feat: organize queries, policies, and rules into subdirectories (#484)

indexes/gcp.md

@@ -1,12 +1,12 @@
-[ GCS Bucket Made Public](../gcp_audit_rules/gcp_gcs_public.py)
+[ GCS Bucket Made Public](../rules/gcp_audit_rules/gcp_gcs_public.py)
 
-[ GCP Resource in Unused Region](../gcp_audit_rules/gcp_unused_regions.py)
+[ GCP Resource in Unused Region](../rules/gcp_audit_rules/gcp_unused_regions.py)
 
-[ GCP SQL Config Changes](../gcp_audit_rules/gcp_sql_config_changes.py)
+[ GCP SQL Config Changes](../rules/gcp_audit_rules/gcp_sql_config_changes.py)
 
-[ GCP GCS IAM Permission Changes](../gcp_audit_rules/gcp_gcs_iam_changes.py)
+[ GCP GCS IAM Permission Changes](../rules/gcp_audit_rules/gcp_gcs_iam_changes.py)
 
-[ GCP IAM Role Has Changed](../gcp_audit_rules/gcp_iam_custom_role_changes.py)
+[ GCP IAM Role Has Changed](../rules/gcp_audit_rules/gcp_iam_custom_role_changes.py)
 
-[ GCP Corporate Email Not Used](../gcp_audit_rules/gcp_iam_corp_email.py)
+[ GCP Corporate Email Not Used](../rules/gcp_audit_rules/gcp_iam_corp_email.py)
 

indexes/github.md

@@ -1,36 +1,36 @@
 ## User Rules
 
-[ GitHub User Role Updated](../github_rules/github_user_role_updated.py)
+[ GitHub User Role Updated](../rules/github_rules/github_user_role_updated.py)
 
-[ GitHub Team Modified](../github_rules/github_team_modified.py)
+[ GitHub Team Modified](../rules/github_rules/github_team_modified.py)
 
-[ GitHub User Initial Access to Private Repo](../github_rules/github_repo_initial_access.py)
+[ GitHub User Initial Access to Private Repo](../rules/github_rules/github_repo_initial_access.py)
 
-[ GitHub Team Modified](../github_rules/github_team_modified.py)
+[ GitHub Team Modified](../rules/github_rules/github_team_modified.py)
 
-[ GitHub User Initial Access to Private Repo](../github_rules/github_repo_initial_access.py)
+[ GitHub User Initial Access to Private Repo](../rules/github_rules/github_repo_initial_access.py)
 
-[ GitHub User Added or Removed from Org](../github_rules/github_org_modified.py)
+[ GitHub User Added or Removed from Org](../rules/github_rules/github_org_modified.py)
 
-[ GitHub User Access Key Created](../github_rules/github_user_access_key_created.py)
+[ GitHub User Access Key Created](../rules/github_rules/github_user_access_key_created.py)
 
 ## Repository Rules
 
-[ GitHub Branch Protection Policy Override](../github_rules/github_branch_policy_override.py)
+[ GitHub Branch Protection Policy Override](../rules/github_rules/github_branch_policy_override.py)
 
-[ GitHub Branch Protection Disabled](../github_rules/github_branch_protection_disabled.py)
+[ GitHub Branch Protection Disabled](../rules/github_rules/github_branch_protection_disabled.py)
 
-[ GitHub Repository Created](../github_rules/github_repo_created.py)
+[ GitHub Repository Created](../rules/github_rules/github_repo_created.py)
 
-[ GitHub Repository Visibility Change](../github_rules/github_repo_collaborator_change.py)
+[ GitHub Repository Visibility Change](../rules/github_rules/github_repo_collaborator_change.py)
 
-[ GitHub Web Hook Modified](../github_rules/github_repo_hook_modified.py)
+[ GitHub Web Hook Modified](../rules/github_rules/github_repo_hook_modified.py)
 
-[ GitHub Repository Visibility Change](../github_rules/github_repo_visibility_change.py)
+[ GitHub Repository Visibility Change](../rules/github_rules/github_repo_visibility_change.py)
 
