diff --git a/rules/network/zeek/zeek_dns_susp_zbit_flag.yml b/rules/network/zeek/zeek_dns_susp_zbit_flag.yml
index 306a153b0..7d74580cb 100644
--- a/rules/network/zeek/zeek_dns_susp_zbit_flag.yml
+++ b/rules/network/zeek/zeek_dns_susp_zbit_flag.yml
@@ -5,10 +5,10 @@ status: experimental
 date: 2021/05/04
 modified: 2022/02/24
 references:
- - 'https://twitter.com/neu5ron/status/1346245602502443009'
- - 'https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma'
- - 'https://tools.ietf.org/html/rfc2929#section-2.1'
- - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
+ - https://twitter.com/neu5ron/status/1346245602502443009
+ - https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma
+ - https://tools.ietf.org/html/rfc2929#section-2.1
+ - https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS
 author: '@neu5ron, SOC Prime Team, Corelight'
 tags:
 - attack.t1095
diff --git a/rules/windows/builtin/security/win_security_service_installation_by_ unusal_client.yml b/rules/windows/builtin/security/win_security_service_installation_by_ unusal_client.yml
index fc52345d9..df7c6f4d0 100644
--- a/rules/windows/builtin/security/win_security_service_installation_by_ unusal_client.yml
+++ b/rules/windows/builtin/security/win_security_service_installation_by_ unusal_client.yml
@@ -6,7 +6,7 @@ related:
 status: experimental
 description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
 references:
- - 'https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html'
+ - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
 author: Tim Rauch
 date: 2022/09/15
 logsource:
diff --git a/rules/windows/builtin/system/win_system_service_installation_by_unusal_client.yml b/rules/windows/builtin/system/win_system_service_installation_by_unusal_client.yml
index 6ed3cb08d..086ccc18d 100644
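Review bot: Dropping the quotes is safe for every URL in this hunk, but only because the `#` in `...eLbyj4JjI15v#sigma` and `...rfc2929#section-2.1` is not preceded by whitespace and the `&` in the netresec URL is not at the start of the scalar; a plain scalar containing ` #`, or beginning with `&`, `*`, `!`, `%` or `@`, would be read as a comment, alias, tag or directive rather than a string. The same unquoting is applied in every other hunk of this diff (the elastic.co and microsoft.com references in the Windows rules), so the convention is better pinned by a yamllint `quoted-strings` rule than left to reviewers spotting the exceptions by eye. The `references` entries are consumed as strings, so no type changes for the values shown here. The context line `author: '@neu5ron, SOC Prime Team, Corelight'` correctly keeps its quotes, since a leading `@` is a reserved indicator.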
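Review bot: The file path in this hunk's `diff --git`, `---` and `+++` headers is shown as `win_security_service_installation_by_ unusal_client.yml`, with a space before `unusal`, while the sibling rule under `builtin/system` has no such space; this is most likely a line-wrapping artefact of how the diff was rendered, but if the filename really contains a space it should be renamed. Both service-installation rule files also carry the `unusal` misspelling in their names, which could be fixed in the same housekeeping pass.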
--- a/rules/windows/builtin/system/win_system_service_installation_by_unusal_client.yml
+++ b/rules/windows/builtin/system/win_system_service_installation_by_unusal_client.yml
@@ -6,7 +6,7 @@ related:
 status: experimental
 description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
 references:
- - 'https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html'
+ - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
 author: Tim Rauch
 date: 2022/09/15
 logsource:
diff --git a/rules/windows/file_delete/file_delete_win_webserver_access_logs_deleted.yml b/rules/windows/file_delete/file_delete_win_webserver_access_logs_deleted.yml
index 1d09df750..d5d22b190 100644
--- a/rules/windows/file_delete/file_delete_win_webserver_access_logs_deleted.yml
+++ b/rules/windows/file_delete/file_delete_win_webserver_access_logs_deleted.yml
@@ -3,7 +3,7 @@ id: 3eb8c339-a765-48cc-a150-4364c04652bf
 status: experimental
 description: Detects the deletion of WebServer access logs which may indicte the attempt to destroy forensic evidence
 references:
- - 'https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html'
+ - https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
 author: Tim Rauch
 date: 2022/09/16
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
index 6e6163d1c..101dd704a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
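Review bot: The unchanged `description:` context line in the file_delete hunk reads `which may indicte the attempt to destroy forensic evidence`; since the commit is already touching this header block, correcting it to `indicate` in the same change would be cheap. The unquoted elastic.co URL on the `+` line itself parses as a plain string, as it contains no ` #` sequence and starts with no reserved indicator.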
@@ -6,7 +6,7 @@ related:
 status: experimental
 description: Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
 references:
- - 'https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html'
+ - https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html
 author: Tim Rauch
 date: 2022/09/16
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win_firewall_disabled.yml b/rules/windows/powershell/powershell_script/posh_ps_win_firewall_disabled.yml
index 3fd298b60..e66c79f9e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win_firewall_disabled.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win_firewall_disabled.yml
@@ -6,7 +6,7 @@ related:
 status: experimental
 description: Detects that the Windows Firewall is disabled using PowerShell
 references:
- - 'https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html'
+ - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
 author: Tim Rauch
 date: 2022/09/14
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_defender_exclusions_via_powershell.yml b/rules/windows/process_creation/proc_creation_win_defender_exclusions_via_powershell.yml
index a2e937c18..c2f9247e5 100644
--- a/rules/windows/process_creation/proc_creation_win_defender_exclusions_via_powershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_defender_exclusions_via_powershell.yml
@@ -6,7 +6,7 @@ related:
 status: experimental
 description: Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
 references:
- - 'https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html'
+ - https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html
 author: Tim Rauch
 date: 2022/09/16
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_firewall_disabled_via_powershell.yml b/rules/windows/process_creation/proc_creation_win_firewall_disabled_via_powershell.yml
index f9f9a726e..fe6b63be9 100644
--- a/rules/windows/process_creation/proc_creation_win_firewall_disabled_via_powershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_firewall_disabled_via_powershell.yml
@@ -6,7 +6,7 @@ related:
 status: experimental
 description: Detects that the Windows Firewall is disabled using PowerShell
 references:
- - 'https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html'
+ - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
 author: Tim Rauch
 date: 2022/09/14
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_network_enumeration.yml b/rules/windows/process_creation/proc_creation_win_network_enumeration.yml
index 7428bd510..c826f0435 100644
--- a/rules/windows/process_creation/proc_creation_win_network_enumeration.yml
+++ b/rules/windows/process_creation/proc_creation_win_network_enumeration.yml
@@ -3,7 +3,7 @@ id: 8aefd180-56e6-4850-a205-a26c61a24a8f
 status: experimental
 description: Detects net.exe or net1.exe used for network enumeration
 references:
- - 'https://www.elastic.co/guide/en/security/current/windows-network-enumeration.html'
+ - https://www.elastic.co/guide/en/security/current/windows-network-enumeration.html
 author: Tim Rauch
 date: 2022/09/15
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_script_executing_powershell.yml b/rules/windows/process_creation/proc_creation_win_script_executing_powershell.yml
index 027a79c07..d9441bdf1 100644
--- a/rules/windows/process_creation/proc_creation_win_script_executing_powershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_script_executing_powershell.yml
@@ -3,7 +3,7 @@ id: c0464058-4954-4536-896d-7b16315be56f
 status: experimental
 description: Detects wscript.exe or script.exe executing powershell.exe
 references:
- - 'https://www.elastic.co/guide/en/security/current/windows-script-executing-powershell.html'
+ - https://www.elastic.co/guide/en/security/current/windows-script-executing-powershell.html
 author: Tim Rauch
 date: 2022/09/15
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_plink_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_plink_usage.yml
index 52e0763c6..89d361f68 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_plink_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_plink_usage.yml
@@ -5,7 +5,7 @@ description: Execution of well known tools for data exfiltration and tunneling
 author: Florian Roth
 date: 2022/08/04
 references:
- - 'https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/'
+ - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
index f62d1cef4..933d9f841 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
@@ -3,7 +3,7 @@ id: e52cb31c-10ed-4aea-bcb7-593c9f4a315b
 status: experimental
 description: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
 references:
- - 'https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack'
+ - https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack
 author: Tim Rauch
 date: 2022/09/27
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_unusual_child_process_of_conhost.yml b/rules/windows/process_creation/proc_creation_win_unusual_child_process_of_conhost.yml
index 594221056..98762471c 100644
--- a/rules/windows/process_creation/proc_creation_win_unusual_child_process_of_conhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_unusual_child_process_of_conhost.yml
@@ -3,7 +3,7 @@ id: 23f6015f-4b63-4bb7-a9e5-7857ef5b538f
 status: experimental
 description: Detects a suspicious Conhost child process which may be an indication of code injection activity
 references:
- - 'https://www.elastic.co/guide/en/security/current/suspicious-process-from-conhost.html'
+ - https://www.elastic.co/guide/en/security/current/suspicious-process-from-conhost.html
 author: Tim Rauch
 date: 2022/09/27
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_unusual_child_process_of_dns_exe.yml b/rules/windows/process_creation/proc_creation_win_unusual_child_process_of_dns_exe.yml
index fb2a44453..94260e1ca 100644
--- a/rules/windows/process_creation/proc_creation_win_unusual_child_process_of_dns_exe.yml
+++ b/rules/windows/process_creation/proc_creation_win_unusual_child_process_of_dns_exe.yml
@@ -3,7 +3,7 @@ id: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3
 status: experimental
 description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation
 references:
- - 'https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html'
+ - https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html
 author: Tim Rauch
 date: 2022/09/27
 logsource: