[New Rule] Microsoft 365 Exchange DKIM Signing Configuration Disabled (#578)

* [New Rule] O365 Exchange DKIM Signing Configuration Disabled

* rebrand to m365

* still req non ecs schema

* Remove the ECS override

* Update _flatten_schema logic

* Allow fields with * in the path

* Allow explicit fields to overwrite implicit * fields

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

detection_rules/beats.py

@@ -83,12 +83,12 @@ def _flatten_schema(schema: list, prefix="") -> list:
             # we have what looks like zoom.zoom.*, but should actually just be zoom.*.
             # this is one quick heuristic to determine if a submodule nests fields at the parent.
             # it's probably not perfect, but we can fix other bugs as we run into them later
-            if len(schema) == 1 and nested_prefix == prefix + prefix:
-                nested_prefix = prefix
+            if len(schema) == 1 and nested_prefix.startswith(prefix + prefix):
+                nested_prefix = s["name"] + "."
             flattened.extend(_flatten_schema(s["fields"], prefix=nested_prefix))
         elif "fields" in s:
             flattened.extend(_flatten_schema(s["fields"], prefix=prefix))
-        elif "name" in s and "description" in s:
+        elif "name" in s:
             s = s.copy()
             # type is implicitly keyword if not defined
             # example: https://github.com/elastic/beats/blob/master/packetbeat/_meta/fields.common.yml#L7-L12