diff --git a/rules/cloud/azure/azure_creating_number_of_resources_detection.yaml b/rules/cloud/azure/azure_creating_number_of_resources_detection.yml
similarity index 100%
rename from rules/cloud/azure/azure_creating_number_of_resources_detection.yaml
rename to rules/cloud/azure/azure_creating_number_of_resources_detection.yml
diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml
index f45df3408..281e37796 100644
--- a/rules/network/zeek/zeek_dns_mining_pools.yml
+++ b/rules/network/zeek/zeek_dns_mining_pools.yml
@@ -1,10 +1,9 @@
 id: bf74135c-18e8-4a72-a926-0e4f47888c19
 title: DNS events related to mining pools
-description: |
-  'Identifies IPs that may be performing DNS lookups associated with common currency mining pools.'
+description: Identifies IPs that may be performing DNS lookups associated with common currency mining pools.
 reference: Azure Sentinel
 author: Saw Winn Naung
-severity: Medium
+severity: medium
 logsource:
   service: dns
   product: zeek
diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml
index 1249c6ade..6a3e8a77f 100644
--- a/rules/network/zeek/zeek_dns_torproxy.yml
+++ b/rules/network/zeek/zeek_dns_torproxy.yml
@@ -4,7 +4,7 @@ description: |
   'Identifies IPs performing DNS lookups associated with common Tor proxies.'
 reference: Azure Sentinel
 author: Saw Winn Naung
-severity: Medium
+severity: medium
 logsource:
   service: dns
   product: zeek
diff --git a/rules/windows/builtin/win_anomaly_process_execution.yml b/rules/windows/builtin/win_anomaly_process_execution.yml
index 1a38f02aa..2746bf8f0 100644
--- a/rules/windows/builtin/win_anomaly_process_execution.yml
+++ b/rules/windows/builtin/win_anomaly_process_execution.yml
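Review bot: The hunk re-cases the value of `severity:` but keeps the key, and keeps `reference:` as a plain string; neither is a Sigma rule attribute, so after this normalization the rule still has no `level` and no `references` list, unlike the Windows rules in the same commit that carry `level:`. The fix is to rename the keys rather than only lower-case the value: `level: medium`, and `references:` followed by a list item naming the source query (`  - <URL of the Sentinel detection query>` as a placeholder). The same two keys appear in the zeek_dns_torproxy and win_event_log_cleared hunks of this commit. The rule's detection and condition lie outside the hunk.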
@@ -2,16 +2,15 @@ title: Process execution anomaly
 id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8
 description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.'
 references: Azure Sentinel
-level: Medium
+level: medium
 logsource:
-  service: Security
   product: windows
+  category: process_creation
 tags:
   - attack.execution
   - attack.t1064
 detection:
   selection:
-    EventID: 4688
     NewProcessName|contains:
       - 'powershell.exe'
       - 'cmd.exe'
diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml
index 2540d98e5..ac7e1691e 100644
--- a/rules/windows/builtin/win_event_log_cleared.yml
+++ b/rules/windows/builtin/win_event_log_cleared.yml
@@ -5,7 +5,7 @@ description: |
   'Checks for event id 1102 which indicates the security event log was cleared.'
 reference: Azure Sentinel
 author: Saw Winn Naung
-severity: Medium
+severity: medium
 logsource:
   service: security
   product: windows
diff --git a/rules/windows/builtin/win_powershelll_empire.yml b/rules/windows/builtin/win_powershelll_empire.yml
index f3883029c..e4883f3e9 100644
--- a/rules/windows/builtin/win_powershelll_empire.yml
+++ b/rules/windows/builtin/win_powershelll_empire.yml
@@ -1,19 +1,17 @@
 title: Powershell Empire cmdlets seen in command line
 id: ef88eb96-861c-43a0-ab16-f3835a97c928
-description: |
-  'Identifies instances of PowerShell Empire cmdlets in powershell process command line data.'
+description: Identifies instances of PowerShell Empire cmdlets in powershell process command line data.
 references: Azure Sentinel
-level: Medium
+level: medium
 logsource:
-  service: Security
-  product: windows
+  product: windows
+  category: process_creation
 tags:
   - attack.execution
   - attack.persistence
   - attack.t1208
 detection:
   selection1:
-    EventID: 4688
     CommandLine|contains: ' -encodedCommand'
   selection2:
     CommandLine:
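Review bot: The switch to `category: process_creation` drops `EventID: 4688` but leaves the selection keyed on `NewProcessName|contains`, which is the raw Security-log 4688 field name; the process_creation logsource is written against the generic `Image` field, and backends map `Image` to the 4688 or Sysmon equivalent through their field mappings, so an unmapped `NewProcessName` will most likely produce a query that never matches on Sysmon-based pipelines. Change the selection key to `Image|contains:` with the values unchanged, or, if the rule is meant to stay 4688-only, keep `service: security` together with the EventID instead of the category. The detection's `condition` is below the hunk and not visible here.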
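Review bot: `references: Azure Sentinel` in the context lines stays a plain string, but the Sigma `references` attribute is a list, so validators may reject it and converters that read it will not find a usable entry; since this hunk already rewrites the neighbouring `description` and `level` lines, it is the place to turn it into `references:` followed by `  - <URL of the Sentinel detection query>` (placeholder). The logsource change itself is sound here because `CommandLine` is the generic process_creation field, unlike the `NewProcessName` key in the win_anomaly_process_execution hunk. `selection2` and the `condition` continue past the end of the hunk.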
diff --git a/rules/windows/builtin/win_user_acc_added_removed.yml b/rules/windows/builtin/win_user_acc_added_removed.yml
index d827a04c6..e3fe87b96 100644
--- a/rules/windows/builtin/win_user_acc_added_removed.yml
+++ b/rules/windows/builtin/win_user_acc_added_removed.yml
@@ -2,7 +2,7 @@ title: Account added and removed from privileged groups
 id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60
 description: 'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.'
 references: Azure Sentinel
-level: Low
+level: low
 logsource:
   service: Security
   product: windows
diff --git a/rules/windows/builtin/win_user_acc_created_deleted.yml b/rules/windows/builtin/win_user_acc_created_deleted.yml
deleted file mode 100644
index 48bd4be5e..000000000
--- a/rules/windows/builtin/win_user_acc_created_deleted.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-title: User account created and deleted within 10 mins
-id: 4b93c5af-d20b-4236-b696-a28b8c51407f
-description: 'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and
-  an adversary attempting to hide in the noise.'
-references: Azure Sentinel
-level: Medium
-logsource:
-  service: Security
-  product: windows
-tags:
-  - attack.persistence
-  - attack.privilege_escalation
-  - attack.t1098
-  - attack.t1078
-detection:
-  selection:
-    EventID: 4720
-  condition: selection
\ No newline at end of file
diff --git a/rules/windows/builtin/win_user_acc_enabled_disabled.yml b/rules/windows/builtin/win_user_acc_enabled_disabled.yml
index 915592020..a6cd343c6 100644
--- a/rules/windows/builtin/win_user_acc_enabled_disabled.yml
+++ b/rules/windows/builtin/win_user_acc_enabled_disabled.yml
@@ -3,7 +3,7 @@ id: 3d023f64-8225-41a2-9570-2bd7c2c4535e description: 'Identifies when a user account is enabled and then disabled. This can be an indication of compromise and an adversary attempting to hide in the noise.' references: Azure Sentinel -level: Medium +level: medium logsource: service: Security product: windows diff --git a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml index 831dfea24..639debc51 100644 --- a/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml +++ b/rules/windows/builtin/win_user_created_added_to_bultin_admins.yml @@ -3,7 +3,7 @@ id: aa1eff90-29d4-49dc-a3ea-b65199f516db description: 'Identifies when a user account was created and then added to the builtin Administrators group. This should be monitored closely and all additions reviewed.' references: Azure Sentinel -level: Low +level: low logsource: service: Security product: windows