From cd220c87982011d4ad156c7daecd2857c358d154 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ed=E2=81=A6?=
Date: Fri, 2 Sep 2022 09:39:07 -0700
Subject: [PATCH] feat: organize queries, policies, and rules into subdirectories (#484)
---
 indexes/aws.md | 336 +++++++++---------
 indexes/gcp.md | 12 +-
 indexes/github.md | 30 +-
 indexes/gworkspace.md | 40 +--
 indexes/okta.md | 24 +-
 indexes/onelogin.md | 44 +--
 indexes/onepass.md | 6 +-
 indexes/osquery.md | 24 +-
 indexes/saas.md | 84 ++---
 indexes/snowflake.md | 24 +-
 indexes/standard.md | 8 +-
 ...s_password_policy_complexity_guidelines.py | 0
 ..._password_policy_complexity_guidelines.yml | 0
 .../aws_password_policy_password_age_limit.py | 0
 ...aws_password_policy_password_age_limit.yml | 0
 .../aws_password_policy_password_reuse.py | 0
 .../aws_password_policy_password_reuse.yml | 0
 .../aws_resource_minimum_tags.py | 0
 .../aws_resource_minimum_tags.yml | 0
 .../aws_resource_required_tags.py | 0
 .../aws_resource_required_tags.yml | 0
 .../aws_acm_certificate_expiration.py | 0
 .../aws_acm_certificate_expiration.yml | 0
 ...s_acm_certificate_has_secure_algorithms.py | 0
 ..._acm_certificate_has_secure_algorithms.yml | 0
 .../aws_acm_certificate_valid.py | 0
 .../aws_acm_certificate_valid.yml | 0
 .../aws_cloudformation_stack_drifted.py | 0
 .../aws_cloudformation_stack_drifted.yml | 0
 .../aws_cloudformation_stack_uses_iam_role.py | 0
 ...aws_cloudformation_stack_uses_iam_role.yml | 0
 ...s_cloudformation_termination_protection.py | 0
 ..._cloudformation_termination_protection.yml | 0
 .../aws_cloudtrail_cloudwatch_logs.py | 0
 .../aws_cloudtrail_cloudwatch_logs.yml | 0
 .../aws_cloudtrail_enabled.py | 0
 .../aws_cloudtrail_enabled.yml | 0
 .../aws_cloudtrail_log_encryption.py | 0
 .../aws_cloudtrail_log_encryption.yml | 0
 .../aws_cloudtrail_log_validation.py | 0
 .../aws_cloudtrail_log_validation.yml | 0
 ...aws_cloudtrail_s3_bucket_access_logging.py | 0
 ...ws_cloudtrail_s3_bucket_access_logging.yml | 0
 .../aws_cloudtrail_s3_bucket_public.py | 0
 .../aws_cloudtrail_s3_bucket_public.yml | 0
.../aws_cloudwatch_loggroup_data_retention.py | 0 ...aws_cloudwatch_loggroup_data_retention.yml | 0 .../aws_cloudwatch_loggroup_encrypted.py | 0 .../aws_cloudwatch_loggroup_encrypted.yml | 0 ...cloudwatch_loggroup_sensitive_encrypted.py | 0 ...loudwatch_loggroup_sensitive_encrypted.yml | 0 .../aws_config_all_resource_types.py | 0 .../aws_config_all_resource_types.yml | 0 .../aws_config_global_resources.py | 0 .../aws_config_global_resources.yml | 0 .../aws_config_recording_enabled.py | 0 .../aws_config_recording_enabled.yml | 0 .../aws_config_recording_no_error.py | 0 .../aws_config_recording_no_error.yml | 0 .../aws_dynamodb_autoscaling.py | 0 .../aws_dynamodb_autoscaling.yml | 0 .../aws_dynamodb_autoscaling_configuration.py | 0 ...aws_dynamodb_autoscaling_configuration.yml | 0 .../aws_dynamodb_table_encryption.py | 0 .../aws_dynamodb_table_encryption.yml | 0 .../aws_dynamodb_table_ttl_enabled.py | 0 .../aws_dynamodb_table_ttl_enabled.yml | 0 .../aws_ec2_policies}/aws_ami_private.py | 0 .../aws_ec2_policies}/aws_ami_private.yml | 0 .../aws_ec2_ami_approved_host.py | 0 .../aws_ec2_ami_approved_host.yml | 0 .../aws_ec2_ami_approved_instance_type.py | 0 .../aws_ec2_ami_approved_instance_type.yml | 0 .../aws_ec2_ami_approved_tenancy.py | 0 .../aws_ec2_ami_approved_tenancy.yml | 0 .../aws_ec2_cde_volume_encrypted.py | 0 .../aws_ec2_cde_volume_encrypted.yml | 0 .../aws_ec2_instance_approved_ami.py | 0 .../aws_ec2_instance_approved_ami.yml | 0 .../aws_ec2_instance_approved_host.py | 0 .../aws_ec2_instance_approved_host.yml | 0 ...aws_ec2_instance_approved_instance_type.py | 0 ...ws_ec2_instance_approved_instance_type.yml | 0 .../aws_ec2_instance_approved_tenancy.py | 0 .../aws_ec2_instance_approved_tenancy.yml | 0 .../aws_ec2_instance_approved_vpc.py | 0 .../aws_ec2_instance_approved_vpc.yml | 0 .../aws_ec2_instance_detailed_monitoring.py | 0 .../aws_ec2_instance_detailed_monitoring.yml | 0 .../aws_ec2_instance_ebs_optimization.py | 0 
.../aws_ec2_instance_ebs_optimization.yml | 0 .../aws_ec2_volume_encryption.py | 0 .../aws_ec2_volume_encryption.yml | 0 .../aws_ec2_volume_snapshot_encrypted.py | 0 .../aws_ec2_volume_snapshot_encrypted.yml | 0 .../aws_application_load_balancer_web_acl.py | 0 .../aws_application_load_balancer_web_acl.yml | 0 .../aws_guardduty_enabled.py | 0 .../aws_guardduty_enabled.yml | 0 .../aws_guardduty_master_account.py | 0 .../aws_guardduty_master_account.yml | 0 .../aws_access_key_rotation.py | 0 .../aws_access_key_rotation.yml | 0 .../aws_access_key_unused.py | 0 .../aws_access_key_unused.yml | 0 .../aws_access_keys_at_account_creation.py | 0 .../aws_access_keys_at_account_creation.yml | 0 .../aws_cloudtrail_least_privilege.py | 0 .../aws_cloudtrail_least_privilege.yml | 0 .../aws_iam_policies}/aws_iam_group_users.py | 0 .../aws_iam_policies}/aws_iam_group_users.yml | 0 ...icy_does_not_grant_network_admin_access.py | 0 ...cy_does_not_grant_network_admin_access.yml | 0 ...ws_iam_policy_administrative_privileges.py | 0 ...s_iam_policy_administrative_privileges.yml | 0 .../aws_iam_policy_assigned_to_user.py | 0 .../aws_iam_policy_assigned_to_user.yml | 0 .../aws_iam_policy_blocklist.py | 0 .../aws_iam_policy_blocklist.yml | 0 ..._iam_policy_does_not_grant_admin_access.py | 0 ...iam_policy_does_not_grant_admin_access.yml | 0 ...icy_does_not_grant_network_admin_access.py | 0 ...cy_does_not_grant_network_admin_access.yml | 0 .../aws_iam_policy_role_mapping.py | 0 .../aws_iam_policy_role_mapping.yml | 0 ...am_resource_does_not_have_inline_policy.py | 0 ...m_resource_does_not_have_inline_policy.yml | 0 .../aws_iam_role_external_permission.py | 0 .../aws_iam_role_external_permission.yml | 0 .../aws_iam_role_restricts_usage.py | 0 .../aws_iam_role_restricts_usage.yml | 0 .../aws_iam_policies}/aws_iam_user_mfa.py | 0 .../aws_iam_policies}/aws_iam_user_mfa.yml | 0 .../aws_iam_user_not_in_conflicting_groups.py | 0 ...aws_iam_user_not_in_conflicting_groups.yml | 0 
.../aws_iam_policies}/aws_password_unused.py | 0 .../aws_iam_policies}/aws_password_unused.yml | 0 .../aws_root_account_access_keys.py | 0 .../aws_root_account_access_keys.yml | 0 .../aws_root_account_hardware_mfa.py | 0 .../aws_root_account_hardware_mfa.yml | 0 .../aws_iam_policies}/aws_root_account_mfa.py | 0 .../aws_root_account_mfa.yml | 0 .../aws_kms_policies}/aws_cmk_key_rotation.py | 0 .../aws_cmk_key_rotation.yml | 0 .../aws_kms_key_policy_restricts_usage.py | 0 .../aws_kms_key_policy_restricts_usage.yml | 0 .../aws_alb_ssl_policy.py | 0 .../aws_alb_ssl_policy.yml | 0 .../aws_elbv2_load_balancer_has_ssl_policy.py | 0 ...aws_elbv2_load_balancer_has_ssl_policy.yml | 0 ...ance_auto_minor_version_upgrade_enabled.py | 0 ...nce_auto_minor_version_upgrade_enabled.yml | 0 .../aws_rds_instance_backup.py | 0 .../aws_rds_instance_backup.yml | 0 ...ds_instance_backup_retention_acceptable.py | 0 ...s_instance_backup_retention_acceptable.yml | 0 .../aws_rds_instance_encryption.py | 0 .../aws_rds_instance_encryption.yml | 0 .../aws_rds_instance_high_availability.py | 0 .../aws_rds_instance_high_availability.yml | 0 .../aws_rds_instance_public_access.py | 0 .../aws_rds_instance_public_access.yml | 0 ...aws_rds_instance_snapshot_public_access.py | 0 ...ws_rds_instance_snapshot_public_access.yml | 0 .../aws_redshift_cluster_encryption.py | 0 .../aws_redshift_cluster_encryption.yml | 0 .../aws_redshift_cluster_logging.py | 0 .../aws_redshift_cluster_logging.yml | 0 ...aws_redshift_cluster_maintenance_window.py | 0 ...ws_redshift_cluster_maintenance_window.yml | 0 ...aws_redshift_cluster_snapshot_retention.py | 0 ...ws_redshift_cluster_snapshot_retention.yml | 0 ...t_cluster_snapshot_retention_acceptable.py | 0 ..._cluster_snapshot_retention_acceptable.yml | 0 .../aws_redshift_cluster_version_upgrade.py | 0 .../aws_redshift_cluster_version_upgrade.yml | 0 .../aws_s3_bucket_action_restrictions.py | 0 .../aws_s3_bucket_action_restrictions.yml | 0 .../aws_s3_bucket_encryption.py 
| 0 .../aws_s3_bucket_encryption.yml | 0 .../aws_s3_bucket_lifecycle_configuration.py | 0 .../aws_s3_bucket_lifecycle_configuration.yml | 0 .../aws_s3_policies}/aws_s3_bucket_logging.py | 0 .../aws_s3_bucket_logging.yml | 0 .../aws_s3_bucket_mfa_delete.py | 0 .../aws_s3_bucket_mfa_delete.yml | 0 .../aws_s3_bucket_name_dns_compliance.py | 0 .../aws_s3_bucket_name_dns_compliance.yml | 0 .../aws_s3_bucket_object_lock_configured.py | 0 .../aws_s3_bucket_object_lock_configured.yml | 0 ..._bucket_policy_allow_with_not_principal.py | 0 ...bucket_policy_allow_with_not_principal.yml | 0 .../aws_s3_bucket_principal_restrictions.py | 0 .../aws_s3_bucket_principal_restrictions.yml | 0 .../aws_s3_bucket_public_access_block.py | 0 .../aws_s3_bucket_public_access_block.yml | 0 .../aws_s3_bucket_public_read.py | 0 .../aws_s3_bucket_public_read.yml | 0 .../aws_s3_bucket_public_write.py | 0 .../aws_s3_bucket_public_write.yml | 0 .../aws_s3_bucket_secure_access.py | 0 .../aws_s3_bucket_secure_access.yml | 0 .../aws_s3_bucket_versioning.py | 0 .../aws_s3_bucket_versioning.yml | 0 .../aws_network_acl_restricted_ssh.py | 0 .../aws_network_acl_restricted_ssh.yml | 0 ...s_network_acl_restricts_inbound_traffic.py | 0 ..._network_acl_restricts_inbound_traffic.yml | 0 ...etwork_acl_restricts_insecure_protocols.py | 0 ...twork_acl_restricts_insecure_protocols.yml | 0 ..._network_acl_restricts_outbound_traffic.py | 0 ...network_acl_restricts_outbound_traffic.yml | 0 ...dmz_security_groups_publicly_accessible.py | 0 ...mz_security_groups_publicly_accessible.yml | 0 ...s_security_group_administrative_ingress.py | 0 ..._security_group_administrative_ingress.yml | 0 ..._security_group_restricts_access_to_cde.py | 0 ...security_group_restricts_access_to_cde.yml | 0 ...ecurity_group_restricts_inbound_traffic.py | 0 ...curity_group_restricts_inbound_traffic.yml | 0 ..._restricts_inter_security_group_traffic.py | 0 ...restricts_inter_security_group_traffic.yml | 0 
...curity_group_restricts_outbound_traffic.py | 0 ...urity_group_restricts_outbound_traffic.yml | 0 ...ity_group_restricts_traffic_leaving_cde.py | 0 ...ty_group_restricts_traffic_leaving_cde.yml | 0 ...group_tightly_restricts_inbound_traffic.py | 0 ...roup_tightly_restricts_inbound_traffic.yml | 0 ...roup_tightly_restricts_outbound_traffic.py | 0 ...oup_tightly_restricts_outbound_traffic.yml | 0 ...ws_security_group_unused_security_group.py | 0 ...s_security_group_unused_security_group.yml | 0 ...fault_network_acl_restricts_all_traffic.py | 0 ...ault_network_acl_restricts_all_traffic.yml | 0 .../aws_vpc_default_security_restrictions.py | 0 .../aws_vpc_default_security_restrictions.yml | 0 .../aws_vpc_policies}/aws_vpc_flow_logs.py | 0 .../aws_vpc_policies}/aws_vpc_flow_logs.yml | 0 .../aws_waf_has_xss_predicate.py | 0 .../aws_waf_has_xss_predicate.yml | 0 .../aws_waf_rule_ordering.py | 0 .../aws_waf_rule_ordering.yml | 0 .../cloudtrail_password_spraying.yml | 0 .../cloudtrail_password_spraying_query.yml | 0 .../aws_queries}/scheduled_rule_default.py | 0 .../aws_queries}/vpc_dns_tunneling.yml | 0 .../aws_queries}/vpc_dns_tunneling_query.yml | 0 .../okta_queries}/okta_activity_audit.yml | 0 .../okta_admin_access_granted.yml | 0 .../okta_mfa_password_reset_audit.yml | 0 .../okta_queries}/okta_session_id_audit.yml | 0 .../okta_queries}/okta_support_access.yml | 0 .../snowflake_account_admin_assigned.py | 0 .../snowflake_account_admin_assigned.yml | 0 ...snowflake_account_admin_assigned_query.yml | 0 .../snowflake_brute_force_ip.py | 0 .../snowflake_brute_force_ip.yml | 0 .../snowflake_brute_force_ip_query.yml | 0 .../snowflake_brute_force_username.py | 0 .../snowflake_brute_force_username.yml | 0 .../snowflake_brute_force_username_query.yml | 0 .../snowflake_key_user_password_login.py | 0 .../snowflake_key_user_password_login.yml | 0 ...nowflake_key_user_password_login_query.yml | 0 .../snowflake_login_without_mfa.py | 0 .../snowflake_login_without_mfa.yml | 0 
.../snowflake_login_without_mfa_query.yml | 0 .../snowflake_network_policy_modified.py | 0 .../snowflake_network_policy_modified.yml | 0 ...nowflake_network_policy_modified_query.yml | 0 .../snowflake_privileged_object_changes.py | 0 .../snowflake_privileged_object_changes.yml | 0 ...wflake_privileged_object_changes_query.yml | 0 .../snowflake_public_role_grant.py | 0 .../snowflake_public_role_grant.yml | 0 .../snowflake_public_role_grant_query.yml | 0 .../snowflake_scim_token_created.py | 0 .../snowflake_scim_token_created.yml | 0 .../snowflake_scim_token_created_query.yml | 0 .../snowflake_unusual_login_volume.py | 0 .../snowflake_unusual_login_volume.yml | 0 .../snowflake_unusual_login_volume_query.yml | 0 .../snowflake_user_created.py | 0 .../snowflake_user_created.yml | 0 .../snowflake_user_created_query.yml | 0 .../snowflake_user_enabled.py | 0 .../snowflake_user_enabled.yml | 0 .../snowflake_user_enabled_query.yml | 0 .../aws_ami_modified_for_public_access.py | 0 .../aws_ami_modified_for_public_access.yml | 0 .../aws_cloudtrail_created.py | 0 .../aws_cloudtrail_created.yml | 0 .../aws_cloudtrail_stopped.py | 0 .../aws_cloudtrail_stopped.yml | 0 .../aws_codebuild_made_public.py | 0 .../aws_codebuild_made_public.yml | 0 .../aws_config_service_created.py | 0 .../aws_config_service_created.yml | 0 .../aws_config_service_disabled_deleted.py | 0 .../aws_config_service_disabled_deleted.yml | 0 .../aws_console_login_failed.py | 0 .../aws_console_login_failed.yml | 0 .../aws_console_login_without_mfa.py | 0 .../aws_console_login_without_mfa.yml | 0 .../aws_console_login_without_saml.py | 0 .../aws_console_login_without_saml.yml | 0 .../aws_console_root_login.py | 0 .../aws_console_root_login.yml | 0 .../aws_console_root_login_failed.py | 0 .../aws_console_root_login_failed.yml | 0 .../aws_ec2_gateway_modified.py | 0 .../aws_ec2_gateway_modified.yml | 0 .../aws_ec2_manual_security_group_changes.py | 0 .../aws_ec2_manual_security_group_changes.yml | 0 
.../aws_ec2_network_acl_modified.py | 0 .../aws_ec2_network_acl_modified.yml | 0 .../aws_ec2_route_table_modified.py | 0 .../aws_ec2_route_table_modified.yml | 0 .../aws_ec2_security_group_modified.py | 0 .../aws_ec2_security_group_modified.yml | 0 .../aws_ec2_vpc_modified.py | 0 .../aws_ec2_vpc_modified.yml | 0 .../aws_iam_anything_changed.py | 0 .../aws_iam_anything_changed.yml | 0 .../aws_iam_assume_role_blocklist_ignored.py | 0 .../aws_iam_assume_role_blocklist_ignored.yml | 0 ...m_entity_created_without_cloudformation.py | 0 ..._entity_created_without_cloudformation.yml | 0 .../aws_iam_policy_modified.py | 0 .../aws_iam_policy_modified.yml | 0 .../aws_iam_user_recon_denied.py | 0 .../aws_iam_user_recon_denied.yml | 0 .../aws_key_compromised.py | 0 .../aws_key_compromised.yml | 0 .../aws_cloudtrail_rules}/aws_kms_cmk_loss.py | 0 .../aws_kms_cmk_loss.yml | 0 .../aws_network_acl_permissive_entry.py | 0 .../aws_network_acl_permissive_entry.yml | 0 .../aws_resource_made_public.py | 0 .../aws_resource_made_public.yml | 0 .../aws_root_access_key_created.py | 0 .../aws_root_access_key_created.yml | 0 .../aws_root_activity.py | 0 .../aws_root_activity.yml | 0 .../aws_root_console_login.py | 0 .../aws_root_console_login.yml | 0 .../aws_root_failed_console_login.py | 0 .../aws_root_failed_console_login.yml | 0 .../aws_root_password_changed.py | 0 .../aws_root_password_changed.yml | 0 .../aws_s3_activity_greynoise.py | 0 .../aws_s3_activity_greynoise.yml | 0 .../aws_s3_bucket_deleted.py | 0 .../aws_s3_bucket_deleted.yml | 0 .../aws_s3_bucket_policy_modified.py | 0 .../aws_s3_bucket_policy_modified.yml | 0 .../aws_security_configuration_change.py | 0 .../aws_security_configuration_change.yml | 0 .../aws_snapshot_made_public.py | 0 .../aws_snapshot_made_public.yml | 0 .../aws_unauthorized_api_call.py | 0 .../aws_unauthorized_api_call.yml | 0 .../aws_update_credentials.py | 0 .../aws_update_credentials.yml | 0 .../aws_guardduty_high_sev_findings.py | 0 
.../aws_guardduty_high_sev_findings.yml | 0 .../aws_guardduty_low_sev_findings.py | 0 .../aws_guardduty_low_sev_findings.yml | 0 .../aws_guardduty_med_sev_findings.py | 0 .../aws_guardduty_med_sev_findings.yml | 0 .../aws_s3_rules}/aws_s3_access_error.py | 0 .../aws_s3_rules}/aws_s3_access_error.yml | 0 .../aws_s3_access_ip_allowlist.py | 0 .../aws_s3_access_ip_allowlist.yml | 0 .../aws_s3_rules}/aws_s3_insecure_access.py | 0 .../aws_s3_rules}/aws_s3_insecure_access.yml | 0 .../aws_s3_unauthenticated_access.py | 0 .../aws_s3_unauthenticated_access.yml | 0 .../aws_s3_unknown_requester_get_object.py | 0 .../aws_s3_unknown_requester_get_object.yml | 0 .../aws_vpc_healthy_log_status.py | 0 .../aws_vpc_healthy_log_status.yml | 0 .../aws_vpc_inbound_traffic_port_allowlist.py | 0 ...aws_vpc_inbound_traffic_port_allowlist.yml | 0 .../aws_vpc_inbound_traffic_port_blocklist.py | 0 ...aws_vpc_inbound_traffic_port_blocklist.yml | 0 .../aws_vpc_unapproved_outbound_dns.py | 0 .../aws_vpc_unapproved_outbound_dns.yml | 0 .../box_rules}/box_access_granted.py | 0 .../box_rules}/box_access_granted.yml | 0 .../box_rules}/box_anomalous_download.py | 0 .../box_rules}/box_anomalous_download.yml | 0 .../box_rules}/box_brute_force_login.py | 0 .../box_rules}/box_brute_force_login.yml | 0 .../box_event_triggered_externally.py | 0 .../box_event_triggered_externally.yml | 0 .../box_rules}/box_item_shared_externally.py | 0 .../box_rules}/box_item_shared_externally.yml | 0 .../box_rules}/box_malicious_content.py | 0 .../box_rules}/box_malicious_content.yml | 0 .../box_rules}/box_new_login.py | 0 .../box_rules}/box_new_login.yml | 0 .../box_rules}/box_policy_violation.py | 0 .../box_rules}/box_policy_violation.yml | 0 .../box_suspicious_login_or_session.py | 0 .../box_suspicious_login_or_session.yml | 0 .../box_rules}/box_untrusted_device.py | 0 .../box_rules}/box_untrusted_device.yml | 0 .../box_rules}/box_user_downloads.py | 0 .../box_rules}/box_user_downloads.yml | 0 
.../box_rules}/box_user_permission_updates.py | 0 .../box_user_permission_updates.yml | 0 .../domain_blocked.py | 0 .../domain_blocked.yml | 0 .../fuzzy_matching_domains.py | 0 .../fuzzy_matching_domains.yml | 0 .../suspicious_domains.py | 0 .../suspicious_domains.yml | 0 .../cloudflare_firewall_ddos.py | 0 .../cloudflare_firewall_ddos.yml | 0 ...are_firewall_high_volume_events_blocked.py | 0 ...re_firewall_high_volume_events_blocked.yml | 0 ...ll_high_volume_events_blocked_greynoise.py | 0 ...l_high_volume_events_blocked_greynoise.yml | 0 ...are_firewall_suspicious_event_greynoise.py | 0 ...re_firewall_suspicious_event_greynoise.yml | 0 .../cloudflare_httpreq_bot_high_volume.py | 0 .../cloudflare_httpreq_bot_high_volume.yml | 0 ...flare_httpreq_bot_high_volume_greynoise.py | 0 ...lare_httpreq_bot_high_volume_greynoise.yml | 0 .../crowdstrike_detection_passthrough.py | 0 .../crowdstrike_detection_passthrough.yml | 0 .../crowdstrike_dns_request.py | 0 .../crowdstrike_dns_request.yml | 0 .../gcp_audit_rules}/gcp_gcs_iam_changes.py | 0 .../gcp_audit_rules}/gcp_gcs_iam_changes.yml | 0 .../gcp_audit_rules}/gcp_gcs_public.py | 0 .../gcp_audit_rules}/gcp_gcs_public.yml | 0 .../gcp_iam_admin_role_assigned.py | 0 .../gcp_iam_admin_role_assigned.yml | 0 .../gcp_audit_rules}/gcp_iam_corp_email.py | 0 .../gcp_audit_rules}/gcp_iam_corp_email.yml | 0 .../gcp_iam_custom_role_changes.py | 0 .../gcp_iam_custom_role_changes.yml | 0 .../gcp_iam_org_folder_changes.py | 0 .../gcp_iam_org_folder_changes.yml | 0 .../gcp_sql_config_changes.py | 0 .../gcp_sql_config_changes.yml | 0 .../gcp_audit_rules}/gcp_unused_regions.py | 0 .../gcp_audit_rules}/gcp_unused_regions.yml | 0 .../github_branch_policy_override.py | 0 .../github_branch_policy_override.yml | 0 .../github_branch_protection_disabled.py | 0 .../github_branch_protection_disabled.yml | 0 .../github_rules}/github_org_auth_modified.py | 0 .../github_org_auth_modified.yml | 0 .../github_rules}/github_org_ip_allowlist.py | 0 
.../github_rules}/github_org_ip_allowlist.yml | 0 .../github_rules}/github_org_modified.py | 0 .../github_rules}/github_org_modified.yml | 0 .../github_repo_collaborator_change.py | 0 .../github_repo_collaborator_change.yml | 0 .../github_rules}/github_repo_created.py | 0 .../github_rules}/github_repo_created.yml | 0 .../github_repo_hook_modified.py | 0 .../github_repo_hook_modified.yml | 0 .../github_repo_initial_access.py | 0 .../github_repo_initial_access.yml | 0 .../github_repo_visibility_change.py | 0 .../github_repo_visibility_change.yml | 0 .../github_rules}/github_team_modified.py | 0 .../github_rules}/github_team_modified.yml | 0 .../github_user_access_key_created.py | 0 .../github_user_access_key_created.yml | 0 .../github_rules}/github_user_role_updated.py | 0 .../github_user_role_updated.yml | 0 .../teleport_auth_errors.py | 0 .../teleport_auth_errors.yml | 0 .../teleport_create_user_accounts.py | 0 .../teleport_create_user_accounts.yml | 0 .../teleport_network_scanning.py | 0 .../teleport_network_scanning.yml | 0 .../teleport_scheduled_jobs.py | 0 .../teleport_scheduled_jobs.yml | 0 .../teleport_suspicious_commands.py | 0 .../teleport_suspicious_commands.yml | 0 .../gsuite_advanced_protection.py | 0 .../gsuite_advanced_protection.yml | 0 .../gsuite_brute_force_login.py | 0 .../gsuite_brute_force_login.yml | 0 .../gsuite_doc_ownership_transfer.py | 0 .../gsuite_doc_ownership_transfer.yml | 0 .../gsuite_external_forwarding.py | 0 .../gsuite_external_forwarding.yml | 0 .../gsuite_google_access.py | 0 .../gsuite_google_access.yml | 0 .../gsuite_gov_attack.py | 0 .../gsuite_gov_attack.yml | 0 .../gsuite_group_banned_user.py | 0 .../gsuite_group_banned_user.yml | 0 .../gsuite_leaked_password.py | 0 .../gsuite_leaked_password.yml | 0 .../gsuite_login_type.py | 0 .../gsuite_login_type.yml | 0 .../gsuite_mobile_device_compromise.py | 0 .../gsuite_mobile_device_compromise.yml | 0 ...gsuite_mobile_device_screen_unlock_fail.py | 0 
...suite_mobile_device_screen_unlock_fail.yml | 0 ...suite_mobile_device_suspicious_activity.py | 0 ...uite_mobile_device_suspicious_activity.yml | 0 .../gsuite_permissions_delegated.py | 0 .../gsuite_permissions_delegated.yml | 0 .../gsuite_rule.py | 0 .../gsuite_rule.yml | 0 .../gsuite_suspicious_logins.py | 0 .../gsuite_suspicious_logins.yml | 0 .../gsuite_two_step_verification.py | 0 .../gsuite_two_step_verification.yml | 0 .../gsuite_user_suspended.py | 0 .../gsuite_user_suspended.yml | 0 .../gsuite_drive_external_share.py | 0 .../gsuite_drive_external_share.yml | 0 .../gsuite_drive_overly_visible.py | 0 .../gsuite_drive_overly_visible.yml | 0 .../gsuite_drive_visibility_change.py | 0 .../gsuite_drive_visibility_change.yml | 0 ...uite_drive_visibility_change_deprecated.py | 0 ...ite_drive_visibility_change_deprecated.yml | 0 .../new_aws_account_logging.py | 0 .../new_aws_account_logging.yml | 0 .../new_user_account_logging.py | 0 .../new_user_account_logging.yml | 0 .../okta_account_support_access.py | 0 .../okta_account_support_access.yml | 0 .../okta_rules}/okta_admin_disabled_mfa.py | 0 .../okta_rules}/okta_admin_disabled_mfa.yml | 0 .../okta_rules}/okta_admin_role_assigned.py | 0 .../okta_rules}/okta_admin_role_assigned.yml | 0 .../okta_rules}/okta_api_key_created.py | 0 .../okta_rules}/okta_api_key_created.yml | 0 .../okta_rules}/okta_api_key_revoked.py | 0 .../okta_rules}/okta_api_key_revoked.yml | 0 .../okta_rules}/okta_brute_force_logins.py | 0 .../okta_rules}/okta_brute_force_logins.yml | 0 .../okta_rules}/okta_geo_improbable_access.py | 0 .../okta_geo_improbable_access.yml | 0 .../okta_rules}/okta_support_reset.py | 0 .../okta_rules}/okta_support_reset.yml | 0 .../onelogin_active_login_activity.py | 0 .../onelogin_active_login_activity.yml | 0 .../onelogin_admin_role_assigned.py | 0 .../onelogin_admin_role_assigned.yml | 0 .../onelogin_brute_force_by_ip.py | 0 .../onelogin_brute_force_by_ip.yml | 0 .../onelogin_brute_force_by_username.py | 0 
.../onelogin_brute_force_by_username.yml | 0 .../onelogin_high_risk_failed_login.py | 0 .../onelogin_high_risk_failed_login.yml | 0 .../onelogin_high_risk_login.py | 0 .../onelogin_high_risk_login.yml | 0 .../onelogin_password_accessed.py | 0 .../onelogin_password_accessed.yml | 0 .../onelogin_password_changed.py | 0 .../onelogin_password_changed.yml | 0 .../onelogin_remove_authentication_factor.py | 0 .../onelogin_remove_authentication_factor.yml | 0 .../onelogin_threshold_accounts_deleted.py | 0 .../onelogin_threshold_accounts_deleted.yml | 0 .../onelogin_threshold_accounts_modified.py | 0 .../onelogin_threshold_accounts_modified.yml | 0 .../onelogin_unauthorized_access.py | 0 .../onelogin_unauthorized_access.yml | 0 .../onelogin_rules}/onelogin_unusual_login.py | 0 .../onelogin_unusual_login.yml | 0 .../onelogin_user_account_locked.py | 0 .../onelogin_user_account_locked.yml | 0 .../onelogin_rules}/onelogin_user_assumed.py | 0 .../onelogin_rules}/onelogin_user_assumed.yml | 0 .../onepassword_lut_sensitive_item_access.py | 0 .../onepassword_lut_sensitive_item_access.yml | 0 .../onepassword_sensitive_item_access.py | 0 .../onepassword_sensitive_item_access.yml | 0 .../onepassword_unusual_client.py | 0 .../onepassword_unusual_client.yml | 0 .../osquery_linux_aws_commands.py | 0 .../osquery_linux_aws_commands.yml | 0 .../osquery_linux_logins_non_office.py | 0 .../osquery_linux_logins_non_office.yml | 0 .../osquery_mac_application_firewall.py | 0 .../osquery_mac_application_firewall.yml | 0 .../osquery_mac_enable_auto_update.py | 0 .../osquery_mac_enable_auto_update.yml | 0 .../osquery_rules}/osquery_mac_osx_attacks.py | 0 .../osquery_mac_osx_attacks.yml | 0 ...osquery_mac_osx_attacks_keyboard_events.py | 0 ...squery_mac_osx_attacks_keyboard_events.yml | 0 .../osquery_mac_unwanted_chrome_extensions.py | 0 ...osquery_mac_unwanted_chrome_extensions.yml | 0 .../osquery_rules}/osquery_ossec.py | 0 .../osquery_rules}/osquery_ossec.yml | 0 