 
 ## Organization Rules
 
-[ GitHub Org Authentication Method Changed](../github_rules/github_org_auth_modified.py)
+[ GitHub Org Authentication Method Changed](../rules/github_rules/github_org_auth_modified.py)
 
-[ GitHub Org IP Allow List modified](../github_rules/github_org_ip_allowlist.py)
+[ GitHub Org IP Allow List modified](../rules/github_rules/github_org_ip_allowlist.py)

indexes/gworkspace.md

@@ -1,44 +1,44 @@
 ## Drive and Docs 
-[ External GSuite File Share](../gsuite_reports_rules/gsuite_drive_external_share.py)
+[ External GSuite File Share](../rules/gsuite_reports_rules/gsuite_drive_external_share.py)
 
-[ GSuite Document External Ownership Transfer](../gsuite_activityevent_rules/gsuite_doc_ownership_transfer.py)
+[ GSuite Document External Ownership Transfer](../rules/gsuite_activityevent_rules/gsuite_doc_ownership_transfer.py)
 
-[ GSuite External Drive Document](../gsuite_reports_rules/gsuite_drive_visibility_change.py)
+[ GSuite External Drive Document](../rules/gsuite_reports_rules/gsuite_drive_visibility_change.py)
 
-[ GSuite Overly Visible Drive Document](../gsuite_reports_rules/gsuite_drive_overly_visible.py)
+[ GSuite Overly Visible Drive Document](../rules/gsuite_reports_rules/gsuite_drive_overly_visible.py)
 
 ## User Specific 
 
-[ GSuite Device Suspicious Activity](../gsuite_activityevent_rules/gsuite_mobile_device_suspicious_activity.py)
+[ GSuite Device Suspicious Activity](../rules/gsuite_activityevent_rules/gsuite_mobile_device_suspicious_activity.py)
 
-[ GSuite User Advanced Protection Change](../gsuite_activityevent_rules/gsuite_advanced_protection.py)
+[ GSuite User Advanced Protection Change](../rules/gsuite_activityevent_rules/gsuite_advanced_protection.py)
 
-[ GSuite User Banned from Group](../gsuite_activityevent_rules/gsuite_group_banned_user.py)
+[ GSuite User Banned from Group](../rules/gsuite_activityevent_rules/gsuite_group_banned_user.py)
 
-[ GSuite User Device Compromised](../gsuite_activityevent_rules/gsuite_mobile_device_compromise.py)
+[ GSuite User Device Compromised](../rules/gsuite_activityevent_rules/gsuite_mobile_device_compromise.py)
 
-[ GSuite User Device Unlock Failures](../gsuite_activityevent_rules/gsuite_mobile_device_screen_unlock_fail.py)
+[ GSuite User Device Unlock Failures](../rules/gsuite_activityevent_rules/gsuite_mobile_device_screen_unlock_fail.py)
 
-[ GSuite User Password Leaked](../gsuite_activityevent_rules/gsuite_leaked_password.py)
+[ GSuite User Password Leaked](../rules/gsuite_activityevent_rules/gsuite_leaked_password.py)
 
-[ GSuite User Suspended](../gsuite_activityevent_rules/gsuite_user_suspended.py)
+[ GSuite User Suspended](../rules/gsuite_activityevent_rules/gsuite_user_suspended.py)
 
-[ GSuite User Two Step Verification Change](../gsuite_activityevent_rules/gsuite_two_step_verification.py)
+[ GSuite User Two Step Verification Change](../rules/gsuite_activityevent_rules/gsuite_two_step_verification.py)
 
-[ Gsuite Mail forwarded to external domain](../gsuite_activityevent_rules/gsuite_external_forwarding.py)
+[ Gsuite Mail forwarded to external domain](../rules/gsuite_activityevent_rules/gsuite_external_forwarding.py)
 
-[ Suspicious GSuite Login](../gsuite_activityevent_rules/gsuite_suspicious_logins.py)
+[ Suspicious GSuite Login](../rules/gsuite_activityevent_rules/gsuite_suspicious_logins.py)
 
