rules/alert-rules/sigma/win_susp_ldap_dataexchange.yml
diff --git a/rules/Sigma/win_susp_local_anon_logon_created.yml b/rules/alert-rules/sigma/win_susp_local_anon_logon_created.yml
similarity index 100%
rename from rules/Sigma/win_susp_local_anon_logon_created.yml
rename to rules/alert-rules/sigma/win_susp_local_anon_logon_created.yml
diff --git a/rules/Sigma/win_susp_logon_explicit_credentials.yml b/rules/alert-rules/sigma/win_susp_logon_explicit_credentials.yml
similarity index 100%
rename from rules/Sigma/win_susp_logon_explicit_credentials.yml
rename to rules/alert-rules/sigma/win_susp_logon_explicit_credentials.yml
diff --git a/rules/Sigma/win_susp_lsass_dump.yml b/rules/alert-rules/sigma/win_susp_lsass_dump.yml
similarity index 100%
rename from rules/Sigma/win_susp_lsass_dump.yml
rename to rules/alert-rules/sigma/win_susp_lsass_dump.yml
diff --git a/rules/Sigma/win_susp_lsass_dump_generic.yml b/rules/alert-rules/sigma/win_susp_lsass_dump_generic.yml
similarity index 100%
rename from rules/Sigma/win_susp_lsass_dump_generic.yml
rename to rules/alert-rules/sigma/win_susp_lsass_dump_generic.yml
diff --git a/rules/Sigma/win_susp_mounted_share_deletion.yml b/rules/alert-rules/sigma/win_susp_mounted_share_deletion.yml
similarity index 100%
rename from rules/Sigma/win_susp_mounted_share_deletion.yml
rename to rules/alert-rules/sigma/win_susp_mounted_share_deletion.yml
diff --git a/rules/Sigma/win_susp_mpcmdrun_download.yml b/rules/alert-rules/sigma/win_susp_mpcmdrun_download.yml
similarity index 100%
rename from rules/Sigma/win_susp_mpcmdrun_download.yml
rename to rules/alert-rules/sigma/win_susp_mpcmdrun_download.yml
diff --git a/rules/Sigma/win_susp_mshta_execution.yml b/rules/alert-rules/sigma/win_susp_mshta_execution.yml
similarity index 100%
rename from rules/Sigma/win_susp_mshta_execution.yml
rename to rules/alert-rules/sigma/win_susp_mshta_execution.yml
diff --git a/rules/Sigma/win_susp_mshta_pattern.yml b/rules/alert-rules/sigma/win_susp_mshta_pattern.yml
similarity index 100%
rename from rules/Sigma/win_susp_mshta_pattern.yml
rename to rules/alert-rules/sigma/win_susp_mshta_pattern.yml
diff --git a/rules/Sigma/win_susp_msiexec_cwd.yml b/rules/alert-rules/sigma/win_susp_msiexec_cwd.yml
similarity index 100%
rename from rules/Sigma/win_susp_msiexec_cwd.yml
rename to rules/alert-rules/sigma/win_susp_msiexec_cwd.yml
diff --git a/rules/Sigma/win_susp_msiexec_web_install.yml b/rules/alert-rules/sigma/win_susp_msiexec_web_install.yml
similarity index 100%
rename from rules/Sigma/win_susp_msiexec_web_install.yml
rename to rules/alert-rules/sigma/win_susp_msiexec_web_install.yml
diff --git a/rules/Sigma/win_susp_msmpeng_crash.yml b/rules/alert-rules/sigma/win_susp_msmpeng_crash.yml
similarity index 100%
rename from rules/Sigma/win_susp_msmpeng_crash.yml
rename to rules/alert-rules/sigma/win_susp_msmpeng_crash.yml
diff --git a/rules/Sigma/win_susp_msoffice.yml b/rules/alert-rules/sigma/win_susp_msoffice.yml
similarity index 100%
rename from rules/Sigma/win_susp_msoffice.yml
rename to rules/alert-rules/sigma/win_susp_msoffice.yml
diff --git a/rules/Sigma/win_susp_multiple_files_renamed_or_deleted.yml b/rules/alert-rules/sigma/win_susp_multiple_files_renamed_or_deleted.yml
similarity index 100%
rename from rules/Sigma/win_susp_multiple_files_renamed_or_deleted.yml
rename to rules/alert-rules/sigma/win_susp_multiple_files_renamed_or_deleted.yml
diff --git a/rules/Sigma/win_susp_net_execution.yml b/rules/alert-rules/sigma/win_susp_net_execution.yml
similarity index 100%
rename from rules/Sigma/win_susp_net_execution.yml
rename to rules/alert-rules/sigma/win_susp_net_execution.yml
diff --git a/rules/Sigma/win_susp_net_recon_activity.yml b/rules/alert-rules/sigma/win_susp_net_recon_activity.yml
similarity index 100%
rename from rules/Sigma/win_susp_net_recon_activity.yml
rename to rules/alert-rules/sigma/win_susp_net_recon_activity.yml
diff --git a/rules/Sigma/win_susp_netsh_dll_persistence.yml b/rules/alert-rules/sigma/win_susp_netsh_dll_persistence.yml
similarity index 100%
rename from rules/Sigma/win_susp_netsh_dll_persistence.yml
rename to rules/alert-rules/sigma/win_susp_netsh_dll_persistence.yml
diff --git a/rules/Sigma/win_susp_ngrok_pua.yml b/rules/alert-rules/sigma/win_susp_ngrok_pua.yml
similarity index 100%
rename from rules/Sigma/win_susp_ngrok_pua.yml
rename to rules/alert-rules/sigma/win_susp_ngrok_pua.yml
diff --git a/rules/Sigma/win_susp_ntdsutil.yml b/rules/alert-rules/sigma/win_susp_ntdsutil.yml
similarity index 100%
rename from rules/Sigma/win_susp_ntdsutil.yml
rename to rules/alert-rules/sigma/win_susp_ntdsutil.yml
diff --git a/rules/Sigma/win_susp_ntlm_auth.yml b/rules/alert-rules/sigma/win_susp_ntlm_auth.yml
similarity index 100%
rename from rules/Sigma/win_susp_ntlm_auth.yml
rename to rules/alert-rules/sigma/win_susp_ntlm_auth.yml
diff --git a/rules/Sigma/win_susp_ntlm_rdp.yml b/rules/alert-rules/sigma/win_susp_ntlm_rdp.yml
similarity index 100%
rename from rules/Sigma/win_susp_ntlm_rdp.yml
rename to rules/alert-rules/sigma/win_susp_ntlm_rdp.yml
diff --git a/rules/Sigma/win_susp_odbcconf.yml b/rules/alert-rules/sigma/win_susp_odbcconf.yml
similarity index 100%
rename from rules/Sigma/win_susp_odbcconf.yml
rename to rules/alert-rules/sigma/win_susp_odbcconf.yml
diff --git a/rules/Sigma/win_susp_openwith.yml b/rules/alert-rules/sigma/win_susp_openwith.yml
similarity index 100%
rename from rules/Sigma/win_susp_openwith.yml
rename to rules/alert-rules/sigma/win_susp_openwith.yml
diff --git a/rules/Sigma/win_susp_outlook.yml b/rules/alert-rules/sigma/win_susp_outlook.yml
similarity index 100%
rename from rules/Sigma/win_susp_outlook.yml
rename to rules/alert-rules/sigma/win_susp_outlook.yml
diff --git a/rules/Sigma/win_susp_outlook_temp.yml b/rules/alert-rules/sigma/win_susp_outlook_temp.yml
similarity index 100%
rename from rules/Sigma/win_susp_outlook_temp.yml
rename to rules/alert-rules/sigma/win_susp_outlook_temp.yml
diff --git a/rules/Sigma/win_susp_pcwutl.yml b/rules/alert-rules/sigma/win_susp_pcwutl.yml
similarity index 100%
rename from rules/Sigma/win_susp_pcwutl.yml
rename to rules/alert-rules/sigma/win_susp_pcwutl.yml
diff --git a/rules/Sigma/win_susp_pester.yml b/rules/alert-rules/sigma/win_susp_pester.yml
similarity index 100%
rename from rules/Sigma/win_susp_pester.yml
rename to rules/alert-rules/sigma/win_susp_pester.yml
diff --git a/rules/Sigma/win_susp_ping_hex_ip.yml b/rules/alert-rules/sigma/win_susp_ping_hex_ip.yml
similarity index 100%
rename from rules/Sigma/win_susp_ping_hex_ip.yml
rename to rules/alert-rules/sigma/win_susp_ping_hex_ip.yml
diff --git a/rules/Sigma/win_susp_powershell_empire_launch.yml b/rules/alert-rules/sigma/win_susp_powershell_empire_launch.yml
similarity index 100%
rename from rules/Sigma/win_susp_powershell_empire_launch.yml
rename to rules/alert-rules/sigma/win_susp_powershell_empire_launch.yml
diff --git a/rules/Sigma/win_susp_powershell_empire_uac_bypass.yml b/rules/alert-rules/sigma/win_susp_powershell_empire_uac_bypass.yml
similarity index 100%
rename from rules/Sigma/win_susp_powershell_empire_uac_bypass.yml
rename to rules/alert-rules/sigma/win_susp_powershell_empire_uac_bypass.yml
diff --git a/rules/Sigma/win_susp_powershell_enc_cmd.yml b/rules/alert-rules/sigma/win_susp_powershell_enc_cmd.yml
similarity index 100%
rename from rules/Sigma/win_susp_powershell_enc_cmd.yml
rename to rules/alert-rules/sigma/win_susp_powershell_enc_cmd.yml
diff --git a/rules/Sigma/win_susp_powershell_encoded_param.yml b/rules/alert-rules/sigma/win_susp_powershell_encoded_param.yml
similarity index 100%
rename from rules/Sigma/win_susp_powershell_encoded_param.yml
rename to rules/alert-rules/sigma/win_susp_powershell_encoded_param.yml
diff --git a/rules/Sigma/win_susp_powershell_getprocess_lsass.yml b/rules/alert-rules/sigma/win_susp_powershell_getprocess_lsass.yml
similarity index 100%
rename from rules/Sigma/win_susp_powershell_getprocess_lsass.yml
rename to rules/alert-rules/sigma/win_susp_powershell_getprocess_lsass.yml
diff --git a/rules/Sigma/win_susp_powershell_hidden_b64_cmd.yml b/rules/alert-rules/sigma/win_susp_powershell_hidden_b64_cmd.yml
similarity index 100%
rename from rules/Sigma/win_susp_powershell_hidden_b64_cmd.yml
rename to rules/alert-rules/sigma/win_susp_powershell_hidden_b64_cmd.yml
diff --git a/rules/Sigma/win_susp_powershell_parent_combo.yml b/rules/alert-rules/sigma/win_susp_powershell_parent_combo.yml
similarity index 100%
rename from rules/Sigma/win_susp_powershell_parent_combo.yml
rename to rules/alert-rules/sigma/win_susp_powershell_parent_combo.yml
diff --git a/rules/Sigma/win_susp_powershell_parent_process.yml b/rules/alert-rules/sigma/win_susp_powershell_parent_process.yml
similarity index 100%
rename from rules/Sigma/win_susp_powershell_parent_process.yml
rename to rules/alert-rules/sigma/win_susp_powershell_parent_process.yml
diff --git a/rules/Sigma/win_susp_powershell_sam_access.yml b/rules/alert-rules/sigma/win_susp_powershell_sam_access.yml
similarity index 100%
rename from rules/Sigma/win_susp_powershell_sam_access.yml
rename to rules/alert-rules/sigma/win_susp_powershell_sam_access.yml
diff --git a/rules/Sigma/win_susp_print.yml b/rules/alert-rules/sigma/win_susp_print.yml
similarity index 100%
rename from rules/Sigma/win_susp_print.yml
rename to rules/alert-rules/sigma/win_susp_print.yml
diff --git a/rules/Sigma/win_susp_procdump.yml b/rules/alert-rules/sigma/win_susp_procdump.yml
similarity index 100%
rename from rules/Sigma/win_susp_procdump.yml
rename to rules/alert-rules/sigma/win_susp_procdump.yml
diff --git a/rules/Sigma/win_susp_procdump_lsass.yml b/rules/alert-rules/sigma/win_susp_procdump_lsass.yml
similarity index 100%
rename from rules/Sigma/win_susp_procdump_lsass.yml
rename to rules/alert-rules/sigma/win_susp_procdump_lsass.yml
diff --git a/rules/Sigma/win_susp_proceshacker.yml b/rules/alert-rules/sigma/win_susp_proceshacker.yml
similarity index 100%
rename from rules/Sigma/win_susp_proceshacker.yml
rename to rules/alert-rules/sigma/win_susp_proceshacker.yml
diff --git a/rules/Sigma/win_susp_ps_appdata.yml b/rules/alert-rules/sigma/win_susp_ps_appdata.yml
similarity index 100%
rename from rules/Sigma/win_susp_ps_appdata.yml
rename to rules/alert-rules/sigma/win_susp_ps_appdata.yml
diff --git a/rules/Sigma/win_susp_ps_downloadfile.yml b/rules/alert-rules/sigma/win_susp_ps_downloadfile.yml
similarity index 100%
rename from rules/Sigma/win_susp_ps_downloadfile.yml
rename to rules/alert-rules/sigma/win_susp_ps_downloadfile.yml
diff --git a/rules/Sigma/win_susp_psexec.yml b/rules/alert-rules/sigma/win_susp_psexec.yml
similarity index 100%
rename from rules/Sigma/win_susp_psexec.yml
rename to rules/alert-rules/sigma/win_susp_psexec.yml
diff --git a/rules/Sigma/win_susp_psexec_eula.yml b/rules/alert-rules/sigma/win_susp_psexec_eula.yml
similarity index 100%
rename from rules/Sigma/win_susp_psexec_eula.yml
rename to rules/alert-rules/sigma/win_susp_psexec_eula.yml
diff --git a/rules/Sigma/win_susp_psexex_paexec_flags.yml b/rules/alert-rules/sigma/win_susp_psexex_paexec_flags.yml
similarity index 100%
rename from rules/Sigma/win_susp_psexex_paexec_flags.yml
rename to rules/alert-rules/sigma/win_susp_psexex_paexec_flags.yml
diff --git a/rules/Sigma/win_susp_psr_capture_screenshots.yml b/rules/alert-rules/sigma/win_susp_psr_capture_screenshots.yml
similarity index 100%
rename from rules/Sigma/win_susp_psr_capture_screenshots.yml
rename to rules/alert-rules/sigma/win_susp_psr_capture_screenshots.yml
diff --git a/rules/Sigma/win_susp_raccess_sensitive_fext.yml b/rules/alert-rules/sigma/win_susp_raccess_sensitive_fext.yml
similarity index 100%
rename from rules/Sigma/win_susp_raccess_sensitive_fext.yml
rename to rules/alert-rules/sigma/win_susp_raccess_sensitive_fext.yml
diff --git a/rules/Sigma/win_susp_rar_flags.yml b/rules/alert-rules/sigma/win_susp_rar_flags.yml
similarity index 100%
rename from rules/Sigma/win_susp_rar_flags.yml
rename to rules/alert-rules/sigma/win_susp_rar_flags.yml
diff --git a/rules/Sigma/win_susp_rasdial_activity.yml b/rules/alert-rules/sigma/win_susp_rasdial_activity.yml
similarity index 100%
rename from rules/Sigma/win_susp_rasdial_activity.yml
rename to rules/alert-rules/sigma/win_susp_rasdial_activity.yml
diff --git a/rules/Sigma/win_susp_razorinstaller_explorer.yml b/rules/alert-rules/sigma/win_susp_razorinstaller_explorer.yml
similarity index 100%
rename from rules/Sigma/win_susp_razorinstaller_explorer.yml
rename to rules/alert-rules/sigma/win_susp_razorinstaller_explorer.yml
diff --git a/rules/Sigma/win_susp_rc4_kerberos.yml b/rules/alert-rules/sigma/win_susp_rc4_kerberos.yml
similarity index 100%
rename from rules/Sigma/win_susp_rc4_kerberos.yml
rename to rules/alert-rules/sigma/win_susp_rc4_kerberos.yml
diff --git a/rules/Sigma/win_susp_rclone_exec.yml b/rules/alert-rules/sigma/win_susp_rclone_exec.yml
similarity index 100%
rename from rules/Sigma/win_susp_rclone_exec.yml
rename to rules/alert-rules/sigma/win_susp_rclone_exec.yml
diff --git a/rules/Sigma/win_susp_rclone_execution.yml b/rules/alert-rules/sigma/win_susp_rclone_execution.yml
similarity index 100%
rename from rules/Sigma/win_susp_rclone_execution.yml
rename to rules/alert-rules/sigma/win_susp_rclone_execution.yml
diff --git a/rules/Sigma/win_susp_recon_activity.yml b/rules/alert-rules/sigma/win_susp_recon_activity.yml
similarity index 100%
rename from rules/Sigma/win_susp_recon_activity.yml
rename to rules/alert-rules/sigma/win_susp_recon_activity.yml
diff --git a/rules/Sigma/win_susp_reg_disable_sec_services.yml b/rules/alert-rules/sigma/win_susp_reg_disable_sec_services.yml
similarity index 100%
rename from rules/Sigma/win_susp_reg_disable_sec_services.yml
rename to rules/alert-rules/sigma/win_susp_reg_disable_sec_services.yml
diff --git a/rules/Sigma/win_susp_regedit_trustedinstaller.yml b/rules/alert-rules/sigma/win_susp_regedit_trustedinstaller.yml
similarity index 100%
rename from rules/Sigma/win_susp_regedit_trustedinstaller.yml
rename to rules/alert-rules/sigma/win_susp_regedit_trustedinstaller.yml
diff --git a/rules/Sigma/win_susp_register_cimprovider.yml b/rules/alert-rules/sigma/win_susp_register_cimprovider.yml
similarity index 100%
rename from rules/Sigma/win_susp_register_cimprovider.yml
rename to rules/alert-rules/sigma/win_susp_register_cimprovider.yml
diff --git a/rules/Sigma/win_susp_registration_via_cscript.yml b/rules/alert-rules/sigma/win_susp_registration_via_cscript.yml
similarity index 100%
rename from rules/Sigma/win_susp_registration_via_cscript.yml
rename to rules/alert-rules/sigma/win_susp_registration_via_cscript.yml
diff --git a/rules/Sigma/win_susp_regsvr32_anomalies.yml b/rules/alert-rules/sigma/win_susp_regsvr32_anomalies.yml
similarity index 100%
rename from rules/Sigma/win_susp_regsvr32_anomalies.yml
rename to rules/alert-rules/sigma/win_susp_regsvr32_anomalies.yml
diff --git a/rules/Sigma/win_susp_regsvr32_flags_anomaly.yml b/rules/alert-rules/sigma/win_susp_regsvr32_flags_anomaly.yml
similarity index 100%
rename from rules/Sigma/win_susp_regsvr32_flags_anomaly.yml
rename to rules/alert-rules/sigma/win_susp_regsvr32_flags_anomaly.yml
diff --git a/rules/Sigma/win_susp_regsvr32_no_dll.yml b/rules/alert-rules/sigma/win_susp_regsvr32_no_dll.yml
similarity index 100%
rename from rules/Sigma/win_susp_regsvr32_no_dll.yml
rename to rules/alert-rules/sigma/win_susp_regsvr32_no_dll.yml
diff --git a/rules/Sigma/win_susp_renamed_dctask64.yml b/rules/alert-rules/sigma/win_susp_renamed_dctask64.yml
similarity index 100%
rename from rules/Sigma/win_susp_renamed_dctask64.yml
rename to rules/alert-rules/sigma/win_susp_renamed_dctask64.yml
diff --git a/rules/Sigma/win_susp_renamed_debugview.yml b/rules/alert-rules/sigma/win_susp_renamed_debugview.yml
similarity index 100%
rename from rules/Sigma/win_susp_renamed_debugview.yml
rename to rules/alert-rules/sigma/win_susp_renamed_debugview.yml
diff --git a/rules/Sigma/win_susp_renamed_paexec.yml b/rules/alert-rules/sigma/win_susp_renamed_paexec.yml
similarity index 100%
rename from rules/Sigma/win_susp_renamed_paexec.yml
rename to rules/alert-rules/sigma/win_susp_renamed_paexec.yml
diff --git a/rules/Sigma/win_susp_rottenpotato.yml b/rules/alert-rules/sigma/win_susp_rottenpotato.yml
similarity index 100%
rename from rules/Sigma/win_susp_rottenpotato.yml
rename to rules/alert-rules/sigma/win_susp_rottenpotato.yml
diff --git a/rules/Sigma/win_susp_rpcping.yml b/rules/alert-rules/sigma/win_susp_rpcping.yml
similarity index 100%
rename from rules/Sigma/win_susp_rpcping.yml
rename to rules/alert-rules/sigma/win_susp_rpcping.yml
diff --git a/rules/Sigma/win_susp_run_locations.yml b/rules/alert-rules/sigma/win_susp_run_locations.yml
similarity index 100%
rename from rules/Sigma/win_susp_run_locations.yml
rename to rules/alert-rules/sigma/win_susp_run_locations.yml
diff --git a/rules/Sigma/win_susp_rundll32_activity.yml b/rules/alert-rules/sigma/win_susp_rundll32_activity.yml
similarity index 100%
rename from rules/Sigma/win_susp_rundll32_activity.yml
rename to rules/alert-rules/sigma/win_susp_rundll32_activity.yml
diff --git a/rules/Sigma/win_susp_rundll32_by_ordinal.yml b/rules/alert-rules/sigma/win_susp_rundll32_by_ordinal.yml
similarity index 100%
rename from rules/Sigma/win_susp_rundll32_by_ordinal.yml
rename to rules/alert-rules/sigma/win_susp_rundll32_by_ordinal.yml
diff --git a/rules/Sigma/win_susp_rundll32_inline_vbs.yml b/rules/alert-rules/sigma/win_susp_rundll32_inline_vbs.yml
similarity index 100%
rename from rules/Sigma/win_susp_rundll32_inline_vbs.yml
rename to rules/alert-rules/sigma/win_susp_rundll32_inline_vbs.yml
diff --git a/rules/Sigma/win_susp_rundll32_no_params.yml b/rules/alert-rules/sigma/win_susp_rundll32_no_params.yml
similarity index 100%
rename from rules/Sigma/win_susp_rundll32_no_params.yml
rename to rules/alert-rules/sigma/win_susp_rundll32_no_params.yml
diff --git a/rules/Sigma/win_susp_rundll32_setupapi_installhinfsection.yml b/rules/alert-rules/sigma/win_susp_rundll32_setupapi_installhinfsection.yml
similarity index 100%
rename from rules/Sigma/win_susp_rundll32_setupapi_installhinfsection.yml
rename to rules/alert-rules/sigma/win_susp_rundll32_setupapi_installhinfsection.yml
diff --git a/rules/Sigma/win_susp_rundll32_sys.yml b/rules/alert-rules/sigma/win_susp_rundll32_sys.yml
similarity index 100%
rename from rules/Sigma/win_susp_rundll32_sys.yml
rename to rules/alert-rules/sigma/win_susp_rundll32_sys.yml
diff --git a/rules/Sigma/win_susp_runonce_execution.yml b/rules/alert-rules/sigma/win_susp_runonce_execution.yml
similarity index 100%
rename from rules/Sigma/win_susp_runonce_execution.yml
rename to rules/alert-rules/sigma/win_susp_runonce_execution.yml
diff --git a/rules/Sigma/win_susp_runscripthelper.yml b/rules/alert-rules/sigma/win_susp_runscripthelper.yml
similarity index 100%
rename from rules/Sigma/win_susp_runscripthelper.yml
rename to rules/alert-rules/sigma/win_susp_runscripthelper.yml
diff --git a/rules/Sigma/win_susp_sam_dump.yml b/rules/alert-rules/sigma/win_susp_sam_dump.yml
similarity index 100%
rename from rules/Sigma/win_susp_sam_dump.yml
rename to rules/alert-rules/sigma/win_susp_sam_dump.yml
diff --git a/rules/Sigma/win_susp_schtask_creation.yml b/rules/alert-rules/sigma/win_susp_schtask_creation.yml
similarity index 100%
rename from rules/Sigma/win_susp_schtask_creation.yml
rename to rules/alert-rules/sigma/win_susp_schtask_creation.yml
diff --git a/rules/Sigma/win_susp_schtask_creation_temp_folder.yml b/rules/alert-rules/sigma/win_susp_schtask_creation_temp_folder.yml
similarity index 100%
rename from rules/Sigma/win_susp_schtask_creation_temp_folder.yml
rename to rules/alert-rules/sigma/win_susp_schtask_creation_temp_folder.yml
diff --git a/rules/Sigma/win_susp_screenconnect_access.yml b/rules/alert-rules/sigma/win_susp_screenconnect_access.yml
similarity index 100%
rename from rules/Sigma/win_susp_screenconnect_access.yml
rename to rules/alert-rules/sigma/win_susp_screenconnect_access.yml
diff --git a/rules/Sigma/win_susp_screensaver_reg.yml b/rules/alert-rules/sigma/win_susp_screensaver_reg.yml
similarity index 100%
rename from rules/Sigma/win_susp_screensaver_reg.yml
rename to rules/alert-rules/sigma/win_susp_screensaver_reg.yml
diff --git a/rules/Sigma/win_susp_script_exec_from_temp.yml b/rules/alert-rules/sigma/win_susp_script_exec_from_temp.yml
similarity index 100%
rename from rules/Sigma/win_susp_script_exec_from_temp.yml
rename to rules/alert-rules/sigma/win_susp_script_exec_from_temp.yml
diff --git a/rules/Sigma/win_susp_script_execution.yml b/rules/alert-rules/sigma/win_susp_script_execution.yml
similarity index 100%
rename from rules/Sigma/win_susp_script_execution.yml
rename to rules/alert-rules/sigma/win_susp_script_execution.yml
diff --git a/rules/Sigma/win_susp_sdelete.yml b/rules/alert-rules/sigma/win_susp_sdelete.yml
similarity index 100%
rename from rules/Sigma/win_susp_sdelete.yml
rename to rules/alert-rules/sigma/win_susp_sdelete.yml
diff --git a/rules/Sigma/win_susp_service_dacl_modification.yml b/rules/alert-rules/sigma/win_susp_service_dacl_modification.yml
similarity index 100%
rename from rules/Sigma/win_susp_service_dacl_modification.yml
rename to rules/alert-rules/sigma/win_susp_service_dacl_modification.yml
diff --git a/rules/Sigma/win_susp_service_dir.yml b/rules/alert-rules/sigma/win_susp_service_dir.yml
similarity index 100%
rename from rules/Sigma/win_susp_service_dir.yml
rename to rules/alert-rules/sigma/win_susp_service_dir.yml
diff --git a/rules/Sigma/win_susp_service_path_modification.yml b/rules/alert-rules/sigma/win_susp_service_path_modification.yml
similarity index 100%
rename from rules/Sigma/win_susp_service_path_modification.yml
rename to rules/alert-rules/sigma/win_susp_service_path_modification.yml
diff --git a/rules/Sigma/win_susp_servu_exploitation_cve_2021_35211.yml b/rules/alert-rules/sigma/win_susp_servu_exploitation_cve_2021_35211.yml
similarity index 100%
rename from rules/Sigma/win_susp_servu_exploitation_cve_2021_35211.yml
rename to rules/alert-rules/sigma/win_susp_servu_exploitation_cve_2021_35211.yml
diff --git a/rules/Sigma/win_susp_servu_process_pattern.yml b/rules/alert-rules/sigma/win_susp_servu_process_pattern.yml
similarity index 100%
rename from rules/Sigma/win_susp_servu_process_pattern.yml
rename to rules/alert-rules/sigma/win_susp_servu_process_pattern.yml
diff --git a/rules/Sigma/win_susp_shell_spawn_from_mssql.yml b/rules/alert-rules/sigma/win_susp_shell_spawn_from_mssql.yml
similarity index 100%
rename from rules/Sigma/win_susp_shell_spawn_from_mssql.yml
rename to rules/alert-rules/sigma/win_susp_shell_spawn_from_mssql.yml
diff --git a/rules/Sigma/win_susp_shell_spawn_from_winrm.yml b/rules/alert-rules/sigma/win_susp_shell_spawn_from_winrm.yml
similarity index 100%
rename from rules/Sigma/win_susp_shell_spawn_from_winrm.yml
rename to rules/alert-rules/sigma/win_susp_shell_spawn_from_winrm.yml
diff --git a/rules/Sigma/win_susp_shimcache_flush.yml b/rules/alert-rules/sigma/win_susp_shimcache_flush.yml
similarity index 100%
rename from rules/Sigma/win_susp_shimcache_flush.yml
rename to rules/alert-rules/sigma/win_susp_shimcache_flush.yml
diff --git a/rules/Sigma/win_susp_splwow64.yml b/rules/alert-rules/sigma/win_susp_splwow64.yml
similarity index 100%
rename from rules/Sigma/win_susp_splwow64.yml
rename to rules/alert-rules/sigma/win_susp_splwow64.yml
diff --git a/rules/Sigma/win_susp_spoolsv_child_processes.yml b/rules/alert-rules/sigma/win_susp_spoolsv_child_processes.yml
similarity index 100%
rename from rules/Sigma/win_susp_spoolsv_child_processes.yml
rename to rules/alert-rules/sigma/win_susp_spoolsv_child_processes.yml
diff --git a/rules/Sigma/win_susp_sqldumper_activity.yml b/rules/alert-rules/sigma/win_susp_sqldumper_activity.yml
similarity index 100%
rename from rules/Sigma/win_susp_sqldumper_activity.yml
rename to rules/alert-rules/sigma/win_susp_sqldumper_activity.yml
diff --git a/rules/Sigma/win_susp_squirrel_lolbin.yml b/rules/alert-rules/sigma/win_susp_squirrel_lolbin.yml
similarity index 100%
rename from rules/Sigma/win_susp_squirrel_lolbin.yml
rename to rules/alert-rules/sigma/win_susp_squirrel_lolbin.yml
diff --git a/rules/Sigma/win_susp_svchost.yml b/rules/alert-rules/sigma/win_susp_svchost.yml
similarity index 100%
rename from rules/Sigma/win_susp_svchost.yml
rename to rules/alert-rules/sigma/win_susp_svchost.yml
diff --git a/rules/Sigma/win_susp_svchost_clfsw32.yml b/rules/alert-rules/sigma/win_susp_svchost_clfsw32.yml
similarity index 100%
rename from rules/Sigma/win_susp_svchost_clfsw32.yml
rename to rules/alert-rules/sigma/win_susp_svchost_clfsw32.yml
diff --git a/rules/Sigma/win_susp_svchost_no_cli.yml b/rules/alert-rules/sigma/win_susp_svchost_no_cli.yml
similarity index 100%
rename from rules/Sigma/win_susp_svchost_no_cli.yml
rename to rules/alert-rules/sigma/win_susp_svchost_no_cli.yml
diff --git a/rules/Sigma/win_susp_sysprep_appdata.yml b/rules/alert-rules/sigma/win_susp_sysprep_appdata.yml
similarity index 100%
rename from rules/Sigma/win_susp_sysprep_appdata.yml
rename to rules/alert-rules/sigma/win_susp_sysprep_appdata.yml
diff --git a/rules/Sigma/win_susp_sysvol_access.yml b/rules/alert-rules/sigma/win_susp_sysvol_access.yml
similarity index 100%
rename from rules/Sigma/win_susp_sysvol_access.yml
rename to rules/alert-rules/sigma/win_susp_sysvol_access.yml
diff --git a/rules/Sigma/win_susp_taskmgr_localsystem.yml b/rules/alert-rules/sigma/win_susp_taskmgr_localsystem.yml
similarity index 100%
rename from rules/Sigma/win_susp_taskmgr_localsystem.yml
rename to rules/alert-rules/sigma/win_susp_taskmgr_localsystem.yml
diff --git a/rules/Sigma/win_susp_taskmgr_parent.yml b/rules/alert-rules/sigma/win_susp_taskmgr_parent.yml
similarity index 100%
rename from rules/Sigma/win_susp_taskmgr_parent.yml
rename to rules/alert-rules/sigma/win_susp_taskmgr_parent.yml
diff --git a/rules/Sigma/win_susp_time_modification.yml b/rules/alert-rules/sigma/win_susp_time_modification.yml
similarity index 100%
rename from rules/Sigma/win_susp_time_modification.yml
rename to rules/alert-rules/sigma/win_susp_time_modification.yml
diff --git a/rules/Sigma/win_susp_tracker_execution.yml b/rules/alert-rules/sigma/win_susp_tracker_execution.yml
similarity index 100%
rename from rules/Sigma/win_susp_tracker_execution.yml
rename to rules/alert-rules/sigma/win_susp_tracker_execution.yml
diff --git a/rules/Sigma/win_susp_tscon_localsystem.yml b/rules/alert-rules/sigma/win_susp_tscon_localsystem.yml
similarity index 100%
rename from rules/Sigma/win_susp_tscon_localsystem.yml
rename to rules/alert-rules/sigma/win_susp_tscon_localsystem.yml
diff --git a/rules/Sigma/win_susp_tscon_rdp_redirect.yml b/rules/alert-rules/sigma/win_susp_tscon_rdp_redirect.yml
similarity index 100%
rename from rules/Sigma/win_susp_tscon_rdp_redirect.yml
rename to rules/alert-rules/sigma/win_susp_tscon_rdp_redirect.yml
diff --git a/rules/Sigma/win_susp_uac_bypass_trustedpath.yml b/rules/alert-rules/sigma/win_susp_uac_bypass_trustedpath.yml
similarity index 100%
rename from rules/Sigma/win_susp_uac_bypass_trustedpath.yml
rename to rules/alert-rules/sigma/win_susp_uac_bypass_trustedpath.yml
diff --git a/rules/Sigma/win_susp_use_of_csharp_console.yml b/rules/alert-rules/sigma/win_susp_use_of_csharp_console.yml
similarity index 100%
rename from rules/Sigma/win_susp_use_of_csharp_console.yml
rename to rules/alert-rules/sigma/win_susp_use_of_csharp_console.yml
diff --git a/rules/Sigma/win_susp_use_of_sqlps_bin.yml b/rules/alert-rules/sigma/win_susp_use_of_sqlps_bin.yml
similarity index 100%
rename from rules/Sigma/win_susp_use_of_sqlps_bin.yml
rename to rules/alert-rules/sigma/win_susp_use_of_sqlps_bin.yml
diff --git a/rules/Sigma/win_susp_use_of_sqltoolsps_bin.yml b/rules/alert-rules/sigma/win_susp_use_of_sqltoolsps_bin.yml
similarity index 100%
rename from rules/Sigma/win_susp_use_of_sqltoolsps_bin.yml
rename to rules/alert-rules/sigma/win_susp_use_of_sqltoolsps_bin.yml
diff --git a/rules/Sigma/win_susp_use_of_te_bin.yml b/rules/alert-rules/sigma/win_susp_use_of_te_bin.yml
similarity index 100%
rename from rules/Sigma/win_susp_use_of_te_bin.yml
rename to rules/alert-rules/sigma/win_susp_use_of_te_bin.yml
diff --git a/rules/Sigma/win_susp_use_of_vsjitdebugger_bin.yml b/rules/alert-rules/sigma/win_susp_use_of_vsjitdebugger_bin.yml
similarity index 100%
rename from rules/Sigma/win_susp_use_of_vsjitdebugger_bin.yml
rename to rules/alert-rules/sigma/win_susp_use_of_vsjitdebugger_bin.yml
diff --git a/rules/Sigma/win_susp_userinit_child.yml b/rules/alert-rules/sigma/win_susp_userinit_child.yml
similarity index 100%
rename from rules/Sigma/win_susp_userinit_child.yml
rename to rules/alert-rules/sigma/win_susp_userinit_child.yml
diff --git a/rules/Sigma/win_susp_vboxdrvinst.yml b/rules/alert-rules/sigma/win_susp_vboxdrvinst.yml
similarity index 100%
rename from rules/Sigma/win_susp_vboxdrvinst.yml
rename to rules/alert-rules/sigma/win_susp_vboxdrvinst.yml
diff --git a/rules/Sigma/win_susp_vbscript_unc2452.yml b/rules/alert-rules/sigma/win_susp_vbscript_unc2452.yml
similarity index 100%
rename from rules/Sigma/win_susp_vbscript_unc2452.yml
rename to rules/alert-rules/sigma/win_susp_vbscript_unc2452.yml
diff --git a/rules/Sigma/win_susp_volsnap_disable.yml b/rules/alert-rules/sigma/win_susp_volsnap_disable.yml
similarity index 100%
rename from rules/Sigma/win_susp_volsnap_disable.yml
rename to rules/alert-rules/sigma/win_susp_volsnap_disable.yml
diff --git a/rules/Sigma/win_susp_vssadmin_ntds_activity.yml b/rules/alert-rules/sigma/win_susp_vssadmin_ntds_activity.yml
similarity index 100%
rename from rules/Sigma/win_susp_vssadmin_ntds_activity.yml
rename to rules/alert-rules/sigma/win_susp_vssadmin_ntds_activity.yml
diff --git a/rules/Sigma/win_susp_whoami.yml b/rules/alert-rules/sigma/win_susp_whoami.yml
similarity index 100%
rename from rules/Sigma/win_susp_whoami.yml
rename to rules/alert-rules/sigma/win_susp_whoami.yml
diff --git a/rules/Sigma/win_susp_whoami_anomaly.yml b/rules/alert-rules/sigma/win_susp_whoami_anomaly.yml
similarity index 100%
rename from rules/Sigma/win_susp_whoami_anomaly.yml
rename to rules/alert-rules/sigma/win_susp_whoami_anomaly.yml
diff --git a/rules/Sigma/win_susp_winrm_awl_bypass.yml b/rules/alert-rules/sigma/win_susp_winrm_awl_bypass.yml
similarity index 100%
rename from rules/Sigma/win_susp_winrm_awl_bypass.yml
rename to rules/alert-rules/sigma/win_susp_winrm_awl_bypass.yml
diff --git a/rules/Sigma/win_susp_winrm_execution.yml b/rules/alert-rules/sigma/win_susp_winrm_execution.yml
similarity index 100%
rename from rules/Sigma/win_susp_winrm_execution.yml
rename to rules/alert-rules/sigma/win_susp_winrm_execution.yml
diff --git a/rules/Sigma/win_susp_wmi_execution.yml b/rules/alert-rules/sigma/win_susp_wmi_execution.yml
similarity index 100%
rename from rules/Sigma/win_susp_wmi_execution.yml
rename to rules/alert-rules/sigma/win_susp_wmi_execution.yml
diff --git a/rules/Sigma/win_susp_wmi_login.yml b/rules/alert-rules/sigma/win_susp_wmi_login.yml
similarity index 100%
rename from rules/Sigma/win_susp_wmi_login.yml
rename to rules/alert-rules/sigma/win_susp_wmi_login.yml
diff --git a/rules/Sigma/win_susp_wmic_eventconsumer_create.yml b/rules/alert-rules/sigma/win_susp_wmic_eventconsumer_create.yml
similarity index 100%
rename from rules/Sigma/win_susp_wmic_eventconsumer_create.yml
rename to rules/alert-rules/sigma/win_susp_wmic_eventconsumer_create.yml
diff --git a/rules/Sigma/win_susp_wmic_proc_create_rundll32.yml b/rules/alert-rules/sigma/win_susp_wmic_proc_create_rundll32.yml
similarity index 100%
rename from rules/Sigma/win_susp_wmic_proc_create_rundll32.yml
rename to rules/alert-rules/sigma/win_susp_wmic_proc_create_rundll32.yml
diff --git a/rules/Sigma/win_susp_wmic_security_product_uninstall.yml b/rules/alert-rules/sigma/win_susp_wmic_security_product_uninstall.yml
similarity index 100%
rename from rules/Sigma/win_susp_wmic_security_product_uninstall.yml
rename to rules/alert-rules/sigma/win_susp_wmic_security_product_uninstall.yml
diff --git a/rules/Sigma/win_susp_workfolders.yml b/rules/alert-rules/sigma/win_susp_workfolders.yml
similarity index 100%
rename from rules/Sigma/win_susp_workfolders.yml
rename to rules/alert-rules/sigma/win_susp_workfolders.yml
diff --git a/rules/Sigma/win_susp_wsl_lolbin.yml b/rules/alert-rules/sigma/win_susp_wsl_lolbin.yml
similarity index 100%
rename from rules/Sigma/win_susp_wsl_lolbin.yml
rename to rules/alert-rules/sigma/win_susp_wsl_lolbin.yml
diff --git a/rules/Sigma/win_susp_wuauclt.yml b/rules/alert-rules/sigma/win_susp_wuauclt.yml
similarity index 100%
rename from rules/Sigma/win_susp_wuauclt.yml
rename to rules/alert-rules/sigma/win_susp_wuauclt.yml
diff --git a/rules/Sigma/win_suspicious_outbound_kerberos_connection.yml b/rules/alert-rules/sigma/win_suspicious_outbound_kerberos_connection.yml
similarity index 100%
rename from rules/Sigma/win_suspicious_outbound_kerberos_connection.yml
rename to rules/alert-rules/sigma/win_suspicious_outbound_kerberos_connection.yml
diff --git a/rules/Sigma/win_suspicious_vss_ps_load.yml b/rules/alert-rules/sigma/win_suspicious_vss_ps_load.yml
similarity index 100%
rename from rules/Sigma/win_suspicious_vss_ps_load.yml
rename to rules/alert-rules/sigma/win_suspicious_vss_ps_load.yml
diff --git a/rules/Sigma/win_svcctl_remote_service.yml b/rules/alert-rules/sigma/win_svcctl_remote_service.yml
similarity index 100%
rename from rules/Sigma/win_svcctl_remote_service.yml
rename to rules/alert-rules/sigma/win_svcctl_remote_service.yml
diff --git a/rules/Sigma/win_syskey_registry_access.yml b/rules/alert-rules/sigma/win_syskey_registry_access.yml
similarity index 100%
rename from rules/Sigma/win_syskey_registry_access.yml
rename to rules/alert-rules/sigma/win_syskey_registry_access.yml
diff --git a/rules/Sigma/win_sysmon_channel_reference_deletion.yml b/rules/alert-rules/sigma/win_sysmon_channel_reference_deletion.yml
similarity index 100%
rename from rules/Sigma/win_sysmon_channel_reference_deletion.yml
rename to rules/alert-rules/sigma/win_sysmon_channel_reference_deletion.yml
diff --git a/rules/Sigma/win_sysmon_driver_unload.yml b/rules/alert-rules/sigma/win_sysmon_driver_unload.yml
similarity index 100%
rename from rules/Sigma/win_sysmon_driver_unload.yml
rename to rules/alert-rules/sigma/win_sysmon_driver_unload.yml
diff --git a/rules/Sigma/win_system_defender_disabled.yml b/rules/alert-rules/sigma/win_system_defender_disabled.yml
similarity index 100%
rename from rules/Sigma/win_system_defender_disabled.yml
rename to rules/alert-rules/sigma/win_system_defender_disabled.yml
diff --git a/rules/Sigma/win_system_exe_anomaly.yml b/rules/alert-rules/sigma/win_system_exe_anomaly.yml
similarity index 100%
rename from rules/Sigma/win_system_exe_anomaly.yml
rename to rules/alert-rules/sigma/win_system_exe_anomaly.yml
diff --git a/rules/Sigma/win_system_susp_eventlog_cleared.yml b/rules/alert-rules/sigma/win_system_susp_eventlog_cleared.yml
similarity index 100%
rename from rules/Sigma/win_system_susp_eventlog_cleared.yml
rename to rules/alert-rules/sigma/win_system_susp_eventlog_cleared.yml
diff --git a/rules/Sigma/win_tap_driver_installation.yml b/rules/alert-rules/sigma/win_tap_driver_installation.yml
similarity index 100%
rename from rules/Sigma/win_tap_driver_installation.yml
rename to rules/alert-rules/sigma/win_tap_driver_installation.yml
diff --git a/rules/Sigma/win_tap_installer_execution.yml b/rules/alert-rules/sigma/win_tap_installer_execution.yml
similarity index 100%
rename from rules/Sigma/win_tap_installer_execution.yml
rename to rules/alert-rules/sigma/win_tap_installer_execution.yml
diff --git a/rules/Sigma/win_task_folder_evasion.yml b/rules/alert-rules/sigma/win_task_folder_evasion.yml
similarity index 100%
rename from rules/Sigma/win_task_folder_evasion.yml
rename to rules/alert-rules/sigma/win_task_folder_evasion.yml
diff --git a/rules/Sigma/win_termserv_proc_spawn.yml b/rules/alert-rules/sigma/win_termserv_proc_spawn.yml
similarity index 100%
rename from rules/Sigma/win_termserv_proc_spawn.yml
rename to rules/alert-rules/sigma/win_termserv_proc_spawn.yml
diff --git a/rules/Sigma/win_tool_psexec.yml b/rules/alert-rules/sigma/win_tool_psexec.yml
similarity index 100%
rename from rules/Sigma/win_tool_psexec.yml
rename to rules/alert-rules/sigma/win_tool_psexec.yml
diff --git a/rules/Sigma/win_tools_relay_attacks.yml b/rules/alert-rules/sigma/win_tools_relay_attacks.yml
similarity index 100%
rename from rules/Sigma/win_tools_relay_attacks.yml
rename to rules/alert-rules/sigma/win_tools_relay_attacks.yml
diff --git a/rules/Sigma/win_transferring_files_with_credential_data_via_network_shares.yml b/rules/alert-rules/sigma/win_transferring_files_with_credential_data_via_network_shares.yml
similarity index 100%
rename from rules/Sigma/win_transferring_files_with_credential_data_via_network_shares.yml
rename to rules/alert-rules/sigma/win_transferring_files_with_credential_data_via_network_shares.yml
diff --git a/rules/Sigma/win_trust_discovery.yml b/rules/alert-rules/sigma/win_trust_discovery.yml
similarity index 100%
rename from rules/Sigma/win_trust_discovery.yml
rename to rules/alert-rules/sigma/win_trust_discovery.yml
diff --git a/rules/Sigma/win_uac_bypass_changepk_slui.yml b/rules/alert-rules/sigma/win_uac_bypass_changepk_slui.yml
similarity index 100%
rename from rules/Sigma/win_uac_bypass_changepk_slui.yml
rename to rules/alert-rules/sigma/win_uac_bypass_changepk_slui.yml
diff --git a/rules/Sigma/win_uac_bypass_cleanmgr.yml b/rules/alert-rules/sigma/win_uac_bypass_cleanmgr.yml
similarity index 100%
rename from rules/Sigma/win_uac_bypass_cleanmgr.yml
rename to rules/alert-rules/sigma/win_uac_bypass_cleanmgr.yml
diff --git a/rules/Sigma/win_uac_bypass_computerdefaults.yml b/rules/alert-rules/sigma/win_uac_bypass_computerdefaults.yml
similarity index 100%
rename from rules/Sigma/win_uac_bypass_computerdefaults.yml
rename to rules/alert-rules/sigma/win_uac_bypass_computerdefaults.yml
diff --git a/rules/Sigma/win_uac_bypass_consent_comctl32.yml b/rules/alert-rules/sigma/win_uac_bypass_consent_comctl32.yml
similarity index 100%
rename from rules/Sigma/win_uac_bypass_consent_comctl32.yml
rename to rules/alert-rules/sigma/win_uac_bypass_consent_comctl32.yml
diff --git a/rules/Sigma/win_uac_bypass_dismhost.yml b/rules/alert-rules/sigma/win_uac_bypass_dismhost.yml
similarity index 100%
rename from rules/Sigma/win_uac_bypass_dismhost.yml
rename to rules/alert-rules/sigma/win_uac_bypass_dismhost.yml
diff --git a/rules/Sigma/win_uac_bypass_ieinstal.yml b/rules/alert-rules/sigma/win_uac_bypass_ieinstal.yml
similarity index 100%
rename from rules/Sigma/win_uac_bypass_ieinstal.yml
rename to rules/alert-rules/sigma/win_uac_bypass_ieinstal.yml
diff --git a/rules/Sigma/win_uac_bypass_msconfig_gui.yml b/rules/alert-rules/sigma/win_uac_bypass_msconfig_gui.yml
similarity index 100%
rename from rules/Sigma/win_uac_bypass_msconfig_gui.yml
rename to rules/alert-rules/sigma/win_uac_bypass_msconfig_gui.yml
diff --git a/rules/Sigma/win_uac_bypass_ntfs_reparse_point.yml b/rules/alert-rules/sigma/win_uac_bypass_ntfs_reparse_point.yml
similarity index 100%
rename from rules/Sigma/win_uac_bypass_ntfs_reparse_point.yml
rename to rules/alert-rules/sigma/win_uac_bypass_ntfs_reparse_point.yml
diff --git a/rules/Sigma/win_uac_bypass_pkgmgr_dism.yml b/rules/alert-rules/sigma/win_uac_bypass_pkgmgr_dism.yml
similarity index 100%
rename from rules/Sigma/win_uac_bypass_pkgmgr_dism.yml
rename to rules/alert-rules/sigma/win_uac_bypass_pkgmgr_dism.yml
diff --git a/rules/Sigma/win_uac_bypass_winsat.yml b/rules/alert-rules/sigma/win_uac_bypass_winsat.yml
similarity index 100%
rename from rules/Sigma/win_uac_bypass_winsat.yml
rename to rules/alert-rules/sigma/win_uac_bypass_winsat.yml
diff --git a/rules/Sigma/win_uac_bypass_wmp.yml b/rules/alert-rules/sigma/win_uac_bypass_wmp.yml
similarity index 100%
rename from rules/Sigma/win_uac_bypass_wmp.yml
rename to rules/alert-rules/sigma/win_uac_bypass_wmp.yml
diff --git a/rules/Sigma/win_uac_bypass_wsreset.yml b/rules/alert-rules/sigma/win_uac_bypass_wsreset.yml
similarity index 100%
rename from rules/Sigma/win_uac_bypass_wsreset.yml
rename to rules/alert-rules/sigma/win_uac_bypass_wsreset.yml
diff --git a/rules/Sigma/win_uac_cmstp.yml b/rules/alert-rules/sigma/win_uac_cmstp.yml
similarity index 100%
rename from rules/Sigma/win_uac_cmstp.yml
rename to rules/alert-rules/sigma/win_uac_cmstp.yml
diff --git a/rules/Sigma/win_uac_fodhelper.yml b/rules/alert-rules/sigma/win_uac_fodhelper.yml
similarity index 100%
rename from rules/Sigma/win_uac_fodhelper.yml
rename to rules/alert-rules/sigma/win_uac_fodhelper.yml
diff --git a/rules/Sigma/win_uac_wsreset.yml b/rules/alert-rules/sigma/win_uac_wsreset.yml
similarity index 100%
rename from rules/Sigma/win_uac_wsreset.yml
rename to rules/alert-rules/sigma/win_uac_wsreset.yml
diff --git a/rules/Sigma/win_usb_device_plugged.yml b/rules/alert-rules/sigma/win_usb_device_plugged.yml
similarity index 100%
rename from rules/Sigma/win_usb_device_plugged.yml
rename to rules/alert-rules/sigma/win_usb_device_plugged.yml
diff --git a/rules/Sigma/win_user_added_to_local_administrators.yml b/rules/alert-rules/sigma/win_user_added_to_local_administrators.yml
similarity index 100%
rename from rules/Sigma/win_user_added_to_local_administrators.yml
rename to rules/alert-rules/sigma/win_user_added_to_local_administrators.yml
diff --git a/rules/Sigma/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/alert-rules/sigma/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
similarity index 100%
rename from rules/Sigma/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
rename to rules/alert-rules/sigma/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
diff --git a/rules/Sigma/win_user_creation.yml b/rules/alert-rules/sigma/win_user_creation.yml
similarity index 100%
rename from rules/Sigma/win_user_creation.yml
rename to rules/alert-rules/sigma/win_user_creation.yml
diff --git a/rules/Sigma/win_user_driver_loaded.yml b/rules/alert-rules/sigma/win_user_driver_loaded.yml
similarity index 100%
rename from rules/Sigma/win_user_driver_loaded.yml
rename to rules/alert-rules/sigma/win_user_driver_loaded.yml
diff --git a/rules/Sigma/win_using_sc_to_change_sevice_image_path_by_non_admin.yml b/rules/alert-rules/sigma/win_using_sc_to_change_sevice_image_path_by_non_admin.yml
similarity index 100%
rename from rules/Sigma/win_using_sc_to_change_sevice_image_path_by_non_admin.yml
rename to rules/alert-rules/sigma/win_using_sc_to_change_sevice_image_path_by_non_admin.yml
diff --git a/rules/Sigma/win_using_settingsynchost_as_lolbin.yml b/rules/alert-rules/sigma/win_using_settingsynchost_as_lolbin.yml
similarity index 100%
rename from rules/Sigma/win_using_settingsynchost_as_lolbin.yml
rename to rules/alert-rules/sigma/win_using_settingsynchost_as_lolbin.yml
diff --git a/rules/Sigma/win_verclsid_runs_com.yml b/rules/alert-rules/sigma/win_verclsid_runs_com.yml
similarity index 100%
rename from rules/Sigma/win_verclsid_runs_com.yml
rename to rules/alert-rules/sigma/win_verclsid_runs_com.yml
diff --git a/rules/Sigma/win_visual_basic_compiler.yml b/rules/alert-rules/sigma/win_visual_basic_compiler.yml
similarity index 100%
rename from rules/Sigma/win_visual_basic_compiler.yml
rename to rules/alert-rules/sigma/win_visual_basic_compiler.yml
diff --git a/rules/Sigma/win_volume_shadow_copy_mount.yml b/rules/alert-rules/sigma/win_volume_shadow_copy_mount.yml
similarity index 100%
rename from rules/Sigma/win_volume_shadow_copy_mount.yml
rename to rules/alert-rules/sigma/win_volume_shadow_copy_mount.yml
diff --git a/rules/Sigma/win_vssaudit_secevent_source_registration.yml b/rules/alert-rules/sigma/win_vssaudit_secevent_source_registration.yml
similarity index 100%
rename from rules/Sigma/win_vssaudit_secevent_source_registration.yml
rename to rules/alert-rules/sigma/win_vssaudit_secevent_source_registration.yml
diff --git a/rules/Sigma/win_vul_cve_2020_0688.yml b/rules/alert-rules/sigma/win_vul_cve_2020_0688.yml
similarity index 100%
rename from rules/Sigma/win_vul_cve_2020_0688.yml
rename to rules/alert-rules/sigma/win_vul_cve_2020_0688.yml
diff --git a/rules/Sigma/win_vul_cve_2020_1472.yml b/rules/alert-rules/sigma/win_vul_cve_2020_1472.yml
similarity index 100%
rename from rules/Sigma/win_vul_cve_2020_1472.yml
rename to rules/alert-rules/sigma/win_vul_cve_2020_1472.yml
diff --git a/rules/Sigma/win_vul_java_remote_debugging.yml b/rules/alert-rules/sigma/win_vul_java_remote_debugging.yml
similarity index 100%
rename from rules/Sigma/win_vul_java_remote_debugging.yml
rename to rules/alert-rules/sigma/win_vul_java_remote_debugging.yml
diff --git a/rules/Sigma/win_webshell_detection.yml b/rules/alert-rules/sigma/win_webshell_detection.yml
similarity index 100%
rename from rules/Sigma/win_webshell_detection.yml
rename to rules/alert-rules/sigma/win_webshell_detection.yml
diff --git a/rules/Sigma/win_webshell_recon_detection.yml b/rules/alert-rules/sigma/win_webshell_recon_detection.yml
similarity index 100%
rename from rules/Sigma/win_webshell_recon_detection.yml
rename to rules/alert-rules/sigma/win_webshell_recon_detection.yml
diff --git a/rules/Sigma/win_webshell_spawn.yml b/rules/alert-rules/sigma/win_webshell_spawn.yml
similarity index 100%
rename from rules/Sigma/win_webshell_spawn.yml
rename to rules/alert-rules/sigma/win_webshell_spawn.yml
diff --git a/rules/Sigma/win_whoami_as_system.yml b/rules/alert-rules/sigma/win_whoami_as_system.yml
similarity index 100%
rename from rules/Sigma/win_whoami_as_system.yml
rename to rules/alert-rules/sigma/win_whoami_as_system.yml
diff --git a/rules/Sigma/win_whoami_priv.yml b/rules/alert-rules/sigma/win_whoami_priv.yml
similarity index 100%
rename from rules/Sigma/win_whoami_priv.yml
rename to rules/alert-rules/sigma/win_whoami_priv.yml
diff --git a/rules/Sigma/win_win10_sched_task_0day.yml b/rules/alert-rules/sigma/win_win10_sched_task_0day.yml
similarity index 100%
rename from rules/Sigma/win_win10_sched_task_0day.yml
rename to rules/alert-rules/sigma/win_win10_sched_task_0day.yml
diff --git a/rules/Sigma/win_winword_dll_load.yml b/rules/alert-rules/sigma/win_winword_dll_load.yml
similarity index 100%
rename from rules/Sigma/win_winword_dll_load.yml
rename to rules/alert-rules/sigma/win_winword_dll_load.yml
diff --git a/rules/Sigma/win_wmi_backdoor_exchange_transport_agent.yml b/rules/alert-rules/sigma/win_wmi_backdoor_exchange_transport_agent.yml
similarity index 100%
rename from rules/Sigma/win_wmi_backdoor_exchange_transport_agent.yml
rename to rules/alert-rules/sigma/win_wmi_backdoor_exchange_transport_agent.yml
diff --git a/rules/Sigma/win_wmi_persistence.yml b/rules/alert-rules/sigma/win_wmi_persistence.yml
similarity index 100%
rename from rules/Sigma/win_wmi_persistence.yml
rename to rules/alert-rules/sigma/win_wmi_persistence.yml
diff --git a/rules/Sigma/win_wmi_persistence_script_event_consumer.yml b/rules/alert-rules/sigma/win_wmi_persistence_script_event_consumer.yml
similarity index 100%
rename from rules/Sigma/win_wmi_persistence_script_event_consumer.yml
rename to rules/alert-rules/sigma/win_wmi_persistence_script_event_consumer.yml
diff --git a/rules/Sigma/win_wmi_spwns_powershell.yml b/rules/alert-rules/sigma/win_wmi_spwns_powershell.yml
similarity index 100%
rename from rules/Sigma/win_wmi_spwns_powershell.yml
rename to rules/alert-rules/sigma/win_wmi_spwns_powershell.yml
diff --git a/rules/Sigma/win_wmiprvse_spawning_process.yml b/rules/alert-rules/sigma/win_wmiprvse_spawning_process.yml
similarity index 100%
rename from rules/Sigma/win_wmiprvse_spawning_process.yml
rename to rules/alert-rules/sigma/win_wmiprvse_spawning_process.yml
diff --git a/rules/Sigma/win_wmiprvse_wbemcomn_dll_hijack.yml b/rules/alert-rules/sigma/win_wmiprvse_wbemcomn_dll_hijack.yml
similarity index 100%
rename from rules/Sigma/win_wmiprvse_wbemcomn_dll_hijack.yml
rename to rules/alert-rules/sigma/win_wmiprvse_wbemcomn_dll_hijack.yml
diff --git a/rules/Sigma/win_workflow_compiler.yml b/rules/alert-rules/sigma/win_workflow_compiler.yml
similarity index 100%
rename from rules/Sigma/win_workflow_compiler.yml
rename to rules/alert-rules/sigma/win_workflow_compiler.yml
diff --git a/rules/Sigma/win_write_protect_for_storage_disabled.yml b/rules/alert-rules/sigma/win_write_protect_for_storage_disabled.yml
similarity index 100%
rename from rules/Sigma/win_write_protect_for_storage_disabled.yml
rename to rules/alert-rules/sigma/win_write_protect_for_storage_disabled.yml
diff --git a/rules/Sigma/win_wsreset_uac_bypass.yml b/rules/alert-rules/sigma/win_wsreset_uac_bypass.yml
similarity index 100%
rename from rules/Sigma/win_wsreset_uac_bypass.yml
rename to rules/alert-rules/sigma/win_wsreset_uac_bypass.yml
diff --git a/rules/Sigma/win_xsl_script_processing.yml b/rules/alert-rules/sigma/win_xsl_script_processing.yml
similarity index 100%
rename from rules/Sigma/win_xsl_script_processing.yml
rename to rules/alert-rules/sigma/win_xsl_script_processing.yml
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-0-System.yml b/rules/timeline-rules/Logons/4624-Logon-Type-0-System.yml
new file mode 100644
index 00000000..32ad52d2
--- /dev/null
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-0-System.yml
@@ -0,0 +1,15 @@
+title: Logon Type 0 - System
+description: Prints logon information
+author: Zach Mathis
+level: info
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 0
+
+falsepositives:
+ - normal system usage
+output: 'Bootup'
+creation_date: 2021/11/17
+updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-10-RemoteInteractive.yml b/rules/timeline-rules/Logons/4624-Logon-Type-10-RemoteInteractive.yml
new file mode 100644
index 00000000..3c4916b4
--- /dev/null
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-10-RemoteInteractive.yml
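Review bot: None of the selection-only rules added here (this Type 0 file and the Type 2, 4, 7, 8, 9, 10, 11, 12, 13, 4625, 4647, 4768, 4769 and 4776 files below) declares a `condition`, while the Type 3, Type 5, 4634 and 4672 files in the same commit do; Sigma treats `condition` as mandatory, so unless Hayabusa's loader defaults a missing condition to `selection`, these rules are either rejected at load time or match nothing. Adding `condition: selection` under `detection` in each of them makes the intent explicit whichever way the loader behaves. Every new file also ends without a trailing newline (`\ No newline at end of file`), which yamllint flags and which makes the next edit to each file show up as a two-line diff; add one per file.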
@@ -0,0 +1,15 @@
+title: Logon Type 10 - RDP (Remote Interactive)
+description: Prints logon information
+author: Zach Mathis
+level: info
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 10
+
+falsepositives:
+ - normal system usage
+output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+creation_date: 2021/11/17
+updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-11-CachedInteractive.yml b/rules/timeline-rules/Logons/4624-Logon-Type-11-CachedInteractive.yml
new file mode 100644
index 00000000..ce7c6043
--- /dev/null
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-11-CachedInteractive.yml
@@ -0,0 +1,15 @@
+title: Logon Type 11 - CachedInteractive
+description: Prints logon information
+author: Zach Mathis
+level: info
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 11
+
+falsepositives:
+ - normal system usage
+output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+creation_date: 2021/11/17
+updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-12-CachedRemoteInteractive.yml b/rules/timeline-rules/Logons/4624-Logon-Type-12-CachedRemoteInteractive.yml
new file mode 100644
index 00000000..99bec874
--- /dev/null
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-12-CachedRemoteInteractive.yml
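Review bot: The `(Warning: Credentials are stored in memory.)` suffix in the Type 10 output is unconditional, but an RDP session established in Restricted Admin mode does not leave reusable credentials on the target host; on Windows 8.1 / Server 2012 R2 and later the 4624 event carries a `RestrictedAdminMode` field that distinguishes the two cases. Consider surfacing it so an analyst can tell which RDP logons actually exposed credentials, e.g. `... LogonID: %TargetLogonId% RestrictedAdmin: %RestrictedAdminMode% (Warning: Credentials are stored in memory unless Restricted Admin Mode is Yes.)`, after confirming the placeholder resolves in Hayabusa's output template.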
@@ -0,0 +1,15 @@
+title: Logon Type 12 - CachedRemoteInteractive
+description: Prints logon information
+author: Zach Mathis
+level: info
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 12
+
+falsepositives:
+ - normal system usage
+output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+creation_date: 2021/11/17
+updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-13-CachedUnlock.yml b/rules/timeline-rules/Logons/4624-Logon-Type-13-CachedUnlock.yml
new file mode 100644
index 00000000..30f6ad2e
--- /dev/null
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-13-CachedUnlock.yml
@@ -0,0 +1,15 @@
+title: Logon Type 13 - CachedUnlock
+description: Prints logon information
+author: Zach Mathis
+level: info
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 13
+
+falsepositives:
+ - normal system usage
+output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+creation_date: 2021/11/17
+updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-2-Interactive.yml b/rules/timeline-rules/Logons/4624-Logon-Type-2-Interactive.yml
new file mode 100644
index 00000000..05b70687
--- /dev/null
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-2-Interactive.yml
@@ -0,0 +1,15 @@
+title: Logon Type 2 - Interactive
+description: Prints logon information
+author: Zach Mathis
+level: info
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 2
+
+falsepositives:
+ - normal system usage
+output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+creation_date: 2021/11/17
+updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-3-Network.yml b/rules/timeline-rules/Logons/4624-Logon-Type-3-Network.yml
new file mode 100644
index 00000000..bd0d14e3
--- /dev/null
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-3-Network.yml
@@ -0,0 +1,22 @@
+title: Logon Type 3 - Network
+description: Prints logon information
+author: Zach Mathis
+level: info
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 3
+
+ filter:
+ - IpAddress: "-"
+ - IpAddress: "127.0.0.1"
+ - IpAddress: "::1"
+
+ condition: selection and not filter
+
+falsepositives:
+ - normal system usage
+output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
+creation_date: 2021/11/17
+updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-4-Batch.yml b/rules/timeline-rules/Logons/4624-Logon-Type-4-Batch.yml
new file mode 100644
index 00000000..31748b24
--- /dev/null
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-4-Batch.yml
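Review bot: The Type 3 filter drops only loopback and empty source addresses, so every machine-account network logon (TargetUserName ending in `$`) still lands on the timeline, while the 4634 and 4672 rules in this same commit exclude those accounts with `TargetUserName|endswith: "$"` / `SubjectUserName|endswith: "$"`. Adding `- TargetUserName|endswith: "$"` to this filter list would make the Logons rules consistent and keep the output focused on human accounts; if computer-account network logons are wanted for lateral-movement review, a separate rule with its own level is cleaner than mixing them in here. Leaving `ANONYMOUS LOGON` unfiltered is the right call, since those are the type 3 entries an analyst most wants to see.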
@@ -0,0 +1,15 @@
+title: Logon Type 4 - Batch
+description: Prints logon information
+author: Zach Mathis
+level: info
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 4
+
+falsepositives:
+ - normal system usage
+output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
+creation_date: 2021/11/17
+updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-5-Service.yml b/rules/timeline-rules/Logons/4624-Logon-Type-5-Service.yml
new file mode 100644
index 00000000..f300048e
--- /dev/null
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-5-Service.yml
@@ -0,0 +1,22 @@
+title: Logon Type 5 - Service
+description: Prints logon information
+author: Zach Mathis
+level: info
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 5
+
+ filter:
+ - TargetUserName: "SYSTEM"
+ - TargetUserName: "NETWORK SERVICE"
+ - TargetUserName: "LOCAL SERVICE"
+
+ condition: selection and not filter
+
+falsepositives:
+ - normal system usage
+output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
+creation_date: 2021/11/17
+updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-7-Unlock.yml b/rules/timeline-rules/Logons/4624-Logon-Type-7-Unlock.yml
new file mode 100644
index 00000000..28c7f23b
--- /dev/null
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-7-Unlock.yml
@@ -0,0 +1,15 @@
+title: Logon Type 7 - Unlock
+description: Prints logon information
+author: Zach Mathis
+level: info
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 7
+
+falsepositives:
+ - normal system usage
+output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
+creation_date: 2021/11/17
+updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-8-NetworkCleartext.yml b/rules/timeline-rules/Logons/4624-Logon-Type-8-NetworkCleartext.yml
new file mode 100644
index 00000000..9f03bcf4
--- /dev/null
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-8-NetworkCleartext.yml
@@ -0,0 +1,15 @@
+title: Logon Type 8 - NetworkCleartext
+description: Prints logon information
+author: Zach Mathis
+level: low
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 8
+
+falsepositives:
+ - normal system usage
+output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
+creation_date: 2021/11/17
+updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-9-NewInteractive.yml b/rules/timeline-rules/Logons/4624-Logon-Type-9-NewInteractive.yml
new file mode 100644
index 00000000..160e4cb0
--- /dev/null
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-9-NewInteractive.yml
@@ -0,0 +1,15 @@
+title: Logon Type 9 - NewCredentials
+description: Prints logon information
+author: Zach Mathis
+level: info
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 9
+
+falsepositives:
+ - normal system usage
+output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+creation_date: 2021/11/17
+updated_date: 2021/11/17
\ No newline at end of file
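Review bot: The Type 9 file is named `4624-Logon-Type-9-NewInteractive.yml` but its title says `Logon Type 9 - NewCredentials`; logon type 9 is NewCredentials (RunAs with /netonly), so the filename is the one that is wrong and should become `4624-Logon-Type-9-NewCredentials.yml`. For this type `%TargetUserName%` is the caller's own account, while the alternate credentials that were cached — the ones the warning is about — are reported in the `TargetOutboundUserName` / `TargetOutboundDomainName` fields on Windows 10 / Server 2016 and later; consider extending the output with `Outbound User: %TargetOutboundDomainName% %TargetOutboundUserName%` so the timeline shows which credentials were actually introduced, after confirming the placeholders resolve on the log sources you target.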
diff --git a/rules/timeline-rules/Logons/4625-Logon-Failure.yml b/rules/timeline-rules/Logons/4625-Logon-Failure.yml
new file mode 100644
index 00000000..281afb3c
--- /dev/null
+++ b/rules/timeline-rules/Logons/4625-Logon-Failure.yml
@@ -0,0 +1,14 @@
+title: Logon Failure
+description: Prints logon information
+author: Zach Mathis
+level: low
+detection:
+ selection:
+ Channel: Security
+ EventID: 4625
+
+falsepositives:
+ - normal system usage
+output: 'User: %TargetUserName% Type: %LogonType% Workstation: %Workstation% IP Address: %IpAddress% SubStatus: %SubStatus% AuthPackage: %AuthenticationPackageName%'
+creation_date: 2021/11/17
+updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4634-Logoff.yml b/rules/timeline-rules/Logons/4634-Logoff.yml
new file mode 100644
index 00000000..a6eacc07
--- /dev/null
+++ b/rules/timeline-rules/Logons/4634-Logoff.yml
@@ -0,0 +1,19 @@
+title: Logoff
+description: Prints logon information
+author: Zach Mathis
+level: info
+detection:
+ selection:
+ Channel: Security
+ EventID: 4634
+
+ filter:
+ TargetUserName|endswith: "$"
+
+ condition: selection and not filter
+
+falsepositives:
+ - normal system usage
+output: 'Username: %TargetUserName% LogonID: %TargetLogonId%'
+creation_date: 2021/11/17
+updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4647-Logoff-User-Initiated.yml b/rules/timeline-rules/Logons/4647-Logoff-User-Initiated.yml
new file mode 100644
index 00000000..630828eb
--- /dev/null
+++ b/rules/timeline-rules/Logons/4647-Logoff-User-Initiated.yml
@@ -0,0 +1,14 @@
+title: Logoff - User Initiated
+description: Prints logon information
+author: Zach Mathis
+level: info
+detection:
+ selection:
+ Channel: Security
+ EventID: 4647
+
+falsepositives:
+ - normal system usage
+output: 'Username: %TargetUserName% LogonID: %TargetLogonId%'
+creation_date: 2021/11/17
+updated_date: 2021/11/17
\ No newline at end of file
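Review bot: The 4625 output uses `%Workstation%`, but every 4624 rule above uses `%WorkstationName%`, and the 4625 EventData schema names the field `WorkstationName` as well, so this placeholder most likely never resolves and the timeline column comes out empty; change it to `Workstation: %WorkstationName%` and check it against a sample 4625 event. Adding `Process: %LogonProcessName%` next to the AuthPackage would also let an analyst separate network-sourced failures (NtLmSsp, Kerberos) from local ones (User32, Advapi) without any change to the selection.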
diff --git a/rules/timeline-rules/Logons/4672-Admin-Logon.yml b/rules/timeline-rules/Logons/4672-Admin-Logon.yml
new file mode 100644
index 00000000..1f56c794
--- /dev/null
+++ b/rules/timeline-rules/Logons/4672-Admin-Logon.yml
@@ -0,0 +1,22 @@
+title: Admin Logon
+description: Prints logon information
+author: Zach Mathis
+level: info
+detection:
+ selection:
+ Channel: Security
+ EventID: 4672
+
+ filter:
+ - SubjectUserName: "SYSTEM"
+ - SubjectUserName: "LOCAL SERVICE"
+ - SubjectUserName: "NETWORK SERVICE"
+ - SubjectUserName|endswith: "$"
+
+ condition: selection and not filter
+
+falsepositives:
+ - normal system usage
+output: 'User: %SubjectUserName% LogonID: %SubjectLogonId%'
+creation_date: 2021/11/17
+updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4768-Kerberos-TGT-Request.yml b/rules/timeline-rules/Logons/4768-Kerberos-TGT-Request.yml
new file mode 100644
index 00000000..99a4f265
--- /dev/null
+++ b/rules/timeline-rules/Logons/4768-Kerberos-TGT-Request.yml
@@ -0,0 +1,14 @@
+title: Kerberos TGT was requested
+description: Prints logon information
+author: Zach Mathis
+level: info
+detection:
+ selection:
+ Channel: Security
+ EventID: 4768
+
+falsepositives:
+ - normal system usage
+output: 'tUsername: %TargetUserName% Service Name: %ServiceName% IP Address: %IpAddress% Status: %Status% PreAuthType: %PreAuthType%'
+creation_date: 2021/11/17
+updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4769-Kerberos-Service-Ticket-Request.yml b/rules/timeline-rules/Logons/4769-Kerberos-Service-Ticket-Request.yml
new file mode 100644
index 00000000..5df28446
--- /dev/null
+++ b/rules/timeline-rules/Logons/4769-Kerberos-Service-Ticket-Request.yml
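Review bot: The 4768 output string starts with `tUsername:` — a stray `t` before `Username`, probably left over from an aborted edit; the 4769 file in the next hunk carries the same typo, so both should read `output: 'Username: %TargetUserName% ...'`. Since these two rules are the timeline counterparts of the Kerberoasting and AS-REP roasting alert rules being moved in this commit, adding `Encryption: %TicketEncryptionType%` to both outputs would let an analyst see RC4 (0x17) ticket requests directly on the timeline instead of having to reopen the raw event.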
@@ -0,0 +1,14 @@
+title: Kerberos Service Ticket Requested
+description: Prints logon information
+author: Zach Mathis
+level: info
+detection:
+ selection:
+ Channel: Security
+ EventID: 4769
+
+falsepositives:
+ - normal system usage
+output: 'tUsername: %TargetUserName% Service Name: %ServiceName% IP Address: %IpAddress% Status: %Status%'
+creation_date: 2021/11/17
+updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4776-NTLM-Logon-to-Local-Account.yml b/rules/timeline-rules/Logons/4776-NTLM-Logon-to-Local-Account.yml
new file mode 100644
index 00000000..f941aaa8
--- /dev/null
+++ b/rules/timeline-rules/Logons/4776-NTLM-Logon-to-Local-Account.yml
@@ -0,0 +1,14 @@
+title: NTLM Logon to Local Account
+description: Prints logon information
+author: Zach Mathis
+level: info
+detection:
+ selection:
+ Channel: Security
+ EventID: 4776
+
+falsepositives:
+ - normal system usage
+output: 'Username: %TargetUserName% Workstation %WorkstationName% Status: %Status%'
+creation_date: 2021/11/17
+updated_date: 2021/11/17
\ No newline at end of file
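Review bot: The 4776 output has two problems on one line: `Workstation %WorkstationName%` is missing the colon every other rule puts after a label, and 4776's EventData names the source-host field `Workstation` rather than `WorkstationName` (it is 4624/4625 that use `WorkstationName`), so the placeholder most likely resolves to nothing. The line should read `output: 'Username: %TargetUserName% Workstation: %Workstation% Status: %Status%'`, verified against a real 4776 event before merging. Since a non-zero `%Status%` here is a failed credential validation, a short note in `description` saying that failures are included would help the reader, as the current `Prints logon information` is shared verbatim by all nineteen new files.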