diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_binary_masquerading.yml b/rules-emerging-threats/2017/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_apt_lazarus_binary_masquerading.yml
rename to rules-emerging-threats/2017/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
diff --git a/rules/windows/process_creation/proc_creation_win_apt_empiremonkey.yml b/rules-emerging-threats/2019/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_apt_empiremonkey.yml
rename to rules-emerging-threats/2019/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml
diff --git a/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml b/rules-emerging-threats/2019/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml
old mode 100755
new mode 100644
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml
rename to rules-emerging-threats/2019/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml
diff --git a/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml b/rules-emerging-threats/2020/Evilnum/proc_creation_win_apt_evilnum_jul20.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml
rename to rules-emerging-threats/2020/Evilnum/proc_creation_win_apt_evilnum_jul20.yml
diff --git a/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml b/rules-emerging-threats/2020/Greenbug/proc_creation_win_apt_greenbug_may20.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml
rename to rules-emerging-threats/2020/Greenbug/proc_creation_win_apt_greenbug_may20.yml
diff --git a/rules-unsupported/aws_ec2_download_userdata.yml b/rules-unsupported/cloud/aws_ec2_download_userdata.yml
similarity index 100%
rename from rules-unsupported/aws_ec2_download_userdata.yml
rename to rules-unsupported/cloud/aws_ec2_download_userdata.yml
diff --git a/rules-unsupported/aws_enum_backup.yml b/rules-unsupported/cloud/aws_enum_backup.yml
similarity index 100%
rename from rules-unsupported/aws_enum_backup.yml
rename to rules-unsupported/cloud/aws_enum_backup.yml
diff --git a/rules-unsupported/aws_enum_listing.yml b/rules-unsupported/cloud/aws_enum_listing.yml
similarity index 100%
rename from rules-unsupported/aws_enum_listing.yml
rename to rules-unsupported/cloud/aws_enum_listing.yml
diff --git a/rules-unsupported/aws_enum_network.yml b/rules-unsupported/cloud/aws_enum_network.yml
similarity index 100%
rename from rules-unsupported/aws_enum_network.yml
rename to rules-unsupported/cloud/aws_enum_network.yml
diff --git a/rules-unsupported/aws_enum_storage.yml b/rules-unsupported/cloud/aws_enum_storage.yml
similarity index 100%
rename from rules-unsupported/aws_enum_storage.yml
rename to rules-unsupported/cloud/aws_enum_storage.yml
diff --git a/rules-unsupported/aws_lambda_function_created_or_invoked.yml b/rules-unsupported/cloud/aws_lambda_function_created_or_invoked.yml
similarity index 100%
rename from rules-unsupported/aws_lambda_function_created_or_invoked.yml
rename to rules-unsupported/cloud/aws_lambda_function_created_or_invoked.yml
diff --git a/rules-unsupported/aws_macic_evasion.yml b/rules-unsupported/cloud/aws_macic_evasion.yml
similarity index 100%
rename from rules-unsupported/aws_macic_evasion.yml
rename to rules-unsupported/cloud/aws_macic_evasion.yml
diff --git a/rules-unsupported/aws_ses_messaging_enabled.yml b/rules-unsupported/cloud/aws_ses_messaging_enabled.yml
similarity index 100%
rename from rules-unsupported/aws_ses_messaging_enabled.yml
rename to rules-unsupported/cloud/aws_ses_messaging_enabled.yml
diff --git a/rules-unsupported/azure_aad_secops_signin_failure_bad_password_threshold.yml b/rules-unsupported/cloud/azure_aad_secops_signin_failure_bad_password_threshold.yml
similarity index 100%
rename from rules-unsupported/azure_aad_secops_signin_failure_bad_password_threshold.yml
rename to rules-unsupported/cloud/azure_aad_secops_signin_failure_bad_password_threshold.yml
diff --git a/rules-unsupported/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/rules-unsupported/linux/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
similarity index 100%
rename from rules-unsupported/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
rename to rules-unsupported/linux/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
diff --git a/rules-unsupported/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml b/rules-unsupported/linux/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
similarity index 100%
rename from rules-unsupported/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