-[ GSuite Unapproved Login Type](../gsuite_activityevent_rules/gsuite_login_type.py)
+[ GSuite Unapproved Login Type](../rules/gsuite_activityevent_rules/gsuite_login_type.py)
 
 ## Account Alerts
 
-[ GSuite Government Backed Attack](../gsuite_activityevent_rules/gsuite_gov_attack.py)
+[ GSuite Government Backed Attack](../rules/gsuite_activityevent_rules/gsuite_gov_attack.py)
 
-[ GSuite Low Severity Rule Triggered](../gsuite_activityevent_rules/gsuite_low_severity_rule.py)
+[ GSuite Low Severity Rule Triggered](../rules/gsuite_activityevent_rules/gsuite_low_severity_rule.py)
 
-[ GSuite Medium Severity Rule Triggered](../gsuite_activityevent_rules/gsuite_medium_severity_rule.py)
+[ GSuite Medium Severity Rule Triggered](../rules/gsuite_activityevent_rules/gsuite_medium_severity_rule.py)
 
-[ GSuite High Severity Rule Triggered](../gsuite_activityevent_rules/gsuite_high_severity_rule.py)
+[ GSuite High Severity Rule Triggered](../rules/gsuite_activityevent_rules/gsuite_high_severity_rule.py)
 
-[ Google Accessed a GSuite Resource](../gsuite_activityevent_rules/gsuite_google_access.py)
+[ Google Accessed a GSuite Resource](../rules/gsuite_activityevent_rules/gsuite_google_access.py)

indexes/okta.md

@@ -1,28 +1,28 @@
 ## Rules 
 
-[ Okta MFA Globally Disabled](../okta_rules/okta_admin_disabled_mfa.py)
+[ Okta MFA Globally Disabled](../rules/okta_rules/okta_admin_disabled_mfa.py)
 
-[ Okta API Key Revoked](../okta_rules/okta_api_key_revoked.py)
+[ Okta API Key Revoked](../rules/okta_rules/okta_api_key_revoked.py)
 
-[ Geographically Improbable Okta Login](../okta_rules/okta_geo_improbable_access.py)
+[ Geographically Improbable Okta Login](../rules/okta_rules/okta_geo_improbable_access.py)
 
-[ Okta Support Reset Credential](../okta_rules/okta_support_reset.py)
+[ Okta Support Reset Credential](../rules/okta_rules/okta_support_reset.py)
 
-[ Okta Admin Role Assigned](../okta_rules/okta_admin_role_assigned.py)
+[ Okta Admin Role Assigned](../rules/okta_rules/okta_admin_role_assigned.py)
 
-[ Okta API Key Created](../okta_rules/okta_api_key_created.py)
+[ Okta API Key Created](../rules/okta_rules/okta_api_key_created.py)
 
-[ Okta Support Access Granted](../okta_rules/okta_account_support_access.py)
+[ Okta Support Access Granted](../rules/okta_rules/okta_account_support_access.py)
 
 
 ## Investigative Queries 
 
-[Session ID Audit ](../okta_queries/okta_session_id_audit.yml)
+[Session ID Audit ](../queries/okta_queries/okta_session_id_audit.yml)
 
-[MFA and Password Reset Audit ](../okta_queries/okta_mfa_password_reset_audit.yml)
+[MFA and Password Reset Audit ](../queries/okta_queries/okta_mfa_password_reset_audit.yml)
 
-[Admin Access Granted](../okta_queries/okta_admin_access_granted.yml)
+[Admin Access Granted](../queries/okta_queries/okta_admin_access_granted.yml)
 
-[Support Access](../okta_queries/okta_support_access.yml)
+[Support Access](../queries/okta_queries/okta_support_access.yml)
 
-[User Activity Audit](../okta_queries/okta_activity_audit.yml)
+[User Activity Audit](../queries/okta_queries/okta_activity_audit.yml)

indexes/onelogin.md

@@ -1,43 +1,43 @@
-[ OneLogin High Risk Login](../onelogin_rules/onelogin_high_risk_login.py)
+[ OneLogin High Risk Login](../rules/onelogin_rules/onelogin_high_risk_login.py)
 
