From 5656c48a97b26044f66ce5555ef6ad0edadeec85 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali Date: Mon, 8 Dec 2025 16:03:55 +0100 Subject: [PATCH] Merge PR #5793 from @nasbench - Rename Auditd Folder Entries and update SYSCALL field chore: rename auditd folders and others update: Audio Capture - Updated syscall field to SYSCALL in order to make use of enriched logs update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Updated syscall field to SYSCALL in order to make use of enriched logs update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs update: System Info Discovery via Sysinfo Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs update: Special File Creation via Mknod Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs update: Webshell Remote Command Execution - Updated syscall field to SYSCALL in order to make use of enriched logs --- .../azure_ad_account_created_deleted_nonapproved_user.yml | 0 .../azure_ad_account_signin_outside_hours.yml | 0 .../{ => signin_logs}/azure_privileged_account_no_saw_paw.yml | 0 .../azure_privileged_account_sigin_expected_controls.yml | 0 .../azure_privileged_account_signin_outside_hours.yml | 0 rules/linux/auditd/{ => execve}/lnx_auditd_binary_padding.yml | 0 .../auditd/{ => execve}/lnx_auditd_bpfdoor_port_redirect.yml | 0 .../auditd/{ => execve}/lnx_auditd_capabilities_discovery.yml | 0 .../auditd/{ => execve}/lnx_auditd_change_file_time_attr.yml | 0 .../{ => execve}/lnx_auditd_chattr_immutable_removal.yml | 0 .../auditd/{ => execve}/lnx_auditd_clipboard_collection.yml | 0 .../{ => execve}/lnx_auditd_clipboard_image_collection.yml | 0 rules/linux/auditd/{ => execve}/lnx_auditd_coinminer.yml | 0 .../linux/auditd/{ => execve}/lnx_auditd_data_compressed.yml | 0 .../linux/auditd/{ => execve}/lnx_auditd_data_exfil_wget.yml | 0 rules/linux/auditd/{ => execve}/lnx_auditd_dd_delete_file.yml | 0 .../{ => 
execve}/lnx_auditd_file_or_folder_permissions.yml | 0 .../auditd/{ => execve}/lnx_auditd_find_cred_in_files.yml | 0 .../{ => execve}/lnx_auditd_hidden_files_directories.yml | 0 .../lnx_auditd_hidden_zip_files_steganography.yml | 0 .../auditd/{ => execve}/lnx_auditd_masquerading_crond.yml | 0 .../auditd/{ => execve}/lnx_auditd_modify_system_firewall.yml | 0 .../linux/auditd/{ => execve}/lnx_auditd_network_sniffing.yml | 0 .../auditd/{ => execve}/lnx_auditd_screencapture_import.yml | 0 .../auditd/{ => execve}/lnx_auditd_screencaputre_xwd.yml | 0 .../{ => execve}/lnx_auditd_steghide_embed_steganography.yml | 0 .../lnx_auditd_steghide_extract_steganography.yml | 0 rules/linux/auditd/{ => execve}/lnx_auditd_susp_cmds.yml | 0 .../{ => execve}/lnx_auditd_susp_histfile_operations.yml | 0 .../lnx_auditd_susp_service_reload_or_restart.yml | 0 .../auditd/{ => execve}/lnx_auditd_system_shutdown_reboot.yml | 0 .../lnx_auditd_unzip_hidden_zip_files_steganography.yml | 0 rules/linux/auditd/{ => execve}/lnx_auditd_user_discovery.yml | 0 rules/linux/auditd/lnx_auditd_audio_capture.yml | 4 ++-- rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml | 4 ++-- .../auditd/{ => path}/lnx_auditd_auditing_config_change.yml | 0 .../auditd/{ => path}/lnx_auditd_bpfdoor_file_accessed.yml | 0 .../auditd/{ => path}/lnx_auditd_hidden_binary_execution.yml | 0 .../linux/auditd/{ => path}/lnx_auditd_ld_so_preload_mod.yml | 0 .../auditd/{ => path}/lnx_auditd_logging_config_change.yml | 0 .../auditd/{ => path}/lnx_auditd_magic_system_request_key.yml | 0 .../auditd/{ => path}/lnx_auditd_system_info_discovery2.yml | 0 .../auditd/{ => path}/lnx_auditd_systemd_service_creation.yml | 0 .../lnx_auditd_unix_shell_configuration_modification.yml | 0 .../{ => service_stop}/lnx_auditd_disable_system_firewall.yml | 0 .../lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml | 4 ++-- .../linux/auditd/{ => syscall}/lnx_auditd_create_account.yml | 0 .../auditd/{ => syscall}/lnx_auditd_load_module_insmod.yml | 0 
.../{ => syscall}/lnx_auditd_network_service_scanning.yml | 0 .../{ => syscall}/lnx_auditd_split_file_into_pieces.yml | 0 .../lnx_auditd_susp_discovery_sysinfo_syscall.yml | 3 ++- .../auditd/{ => syscall}/lnx_auditd_susp_exe_folders.yml | 0 ...nx_auditd_susp_special_file_creation_via_mknod_syscall.yml | 3 ++- rules/linux/auditd/{ => syscall}/lnx_auditd_web_rce.yml | 4 ++-- tests/logsource.json | 4 ++-- 55 files changed, 14 insertions(+), 12 deletions(-) rename rules-placeholder/cloud/azure/{ => audit_logs}/azure_ad_account_created_deleted_nonapproved_user.yml (100%) rename rules-placeholder/cloud/azure/{ => signin_logs}/azure_ad_account_signin_outside_hours.yml (100%) rename rules-placeholder/cloud/azure/{ => signin_logs}/azure_privileged_account_no_saw_paw.yml (100%) rename rules-placeholder/cloud/azure/{ => signin_logs}/azure_privileged_account_sigin_expected_controls.yml (100%) rename rules-placeholder/cloud/azure/{ => signin_logs}/azure_privileged_account_signin_outside_hours.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_binary_padding.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_bpfdoor_port_redirect.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_capabilities_discovery.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_change_file_time_attr.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_chattr_immutable_removal.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_clipboard_collection.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_clipboard_image_collection.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_coinminer.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_data_compressed.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_data_exfil_wget.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_dd_delete_file.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_file_or_folder_permissions.yml (100%) rename 
rules/linux/auditd/{ => execve}/lnx_auditd_find_cred_in_files.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_hidden_files_directories.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_hidden_zip_files_steganography.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_masquerading_crond.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_modify_system_firewall.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_network_sniffing.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_screencapture_import.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_screencaputre_xwd.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_steghide_embed_steganography.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_steghide_extract_steganography.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_susp_cmds.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_susp_histfile_operations.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_susp_service_reload_or_restart.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_system_shutdown_reboot.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_unzip_hidden_zip_files_steganography.yml (100%) rename rules/linux/auditd/{ => execve}/lnx_auditd_user_discovery.yml (100%) rename rules/linux/auditd/{ => path}/lnx_auditd_auditing_config_change.yml (100%) rename rules/linux/auditd/{ => path}/lnx_auditd_bpfdoor_file_accessed.yml (100%) rename rules/linux/auditd/{ => path}/lnx_auditd_hidden_binary_execution.yml (100%) rename rules/linux/auditd/{ => path}/lnx_auditd_ld_so_preload_mod.yml (100%) rename rules/linux/auditd/{ => path}/lnx_auditd_logging_config_change.yml (100%) rename rules/linux/auditd/{ => path}/lnx_auditd_magic_system_request_key.yml (100%) rename rules/linux/auditd/{ => path}/lnx_auditd_system_info_discovery2.yml (100%) rename rules/linux/auditd/{ => path}/lnx_auditd_systemd_service_creation.yml (100%) 
rename rules/linux/auditd/{ => path}/lnx_auditd_unix_shell_configuration_modification.yml (100%) rename rules/linux/auditd/{ => service_stop}/lnx_auditd_disable_system_firewall.yml (100%) rename rules/linux/auditd/{ => syscall}/lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml (97%) rename rules/linux/auditd/{ => syscall}/lnx_auditd_create_account.yml (100%) rename rules/linux/auditd/{ => syscall}/lnx_auditd_load_module_insmod.yml (100%) rename rules/linux/auditd/{ => syscall}/lnx_auditd_network_service_scanning.yml (100%) rename rules/linux/auditd/{ => syscall}/lnx_auditd_split_file_into_pieces.yml (100%) rename rules/linux/auditd/{ => syscall}/lnx_auditd_susp_discovery_sysinfo_syscall.yml (96%) rename rules/linux/auditd/{ => syscall}/lnx_auditd_susp_exe_folders.yml (100%) rename rules/linux/auditd/{ => syscall}/lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml (96%) rename rules/linux/auditd/{ => syscall}/lnx_auditd_web_rce.yml (96%)
diff --git a/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml b/rules-placeholder/cloud/azure/audit_logs/azure_ad_account_created_deleted_nonapproved_user.yml
similarity index 100%
rename from rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml
rename to rules-placeholder/cloud/azure/audit_logs/azure_ad_account_created_deleted_nonapproved_user.yml
diff --git a/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml b/rules-placeholder/cloud/azure/signin_logs/azure_ad_account_signin_outside_hours.yml
similarity index 100%
rename from rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml
rename to rules-placeholder/cloud/azure/signin_logs/azure_ad_account_signin_outside_hours.yml
diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml b/rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_no_saw_paw.yml
similarity index 100%
rename from rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
rename to rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_no_saw_paw.yml
diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml b/rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_sigin_expected_controls.yml
similarity index 100%
rename from rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml
rename to rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_sigin_expected_controls.yml
diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml b/rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_signin_outside_hours.yml
similarity index 100%
rename from rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml
rename to rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_signin_outside_hours.yml
diff --git a/rules/linux/auditd/lnx_auditd_binary_padding.yml b/rules/linux/auditd/execve/lnx_auditd_binary_padding.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_binary_padding.yml
rename to rules/linux/auditd/execve/lnx_auditd_binary_padding.yml
diff --git a/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml b/rules/linux/auditd/execve/lnx_auditd_bpfdoor_port_redirect.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml
rename to rules/linux/auditd/execve/lnx_auditd_bpfdoor_port_redirect.yml
diff --git a/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml b/rules/linux/auditd/execve/lnx_auditd_capabilities_discovery.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
rename to rules/linux/auditd/execve/lnx_auditd_capabilities_discovery.yml
diff --git a/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml b/rules/linux/auditd/execve/lnx_auditd_change_file_time_attr.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_change_file_time_attr.yml
rename to rules/linux/auditd/execve/lnx_auditd_change_file_time_attr.yml
diff --git a/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml b/rules/linux/auditd/execve/lnx_auditd_chattr_immutable_removal.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml
rename to rules/linux/auditd/execve/lnx_auditd_chattr_immutable_removal.yml
diff --git a/rules/linux/auditd/lnx_auditd_clipboard_collection.yml b/rules/linux/auditd/execve/lnx_auditd_clipboard_collection.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_clipboard_collection.yml
rename to rules/linux/auditd/execve/lnx_auditd_clipboard_collection.yml
diff --git a/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml b/rules/linux/auditd/execve/lnx_auditd_clipboard_image_collection.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml
rename to rules/linux/auditd/execve/lnx_auditd_clipboard_image_collection.yml
diff --git a/rules/linux/auditd/lnx_auditd_coinminer.yml b/rules/linux/auditd/execve/lnx_auditd_coinminer.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_coinminer.yml
rename to rules/linux/auditd/execve/lnx_auditd_coinminer.yml
diff --git a/rules/linux/auditd/lnx_auditd_data_compressed.yml b/rules/linux/auditd/execve/lnx_auditd_data_compressed.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_data_compressed.yml
rename to rules/linux/auditd/execve/lnx_auditd_data_compressed.yml
diff --git a/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml b/rules/linux/auditd/execve/lnx_auditd_data_exfil_wget.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
rename to rules/linux/auditd/execve/lnx_auditd_data_exfil_wget.yml
diff --git a/rules/linux/auditd/lnx_auditd_dd_delete_file.yml b/rules/linux/auditd/execve/lnx_auditd_dd_delete_file.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_dd_delete_file.yml
rename to rules/linux/auditd/execve/lnx_auditd_dd_delete_file.yml
diff --git a/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml b/rules/linux/auditd/execve/lnx_auditd_file_or_folder_permissions.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml
rename to rules/linux/auditd/execve/lnx_auditd_file_or_folder_permissions.yml
diff --git a/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml b/rules/linux/auditd/execve/lnx_auditd_find_cred_in_files.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_find_cred_in_files.yml
rename to rules/linux/auditd/execve/lnx_auditd_find_cred_in_files.yml
diff --git a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml b/rules/linux/auditd/execve/lnx_auditd_hidden_files_directories.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
rename to rules/linux/auditd/execve/lnx_auditd_hidden_files_directories.yml
diff --git a/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml b/rules/linux/auditd/execve/lnx_auditd_hidden_zip_files_steganography.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml
rename to rules/linux/auditd/execve/lnx_auditd_hidden_zip_files_steganography.yml
diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/execve/lnx_auditd_masquerading_crond.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_masquerading_crond.yml
rename to rules/linux/auditd/execve/lnx_auditd_masquerading_crond.yml
diff --git a/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml b/rules/linux/auditd/execve/lnx_auditd_modify_system_firewall.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_modify_system_firewall.yml
rename to rules/linux/auditd/execve/lnx_auditd_modify_system_firewall.yml
diff --git a/rules/linux/auditd/lnx_auditd_network_sniffing.yml b/rules/linux/auditd/execve/lnx_auditd_network_sniffing.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_network_sniffing.yml
rename to rules/linux/auditd/execve/lnx_auditd_network_sniffing.yml
diff --git a/rules/linux/auditd/lnx_auditd_screencapture_import.yml b/rules/linux/auditd/execve/lnx_auditd_screencapture_import.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_screencapture_import.yml
rename to rules/linux/auditd/execve/lnx_auditd_screencapture_import.yml
diff --git a/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml b/rules/linux/auditd/execve/lnx_auditd_screencaputre_xwd.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml
rename to rules/linux/auditd/execve/lnx_auditd_screencaputre_xwd.yml
diff --git a/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml b/rules/linux/auditd/execve/lnx_auditd_steghide_embed_steganography.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
rename to rules/linux/auditd/execve/lnx_auditd_steghide_embed_steganography.yml
diff --git a/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml b/rules/linux/auditd/execve/lnx_auditd_steghide_extract_steganography.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
rename to rules/linux/auditd/execve/lnx_auditd_steghide_extract_steganography.yml
diff --git a/rules/linux/auditd/lnx_auditd_susp_cmds.yml b/rules/linux/auditd/execve/lnx_auditd_susp_cmds.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_susp_cmds.yml
rename to rules/linux/auditd/execve/lnx_auditd_susp_cmds.yml
diff --git a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml b/rules/linux/auditd/execve/lnx_auditd_susp_histfile_operations.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml
rename to rules/linux/auditd/execve/lnx_auditd_susp_histfile_operations.yml
diff --git a/rules/linux/auditd/lnx_auditd_susp_service_reload_or_restart.yml b/rules/linux/auditd/execve/lnx_auditd_susp_service_reload_or_restart.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_susp_service_reload_or_restart.yml
rename to rules/linux/auditd/execve/lnx_auditd_susp_service_reload_or_restart.yml
diff --git a/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml b/rules/linux/auditd/execve/lnx_auditd_system_shutdown_reboot.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml
rename to rules/linux/auditd/execve/lnx_auditd_system_shutdown_reboot.yml
diff --git a/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml b/rules/linux/auditd/execve/lnx_auditd_unzip_hidden_zip_files_steganography.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml
rename to rules/linux/auditd/execve/lnx_auditd_unzip_hidden_zip_files_steganography.yml
diff --git a/rules/linux/auditd/lnx_auditd_user_discovery.yml b/rules/linux/auditd/execve/lnx_auditd_user_discovery.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_user_discovery.yml
rename to rules/linux/auditd/execve/lnx_auditd_user_discovery.yml
diff --git a/rules/linux/auditd/lnx_auditd_audio_capture.yml b/rules/linux/auditd/lnx_auditd_audio_capture.yml
index 7409645a0..e26afeff1 100644
--- a/rules/linux/auditd/lnx_auditd_audio_capture.yml
+++ b/rules/linux/auditd/lnx_auditd_audio_capture.yml
@@ -9,7 +9,7 @@ references:
 - https://ecasound.seul.org/ecasound/Documentation/examples.html#fconversions
 author: Pawel Mazur, Milad Cheraghi
 date: 2021-09-04
-modified: 2025-06-05
+modified: 2025-12-05
 tags:
 - attack.collection
 - attack.t1123
@@ -25,7 +25,7 @@ detection:
 selection_syscall_memfd_create:
 type: SYSCALL
 exe|endswith: "/ecasound"
- syscall: 'memfd_create'
+ SYSCALL: 'memfd_create'
 condition: 1 of selection_*
 falsepositives:
 - Unknown
diff --git a/rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml b/rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml
index 58f1090e3..2f63aa8a1 100644
--- a/rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml
+++ b/rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml
@@ -15,7 +15,7 @@ references:
 - https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/
 author: Milad Cheraghi
 date: 2025-05-26
-modified: 2025-10-18
+modified: 2025-12-05
 tags:
 - attack.privilege-escalation
 - attack.defense-evasion
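Review bot: The `SYSCALL: 'memfd_create'` selection in the second hunk keys on the interpreted field that auditd only writes when `log_format = ENRICHED` is set in auditd.conf (or when records are post-processed with `ausearch -i`); a raw record carries only the numeric `syscall=` value, so on an unenriched pipeline this selection would match nothing and the rule would go quiet without any error. Nothing in the rule body shown here, nor in the commit message beyond "make use of enriched logs", records that prerequisite for whoever deploys it. The rule's `description` sits outside the hunk; I would add there a sentence such as `Requires auditd enriched logging (log_format = ENRICHED) or interpreted output: the SYSCALL field exists only in enriched records, raw records expose only the numeric syscall field.` The same applies to the equivalent hunks in lnx_auditd_disable_aslr_protection.yml, lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml, lnx_auditd_susp_discovery_sysinfo_syscall.yml, lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml and lnx_auditd_web_rce.yml.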
@@ -27,7 +27,7 @@ logsource:
 detection:
 selection_syscall:
 type: 'SYSCALL'
- syscall: 'personality'
+ SYSCALL: 'personality'
 a0: 40000
 selection_sysctl:
 type: 'EXECVE'
diff --git a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/rules/linux/auditd/path/lnx_auditd_auditing_config_change.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_auditing_config_change.yml
rename to rules/linux/auditd/path/lnx_auditd_auditing_config_change.yml
diff --git a/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml b/rules/linux/auditd/path/lnx_auditd_bpfdoor_file_accessed.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml
rename to rules/linux/auditd/path/lnx_auditd_bpfdoor_file_accessed.yml
diff --git a/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml b/rules/linux/auditd/path/lnx_auditd_hidden_binary_execution.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml
rename to rules/linux/auditd/path/lnx_auditd_hidden_binary_execution.yml
diff --git a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/rules/linux/auditd/path/lnx_auditd_ld_so_preload_mod.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
rename to rules/linux/auditd/path/lnx_auditd_ld_so_preload_mod.yml
diff --git a/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/rules/linux/auditd/path/lnx_auditd_logging_config_change.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_logging_config_change.yml
rename to rules/linux/auditd/path/lnx_auditd_logging_config_change.yml
diff --git a/rules/linux/auditd/lnx_auditd_magic_system_request_key.yml b/rules/linux/auditd/path/lnx_auditd_magic_system_request_key.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_magic_system_request_key.yml
rename to rules/linux/auditd/path/lnx_auditd_magic_system_request_key.yml
diff --git a/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml b/rules/linux/auditd/path/lnx_auditd_system_info_discovery2.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_system_info_discovery2.yml
rename to rules/linux/auditd/path/lnx_auditd_system_info_discovery2.yml
diff --git a/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml b/rules/linux/auditd/path/lnx_auditd_systemd_service_creation.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_systemd_service_creation.yml
rename to rules/linux/auditd/path/lnx_auditd_systemd_service_creation.yml
diff --git a/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml b/rules/linux/auditd/path/lnx_auditd_unix_shell_configuration_modification.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml
rename to rules/linux/auditd/path/lnx_auditd_unix_shell_configuration_modification.yml
diff --git a/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml b/rules/linux/auditd/service_stop/lnx_auditd_disable_system_firewall.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_disable_system_firewall.yml
rename to rules/linux/auditd/service_stop/lnx_auditd_disable_system_firewall.yml
diff --git a/rules/linux/auditd/lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml b/rules/linux/auditd/syscall/lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml
similarity index 97%
rename from rules/linux/auditd/lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml
rename to rules/linux/auditd/syscall/lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml
index 5fb225b59..2af4b1f67 100644
--- a/rules/linux/auditd/lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml
+++ b/rules/linux/auditd/syscall/lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml
@@ -11,7 +11,7 @@ references:
 - https://man7.org/linux/man-pages/man1/dmesg.1.html
 author: Milad Cheraghi
 date: 2025-05-27
-modified: 2025-06-05
+modified: 2025-12-05
 tags:
 - attack.defense-evasion
 - attack.t1070.002
@@ -29,7 +29,7 @@ logsource:
 detection:
 selection:
 type: 'SYSCALL'
- syscall: 'syslog'
+ SYSCALL: 'syslog'
 a0:
 - 4 # SYSLOG_ACTION_READ_CLEAR : Read and clear log
 - 5 # SYSLOG_ACTION_CLEAR: Clear kernel ring buffer (without reading)
diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/syscall/lnx_auditd_create_account.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_create_account.yml
rename to rules/linux/auditd/syscall/lnx_auditd_create_account.yml
diff --git a/rules/linux/auditd/lnx_auditd_load_module_insmod.yml b/rules/linux/auditd/syscall/lnx_auditd_load_module_insmod.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_load_module_insmod.yml
rename to rules/linux/auditd/syscall/lnx_auditd_load_module_insmod.yml
diff --git a/rules/linux/auditd/lnx_auditd_network_service_scanning.yml b/rules/linux/auditd/syscall/lnx_auditd_network_service_scanning.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_network_service_scanning.yml
rename to rules/linux/auditd/syscall/lnx_auditd_network_service_scanning.yml
diff --git a/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml b/rules/linux/auditd/syscall/lnx_auditd_split_file_into_pieces.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml
rename to rules/linux/auditd/syscall/lnx_auditd_split_file_into_pieces.yml
diff --git a/rules/linux/auditd/lnx_auditd_susp_discovery_sysinfo_syscall.yml b/rules/linux/auditd/syscall/lnx_auditd_susp_discovery_sysinfo_syscall.yml
similarity index 96%
rename from rules/linux/auditd/lnx_auditd_susp_discovery_sysinfo_syscall.yml
rename to rules/linux/auditd/syscall/lnx_auditd_susp_discovery_sysinfo_syscall.yml
index 37f9ebd89..2dcbe91d1 100644
--- a/rules/linux/auditd/lnx_auditd_susp_discovery_sysinfo_syscall.yml
+++ b/rules/linux/auditd/syscall/lnx_auditd_susp_discovery_sysinfo_syscall.yml
@@ -9,6 +9,7 @@ references:
 - https://man7.org/linux/man-pages/man2/sysinfo.2.html
 author: Milad Cheraghi
 date: 2025-05-30
+modified: 2025-12-05
 tags:
 - attack.discovery
 - attack.t1057
@@ -23,7 +24,7 @@ logsource:
 detection:
 selection:
 type: 'SYSCALL'
- syscall: 'sysinfo'
+ SYSCALL: 'sysinfo'
 filter_optional_splunk:
 exe|endswith: '/bin/splunkd'
 condition: selection and not 1 of filter_optional_*
diff --git a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml b/rules/linux/auditd/syscall/lnx_auditd_susp_exe_folders.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
rename to rules/linux/auditd/syscall/lnx_auditd_susp_exe_folders.yml
diff --git a/rules/linux/auditd/lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml b/rules/linux/auditd/syscall/lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml
similarity index 96%
rename from rules/linux/auditd/lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml
rename to rules/linux/auditd/syscall/lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml
index b3315cd20..5f7a0cb20 100644
--- a/rules/linux/auditd/lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml
+++ b/rules/linux/auditd/syscall/lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml
@@ -12,6 +12,7 @@ references:
 - https://hopeness.medium.com/master-the-linux-mknod-command-a-comprehensive-guide-1c150a546aa8
 author: Milad Cheraghi
 date: 2025-05-31
+modified: 2025-12-05
 tags:
 - attack.privilege-escalation
 - attack.persistence
@@ -22,7 +23,7 @@ logsource:
 detection:
 selection:
 type: 'SYSCALL'
- syscall: 'mknod'
+ SYSCALL: 'mknod'
 condition: selection
 falsepositives:
 - Device creation by legitimate scripts or init systems (udevadm, MAKEDEV)
diff --git a/rules/linux/auditd/lnx_auditd_web_rce.yml b/rules/linux/auditd/syscall/lnx_auditd_web_rce.yml
similarity index 96%
rename from rules/linux/auditd/lnx_auditd_web_rce.yml
rename to rules/linux/auditd/syscall/lnx_auditd_web_rce.yml
index d54e38c1d..0bf57a548 100644
--- a/rules/linux/auditd/lnx_auditd_web_rce.yml
+++ b/rules/linux/auditd/syscall/lnx_auditd_web_rce.yml
@@ -7,7 +7,7 @@ references:
 - https://www.vaadata.com/blog/what-is-command-injection-exploitations-and-security-best-practices/
 author: Ilyas Ochkov, Beyu Denis, oscd.community
 date: 2019-10-12
-modified: 2025-06-03
+modified: 2025-12-05
 tags:
 - attack.persistence
 - attack.t1505.003
@@ -24,7 +24,7 @@ logsource:
 detection:
 selection:
 type: 'SYSCALL'
- syscall:
+ SYSCALL:
 - 'execve'
 - 'execveat'
 euid: 33
diff --git a/tests/logsource.json b/tests/logsource.json
index a8cdb17db..28763f390 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
@@ -1,6 +1,6 @@
 {
 "title": "Field name by logsource",
- "version": "20230113",
+ "version": "20251205",
 "legit":{
 "windows":{
 "common": ["EventID", "Provider_Name","Channel","Computer","Security_UserID"],
@@ -134,7 +134,7 @@ "oses", "ouid", "outif", "pa", "parent", "path", "pe", "per", "perm", "perm_mask", "permissive", "pfs", "pi", "pid", "pp", "ppid", "printer", "proctitle", "prom", "proto", "qbytes", "range", "rdev", "reason", "removed", "res", "resrc", "result", "role", "rport", "saddr", "sauid", "scontext", "selected-context", "seperm", "seperms", "seqno", "seresult", "ses", "seuser", "sgid", "sig", "sigev_signo", "smac", "spid", - "sport", "state", "subj", "success", "suid", "syscall", "table", "tclass", "tcontext", "terminal", "tty", "type", "uid", "unit", "uri", "user", + "sport", "state", "subj", "success", "suid", "syscall", "SYSCALL", "table", "tclass", "tcontext", "terminal", "tty", "type", "uid", "unit", "uri", "user", "uuid", "val", "val", "ver", "virt", "vm", "vm-ctx", "vm-pid", "watch"], "vsftpd":[], "sshd":[],