rename to rules-unsupported/linux/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
diff --git a/rules-unsupported/lnx_auditd_cve_2021_4034.yml b/rules-unsupported/linux/lnx_auditd_cve_2021_4034.yml
similarity index 100%
rename from rules-unsupported/lnx_auditd_cve_2021_4034.yml
rename to rules-unsupported/linux/lnx_auditd_cve_2021_4034.yml
diff --git a/rules-unsupported/lnx_auditd_debugfs_usage.yml b/rules-unsupported/linux/lnx_auditd_debugfs_usage.yml
similarity index 100%
rename from rules-unsupported/lnx_auditd_debugfs_usage.yml
rename to rules-unsupported/linux/lnx_auditd_debugfs_usage.yml
diff --git a/rules-unsupported/lnx_auditd_omigod_scx_runasprovider_executescript.yml b/rules-unsupported/linux/lnx_auditd_omigod_scx_runasprovider_executescript.yml
similarity index 100%
rename from rules-unsupported/lnx_auditd_omigod_scx_runasprovider_executescript.yml
rename to rules-unsupported/linux/lnx_auditd_omigod_scx_runasprovider_executescript.yml
diff --git a/rules-unsupported/lnx_auth_susp_failed_logons_single_source.yml b/rules-unsupported/linux/lnx_auth_susp_failed_logons_single_source.yml
similarity index 100%
rename from rules-unsupported/lnx_auth_susp_failed_logons_single_source.yml
rename to rules-unsupported/linux/lnx_auth_susp_failed_logons_single_source.yml
diff --git a/rules-unsupported/lnx_shell_priv_esc_prep.yml b/rules-unsupported/linux/lnx_shell_priv_esc_prep.yml
similarity index 100%
rename from rules-unsupported/lnx_shell_priv_esc_prep.yml
rename to rules-unsupported/linux/lnx_shell_priv_esc_prep.yml
diff --git a/rules-unsupported/net_dns_c2_detection.yml b/rules-unsupported/network/net_dns_c2_detection.yml
similarity index 100%
rename from rules-unsupported/net_dns_c2_detection.yml
rename to rules-unsupported/network/net_dns_c2_detection.yml
diff --git a/rules-unsupported/net_dns_high_bytes_out.yml b/rules-unsupported/network/net_dns_high_bytes_out.yml
similarity index 100%
rename from rules-unsupported/net_dns_high_bytes_out.yml
rename to rules-unsupported/network/net_dns_high_bytes_out.yml
diff --git a/rules-unsupported/net_dns_high_null_records_requests_rate.yml b/rules-unsupported/network/net_dns_high_null_records_requests_rate.yml
similarity index 100%
rename from rules-unsupported/net_dns_high_null_records_requests_rate.yml
rename to rules-unsupported/network/net_dns_high_null_records_requests_rate.yml
diff --git a/rules-unsupported/net_dns_high_requests_rate.yml b/rules-unsupported/network/net_dns_high_requests_rate.yml
similarity index 100%
rename from rules-unsupported/net_dns_high_requests_rate.yml
rename to rules-unsupported/network/net_dns_high_requests_rate.yml
diff --git a/rules-unsupported/net_dns_high_subdomain_rate.yml b/rules-unsupported/network/net_dns_high_subdomain_rate.yml
similarity index 100%
rename from rules-unsupported/net_dns_high_subdomain_rate.yml
rename to rules-unsupported/network/net_dns_high_subdomain_rate.yml
diff --git a/rules-unsupported/net_dns_high_txt_records_requests_rate.yml b/rules-unsupported/network/net_dns_high_txt_records_requests_rate.yml
similarity index 100%
rename from rules-unsupported/net_dns_high_txt_records_requests_rate.yml
rename to rules-unsupported/network/net_dns_high_txt_records_requests_rate.yml
diff --git a/rules-unsupported/net_dns_large_domain_name.yml b/rules-unsupported/network/net_dns_large_domain_name.yml
similarity index 100%
rename from rules-unsupported/net_dns_large_domain_name.yml
rename to rules-unsupported/network/net_dns_large_domain_name.yml
diff --git a/rules-unsupported/net_firewall_high_dns_bytes_out.yml b/rules-unsupported/network/net_firewall_high_dns_bytes_out.yml
similarity index 100%
rename from rules-unsupported/net_firewall_high_dns_bytes_out.yml
rename to rules-unsupported/network/net_firewall_high_dns_bytes_out.yml
diff --git a/rules-unsupported/net_firewall_high_dns_requests_rate.yml b/rules-unsupported/network/net_firewall_high_dns_requests_rate.yml
similarity index 100%
rename from rules-unsupported/net_firewall_high_dns_requests_rate.yml
rename to rules-unsupported/network/net_firewall_high_dns_requests_rate.yml
diff --git a/rules-unsupported/net_firewall_susp_network_scan_by_ip.yml b/rules-unsupported/network/net_firewall_susp_network_scan_by_ip.yml
similarity index 100%
rename from rules-unsupported/net_firewall_susp_network_scan_by_ip.yml
rename to rules-unsupported/network/net_firewall_susp_network_scan_by_ip.yml
diff --git a/rules-unsupported/net_firewall_susp_network_scan_by_port.yml b/rules-unsupported/network/net_firewall_susp_network_scan_by_port.yml