-[ OneLogin Multiple Accounts Deleted](../onelogin_rules/onelogin_threshold_accounts_deleted.py)
+[ OneLogin Multiple Accounts Deleted](../rules/onelogin_rules/onelogin_threshold_accounts_deleted.py)
 
-[ OneLogin Password Access](../onelogin_rules/onelogin_password_accessed.py)
+[ OneLogin Password Access](../rules/onelogin_rules/onelogin_password_accessed.py)
 
-[ OneLogin Authentication Factor Removed](../onelogin_rules/onelogin_remove_authentication_factor.py)
+[ OneLogin Authentication Factor Removed](../rules/onelogin_rules/onelogin_remove_authentication_factor.py)
 
-[ OneLogin Failed High Risk Login](../onelogin_rules/onelogin_high_risk_failed_login.py)
+[ OneLogin Failed High Risk Login](../rules/onelogin_rules/onelogin_high_risk_failed_login.py)
 
-[ OneLogin Multiple Accounts Modified](../onelogin_rules/onelogin_threshold_accounts_modified.py)
+[ OneLogin Multiple Accounts Modified](../rules/onelogin_rules/onelogin_threshold_accounts_modified.py)
 
-[ OneLogin User Locked](../onelogin_rules/onelogin_user_account_locked.py)
+[ OneLogin User Locked](../rules/onelogin_rules/onelogin_user_account_locked.py)
 
-[ OneLogin User Password Changed](../onelogin_rules/onelogin_password_changed.py)
+[ OneLogin User Password Changed](../rules/onelogin_rules/onelogin_password_changed.py)
 
-[ OneLogin User Assumed Another User](../onelogin_rules/onelogin_user_assumed.py)
+[ OneLogin User Assumed Another User](../rules/onelogin_rules/onelogin_user_assumed.py)
 
-[ OneLogin Unauthorized Access](../onelogin_rules/onelogin_unauthorized_access.py)
+[ OneLogin Unauthorized Access](../rules/onelogin_rules/onelogin_unauthorized_access.py)
 
-[ OneLogin Active Login Activity](../onelogin_rules/onelogin_active_login_activity.py)
+[ OneLogin Active Login Activity](../rules/onelogin_rules/onelogin_active_login_activity.py)
 
-[ OneLogin High Risk Login](../onelogin_rules/onelogin_high_risk_login.py)
+[ OneLogin High Risk Login](../rules/onelogin_rules/onelogin_high_risk_login.py)
 
-[ OneLogin Multiple Accounts Deleted](../onelogin_rules/onelogin_threshold_accounts_deleted.py)
+[ OneLogin Multiple Accounts Deleted](../rules/onelogin_rules/onelogin_threshold_accounts_deleted.py)
 
-[ OneLogin Password Access](../onelogin_rules/onelogin_password_accessed.py)
+[ OneLogin Password Access](../rules/onelogin_rules/onelogin_password_accessed.py)
 
-[ OneLogin Authentication Factor Removed](../onelogin_rules/onelogin_remove_authentication_factor.py)
+[ OneLogin Authentication Factor Removed](../rules/onelogin_rules/onelogin_remove_authentication_factor.py)
 
-[ OneLogin Failed High Risk Login](../onelogin_rules/onelogin_high_risk_failed_login.py)
+[ OneLogin Failed High Risk Login](../rules/onelogin_rules/onelogin_high_risk_failed_login.py)
 
-[ OneLogin Multiple Accounts Modified](../onelogin_rules/onelogin_threshold_accounts_modified.py)
+[ OneLogin Multiple Accounts Modified](../rules/onelogin_rules/onelogin_threshold_accounts_modified.py)
 
-[ OneLogin User Locked](../onelogin_rules/onelogin_user_account_locked.py)
+[ OneLogin User Locked](../rules/onelogin_rules/onelogin_user_account_locked.py)
 
-[ OneLogin User Password Changed](../onelogin_rules/onelogin_password_changed.py)
+[ OneLogin User Password Changed](../rules/onelogin_rules/onelogin_password_changed.py)
 
-[ OneLogin User Assumed Another User](../onelogin_rules/onelogin_user_assumed.py)
+[ OneLogin User Assumed Another User](../rules/onelogin_rules/onelogin_user_assumed.py)
 