.../osquery_rules}/osquery_outdated.py | 0 .../osquery_rules}/osquery_outdated.yml | 0 .../osquery_rules}/osquery_outdated_macos.py | 0 .../osquery_rules}/osquery_outdated_macos.yml | 0 .../osquery_rules}/osquery_ssh_listener.py | 0 .../osquery_rules}/osquery_ssh_listener.yml | 0 .../osquery_rules}/osquery_suspicious_cron.py | 0 .../osquery_suspicious_cron.yml | 0 .../panther_detection_deleted.py | 0 .../panther_detection_deleted.yml | 0 .../panther_saml_modified.py | 0 .../panther_saml_modified.yml | 0 .../panther_sensitive_role_created.py | 0 .../panther_sensitive_role_created.yml | 0 .../atlassian_confluence_ip_iocs.py | 0 .../atlassian_confluence_ip_iocs.yml | 0 .../panther_ioc_rules}/log4j_exploit_iocs.py | 0 .../panther_ioc_rules}/log4j_exploit_iocs.yml | 0 .../panther_ioc_rules}/log4j_ip_iocs.py | 0 .../panther_ioc_rules}/log4j_ip_iocs.yml | 0 .../panther_ioc_rules}/sunburst_fqdn_iocs.py | 0 .../panther_ioc_rules}/sunburst_fqdn_iocs.yml | 0 .../panther_ioc_rules}/sunburst_ip_iocs.py | 0 .../panther_ioc_rules}/sunburst_ip_iocs.yml | 0 .../sunburst_sha256_iocs.py | 0 .../sunburst_sha256_iocs.yml | 0 .../slack_rules}/slack_app_access_expanded.py | 0 .../slack_app_access_expanded.yml | 0 .../slack_rules}/slack_app_added.py | 0 .../slack_rules}/slack_app_added.yml | 0 .../slack_rules}/slack_app_removed.py | 0 .../slack_rules}/slack_app_removed.yml | 0 .../slack_rules}/slack_application_dos.py | 0 .../slack_rules}/slack_application_dos.yml | 0 .../slack_rules}/slack_dlp_modified.py | 0 .../slack_rules}/slack_dlp_modified.yml | 0 .../slack_rules}/slack_ekm_config_changed.py | 0 .../slack_rules}/slack_ekm_config_changed.yml | 0 .../slack_ekm_slackbot_unenrolled.py | 0 .../slack_ekm_slackbot_unenrolled.yml | 0 .../slack_rules}/slack_ekm_unenrolled.py | 0 .../slack_rules}/slack_ekm_unenrolled.yml | 0 .../slack_idp_configuration_change.py | 0 .../slack_idp_configuration_change.yml | 0 .../slack_information_barrier_modified.py | 0 
.../slack_information_barrier_modified.yml | 0 .../slack_rules}/slack_intune_mdm_disabled.py | 0 .../slack_intune_mdm_disabled.yml | 0 .../slack_legal_hold_policy_modified.py | 0 .../slack_legal_hold_policy_modified.yml | 0 .../slack_mfa_settings_changed.py | 0 .../slack_mfa_settings_changed.yml | 0 .../slack_rules}/slack_org_created.py | 0 .../slack_rules}/slack_org_created.yml | 0 .../slack_rules}/slack_org_deleted.py | 0 .../slack_rules}/slack_org_deleted.yml | 0 .../slack_rules}/slack_passthrough_anomaly.py | 0 .../slack_passthrough_anomaly.yml | 0 ...slack_potentially_malicious_file_shared.py | 0 ...lack_potentially_malicious_file_shared.yml | 0 .../slack_private_channel_made_public.py | 0 .../slack_private_channel_made_public.yml | 0 .../slack_service_owner_transferred.py | 0 .../slack_service_owner_transferred.yml | 0 .../slack_sso_settings_changed.py | 0 .../slack_sso_settings_changed.yml | 0 .../slack_user_privilege_escalation.py | 0 .../slack_user_privilege_escalation.yml | 0 .../standard_rules}/admin_assigned.py | 0 .../standard_rules}/admin_assigned.yml | 0 .../standard_rules}/brute_force_by_ip.py | 0 .../standard_rules}/brute_force_by_ip.yml | 0 .../standard_rules}/mfa_disabled.py | 0 .../standard_rules}/mfa_disabled.yml | 0 .../standard_rules}/unusual_login.py | 0 .../standard_rules}/unusual_login.yml | 0 .../zendesk_mobile_app_access.py | 0 .../zendesk_mobile_app_access.yml | 0 .../zendesk_rules}/zendesk_new_api_token.py | 0 .../zendesk_rules}/zendesk_new_api_token.yml | 0 .../zendesk_rules}/zendesk_new_owner.py | 0 .../zendesk_rules}/zendesk_new_owner.yml | 0 .../zendesk_sensitive_data_redaction.py | 0 .../zendesk_sensitive_data_redaction.yml | 0 .../zendesk_rules}/zendesk_user_assumption.py | 0 .../zendesk_user_assumption.yml | 0 .../zendesk_rules}/zendesk_user_role.py | 0 .../zendesk_rules}/zendesk_user_role.yml | 0 .../zendesk_rules}/zendesk_user_suspension.py | 0 .../zendesk_user_suspension.yml | 0 .../zoom_operation_passcode_disabled.py | 0 
.../zoom_operation_passcode_disabled.yml | 0 .../zoom_operation_user_granted_admin.py | 0 .../zoom_operation_user_granted_admin.yml | 0 695 files changed, 316 insertions(+), 316 deletions(-) rename {aws_account_policies => policies/aws_account_policies}/aws_password_policy_complexity_guidelines.py (100%) rename {aws_account_policies => policies/aws_account_policies}/aws_password_policy_complexity_guidelines.yml (100%) rename {aws_account_policies => policies/aws_account_policies}/aws_password_policy_password_age_limit.py (100%) rename {aws_account_policies => policies/aws_account_policies}/aws_password_policy_password_age_limit.yml (100%) rename {aws_account_policies => policies/aws_account_policies}/aws_password_policy_password_reuse.py (100%) rename {aws_account_policies => policies/aws_account_policies}/aws_password_policy_password_reuse.yml (100%) rename {aws_account_policies => policies/aws_account_policies}/aws_resource_minimum_tags.py (100%) rename {aws_account_policies => policies/aws_account_policies}/aws_resource_minimum_tags.yml (100%) rename {aws_account_policies => policies/aws_account_policies}/aws_resource_required_tags.py (100%) rename {aws_account_policies => policies/aws_account_policies}/aws_resource_required_tags.yml (100%) rename {aws_acm_policies => policies/aws_acm_policies}/aws_acm_certificate_expiration.py (100%) rename {aws_acm_policies => policies/aws_acm_policies}/aws_acm_certificate_expiration.yml (100%) rename {aws_acm_policies => policies/aws_acm_policies}/aws_acm_certificate_has_secure_algorithms.py (100%) rename {aws_acm_policies => policies/aws_acm_policies}/aws_acm_certificate_has_secure_algorithms.yml (100%) rename {aws_acm_policies => policies/aws_acm_policies}/aws_acm_certificate_valid.py (100%) rename {aws_acm_policies => policies/aws_acm_policies}/aws_acm_certificate_valid.yml (100%) rename {aws_cloudformation_policies => policies/aws_cloudformation_policies}/aws_cloudformation_stack_drifted.py (100%) rename 
{aws_cloudformation_policies => policies/aws_cloudformation_policies}/aws_cloudformation_stack_drifted.yml (100%) rename {aws_cloudformation_policies => policies/aws_cloudformation_policies}/aws_cloudformation_stack_uses_iam_role.py (100%) rename {aws_cloudformation_policies => policies/aws_cloudformation_policies}/aws_cloudformation_stack_uses_iam_role.yml (100%) rename {aws_cloudformation_policies => policies/aws_cloudformation_policies}/aws_cloudformation_termination_protection.py (100%) rename {aws_cloudformation_policies => policies/aws_cloudformation_policies}/aws_cloudformation_termination_protection.yml (100%) rename {aws_cloudtrail_policies => policies/aws_cloudtrail_policies}/aws_cloudtrail_cloudwatch_logs.py (100%) rename {aws_cloudtrail_policies => policies/aws_cloudtrail_policies}/aws_cloudtrail_cloudwatch_logs.yml (100%) rename {aws_cloudtrail_policies => policies/aws_cloudtrail_policies}/aws_cloudtrail_enabled.py (100%) rename {aws_cloudtrail_policies => policies/aws_cloudtrail_policies}/aws_cloudtrail_enabled.yml (100%) rename {aws_cloudtrail_policies => policies/aws_cloudtrail_policies}/aws_cloudtrail_log_encryption.py (100%) rename {aws_cloudtrail_policies => policies/aws_cloudtrail_policies}/aws_cloudtrail_log_encryption.yml (100%) rename {aws_cloudtrail_policies => policies/aws_cloudtrail_policies}/aws_cloudtrail_log_validation.py (100%) rename {aws_cloudtrail_policies => policies/aws_cloudtrail_policies}/aws_cloudtrail_log_validation.yml (100%) rename {aws_cloudtrail_policies => policies/aws_cloudtrail_policies}/aws_cloudtrail_s3_bucket_access_logging.py (100%) rename {aws_cloudtrail_policies => policies/aws_cloudtrail_policies}/aws_cloudtrail_s3_bucket_access_logging.yml (100%) rename {aws_cloudtrail_policies => policies/aws_cloudtrail_policies}/aws_cloudtrail_s3_bucket_public.py (100%) rename {aws_cloudtrail_policies => policies/aws_cloudtrail_policies}/aws_cloudtrail_s3_bucket_public.yml (100%) rename {aws_cloudwatch_policies => 
policies/aws_cloudwatch_policies}/aws_cloudwatch_loggroup_data_retention.py (100%) rename {aws_cloudwatch_policies => policies/aws_cloudwatch_policies}/aws_cloudwatch_loggroup_data_retention.yml (100%) rename {aws_cloudwatch_policies => policies/aws_cloudwatch_policies}/aws_cloudwatch_loggroup_encrypted.py (100%) rename {aws_cloudwatch_policies => policies/aws_cloudwatch_policies}/aws_cloudwatch_loggroup_encrypted.yml (100%) rename {aws_cloudwatch_policies => policies/aws_cloudwatch_policies}/aws_cloudwatch_loggroup_sensitive_encrypted.py (100%) rename {aws_cloudwatch_policies => policies/aws_cloudwatch_policies}/aws_cloudwatch_loggroup_sensitive_encrypted.yml (100%) rename {aws_config_policies => policies/aws_config_policies}/aws_config_all_resource_types.py (100%) rename {aws_config_policies => policies/aws_config_policies}/aws_config_all_resource_types.yml (100%) rename {aws_config_policies => policies/aws_config_policies}/aws_config_global_resources.py (100%) rename {aws_config_policies => policies/aws_config_policies}/aws_config_global_resources.yml (100%) rename {aws_config_policies => policies/aws_config_policies}/aws_config_recording_enabled.py (100%) rename {aws_config_policies => policies/aws_config_policies}/aws_config_recording_enabled.yml (100%) rename {aws_config_policies => policies/aws_config_policies}/aws_config_recording_no_error.py (100%) rename {aws_config_policies => policies/aws_config_policies}/aws_config_recording_no_error.yml (100%) rename {aws_dynamodb_policies => policies/aws_dynamodb_policies}/aws_dynamodb_autoscaling.py (100%) rename {aws_dynamodb_policies => policies/aws_dynamodb_policies}/aws_dynamodb_autoscaling.yml (100%) rename {aws_dynamodb_policies => policies/aws_dynamodb_policies}/aws_dynamodb_autoscaling_configuration.py (100%) rename {aws_dynamodb_policies => policies/aws_dynamodb_policies}/aws_dynamodb_autoscaling_configuration.yml (100%) rename {aws_dynamodb_policies => 
policies/aws_dynamodb_policies}/aws_dynamodb_table_encryption.py (100%) rename {aws_dynamodb_policies => policies/aws_dynamodb_policies}/aws_dynamodb_table_encryption.yml (100%) rename {aws_dynamodb_policies => policies/aws_dynamodb_policies}/aws_dynamodb_table_ttl_enabled.py (100%) rename {aws_dynamodb_policies => policies/aws_dynamodb_policies}/aws_dynamodb_table_ttl_enabled.yml (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ami_private.py (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ami_private.yml (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_ami_approved_host.py (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_ami_approved_host.yml (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_ami_approved_instance_type.py (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_ami_approved_instance_type.yml (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_ami_approved_tenancy.py (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_ami_approved_tenancy.yml (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_cde_volume_encrypted.py (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_cde_volume_encrypted.yml (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_instance_approved_ami.py (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_instance_approved_ami.yml (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_instance_approved_host.py (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_instance_approved_host.yml (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_instance_approved_instance_type.py (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_instance_approved_instance_type.yml (100%) rename {aws_ec2_policies => 
policies/aws_ec2_policies}/aws_ec2_instance_approved_tenancy.py (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_instance_approved_tenancy.yml (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_instance_approved_vpc.py (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_instance_approved_vpc.yml (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_instance_detailed_monitoring.py (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_instance_detailed_monitoring.yml (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_instance_ebs_optimization.py (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_instance_ebs_optimization.yml (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_volume_encryption.py (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_volume_encryption.yml (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_volume_snapshot_encrypted.py (100%) rename {aws_ec2_policies => policies/aws_ec2_policies}/aws_ec2_volume_snapshot_encrypted.yml (100%) rename {aws_elb_policies => policies/aws_elb_policies}/aws_application_load_balancer_web_acl.py (100%) rename {aws_elb_policies => policies/aws_elb_policies}/aws_application_load_balancer_web_acl.yml (100%) rename {aws_guardduty_policies => policies/aws_guardduty_policies}/aws_guardduty_enabled.py (100%) rename {aws_guardduty_policies => policies/aws_guardduty_policies}/aws_guardduty_enabled.yml (100%) rename {aws_guardduty_policies => policies/aws_guardduty_policies}/aws_guardduty_master_account.py (100%) rename {aws_guardduty_policies => policies/aws_guardduty_policies}/aws_guardduty_master_account.yml (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_access_key_rotation.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_access_key_rotation.yml (100%) rename {aws_iam_policies => 
policies/aws_iam_policies}/aws_access_key_unused.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_access_key_unused.yml (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_access_keys_at_account_creation.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_access_keys_at_account_creation.yml (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_cloudtrail_least_privilege.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_cloudtrail_least_privilege.yml (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_group_users.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_group_users.yml (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_inline_policy_does_not_grant_network_admin_access.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_inline_policy_does_not_grant_network_admin_access.yml (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_policy_administrative_privileges.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_policy_administrative_privileges.yml (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_policy_assigned_to_user.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_policy_assigned_to_user.yml (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_policy_blocklist.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_policy_blocklist.yml (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_policy_does_not_grant_admin_access.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_policy_does_not_grant_admin_access.yml (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_policy_does_not_grant_network_admin_access.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_policy_does_not_grant_network_admin_access.yml (100%) 
rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_policy_role_mapping.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_policy_role_mapping.yml (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_resource_does_not_have_inline_policy.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_resource_does_not_have_inline_policy.yml (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_role_external_permission.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_role_external_permission.yml (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_role_restricts_usage.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_role_restricts_usage.yml (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_user_mfa.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_user_mfa.yml (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_user_not_in_conflicting_groups.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_iam_user_not_in_conflicting_groups.yml (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_password_unused.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_password_unused.yml (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_root_account_access_keys.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_root_account_access_keys.yml (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_root_account_hardware_mfa.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_root_account_hardware_mfa.yml (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_root_account_mfa.py (100%) rename {aws_iam_policies => policies/aws_iam_policies}/aws_root_account_mfa.yml (100%) rename {aws_kms_policies => policies/aws_kms_policies}/aws_cmk_key_rotation.py (100%) rename 
{aws_kms_policies => policies/aws_kms_policies}/aws_cmk_key_rotation.yml (100%) rename {aws_kms_policies => policies/aws_kms_policies}/aws_kms_key_policy_restricts_usage.py (100%) rename {aws_kms_policies => policies/aws_kms_policies}/aws_kms_key_policy_restricts_usage.yml (100%) rename {aws_load_balancer_policies => policies/aws_load_balancer_policies}/aws_alb_ssl_policy.py (100%) rename {aws_load_balancer_policies => policies/aws_load_balancer_policies}/aws_alb_ssl_policy.yml (100%) rename {aws_load_balancer_policies => policies/aws_load_balancer_policies}/aws_elbv2_load_balancer_has_ssl_policy.py (100%) rename {aws_load_balancer_policies => policies/aws_load_balancer_policies}/aws_elbv2_load_balancer_has_ssl_policy.yml (100%) rename {aws_rds_policies => policies/aws_rds_policies}/aws_rds_instance_auto_minor_version_upgrade_enabled.py (100%) rename {aws_rds_policies => policies/aws_rds_policies}/aws_rds_instance_auto_minor_version_upgrade_enabled.yml (100%) rename {aws_rds_policies => policies/aws_rds_policies}/aws_rds_instance_backup.py (100%) rename {aws_rds_policies => policies/aws_rds_policies}/aws_rds_instance_backup.yml (100%) rename {aws_rds_policies => policies/aws_rds_policies}/aws_rds_instance_backup_retention_acceptable.py (100%) rename {aws_rds_policies => policies/aws_rds_policies}/aws_rds_instance_backup_retention_acceptable.yml (100%) rename {aws_rds_policies => policies/aws_rds_policies}/aws_rds_instance_encryption.py (100%) rename {aws_rds_policies => policies/aws_rds_policies}/aws_rds_instance_encryption.yml (100%) rename {aws_rds_policies => policies/aws_rds_policies}/aws_rds_instance_high_availability.py (100%) rename {aws_rds_policies => policies/aws_rds_policies}/aws_rds_instance_high_availability.yml (100%) rename {aws_rds_policies => policies/aws_rds_policies}/aws_rds_instance_public_access.py (100%) rename {aws_rds_policies => policies/aws_rds_policies}/aws_rds_instance_public_access.yml (100%) rename {aws_rds_policies => 
policies/aws_rds_policies}/aws_rds_instance_snapshot_public_access.py (100%) rename {aws_rds_policies => policies/aws_rds_policies}/aws_rds_instance_snapshot_public_access.yml (100%) rename {aws_redshift_policies => policies/aws_redshift_policies}/aws_redshift_cluster_encryption.py (100%) rename {aws_redshift_policies => policies/aws_redshift_policies}/aws_redshift_cluster_encryption.yml (100%) rename {aws_redshift_policies => policies/aws_redshift_policies}/aws_redshift_cluster_logging.py (100%) rename {aws_redshift_policies => policies/aws_redshift_policies}/aws_redshift_cluster_logging.yml (100%) rename {aws_redshift_policies => policies/aws_redshift_policies}/aws_redshift_cluster_maintenance_window.py (100%) rename {aws_redshift_policies => policies/aws_redshift_policies}/aws_redshift_cluster_maintenance_window.yml (100%) rename {aws_redshift_policies => policies/aws_redshift_policies}/aws_redshift_cluster_snapshot_retention.py (100%) rename {aws_redshift_policies => policies/aws_redshift_policies}/aws_redshift_cluster_snapshot_retention.yml (100%) rename {aws_redshift_policies => policies/aws_redshift_policies}/aws_redshift_cluster_snapshot_retention_acceptable.py (100%) rename {aws_redshift_policies => policies/aws_redshift_policies}/aws_redshift_cluster_snapshot_retention_acceptable.yml (100%) rename {aws_redshift_policies => policies/aws_redshift_policies}/aws_redshift_cluster_version_upgrade.py (100%) rename {aws_redshift_policies => policies/aws_redshift_policies}/aws_redshift_cluster_version_upgrade.yml (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_action_restrictions.py (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_action_restrictions.yml (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_encryption.py (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_encryption.yml (100%) rename {aws_s3_policies => 
policies/aws_s3_policies}/aws_s3_bucket_lifecycle_configuration.py (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_lifecycle_configuration.yml (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_logging.py (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_logging.yml (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_mfa_delete.py (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_mfa_delete.yml (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_name_dns_compliance.py (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_name_dns_compliance.yml (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_object_lock_configured.py (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_object_lock_configured.yml (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_policy_allow_with_not_principal.py (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_policy_allow_with_not_principal.yml (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_principal_restrictions.py (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_principal_restrictions.yml (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_public_access_block.py (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_public_access_block.yml (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_public_read.py (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_public_read.yml (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_public_write.py (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_public_write.yml (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_secure_access.py (100%) rename 
{aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_secure_access.yml (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_versioning.py (100%) rename {aws_s3_policies => policies/aws_s3_policies}/aws_s3_bucket_versioning.yml (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_network_acl_restricted_ssh.py (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_network_acl_restricted_ssh.yml (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_network_acl_restricts_inbound_traffic.py (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_network_acl_restricts_inbound_traffic.yml (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_network_acl_restricts_insecure_protocols.py (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_network_acl_restricts_insecure_protocols.yml (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_network_acl_restricts_outbound_traffic.py (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_network_acl_restricts_outbound_traffic.yml (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_only_dmz_security_groups_publicly_accessible.py (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_only_dmz_security_groups_publicly_accessible.yml (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_security_group_administrative_ingress.py (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_security_group_administrative_ingress.yml (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_security_group_restricts_access_to_cde.py (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_security_group_restricts_access_to_cde.yml (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_security_group_restricts_inbound_traffic.py (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_security_group_restricts_inbound_traffic.yml (100%) rename 
{aws_vpc_policies => policies/aws_vpc_policies}/aws_security_group_restricts_inter_security_group_traffic.py (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_security_group_restricts_inter_security_group_traffic.yml (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_security_group_restricts_outbound_traffic.py (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_security_group_restricts_outbound_traffic.yml (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_security_group_restricts_traffic_leaving_cde.py (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_security_group_restricts_traffic_leaving_cde.yml (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_security_group_tightly_restricts_inbound_traffic.py (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_security_group_tightly_restricts_inbound_traffic.yml (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_security_group_tightly_restricts_outbound_traffic.py (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_security_group_tightly_restricts_outbound_traffic.yml (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_security_group_unused_security_group.py (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_security_group_unused_security_group.yml (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_vpc_default_network_acl_restricts_all_traffic.py (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_vpc_default_network_acl_restricts_all_traffic.yml (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_vpc_default_security_restrictions.py (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_vpc_default_security_restrictions.yml (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_vpc_flow_logs.py (100%) rename {aws_vpc_policies => policies/aws_vpc_policies}/aws_vpc_flow_logs.yml (100%) rename 