similarity index 100%
rename from rules-unsupported/net_firewall_susp_network_scan_by_port.yml
rename to rules-unsupported/network/net_firewall_susp_network_scan_by_port.yml
diff --git a/rules-unsupported/net_possible_dns_rebinding.yml b/rules-unsupported/network/net_possible_dns_rebinding.yml
similarity index 100%
rename from rules-unsupported/net_possible_dns_rebinding.yml
rename to rules-unsupported/network/net_possible_dns_rebinding.yml
diff --git a/rules-unsupported/modsec_mulitple_blocks.yml b/rules-unsupported/other/modsec_mulitple_blocks.yml
similarity index 100%
rename from rules-unsupported/modsec_mulitple_blocks.yml
rename to rules-unsupported/other/modsec_mulitple_blocks.yml
diff --git a/rules-unsupported/web_multiple_susp_resp_codes_single_source.yml b/rules-unsupported/web/web_multiple_susp_resp_codes_single_source.yml
similarity index 100%
rename from rules-unsupported/web_multiple_susp_resp_codes_single_source.yml
rename to rules-unsupported/web/web_multiple_susp_resp_codes_single_source.yml
diff --git a/rules-unsupported/dns_query_win_possible_dns_rebinding.yml b/rules-unsupported/windows/dns_query_win_possible_dns_rebinding.yml
similarity index 100%
rename from rules-unsupported/dns_query_win_possible_dns_rebinding.yml
rename to rules-unsupported/windows/dns_query_win_possible_dns_rebinding.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_clip+_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_clip+_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_clip+_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_clip+_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_obfuscated_iex_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_obfuscated_iex_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_stdin+_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_stdin+_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_stdin+_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_stdin+_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_var+_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_var+_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_via_compress_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_via_compress_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_via_rundll_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_via_rundll_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_via_stdin_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_via_stdin_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_via_use_clip_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_via_use_clip_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_via_use_mshta_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_via_use_mshta_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_via_use_rundll32_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_via_use_rundll32_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_var++_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_via_var++_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_via_var++_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_via_var++_services.yml
diff --git a/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules-unsupported/windows/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
similarity index 100%
rename from rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
rename to rules-unsupported/windows/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
diff --git a/rules-unsupported/driver_load_tap_driver_installation.yml b/rules-unsupported/windows/driver_load_tap_driver_installation.yml
similarity index 100%
rename from rules-unsupported/driver_load_tap_driver_installation.yml
rename to rules-unsupported/windows/driver_load_tap_driver_installation.yml
diff --git a/rules-unsupported/file_event_executable_and_script_creation_by_office_using_file_ext.yml b/rules-unsupported/windows/file_event_executable_and_script_creation_by_office_using_file_ext.yml
similarity index 100%
rename from rules-unsupported/file_event_executable_and_script_creation_by_office_using_file_ext.yml
rename to rules-unsupported/windows/file_event_executable_and_script_creation_by_office_using_file_ext.yml
diff --git a/rules-unsupported/image_load_mimikatz_inmemory_detection.yml b/rules-unsupported/windows/image_load_mimikatz_inmemory_detection.yml
similarity index 100%
rename from rules-unsupported/image_load_mimikatz_inmemory_detection.yml
