diff --git a/rules/windows/builtin/system/win_anydesk_service_installation.yml b/rules/windows/builtin/system/win_system_anydesk_service_installation.yml
similarity index 100%
rename from rules/windows/builtin/system/win_anydesk_service_installation.yml
rename to rules/windows/builtin/system/win_system_anydesk_service_installation.yml
diff --git a/rules/windows/builtin/system/win_apt_carbonpaper_turla.yml b/rules/windows/builtin/system/win_system_apt_carbonpaper_turla.yml
similarity index 100%
rename from rules/windows/builtin/system/win_apt_carbonpaper_turla.yml
rename to rules/windows/builtin/system/win_system_apt_carbonpaper_turla.yml
diff --git a/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml b/rules/windows/builtin/system/win_system_apt_chafer_mar18_system.yml
similarity index 100%
rename from rules/windows/builtin/system/win_apt_chafer_mar18_system.yml
rename to rules/windows/builtin/system/win_system_apt_chafer_mar18_system.yml
diff --git a/rules/windows/builtin/system/win_apt_stonedrill.yml b/rules/windows/builtin/system/win_system_apt_stonedrill.yml
similarity index 100%
rename from rules/windows/builtin/system/win_apt_stonedrill.yml
rename to rules/windows/builtin/system/win_system_apt_stonedrill.yml
diff --git a/rules/windows/builtin/system/win_apt_turla_service_png.yml b/rules/windows/builtin/system/win_system_apt_turla_service_png.yml
similarity index 100%
rename from rules/windows/builtin/system/win_apt_turla_service_png.yml
rename to rules/windows/builtin/system/win_system_apt_turla_service_png.yml
diff --git a/rules/windows/builtin/system/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml
similarity index 100%
rename from rules/windows/builtin/system/win_cobaltstrike_service_installs.yml
rename to rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml
diff --git a/rules/windows/builtin/system/win_eventlog_cleared.yml b/rules/windows/builtin/system/win_system_eventlog_cleared.yml
similarity index 100%
rename from rules/windows/builtin/system/win_eventlog_cleared.yml
rename to rules/windows/builtin/system/win_system_eventlog_cleared.yml
diff --git a/rules/windows/builtin/system/win_hack_smbexec.yml b/rules/windows/builtin/system/win_system_hack_smbexec.yml
similarity index 100%
rename from rules/windows/builtin/system/win_hack_smbexec.yml
rename to rules/windows/builtin/system/win_system_hack_smbexec.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_clip_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_clip_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_clip_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_clip_services.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_obfuscated_iex_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_obfuscated_iex_services.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_stdin_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_stdin_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_var_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_var_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_compress_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_via_compress_services.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_rundll_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_via_rundll_services.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_via_stdin_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_clip_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_clip_services.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_mshta_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_via_use_mshta_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_mshta_services.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_rundll32_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_rundll32_services.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_var_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_via_var_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml
diff --git a/rules/windows/builtin/system/win_krbrelayup_service_installation.yml b/rules/windows/builtin/system/win_system_krbrelayup_service_installation.yml
similarity index 100%
rename from rules/windows/builtin/system/win_krbrelayup_service_installation.yml
rename to rules/windows/builtin/system/win_system_krbrelayup_service_installation.yml
diff --git a/rules/windows/builtin/system/win_lpe_indicators_tabtip.yml b/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml
similarity index 100%
rename from rules/windows/builtin/system/win_lpe_indicators_tabtip.yml
rename to rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml
diff --git a/rules/windows/builtin/system/win_lsasrv_ntlmv1.yml b/rules/windows/builtin/system/win_system_lsasrv_ntlmv1.yml
similarity index 100%
rename from rules/windows/builtin/system/win_lsasrv_ntlmv1.yml
rename to rules/windows/builtin/system/win_system_lsasrv_ntlmv1.yml
diff --git a/rules/windows/builtin/system/win_mal_creddumper.yml b/rules/windows/builtin/system/win_system_mal_creddumper.yml
similarity index 100%
rename from rules/windows/builtin/system/win_mal_creddumper.yml
rename to rules/windows/builtin/system/win_system_mal_creddumper.yml
diff --git a/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