{aws_waf_policies => policies/aws_waf_policies}/aws_waf_has_xss_predicate.py (100%) rename {aws_waf_policies => policies/aws_waf_policies}/aws_waf_has_xss_predicate.yml (100%) rename {aws_waf_policies => policies/aws_waf_policies}/aws_waf_rule_ordering.py (100%) rename {aws_waf_policies => policies/aws_waf_policies}/aws_waf_rule_ordering.yml (100%) rename {aws_queries => queries/aws_queries}/cloudtrail_password_spraying.yml (100%) rename {aws_queries => queries/aws_queries}/cloudtrail_password_spraying_query.yml (100%) rename {aws_queries => queries/aws_queries}/scheduled_rule_default.py (100%) rename {aws_queries => queries/aws_queries}/vpc_dns_tunneling.yml (100%) rename {aws_queries => queries/aws_queries}/vpc_dns_tunneling_query.yml (100%) rename {okta_queries => queries/okta_queries}/okta_activity_audit.yml (100%) rename {okta_queries => queries/okta_queries}/okta_admin_access_granted.yml (100%) rename {okta_queries => queries/okta_queries}/okta_mfa_password_reset_audit.yml (100%) rename {okta_queries => queries/okta_queries}/okta_session_id_audit.yml (100%) rename {okta_queries => queries/okta_queries}/okta_support_access.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_account_admin_assigned.py (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_account_admin_assigned.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_account_admin_assigned_query.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_brute_force_ip.py (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_brute_force_ip.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_brute_force_ip_query.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_brute_force_username.py (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_brute_force_username.yml (100%) rename {snowflake_queries => 
queries/snowflake_queries}/snowflake_brute_force_username_query.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_key_user_password_login.py (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_key_user_password_login.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_key_user_password_login_query.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_login_without_mfa.py (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_login_without_mfa.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_login_without_mfa_query.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_network_policy_modified.py (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_network_policy_modified.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_network_policy_modified_query.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_privileged_object_changes.py (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_privileged_object_changes.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_privileged_object_changes_query.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_public_role_grant.py (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_public_role_grant.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_public_role_grant_query.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_scim_token_created.py (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_scim_token_created.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_scim_token_created_query.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_unusual_login_volume.py (100%) rename 
{snowflake_queries => queries/snowflake_queries}/snowflake_unusual_login_volume.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_unusual_login_volume_query.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_user_created.py (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_user_created.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_user_created_query.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_user_enabled.py (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_user_enabled.yml (100%) rename {snowflake_queries => queries/snowflake_queries}/snowflake_user_enabled_query.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_ami_modified_for_public_access.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_ami_modified_for_public_access.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_cloudtrail_created.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_cloudtrail_created.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_cloudtrail_stopped.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_cloudtrail_stopped.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_codebuild_made_public.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_codebuild_made_public.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_config_service_created.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_config_service_created.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_config_service_disabled_deleted.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_config_service_disabled_deleted.yml (100%) rename {aws_cloudtrail_rules => 
rules/aws_cloudtrail_rules}/aws_console_login_failed.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_console_login_failed.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_console_login_without_mfa.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_console_login_without_mfa.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_console_login_without_saml.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_console_login_without_saml.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_console_root_login.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_console_root_login.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_console_root_login_failed.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_console_root_login_failed.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_ec2_gateway_modified.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_ec2_gateway_modified.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_ec2_manual_security_group_changes.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_ec2_manual_security_group_changes.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_ec2_network_acl_modified.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_ec2_network_acl_modified.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_ec2_route_table_modified.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_ec2_route_table_modified.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_ec2_security_group_modified.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_ec2_security_group_modified.yml (100%) rename {aws_cloudtrail_rules => 
rules/aws_cloudtrail_rules}/aws_ec2_vpc_modified.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_ec2_vpc_modified.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_iam_anything_changed.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_iam_anything_changed.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_iam_assume_role_blocklist_ignored.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_iam_assume_role_blocklist_ignored.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_iam_entity_created_without_cloudformation.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_iam_entity_created_without_cloudformation.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_iam_policy_modified.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_iam_policy_modified.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_iam_user_recon_denied.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_iam_user_recon_denied.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_key_compromised.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_key_compromised.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_kms_cmk_loss.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_kms_cmk_loss.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_network_acl_permissive_entry.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_network_acl_permissive_entry.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_resource_made_public.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_resource_made_public.yml (100%) rename {aws_cloudtrail_rules => 
rules/aws_cloudtrail_rules}/aws_root_access_key_created.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_root_access_key_created.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_root_activity.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_root_activity.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_root_console_login.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_root_console_login.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_root_failed_console_login.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_root_failed_console_login.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_root_password_changed.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_root_password_changed.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_s3_activity_greynoise.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_s3_activity_greynoise.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_s3_bucket_deleted.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_s3_bucket_deleted.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_s3_bucket_policy_modified.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_s3_bucket_policy_modified.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_security_configuration_change.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_security_configuration_change.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_snapshot_made_public.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_snapshot_made_public.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_unauthorized_api_call.py (100%) 
rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_unauthorized_api_call.yml (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_update_credentials.py (100%) rename {aws_cloudtrail_rules => rules/aws_cloudtrail_rules}/aws_update_credentials.yml (100%) rename {aws_guardduty_rules => rules/aws_guardduty_rules}/aws_guardduty_high_sev_findings.py (100%) rename {aws_guardduty_rules => rules/aws_guardduty_rules}/aws_guardduty_high_sev_findings.yml (100%) rename {aws_guardduty_rules => rules/aws_guardduty_rules}/aws_guardduty_low_sev_findings.py (100%) rename {aws_guardduty_rules => rules/aws_guardduty_rules}/aws_guardduty_low_sev_findings.yml (100%) rename {aws_guardduty_rules => rules/aws_guardduty_rules}/aws_guardduty_med_sev_findings.py (100%) rename {aws_guardduty_rules => rules/aws_guardduty_rules}/aws_guardduty_med_sev_findings.yml (100%) rename {aws_s3_rules => rules/aws_s3_rules}/aws_s3_access_error.py (100%) rename {aws_s3_rules => rules/aws_s3_rules}/aws_s3_access_error.yml (100%) rename {aws_s3_rules => rules/aws_s3_rules}/aws_s3_access_ip_allowlist.py (100%) rename {aws_s3_rules => rules/aws_s3_rules}/aws_s3_access_ip_allowlist.yml (100%) rename {aws_s3_rules => rules/aws_s3_rules}/aws_s3_insecure_access.py (100%) rename {aws_s3_rules => rules/aws_s3_rules}/aws_s3_insecure_access.yml (100%) rename {aws_s3_rules => rules/aws_s3_rules}/aws_s3_unauthenticated_access.py (100%) rename {aws_s3_rules => rules/aws_s3_rules}/aws_s3_unauthenticated_access.yml (100%) rename {aws_s3_rules => rules/aws_s3_rules}/aws_s3_unknown_requester_get_object.py (100%) rename {aws_s3_rules => rules/aws_s3_rules}/aws_s3_unknown_requester_get_object.yml (100%) rename {aws_vpc_flow_rules => rules/aws_vpc_flow_rules}/aws_vpc_healthy_log_status.py (100%) rename {aws_vpc_flow_rules => rules/aws_vpc_flow_rules}/aws_vpc_healthy_log_status.yml (100%) rename {aws_vpc_flow_rules => rules/aws_vpc_flow_rules}/aws_vpc_inbound_traffic_port_allowlist.py (100%) rename 
{aws_vpc_flow_rules => rules/aws_vpc_flow_rules}/aws_vpc_inbound_traffic_port_allowlist.yml (100%) rename {aws_vpc_flow_rules => rules/aws_vpc_flow_rules}/aws_vpc_inbound_traffic_port_blocklist.py (100%) rename {aws_vpc_flow_rules => rules/aws_vpc_flow_rules}/aws_vpc_inbound_traffic_port_blocklist.yml (100%) rename {aws_vpc_flow_rules => rules/aws_vpc_flow_rules}/aws_vpc_unapproved_outbound_dns.py (100%) rename {aws_vpc_flow_rules => rules/aws_vpc_flow_rules}/aws_vpc_unapproved_outbound_dns.yml (100%) rename {box_rules => rules/box_rules}/box_access_granted.py (100%) rename {box_rules => rules/box_rules}/box_access_granted.yml (100%) rename {box_rules => rules/box_rules}/box_anomalous_download.py (100%) rename {box_rules => rules/box_rules}/box_anomalous_download.yml (100%) rename {box_rules => rules/box_rules}/box_brute_force_login.py (100%) rename {box_rules => rules/box_rules}/box_brute_force_login.yml (100%) rename {box_rules => rules/box_rules}/box_event_triggered_externally.py (100%) rename {box_rules => rules/box_rules}/box_event_triggered_externally.yml (100%) rename {box_rules => rules/box_rules}/box_item_shared_externally.py (100%) rename {box_rules => rules/box_rules}/box_item_shared_externally.yml (100%) rename {box_rules => rules/box_rules}/box_malicious_content.py (100%) rename {box_rules => rules/box_rules}/box_malicious_content.yml (100%) rename {box_rules => rules/box_rules}/box_new_login.py (100%) rename {box_rules => rules/box_rules}/box_new_login.yml (100%) rename {box_rules => rules/box_rules}/box_policy_violation.py (100%) rename {box_rules => rules/box_rules}/box_policy_violation.yml (100%) rename {box_rules => rules/box_rules}/box_suspicious_login_or_session.py (100%) rename {box_rules => rules/box_rules}/box_suspicious_login_or_session.yml (100%) rename {box_rules => rules/box_rules}/box_untrusted_device.py (100%) rename {box_rules => rules/box_rules}/box_untrusted_device.yml (100%) rename {box_rules => 
rules/box_rules}/box_user_downloads.py (100%) rename {box_rules => rules/box_rules}/box_user_downloads.yml (100%) rename {box_rules => rules/box_rules}/box_user_permission_updates.py (100%) rename {box_rules => rules/box_rules}/box_user_permission_updates.yml (100%) rename {cisco_umbrella_dns_rules => rules/cisco_umbrella_dns_rules}/domain_blocked.py (100%) rename {cisco_umbrella_dns_rules => rules/cisco_umbrella_dns_rules}/domain_blocked.yml (100%) rename {cisco_umbrella_dns_rules => rules/cisco_umbrella_dns_rules}/fuzzy_matching_domains.py (100%) rename {cisco_umbrella_dns_rules => rules/cisco_umbrella_dns_rules}/fuzzy_matching_domains.yml (100%) rename {cisco_umbrella_dns_rules => rules/cisco_umbrella_dns_rules}/suspicious_domains.py (100%) rename {cisco_umbrella_dns_rules => rules/cisco_umbrella_dns_rules}/suspicious_domains.yml (100%) rename {cloudflare_rules => rules/cloudflare_rules}/cloudflare_firewall_ddos.py (100%) rename {cloudflare_rules => rules/cloudflare_rules}/cloudflare_firewall_ddos.yml (100%) rename {cloudflare_rules => rules/cloudflare_rules}/cloudflare_firewall_high_volume_events_blocked.py (100%) rename {cloudflare_rules => rules/cloudflare_rules}/cloudflare_firewall_high_volume_events_blocked.yml (100%) rename {cloudflare_rules => rules/cloudflare_rules}/cloudflare_firewall_high_volume_events_blocked_greynoise.py (100%) rename {cloudflare_rules => rules/cloudflare_rules}/cloudflare_firewall_high_volume_events_blocked_greynoise.yml (100%) rename {cloudflare_rules => rules/cloudflare_rules}/cloudflare_firewall_suspicious_event_greynoise.py (100%) rename {cloudflare_rules => rules/cloudflare_rules}/cloudflare_firewall_suspicious_event_greynoise.yml (100%) rename {cloudflare_rules => rules/cloudflare_rules}/cloudflare_httpreq_bot_high_volume.py (100%) rename {cloudflare_rules => rules/cloudflare_rules}/cloudflare_httpreq_bot_high_volume.yml (100%) rename {cloudflare_rules => rules/cloudflare_rules}/cloudflare_httpreq_bot_high_volume_greynoise.py 
(100%) rename {cloudflare_rules => rules/cloudflare_rules}/cloudflare_httpreq_bot_high_volume_greynoise.yml (100%) rename {crowdstrike_rules => rules/crowdstrike_rules}/crowdstrike_detection_passthrough.py (100%) rename {crowdstrike_rules => rules/crowdstrike_rules}/crowdstrike_detection_passthrough.yml (100%) rename {crowdstrike_rules => rules/crowdstrike_rules}/crowdstrike_dns_request.py (100%) rename {crowdstrike_rules => rules/crowdstrike_rules}/crowdstrike_dns_request.yml (100%) rename {gcp_audit_rules => rules/gcp_audit_rules}/gcp_gcs_iam_changes.py (100%) rename {gcp_audit_rules => rules/gcp_audit_rules}/gcp_gcs_iam_changes.yml (100%) rename {gcp_audit_rules => rules/gcp_audit_rules}/gcp_gcs_public.py (100%) rename {gcp_audit_rules => rules/gcp_audit_rules}/gcp_gcs_public.yml (100%) rename {gcp_audit_rules => rules/gcp_audit_rules}/gcp_iam_admin_role_assigned.py (100%) rename {gcp_audit_rules => rules/gcp_audit_rules}/gcp_iam_admin_role_assigned.yml (100%) rename {gcp_audit_rules => rules/gcp_audit_rules}/gcp_iam_corp_email.py (100%) rename {gcp_audit_rules => rules/gcp_audit_rules}/gcp_iam_corp_email.yml (100%) rename {gcp_audit_rules => rules/gcp_audit_rules}/gcp_iam_custom_role_changes.py (100%) rename {gcp_audit_rules => rules/gcp_audit_rules}/gcp_iam_custom_role_changes.yml (100%) rename {gcp_audit_rules => rules/gcp_audit_rules}/gcp_iam_org_folder_changes.py (100%) rename {gcp_audit_rules => rules/gcp_audit_rules}/gcp_iam_org_folder_changes.yml (100%) rename {gcp_audit_rules => rules/gcp_audit_rules}/gcp_sql_config_changes.py (100%) rename {gcp_audit_rules => rules/gcp_audit_rules}/gcp_sql_config_changes.yml (100%) rename {gcp_audit_rules => rules/gcp_audit_rules}/gcp_unused_regions.py (100%) rename {gcp_audit_rules => rules/gcp_audit_rules}/gcp_unused_regions.yml (100%) rename {github_rules => rules/github_rules}/github_branch_policy_override.py (100%) rename {github_rules => rules/github_rules}/github_branch_policy_override.yml (100%) rename 
{github_rules => rules/github_rules}/github_branch_protection_disabled.py (100%) rename {github_rules => rules/github_rules}/github_branch_protection_disabled.yml (100%) rename {github_rules => rules/github_rules}/github_org_auth_modified.py (100%) rename {github_rules => rules/github_rules}/github_org_auth_modified.yml (100%) rename {github_rules => rules/github_rules}/github_org_ip_allowlist.py (100%) rename {github_rules => rules/github_rules}/github_org_ip_allowlist.yml (100%) rename {github_rules => rules/github_rules}/github_org_modified.py (100%) rename {github_rules => rules/github_rules}/github_org_modified.yml (100%) rename {github_rules => rules/github_rules}/github_repo_collaborator_change.py (100%) rename {github_rules => rules/github_rules}/github_repo_collaborator_change.yml (100%) rename {github_rules => rules/github_rules}/github_repo_created.py (100%) rename {github_rules => rules/github_rules}/github_repo_created.yml (100%) rename {github_rules => rules/github_rules}/github_repo_hook_modified.py (100%) rename {github_rules => rules/github_rules}/github_repo_hook_modified.yml (100%) rename {github_rules => rules/github_rules}/github_repo_initial_access.py (100%) rename {github_rules => rules/github_rules}/github_repo_initial_access.yml (100%) rename {github_rules => rules/github_rules}/github_repo_visibility_change.py (100%) rename {github_rules => rules/github_rules}/github_repo_visibility_change.yml (100%) rename {github_rules => rules/github_rules}/github_team_modified.py (100%) rename {github_rules => rules/github_rules}/github_team_modified.yml (100%) rename {github_rules => rules/github_rules}/github_user_access_key_created.py (100%) rename {github_rules => rules/github_rules}/github_user_access_key_created.yml (100%) rename {github_rules => rules/github_rules}/github_user_role_updated.py (100%) rename {github_rules => rules/github_rules}/github_user_role_updated.yml (100%) rename {gravitational_teleport_rules => 
rules/gravitational_teleport_rules}/teleport_auth_errors.py (100%) rename {gravitational_teleport_rules => rules/gravitational_teleport_rules}/teleport_auth_errors.yml (100%) rename {gravitational_teleport_rules => rules/gravitational_teleport_rules}/teleport_create_user_accounts.py (100%) rename {gravitational_teleport_rules => rules/gravitational_teleport_rules}/teleport_create_user_accounts.yml (100%) rename {gravitational_teleport_rules => rules/gravitational_teleport_rules}/teleport_network_scanning.py (100%) rename {gravitational_teleport_rules => rules/gravitational_teleport_rules}/teleport_network_scanning.yml (100%) rename {gravitational_teleport_rules => rules/gravitational_teleport_rules}/teleport_scheduled_jobs.py (100%) rename {gravitational_teleport_rules => rules/gravitational_teleport_rules}/teleport_scheduled_jobs.yml (100%) rename {gravitational_teleport_rules => rules/gravitational_teleport_rules}/teleport_suspicious_commands.py (100%) rename {gravitational_teleport_rules => rules/gravitational_teleport_rules}/teleport_suspicious_commands.yml (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_advanced_protection.py (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_advanced_protection.yml (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_brute_force_login.py (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_brute_force_login.yml (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_doc_ownership_transfer.py (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_doc_ownership_transfer.yml (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_external_forwarding.py (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_external_forwarding.yml (100%) rename {gsuite_activityevent_rules 
=> rules/gsuite_activityevent_rules}/gsuite_google_access.py (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_google_access.yml (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_gov_attack.py (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_gov_attack.yml (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_group_banned_user.py (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_group_banned_user.yml (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_leaked_password.py (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_leaked_password.yml (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_login_type.py (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_login_type.yml (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_mobile_device_compromise.py (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_mobile_device_compromise.yml (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_mobile_device_screen_unlock_fail.py (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_mobile_device_screen_unlock_fail.yml (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_mobile_device_suspicious_activity.py (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_mobile_device_suspicious_activity.yml (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_permissions_delegated.py (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_permissions_delegated.yml (100%) rename {gsuite_activityevent_rules => 
rules/gsuite_activityevent_rules}/gsuite_rule.py (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_rule.yml (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_suspicious_logins.py (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_suspicious_logins.yml (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_two_step_verification.py (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_two_step_verification.yml (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_user_suspended.py (100%) rename {gsuite_activityevent_rules => rules/gsuite_activityevent_rules}/gsuite_user_suspended.yml (100%) rename {gsuite_reports_rules => rules/gsuite_reports_rules}/gsuite_drive_external_share.py (100%) rename {gsuite_reports_rules => rules/gsuite_reports_rules}/gsuite_drive_external_share.yml (100%) rename {gsuite_reports_rules => rules/gsuite_reports_rules}/gsuite_drive_overly_visible.py (100%) rename {gsuite_reports_rules => rules/gsuite_reports_rules}/gsuite_drive_overly_visible.yml (100%) rename {gsuite_reports_rules => rules/gsuite_reports_rules}/gsuite_drive_visibility_change.py (100%) rename {gsuite_reports_rules => rules/gsuite_reports_rules}/gsuite_drive_visibility_change.yml (100%) rename {gsuite_reports_rules => rules/gsuite_reports_rules}/gsuite_drive_visibility_change_deprecated.py (100%) rename {gsuite_reports_rules => rules/gsuite_reports_rules}/gsuite_drive_visibility_change_deprecated.yml (100%) rename {indicator_creation_rules => rules/indicator_creation_rules}/new_aws_account_logging.py (100%) rename {indicator_creation_rules => rules/indicator_creation_rules}/new_aws_account_logging.yml (100%) rename {indicator_creation_rules => rules/indicator_creation_rules}/new_user_account_logging.py (100%) rename {indicator_creation_rules => 