rename to rules-unsupported/windows/image_load_mimikatz_inmemory_detection.yml
diff --git a/rules-unsupported/posh_ps_cl_invocation_lolscript_count.yml b/rules-unsupported/windows/posh_ps_cl_invocation_lolscript_count.yml
similarity index 100%
rename from rules-unsupported/posh_ps_cl_invocation_lolscript_count.yml
rename to rules-unsupported/windows/posh_ps_cl_invocation_lolscript_count.yml
diff --git a/rules-unsupported/posh_ps_cl_mutexverifiers_lolscript_count.yml b/rules-unsupported/windows/posh_ps_cl_mutexverifiers_lolscript_count.yml
similarity index 100%
rename from rules-unsupported/posh_ps_cl_mutexverifiers_lolscript_count.yml
rename to rules-unsupported/windows/posh_ps_cl_mutexverifiers_lolscript_count.yml
diff --git a/rules-unsupported/proc_creation_win_correlation_apt_silence_downloader_v3.yml b/rules-unsupported/windows/proc_creation_win_correlation_apt_silence_downloader_v3.yml
similarity index 100%
rename from rules-unsupported/proc_creation_win_correlation_apt_silence_downloader_v3.yml
rename to rules-unsupported/windows/proc_creation_win_correlation_apt_silence_downloader_v3.yml
diff --git a/rules-unsupported/proc_creation_win_correlation_apt_turla_commands_medium.yml b/rules-unsupported/windows/proc_creation_win_correlation_apt_turla_commands_medium.yml
similarity index 100%
rename from rules-unsupported/proc_creation_win_correlation_apt_turla_commands_medium.yml
rename to rules-unsupported/windows/proc_creation_win_correlation_apt_turla_commands_medium.yml
diff --git a/rules-unsupported/proc_creation_win_correlation_dnscat2_powershell_implementation.yml b/rules-unsupported/windows/proc_creation_win_correlation_dnscat2_powershell_implementation.yml
similarity index 100%
rename from rules-unsupported/proc_creation_win_correlation_dnscat2_powershell_implementation.yml
rename to rules-unsupported/windows/proc_creation_win_correlation_dnscat2_powershell_implementation.yml
diff --git a/rules-unsupported/proc_creation_win_correlation_multiple_susp_cli.yml b/rules-unsupported/windows/proc_creation_win_correlation_multiple_susp_cli.yml
similarity index 100%
rename from rules-unsupported/proc_creation_win_correlation_multiple_susp_cli.yml
rename to rules-unsupported/windows/proc_creation_win_correlation_multiple_susp_cli.yml
diff --git a/rules-unsupported/proc_creation_win_correlation_susp_builtin_commands_recon.yml b/rules-unsupported/windows/proc_creation_win_correlation_susp_builtin_commands_recon.yml
similarity index 100%
rename from rules-unsupported/proc_creation_win_correlation_susp_builtin_commands_recon.yml
rename to rules-unsupported/windows/proc_creation_win_correlation_susp_builtin_commands_recon.yml
diff --git a/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml b/rules-unsupported/windows/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
similarity index 100%
rename from rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
rename to rules-unsupported/windows/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
diff --git a/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml b/rules-unsupported/windows/sysmon_always_install_elevated_parent_child_correlated.yml
similarity index 100%
rename from rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml
rename to rules-unsupported/windows/sysmon_always_install_elevated_parent_child_correlated.yml
diff --git a/rules-unsupported/sysmon_non_priv_program_files_move.yml b/rules-unsupported/windows/sysmon_non_priv_program_files_move.yml
similarity index 100%
rename from rules-unsupported/sysmon_non_priv_program_files_move.yml
rename to rules-unsupported/windows/sysmon_non_priv_program_files_move.yml
diff --git a/rules-unsupported/sysmon_process_reimaging.yml b/rules-unsupported/windows/sysmon_process_reimaging.yml
similarity index 100%
rename from rules-unsupported/sysmon_process_reimaging.yml
rename to rules-unsupported/windows/sysmon_process_reimaging.yml
diff --git a/rules-unsupported/win_access_fake_files_with_stored_credentials.yml b/rules-unsupported/windows/win_access_fake_files_with_stored_credentials.yml
similarity index 100%
rename from rules-unsupported/win_access_fake_files_with_stored_credentials.yml
rename to rules-unsupported/windows/win_access_fake_files_with_stored_credentials.yml
diff --git a/rules-unsupported/win_apt_apt29_tor.yml b/rules-unsupported/windows/win_apt_apt29_tor.yml
similarity index 100%
rename from rules-unsupported/win_apt_apt29_tor.yml
rename to rules-unsupported/windows/win_apt_apt29_tor.yml