similarity index 100%
rename from rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
rename to rules/windows/builtin/system/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
diff --git a/rules/windows/builtin/system/win_moriya_rootkit.yml b/rules/windows/builtin/system/win_system_moriya_rootkit.yml
similarity index 100%
rename from rules/windows/builtin/system/win_moriya_rootkit.yml
rename to rules/windows/builtin/system/win_system_moriya_rootkit.yml
diff --git a/rules/windows/builtin/system/win_ntfs_vuln_exploit.yml b/rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml
similarity index 100%
rename from rules/windows/builtin/system/win_ntfs_vuln_exploit.yml
rename to rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml
diff --git a/rules/windows/builtin/system/win_pcap_drivers.yml b/rules/windows/builtin/system/win_system_pcap_drivers.yml
similarity index 100%
rename from rules/windows/builtin/system/win_pcap_drivers.yml
rename to rules/windows/builtin/system/win_system_pcap_drivers.yml
diff --git a/rules/windows/builtin/system/win_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/windows/builtin/system/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml
similarity index 100%
rename from rules/windows/builtin/system/win_possible_zerologon_exploitation_using_wellknown_tools.yml
rename to rules/windows/builtin/system/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml
diff --git a/rules/windows/builtin/system/win_powershell_script_installed_as_service.yml b/rules/windows/builtin/system/win_system_powershell_script_installed_as_service.yml
similarity index 100%
rename from rules/windows/builtin/system/win_powershell_script_installed_as_service.yml
rename to rules/windows/builtin/system/win_system_powershell_script_installed_as_service.yml
diff --git a/rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml b/rules/windows/builtin/system/win_system_quarkspwdump_clearing_hive_access_history.yml
similarity index 100%
rename from rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml
rename to rules/windows/builtin/system/win_system_quarkspwdump_clearing_hive_access_history.yml
diff --git a/rules/windows/builtin/system/win_rare_service_installs.yml b/rules/windows/builtin/system/win_system_rare_service_installs.yml
similarity index 100%
rename from rules/windows/builtin/system/win_rare_service_installs.yml
rename to rules/windows/builtin/system/win_system_rare_service_installs.yml
diff --git a/rules/windows/builtin/system/win_rdp_potential_cve_2019_0708.yml b/rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml
similarity index 100%
rename from rules/windows/builtin/system/win_rdp_potential_cve_2019_0708.yml
rename to rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml
diff --git a/rules/windows/builtin/system/win_service_hacktools.yml b/rules/windows/builtin/system/win_system_service_hacktools.yml
similarity index 100%
rename from rules/windows/builtin/system/win_service_hacktools.yml
rename to rules/windows/builtin/system/win_system_service_hacktools.yml
diff --git a/rules/windows/builtin/system/win_service_install_pdqdeploy.yml b/rules/windows/builtin/system/win_system_service_install_pdqdeploy.yml
similarity index 100%
rename from rules/windows/builtin/system/win_service_install_pdqdeploy.yml
rename to rules/windows/builtin/system/win_system_service_install_pdqdeploy.yml
diff --git a/rules/windows/builtin/system/win_service_install_pdqdeploy_runner.yml b/rules/windows/builtin/system/win_system_service_install_pdqdeploy_runner.yml
similarity index 100%
rename from rules/windows/builtin/system/win_service_install_pdqdeploy_runner.yml
rename to rules/windows/builtin/system/win_system_service_install_pdqdeploy_runner.yml
diff --git a/rules/windows/builtin/system/win_service_install_susp_double_ampersand.yml b/rules/windows/builtin/system/win_system_service_install_susp_double_ampersand.yml
similarity index 100%
rename from rules/windows/builtin/system/win_service_install_susp_double_ampersand.yml
rename to rules/windows/builtin/system/win_system_service_install_susp_double_ampersand.yml
diff --git a/rules/windows/builtin/system/win_sliver_service_installs.yml b/rules/windows/builtin/system/win_system_sliver_service_installs.yml
similarity index 100%
rename from rules/windows/builtin/system/win_sliver_service_installs.yml
rename to rules/windows/builtin/system/win_system_sliver_service_installs.yml
diff --git a/rules/windows/builtin/system/win_susp_dhcp_config.yml b/rules/windows/builtin/system/win_system_susp_dhcp_config.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_dhcp_config.yml
rename to rules/windows/builtin/system/win_system_susp_dhcp_config.yml
diff --git a/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml b/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_dhcp_config_failed.yml
rename to rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml
diff --git a/rules/windows/builtin/system/win_susp_proceshacker.yml b/rules/windows/builtin/system/win_system_susp_proceshacker.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_proceshacker.yml
rename to rules/windows/builtin/system/win_system_susp_proceshacker.yml