rules/indicator_creation_rules}/new_user_account_logging.yml (100%) rename {okta_rules => rules/okta_rules}/okta_account_support_access.py (100%) rename {okta_rules => rules/okta_rules}/okta_account_support_access.yml (100%) rename {okta_rules => rules/okta_rules}/okta_admin_disabled_mfa.py (100%) rename {okta_rules => rules/okta_rules}/okta_admin_disabled_mfa.yml (100%) rename {okta_rules => rules/okta_rules}/okta_admin_role_assigned.py (100%) rename {okta_rules => rules/okta_rules}/okta_admin_role_assigned.yml (100%) rename {okta_rules => rules/okta_rules}/okta_api_key_created.py (100%) rename {okta_rules => rules/okta_rules}/okta_api_key_created.yml (100%) rename {okta_rules => rules/okta_rules}/okta_api_key_revoked.py (100%) rename {okta_rules => rules/okta_rules}/okta_api_key_revoked.yml (100%) rename {okta_rules => rules/okta_rules}/okta_brute_force_logins.py (100%) rename {okta_rules => rules/okta_rules}/okta_brute_force_logins.yml (100%) rename {okta_rules => rules/okta_rules}/okta_geo_improbable_access.py (100%) rename {okta_rules => rules/okta_rules}/okta_geo_improbable_access.yml (100%) rename {okta_rules => rules/okta_rules}/okta_support_reset.py (100%) rename {okta_rules => rules/okta_rules}/okta_support_reset.yml (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_active_login_activity.py (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_active_login_activity.yml (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_admin_role_assigned.py (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_admin_role_assigned.yml (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_brute_force_by_ip.py (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_brute_force_by_ip.yml (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_brute_force_by_username.py (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_brute_force_by_username.yml (100%) rename {onelogin_rules => 
rules/onelogin_rules}/onelogin_high_risk_failed_login.py (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_high_risk_failed_login.yml (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_high_risk_login.py (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_high_risk_login.yml (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_password_accessed.py (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_password_accessed.yml (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_password_changed.py (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_password_changed.yml (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_remove_authentication_factor.py (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_remove_authentication_factor.yml (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_threshold_accounts_deleted.py (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_threshold_accounts_deleted.yml (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_threshold_accounts_modified.py (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_threshold_accounts_modified.yml (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_unauthorized_access.py (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_unauthorized_access.yml (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_unusual_login.py (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_unusual_login.yml (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_user_account_locked.py (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_user_account_locked.yml (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_user_assumed.py (100%) rename {onelogin_rules => rules/onelogin_rules}/onelogin_user_assumed.yml (100%) rename {onepassword_rules => 
rules/onepassword_rules}/onepassword_lut_sensitive_item_access.py (100%) rename {onepassword_rules => rules/onepassword_rules}/onepassword_lut_sensitive_item_access.yml (100%) rename {onepassword_rules => rules/onepassword_rules}/onepassword_sensitive_item_access.py (100%) rename {onepassword_rules => rules/onepassword_rules}/onepassword_sensitive_item_access.yml (100%) rename {onepassword_rules => rules/onepassword_rules}/onepassword_unusual_client.py (100%) rename {onepassword_rules => rules/onepassword_rules}/onepassword_unusual_client.yml (100%) rename {osquery_rules => rules/osquery_rules}/osquery_linux_aws_commands.py (100%) rename {osquery_rules => rules/osquery_rules}/osquery_linux_aws_commands.yml (100%) rename {osquery_rules => rules/osquery_rules}/osquery_linux_logins_non_office.py (100%) rename {osquery_rules => rules/osquery_rules}/osquery_linux_logins_non_office.yml (100%) rename {osquery_rules => rules/osquery_rules}/osquery_mac_application_firewall.py (100%) rename {osquery_rules => rules/osquery_rules}/osquery_mac_application_firewall.yml (100%) rename {osquery_rules => rules/osquery_rules}/osquery_mac_enable_auto_update.py (100%) rename {osquery_rules => rules/osquery_rules}/osquery_mac_enable_auto_update.yml (100%) rename {osquery_rules => rules/osquery_rules}/osquery_mac_osx_attacks.py (100%) rename {osquery_rules => rules/osquery_rules}/osquery_mac_osx_attacks.yml (100%) rename {osquery_rules => rules/osquery_rules}/osquery_mac_osx_attacks_keyboard_events.py (100%) rename {osquery_rules => rules/osquery_rules}/osquery_mac_osx_attacks_keyboard_events.yml (100%) rename {osquery_rules => rules/osquery_rules}/osquery_mac_unwanted_chrome_extensions.py (100%) rename {osquery_rules => rules/osquery_rules}/osquery_mac_unwanted_chrome_extensions.yml (100%) rename {osquery_rules => rules/osquery_rules}/osquery_ossec.py (100%) rename {osquery_rules => rules/osquery_rules}/osquery_ossec.yml (100%) rename {osquery_rules => 
rules/osquery_rules}/osquery_outdated.py (100%) rename {osquery_rules => rules/osquery_rules}/osquery_outdated.yml (100%) rename {osquery_rules => rules/osquery_rules}/osquery_outdated_macos.py (100%) rename {osquery_rules => rules/osquery_rules}/osquery_outdated_macos.yml (100%) rename {osquery_rules => rules/osquery_rules}/osquery_ssh_listener.py (100%) rename {osquery_rules => rules/osquery_rules}/osquery_ssh_listener.yml (100%) rename {osquery_rules => rules/osquery_rules}/osquery_suspicious_cron.py (100%) rename {osquery_rules => rules/osquery_rules}/osquery_suspicious_cron.yml (100%) rename {panther_audit_rules => rules/panther_audit_rules}/panther_detection_deleted.py (100%) rename {panther_audit_rules => rules/panther_audit_rules}/panther_detection_deleted.yml (100%) rename {panther_audit_rules => rules/panther_audit_rules}/panther_saml_modified.py (100%) rename {panther_audit_rules => rules/panther_audit_rules}/panther_saml_modified.yml (100%) rename {panther_audit_rules => rules/panther_audit_rules}/panther_sensitive_role_created.py (100%) rename {panther_audit_rules => rules/panther_audit_rules}/panther_sensitive_role_created.yml (100%) rename {panther_ioc_rules => rules/panther_ioc_rules}/atlassian_confluence_ip_iocs.py (100%) rename {panther_ioc_rules => rules/panther_ioc_rules}/atlassian_confluence_ip_iocs.yml (100%) rename {panther_ioc_rules => rules/panther_ioc_rules}/log4j_exploit_iocs.py (100%) rename {panther_ioc_rules => rules/panther_ioc_rules}/log4j_exploit_iocs.yml (100%) rename {panther_ioc_rules => rules/panther_ioc_rules}/log4j_ip_iocs.py (100%) rename {panther_ioc_rules => rules/panther_ioc_rules}/log4j_ip_iocs.yml (100%) rename {panther_ioc_rules => rules/panther_ioc_rules}/sunburst_fqdn_iocs.py (100%) rename {panther_ioc_rules => rules/panther_ioc_rules}/sunburst_fqdn_iocs.yml (100%) rename {panther_ioc_rules => rules/panther_ioc_rules}/sunburst_ip_iocs.py (100%) rename {panther_ioc_rules => rules/panther_ioc_rules}/sunburst_ip_iocs.yml 
(100%) rename {panther_ioc_rules => rules/panther_ioc_rules}/sunburst_sha256_iocs.py (100%) rename {panther_ioc_rules => rules/panther_ioc_rules}/sunburst_sha256_iocs.yml (100%) rename {slack_rules => rules/slack_rules}/slack_app_access_expanded.py (100%) rename {slack_rules => rules/slack_rules}/slack_app_access_expanded.yml (100%) rename {slack_rules => rules/slack_rules}/slack_app_added.py (100%) rename {slack_rules => rules/slack_rules}/slack_app_added.yml (100%) rename {slack_rules => rules/slack_rules}/slack_app_removed.py (100%) rename {slack_rules => rules/slack_rules}/slack_app_removed.yml (100%) rename {slack_rules => rules/slack_rules}/slack_application_dos.py (100%) rename {slack_rules => rules/slack_rules}/slack_application_dos.yml (100%) rename {slack_rules => rules/slack_rules}/slack_dlp_modified.py (100%) rename {slack_rules => rules/slack_rules}/slack_dlp_modified.yml (100%) rename {slack_rules => rules/slack_rules}/slack_ekm_config_changed.py (100%) rename {slack_rules => rules/slack_rules}/slack_ekm_config_changed.yml (100%) rename {slack_rules => rules/slack_rules}/slack_ekm_slackbot_unenrolled.py (100%) rename {slack_rules => rules/slack_rules}/slack_ekm_slackbot_unenrolled.yml (100%) rename {slack_rules => rules/slack_rules}/slack_ekm_unenrolled.py (100%) rename {slack_rules => rules/slack_rules}/slack_ekm_unenrolled.yml (100%) rename {slack_rules => rules/slack_rules}/slack_idp_configuration_change.py (100%) rename {slack_rules => rules/slack_rules}/slack_idp_configuration_change.yml (100%) rename {slack_rules => rules/slack_rules}/slack_information_barrier_modified.py (100%) rename {slack_rules => rules/slack_rules}/slack_information_barrier_modified.yml (100%) rename {slack_rules => rules/slack_rules}/slack_intune_mdm_disabled.py (100%) rename {slack_rules => rules/slack_rules}/slack_intune_mdm_disabled.yml (100%) rename {slack_rules => rules/slack_rules}/slack_legal_hold_policy_modified.py (100%) rename {slack_rules => 
rules/slack_rules}/slack_legal_hold_policy_modified.yml (100%) rename {slack_rules => rules/slack_rules}/slack_mfa_settings_changed.py (100%) rename {slack_rules => rules/slack_rules}/slack_mfa_settings_changed.yml (100%) rename {slack_rules => rules/slack_rules}/slack_org_created.py (100%) rename {slack_rules => rules/slack_rules}/slack_org_created.yml (100%) rename {slack_rules => rules/slack_rules}/slack_org_deleted.py (100%) rename {slack_rules => rules/slack_rules}/slack_org_deleted.yml (100%) rename {slack_rules => rules/slack_rules}/slack_passthrough_anomaly.py (100%) rename {slack_rules => rules/slack_rules}/slack_passthrough_anomaly.yml (100%) rename {slack_rules => rules/slack_rules}/slack_potentially_malicious_file_shared.py (100%) rename {slack_rules => rules/slack_rules}/slack_potentially_malicious_file_shared.yml (100%) rename {slack_rules => rules/slack_rules}/slack_private_channel_made_public.py (100%) rename {slack_rules => rules/slack_rules}/slack_private_channel_made_public.yml (100%) rename {slack_rules => rules/slack_rules}/slack_service_owner_transferred.py (100%) rename {slack_rules => rules/slack_rules}/slack_service_owner_transferred.yml (100%) rename {slack_rules => rules/slack_rules}/slack_sso_settings_changed.py (100%) rename {slack_rules => rules/slack_rules}/slack_sso_settings_changed.yml (100%) rename {slack_rules => rules/slack_rules}/slack_user_privilege_escalation.py (100%) rename {slack_rules => rules/slack_rules}/slack_user_privilege_escalation.yml (100%) rename {standard_rules => rules/standard_rules}/admin_assigned.py (100%) rename {standard_rules => rules/standard_rules}/admin_assigned.yml (100%) rename {standard_rules => rules/standard_rules}/brute_force_by_ip.py (100%) rename {standard_rules => rules/standard_rules}/brute_force_by_ip.yml (100%) rename {standard_rules => rules/standard_rules}/mfa_disabled.py (100%) rename {standard_rules => rules/standard_rules}/mfa_disabled.yml (100%) rename {standard_rules => 
rules/standard_rules}/unusual_login.py (100%) rename {standard_rules => rules/standard_rules}/unusual_login.yml (100%) rename {zendesk_rules => rules/zendesk_rules}/zendesk_mobile_app_access.py (100%) rename {zendesk_rules => rules/zendesk_rules}/zendesk_mobile_app_access.yml (100%) rename {zendesk_rules => rules/zendesk_rules}/zendesk_new_api_token.py (100%) rename {zendesk_rules => rules/zendesk_rules}/zendesk_new_api_token.yml (100%) rename {zendesk_rules => rules/zendesk_rules}/zendesk_new_owner.py (100%) rename {zendesk_rules => rules/zendesk_rules}/zendesk_new_owner.yml (100%) rename {zendesk_rules => rules/zendesk_rules}/zendesk_sensitive_data_redaction.py (100%) rename {zendesk_rules => rules/zendesk_rules}/zendesk_sensitive_data_redaction.yml (100%) rename {zendesk_rules => rules/zendesk_rules}/zendesk_user_assumption.py (100%) rename {zendesk_rules => rules/zendesk_rules}/zendesk_user_assumption.yml (100%) rename {zendesk_rules => rules/zendesk_rules}/zendesk_user_role.py (100%) rename {zendesk_rules => rules/zendesk_rules}/zendesk_user_role.yml (100%) rename {zendesk_rules => rules/zendesk_rules}/zendesk_user_suspension.py (100%) rename {zendesk_rules => rules/zendesk_rules}/zendesk_user_suspension.yml (100%) rename {zoom_operation_rules => rules/zoom_operation_rules}/zoom_operation_passcode_disabled.py (100%) rename {zoom_operation_rules => rules/zoom_operation_rules}/zoom_operation_passcode_disabled.yml (100%) rename {zoom_operation_rules => rules/zoom_operation_rules}/zoom_operation_user_granted_admin.py (100%) rename {zoom_operation_rules => rules/zoom_operation_rules}/zoom_operation_user_granted_admin.yml (100%)
diff --git a/indexes/aws.md b/indexes/aws.md
index c08744cdc..5c246fe37 100644
--- a/indexes/aws.md
+++ b/indexes/aws.md
@@ -1,381 +1,381 @@
 ## ACM
-[ AWS ACM Certificate Expiration](../aws_acm_policies/aws_acm_certificate_expiration.py)
+[ AWS ACM Certificate Expiration](../policies/aws_acm_policies/aws_acm_certificate_expiration.py)
-[ AWS ACM Certificate Status](../aws_acm_policies/aws_acm_certificate_valid.py)
+[ AWS ACM Certificate Status](../policies/aws_acm_policies/aws_acm_certificate_valid.py)
-[ AWS ACM Secure Algorithms](../aws_acm_policies/aws_acm_certificate_has_secure_algorithms.py)
+[ AWS ACM Secure Algorithms](../policies/aws_acm_policies/aws_acm_certificate_has_secure_algorithms.py)
 ## Access Keys
-[ AWS Access Key Rotation](../aws_iam_policies/aws_access_key_rotation.py)
+[ AWS Access Key Rotation](../policies/aws_iam_policies/aws_access_key_rotation.py)
-[ AWS Access Key Uploaded to Github](../aws_cloudtrail_rules/aws_key_compromised.py)
+[ AWS Access Key Uploaded to Github](../rules/aws_cloudtrail_rules/aws_key_compromised.py)
-[ AWS Access Keys At Account Creation](../aws_iam_policies/aws_access_keys_at_account_creation.py)
+[ AWS Access Keys At Account Creation](../policies/aws_iam_policies/aws_access_keys_at_account_creation.py)
 ## CloudFormation
-[ AWS CloudFormation Stack Drift](../aws_cloudformation_policies/aws_cloudformation_stack_drifted.py)
+[ AWS CloudFormation Stack Drift](../policies/aws_cloudformation_policies/aws_cloudformation_stack_drifted.py)
-[ AWS CloudFormation Stack IAM Service Role](../aws_cloudformation_policies/aws_cloudformation_stack_uses_iam_role.py)
+[ AWS CloudFormation Stack IAM Service Role](../policies/aws_cloudformation_policies/aws_cloudformation_stack_uses_iam_role.py)
-[ AWS CloudFormation Stack Termination Protection](../aws_cloudformation_policies/aws_cloudformation_termination_protection.py)
+[ AWS CloudFormation Stack Termination Protection](../policies/aws_cloudformation_policies/aws_cloudformation_termination_protection.py)
 ## CloudTrail
-[ AWS CloudTrail CloudWatch Logs](../aws_cloudtrail_policies/aws_cloudtrail_cloudwatch_logs.py)
+[ AWS CloudTrail CloudWatch Logs](../policies/aws_cloudtrail_policies/aws_cloudtrail_cloudwatch_logs.py)
-[ AWS CloudTrail Enabled](../aws_cloudtrail_policies/aws_cloudtrail_enabled.py)
+[ AWS CloudTrail Enabled](../policies/aws_cloudtrail_policies/aws_cloudtrail_enabled.py)
-[ A CloudTrail Was Created or Updated](../aws_cloudtrail_rules/aws_cloudtrail_created.py)
+[ A CloudTrail Was Created or Updated](../rules/aws_cloudtrail_rules/aws_cloudtrail_created.py)
-[ AWS CloudTrail Least Privilege Access](../aws_iam_policies/aws_cloudtrail_least_privilege.py)
+[ AWS CloudTrail Least Privilege Access](../policies/aws_iam_policies/aws_cloudtrail_least_privilege.py)
-[ AWS CloudTrail Log Encryption](../aws_cloudtrail_policies/aws_cloudtrail_log_encryption.py)
+[ AWS CloudTrail Log Encryption](../policies/aws_cloudtrail_policies/aws_cloudtrail_log_encryption.py)
-[ AWS CloudTrail Log Validation](../aws_cloudtrail_policies/aws_cloudtrail_log_validation.py)
+[ AWS CloudTrail Log Validation](../policies/aws_cloudtrail_policies/aws_cloudtrail_log_validation.py)
-[ AWS CloudTrail S3 Bucket Access Logging](../aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_access_logging.py)
+[ AWS CloudTrail S3 Bucket Access Logging](../policies/aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_access_logging.py)
-[ AWS CloudTrail S3 Bucket Public](../aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_public.py)
+[ AWS CloudTrail S3 Bucket Public](../policies/aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_public.py)
-[ Monitor Unauthorized API Calls](../aws_cloudtrail_rules/aws_unauthorized_api_call.py)
+[ Monitor Unauthorized API Calls](../rules/aws_cloudtrail_rules/aws_unauthorized_api_call.py)
-[ Account Security Configuration Changed](../aws_cloudtrail_rules/aws_security_configuration_change.py)
+[ Account Security Configuration Changed](../rules/aws_cloudtrail_rules/aws_security_configuration_change.py)
-[ CloudTrail Stopped](../aws_cloudtrail_rules/aws_cloudtrail_stopped.py)
+[ CloudTrail Stopped](../rules/aws_cloudtrail_rules/aws_cloudtrail_stopped.py)
-[ CodeBuild Project made Public](../aws_cloudtrail_rules/aws_codebuild_made_public.py)
+[ CodeBuild Project made Public](../rules/aws_cloudtrail_rules/aws_codebuild_made_public.py)
 ## CloudWatch
-[ AWS CloudWatch Log Encryption](../aws_cloudwatch_policies/aws_cloudwatch_loggroup_encrypted.py)
+[ AWS CloudWatch Log Encryption](../policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_encrypted.py)
-[ AWS CloudWatch Logs Data Retention](../aws_cloudwatch_policies/aws_cloudwatch_loggroup_data_retention.py)
+[ AWS CloudWatch Logs Data Retention](../policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_data_retention.py)
-[ Sensitive AWS CloudWatch Log Encryption](../aws_cloudwatch_policies/aws_cloudwatch_loggroup_sensitive_encrypted.py)
+[ Sensitive AWS CloudWatch Log Encryption](../policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_sensitive_encrypted.py)
 ## Config Audit
-[ AWS Config Global Resources](../aws_config_policies/aws_config_global_resources.py)
+[ AWS Config Global Resources](../policies/aws_config_policies/aws_config_global_resources.py)
-[ AWS Config Recording Status](../aws_config_policies/aws_config_recording_no_error.py)
+[ AWS Config Recording Status](../policies/aws_config_policies/aws_config_recording_no_error.py)
-[ AWS Config Records All Resource Types](../aws_config_policies/aws_config_all_resource_types.py)
+[ AWS Config Records All Resource Types](../policies/aws_config_policies/aws_config_all_resource_types.py)
-[ AWS Config Service Created](../aws_cloudtrail_rules/aws_config_service_created.py)
+[ AWS Config Service Created](../rules/aws_cloudtrail_rules/aws_config_service_created.py)
-[ AWS Config Service Disabled](../aws_cloudtrail_rules/aws_config_service_disabled_deleted.py)
+[ AWS Config Service Disabled](../rules/aws_cloudtrail_rules/aws_config_service_disabled_deleted.py)
-[ AWS Config Status](../aws_config_policies/aws_config_recording_enabled.py)
+[ AWS Config Status](../policies/aws_config_policies/aws_config_recording_enabled.py)
 ## DynamoDB
-[ AWS DynamoDB Table Autoscaling Configuration](../aws_dynamodb_policies/aws_dynamodb_autoscaling_configuration.py)
+[ AWS DynamoDB Table Autoscaling Configuration](../policies/aws_dynamodb_policies/aws_dynamodb_autoscaling_configuration.py)
-[ AWS DynamoDB Table Autoscaling](../aws_dynamodb_policies/aws_dynamodb_autoscaling.py)
+[ AWS DynamoDB Table Autoscaling](../policies/aws_dynamodb_policies/aws_dynamodb_autoscaling.py)
-[ AWS DynamoDB Table Encryption](../aws_dynamodb_policies/aws_dynamodb_table_encryption.py)
+[ AWS DynamoDB Table Encryption](../policies/aws_dynamodb_policies/aws_dynamodb_table_encryption.py)
-[ AWS DynamoDB Table TTL](../aws_dynamodb_policies/aws_dynamodb_table_ttl_enabled.py)
+[ AWS DynamoDB Table TTL](../policies/aws_dynamodb_policies/aws_dynamodb_table_ttl_enabled.py)
 ## EC2
-[ AWS EC2 AMI Approved Host](../aws_ec2_policies/aws_ec2_ami_approved_host.py)
+[ AWS EC2 AMI Approved Host](../policies/aws_ec2_policies/aws_ec2_ami_approved_host.py)
-[ AWS EC2 AMI Approved Instance Type](../aws_ec2_policies/aws_ec2_ami_approved_instance_type.py)
+[ AWS EC2 AMI Approved Instance Type](../policies/aws_ec2_policies/aws_ec2_ami_approved_instance_type.py)
-[ AWS EC2 AMI Approved Tenancy](../aws_ec2_policies/aws_ec2_ami_approved_tenancy.py)
+[ AWS EC2 AMI Approved Tenancy](../policies/aws_ec2_policies/aws_ec2_ami_approved_tenancy.py)
-[ AWS EC2 Instance Approved AMI](../aws_ec2_policies/aws_ec2_instance_approved_ami.py)
+[ AWS EC2 Instance Approved AMI](../policies/aws_ec2_policies/aws_ec2_instance_approved_ami.py)
-[ AWS EC2 Instance Approved Host](../aws_ec2_policies/aws_ec2_instance_approved_host.py)
+[ AWS EC2 Instance Approved Host](../policies/aws_ec2_policies/aws_ec2_instance_approved_host.py)
-[ AWS EC2 Instance Approved Instance Type](../aws_ec2_policies/aws_ec2_instance_approved_instance_type.py)
+[ AWS EC2 Instance Approved Instance Type](../policies/aws_ec2_policies/aws_ec2_instance_approved_instance_type.py)
-[ AWS EC2 Instance Approved Tenancy](../aws_ec2_policies/aws_ec2_instance_approved_tenancy.py)
+[ AWS EC2 Instance Approved Tenancy](../policies/aws_ec2_policies/aws_ec2_instance_approved_tenancy.py)
-[ AWS Snapshot Made Public](../aws_cloudtrail_rules/aws_snapshot_made_public.py)
+[ AWS Snapshot Made Public](../rules/aws_cloudtrail_rules/aws_snapshot_made_public.py)
-[ AWS CDE EC2 Volume Encryption](../aws_ec2_policies/aws_ec2_cde_volume_encrypted.py)
+[ AWS CDE EC2 Volume Encryption](../policies/aws_ec2_policies/aws_ec2_cde_volume_encrypted.py)
-[ AWS EC2 Instance Approved VPC](../aws_ec2_policies/aws_ec2_instance_approved_vpc.py)
+[ AWS EC2 Instance Approved VPC](../policies/aws_ec2_policies/aws_ec2_instance_approved_vpc.py)
-[ AWS EC2 Instance Detailed Monitoring](../aws_ec2_policies/aws_ec2_instance_detailed_monitoring.py)
+[ AWS EC2 Instance Detailed Monitoring](../policies/aws_ec2_policies/aws_ec2_instance_detailed_monitoring.py)
-[ AWS EC2 Instance EBS Optimization](../aws_ec2_policies/aws_ec2_instance_ebs_optimization.py)
+[ AWS EC2 Instance EBS Optimization](../policies/aws_ec2_policies/aws_ec2_instance_ebs_optimization.py)
-[ AWS AMI Sharing](../aws_ec2_policies/aws_ami_private.py)
+[ AWS AMI Sharing](../policies/aws_ec2_policies/aws_ami_private.py)
-[ Amazon Machine Image (AMI) Modified to Allow Public Access](../aws_cloudtrail_rules/aws_ami_modified_for_public_access.py)
+[ Amazon Machine Image (AMI) Modified to Allow Public Access](../rules/aws_cloudtrail_rules/aws_ami_modified_for_public_access.py)
-[ AWS EC2 Manual Security Group Change](../aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.py)
+[ AWS EC2 Manual Security Group Change](../rules/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.py)
-[ AWS EC2 Volume Encryption](../aws_ec2_policies/aws_ec2_volume_encryption.py)
+[ AWS EC2 Volume Encryption](../policies/aws_ec2_policies/aws_ec2_volume_encryption.py)
-[ AWS EC2 Volume Snapshot Encryption](../aws_ec2_policies/aws_ec2_volume_snapshot_encrypted.py)
+[ AWS EC2 Volume Snapshot Encryption](../policies/aws_ec2_policies/aws_ec2_volume_snapshot_encrypted.py)
-[EC2 Network ACL Modified](../aws_cloudtrail_rules/aws_ec2_network_acl_modified.py)
+[EC2 Network ACL Modified](../rules/aws_cloudtrail_rules/aws_ec2_network_acl_modified.py)
-[ EC2 Network Gateway Modified](../aws_cloudtrail_rules/aws_ec2_gateway_modified.py)
+[ EC2 Network Gateway Modified](../rules/aws_cloudtrail_rules/aws_ec2_gateway_modified.py)
-[ EC2 Route Table Modified](../aws_cloudtrail_rules/aws_ec2_route_table_modified.py)
+[ EC2 Route Table Modified](../rules/aws_cloudtrail_rules/aws_ec2_route_table_modified.py)
-[ EC2 Security Group Modified](../aws_cloudtrail_rules/aws_ec2_security_group_modified.py)
+[ EC2 Security Group Modified](../rules/aws_cloudtrail_rules/aws_ec2_security_group_modified.py)
-[ EC2 VPC Modified](../aws_cloudtrail_rules/aws_ec2_vpc_modified.py)
+[ EC2 VPC Modified](../rules/aws_cloudtrail_rules/aws_ec2_vpc_modified.py)
 ## Load Balancer
-[ AWS ELB SSL Policies](../aws_load_balancer_policies/aws_alb_ssl_policy.py)
+[ AWS ELB SSL Policies](../policies/aws_load_balancer_policies/aws_alb_ssl_policy.py)
-[ AWS Enforces SSL Policies](../aws_load_balancer_policies/aws_elbv2_load_balancer_has_ssl_policy.py)
+[ AWS Enforces SSL Policies](../policies/aws_load_balancer_policies/aws_elbv2_load_balancer_has_ssl_policy.py)
-[ AWS Application Load Balancer Web ACL](../aws_elb_policies/aws_application_load_balancer_web_acl.py)
+[ AWS Application Load Balancer Web ACL](../policies/aws_elb_policies/aws_application_load_balancer_web_acl.py)
 ## GuardDuty
-[ AWS GuardDuty Enabled](../aws_guardduty_policies/aws_guardduty_enabled.py)
+[ AWS GuardDuty Enabled](../policies/aws_guardduty_policies/aws_guardduty_enabled.py)
-[ AWS GuardDuty High Severity Finding](../aws_guardduty_rules/aws_guardduty_high_sev_findings.py)
+[ AWS GuardDuty High Severity Finding](../rules/aws_guardduty_rules/aws_guardduty_high_sev_findings.py)
-[ AWS GuardDuty Low Severity Finding](../aws_guardduty_rules/aws_guardduty_low_sev_findings.py)
+[ AWS GuardDuty Low Severity Finding](../rules/aws_guardduty_rules/aws_guardduty_low_sev_findings.py)
-[ AWS GuardDuty Master Account](../aws_guardduty_policies/aws_guardduty_master_account.py)
+[ AWS GuardDuty Master Account](../policies/aws_guardduty_policies/aws_guardduty_master_account.py)
-[ AWS GuardDuty Medium Severity Finding](../aws_guardduty_rules/aws_guardduty_med_sev_findings.py)
+[ AWS GuardDuty Medium Severity Finding](../rules/aws_guardduty_rules/aws_guardduty_med_sev_findings.py)
 ## IAM
-[ AWS IAM Group Users](../aws_iam_policies/aws_iam_group_users.py)
+[ AWS IAM Group Users](../policies/aws_iam_policies/aws_iam_group_users.py)
-[ Detect Reconnaisance from IAM Users](../aws_cloudtrail_rules/aws_iam_user_recon_denied.py)
+[ Detect Reconnaisance from IAM Users](../rules/aws_cloudtrail_rules/aws_iam_user_recon_denied.py)
-[ AWS IAM Password Unused](../aws_iam_policies/aws_password_unused.py)