-[ OneLogin Unauthorized Access](../onelogin_rules/onelogin_unauthorized_access.py)
+[ OneLogin Unauthorized Access](../rules/onelogin_rules/onelogin_unauthorized_access.py)
 
-[ OneLogin Active Login Activity](../onelogin_rules/onelogin_active_login_activity.py)
+[ OneLogin Active Login Activity](../rules/onelogin_rules/onelogin_active_login_activity.py)

indexes/onepass.md

@@ -1,6 +1,6 @@
-[ Unusual 1Password Client Detected](../onepassword_rules/onepassword_unusual_client.py)
+[ Unusual 1Password Client Detected](../rules/onepassword_rules/onepassword_unusual_client.py)
 
-[ BETA - Sensitive 1Password Item Accessed](../onepassword_rules/onepassword_lut_sensitive_item_access.py)
+[ BETA - Sensitive 1Password Item Accessed](../rules/onepassword_rules/onepassword_lut_sensitive_item_access.py)
 
-[ Configuration Required - Sensitive 1Password Item Accessed](../onepassword_rules/onepassword_sensitive_item_access.py)
+[ Configuration Required - Sensitive 1Password Item Accessed](../rules/onepassword_rules/onepassword_sensitive_item_access.py)
 

indexes/osquery.md

@@ -1,28 +1,28 @@
 ## Linux 
 
-[ A Login from Outside the Corporate Office](../osquery_rules/osquery_linux_logins_non_office.py)
+[ A Login from Outside the Corporate Office](../rules/osquery_rules/osquery_linux_logins_non_office.py)
 
-[ AWS command executed on the command line](../osquery_rules/osquery_linux_aws_commands.py)
+[ AWS command executed on the command line](../rules/osquery_rules/osquery_linux_aws_commands.py)
 
 ## MacOS 
-[ OSQuery Reports Application Firewall Disabled](../osquery_rules/osquery_mac_enable_auto_update.py)
+[ OSQuery Reports Application Firewall Disabled](../rules/osquery_rules/osquery_mac_enable_auto_update.py)
 
-[ Unsupported macOS version](../osquery_rules/osquery_outdated_macos.py)
+[ Unsupported macOS version](../rules/osquery_rules/osquery_outdated_macos.py)
 
-[ MacOS ALF is misconfigured](../osquery_rules/osquery_mac_application_firewall.py)
+[ MacOS ALF is misconfigured](../rules/osquery_rules/osquery_mac_application_firewall.py)
 
-[ MacOS Keyboard Events](../osquery_rules/osquery_mac_osx_attacks_keyboard_events.py)
+[ MacOS Keyboard Events](../rules/osquery_rules/osquery_mac_osx_attacks_keyboard_events.py)
 
-[ macOS Malware Detected with osquery](../osquery_rules/osquery_mac_osx_attacks.py)
+[ macOS Malware Detected with osquery](../rules/osquery_rules/osquery_mac_osx_attacks.py)
 
 ## OSQuery Config and Universal  
-[ OSQuery Detected SSH Listener](../osquery_rules/osquery_ssh_listener.py)
+[ OSQuery Detected SSH Listener](../rules/osquery_rules/osquery_ssh_listener.py)
 
-[ Suspicious cron detected](../osquery_rules/osquery_suspicious_cron.py)
+[ Suspicious cron detected](../rules/osquery_rules/osquery_suspicious_cron.py)
 
-[ OSQuery Detected Unwanted Chrome Extensions](../osquery_rules/osquery_mac_unwanted_chrome_extensions.py)
+[ OSQuery Detected Unwanted Chrome Extensions](../rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.py)
 
-[ Osquery Agent Outdated](../osquery_rules/osquery_outdated.py)
+[ Osquery Agent Outdated](../rules/osquery_rules/osquery_outdated.py)
 
-[ OSSEC Rootkit Detected via Osquery](../osquery_rules/osquery_ossec.py)
+[ OSSEC Rootkit Detected via Osquery](../rules/osquery_rules/osquery_ossec.py)