diff --git a/rules/windows/builtin/system/win_susp_rtcore64_service_install.yml b/rules/windows/builtin/system/win_system_susp_rtcore64_service_install.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_rtcore64_service_install.yml
rename to rules/windows/builtin/system/win_system_susp_rtcore64_service_install.yml
diff --git a/rules/windows/builtin/system/win_susp_sam_dump.yml b/rules/windows/builtin/system/win_system_susp_sam_dump.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_sam_dump.yml
rename to rules/windows/builtin/system/win_system_susp_sam_dump.yml
diff --git a/rules/windows/builtin/system/win_susp_service_installation.yml b/rules/windows/builtin/system/win_system_susp_service_installation.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_service_installation.yml
rename to rules/windows/builtin/system/win_system_susp_service_installation.yml
diff --git a/rules/windows/builtin/system/win_susp_service_installation_folder.yml b/rules/windows/builtin/system/win_system_susp_service_installation_folder.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_service_installation_folder.yml
rename to rules/windows/builtin/system/win_system_susp_service_installation_folder.yml
diff --git a/rules/windows/builtin/system/win_susp_service_installation_folder_pattern.yml b/rules/windows/builtin/system/win_system_susp_service_installation_folder_pattern.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_service_installation_folder_pattern.yml
rename to rules/windows/builtin/system/win_system_susp_service_installation_folder_pattern.yml
diff --git a/rules/windows/builtin/system/win_susp_service_installation_script.yml b/rules/windows/builtin/system/win_system_susp_service_installation_script.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_service_installation_script.yml
rename to rules/windows/builtin/system/win_system_susp_service_installation_script.yml
diff --git a/rules/windows/builtin/system/win_susp_system_update_error.yml b/rules/windows/builtin/system/win_system_susp_system_update_error.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_system_update_error.yml
rename to rules/windows/builtin/system/win_system_susp_system_update_error.yml
diff --git a/rules/windows/builtin/system/win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml b/rules/windows/builtin/system/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
rename to rules/windows/builtin/system/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
diff --git a/rules/windows/builtin/system/win_system_application_sysmon_crash.yml b/rules/windows/builtin/system/win_system_system_application_sysmon_crash.yml
similarity index 100%
rename from rules/windows/builtin/system/win_system_application_sysmon_crash.yml
rename to rules/windows/builtin/system/win_system_system_application_sysmon_crash.yml
diff --git a/rules/windows/builtin/system/win_system_defender_disabled.yml b/rules/windows/builtin/system/win_system_system_defender_disabled.yml
similarity index 100%
rename from rules/windows/builtin/system/win_system_defender_disabled.yml
rename to rules/windows/builtin/system/win_system_system_defender_disabled.yml
diff --git a/rules/windows/builtin/system/win_system_service_installation_by_unusal_client.yml b/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml
similarity index 100%
rename from rules/windows/builtin/system/win_system_service_installation_by_unusal_client.yml
rename to rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml
diff --git a/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/system/win_system_system_susp_eventlog_cleared.yml
similarity index 100%
rename from rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml
rename to rules/windows/builtin/system/win_system_system_susp_eventlog_cleared.yml
diff --git a/rules/windows/builtin/system/win_tap_driver_installation.yml b/rules/windows/builtin/system/win_system_tap_driver_installation.yml
similarity index 100%
rename from rules/windows/builtin/system/win_tap_driver_installation.yml
rename to rules/windows/builtin/system/win_system_tap_driver_installation.yml
diff --git a/rules/windows/builtin/system/win_tool_psexec.yml b/rules/windows/builtin/system/win_system_tool_psexec.yml
similarity index 100%
rename from rules/windows/builtin/system/win_tool_psexec.yml
rename to rules/windows/builtin/system/win_system_tool_psexec.yml
diff --git a/rules/windows/builtin/system/win_volume_shadow_copy_mount.yml b/rules/windows/builtin/system/win_system_volume_shadow_copy_mount.yml
similarity index 100%
rename from rules/windows/builtin/system/win_volume_shadow_copy_mount.yml
rename to rules/windows/builtin/system/win_system_volume_shadow_copy_mount.yml
diff --git a/rules/windows/builtin/system/win_vul_cve_2020_1472.yml b/rules/windows/builtin/system/win_system_vul_cve_2020_1472.yml
similarity index 100%
rename from rules/windows/builtin/system/win_vul_cve_2020_1472.yml
rename to rules/windows/builtin/system/win_system_vul_cve_2020_1472.yml
diff --git a/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml b/rules/windows/builtin/system/win_system_vul_cve_2021_42278_or_cve_2021_42287.yml
similarity index 100%
rename from rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml
rename to rules/windows/builtin/system/win_system_vul_cve_2021_42278_or_cve_2021_42287.yml