+[ AWS IAM Password Unused](../policies/aws_iam_policies/aws_password_unused.py)
-[ AWS IAM Policy Administrative Privileges](../aws_iam_policies/aws_iam_policy_administrative_privileges.py)
+[ AWS IAM Policy Administrative Privileges](../policies/aws_iam_policies/aws_iam_policy_administrative_privileges.py)
-[ AWS IAM Policy Assigned to User](../aws_iam_policies/aws_iam_policy_assigned_to_user.py)
+[ AWS IAM Policy Assigned to User](../policies/aws_iam_policies/aws_iam_policy_assigned_to_user.py)
-[ AWS IAM Policy Blocklist](../aws_iam_policies/aws_iam_policy_blocklist.py)
+[ AWS IAM Policy Blocklist](../policies/aws_iam_policies/aws_iam_policy_blocklist.py)
-[ AWS IAM Policy Does Not Grant Any Administrative Access](../aws_iam_policies/aws_iam_policy_does_not_grant_admin_access.py)
+[ AWS IAM Policy Does Not Grant Any Administrative Access](../policies/aws_iam_policies/aws_iam_policy_does_not_grant_admin_access.py)
-[ AWS IAM Policy Does Not Grant Network Admin Access](../aws_iam_policies/aws_iam_policy_does_not_grant_network_admin_access.py)
+[ AWS IAM Policy Does Not Grant Network Admin Access](../policies/aws_iam_policies/aws_iam_policy_does_not_grant_network_admin_access.py)
-[ AWS IAM Policy Role Mapping](../aws_iam_policies/aws_iam_policy_role_mapping.py)
+[ AWS IAM Policy Role Mapping](../policies/aws_iam_policies/aws_iam_policy_role_mapping.py)
-[ AWS IAM Resource Does Not Have Inline Policy](../aws_iam_policies/aws_iam_resource_does_not_have_inline_policy.py)
+[ AWS IAM Resource Does Not Have Inline Policy](../policies/aws_iam_policies/aws_iam_resource_does_not_have_inline_policy.py)
-[ AWS IAM Role Restricts Usage](../aws_iam_policies/aws_iam_role_restricts_usage.py)
+[ AWS IAM Role Restricts Usage](../policies/aws_iam_policies/aws_iam_role_restricts_usage.py)
-[ AWS IAM User MFA](../aws_iam_policies/aws_iam_user_mfa.py)
+[ AWS IAM User MFA](../policies/aws_iam_policies/aws_iam_user_mfa.py)
-[ AWS IAM User Not In Conflicting Groups](../aws_iam_policies/aws_iam_user_not_in_conflicting_groups.py)
+[ AWS IAM User Not In Conflicting Groups](../policies/aws_iam_policies/aws_iam_user_not_in_conflicting_groups.py)
-[ AWS Root Account Hardware MFA](../aws_iam_policies/aws_root_account_hardware_mfa.py)
+[ AWS Root Account Hardware MFA](../policies/aws_iam_policies/aws_root_account_hardware_mfa.py)
-[ AWS Root Account MFA](../aws_iam_policies/aws_root_account_mfa.py)
+[ AWS Root Account MFA](../policies/aws_iam_policies/aws_root_account_mfa.py)
-[ AWS Unused Access Key](../aws_iam_policies/aws_access_key_unused.py)
+[ AWS Unused Access Key](../policies/aws_iam_policies/aws_access_key_unused.py)
-[ IAM Assume Role Blocklist Ignored](../aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.py)
+[ IAM Assume Role Blocklist Ignored](../rules/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.py)
-[ IAM Change](../aws_cloudtrail_rules/aws_iam_anything_changed.py)
+[ IAM Change](../rules/aws_cloudtrail_rules/aws_iam_anything_changed.py)
-[ IAM Entity Created Without CloudFormation](../aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.py)
+[ IAM Entity Created Without CloudFormation](../rules/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.py)
-[ IAM Inline Policy Network Admin](../aws_iam_policies/aws_iam_inline_policy_does_not_grant_network_admin_access.py)
+[ IAM Inline Policy Network Admin](../policies/aws_iam_policies/aws_iam_inline_policy_does_not_grant_network_admin_access.py)
-[ IAM Policy Modified](../aws_cloudtrail_rules/aws_iam_policy_modified.py)
+[ IAM Policy Modified](../rules/aws_cloudtrail_rules/aws_iam_policy_modified.py)
-[ KMS CMK Disabled or Deleted](../aws_cloudtrail_rules/aws_kms_cmk_loss.py)
+[ KMS CMK Disabled or Deleted](../rules/aws_cloudtrail_rules/aws_kms_cmk_loss.py)
-[ Logins Without MFA](../aws_cloudtrail_rules/aws_console_login_without_mfa.py)
+[ Logins Without MFA](../rules/aws_cloudtrail_rules/aws_console_login_without_mfa.py)
-[ Logins Without SAML](../aws_cloudtrail_rules/aws_console_login_without_saml.py)
+[ Logins Without SAML](../rules/aws_cloudtrail_rules/aws_console_login_without_saml.py)
-[ Monitor Unauthorized API Calls](../aws_cloudtrail_rules/aws_unauthorized_api_call.py)
+[ Monitor Unauthorized API Calls](../rules/aws_cloudtrail_rules/aws_unauthorized_api_call.py)
-[ New IAM Credentials Updated](../aws_cloudtrail_rules/aws_update_credentials.py)
+[ New IAM Credentials Updated](../rules/aws_cloudtrail_rules/aws_update_credentials.py)
-[ Root Account Access Key Created](../aws_cloudtrail_rules/aws_root_access_key_created.py)
+[ Root Account Access Key Created](../rules/aws_cloudtrail_rules/aws_root_access_key_created.py)
-[ Root Account Activity](../aws_cloudtrail_rules/aws_root_activity.py)
+[ Root Account Activity](../rules/aws_cloudtrail_rules/aws_root_activity.py)
-[ Root Console Login](../aws_cloudtrail_rules/aws_console_root_login.py)
+[ Root Console Login](../rules/aws_cloudtrail_rules/aws_console_root_login.py)
-[ Root Password Changed](../aws_cloudtrail_rules/aws_root_password_changed.py)
+[ Root Password Changed](../rules/aws_cloudtrail_rules/aws_root_password_changed.py)
-[ Logins Without MFA](../aws_cloudtrail_rules/aws_console_login_without_mfa.py)
+[ Logins Without MFA](../rules/aws_cloudtrail_rules/aws_console_login_without_mfa.py)
-[ Logins Without SAML](../aws_cloudtrail_rules/aws_console_login_without_saml.py)
+[ Logins Without SAML](../rules/aws_cloudtrail_rules/aws_console_login_without_saml.py)
-[ Detect Reconnaisance from IAM Users](../aws_cloudtrail_rules/aws_iam_user_recon_denied.py)
+[ Detect Reconnaisance from IAM Users](../rules/aws_cloudtrail_rules/aws_iam_user_recon_denied.py)
-[ Failed Root Console Login](../aws_cloudtrail_rules/aws_console_root_login_failed.py)
+[ Failed Root Console Login](../rules/aws_cloudtrail_rules/aws_console_root_login_failed.py)
 ## KMS
-[ AWS KMS CMK Key Rotation](../aws_kms_policies/aws_cmk_key_rotation.py)
+[ AWS KMS CMK Key Rotation](../policies/aws_kms_policies/aws_cmk_key_rotation.py)
-[ AWS KMS Key Restricts Usage](../aws_kms_policies/aws_kms_key_policy_restricts_usage.py)
+[ AWS KMS Key Restricts Usage](../policies/aws_kms_policies/aws_kms_key_policy_restricts_usage.py)
-[ KMS CMK Disabled or Deleted](../aws_cloudtrail_rules/aws_kms_cmk_loss.py)
+[ KMS CMK Disabled or Deleted](../rules/aws_cloudtrail_rules/aws_kms_cmk_loss.py)
 ## Network ACLs
-[ AWS Network ACL Overly Permissive Entry Created](../aws_cloudtrail_rules/aws_network_acl_permissive_entry.py)
+[ AWS Network ACL Overly Permissive Entry Created](../rules/aws_cloudtrail_rules/aws_network_acl_permissive_entry.py)
-[ AWS Network ACL Restricts Inbound Traffic](../aws_vpc_policies/aws_network_acl_restricts_inbound_traffic.py)
+[ AWS Network ACL Restricts Inbound Traffic](../policies/aws_vpc_policies/aws_network_acl_restricts_inbound_traffic.py)
-[ AWS Network ACL Restricts Insecure Protocols](../aws_vpc_policies/aws_network_acl_restricts_insecure_protocols.py)
+[ AWS Network ACL Restricts Insecure Protocols](../policies/aws_vpc_policies/aws_network_acl_restricts_insecure_protocols.py)
-[ AWS Network ACL Restricts Outbound Traffic](../aws_vpc_policies/aws_network_acl_restricts_outbound_traffic.py)
+[ AWS Network ACL Restricts Outbound Traffic](../policies/aws_vpc_policies/aws_network_acl_restricts_outbound_traffic.py)
-[ AWS Network ACL Restricts SSH](../aws_vpc_policies/aws_network_acl_restricted_ssh.py)
+[ AWS Network ACL Restricts SSH](../policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py)
 ## Password Policy
-[ AWS Password Policy Complexity Guidelines](../aws_account_policies/aws_password_policy_complexity_guidelines.py)
+[ AWS Password Policy Complexity Guidelines](../policies/aws_account_policies/aws_password_policy_complexity_guidelines.py)
-[ AWS Password Policy Password Age Limit](../aws_account_policies/aws_password_policy_password_age_limit.py)
+[ AWS Password Policy Password Age Limit](../policies/aws_account_policies/aws_password_policy_password_age_limit.py)
-[ AWS Password Policy Password Reuse](../aws_account_policies/aws_password_policy_password_reuse.py)
+[ AWS Password Policy Password Reuse](../policies/aws_account_policies/aws_password_policy_password_reuse.py)
 ## RDS
-[ AWS RDS Instance Backup](../aws_rds_policies/aws_rds_instance_backup.py)
+[ AWS RDS Instance Backup](../policies/aws_rds_policies/aws_rds_instance_backup.py)
-[ AWS RDS Instance Encryption](../aws_rds_policies/aws_rds_instance_encryption.py)
+[ AWS RDS Instance Encryption](../policies/aws_rds_policies/aws_rds_instance_encryption.py)
-[ AWS RDS Instance Has Acceptable Backup Retention Period](../aws_rds_policies/aws_rds_instance_backup_retention_acceptable.py)
+[ AWS RDS Instance Has Acceptable Backup Retention Period](../policies/aws_rds_policies/aws_rds_instance_backup_retention_acceptable.py)
-[ AWS RDS Instance High Availability](../aws_rds_policies/aws_rds_instance_high_availability.py)
+[ AWS RDS Instance High Availability](../policies/aws_rds_policies/aws_rds_instance_high_availability.py)
-[ AWS RDS Instance Minor Version Upgrades](../aws_rds_policies/aws_rds_instance_auto_minor_version_upgrade_enabled.py)
+[ AWS RDS Instance Minor Version Upgrades](../policies/aws_rds_policies/aws_rds_instance_auto_minor_version_upgrade_enabled.py)
-[ AWS RDS Instance Public Access](../aws_rds_policies/aws_rds_instance_public_access.py)
+[ AWS RDS Instance Public Access](../policies/aws_rds_policies/aws_rds_instance_public_access.py)
-[ AWS RDS Instance Snapshot Public Access](../aws_rds_policies/aws_rds_instance_snapshot_public_access.py)
+[ AWS RDS Instance Snapshot Public Access](../policies/aws_rds_policies/aws_rds_instance_snapshot_public_access.py)
 ## Redshift
-[ AWS Redshift Cluster Encryption](../aws_redshift_policies/aws_redshift_cluster_encryption.py)
+[ AWS Redshift Cluster Encryption](../policies/aws_redshift_policies/aws_redshift_cluster_encryption.py)
-[ AWS Redshift Cluster Has Acceptable Snapshot Retention Period](../aws_redshift_policies/aws_redshift_cluster_snapshot_retention_acceptable.py)
+[ AWS Redshift Cluster Has Acceptable Snapshot Retention Period](../policies/aws_redshift_policies/aws_redshift_cluster_snapshot_retention_acceptable.py)
-[ AWS Redshift Cluster Logging](../aws_redshift_policies/aws_redshift_cluster_logging.py)
+[ AWS Redshift Cluster Logging](../policies/aws_redshift_policies/aws_redshift_cluster_logging.py)
-[ AWS Redshift Cluster Maintenance Window](../aws_redshift_policies/aws_redshift_cluster_maintenance_window.py)
+[ AWS Redshift Cluster Maintenance Window](../policies/aws_redshift_policies/aws_redshift_cluster_maintenance_window.py)
-[ AWS Redshift Cluster Snapshot Retention](../aws_redshift_policies/aws_redshift_cluster_snapshot_retention.py)
+[ AWS Redshift Cluster Snapshot Retention](../policies/aws_redshift_policies/aws_redshift_cluster_snapshot_retention.py)
-[ AWS Redshift Cluster Version Upgrade](../aws_redshift_policies/aws_redshift_cluster_version_upgrade.py)
+[ AWS Redshift Cluster Version Upgrade](../policies/aws_redshift_policies/aws_redshift_cluster_version_upgrade.py)
 ## Account Policies
-[ AWS Resource Made Public](../aws_cloudtrail_rules/aws_resource_made_public.py)
+[ AWS Resource Made Public](../rules/aws_cloudtrail_rules/aws_resource_made_public.py)
-[ AWS Resource Minimum Tags](../aws_account_policies/aws_resource_minimum_tags.py)
+[ AWS Resource Minimum Tags](../policies/aws_account_policies/aws_resource_minimum_tags.py)
-[ AWS Resource Required Tags](../aws_account_policies/aws_resource_required_tags.py)
+[ AWS Resource Required Tags](../policies/aws_account_policies/aws_resource_required_tags.py)
-[ AWS Root Account Access Keys](../aws_iam_policies/aws_root_account_access_keys.py)
+[ AWS Root Account Access Keys](../policies/aws_iam_policies/aws_root_account_access_keys.py)
-[ AWS Root Account Hardware MFA](../aws_iam_policies/aws_root_account_hardware_mfa.py)
+[ AWS Root Account Hardware MFA](../policies/aws_iam_policies/aws_root_account_hardware_mfa.py)
-[ AWS Root Account MFA](../aws_iam_policies/aws_root_account_mfa.py)
+[ AWS Root Account MFA](../policies/aws_iam_policies/aws_root_account_mfa.py)
 ## S3
-[ AWS S3 Access Error](../aws_s3_rules/aws_s3_access_error.py)
+[ AWS S3 Access Error](../rules/aws_s3_rules/aws_s3_access_error.py)
-[ AWS S3 Access IP Allowlist](../aws_s3_rules/aws_s3_access_ip_allowlist.py)
+[ AWS S3 Access IP Allowlist](../rules/aws_s3_rules/aws_s3_access_ip_allowlist.py)
-[ AWS S3 Bucket Action Restrictions](../aws_s3_policies/aws_s3_bucket_action_restrictions.py)
+[ AWS S3 Bucket Action Restrictions](../policies/aws_s3_policies/aws_s3_bucket_action_restrictions.py)
-[ AWS S3 Bucket Encryption](../aws_s3_policies/aws_s3_bucket_encryption.py)
+[ AWS S3 Bucket Encryption](../policies/aws_s3_policies/aws_s3_bucket_encryption.py)
-[ AWS S3 Bucket Lifecycle Configuration](../aws_s3_policies/aws_s3_bucket_lifecycle_configuration.py)
+[ AWS S3 Bucket Lifecycle Configuration](../policies/aws_s3_policies/aws_s3_bucket_lifecycle_configuration.py)
-[ AWS S3 Bucket Logging](../aws_s3_policies/aws_s3_bucket_logging.py)
+[ AWS S3 Bucket Logging](../policies/aws_s3_policies/aws_s3_bucket_logging.py)
-[ AWS S3 Bucket MFA Delete](../aws_s3_policies/aws_s3_bucket_mfa_delete.py)
+[ AWS S3 Bucket MFA Delete](../policies/aws_s3_policies/aws_s3_bucket_mfa_delete.py)
-[ AWS S3 Bucket Name DNS Compliance](../aws_s3_policies/aws_s3_bucket_name_dns_compliance.py)
+[ AWS S3 Bucket Name DNS Compliance](../policies/aws_s3_policies/aws_s3_bucket_name_dns_compliance.py)
-[ AWS S3 Bucket Object Lock Configured](../aws_s3_policies/aws_s3_bucket_object_lock_configured.py)
+[ AWS S3 Bucket Object Lock Configured](../policies/aws_s3_policies/aws_s3_bucket_object_lock_configured.py)
-[ AWS S3 Bucket Policy Allow With Not Principal](../aws_s3_policies/aws_s3_bucket_policy_allow_with_not_principal.py)
+[ AWS S3 Bucket Policy Allow With Not Principal](../policies/aws_s3_policies/aws_s3_bucket_policy_allow_with_not_principal.py)
-[ AWS S3 Bucket Policy Modified](../aws_cloudtrail_rules/aws_s3_bucket_policy_modified.py)
+[ AWS S3 Bucket Policy Modified](../rules/aws_cloudtrail_rules/aws_s3_bucket_policy_modified.py)
-[ AWS S3 Bucket Principal Restrictions](../aws_s3_policies/aws_s3_bucket_principal_restrictions.py)
+[ AWS S3 Bucket Principal Restrictions](../policies/aws_s3_policies/aws_s3_bucket_principal_restrictions.py)
-[ AWS S3 Bucket Public Access Block](../aws_s3_policies/aws_s3_bucket_public_access_block.py)
+[ AWS S3 Bucket Public Access Block](../policies/aws_s3_policies/aws_s3_bucket_public_access_block.py)
-[ AWS S3 Bucket Public Read](../aws_s3_policies/aws_s3_bucket_public_read.py)
+[ AWS S3 Bucket Public Read](../policies/aws_s3_policies/aws_s3_bucket_public_read.py)
-[ AWS S3 Bucket Public Write](../aws_s3_policies/aws_s3_bucket_public_write.py)
+[ AWS S3 Bucket Public Write](../policies/aws_s3_policies/aws_s3_bucket_public_write.py)
-[ AWS S3 Bucket Secure Access](../aws_s3_policies/aws_s3_bucket_secure_access.py)
+[ AWS S3 Bucket Secure Access](../policies/aws_s3_policies/aws_s3_bucket_secure_access.py)
-[ AWS S3 Bucket Versioning](../aws_s3_policies/aws_s3_bucket_versioning.py)
+[ AWS S3 Bucket Versioning](../policies/aws_s3_policies/aws_s3_bucket_versioning.py)
-[ AWS S3 Insecure Access](../aws_s3_rules/aws_s3_insecure_access.py)
+[ AWS S3 Insecure Access](../rules/aws_s3_rules/aws_s3_insecure_access.py)
-[ AWS S3 Unauthenticated Access](../aws_s3_rules/aws_s3_unauthenticated_access.py)
+[ AWS S3 Unauthenticated Access](../rules/aws_s3_rules/aws_s3_unauthenticated_access.py)
-[ AWS S3 Unknown Requester](../aws_s3_rules/aws_s3_unknown_requester_get_object.py)
+[ AWS S3 Unknown Requester](../rules/aws_s3_rules/aws_s3_unknown_requester_get_object.py)
-[ S3 Bucket Deleted](../aws_cloudtrail_rules/aws_s3_bucket_deleted.py)
+[ S3 Bucket Deleted](../rules/aws_cloudtrail_rules/aws_s3_bucket_deleted.py)
 ## VPC
-[ AWS Security Group - Only DMZ Publicly Accessible](../aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.py)
+[ AWS Security Group - Only DMZ Publicly Accessible](../policies/aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.py)
-[ AWS Security Group Administrative Ingress](../aws_vpc_policies/aws_security_group_administrative_ingress.py)
+[ AWS Security Group Administrative Ingress](../policies/aws_vpc_policies/aws_security_group_administrative_ingress.py)
-[ AWS Security Group Restricts Access To CDE](../aws_vpc_policies/aws_security_group_restricts_access_to_cde.py)
+[ AWS Security Group Restricts Access To CDE](../policies/aws_vpc_policies/aws_security_group_restricts_access_to_cde.py)
-[ AWS Security Group Restricts Inbound Traffic](../aws_vpc_policies/aws_security_group_restricts_inbound_traffic.py)
+[ AWS Security Group Restricts Inbound Traffic](../policies/aws_vpc_policies/aws_security_group_restricts_inbound_traffic.py)
-[ AWS Security Group Restricts Inter-SG Traffic](../aws_vpc_policies/aws_security_group_restricts_inter_security_group_traffic.py)
+[ AWS Security Group Restricts Inter-SG Traffic](../policies/aws_vpc_policies/aws_security_group_restricts_inter_security_group_traffic.py)
-[ AWS Security Group Restricts Outbound Traffic](../aws_vpc_policies/aws_security_group_restricts_outbound_traffic.py)
+[ AWS Security Group Restricts Outbound Traffic](../policies/aws_vpc_policies/aws_security_group_restricts_outbound_traffic.py)
-[ AWS Security Group Restricts Traffic Leaving CDE](../aws_vpc_policies/aws_security_group_restricts_traffic_leaving_cde.py)
+[ AWS Security Group Restricts Traffic Leaving CDE](../policies/aws_vpc_policies/aws_security_group_restricts_traffic_leaving_cde.py)
-[ AWS Security Group Tightly Restricts Inbound Traffic](../aws_vpc_policies/aws_security_group_tightly_restricts_inbound_traffic.py)
+[ AWS Security Group Tightly Restricts Inbound Traffic](../policies/aws_vpc_policies/aws_security_group_tightly_restricts_inbound_traffic.py)
-[ AWS Security Group Tightly Restricts Outbound Traffic](../aws_vpc_policies/aws_security_group_tightly_restricts_outbound_traffic.py)
+[ AWS Security Group Tightly Restricts Outbound Traffic](../policies/aws_vpc_policies/aws_security_group_tightly_restricts_outbound_traffic.py)
-[ AWS Security Group Used](../aws_vpc_policies/aws_security_group_unused_security_group.py)
+[ AWS Security Group Used](../policies/aws_vpc_policies/aws_security_group_unused_security_group.py)
-[ AWS VPC Default Network ACL Restricts All Traffic](../aws_vpc_policies/aws_vpc_default_network_acl_restricts_all_traffic.py)
+[ AWS VPC Default Network ACL Restricts All Traffic](../policies/aws_vpc_policies/aws_vpc_default_network_acl_restricts_all_traffic.py)
-[ AWS VPC Default Security Group Restrictions](../aws_vpc_policies/aws_vpc_default_security_restrictions.py)
+[ AWS VPC Default Security Group Restrictions](../policies/aws_vpc_policies/aws_vpc_default_security_restrictions.py)
-[ AWS VPC Flow Logs](../aws_vpc_policies/aws_vpc_flow_logs.py)
+[ AWS VPC Flow Logs](../policies/aws_vpc_policies/aws_vpc_flow_logs.py)
-[ AWS VPC Healthy Log Status](../aws_vpc_flow_rules/aws_vpc_healthy_log_status.py)
+[ AWS VPC Healthy Log Status](../rules/aws_vpc_flow_rules/aws_vpc_healthy_log_status.py)
-[ VPC Flow Logs Inbound Port Allowlist](../aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.py)
+[ VPC Flow Logs Inbound Port Allowlist](../rules/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.py)
-[ VPC Flow Logs Inbound Port Blocklist](../aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.py)
+[ VPC Flow Logs Inbound Port Blocklist](../rules/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.py)
-[ VPC Flow Logs Unapproved Outbound DNS Traffic](../aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.py)
+[ VPC Flow Logs Unapproved Outbound DNS Traffic](../rules/aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.py)
 ## AWS WAF
-[ AWS WAF Has XSS Predicate](../aws_waf_policies/aws_waf_has_xss_predicate.py)
+[ AWS WAF Has XSS Predicate](../policies/aws_waf_policies/aws_waf_has_xss_predicate.py)
-[ AWS WAF Rule Ordering](../aws_waf_policies/aws_waf_rule_ordering.py)
+[ AWS WAF Rule Ordering](../policies/aws_waf_policies/aws_waf_rule_ordering.py)
diff --git a/indexes/gcp.md b/indexes/gcp.md
index 7b3da4905..06adf10c4 100644
--- a/indexes/gcp.md
+++ b/indexes/gcp.md
@@ -1,12 +1,12 @@
-[ GCS Bucket Made Public](../gcp_audit_rules/gcp_gcs_public.py)
+[ GCS Bucket Made Public](../rules/gcp_audit_rules/gcp_gcs_public.py)
-[ GCP Resource in Unused Region](../gcp_audit_rules/gcp_unused_regions.py)
+[ GCP Resource in Unused Region](../rules/gcp_audit_rules/gcp_unused_regions.py)
-[ GCP SQL Config Changes](../gcp_audit_rules/gcp_sql_config_changes.py)
+[ GCP SQL Config Changes](../rules/gcp_audit_rules/gcp_sql_config_changes.py)
-[ GCP GCS IAM Permission Changes](../gcp_audit_rules/gcp_gcs_iam_changes.py)
+[ GCP GCS IAM Permission Changes](../rules/gcp_audit_rules/gcp_gcs_iam_changes.py)
-[ GCP IAM Role Has Changed](../gcp_audit_rules/gcp_iam_custom_role_changes.py)
+[ GCP IAM Role Has Changed](../rules/gcp_audit_rules/gcp_iam_custom_role_changes.py)
-[ GCP Corporate Email Not Used](../gcp_audit_rules/gcp_iam_corp_email.py)
+[ GCP Corporate Email Not Used](../rules/gcp_audit_rules/gcp_iam_corp_email.py)
diff --git a/indexes/github.md b/indexes/github.md
index 9b2c8e588..e9291e6cf 100644
--- a/indexes/github.md
+++ b/indexes/github.md
@@ -1,36 +1,36 @@ ## User Rules -[ GitHub User Role Updated](../github_rules/github_user_role_updated.py) +[ GitHub User Role Updated](../rules/github_rules/github_user_role_updated.py) -[ GitHub Team Modified](../github_rules/github_team_modified.py) +[ GitHub Team Modified](../rules/github_rules/github_team_modified.py) -[ GitHub User Initial Access to Private Repo](../github_rules/github_repo_initial_access.py) +[ GitHub User Initial Access to Private Repo](../rules/github_rules/github_repo_initial_access.py) -[ GitHub Team Modified](../github_rules/github_team_modified.py) +[ GitHub Team Modified](../rules/github_rules/github_team_modified.py) -[ GitHub User Initial Access to Private Repo](../github_rules/github_repo_initial_access.py) +[ GitHub User Initial Access to Private Repo](../rules/github_rules/github_repo_initial_access.py) -[ GitHub User Added or Removed from Org](../github_rules/github_org_modified.py) +[ GitHub User Added or Removed from Org](../rules/github_rules/github_org_modified.py) -[ GitHub User Access Key Created](../github_rules/github_user_access_key_created.py) +[ GitHub User Access Key Created](../rules/github_rules/github_user_access_key_created.py) ## Repository Rules -[ GitHub Branch Protection Policy Override](../github_rules/github_branch_policy_override.py) +[ GitHub Branch Protection Policy Override](../rules/github_rules/github_branch_policy_override.py) -[ GitHub Branch Protection Disabled](../github_rules/github_branch_protection_disabled.py) +[ GitHub Branch Protection Disabled](../rules/github_rules/github_branch_protection_disabled.py) -[ GitHub Repository Created](../github_rules/github_repo_created.py) +[ GitHub Repository Created](../rules/github_rules/github_repo_created.py) -[ GitHub Repository Visibility Change](../github_rules/github_repo_collaborator_change.py) +[ GitHub Repository Visibility Change](../rules/github_rules/github_repo_collaborator_change.py) -[ GitHub Web Hook 
Modified](../github_rules/github_repo_hook_modified.py) +[ GitHub Web Hook Modified](../rules/github_rules/github_repo_hook_modified.py) -[ GitHub Repository Visibility Change](../github_rules/github_repo_visibility_change.py) +[ GitHub Repository Visibility Change](../rules/github_rules/github_repo_visibility_change.py) ## Organization Rules -[ GitHub Org Authentication Method Changed](../github_rules/github_org_auth_modified.py) +[ GitHub Org Authentication Method Changed](../rules/github_rules/github_org_auth_modified.py) -[ GitHub Org IP Allow List modified](../github_rules/github_org_ip_allowlist.py) \ No newline at end of file +[ GitHub Org IP Allow List modified](../rules/github_rules/github_org_ip_allowlist.py) \ No newline at end of file diff --git a/indexes/gworkspace.md b/indexes/gworkspace.md index 31a7a91ff..2c9677daf 100644 --- a/indexes/gworkspace.md +++ b/indexes/gworkspace.md 
@@ -1,44 +1,44 @@ ## Drive and Docs -[ External GSuite File Share](../gsuite_reports_rules/gsuite_drive_external_share.py) +[ External GSuite File Share](../rules/gsuite_reports_rules/gsuite_drive_external_share.py) -[ GSuite Document External Ownership Transfer](../gsuite_activityevent_rules/gsuite_doc_ownership_transfer.py) +[ GSuite Document External Ownership Transfer](../rules/gsuite_activityevent_rules/gsuite_doc_ownership_transfer.py) -[ GSuite External Drive Document](../gsuite_reports_rules/gsuite_drive_visibility_change.py) +[ GSuite External Drive Document](../rules/gsuite_reports_rules/gsuite_drive_visibility_change.py) -[ GSuite Overly Visible Drive Document](../gsuite_reports_rules/gsuite_drive_overly_visible.py) +[ GSuite Overly Visible Drive Document](../rules/gsuite_reports_rules/gsuite_drive_overly_visible.py) ## User Specific -[ GSuite Device Suspicious Activity](../gsuite_activityevent_rules/gsuite_mobile_device_suspicious_activity.py) +[ GSuite Device Suspicious Activity](../rules/gsuite_activityevent_rules/gsuite_mobile_device_suspicious_activity.py) -[ GSuite User Advanced Protection Change](../gsuite_activityevent_rules/gsuite_advanced_protection.py) +[ GSuite User Advanced Protection Change](../rules/gsuite_activityevent_rules/gsuite_advanced_protection.py) -[ GSuite User Banned from Group](../gsuite_activityevent_rules/gsuite_group_banned_user.py) +[ GSuite User Banned from Group](../rules/gsuite_activityevent_rules/gsuite_group_banned_user.py) -[ GSuite User Device Compromised](../gsuite_activityevent_rules/gsuite_mobile_device_compromise.py) +[ GSuite User Device Compromised](../rules/gsuite_activityevent_rules/gsuite_mobile_device_compromise.py) -[ GSuite User Device Unlock Failures](../gsuite_activityevent_rules/gsuite_mobile_device_screen_unlock_fail.py) +[ GSuite User Device Unlock Failures](../rules/gsuite_activityevent_rules/gsuite_mobile_device_screen_unlock_fail.py) -[ GSuite User Password 
