refactor: first bigger log source refactoring

see discussion here: https://github.com/SigmaHQ/sigma/discussions/2835

rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml

@@ -1,7 +1,7 @@
 title: Azure Active Directory Hybrid Health AD FS New Server
 id: 288a39fc-4914-4831-9ada-270e9dc12cb4
 description: |
-  This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
+  This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
   A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
   This can be done programmatically via HTTP requests to Azure.
 status: experimental
@@ -14,7 +14,7 @@ references:
   - https://o365blog.com/post/hybridhealthagent/
 logsource:
   product: azure
-  service: AzureActivity
+  service: azureactivity
 detection:
   selection:
     CategoryValue: 'Administrative'

rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml

@@ -1,7 +1,7 @@
 title: Azure Active Directory Hybrid Health AD FS Service Delete
 id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff
 description: |
-  This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
+  This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
   A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
   The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
 status: experimental
@@ -14,7 +14,7 @@ references:
   - https://o365blog.com/post/hybridhealthagent/
 logsource:
   product: azure
-  service: AzureActivity
+  service: azureactivity
 detection:
   selection:
     CategoryValue: 'Administrative'

rules/cloud/azure/azure_account_lockout.yml

@@ -8,7 +8,7 @@ references:
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
   product: azure
-  service: azure.signinlogs
+  service: signinlogs
 detection:
   selection:
     ResultType: 50053

rules/cloud/azure/azure_app_credential_modification.yml

@@ -8,7 +8,7 @@ references:
     - https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 'Update application - Certificates and secrets management'

rules/cloud/azure/azure_application_deleted.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message:

rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 

rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 

rules/cloud/azure/azure_change_to_authentication_method.yml

@@ -8,7 +8,7 @@ references:
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
   product: azure
-  service: azure.auditlogs
+  service: auditlogs
 detection:
   selection:
     LoggedByService: 'Authentication Methods'

rules/cloud/azure/azure_container_registry_created_or_deleted.yml

@@ -12,7 +12,7 @@ references:
     - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 

rules/cloud/azure/azure_creating_number_of_resources_detection.yml

@@ -1,15 +1,15 @@
 title: Number Of Resource Creation Or Deployment Activities
 id: d2d901db-7a75-45a1-bc39-0cbf00812192
 status: test
-description: Number of VM creations or deployment activities occur in Azure via the AzureActivity log.
+description: Number of VM creations or deployment activities occur in Azure via the azureactivity log.
 author: sawwinnnaung
 references:
-  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
+  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
 date: 2020/05/07
 modified: 2021/11/27
 logsource:
   product: azure
-  service: AzureActivity
+  service: azureactivity
 detection:
   keywords:
     - Microsoft.Compute/virtualMachines/write

rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 

rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 

rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message|startswith: MICROSOFT.NETWORK/DNSZONES

rules/cloud/azure/azure_federation_modified.yml

@@ -8,7 +8,7 @@ references:
     - https://attack.mitre.org/techniques/T1078
 logsource:
   product: azure
-  service: azure.signinlogs
+  service: signinlogs
 detection:
     selection:
         properties.message: Set federation settings on domain

rules/cloud/azure/azure_firewall_modified_or_deleted.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 

rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 

rules/cloud/azure/azure_granting_permission_detection.yml

@@ -4,12 +4,12 @@ status: test
 description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
 author: sawwinnnaung
 references:
-  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
+  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/Granting_Permissions_To_Account_detection.yaml
 date: 2020/05/07
 modified: 2021/11/27
 logsource:
   product: azure
-  service: AzureActivity
+  service: azureactivity
 detection:
   keywords:
     - Microsoft.Authorization/roleAssignments/write

rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 

rules/cloud/azure/azure_keyvault_modified_or_deleted.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 

rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 

rules/cloud/azure/azure_kubernetes_admission_controller.yml

@@ -9,7 +9,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection1:
           properties.message|startswith:

rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml

@@ -12,7 +12,7 @@ references:
     - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 

rules/cloud/azure/azure_kubernetes_cronjob.yml

@@ -11,7 +11,7 @@ references:
     - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
 logsource:
     product: azure
-    service: azure.activitylogs
+    service: activitylogs
 detection:
     selection1:
           properties.message|startswith:

rules/cloud/azure/azure_kubernetes_events_deleted.yml

@@ -9,7 +9,7 @@ references:
     - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection_operation_name:
           properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE

rules/cloud/azure/azure_kubernetes_network_policy_change.yml

@@ -12,7 +12,7 @@ references:
     - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 

rules/cloud/azure/azure_kubernetes_pods_deleted.yml

@@ -9,7 +9,7 @@ references:
     - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection_operation_name:
           properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE

rules/cloud/azure/azure_kubernetes_role_access.yml

@@ -12,7 +12,7 @@ references:
     - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 

rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml

@@ -12,7 +12,7 @@ references:
     - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 

rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml

@@ -12,7 +12,7 @@ references:
     - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 

rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml

@@ -12,7 +12,7 @@ references:
     - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 

rules/cloud/azure/azure_login_to_disabled_account.yml

@@ -8,7 +8,7 @@ references:
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
   product: azure
-  service: azure.signinlogs
+  service: signinlogs
 detection:
   selection:
     ResultType: 50057

rules/cloud/azure/azure_mfa_disabled.yml

@@ -9,7 +9,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
 logsource:
     product: azure
-    service: azure.activitylogs
+    service: activitylogs
 detection:
     selection:
         eventSource: AzureActiveDirectory

rules/cloud/azure/azure_mfa_interrupted.yml

@@ -8,7 +8,7 @@ references:
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
   product: azure
-  service: azure.signinlogs
+  service: signinlogs
 detection:
   selection:
     ResultType: 50074

rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 

rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message:

rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message:

rules/cloud/azure/azure_network_security_modified_or_deleted.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message:

rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message:

rules/cloud/azure/azure_new_cloudshell_created.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: MICROSOFT.PORTAL/CONSOLES/WRITE

rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 

rules/cloud/azure/azure_rare_operations.yml

@@ -4,12 +4,12 @@ status: test
 description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
 author: sawwinnnaung
 references:
-  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml
+  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/RareOperations.yaml
 date: 2020/05/07
 modified: 2021/11/27
 logsource:
   product: azure
-  service: AzureActivity
+  service: azureactivity
 detection:
   keywords:
     - Microsoft.DocumentDB/databaseAccounts/listKeys/action

rules/cloud/azure/azure_service_principal_created.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 'Add service principal'

rules/cloud/azure/azure_service_principal_removed.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: Remove service principal

rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml

@@ -8,7 +8,7 @@ references:
   - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection1:
         properties.message: 

rules/cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml

@@ -8,7 +8,7 @@ references:
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation
 logsource:
   product: azure
-  service: azure.auditlogs
+  service: auditlogs
 detection:
   selection:
     Category: 'Administrative'

rules/cloud/azure/azure_suppression_rule_created.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message: 

rules/cloud/azure/azure_unusual_authentication_interruption.yml

@@ -8,7 +8,7 @@ references:
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
   product: azure
-  service: azure.signinlogs
+  service: signinlogs
 detection:
     selection1:
           ResultType: 50097

rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml

@@ -8,7 +8,7 @@ references:
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
   product: azure
-  service: azure.signinlogs
+  service: signinlogs
 detection:
   selection:
     ResultType: 53003

rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message|startswith:

rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
   product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
     selection:
         properties.message:

rules/cloud/m365/microsoft365_activity_by_terminated_user.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
     product: m365
 detection:
     selection:

rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
     product: m365
 detection:
     selection:

rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
     product: m365
 detection:
     selection:

rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
     product: m365
 detection:
     selection:

rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatDetection
+    service: threat_detection
     product: m365
 detection:
     selection:

rules/cloud/m365/microsoft365_impossible_travel_activity.yml

@@ -9,7 +9,7 @@ references:
 date: 2020/07/06
 modified: 2021/11/27
 logsource:
-  category: ThreatManagement
+  service: threat_management
   product: m365
 detection:
   selection:

rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
     product: m365
 detection:
     selection:

rules/cloud/m365/microsoft365_new_federated_domain_added.yml

@@ -11,7 +11,7 @@ references:
     - https://www.sygnia.co/golden-saml-advisory
     - https://o365blog.com/post/aadbackdoor/
 logsource:
-    category: Exchange
+    service: exchange
     product: m365
 detection:
     selection:

rules/cloud/m365/microsoft365_potential_ransomware_activity.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
     product: m365
 detection:
     selection:

rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
     product: m365
 detection:
     selection:

rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
     product: m365
 detection:
     selection:

rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
     product: m365
 detection:
     selection:

rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
     product: m365
 detection:
     selection:

rules/compliance/netflow_cleartext_protocols.yml

@@ -53,7 +53,7 @@ references:
     # - PCI DSS 3.2 7.2
     # - PCI DSS 3.2 7.3
 logsource:
-    product: netflow
+    service: netflow
 detection:
     selection:
         destination.port:

rules/web/web_apache_segfault.yml

@@ -8,7 +8,7 @@ references:
 date: 2017/02/28
 modified: 2021/11/27
 logsource:
-  product: apache
+  service: apache
 detection:
   keywords:
     - 'exit signal Segmentation Fault'

rules/web/web_apache_threading_error.yml

@@ -8,7 +8,7 @@ references:
 date: 2019/01/22
 modified: 2021/11/27
 logsource:
-  product: apache
+  service: apache
 detection:
   keywords:
     - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)'

rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml

@@ -15,7 +15,6 @@ tags:
     - attack.persistence
     - attack.t1505.003
 logsource:
-    product: zoho_manageengine
     category: webserver
     definition: 'Must be collect log from \ManageEngine\ADSelfService Plus\logs'
 detection:

rules/web/web_nginx_core_dump.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps
     - https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
 logsource:
-    product: apache
+    service: apache
 detection:
     keywords:
         - 'exited on signal 6 (core dumped)'

tools/config/arcsight.yml

@@ -125,9 +125,9 @@ logsources:
       deviceProduct: Spring
       categoryDeviceGroup: /Application
   apache:
-    product: apache
+    service: apache
     conditions:
-      deviceProduct: Apache
+      deviceservice: apache
       categoryDeviceGroup: /Application
   firewall:
     product: firewall

tools/config/devo-web.yml

@@ -10,7 +10,7 @@ logsources:
     category: proxy
     index: proxy.all.access
   apache:
-    product: apache
+    service: apache
     index: web.all.access
 fieldmappings:
   c-uri: url

tools/config/ecs-azure-ad_auditlogs.yml

@@ -6,6 +6,6 @@ backends:
 fieldmappings:
   category: azure.auditlogs.properties.category
   activityDisplayName: event.action
-  loggedByService: azure.auditlogs.properties.logged_by_service
+  loggedByservice: auditlogs.properties.logged_by_service
   result: event.outcome
   initiatedBy.user.userPrincipalName: azure.auditlogs.properties.initiated_by.user.userPrincipalName

tools/config/fireeye-helix.yml

@@ -116,7 +116,7 @@ logsources:
         category: firewall
         index: firewall
     connection:
-        category: netflow
+        service: netflow
         index: connection
     proxy:
         category: proxy