diff --git a/rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml b/rules-unsupported/windows/win_dumping_ntdsdit_via_dcsync.yml
similarity index 100%
rename from rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml
rename to rules-unsupported/windows/win_dumping_ntdsdit_via_dcsync.yml
diff --git a/rules-unsupported/win_dumping_ntdsdit_via_netsync.yml b/rules-unsupported/windows/win_dumping_ntdsdit_via_netsync.yml
similarity index 100%
rename from rules-unsupported/win_dumping_ntdsdit_via_netsync.yml
rename to rules-unsupported/windows/win_dumping_ntdsdit_via_netsync.yml
diff --git a/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml b/rules-unsupported/windows/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
similarity index 100%
rename from rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
rename to rules-unsupported/windows/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
diff --git a/rules-unsupported/win_mal_service_installs.yml b/rules-unsupported/windows/win_mal_service_installs.yml
similarity index 100%
rename from rules-unsupported/win_mal_service_installs.yml
rename to rules-unsupported/windows/win_mal_service_installs.yml
diff --git a/rules-unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml b/rules-unsupported/windows/win_metasploit_or_impacket_smb_psexec_service_install.yml
similarity index 100%
rename from rules-unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml
rename to rules-unsupported/windows/win_metasploit_or_impacket_smb_psexec_service_install.yml
diff --git a/rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml b/rules-unsupported/windows/win_possible_privilege_escalation_using_rotten_potato.yml
similarity index 100%
rename from rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml
rename to rules-unsupported/windows/win_possible_privilege_escalation_using_rotten_potato.yml
diff --git a/rules-unsupported/win_remote_schtask.yml b/rules-unsupported/windows/win_remote_schtask.yml
similarity index 100%
rename from rules-unsupported/win_remote_schtask.yml
rename to rules-unsupported/windows/win_remote_schtask.yml
diff --git a/rules-unsupported/win_remote_service.yml b/rules-unsupported/windows/win_remote_service.yml
similarity index 100%
rename from rules-unsupported/win_remote_service.yml
rename to rules-unsupported/windows/win_remote_service.yml
diff --git a/rules-unsupported/win_security_global_catalog_enumeration.yml b/rules-unsupported/windows/win_security_global_catalog_enumeration.yml
similarity index 100%
rename from rules-unsupported/win_security_global_catalog_enumeration.yml
rename to rules-unsupported/windows/win_security_global_catalog_enumeration.yml
diff --git a/rules-unsupported/win_security_rare_schtasks_creations.yml b/rules-unsupported/windows/win_security_rare_schtasks_creations.yml
similarity index 100%
rename from rules-unsupported/win_security_rare_schtasks_creations.yml
rename to rules-unsupported/windows/win_security_rare_schtasks_creations.yml
diff --git a/rules-unsupported/win_security_susp_failed_logons_explicit_credentials.yml b/rules-unsupported/windows/win_security_susp_failed_logons_explicit_credentials.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_failed_logons_explicit_credentials.yml
rename to rules-unsupported/windows/win_security_susp_failed_logons_explicit_credentials.yml
diff --git a/rules-unsupported/win_security_susp_failed_logons_single_process.yml b/rules-unsupported/windows/win_security_susp_failed_logons_single_process.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_failed_logons_single_process.yml
rename to rules-unsupported/windows/win_security_susp_failed_logons_single_process.yml
diff --git a/rules-unsupported/win_security_susp_failed_logons_single_source.yml b/rules-unsupported/windows/win_security_susp_failed_logons_single_source.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_failed_logons_single_source.yml
rename to rules-unsupported/windows/win_security_susp_failed_logons_single_source.yml
diff --git a/rules-unsupported/win_security_susp_failed_logons_single_source2.yml b/rules-unsupported/windows/win_security_susp_failed_logons_single_source2.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_failed_logons_single_source2.yml
rename to rules-unsupported/windows/win_security_susp_failed_logons_single_source2.yml
diff --git a/rules-unsupported/win_security_susp_failed_logons_single_source_kerberos.yml b/rules-unsupported/windows/win_security_susp_failed_logons_single_source_kerberos.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_failed_logons_single_source_kerberos.yml
rename to rules-unsupported/windows/win_security_susp_failed_logons_single_source_kerberos.yml
diff --git a/rules-unsupported/win_security_susp_failed_logons_single_source_kerberos2.yml b/rules-unsupported/windows/win_security_susp_failed_logons_single_source_kerberos2.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_failed_logons_single_source_kerberos2.yml
rename to rules-unsupported/windows/win_security_susp_failed_logons_single_source_kerberos2.yml
diff --git a/rules-unsupported/win_security_susp_failed_logons_single_source_kerberos3.yml b/rules-unsupported/windows/win_security_susp_failed_logons_single_source_kerberos3.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_failed_logons_single_source_kerberos3.yml
rename to rules-unsupported/windows/win_security_susp_failed_logons_single_source_kerberos3.yml
diff --git a/rules-unsupported/win_security_susp_failed_logons_single_source_ntlm.yml b/rules-unsupported/windows/win_security_susp_failed_logons_single_source_ntlm.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_failed_logons_single_source_ntlm.yml
rename to rules-unsupported/windows/win_security_susp_failed_logons_single_source_ntlm.yml
diff --git a/rules-unsupported/win_security_susp_failed_logons_single_source_ntlm2.yml b/rules-unsupported/windows/win_security_susp_failed_logons_single_source_ntlm2.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_failed_logons_single_source_ntlm2.yml
rename to rules-unsupported/windows/win_security_susp_failed_logons_single_source_ntlm2.yml
diff --git a/rules-unsupported/win_security_susp_failed_remote_logons_single_source.yml b/rules-unsupported/windows/win_security_susp_failed_remote_logons_single_source.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_failed_remote_logons_single_source.yml
rename to rules-unsupported/windows/win_security_susp_failed_remote_logons_single_source.yml
diff --git a/rules-unsupported/win_security_susp_multiple_files_renamed_or_deleted.yml b/rules-unsupported/windows/win_security_susp_multiple_files_renamed_or_deleted.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_multiple_files_renamed_or_deleted.yml
rename to rules-unsupported/windows/win_security_susp_multiple_files_renamed_or_deleted.yml
diff --git a/rules-unsupported/win_security_susp_samr_pwset.yml b/rules-unsupported/windows/win_security_susp_samr_pwset.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_samr_pwset.yml
rename to rules-unsupported/windows/win_security_susp_samr_pwset.yml
diff --git a/rules-unsupported/win_susp_failed_hidden_share_mount.yml b/rules-unsupported/windows/win_susp_failed_hidden_share_mount.yml
similarity index 100%
rename from rules-unsupported/win_susp_failed_hidden_share_mount.yml
rename to rules-unsupported/windows/win_susp_failed_hidden_share_mount.yml
diff --git a/rules-unsupported/win_suspicious_werfault_connection_outbound.yml b/rules-unsupported/windows/win_suspicious_werfault_connection_outbound.yml
similarity index 100%
rename from rules-unsupported/win_suspicious_werfault_connection_outbound.yml
rename to rules-unsupported/windows/win_suspicious_werfault_connection_outbound.yml
diff --git a/rules-unsupported/win_system_rare_service_installs.yml b/rules-unsupported/windows/win_system_rare_service_installs.yml
similarity index 100%
rename from rules-unsupported/win_system_rare_service_installs.yml
rename to rules-unsupported/windows/win_system_rare_service_installs.yml
diff --git a/rules-unsupported/win_taskscheduler_rare_schtask_creation.yml b/rules-unsupported/windows/win_taskscheduler_rare_schtask_creation.yml
similarity index 100%
rename from rules-unsupported/win_taskscheduler_rare_schtask_creation.yml
rename to rules-unsupported/windows/win_taskscheduler_rare_schtask_creation.yml
diff --git a/rules-unsupported/zeek_dce_rpc_domain_user_enumeration.yml b/rules-unsupported/zeek/zeek_dce_rpc_domain_user_enumeration.yml
similarity index 100%
rename from rules-unsupported/zeek_dce_rpc_domain_user_enumeration.yml
rename to rules-unsupported/zeek/zeek_dce_rpc_domain_user_enumeration.yml
diff --git a/rules-unsupported/zeek_http_exfiltration_compressed_files.yml b/rules-unsupported/zeek/zeek_http_exfiltration_compressed_files.yml
similarity index 100%
rename from rules-unsupported/zeek_http_exfiltration_compressed_files.yml
rename to rules-unsupported/zeek/zeek_http_exfiltration_compressed_files.yml