Leaked](../gsuite_activityevent_rules/gsuite_leaked_password.py) +[ GSuite User Password Leaked](../rules/gsuite_activityevent_rules/gsuite_leaked_password.py) -[ GSuite User Suspended](../gsuite_activityevent_rules/gsuite_user_suspended.py) +[ GSuite User Suspended](../rules/gsuite_activityevent_rules/gsuite_user_suspended.py) -[ GSuite User Two Step Verification Change](../gsuite_activityevent_rules/gsuite_two_step_verification.py) +[ GSuite User Two Step Verification Change](../rules/gsuite_activityevent_rules/gsuite_two_step_verification.py) -[ Gsuite Mail forwarded to external domain](../gsuite_activityevent_rules/gsuite_external_forwarding.py) +[ Gsuite Mail forwarded to external domain](../rules/gsuite_activityevent_rules/gsuite_external_forwarding.py) -[ Suspicious GSuite Login](../gsuite_activityevent_rules/gsuite_suspicious_logins.py) +[ Suspicious GSuite Login](../rules/gsuite_activityevent_rules/gsuite_suspicious_logins.py) -[ GSuite Unapproved Login Type](../gsuite_activityevent_rules/gsuite_login_type.py) +[ GSuite Unapproved Login Type](../rules/gsuite_activityevent_rules/gsuite_login_type.py) ## Account Alerts -[ GSuite Government Backed Attack](../gsuite_activityevent_rules/gsuite_gov_attack.py) +[ GSuite Government Backed Attack](../rules/gsuite_activityevent_rules/gsuite_gov_attack.py) -[ GSuite Low Severity Rule Triggered](../gsuite_activityevent_rules/gsuite_low_severity_rule.py) +[ GSuite Low Severity Rule Triggered](../rules/gsuite_activityevent_rules/gsuite_low_severity_rule.py) -[ GSuite Medium Severity Rule Triggered](../gsuite_activityevent_rules/gsuite_medium_severity_rule.py) +[ GSuite Medium Severity Rule Triggered](../rules/gsuite_activityevent_rules/gsuite_medium_severity_rule.py) -[ GSuite High Severity Rule Triggered](../gsuite_activityevent_rules/gsuite_high_severity_rule.py) +[ GSuite High Severity Rule Triggered](../rules/gsuite_activityevent_rules/gsuite_high_severity_rule.py) -[ Google Accessed a GSuite 
Resource](../gsuite_activityevent_rules/gsuite_google_access.py) +[ Google Accessed a GSuite Resource](../rules/gsuite_activityevent_rules/gsuite_google_access.py) diff --git a/indexes/okta.md b/indexes/okta.md index ea1df4b8a..1290469c4 100644 --- a/indexes/okta.md +++ b/indexes/okta.md 
@@ -1,28 +1,28 @@ ## Rules -[ Okta MFA Globally Disabled](../okta_rules/okta_admin_disabled_mfa.py) +[ Okta MFA Globally Disabled](../rules/okta_rules/okta_admin_disabled_mfa.py) -[ Okta API Key Revoked](../okta_rules/okta_api_key_revoked.py) +[ Okta API Key Revoked](../rules/okta_rules/okta_api_key_revoked.py) -[ Geographically Improbable Okta Login](../okta_rules/okta_geo_improbable_access.py) +[ Geographically Improbable Okta Login](../rules/okta_rules/okta_geo_improbable_access.py) -[ Okta Support Reset Credential](../okta_rules/okta_support_reset.py) +[ Okta Support Reset Credential](../rules/okta_rules/okta_support_reset.py) -[ Okta Admin Role Assigned](../okta_rules/okta_admin_role_assigned.py) +[ Okta Admin Role Assigned](../rules/okta_rules/okta_admin_role_assigned.py) -[ Okta API Key Created](../okta_rules/okta_api_key_created.py) +[ Okta API Key Created](../rules/okta_rules/okta_api_key_created.py) -[ Okta Support Access Granted](../okta_rules/okta_account_support_access.py) +[ Okta Support Access Granted](../rules/okta_rules/okta_account_support_access.py) ## Investigative Queries -[Session ID Audit ](../okta_queries/okta_session_id_audit.yml) +[Session ID Audit ](../queries/okta_queries/okta_session_id_audit.yml) -[MFA and Password Reset Audit ](../okta_queries/okta_mfa_password_reset_audit.yml) +[MFA and Password Reset Audit ](../queries/okta_queries/okta_mfa_password_reset_audit.yml) -[Admin Access Granted](../okta_queries/okta_admin_access_granted.yml) +[Admin Access Granted](../queries/okta_queries/okta_admin_access_granted.yml) -[Support Access](../okta_queries/okta_support_access.yml) +[Support Access](../queries/okta_queries/okta_support_access.yml) -[User Activity Audit](../okta_queries/okta_activity_audit.yml) +[User Activity Audit](../queries/okta_queries/okta_activity_audit.yml) diff --git a/indexes/onelogin.md b/indexes/onelogin.md index 400f0d3c2..f43b343b9 100644 --- a/indexes/onelogin.md +++ b/indexes/onelogin.md 
@@ -1,43 +1,43 @@ -[ OneLogin High Risk Login](../onelogin_rules/onelogin_high_risk_login.py) +[ OneLogin High Risk Login](../rules/onelogin_rules/onelogin_high_risk_login.py) -[ OneLogin Multiple Accounts Deleted](../onelogin_rules/onelogin_threshold_accounts_deleted.py) +[ OneLogin Multiple Accounts Deleted](../rules/onelogin_rules/onelogin_threshold_accounts_deleted.py) -[ OneLogin Password Access](../onelogin_rules/onelogin_password_accessed.py) +[ OneLogin Password Access](../rules/onelogin_rules/onelogin_password_accessed.py) -[ OneLogin Authentication Factor Removed](../onelogin_rules/onelogin_remove_authentication_factor.py) +[ OneLogin Authentication Factor Removed](../rules/onelogin_rules/onelogin_remove_authentication_factor.py) -[ OneLogin Failed High Risk Login](../onelogin_rules/onelogin_high_risk_failed_login.py) +[ OneLogin Failed High Risk Login](../rules/onelogin_rules/onelogin_high_risk_failed_login.py) -[ OneLogin Multiple Accounts Modified](../onelogin_rules/onelogin_threshold_accounts_modified.py) +[ OneLogin Multiple Accounts Modified](../rules/onelogin_rules/onelogin_threshold_accounts_modified.py) -[ OneLogin User Locked](../onelogin_rules/onelogin_user_account_locked.py) +[ OneLogin User Locked](../rules/onelogin_rules/onelogin_user_account_locked.py) -[ OneLogin User Password Changed](../onelogin_rules/onelogin_password_changed.py) +[ OneLogin User Password Changed](../rules/onelogin_rules/onelogin_password_changed.py) -[ OneLogin User Assumed Another User](../onelogin_rules/onelogin_user_assumed.py) +[ OneLogin User Assumed Another User](../rules/onelogin_rules/onelogin_user_assumed.py) -[ OneLogin Unauthorized Access](../onelogin_rules/onelogin_unauthorized_access.py) +[ OneLogin Unauthorized Access](../rules/onelogin_rules/onelogin_unauthorized_access.py) -[ OneLogin Active Login Activity](../onelogin_rules/onelogin_active_login_activity.py) +[ OneLogin Active Login Activity](../rules/onelogin_rules/onelogin_active_login_activity.py) 
-[ OneLogin High Risk Login](../onelogin_rules/onelogin_high_risk_login.py) +[ OneLogin High Risk Login](../rules/onelogin_rules/onelogin_high_risk_login.py) -[ OneLogin Multiple Accounts Deleted](../onelogin_rules/onelogin_threshold_accounts_deleted.py) +[ OneLogin Multiple Accounts Deleted](../rules/onelogin_rules/onelogin_threshold_accounts_deleted.py) -[ OneLogin Password Access](../onelogin_rules/onelogin_password_accessed.py) +[ OneLogin Password Access](../rules/onelogin_rules/onelogin_password_accessed.py) -[ OneLogin Authentication Factor Removed](../onelogin_rules/onelogin_remove_authentication_factor.py) +[ OneLogin Authentication Factor Removed](../rules/onelogin_rules/onelogin_remove_authentication_factor.py) -[ OneLogin Failed High Risk Login](../onelogin_rules/onelogin_high_risk_failed_login.py) +[ OneLogin Failed High Risk Login](../rules/onelogin_rules/onelogin_high_risk_failed_login.py) -[ OneLogin Multiple Accounts Modified](../onelogin_rules/onelogin_threshold_accounts_modified.py) +[ OneLogin Multiple Accounts Modified](../rules/onelogin_rules/onelogin_threshold_accounts_modified.py) -[ OneLogin User Locked](../onelogin_rules/onelogin_user_account_locked.py) +[ OneLogin User Locked](../rules/onelogin_rules/onelogin_user_account_locked.py) -[ OneLogin User Password Changed](../onelogin_rules/onelogin_password_changed.py) +[ OneLogin User Password Changed](../rules/onelogin_rules/onelogin_password_changed.py) -[ OneLogin User Assumed Another User](../onelogin_rules/onelogin_user_assumed.py) +[ OneLogin User Assumed Another User](../rules/onelogin_rules/onelogin_user_assumed.py) -[ OneLogin Unauthorized Access](../onelogin_rules/onelogin_unauthorized_access.py) +[ OneLogin Unauthorized Access](../rules/onelogin_rules/onelogin_unauthorized_access.py) -[ OneLogin Active Login Activity](../onelogin_rules/onelogin_active_login_activity.py) +[ OneLogin Active Login Activity](../rules/onelogin_rules/onelogin_active_login_activity.py) 
diff --git a/indexes/onepass.md b/indexes/onepass.md index 205bc970d..d8ee2124b 100644 --- a/indexes/onepass.md +++ b/indexes/onepass.md @@ -1,6 +1,6 @@ -[ Unusual 1Password Client Detected](../onepassword_rules/onepassword_unusual_client.py) +[ Unusual 1Password Client Detected](../rules/onepassword_rules/onepassword_unusual_client.py) -[ BETA - Sensitive 1Password Item Accessed](../onepassword_rules/onepassword_lut_sensitive_item_access.py) +[ BETA - Sensitive 1Password Item Accessed](../rules/onepassword_rules/onepassword_lut_sensitive_item_access.py) -[ Configuration Required - Sensitive 1Password Item Accessed](../onepassword_rules/onepassword_sensitive_item_access.py) +[ Configuration Required - Sensitive 1Password Item Accessed](../rules/onepassword_rules/onepassword_sensitive_item_access.py) diff --git a/indexes/osquery.md b/indexes/osquery.md index 44c6b301b..69119a1ba 100644 --- a/indexes/osquery.md +++ b/indexes/osquery.md 
@@ -1,28 +1,28 @@ ## Linux -[ A Login from Outside the Corporate Office](../osquery_rules/osquery_linux_logins_non_office.py) +[ A Login from Outside the Corporate Office](../rules/osquery_rules/osquery_linux_logins_non_office.py) -[ AWS command executed on the command line](../osquery_rules/osquery_linux_aws_commands.py) +[ AWS command executed on the command line](../rules/osquery_rules/osquery_linux_aws_commands.py) ## MacOS -[ OSQuery Reports Application Firewall Disabled](../osquery_rules/osquery_mac_enable_auto_update.py) +[ OSQuery Reports Application Firewall Disabled](../rules/osquery_rules/osquery_mac_enable_auto_update.py) -[ Unsupported macOS version](../osquery_rules/osquery_outdated_macos.py) +[ Unsupported macOS version](../rules/osquery_rules/osquery_outdated_macos.py) -[ MacOS ALF is misconfigured](../osquery_rules/osquery_mac_application_firewall.py) +[ MacOS ALF is misconfigured](../rules/osquery_rules/osquery_mac_application_firewall.py) -[ MacOS Keyboard Events](../osquery_rules/osquery_mac_osx_attacks_keyboard_events.py) +[ MacOS Keyboard Events](../rules/osquery_rules/osquery_mac_osx_attacks_keyboard_events.py) -[ macOS Malware Detected with osquery](../osquery_rules/osquery_mac_osx_attacks.py) +[ macOS Malware Detected with osquery](../rules/osquery_rules/osquery_mac_osx_attacks.py) ## OSQuery Config and Universal -[ OSQuery Detected SSH Listener](../osquery_rules/osquery_ssh_listener.py) +[ OSQuery Detected SSH Listener](../rules/osquery_rules/osquery_ssh_listener.py) -[ Suspicious cron detected](../osquery_rules/osquery_suspicious_cron.py) +[ Suspicious cron detected](../rules/osquery_rules/osquery_suspicious_cron.py) -[ OSQuery Detected Unwanted Chrome Extensions](../osquery_rules/osquery_mac_unwanted_chrome_extensions.py) +[ OSQuery Detected Unwanted Chrome Extensions](../rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.py) -[ Osquery Agent Outdated](../osquery_rules/osquery_outdated.py) +[ Osquery Agent 
Outdated](../rules/osquery_rules/osquery_outdated.py) -[ OSSEC Rootkit Detected via Osquery](../osquery_rules/osquery_ossec.py) +[ OSSEC Rootkit Detected via Osquery](../rules/osquery_rules/osquery_ossec.py) diff --git a/indexes/saas.md b/indexes/saas.md index 1b0f4fef3..314f0a24b 100644 --- a/indexes/saas.md +++ b/indexes/saas.md 
@@ -1,88 +1,88 @@ ## 1Password -[ Unusual 1Password Client Detected](../onepassword_rules/onepassword_unusual_client.py) +[ Unusual 1Password Client Detected](../rules/onepassword_rules/onepassword_unusual_client.py) -[ BETA - Sensitive 1Password Item Accessed](../onepassword_rules/onepassword_lut_sensitive_item_access.py) +[ BETA - Sensitive 1Password Item Accessed](../rules/onepassword_rules/onepassword_lut_sensitive_item_access.py) -[ Configuration Required - Sensitive 1Password Item Accessed](../onepassword_rules/onepassword_sensitive_item_access.py) +[ Configuration Required - Sensitive 1Password Item Accessed](../rules/onepassword_rules/onepassword_sensitive_item_access.py) ## Gravitational Teleport -[ Teleport Suspicious Commands Executed](../gravitational_teleport_rules/teleport_suspicious_commands.py) +[ Teleport Suspicious Commands Executed](../rules/gravitational_teleport_rules/teleport_suspicious_commands.py) -[ Teleport SSH Auth Errors](../gravitational_teleport_rules/teleport_auth_errors.py) +[ Teleport SSH Auth Errors](../rules/gravitational_teleport_rules/teleport_auth_errors.py) -[ Teleport Create User Accounts](../gravitational_teleport_rules/teleport_create_user_accounts.py) +[ Teleport Create User Accounts](../rules/gravitational_teleport_rules/teleport_create_user_accounts.py) -[ Teleport Scheduled Jobs](../gravitational_teleport_rules/teleport_scheduled_jobs.py) +[ Teleport Scheduled Jobs](../rules/gravitational_teleport_rules/teleport_scheduled_jobs.py) -[ Teleport Network Scan Initiated](../gravitational_teleport_rules/teleport_network_scanning.py) +[ Teleport Network Scan Initiated](../rules/gravitational_teleport_rules/teleport_network_scanning.py) -[ Teleport Suspicious Commands Executed](../gravitational_teleport_rules/teleport_suspicious_commands.py) +[ Teleport Suspicious Commands Executed](../rules/gravitational_teleport_rules/teleport_suspicious_commands.py) -[ Teleport SSH Auth 
Errors](../gravitational_teleport_rules/teleport_auth_errors.py) +[ Teleport SSH Auth Errors](../rules/gravitational_teleport_rules/teleport_auth_errors.py) -[ Teleport Create User Accounts](../gravitational_teleport_rules/teleport_create_user_accounts.py) +[ Teleport Create User Accounts](../rules/gravitational_teleport_rules/teleport_create_user_accounts.py) -[ Teleport Scheduled Jobs](../gravitational_teleport_rules/teleport_scheduled_jobs.py) +[ Teleport Scheduled Jobs](../rules/gravitational_teleport_rules/teleport_scheduled_jobs.py) -[ Teleport Network Scan Initiated](../gravitational_teleport_rules/teleport_network_scanning.py) +[ Teleport Network Scan Initiated](../rules/gravitational_teleport_rules/teleport_network_scanning.py) ## Zendesk -[ Zendesk User Suspension Status Changed](../zendesk_rules/zendesk_user_suspension.py) +[ Zendesk User Suspension Status Changed](../rules/zendesk_rules/zendesk_user_suspension.py) -[ Zendesk Account Owner Changed](../zendesk_rules/zendesk_new_owner.py) +[ Zendesk Account Owner Changed](../rules/zendesk_rules/zendesk_new_owner.py) -[ Zendesk User Role Changed](../zendesk_rules/zendesk_user_role.py) +[ Zendesk User Role Changed](../rules/zendesk_rules/zendesk_user_role.py) -[ Zendesk Mobile App Access Modified](../zendesk_rules/zendesk_mobile_app_access.py) +[ Zendesk Mobile App Access Modified](../rules/zendesk_rules/zendesk_mobile_app_access.py) -[ Zendesk Credit Card Redaction Off](../zendesk_rules/zendesk_sensitive_data_redaction.py) +[ Zendesk Credit Card Redaction Off](../rules/zendesk_rules/zendesk_sensitive_data_redaction.py) -[ Zendesk API Token Created](../zendesk_rules/zendesk_new_api_token.py) +[ Zendesk API Token Created](../rules/zendesk_rules/zendesk_new_api_token.py) -[ Enabled Zendesk Support to Assume Users](../zendesk_rules/zendesk_user_assumption.py) +[ Enabled Zendesk Support to Assume Users](../rules/zendesk_rules/zendesk_user_assumption.py) -[ Zendesk User Suspension Status 
Changed](../zendesk_rules/zendesk_user_suspension.py) +[ Zendesk User Suspension Status Changed](../rules/zendesk_rules/zendesk_user_suspension.py) -[ Zendesk Account Owner Changed](../zendesk_rules/zendesk_new_owner.py) +[ Zendesk Account Owner Changed](../rules/zendesk_rules/zendesk_new_owner.py) -[ Zendesk User Role Changed](../zendesk_rules/zendesk_user_role.py) +[ Zendesk User Role Changed](../rules/zendesk_rules/zendesk_user_role.py) -[ Zendesk Mobile App Access Modified](../zendesk_rules/zendesk_mobile_app_access.py) +[ Zendesk Mobile App Access Modified](../rules/zendesk_rules/zendesk_mobile_app_access.py) -[ Zendesk Credit Card Redaction Off](../zendesk_rules/zendesk_sensitive_data_redaction.py) +[ Zendesk Credit Card Redaction Off](../rules/zendesk_rules/zendesk_sensitive_data_redaction.py) -[ Zendesk API Token Created](../zendesk_rules/zendesk_new_api_token.py) +[ Zendesk API Token Created](../rules/zendesk_rules/zendesk_new_api_token.py) -[ Enabled Zendesk Support to Assume Users](../zendesk_rules/zendesk_user_assumption.py) +[ Enabled Zendesk Support to Assume Users](../rules/zendesk_rules/zendesk_user_assumption.py) ## Zoom -[ Zoom User Granted Admin Rights](../zoom_operation_rules/zoom_operation_user_granted_admin.py) +[ Zoom User Granted Admin Rights](../rules/zoom_operation_rules/zoom_operation_user_granted_admin.py) -[ Zoom Meeting Passcode Disabled](../zoom_operation_rules/zoom_operation_passcode_disabled.py) +[ Zoom Meeting Passcode Disabled](../rules/zoom_operation_rules/zoom_operation_passcode_disabled.py) -[ Zoom User Granted Admin Rights](../zoom_operation_rules/zoom_operation_user_granted_admin.py) +[ Zoom User Granted Admin Rights](../rules/zoom_operation_rules/zoom_operation_user_granted_admin.py) -[ Zoom Meeting Passcode Disabled](../zoom_operation_rules/zoom_operation_passcode_disabled.py) +[ Zoom Meeting Passcode Disabled](../rules/zoom_operation_rules/zoom_operation_passcode_disabled.py) ## Box -[ Box Access 
Granted](../box_rules/box_access_granted.py) +[ Box Access Granted](../rules/box_rules/box_access_granted.py) -[ Box Content Workflow Policy Violation](../box_rules/box_policy_violation.py) +[ Box Content Workflow Policy Violation](../rules/box_rules/box_policy_violation.py) -[ Box Large Number of Downlaods](../box_rules/box_user_downloads.py) +[ Box Large Number of Downlaods](../rules/box_rules/box_user_downloads.py) -[ Box Large Number of Permission Changes](../box_rules/box_user_permission_updates.py) +[ Box Large Number of Permission Changes](../rules/box_rules/box_user_permission_updates.py) -[ Box New Login](../box_rules/box_new_login.py) +[ Box New Login](../rules/box_rules/box_new_login.py) -[ Box Shield Detected Anomalous Download Activity](../box_rules/box_anomalous_download.py) +[ Box Shield Detected Anomalous Download Activity](../rules/box_rules/box_anomalous_download.py) -[ Box Shield Suspicious Alert Triggered](../box_rules/box_suspicious_login_or_session.py) +[ Box Shield Suspicious Alert Triggered](../rules/box_rules/box_suspicious_login_or_session.py) -[ Box Untrusted Device Login](../box_rules/box_untrusted_device.py) +[ Box Untrusted Device Login](../rules/box_rules/box_untrusted_device.py) -[ Box event triggered by unknown or external user](../box_rules/box_event_triggered_externally.py) +[ Box event triggered by unknown or external user](../rules/box_rules/box_event_triggered_externally.py) -[ Box item shared externally](../box_rules/box_item_shared_externally.py) +[ Box item shared externally](../rules/box_rules/box_item_shared_externally.py) -[ Malicious Content Detected](../box_rules/box_malicious_content.py) +[ Malicious Content Detected](../rules/box_rules/box_malicious_content.py) diff --git a/indexes/snowflake.md b/indexes/snowflake.md index 8783645ab..b3298607f 100644 --- a/indexes/snowflake.md +++ b/indexes/snowflake.md 
@@ -1,25 +1,25 @@ # Users and Authentication -[ Snowflake Brute Force Attacks by Username](../snowflake_queries/snowflake_brute_force_username_query.yml) +[ Snowflake Brute Force Attacks by Username](../queries/snowflake_queries/snowflake_brute_force_username_query.yml) -[ Snowflake User Created](../snowflake_queries/snowflake_user_created_query.yml) +[ Snowflake User Created](../queries/snowflake_queries/snowflake_user_created_query.yml) -[ Snowflake Brute Force Attacks by IP ](../snowflake_queries/snowflake_brute_force_ip_query.yml) +[ Snowflake Brute Force Attacks by IP ](../queries/snowflake_queries/snowflake_brute_force_ip_query.yml) -[ Snowflake User Enabled](../snowflake_queries/snowflake_user_enabled_query.yml) +[ Snowflake User Enabled](../queries/snowflake_queries/snowflake_user_enabled_query.yml) -[ Snowflake Account Admin Granted](../snowflake_queries/snowflake_account_admin_assigned_query.yml) +[ Snowflake Account Admin Granted](../queries/snowflake_queries/snowflake_account_admin_assigned_query.yml) -[ Snowflake user with key-based auth logged in with password auth](../snowflake_queries/snowflake_key_user_password_login_query.yml) +[ Snowflake user with key-based auth logged in with password auth](../queries/snowflake_queries/snowflake_key_user_password_login_query.yml) -[ Snowflake Login Without MFA](../snowflake_queries/snowflake_login_without_mfa_query.yml) +[ Snowflake Login Without MFA](../queries/snowflake_queries/snowflake_login_without_mfa_query.yml) -[ Unusual Volume of Snowflake Logins Detected](../snowflake_queries/snowflake_unusual_login_volume_query.yml) +[ Unusual Volume of Snowflake Logins Detected](../queries/snowflake_queries/snowflake_unusual_login_volume_query.yml) -[ Snowflake Grant to Public Role](../snowflake_queries/snowflake_public_role_grant_query.yml) +[ Snowflake Grant to Public Role](../queries/snowflake_queries/snowflake_public_role_grant_query.yml) ## Secure Configuration and Admin Actions -[ Privileged Object 
Changes](../snowflake_queries/snowflake_privileged_object_changes_query.yml) +[ Privileged Object Changes](../queries/snowflake_queries/snowflake_privileged_object_changes_query.yml) -[ Snowflake network policy modified](../snowflake_queries/snowflake_network_policy_modified_query.yml) +[ Snowflake network policy modified](../queries/snowflake_queries/snowflake_network_policy_modified_query.yml) -[Snowflake SCIM Token Created](../snowflake_queries/snowflake_scim_token_created_query.yml) \ No newline at end of file +[Snowflake SCIM Token Created](../queries/snowflake_queries/snowflake_scim_token_created_query.yml) \ No newline at end of file diff --git a/indexes/standard.md b/indexes/standard.md index 9b17b0ef6..549ed1d1f 100644 --- a/indexes/standard.md +++ b/indexes/standard.md @@ -1,7 +1,7 @@ ## Panther Standard Detections ### Supported Log Types are listed below each detection -[ Unusual Login](../standard_rules/unusual_login.py) +[ Unusual Login](../rules/standard_rules/unusual_login.py) - Asana - Atlassian - AWS CloudTrail @@ -12,13 +12,13 @@ - Zoom - 1Password -[ MFA Disabled](../standard_rules/mfa_disabled.py) +[ MFA Disabled](../rules/standard_rules/mfa_disabled.py) - Atlassian - GitHub - Zendesk - Okta -[ Brute Force By IP](../standard_rules/brute_force_by_ip.py) +[ Brute Force By IP](../rules/standard_rules/brute_force_by_ip.py) - Asana - Atlassian @@ -29,7 +29,7 @@ - OneLogin - 1Password -[ Admin Role Assigned](../standard_rules/admin_assigned.py) +[ Admin Role Assigned](../rules/standard_rules/admin_assigned.py) - Asana - Atlassian diff --git a/aws_account_policies/aws_password_policy_complexity_guidelines.py b/policies/aws_account_policies/aws_password_policy_complexity_guidelines.py similarity index 100% rename from aws_account_policies/aws_password_policy_complexity_guidelines.py rename to policies/aws_account_policies/aws_password_policy_complexity_guidelines.py 
diff --git a/aws_account_policies/aws_password_policy_complexity_guidelines.yml b/policies/aws_account_policies/aws_password_policy_complexity_guidelines.yml
similarity index 100%
rename from aws_account_policies/aws_password_policy_complexity_guidelines.yml
rename to policies/aws_account_policies/aws_password_policy_complexity_guidelines.yml
diff --git a/aws_account_policies/aws_password_policy_password_age_limit.py b/policies/aws_account_policies/aws_password_policy_password_age_limit.py
similarity index 100%
rename from aws_account_policies/aws_password_policy_password_age_limit.py
rename to policies/aws_account_policies/aws_password_policy_password_age_limit.py
diff --git a/aws_account_policies/aws_password_policy_password_age_limit.yml b/policies/aws_account_policies/aws_password_policy_password_age_limit.yml
similarity index 100%
rename from aws_account_policies/aws_password_policy_password_age_limit.yml
rename to policies/aws_account_policies/aws_password_policy_password_age_limit.yml
diff --git a/aws_account_policies/aws_password_policy_password_reuse.py b/policies/aws_account_policies/aws_password_policy_password_reuse.py
similarity index 100%
rename from aws_account_policies/aws_password_policy_password_reuse.py
rename to policies/aws_account_policies/aws_password_policy_password_reuse.py
diff --git a/aws_account_policies/aws_password_policy_password_reuse.yml b/policies/aws_account_policies/aws_password_policy_password_reuse.yml
similarity index 100%
rename from aws_account_policies/aws_password_policy_password_reuse.yml
rename to policies/aws_account_policies/aws_password_policy_password_reuse.yml
diff --git a/aws_account_policies/aws_resource_minimum_tags.py b/policies/aws_account_policies/aws_resource_minimum_tags.py
similarity index 100%
rename from aws_account_policies/aws_resource_minimum_tags.py
rename to policies/aws_account_policies/aws_resource_minimum_tags.py
diff --git a/aws_account_policies/aws_resource_minimum_tags.yml b/policies/aws_account_policies/aws_resource_minimum_tags.yml
similarity index 100%
rename from aws_account_policies/aws_resource_minimum_tags.yml
rename to policies/aws_account_policies/aws_resource_minimum_tags.yml
diff --git a/aws_account_policies/aws_resource_required_tags.py b/policies/aws_account_policies/aws_resource_required_tags.py
similarity index 100%
rename from aws_account_policies/aws_resource_required_tags.py
rename to policies/aws_account_policies/aws_resource_required_tags.py
diff --git a/aws_account_policies/aws_resource_required_tags.yml b/policies/aws_account_policies/aws_resource_required_tags.yml
similarity index 100%
rename from aws_account_policies/aws_resource_required_tags.yml
rename to policies/aws_account_policies/aws_resource_required_tags.yml
diff --git a/aws_acm_policies/aws_acm_certificate_expiration.py b/policies/aws_acm_policies/aws_acm_certificate_expiration.py
similarity index 100%
rename from aws_acm_policies/aws_acm_certificate_expiration.py
rename to policies/aws_acm_policies/aws_acm_certificate_expiration.py
diff --git a/aws_acm_policies/aws_acm_certificate_expiration.yml b/policies/aws_acm_policies/aws_acm_certificate_expiration.yml
similarity index 100%
rename from aws_acm_policies/aws_acm_certificate_expiration.yml
rename to policies/aws_acm_policies/aws_acm_certificate_expiration.yml
diff --git a/aws_acm_policies/aws_acm_certificate_has_secure_algorithms.py b/policies/aws_acm_policies/aws_acm_certificate_has_secure_algorithms.py
similarity index 100%
rename from aws_acm_policies/aws_acm_certificate_has_secure_algorithms.py
rename to policies/aws_acm_policies/aws_acm_certificate_has_secure_algorithms.py
diff --git a/aws_acm_policies/aws_acm_certificate_has_secure_algorithms.yml b/policies/aws_acm_policies/aws_acm_certificate_has_secure_algorithms.yml
similarity index 100%
rename from aws_acm_policies/aws_acm_certificate_has_secure_algorithms.yml
rename to policies/aws_acm_policies/aws_acm_certificate_has_secure_algorithms.yml
diff --git a/aws_acm_policies/aws_acm_certificate_valid.py b/policies/aws_acm_policies/aws_acm_certificate_valid.py
similarity index 100%
rename from aws_acm_policies/aws_acm_certificate_valid.py
rename to policies/aws_acm_policies/aws_acm_certificate_valid.py
diff --git a/aws_acm_policies/aws_acm_certificate_valid.yml b/policies/aws_acm_policies/aws_acm_certificate_valid.yml
similarity index 100%
rename from aws_acm_policies/aws_acm_certificate_valid.yml
rename to policies/aws_acm_policies/aws_acm_certificate_valid.yml
diff --git a/aws_cloudformation_policies/aws_cloudformation_stack_drifted.py b/policies/aws_cloudformation_policies/aws_cloudformation_stack_drifted.py
similarity index 100%
rename from aws_cloudformation_policies/aws_cloudformation_stack_drifted.py
rename to policies/aws_cloudformation_policies/aws_cloudformation_stack_drifted.py
diff --git a/aws_cloudformation_policies/aws_cloudformation_stack_drifted.yml b/policies/aws_cloudformation_policies/aws_cloudformation_stack_drifted.yml
similarity index 100%
rename from aws_cloudformation_policies/aws_cloudformation_stack_drifted.yml
rename to policies/aws_cloudformation_policies/aws_cloudformation_stack_drifted.yml
diff --git a/aws_cloudformation_policies/aws_cloudformation_stack_uses_iam_role.py b/policies/aws_cloudformation_policies/aws_cloudformation_stack_uses_iam_role.py
similarity index 100%
rename from aws_cloudformation_policies/aws_cloudformation_stack_uses_iam_role.py
rename to policies/aws_cloudformation_policies/aws_cloudformation_stack_uses_iam_role.py
diff --git a/aws_cloudformation_policies/aws_cloudformation_stack_uses_iam_role.yml b/policies/aws_cloudformation_policies/aws_cloudformation_stack_uses_iam_role.yml
similarity index 100%
rename from aws_cloudformation_policies/aws_cloudformation_stack_uses_iam_role.yml
rename to policies/aws_cloudformation_policies/aws_cloudformation_stack_uses_iam_role.yml
diff --git a/aws_cloudformation_policies/aws_cloudformation_termination_protection.py b/policies/aws_cloudformation_policies/aws_cloudformation_termination_protection.py
similarity index 100%
rename from aws_cloudformation_policies/aws_cloudformation_termination_protection.py
rename to policies/aws_cloudformation_policies/aws_cloudformation_termination_protection.py
diff --git a/aws_cloudformation_policies/aws_cloudformation_termination_protection.yml b/policies/aws_cloudformation_policies/aws_cloudformation_termination_protection.yml
similarity index 100%
rename from aws_cloudformation_policies/aws_cloudformation_termination_protection.yml
rename to policies/aws_cloudformation_policies/aws_cloudformation_termination_protection.yml
diff --git a/aws_cloudtrail_policies/aws_cloudtrail_cloudwatch_logs.py b/policies/aws_cloudtrail_policies/aws_cloudtrail_cloudwatch_logs.py
similarity index 100%
rename from aws_cloudtrail_policies/aws_cloudtrail_cloudwatch_logs.py
rename to policies/aws_cloudtrail_policies/aws_cloudtrail_cloudwatch_logs.py
diff --git a/aws_cloudtrail_policies/aws_cloudtrail_cloudwatch_logs.yml b/policies/aws_cloudtrail_policies/aws_cloudtrail_cloudwatch_logs.yml
similarity index 100%
rename from aws_cloudtrail_policies/aws_cloudtrail_cloudwatch_logs.yml
rename to policies/aws_cloudtrail_policies/aws_cloudtrail_cloudwatch_logs.yml
diff --git a/aws_cloudtrail_policies/aws_cloudtrail_enabled.py b/policies/aws_cloudtrail_policies/aws_cloudtrail_enabled.py
similarity index 100%
rename from aws_cloudtrail_policies/aws_cloudtrail_enabled.py
rename to policies/aws_cloudtrail_policies/aws_cloudtrail_enabled.py
diff --git a/aws_cloudtrail_policies/aws_cloudtrail_enabled.yml b/policies/aws_cloudtrail_policies/aws_cloudtrail_enabled.yml
similarity index 100%
rename from aws_cloudtrail_policies/aws_cloudtrail_enabled.yml
rename to policies/aws_cloudtrail_policies/aws_cloudtrail_enabled.yml
diff --git a/aws_cloudtrail_policies/aws_cloudtrail_log_encryption.py b/policies/aws_cloudtrail_policies/aws_cloudtrail_log_encryption.py
similarity index 100%
rename from aws_cloudtrail_policies/aws_cloudtrail_log_encryption.py
rename to policies/aws_cloudtrail_policies/aws_cloudtrail_log_encryption.py
diff --git a/aws_cloudtrail_policies/aws_cloudtrail_log_encryption.yml b/policies/aws_cloudtrail_policies/aws_cloudtrail_log_encryption.yml
similarity index 100%
rename from aws_cloudtrail_policies/aws_cloudtrail_log_encryption.yml
rename to policies/aws_cloudtrail_policies/aws_cloudtrail_log_encryption.yml
diff --git a/aws_cloudtrail_policies/aws_cloudtrail_log_validation.py b/policies/aws_cloudtrail_policies/aws_cloudtrail_log_validation.py
similarity index 100%
rename from aws_cloudtrail_policies/aws_cloudtrail_log_validation.py
rename to policies/aws_cloudtrail_policies/aws_cloudtrail_log_validation.py
diff --git a/aws_cloudtrail_policies/aws_cloudtrail_log_validation.yml b/policies/aws_cloudtrail_policies/aws_cloudtrail_log_validation.yml
similarity index 100%
rename from aws_cloudtrail_policies/aws_cloudtrail_log_validation.yml
rename to policies/aws_cloudtrail_policies/aws_cloudtrail_log_validation.yml
diff --git a/aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_access_logging.py b/policies/aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_access_logging.py
similarity index 100%
rename from aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_access_logging.py
rename to policies/aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_access_logging.py
diff --git a/aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_access_logging.yml b/policies/aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_access_logging.yml
similarity index 100%
rename from aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_access_logging.yml
rename to policies/aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_access_logging.yml
diff --git a/aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_public.py b/policies/aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_public.py
similarity index 100%
rename from aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_public.py
rename to policies/aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_public.py
diff --git a/aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_public.yml b/policies/aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_public.yml
similarity index 100%
rename from aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_public.yml
rename to policies/aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_public.yml
diff --git a/aws_cloudwatch_policies/aws_cloudwatch_loggroup_data_retention.py b/policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_data_retention.py
similarity index 100%
rename from aws_cloudwatch_policies/aws_cloudwatch_loggroup_data_retention.py
rename to policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_data_retention.py
diff --git a/aws_cloudwatch_policies/aws_cloudwatch_loggroup_data_retention.yml b/policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_data_retention.yml
similarity index 100%
rename from aws_cloudwatch_policies/aws_cloudwatch_loggroup_data_retention.yml
rename to policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_data_retention.yml
diff --git a/aws_cloudwatch_policies/aws_cloudwatch_loggroup_encrypted.py b/policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_encrypted.py
similarity index 100%
rename from aws_cloudwatch_policies/aws_cloudwatch_loggroup_encrypted.py
rename to policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_encrypted.py
diff --git a/aws_cloudwatch_policies/aws_cloudwatch_loggroup_encrypted.yml b/policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_encrypted.yml
similarity index 100%
rename from aws_cloudwatch_policies/aws_cloudwatch_loggroup_encrypted.yml
rename to policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_encrypted.yml
diff --git a/aws_cloudwatch_policies/aws_cloudwatch_loggroup_sensitive_encrypted.py b/policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_sensitive_encrypted.py
similarity index 100%
rename from aws_cloudwatch_policies/aws_cloudwatch_loggroup_sensitive_encrypted.py
rename to policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_sensitive_encrypted.py
diff --git a/aws_cloudwatch_policies/aws_cloudwatch_loggroup_sensitive_encrypted.yml b/policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_sensitive_encrypted.yml
similarity index 100%
rename from aws_cloudwatch_policies/aws_cloudwatch_loggroup_sensitive_encrypted.yml
rename to policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_sensitive_encrypted.yml
diff --git a/aws_config_policies/aws_config_all_resource_types.py b/policies/aws_config_policies/aws_config_all_resource_types.py
similarity index 100%
rename from aws_config_policies/aws_config_all_resource_types.py
rename to policies/aws_config_policies/aws_config_all_resource_types.py
diff --git a/aws_config_policies/aws_config_all_resource_types.yml b/policies/aws_config_policies/aws_config_all_resource_types.yml
similarity index 100%
rename from aws_config_policies/aws_config_all_resource_types.yml
rename to policies/aws_config_policies/aws_config_all_resource_types.yml
diff --git a/aws_config_policies/aws_config_global_resources.py b/policies/aws_config_policies/aws_config_global_resources.py
similarity index 100%
rename from aws_config_policies/aws_config_global_resources.py
rename to policies/aws_config_policies/aws_config_global_resources.py
diff --git a/aws_config_policies/aws_config_global_resources.yml b/policies/aws_config_policies/aws_config_global_resources.yml
similarity index 100%
rename from aws_config_policies/aws_config_global_resources.yml
rename to policies/aws_config_policies/aws_config_global_resources.yml
diff --git a/aws_config_policies/aws_config_recording_enabled.py b/policies/aws_config_policies/aws_config_recording_enabled.py
similarity index 100%
rename from aws_config_policies/aws_config_recording_enabled.py
rename to policies/aws_config_policies/aws_config_recording_enabled.py
diff --git a/aws_config_policies/aws_config_recording_enabled.yml b/policies/aws_config_policies/aws_config_recording_enabled.yml
similarity index 100%
rename from aws_config_policies/aws_config_recording_enabled.yml
rename to policies/aws_config_policies/aws_config_recording_enabled.yml
diff --git a/aws_config_policies/aws_config_recording_no_error.py b/policies/aws_config_policies/aws_config_recording_no_error.py
similarity index 100%
rename from aws_config_policies/aws_config_recording_no_error.py
rename to policies/aws_config_policies/aws_config_recording_no_error.py
diff --git a/aws_config_policies/aws_config_recording_no_error.yml b/policies/aws_config_policies/aws_config_recording_no_error.yml
similarity index 100%
rename from aws_config_policies/aws_config_recording_no_error.yml
rename to policies/aws_config_policies/aws_config_recording_no_error.yml
diff --git a/aws_dynamodb_policies/aws_dynamodb_autoscaling.py b/policies/aws_dynamodb_policies/aws_dynamodb_autoscaling.py
similarity index 100%
rename from aws_dynamodb_policies/aws_dynamodb_autoscaling.py
rename to policies/aws_dynamodb_policies/aws_dynamodb_autoscaling.py
diff --git a/aws_dynamodb_policies/aws_dynamodb_autoscaling.yml b/policies/aws_dynamodb_policies/aws_dynamodb_autoscaling.yml
similarity index 100%
rename from aws_dynamodb_policies/aws_dynamodb_autoscaling.yml
rename to policies/aws_dynamodb_policies/aws_dynamodb_autoscaling.yml
diff --git a/aws_dynamodb_policies/aws_dynamodb_autoscaling_configuration.py b/policies/aws_dynamodb_policies/aws_dynamodb_autoscaling_configuration.py
similarity index 100%
rename from aws_dynamodb_policies/aws_dynamodb_autoscaling_configuration.py
rename to policies/aws_dynamodb_policies/aws_dynamodb_autoscaling_configuration.py
diff --git a/aws_dynamodb_policies/aws_dynamodb_autoscaling_configuration.yml b/policies/aws_dynamodb_policies/aws_dynamodb_autoscaling_configuration.yml
similarity index 100%
rename from aws_dynamodb_policies/aws_dynamodb_autoscaling_configuration.yml
rename to policies/aws_dynamodb_policies/aws_dynamodb_autoscaling_configuration.yml
diff --git a/aws_dynamodb_policies/aws_dynamodb_table_encryption.py b/policies/aws_dynamodb_policies/aws_dynamodb_table_encryption.py
similarity index 100%
rename from aws_dynamodb_policies/aws_dynamodb_table_encryption.py
rename to policies/aws_dynamodb_policies/aws_dynamodb_table_encryption.py
diff --git a/aws_dynamodb_policies/aws_dynamodb_table_encryption.yml b/policies/aws_dynamodb_policies/aws_dynamodb_table_encryption.yml
similarity index 100%
rename from aws_dynamodb_policies/aws_dynamodb_table_encryption.yml
rename to policies/aws_dynamodb_policies/aws_dynamodb_table_encryption.yml
diff --git a/aws_dynamodb_policies/aws_dynamodb_table_ttl_enabled.py b/policies/aws_dynamodb_policies/aws_dynamodb_table_ttl_enabled.py
similarity index 100%
rename from aws_dynamodb_policies/aws_dynamodb_table_ttl_enabled.py
rename to policies/aws_dynamodb_policies/aws_dynamodb_table_ttl_enabled.py
diff --git a/aws_dynamodb_policies/aws_dynamodb_table_ttl_enabled.yml b/policies/aws_dynamodb_policies/aws_dynamodb_table_ttl_enabled.yml
similarity index 100%
rename from aws_dynamodb_policies/aws_dynamodb_table_ttl_enabled.yml
rename to policies/aws_dynamodb_policies/aws_dynamodb_table_ttl_enabled.yml
diff --git a/aws_ec2_policies/aws_ami_private.py b/policies/aws_ec2_policies/aws_ami_private.py
similarity index 100%
rename from aws_ec2_policies/aws_ami_private.py
rename to policies/aws_ec2_policies/aws_ami_private.py
diff --git a/aws_ec2_policies/aws_ami_private.yml b/policies/aws_ec2_policies/aws_ami_private.yml
similarity index 100%
rename from aws_ec2_policies/aws_ami_private.yml
rename to policies/aws_ec2_policies/aws_ami_private.yml
diff --git a/aws_ec2_policies/aws_ec2_ami_approved_host.py b/policies/aws_ec2_policies/aws_ec2_ami_approved_host.py
similarity index 100%
rename from aws_ec2_policies/aws_ec2_ami_approved_host.py
rename to policies/aws_ec2_policies/aws_ec2_ami_approved_host.py
diff --git a/aws_ec2_policies/aws_ec2_ami_approved_host.yml b/policies/aws_ec2_policies/aws_ec2_ami_approved_host.yml
similarity index 100%
rename from aws_ec2_policies/aws_ec2_ami_approved_host.yml
rename to policies/aws_ec2_policies/aws_ec2_ami_approved_host.yml
diff --git a/aws_ec2_policies/aws_ec2_ami_approved_instance_type.py b/policies/aws_ec2_policies/aws_ec2_ami_approved_instance_type.py
similarity index 100%
rename from aws_ec2_policies/aws_ec2_ami_approved_instance_type.py
rename to policies/aws_ec2_policies/aws_ec2_ami_approved_instance_type.py
diff --git a/aws_ec2_policies/aws_ec2_ami_approved_instance_type.yml b/policies/aws_ec2_policies/aws_ec2_ami_approved_instance_type.yml
similarity index 100%
rename from aws_ec2_policies/aws_ec2_ami_approved_instance_type.yml
rename to policies/aws_ec2_policies/aws_ec2_ami_approved_instance_type.yml
diff --git a/aws_ec2_policies/aws_ec2_ami_approved_tenancy.py b/policies/aws_ec2_policies/aws_ec2_ami_approved_tenancy.py
similarity index 100%
rename from aws_ec2_policies/aws_ec2_ami_approved_tenancy.py
rename to policies/aws_ec2_policies/aws_ec2_ami_approved_tenancy.py
diff --git a/aws_ec2_policies/aws_ec2_ami_approved_tenancy.yml b/policies/aws_ec2_policies/aws_ec2_ami_approved_tenancy.yml
similarity index 100%
rename from aws_ec2_policies/aws_ec2_ami_approved_tenancy.yml
rename to policies/aws_ec2_policies/aws_ec2_ami_approved_tenancy.yml
diff --git a/aws_ec2_policies/aws_ec2_cde_volume_encrypted.py b/policies/aws_ec2_policies/aws_ec2_cde_volume_encrypted.py
similarity index 100%
rename from aws_ec2_policies/aws_ec2_cde_volume_encrypted.py
rename to policies/aws_ec2_policies/aws_ec2_cde_volume_encrypted.py
diff --git a/aws_ec2_policies/aws_ec2_cde_volume_encrypted.yml b/policies/aws_ec2_policies/aws_ec2_cde_volume_encrypted.yml
similarity index 100%
rename from aws_ec2_policies/aws_ec2_cde_volume_encrypted.yml
rename to policies/aws_ec2_policies/aws_ec2_cde_volume_encrypted.yml
diff --git a/aws_ec2_policies/aws_ec2_instance_approved_ami.py b/policies/aws_ec2_policies/aws_ec2_instance_approved_ami.py
similarity index 100%
rename from aws_ec2_policies/aws_ec2_instance_approved_ami.py
rename to policies/aws_ec2_policies/aws_ec2_instance_approved_ami.py
diff --git a/aws_ec2_policies/aws_ec2_instance_approved_ami.yml b/policies/aws_ec2_policies/aws_ec2_instance_approved_ami.yml
similarity index 100%
rename from aws_ec2_policies/aws_ec2_instance_approved_ami.yml
rename to policies/aws_ec2_policies/aws_ec2_instance_approved_ami.yml
diff --git a/aws_ec2_policies/aws_ec2_instance_approved_host.py b/policies/aws_ec2_policies/aws_ec2_instance_approved_host.py
similarity index 100%
rename from aws_ec2_policies/aws_ec2_instance_approved_host.py
rename to policies/aws_ec2_policies/aws_ec2_instance_approved_host.py
diff --git a/aws_ec2_policies/aws_ec2_instance_approved_host.yml b/policies/aws_ec2_policies/aws_ec2_instance_approved_host.yml
similarity index 100%
rename from aws_ec2_policies/aws_ec2_instance_approved_host.yml
rename to policies/aws_ec2_policies/aws_ec2_instance_approved_host.yml
diff --git a/aws_ec2_policies/aws_ec2_instance_approved_instance_type.py b/policies/aws_ec2_policies/aws_ec2_instance_approved_instance_type.py
similarity index 100%
rename from aws_ec2_policies/aws_ec2_instance_approved_instance_type.py
rename to policies/aws_ec2_policies/aws_ec2_instance_approved_instance_type.py
diff --git a/aws_ec2_policies/aws_ec2_instance_approved_instance_type.yml b/policies/aws_ec2_policies/aws_ec2_instance_approved_instance_type.yml
similarity index 100%
rename from aws_ec2_policies/aws_ec2_instance_approved_instance_type.yml
rename to policies/aws_ec2_policies/aws_ec2_instance_approved_instance_type.yml
diff --git a/aws_ec2_policies/aws_ec2_instance_approved_tenancy.py b/policies/aws_ec2_policies/aws_ec2_instance_approved_tenancy.py
similarity index 100%
rename from aws_ec2_policies/aws_ec2_instance_approved_tenancy.py
rename to policies/aws_ec2_policies/aws_ec2_instance_approved_tenancy.py
diff --git a/aws_ec2_policies/aws_ec2_instance_approved_tenancy.yml b/policies/aws_ec2_policies/aws_ec2_instance_approved_tenancy.yml
similarity index 100%
rename from aws_ec2_policies/aws_ec2_instance_approved_tenancy.yml
rename to policies/aws_ec2_policies/aws_ec2_instance_approved_tenancy.yml
diff --git a/aws_ec2_policies/aws_ec2_instance_approved_vpc.py b/policies/aws_ec2_policies/aws_ec2_instance_approved_vpc.py
similarity index 100%
rename from aws_ec2_policies/aws_ec2_instance_approved_vpc.py
rename to policies/aws_ec2_policies/aws_ec2_instance_approved_vpc.py
diff --git a/aws_ec2_policies/aws_ec2_instance_approved_vpc.yml b/policies/aws_ec2_policies/aws_ec2_instance_approved_vpc.yml
similarity index 100%
rename from aws_ec2_policies/aws_ec2_instance_approved_vpc.yml
rename to policies/aws_ec2_policies/aws_ec2_instance_approved_vpc.yml
diff --git a/aws_ec2_policies/aws_ec2_instance_detailed_monitoring.py b/policies/aws_ec2_policies/aws_ec2_instance_detailed_monitoring.py
similarity index 100%
rename from aws_ec2_policies/aws_ec2_instance_detailed_monitoring.py
rename to policies/aws_ec2_policies/aws_ec2_instance_detailed_monitoring.py
diff --git a/aws_ec2_policies/aws_ec2_instance_detailed_monitoring.yml b/policies/aws_ec2_policies/aws_ec2_instance_detailed_monitoring.yml
similarity index 100%
rename from aws_ec2_policies/aws_ec2_instance_detailed_monitoring.yml
rename to policies/aws_ec2_policies/aws_ec2_instance_detailed_monitoring.yml
diff --git a/aws_ec2_policies/aws_ec2_instance_ebs_optimization.py b/policies/aws_ec2_policies/aws_ec2_instance_ebs_optimization.py
similarity index 100%
rename from aws_ec2_policies/aws_ec2_instance_ebs_optimization.py
rename to policies/aws_ec2_policies/aws_ec2_instance_ebs_optimization.py
diff --git a/aws_ec2_policies/aws_ec2_instance_ebs_optimization.yml b/policies/aws_ec2_policies/aws_ec2_instance_ebs_optimization.yml
similarity index 100%
rename from aws_ec2_policies/aws_ec2_instance_ebs_optimization.yml
rename to policies/aws_ec2_policies/aws_ec2_instance_ebs_optimization.yml
diff --git a/aws_ec2_policies/aws_ec2_volume_encryption.py b/policies/aws_ec2_policies/aws_ec2_volume_encryption.py
similarity index 100%
rename from aws_ec2_policies/aws_ec2_volume_encryption.py
rename to policies/aws_ec2_policies/aws_ec2_volume_encryption.py
diff --git a/aws_ec2_policies/aws_ec2_volume_encryption.yml b/policies/aws_ec2_policies/aws_ec2_volume_encryption.yml
similarity index 100%
rename from aws_ec2_policies/aws_ec2_volume_encryption.yml
rename to policies/aws_ec2_policies/aws_ec2_volume_encryption.yml
diff --git a/aws_ec2_policies/aws_ec2_volume_snapshot_encrypted.py b/policies/aws_ec2_policies/aws_ec2_volume_snapshot_encrypted.py
similarity index 100%
rename from aws_ec2_policies/aws_ec2_volume_snapshot_encrypted.py
rename to policies/aws_ec2_policies/aws_ec2_volume_snapshot_encrypted.py
diff --git a/aws_ec2_policies/aws_ec2_volume_snapshot_encrypted.yml b/policies/aws_ec2_policies/aws_ec2_volume_snapshot_encrypted.yml
similarity index 100%
rename from aws_ec2_policies/aws_ec2_volume_snapshot_encrypted.yml
rename to policies/aws_ec2_policies/aws_ec2_volume_snapshot_encrypted.yml
diff --git a/aws_elb_policies/aws_application_load_balancer_web_acl.py b/policies/aws_elb_policies/aws_application_load_balancer_web_acl.py
similarity index 100%
rename from aws_elb_policies/aws_application_load_balancer_web_acl.py
rename to policies/aws_elb_policies/aws_application_load_balancer_web_acl.py
diff --git a/aws_elb_policies/aws_application_load_balancer_web_acl.yml b/policies/aws_elb_policies/aws_application_load_balancer_web_acl.yml
similarity index 100%
rename from aws_elb_policies/aws_application_load_balancer_web_acl.yml
rename to policies/aws_elb_policies/aws_application_load_balancer_web_acl.yml
diff --git a/aws_guardduty_policies/aws_guardduty_enabled.py b/policies/aws_guardduty_policies/aws_guardduty_enabled.py
similarity index 100%
rename from aws_guardduty_policies/aws_guardduty_enabled.py
rename to policies/aws_guardduty_policies/aws_guardduty_enabled.py
diff --git a/aws_guardduty_policies/aws_guardduty_enabled.yml b/policies/aws_guardduty_policies/aws_guardduty_enabled.yml
similarity index 100%
rename from aws_guardduty_policies/aws_guardduty_enabled.yml
rename to policies/aws_guardduty_policies/aws_guardduty_enabled.yml
diff --git a/aws_guardduty_policies/aws_guardduty_master_account.py b/policies/aws_guardduty_policies/aws_guardduty_master_account.py
similarity index 100%
rename from aws_guardduty_policies/aws_guardduty_master_account.py
rename to policies/aws_guardduty_policies/aws_guardduty_master_account.py
diff --git a/aws_guardduty_policies/aws_guardduty_master_account.yml b/policies/aws_guardduty_policies/aws_guardduty_master_account.yml
similarity index 100%
rename from aws_guardduty_policies/aws_guardduty_master_account.yml
rename to policies/aws_guardduty_policies/aws_guardduty_master_account.yml
diff --git a/aws_iam_policies/aws_access_key_rotation.py b/policies/aws_iam_policies/aws_access_key_rotation.py
similarity index 100%
rename from aws_iam_policies/aws_access_key_rotation.py
rename to policies/aws_iam_policies/aws_access_key_rotation.py
diff --git a/aws_iam_policies/aws_access_key_rotation.yml b/policies/aws_iam_policies/aws_access_key_rotation.yml
similarity index 100%
rename from aws_iam_policies/aws_access_key_rotation.yml
rename to policies/aws_iam_policies/aws_access_key_rotation.yml
diff --git a/aws_iam_policies/aws_access_key_unused.py b/policies/aws_iam_policies/aws_access_key_unused.py
similarity index 100%
rename from aws_iam_policies/aws_access_key_unused.py
rename to policies/aws_iam_policies/aws_access_key_unused.py