tools/config/generic/m365.yml

@@ -1,33 +1,33 @@
 title: Microsoft 365 Rules
 order: 10
 logsources:
-    ThreatManagement:
+    threat_management:
         product: m365
-        category: ThreatManagement
+        service: threat_management
         conditions:
             eventSource: SecurityComplianceCenter
-    AccessGovernance:
+    access_governance:
         product: m365
-        category: AccessGovernance
+        service: access_governance
         conditions:
             eventSource: SecurityComplianceCenter
-    CloudDiscovery:
+    cloud_discovery:
         product: m365
-        category: CloudDiscovery
+        service: cloud_discovery
         conditions:
             eventSource: SecurityComplianceCenter
-    DataLossPrevention:
+    data_loss_prevention:
         product: m365
-        category: DataLossPrevention
+        service: data_loss_prevention
         conditions:
             eventSource: SecurityComplianceCenter
-    ThreatDetection:
+    threat_detection:
         product: m365
-        category: ThreatDetection
+        service: threat_detection
         conditions:
             eventSource: SecurityComplianceCenter
-    SharingControl:
+            sharing_control:
         product: m365
-        category: SharingControl
+    service: sharing_control
         conditions:
             eventSource: SecurityComplianceCenter

tools/config/hawk.yml

@@ -8,7 +8,7 @@ logsources:
    conditions:
      vendor_type: 'Antivirus'
  apache:
-   product: apache
+   service: apache
    conditions:
      product_name: 
        - 'apache*'
@@ -41,13 +41,13 @@ logsources:
     vendor_name: "Microsoft"
     product_name: "Onelogin" 
  microsoft365:
-   category: ThreatManagement
+   service: threat_management
    service: Microsoft365
    conditions:
     vendor_name: "Microsoft"
     product_name: "365"
  m365:
-   category: ThreatManagement
+   service: threat_management
    service: m365
    conditions:
     vendor_name: "Microsoft"
@@ -218,22 +218,22 @@ logsources:
   conditions:
     vendor_name: "Zeek IDS"
  azure-signin:
-  service: azure.signinlogs
+  service: signinlogs
   conditions:
     vendor_name: "Microsoft"
     product_name: "Azure"
  azure-auditlogs:
-   service: azure.auditlogs
+   service: auditlogs
    conditions:
     vendor_name: "Microsoft"
     product_name: "Azure"
  azure-activitylogs:
-   service: azure.activitylogs
+   service: activitylogs
    conditions:
     vendor_name: "Microsoft"
     product_name: "Azure"
  azure-activity:
-   service: AzureActivity
+   service: azureactivity
    conditions:
     vendor_name: "Microsoft"
     product_name: "Azure"
@@ -382,7 +382,7 @@ logsources:
  qflow:
    product: qflow
  netflow:
-   product: netflow
+   service: netflow
  ipfix:
    product: ipfix
  flow:

tools/config/limacharlie.yml

@@ -8,4 +8,4 @@ logsources:
   linux:
     product: linux
   netflow:
-    product: netflow
+    service: netflow

tools/config/qradar.yml

@@ -4,7 +4,7 @@ backends:
 order: 20
 logsources:
  apache:
-   product: apache
+   service: apache
    index: apache
    conditions:
      LOGSOURCETYPENAME(devicetype): '*apache*'
@@ -17,7 +17,7 @@ logsources:
    product: qflow
    index: flows
  netflow:
-   product: netflow
+   service: netflow
    index: flows
  ipfix:
    product: ipfix

tools/config/sumologic-cse.yml

@@ -64,11 +64,10 @@ logsources:
     product: gsuite
     index: gsuite
   apache:
-    product: apache
     service: apache
     index: Apache
   apache2:
-    product: apache
+    service: apache
     index: Apache
   nginx:
     product: nginx

tools/config/sumologic.yml

@@ -107,11 +107,10 @@ logsources:
     conditions:
       EventChannel: 'Microsoft-Windows-Bits-Client/Operational' 
   apache:
-    product: apache
     service: apache
     index: WEBSERVER
   apache2:
-    product: apache
+    service: apache
     index: WEBSERVER
   webserver:
     category: webserver