From 3a20687cadd9d3f05cecf2ecc46c22a6d4996b01 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali Date: Mon, 3 Nov 2025 11:35:44 +0200 Subject: [PATCH] Merge PR #5738 from @nasbench - rename folders and update readme chore: rename folders and update readme --- README.md | 2 ++ .../other}/netflow_cleartext_protocols.yml | 0 .../product/qualys/qualys_default_credentials_usage.yml | 3 ++- .../product/qualys/qualys_host_without_firewall.yml | 4 ++-- .../audit/bitbucket_audit_full_data_export_triggered.yml | 0 .../bitbucket_audit_global_permissions_change_detected.yml | 0 .../bitbucket_audit_global_secret_scanning_rule_deleted.yml | 0 .../bitbucket_audit_global_ssh_settings_change_detected.yml | 0 .../bitbucket_audit_log_configuration_update_detected.yml | 0 ...itbucket_audit_project_secret_scanning_allowlist_added.yml | 0 ...ucket_audit_secret_scanning_exempt_repository_detected.yml | 0 .../audit/bitbucket_audit_secret_scanning_rule_deleted.yml | 0 .../audit/bitbucket_audit_unauthorized_access_detected.yml | 0 ...itbucket_audit_unauthorized_full_data_export_triggered.yml | 0 .../bitbucket_audit_user_details_export_attempt_detected.yml | 0 .../audit/bitbucket_audit_user_login_failure_detected.yml | 0 .../bitbucket_audit_user_login_failure_via_ssh_detected.yml | 0 ...tbucket_audit_user_permissions_export_attempt_detected.yml | 0 .../github/audit}/github_delete_action_invoked.yml | 0 .../github/audit}/github_disable_high_risk_configuration.yml | 0 .../github_disabled_outdated_dependency_or_vulnerability.yml | 0 .../audit}/github_fork_private_repos_enabled_or_cleared.yml | 0 .../github/audit}/github_new_org_member.yml | 0 .../github/audit}/github_new_secret_created.yml | 0 .../github/audit}/github_outside_collaborator_detected.yml | 0 .../github/audit}/github_pages_site_changed_to_public.yml | 0 .../github/audit}/github_push_protection_bypass_detected.yml | 0 .../github/audit}/github_push_protection_disabled.yml | 0 .../github/audit}/github_repo_or_org_transferred.yml | 0 .../audit}/github_repository_archive_status_changed.yml | 0 
.../github/audit}/github_secret_scanning_feature_disabled.yml | 0
.../audit}/github_self_hosted_runner_changes_detected.yml | 0
.../github/audit}/github_ssh_certificate_config_changed.yml | 0
.../cisco_duo}/cisco_duo_mfa_bypass_via_bypass_code.yml | 0
.../okta/okta_admin_activity_from_proxy_query.yml | 0
.../okta/okta_admin_role_assigned_to_user_or_group.yml | 0
.../okta/okta_admin_role_assignment_created.yml | 0
rules/{cloud => identity}/okta/okta_api_token_created.yml | 0
rules/{cloud => identity}/okta/okta_api_token_revoked.yml | 0
.../okta/okta_application_modified_or_deleted.yml | 0
.../okta_application_sign_on_policy_modified_or_deleted.yml | 0
.../okta/okta_fastpass_phishing_detection.yml | 0
.../okta/okta_identity_provider_created.yml | 0
.../okta/okta_mfa_reset_or_deactivated.yml | 0
.../okta/okta_network_zone_deactivated_or_deleted.yml | 0
.../okta/okta_new_behaviours_admin_console.yml | 0
.../okta/okta_password_in_alternateid_field.yml | 0
.../okta/okta_policy_modified_or_deleted.yml | 0
.../okta/okta_policy_rule_modified_or_deleted.yml | 0
.../okta/okta_security_threat_detected.yml | 0
.../okta/okta_suspicious_activity_enduser_report.yml | 0
.../okta/okta_unauthorized_access_to_app.yml | 0
.../{cloud => identity}/okta/okta_user_account_locked_out.yml | 0
rules/{cloud => identity}/okta/okta_user_created.yml | 0
.../okta/okta_user_session_start_via_anonymised_proxy.yml | 0
.../onelogin/onelogin_assumed_another_user.yml | 0
.../onelogin/onelogin_user_account_locked.yml | 0
57 files changed, 6 insertions(+), 3 deletions(-)
rename {rules/compliance => rules-compliance/other}/netflow_cleartext_protocols.yml (100%)
rename rules/compliance/default_credentials_usage.yml => rules-compliance/product/qualys/qualys_default_credentials_usage.yml (98%)
rename rules/compliance/host_without_firewall.yml => rules-compliance/product/qualys/qualys_host_without_firewall.yml (95%)
rename rules/{cloud =>
application}/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml (100%)
rename rules/{cloud => application}/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml (100%)
rename rules/{cloud => application}/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml (100%)
rename rules/{cloud => application}/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml (100%)
rename rules/{cloud => application}/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml (100%)
rename rules/{cloud => application}/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml (100%)
rename rules/{cloud => application}/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml (100%)
rename rules/{cloud => application}/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml (100%)
rename rules/{cloud => application}/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml (100%)
rename rules/{cloud => application}/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml (100%)
rename rules/{cloud => application}/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml (100%)
rename rules/{cloud => application}/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml (100%)
rename rules/{cloud => application}/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml (100%)
rename rules/{cloud => application}/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml (100%)
rename rules/{cloud/github => application/github/audit}/github_delete_action_invoked.yml (100%)
rename rules/{cloud/github => application/github/audit}/github_disable_high_risk_configuration.yml (100%)
rename rules/{cloud/github => application/github/audit}/github_disabled_outdated_dependency_or_vulnerability.yml (100%)
rename rules/{cloud/github =>
application/github/audit}/github_fork_private_repos_enabled_or_cleared.yml (100%)
rename rules/{cloud/github => application/github/audit}/github_new_org_member.yml (100%)
rename rules/{cloud/github => application/github/audit}/github_new_secret_created.yml (100%)
rename rules/{cloud/github => application/github/audit}/github_outside_collaborator_detected.yml (100%)
rename rules/{cloud/github => application/github/audit}/github_pages_site_changed_to_public.yml (100%)
rename rules/{cloud/github => application/github/audit}/github_push_protection_bypass_detected.yml (100%)
rename rules/{cloud/github => application/github/audit}/github_push_protection_disabled.yml (100%)
rename rules/{cloud/github => application/github/audit}/github_repo_or_org_transferred.yml (100%)
rename rules/{cloud/github => application/github/audit}/github_repository_archive_status_changed.yml (100%)
rename rules/{cloud/github => application/github/audit}/github_secret_scanning_feature_disabled.yml (100%)
rename rules/{cloud/github => application/github/audit}/github_self_hosted_runner_changes_detected.yml (100%)
rename rules/{cloud/github => application/github/audit}/github_ssh_certificate_config_changed.yml (100%)
rename rules/{cloud/cisco/duo => identity/cisco_duo}/cisco_duo_mfa_bypass_via_bypass_code.yml (100%)
rename rules/{cloud => identity}/okta/okta_admin_activity_from_proxy_query.yml (100%)
rename rules/{cloud => identity}/okta/okta_admin_role_assigned_to_user_or_group.yml (100%)
rename rules/{cloud => identity}/okta/okta_admin_role_assignment_created.yml (100%)
rename rules/{cloud => identity}/okta/okta_api_token_created.yml (100%)
rename rules/{cloud => identity}/okta/okta_api_token_revoked.yml (100%)
rename rules/{cloud => identity}/okta/okta_application_modified_or_deleted.yml (100%)
rename rules/{cloud => identity}/okta/okta_application_sign_on_policy_modified_or_deleted.yml (100%)
rename rules/{cloud => identity}/okta/okta_fastpass_phishing_detection.yml (100%)
rename rules/{cloud
=> identity}/okta/okta_identity_provider_created.yml (100%)
rename rules/{cloud => identity}/okta/okta_mfa_reset_or_deactivated.yml (100%)
rename rules/{cloud => identity}/okta/okta_network_zone_deactivated_or_deleted.yml (100%)
rename rules/{cloud => identity}/okta/okta_new_behaviours_admin_console.yml (100%)
rename rules/{cloud => identity}/okta/okta_password_in_alternateid_field.yml (100%)
rename rules/{cloud => identity}/okta/okta_policy_modified_or_deleted.yml (100%)
rename rules/{cloud => identity}/okta/okta_policy_rule_modified_or_deleted.yml (100%)
rename rules/{cloud => identity}/okta/okta_security_threat_detected.yml (100%)
rename rules/{cloud => identity}/okta/okta_suspicious_activity_enduser_report.yml (100%)
rename rules/{cloud => identity}/okta/okta_unauthorized_access_to_app.yml (100%)
rename rules/{cloud => identity}/okta/okta_user_account_locked_out.yml (100%)
rename rules/{cloud => identity}/okta/okta_user_created.yml (100%)
rename rules/{cloud => identity}/okta/okta_user_session_start_via_anonymised_proxy.yml (100%)
rename rules/{cloud => identity}/onelogin/onelogin_assumed_another_user.yml (100%)
rename rules/{cloud => identity}/onelogin/onelogin_user_account_locked.yml (100%)
diff --git a/README.md b/README.md
index 0bf9de293..d0489a2de 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,8 @@ Currently the repository offers three types of rules: * [Generic Detection Rules](./rules/) - Are threat agnostic, their aim is to detect a behavior or an implementation of a technique or procedure that was, can or will be used by a potential threat actor. * [Threat Hunting Rules](./rules-threat-hunting/) - Are broader in scope and are meant to give the analyst a starting point to hunt for potential suspicious or malicious activity * [Emerging Threat Rules](./rules-emerging-threats/) - Are rules that cover specific threats, that are timely and relevant for certain periods of time. These threats include specific APT campaigns, exploitation of Zero-Day vulnerabilities, specific malware used during an attack,...etc. +* [Compliance Rules](./rules-compliance/) - Are rules that help you identify compliance violations based on well known security frameworks such as CIS Controls, NIST, ISO 27001,...etc. +* [Placeholder Rules](./rules-placeholder/) - Are rules that get their final meaning at conversion or usage time of the rule. ## Explore Sigma diff --git a/rules/compliance/netflow_cleartext_protocols.yml b/rules-compliance/other/netflow_cleartext_protocols.yml similarity index 100% rename from rules/compliance/netflow_cleartext_protocols.yml rename to rules-compliance/other/netflow_cleartext_protocols.yml diff --git a/rules/compliance/default_credentials_usage.yml b/rules-compliance/product/qualys/qualys_default_credentials_usage.yml similarity index 98% rename from rules/compliance/default_credentials_usage.yml rename to rules-compliance/product/qualys/qualys_default_credentials_usage.yml index f4fdad725..53e964b40 100644 --- a/rules/compliance/default_credentials_usage.yml +++ b/rules-compliance/product/qualys/qualys_default_credentials_usage.yml 
@@ -1,6 +1,6 @@ title: Default Credentials Usage id: 1a395cbc-a84a-463a-9086-ed8a70e573c7 -status: stable +status: experimental description: | Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management. @@ -11,6 +11,7 @@ references: - https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists author: Alexandr Yampolskyi, SOC Prime date: 2019-03-26 +modified: 2025-11-01 tags: - attack.initial-access # - CSC4 diff --git a/rules/compliance/host_without_firewall.yml b/rules-compliance/product/qualys/qualys_host_without_firewall.yml similarity index 95% rename from rules/compliance/host_without_firewall.yml rename to rules-compliance/product/qualys/qualys_host_without_firewall.yml index 1677b7ecc..0b3f131fe 100644 --- a/rules/compliance/host_without_firewall.yml +++ b/rules-compliance/product/qualys/qualys_host_without_firewall.yml @@ -1,6 +1,6 @@ title: Host Without Firewall id: 6b2066c8-3dc7-4db7-9db0-6cc1d7b0dde9 -status: stable +status: experimental description: Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management. references: - https://www.cisecurity.org/controls/cis-controls-list/ @@ -8,7 +8,7 @@ references: - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf author: Alexandr Yampolskyi, SOC Prime date: 2019-03-19 -modified: 2022-10-05 +modified: 2025-11-01 # tags: # - CSC9 # - CSC9.4 diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml b/rules/application/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml similarity index 100% rename from rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml rename to rules/application/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml 
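Review bot: The `-status: stable` / `+status: experimental` change in the first hunk of qualys_default_credentials_usage.yml, repeated in qualys_host_without_firewall.yml, is not described by the commit message, which only mentions a folder rename and README update, and no detection logic in either rule changed to motivate the downgrade. Consumers that deploy rules filtered by status (for example only `stable` ones) will silently lose both rules after this commit. If the intent is that the rules have not been re-validated against current Qualys output, `status: test` may be the closer fit to the Sigma status levels, and the reason should be recorded in the commit body or as a comment next to the field, e.g. `# status lowered pending validation against current scan output`. Adding `modified: 2025-11-01` together with the status change is correct and should stay.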
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml b/rules/application/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml
similarity index 100%
rename from rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml
rename to rules/application/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml b/rules/application/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml
similarity index 100%
rename from rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml
rename to rules/application/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml b/rules/application/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml
similarity index 100%
rename from rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml
rename to rules/application/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml b/rules/application/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml
similarity index 100%
rename from rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml
rename to rules/application/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml b/rules/application/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml
similarity index 100%
rename from rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml
rename to rules/application/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml b/rules/application/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml
similarity index 100%
rename from rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml
rename to rules/application/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml b/rules/application/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml
similarity index 100%
rename from rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml
rename to rules/application/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml b/rules/application/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml
similarity index 100%
rename from rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml
rename to rules/application/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml b/rules/application/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml
similarity index 100%
rename from rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml
rename to rules/application/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml b/rules/application/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml
similarity index 100%
rename from rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml
rename to rules/application/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml b/rules/application/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml
similarity index 100%
rename from rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml
rename to rules/application/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml b/rules/application/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml
similarity index 100%
rename from rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml
rename to rules/application/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml b/rules/application/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml
similarity index 100%
rename from rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml
rename to rules/application/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml
diff --git a/rules/cloud/github/github_delete_action_invoked.yml b/rules/application/github/audit/github_delete_action_invoked.yml
similarity index 100%
rename from rules/cloud/github/github_delete_action_invoked.yml
rename to rules/application/github/audit/github_delete_action_invoked.yml
diff --git a/rules/cloud/github/github_disable_high_risk_configuration.yml b/rules/application/github/audit/github_disable_high_risk_configuration.yml
similarity index 100%
rename from rules/cloud/github/github_disable_high_risk_configuration.yml
rename to rules/application/github/audit/github_disable_high_risk_configuration.yml
diff --git a/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml b/rules/application/github/audit/github_disabled_outdated_dependency_or_vulnerability.yml
similarity index 100%
rename from rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml
rename to rules/application/github/audit/github_disabled_outdated_dependency_or_vulnerability.yml
diff --git a/rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml b/rules/application/github/audit/github_fork_private_repos_enabled_or_cleared.yml
similarity index 100%
rename from rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml
rename to rules/application/github/audit/github_fork_private_repos_enabled_or_cleared.yml
diff --git a/rules/cloud/github/github_new_org_member.yml b/rules/application/github/audit/github_new_org_member.yml
similarity index 100%
rename from rules/cloud/github/github_new_org_member.yml
rename to rules/application/github/audit/github_new_org_member.yml
diff --git a/rules/cloud/github/github_new_secret_created.yml b/rules/application/github/audit/github_new_secret_created.yml
similarity index 100%
rename from rules/cloud/github/github_new_secret_created.yml
rename to rules/application/github/audit/github_new_secret_created.yml
diff --git a/rules/cloud/github/github_outside_collaborator_detected.yml b/rules/application/github/audit/github_outside_collaborator_detected.yml
similarity index 100%
rename from rules/cloud/github/github_outside_collaborator_detected.yml
rename to rules/application/github/audit/github_outside_collaborator_detected.yml
diff --git a/rules/cloud/github/github_pages_site_changed_to_public.yml b/rules/application/github/audit/github_pages_site_changed_to_public.yml
similarity index 100%
rename from rules/cloud/github/github_pages_site_changed_to_public.yml
rename to rules/application/github/audit/github_pages_site_changed_to_public.yml
diff --git a/rules/cloud/github/github_push_protection_bypass_detected.yml b/rules/application/github/audit/github_push_protection_bypass_detected.yml
similarity index 100%
rename from rules/cloud/github/github_push_protection_bypass_detected.yml
rename to rules/application/github/audit/github_push_protection_bypass_detected.yml
diff --git a/rules/cloud/github/github_push_protection_disabled.yml b/rules/application/github/audit/github_push_protection_disabled.yml
similarity index 100%
rename from rules/cloud/github/github_push_protection_disabled.yml
rename to rules/application/github/audit/github_push_protection_disabled.yml
diff --git a/rules/cloud/github/github_repo_or_org_transferred.yml b/rules/application/github/audit/github_repo_or_org_transferred.yml
similarity index 100%
rename from rules/cloud/github/github_repo_or_org_transferred.yml
rename to rules/application/github/audit/github_repo_or_org_transferred.yml
diff --git a/rules/cloud/github/github_repository_archive_status_changed.yml b/rules/application/github/audit/github_repository_archive_status_changed.yml
similarity index 100%
rename from rules/cloud/github/github_repository_archive_status_changed.yml
rename to rules/application/github/audit/github_repository_archive_status_changed.yml
diff --git a/rules/cloud/github/github_secret_scanning_feature_disabled.yml b/rules/application/github/audit/github_secret_scanning_feature_disabled.yml
similarity index 100%
rename from rules/cloud/github/github_secret_scanning_feature_disabled.yml
rename to rules/application/github/audit/github_secret_scanning_feature_disabled.yml
diff --git a/rules/cloud/github/github_self_hosted_runner_changes_detected.yml b/rules/application/github/audit/github_self_hosted_runner_changes_detected.yml
similarity index 100%
rename from rules/cloud/github/github_self_hosted_runner_changes_detected.yml
rename to rules/application/github/audit/github_self_hosted_runner_changes_detected.yml
diff --git a/rules/cloud/github/github_ssh_certificate_config_changed.yml b/rules/application/github/audit/github_ssh_certificate_config_changed.yml
similarity index 100%
rename from rules/cloud/github/github_ssh_certificate_config_changed.yml
rename to rules/application/github/audit/github_ssh_certificate_config_changed.yml
diff --git a/rules/cloud/cisco/duo/cisco_duo_mfa_bypass_via_bypass_code.yml b/rules/identity/cisco_duo/cisco_duo_mfa_bypass_via_bypass_code.yml
similarity index 100%
rename from rules/cloud/cisco/duo/cisco_duo_mfa_bypass_via_bypass_code.yml
rename to rules/identity/cisco_duo/cisco_duo_mfa_bypass_via_bypass_code.yml
diff --git a/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml b/rules/identity/okta/okta_admin_activity_from_proxy_query.yml
similarity index 100%
rename from rules/cloud/okta/okta_admin_activity_from_proxy_query.yml
rename to rules/identity/okta/okta_admin_activity_from_proxy_query.yml
diff --git a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml b/rules/identity/okta/okta_admin_role_assigned_to_user_or_group.yml
similarity index 100%
rename from rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml
rename to rules/identity/okta/okta_admin_role_assigned_to_user_or_group.yml
diff --git a/rules/cloud/okta/okta_admin_role_assignment_created.yml b/rules/identity/okta/okta_admin_role_assignment_created.yml
similarity index 100%
rename from rules/cloud/okta/okta_admin_role_assignment_created.yml
rename to rules/identity/okta/okta_admin_role_assignment_created.yml
diff --git a/rules/cloud/okta/okta_api_token_created.yml b/rules/identity/okta/okta_api_token_created.yml
similarity index 100%
rename from rules/cloud/okta/okta_api_token_created.yml
rename to rules/identity/okta/okta_api_token_created.yml
diff --git a/rules/cloud/okta/okta_api_token_revoked.yml b/rules/identity/okta/okta_api_token_revoked.yml
similarity index 100%
rename from rules/cloud/okta/okta_api_token_revoked.yml
rename to rules/identity/okta/okta_api_token_revoked.yml
diff --git a/rules/cloud/okta/okta_application_modified_or_deleted.yml b/rules/identity/okta/okta_application_modified_or_deleted.yml
similarity index 100%
rename from rules/cloud/okta/okta_application_modified_or_deleted.yml
rename to rules/identity/okta/okta_application_modified_or_deleted.yml
diff --git a/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml b/rules/identity/okta/okta_application_sign_on_policy_modified_or_deleted.yml
similarity index 100%
rename from rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml
rename to rules/identity/okta/okta_application_sign_on_policy_modified_or_deleted.yml
diff --git a/rules/cloud/okta/okta_fastpass_phishing_detection.yml b/rules/identity/okta/okta_fastpass_phishing_detection.yml
similarity index 100%
rename from rules/cloud/okta/okta_fastpass_phishing_detection.yml
rename to rules/identity/okta/okta_fastpass_phishing_detection.yml
diff --git a/rules/cloud/okta/okta_identity_provider_created.yml b/rules/identity/okta/okta_identity_provider_created.yml
similarity index 100%
rename from rules/cloud/okta/okta_identity_provider_created.yml
rename to rules/identity/okta/okta_identity_provider_created.yml
diff --git a/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml b/rules/identity/okta/okta_mfa_reset_or_deactivated.yml
similarity index 100%
rename from rules/cloud/okta/okta_mfa_reset_or_deactivated.yml
rename to rules/identity/okta/okta_mfa_reset_or_deactivated.yml
diff --git a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml b/rules/identity/okta/okta_network_zone_deactivated_or_deleted.yml
similarity index 100%
rename from rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml
rename to rules/identity/okta/okta_network_zone_deactivated_or_deleted.yml
diff --git a/rules/cloud/okta/okta_new_behaviours_admin_console.yml b/rules/identity/okta/okta_new_behaviours_admin_console.yml
similarity index 100%
rename from rules/cloud/okta/okta_new_behaviours_admin_console.yml
rename to rules/identity/okta/okta_new_behaviours_admin_console.yml
diff --git a/rules/cloud/okta/okta_password_in_alternateid_field.yml b/rules/identity/okta/okta_password_in_alternateid_field.yml
similarity index 100%
rename from rules/cloud/okta/okta_password_in_alternateid_field.yml
rename to rules/identity/okta/okta_password_in_alternateid_field.yml
diff --git a/rules/cloud/okta/okta_policy_modified_or_deleted.yml b/rules/identity/okta/okta_policy_modified_or_deleted.yml
similarity index 100%
rename from rules/cloud/okta/okta_policy_modified_or_deleted.yml
rename to rules/identity/okta/okta_policy_modified_or_deleted.yml
diff --git a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml b/rules/identity/okta/okta_policy_rule_modified_or_deleted.yml
similarity index 100%
rename from rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml
rename to rules/identity/okta/okta_policy_rule_modified_or_deleted.yml
diff --git a/rules/cloud/okta/okta_security_threat_detected.yml b/rules/identity/okta/okta_security_threat_detected.yml
similarity index 100%
rename from rules/cloud/okta/okta_security_threat_detected.yml
rename to rules/identity/okta/okta_security_threat_detected.yml
diff --git a/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml b/rules/identity/okta/okta_suspicious_activity_enduser_report.yml
similarity index 100%
rename from rules/cloud/okta/okta_suspicious_activity_enduser_report.yml
rename to rules/identity/okta/okta_suspicious_activity_enduser_report.yml
diff --git a/rules/cloud/okta/okta_unauthorized_access_to_app.yml b/rules/identity/okta/okta_unauthorized_access_to_app.yml
similarity index 100%
rename from rules/cloud/okta/okta_unauthorized_access_to_app.yml
rename to rules/identity/okta/okta_unauthorized_access_to_app.yml
diff --git a/rules/cloud/okta/okta_user_account_locked_out.yml b/rules/identity/okta/okta_user_account_locked_out.yml
similarity index 100%
rename from rules/cloud/okta/okta_user_account_locked_out.yml
rename to rules/identity/okta/okta_user_account_locked_out.yml
diff --git a/rules/cloud/okta/okta_user_created.yml b/rules/identity/okta/okta_user_created.yml
similarity index 100%
rename from rules/cloud/okta/okta_user_created.yml
rename to rules/identity/okta/okta_user_created.yml
diff --git a/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml b/rules/identity/okta/okta_user_session_start_via_anonymised_proxy.yml
similarity index 100%
rename from rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml
rename to rules/identity/okta/okta_user_session_start_via_anonymised_proxy.yml
diff --git a/rules/cloud/onelogin/onelogin_assumed_another_user.yml b/rules/identity/onelogin/onelogin_assumed_another_user.yml
similarity index 100%
rename from rules/cloud/onelogin/onelogin_assumed_another_user.yml
rename to rules/identity/onelogin/onelogin_assumed_another_user.yml
diff --git a/rules/cloud/onelogin/onelogin_user_account_locked.yml b/rules/identity/onelogin/onelogin_user_account_locked.yml
similarity index 100%
rename from rules/cloud/onelogin/onelogin_user_account_locked.yml
rename to rules/identity/onelogin/onelogin_user_account_locked.yml