diff --git a/aws_iam_policies/aws_access_key_unused.yml b/policies/aws_iam_policies/aws_access_key_unused.yml
similarity index 100%
rename from aws_iam_policies/aws_access_key_unused.yml
rename to policies/aws_iam_policies/aws_access_key_unused.yml
diff --git a/aws_iam_policies/aws_access_keys_at_account_creation.py b/policies/aws_iam_policies/aws_access_keys_at_account_creation.py
similarity index 100%
rename from aws_iam_policies/aws_access_keys_at_account_creation.py
rename to policies/aws_iam_policies/aws_access_keys_at_account_creation.py
diff --git a/aws_iam_policies/aws_access_keys_at_account_creation.yml b/policies/aws_iam_policies/aws_access_keys_at_account_creation.yml
similarity index 100%
rename from aws_iam_policies/aws_access_keys_at_account_creation.yml
rename to policies/aws_iam_policies/aws_access_keys_at_account_creation.yml
diff --git a/aws_iam_policies/aws_cloudtrail_least_privilege.py b/policies/aws_iam_policies/aws_cloudtrail_least_privilege.py
similarity index 100%
rename from aws_iam_policies/aws_cloudtrail_least_privilege.py
rename to policies/aws_iam_policies/aws_cloudtrail_least_privilege.py
diff --git a/aws_iam_policies/aws_cloudtrail_least_privilege.yml b/policies/aws_iam_policies/aws_cloudtrail_least_privilege.yml
similarity index 100%
rename from aws_iam_policies/aws_cloudtrail_least_privilege.yml
rename to policies/aws_iam_policies/aws_cloudtrail_least_privilege.yml
diff --git a/aws_iam_policies/aws_iam_group_users.py b/policies/aws_iam_policies/aws_iam_group_users.py
similarity index 100%
rename from aws_iam_policies/aws_iam_group_users.py
rename to policies/aws_iam_policies/aws_iam_group_users.py
diff --git a/aws_iam_policies/aws_iam_group_users.yml b/policies/aws_iam_policies/aws_iam_group_users.yml
similarity index 100%
rename from aws_iam_policies/aws_iam_group_users.yml
rename to policies/aws_iam_policies/aws_iam_group_users.yml
diff --git a/aws_iam_policies/aws_iam_inline_policy_does_not_grant_network_admin_access.py b/policies/aws_iam_policies/aws_iam_inline_policy_does_not_grant_network_admin_access.py
similarity index 100%
rename from aws_iam_policies/aws_iam_inline_policy_does_not_grant_network_admin_access.py
rename to policies/aws_iam_policies/aws_iam_inline_policy_does_not_grant_network_admin_access.py
diff --git a/aws_iam_policies/aws_iam_inline_policy_does_not_grant_network_admin_access.yml b/policies/aws_iam_policies/aws_iam_inline_policy_does_not_grant_network_admin_access.yml
similarity index 100%
rename from aws_iam_policies/aws_iam_inline_policy_does_not_grant_network_admin_access.yml
rename to policies/aws_iam_policies/aws_iam_inline_policy_does_not_grant_network_admin_access.yml
diff --git a/aws_iam_policies/aws_iam_policy_administrative_privileges.py b/policies/aws_iam_policies/aws_iam_policy_administrative_privileges.py
similarity index 100%
rename from aws_iam_policies/aws_iam_policy_administrative_privileges.py
rename to policies/aws_iam_policies/aws_iam_policy_administrative_privileges.py
diff --git a/aws_iam_policies/aws_iam_policy_administrative_privileges.yml b/policies/aws_iam_policies/aws_iam_policy_administrative_privileges.yml
similarity index 100%
rename from aws_iam_policies/aws_iam_policy_administrative_privileges.yml
rename to policies/aws_iam_policies/aws_iam_policy_administrative_privileges.yml
diff --git a/aws_iam_policies/aws_iam_policy_assigned_to_user.py b/policies/aws_iam_policies/aws_iam_policy_assigned_to_user.py
similarity index 100%
rename from aws_iam_policies/aws_iam_policy_assigned_to_user.py
rename to policies/aws_iam_policies/aws_iam_policy_assigned_to_user.py
diff --git a/aws_iam_policies/aws_iam_policy_assigned_to_user.yml b/policies/aws_iam_policies/aws_iam_policy_assigned_to_user.yml
similarity index 100%
rename from aws_iam_policies/aws_iam_policy_assigned_to_user.yml
rename to policies/aws_iam_policies/aws_iam_policy_assigned_to_user.yml
diff --git a/aws_iam_policies/aws_iam_policy_blocklist.py b/policies/aws_iam_policies/aws_iam_policy_blocklist.py
similarity index 100%
rename from aws_iam_policies/aws_iam_policy_blocklist.py
rename to policies/aws_iam_policies/aws_iam_policy_blocklist.py
diff --git a/aws_iam_policies/aws_iam_policy_blocklist.yml b/policies/aws_iam_policies/aws_iam_policy_blocklist.yml
similarity index 100%
rename from aws_iam_policies/aws_iam_policy_blocklist.yml
rename to policies/aws_iam_policies/aws_iam_policy_blocklist.yml
diff --git a/aws_iam_policies/aws_iam_policy_does_not_grant_admin_access.py b/policies/aws_iam_policies/aws_iam_policy_does_not_grant_admin_access.py
similarity index 100%
rename from aws_iam_policies/aws_iam_policy_does_not_grant_admin_access.py
rename to policies/aws_iam_policies/aws_iam_policy_does_not_grant_admin_access.py
diff --git a/aws_iam_policies/aws_iam_policy_does_not_grant_admin_access.yml b/policies/aws_iam_policies/aws_iam_policy_does_not_grant_admin_access.yml
similarity index 100%
rename from aws_iam_policies/aws_iam_policy_does_not_grant_admin_access.yml
rename to policies/aws_iam_policies/aws_iam_policy_does_not_grant_admin_access.yml
diff --git a/aws_iam_policies/aws_iam_policy_does_not_grant_network_admin_access.py b/policies/aws_iam_policies/aws_iam_policy_does_not_grant_network_admin_access.py
similarity index 100%
rename from aws_iam_policies/aws_iam_policy_does_not_grant_network_admin_access.py
rename to policies/aws_iam_policies/aws_iam_policy_does_not_grant_network_admin_access.py
diff --git a/aws_iam_policies/aws_iam_policy_does_not_grant_network_admin_access.yml b/policies/aws_iam_policies/aws_iam_policy_does_not_grant_network_admin_access.yml
similarity index 100%
rename from aws_iam_policies/aws_iam_policy_does_not_grant_network_admin_access.yml
rename to policies/aws_iam_policies/aws_iam_policy_does_not_grant_network_admin_access.yml
diff --git a/aws_iam_policies/aws_iam_policy_role_mapping.py b/policies/aws_iam_policies/aws_iam_policy_role_mapping.py
similarity index 100%
rename from aws_iam_policies/aws_iam_policy_role_mapping.py
rename to policies/aws_iam_policies/aws_iam_policy_role_mapping.py
diff --git a/aws_iam_policies/aws_iam_policy_role_mapping.yml b/policies/aws_iam_policies/aws_iam_policy_role_mapping.yml
similarity index 100%
rename from aws_iam_policies/aws_iam_policy_role_mapping.yml
rename to policies/aws_iam_policies/aws_iam_policy_role_mapping.yml
diff --git a/aws_iam_policies/aws_iam_resource_does_not_have_inline_policy.py b/policies/aws_iam_policies/aws_iam_resource_does_not_have_inline_policy.py
similarity index 100%
rename from aws_iam_policies/aws_iam_resource_does_not_have_inline_policy.py
rename to policies/aws_iam_policies/aws_iam_resource_does_not_have_inline_policy.py
diff --git a/aws_iam_policies/aws_iam_resource_does_not_have_inline_policy.yml b/policies/aws_iam_policies/aws_iam_resource_does_not_have_inline_policy.yml
similarity index 100%
rename from aws_iam_policies/aws_iam_resource_does_not_have_inline_policy.yml
rename to policies/aws_iam_policies/aws_iam_resource_does_not_have_inline_policy.yml
diff --git a/aws_iam_policies/aws_iam_role_external_permission.py b/policies/aws_iam_policies/aws_iam_role_external_permission.py
similarity index 100%
rename from aws_iam_policies/aws_iam_role_external_permission.py
rename to policies/aws_iam_policies/aws_iam_role_external_permission.py
diff --git a/aws_iam_policies/aws_iam_role_external_permission.yml b/policies/aws_iam_policies/aws_iam_role_external_permission.yml
similarity index 100%
rename from aws_iam_policies/aws_iam_role_external_permission.yml
rename to policies/aws_iam_policies/aws_iam_role_external_permission.yml
diff --git a/aws_iam_policies/aws_iam_role_restricts_usage.py b/policies/aws_iam_policies/aws_iam_role_restricts_usage.py
similarity index 100%
rename from aws_iam_policies/aws_iam_role_restricts_usage.py
rename to policies/aws_iam_policies/aws_iam_role_restricts_usage.py
diff --git a/aws_iam_policies/aws_iam_role_restricts_usage.yml b/policies/aws_iam_policies/aws_iam_role_restricts_usage.yml
similarity index 100%
rename from aws_iam_policies/aws_iam_role_restricts_usage.yml
rename to policies/aws_iam_policies/aws_iam_role_restricts_usage.yml
diff --git a/aws_iam_policies/aws_iam_user_mfa.py b/policies/aws_iam_policies/aws_iam_user_mfa.py
similarity index 100%
rename from aws_iam_policies/aws_iam_user_mfa.py
rename to policies/aws_iam_policies/aws_iam_user_mfa.py
diff --git a/aws_iam_policies/aws_iam_user_mfa.yml b/policies/aws_iam_policies/aws_iam_user_mfa.yml
similarity index 100%
rename from aws_iam_policies/aws_iam_user_mfa.yml
rename to policies/aws_iam_policies/aws_iam_user_mfa.yml
diff --git a/aws_iam_policies/aws_iam_user_not_in_conflicting_groups.py b/policies/aws_iam_policies/aws_iam_user_not_in_conflicting_groups.py
similarity index 100%
rename from aws_iam_policies/aws_iam_user_not_in_conflicting_groups.py
rename to policies/aws_iam_policies/aws_iam_user_not_in_conflicting_groups.py
diff --git a/aws_iam_policies/aws_iam_user_not_in_conflicting_groups.yml b/policies/aws_iam_policies/aws_iam_user_not_in_conflicting_groups.yml
similarity index 100%
rename from aws_iam_policies/aws_iam_user_not_in_conflicting_groups.yml
rename to policies/aws_iam_policies/aws_iam_user_not_in_conflicting_groups.yml
diff --git a/aws_iam_policies/aws_password_unused.py b/policies/aws_iam_policies/aws_password_unused.py
similarity index 100%
rename from aws_iam_policies/aws_password_unused.py
rename to policies/aws_iam_policies/aws_password_unused.py
diff --git a/aws_iam_policies/aws_password_unused.yml b/policies/aws_iam_policies/aws_password_unused.yml
similarity index 100%
rename from aws_iam_policies/aws_password_unused.yml
rename to policies/aws_iam_policies/aws_password_unused.yml
diff --git a/aws_iam_policies/aws_root_account_access_keys.py b/policies/aws_iam_policies/aws_root_account_access_keys.py
similarity index 100%
rename from aws_iam_policies/aws_root_account_access_keys.py
rename to policies/aws_iam_policies/aws_root_account_access_keys.py
diff --git a/aws_iam_policies/aws_root_account_access_keys.yml b/policies/aws_iam_policies/aws_root_account_access_keys.yml
similarity index 100%
rename from aws_iam_policies/aws_root_account_access_keys.yml
rename to policies/aws_iam_policies/aws_root_account_access_keys.yml
diff --git a/aws_iam_policies/aws_root_account_hardware_mfa.py b/policies/aws_iam_policies/aws_root_account_hardware_mfa.py
similarity index 100%
rename from aws_iam_policies/aws_root_account_hardware_mfa.py
rename to policies/aws_iam_policies/aws_root_account_hardware_mfa.py
diff --git a/aws_iam_policies/aws_root_account_hardware_mfa.yml b/policies/aws_iam_policies/aws_root_account_hardware_mfa.yml
similarity index 100%
rename from aws_iam_policies/aws_root_account_hardware_mfa.yml
rename to policies/aws_iam_policies/aws_root_account_hardware_mfa.yml
diff --git a/aws_iam_policies/aws_root_account_mfa.py b/policies/aws_iam_policies/aws_root_account_mfa.py
similarity index 100%
rename from aws_iam_policies/aws_root_account_mfa.py
rename to policies/aws_iam_policies/aws_root_account_mfa.py
diff --git a/aws_iam_policies/aws_root_account_mfa.yml b/policies/aws_iam_policies/aws_root_account_mfa.yml
similarity index 100%
rename from aws_iam_policies/aws_root_account_mfa.yml
rename to policies/aws_iam_policies/aws_root_account_mfa.yml
diff --git a/aws_kms_policies/aws_cmk_key_rotation.py b/policies/aws_kms_policies/aws_cmk_key_rotation.py
similarity index 100%
rename from aws_kms_policies/aws_cmk_key_rotation.py
rename to policies/aws_kms_policies/aws_cmk_key_rotation.py
diff --git a/aws_kms_policies/aws_cmk_key_rotation.yml b/policies/aws_kms_policies/aws_cmk_key_rotation.yml
similarity index 100%
rename from aws_kms_policies/aws_cmk_key_rotation.yml
rename to policies/aws_kms_policies/aws_cmk_key_rotation.yml
diff --git a/aws_kms_policies/aws_kms_key_policy_restricts_usage.py b/policies/aws_kms_policies/aws_kms_key_policy_restricts_usage.py
similarity index 100%
rename from aws_kms_policies/aws_kms_key_policy_restricts_usage.py
rename to policies/aws_kms_policies/aws_kms_key_policy_restricts_usage.py
diff --git a/aws_kms_policies/aws_kms_key_policy_restricts_usage.yml b/policies/aws_kms_policies/aws_kms_key_policy_restricts_usage.yml
similarity index 100%
rename from aws_kms_policies/aws_kms_key_policy_restricts_usage.yml
rename to policies/aws_kms_policies/aws_kms_key_policy_restricts_usage.yml
diff --git a/aws_load_balancer_policies/aws_alb_ssl_policy.py b/policies/aws_load_balancer_policies/aws_alb_ssl_policy.py
similarity index 100%
rename from aws_load_balancer_policies/aws_alb_ssl_policy.py
rename to policies/aws_load_balancer_policies/aws_alb_ssl_policy.py
diff --git a/aws_load_balancer_policies/aws_alb_ssl_policy.yml b/policies/aws_load_balancer_policies/aws_alb_ssl_policy.yml
similarity index 100%
rename from aws_load_balancer_policies/aws_alb_ssl_policy.yml
rename to policies/aws_load_balancer_policies/aws_alb_ssl_policy.yml
diff --git a/aws_load_balancer_policies/aws_elbv2_load_balancer_has_ssl_policy.py b/policies/aws_load_balancer_policies/aws_elbv2_load_balancer_has_ssl_policy.py
similarity index 100%
rename from aws_load_balancer_policies/aws_elbv2_load_balancer_has_ssl_policy.py
rename to policies/aws_load_balancer_policies/aws_elbv2_load_balancer_has_ssl_policy.py
diff --git a/aws_load_balancer_policies/aws_elbv2_load_balancer_has_ssl_policy.yml b/policies/aws_load_balancer_policies/aws_elbv2_load_balancer_has_ssl_policy.yml
similarity index 100%
rename from aws_load_balancer_policies/aws_elbv2_load_balancer_has_ssl_policy.yml
rename to policies/aws_load_balancer_policies/aws_elbv2_load_balancer_has_ssl_policy.yml
diff --git a/aws_rds_policies/aws_rds_instance_auto_minor_version_upgrade_enabled.py b/policies/aws_rds_policies/aws_rds_instance_auto_minor_version_upgrade_enabled.py
similarity index 100%
rename from aws_rds_policies/aws_rds_instance_auto_minor_version_upgrade_enabled.py
rename to policies/aws_rds_policies/aws_rds_instance_auto_minor_version_upgrade_enabled.py
diff --git a/aws_rds_policies/aws_rds_instance_auto_minor_version_upgrade_enabled.yml b/policies/aws_rds_policies/aws_rds_instance_auto_minor_version_upgrade_enabled.yml
similarity index 100%
rename from aws_rds_policies/aws_rds_instance_auto_minor_version_upgrade_enabled.yml
rename to policies/aws_rds_policies/aws_rds_instance_auto_minor_version_upgrade_enabled.yml
diff --git a/aws_rds_policies/aws_rds_instance_backup.py b/policies/aws_rds_policies/aws_rds_instance_backup.py
similarity index 100%
rename from aws_rds_policies/aws_rds_instance_backup.py
rename to policies/aws_rds_policies/aws_rds_instance_backup.py
diff --git a/aws_rds_policies/aws_rds_instance_backup.yml b/policies/aws_rds_policies/aws_rds_instance_backup.yml
similarity index 100%
rename from aws_rds_policies/aws_rds_instance_backup.yml
rename to policies/aws_rds_policies/aws_rds_instance_backup.yml
diff --git a/aws_rds_policies/aws_rds_instance_backup_retention_acceptable.py b/policies/aws_rds_policies/aws_rds_instance_backup_retention_acceptable.py
similarity index 100%
rename from aws_rds_policies/aws_rds_instance_backup_retention_acceptable.py
rename to policies/aws_rds_policies/aws_rds_instance_backup_retention_acceptable.py
diff --git a/aws_rds_policies/aws_rds_instance_backup_retention_acceptable.yml b/policies/aws_rds_policies/aws_rds_instance_backup_retention_acceptable.yml
similarity index 100%
rename from aws_rds_policies/aws_rds_instance_backup_retention_acceptable.yml
rename to policies/aws_rds_policies/aws_rds_instance_backup_retention_acceptable.yml
diff --git a/aws_rds_policies/aws_rds_instance_encryption.py b/policies/aws_rds_policies/aws_rds_instance_encryption.py
similarity index 100%
rename from aws_rds_policies/aws_rds_instance_encryption.py
rename to policies/aws_rds_policies/aws_rds_instance_encryption.py
diff --git a/aws_rds_policies/aws_rds_instance_encryption.yml b/policies/aws_rds_policies/aws_rds_instance_encryption.yml
similarity index 100%
rename from aws_rds_policies/aws_rds_instance_encryption.yml
rename to policies/aws_rds_policies/aws_rds_instance_encryption.yml
diff --git a/aws_rds_policies/aws_rds_instance_high_availability.py b/policies/aws_rds_policies/aws_rds_instance_high_availability.py
similarity index 100%
rename from aws_rds_policies/aws_rds_instance_high_availability.py
rename to policies/aws_rds_policies/aws_rds_instance_high_availability.py
diff --git a/aws_rds_policies/aws_rds_instance_high_availability.yml b/policies/aws_rds_policies/aws_rds_instance_high_availability.yml
similarity index 100%
rename from aws_rds_policies/aws_rds_instance_high_availability.yml
rename to policies/aws_rds_policies/aws_rds_instance_high_availability.yml
diff --git a/aws_rds_policies/aws_rds_instance_public_access.py b/policies/aws_rds_policies/aws_rds_instance_public_access.py
similarity index 100%
rename from aws_rds_policies/aws_rds_instance_public_access.py
rename to policies/aws_rds_policies/aws_rds_instance_public_access.py
diff --git a/aws_rds_policies/aws_rds_instance_public_access.yml b/policies/aws_rds_policies/aws_rds_instance_public_access.yml
similarity index 100%
rename from aws_rds_policies/aws_rds_instance_public_access.yml
rename to policies/aws_rds_policies/aws_rds_instance_public_access.yml
diff --git a/aws_rds_policies/aws_rds_instance_snapshot_public_access.py b/policies/aws_rds_policies/aws_rds_instance_snapshot_public_access.py
similarity index 100%
rename from aws_rds_policies/aws_rds_instance_snapshot_public_access.py
rename to policies/aws_rds_policies/aws_rds_instance_snapshot_public_access.py
diff --git a/aws_rds_policies/aws_rds_instance_snapshot_public_access.yml b/policies/aws_rds_policies/aws_rds_instance_snapshot_public_access.yml
similarity index 100%
rename from aws_rds_policies/aws_rds_instance_snapshot_public_access.yml
rename to policies/aws_rds_policies/aws_rds_instance_snapshot_public_access.yml
diff --git a/aws_redshift_policies/aws_redshift_cluster_encryption.py b/policies/aws_redshift_policies/aws_redshift_cluster_encryption.py
similarity index 100%
rename from aws_redshift_policies/aws_redshift_cluster_encryption.py
rename to policies/aws_redshift_policies/aws_redshift_cluster_encryption.py
diff --git a/aws_redshift_policies/aws_redshift_cluster_encryption.yml b/policies/aws_redshift_policies/aws_redshift_cluster_encryption.yml
similarity index 100%
rename from aws_redshift_policies/aws_redshift_cluster_encryption.yml
rename to policies/aws_redshift_policies/aws_redshift_cluster_encryption.yml
diff --git a/aws_redshift_policies/aws_redshift_cluster_logging.py b/policies/aws_redshift_policies/aws_redshift_cluster_logging.py
similarity index 100%
rename from aws_redshift_policies/aws_redshift_cluster_logging.py
rename to policies/aws_redshift_policies/aws_redshift_cluster_logging.py
diff --git a/aws_redshift_policies/aws_redshift_cluster_logging.yml b/policies/aws_redshift_policies/aws_redshift_cluster_logging.yml
similarity index 100%
rename from aws_redshift_policies/aws_redshift_cluster_logging.yml
rename to policies/aws_redshift_policies/aws_redshift_cluster_logging.yml
diff --git a/aws_redshift_policies/aws_redshift_cluster_maintenance_window.py b/policies/aws_redshift_policies/aws_redshift_cluster_maintenance_window.py
similarity index 100%
rename from aws_redshift_policies/aws_redshift_cluster_maintenance_window.py
rename to policies/aws_redshift_policies/aws_redshift_cluster_maintenance_window.py
diff --git a/aws_redshift_policies/aws_redshift_cluster_maintenance_window.yml b/policies/aws_redshift_policies/aws_redshift_cluster_maintenance_window.yml
similarity index 100%
rename from aws_redshift_policies/aws_redshift_cluster_maintenance_window.yml
rename to policies/aws_redshift_policies/aws_redshift_cluster_maintenance_window.yml
diff --git a/aws_redshift_policies/aws_redshift_cluster_snapshot_retention.py b/policies/aws_redshift_policies/aws_redshift_cluster_snapshot_retention.py
similarity index 100%
rename from aws_redshift_policies/aws_redshift_cluster_snapshot_retention.py
rename to policies/aws_redshift_policies/aws_redshift_cluster_snapshot_retention.py
diff --git a/aws_redshift_policies/aws_redshift_cluster_snapshot_retention.yml b/policies/aws_redshift_policies/aws_redshift_cluster_snapshot_retention.yml
similarity index 100%
rename from aws_redshift_policies/aws_redshift_cluster_snapshot_retention.yml
rename to policies/aws_redshift_policies/aws_redshift_cluster_snapshot_retention.yml
diff --git a/aws_redshift_policies/aws_redshift_cluster_snapshot_retention_acceptable.py b/policies/aws_redshift_policies/aws_redshift_cluster_snapshot_retention_acceptable.py
similarity index 100%
rename from aws_redshift_policies/aws_redshift_cluster_snapshot_retention_acceptable.py
rename to policies/aws_redshift_policies/aws_redshift_cluster_snapshot_retention_acceptable.py
diff --git a/aws_redshift_policies/aws_redshift_cluster_snapshot_retention_acceptable.yml b/policies/aws_redshift_policies/aws_redshift_cluster_snapshot_retention_acceptable.yml
similarity index 100%
rename from aws_redshift_policies/aws_redshift_cluster_snapshot_retention_acceptable.yml
rename to policies/aws_redshift_policies/aws_redshift_cluster_snapshot_retention_acceptable.yml
diff --git a/aws_redshift_policies/aws_redshift_cluster_version_upgrade.py b/policies/aws_redshift_policies/aws_redshift_cluster_version_upgrade.py
similarity index 100%
rename from aws_redshift_policies/aws_redshift_cluster_version_upgrade.py
rename to policies/aws_redshift_policies/aws_redshift_cluster_version_upgrade.py
diff --git a/aws_redshift_policies/aws_redshift_cluster_version_upgrade.yml b/policies/aws_redshift_policies/aws_redshift_cluster_version_upgrade.yml
similarity index 100%
rename from aws_redshift_policies/aws_redshift_cluster_version_upgrade.yml
rename to policies/aws_redshift_policies/aws_redshift_cluster_version_upgrade.yml
diff --git a/aws_s3_policies/aws_s3_bucket_action_restrictions.py b/policies/aws_s3_policies/aws_s3_bucket_action_restrictions.py
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_action_restrictions.py
rename to policies/aws_s3_policies/aws_s3_bucket_action_restrictions.py
diff --git a/aws_s3_policies/aws_s3_bucket_action_restrictions.yml b/policies/aws_s3_policies/aws_s3_bucket_action_restrictions.yml
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_action_restrictions.yml
rename to policies/aws_s3_policies/aws_s3_bucket_action_restrictions.yml
diff --git a/aws_s3_policies/aws_s3_bucket_encryption.py b/policies/aws_s3_policies/aws_s3_bucket_encryption.py
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_encryption.py
rename to policies/aws_s3_policies/aws_s3_bucket_encryption.py
diff --git a/aws_s3_policies/aws_s3_bucket_encryption.yml b/policies/aws_s3_policies/aws_s3_bucket_encryption.yml
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_encryption.yml
rename to policies/aws_s3_policies/aws_s3_bucket_encryption.yml
diff --git a/aws_s3_policies/aws_s3_bucket_lifecycle_configuration.py b/policies/aws_s3_policies/aws_s3_bucket_lifecycle_configuration.py
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_lifecycle_configuration.py
rename to policies/aws_s3_policies/aws_s3_bucket_lifecycle_configuration.py
diff --git a/aws_s3_policies/aws_s3_bucket_lifecycle_configuration.yml b/policies/aws_s3_policies/aws_s3_bucket_lifecycle_configuration.yml
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_lifecycle_configuration.yml
rename to policies/aws_s3_policies/aws_s3_bucket_lifecycle_configuration.yml
diff --git a/aws_s3_policies/aws_s3_bucket_logging.py b/policies/aws_s3_policies/aws_s3_bucket_logging.py
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_logging.py
rename to policies/aws_s3_policies/aws_s3_bucket_logging.py
diff --git a/aws_s3_policies/aws_s3_bucket_logging.yml b/policies/aws_s3_policies/aws_s3_bucket_logging.yml
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_logging.yml
rename to policies/aws_s3_policies/aws_s3_bucket_logging.yml
diff --git a/aws_s3_policies/aws_s3_bucket_mfa_delete.py b/policies/aws_s3_policies/aws_s3_bucket_mfa_delete.py
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_mfa_delete.py
rename to policies/aws_s3_policies/aws_s3_bucket_mfa_delete.py
diff --git a/aws_s3_policies/aws_s3_bucket_mfa_delete.yml b/policies/aws_s3_policies/aws_s3_bucket_mfa_delete.yml
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_mfa_delete.yml
rename to policies/aws_s3_policies/aws_s3_bucket_mfa_delete.yml
diff --git a/aws_s3_policies/aws_s3_bucket_name_dns_compliance.py b/policies/aws_s3_policies/aws_s3_bucket_name_dns_compliance.py
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_name_dns_compliance.py
rename to policies/aws_s3_policies/aws_s3_bucket_name_dns_compliance.py
diff --git a/aws_s3_policies/aws_s3_bucket_name_dns_compliance.yml b/policies/aws_s3_policies/aws_s3_bucket_name_dns_compliance.yml
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_name_dns_compliance.yml
rename to policies/aws_s3_policies/aws_s3_bucket_name_dns_compliance.yml
diff --git a/aws_s3_policies/aws_s3_bucket_object_lock_configured.py b/policies/aws_s3_policies/aws_s3_bucket_object_lock_configured.py
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_object_lock_configured.py
rename to policies/aws_s3_policies/aws_s3_bucket_object_lock_configured.py
diff --git a/aws_s3_policies/aws_s3_bucket_object_lock_configured.yml b/policies/aws_s3_policies/aws_s3_bucket_object_lock_configured.yml
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_object_lock_configured.yml
rename to policies/aws_s3_policies/aws_s3_bucket_object_lock_configured.yml
diff --git a/aws_s3_policies/aws_s3_bucket_policy_allow_with_not_principal.py b/policies/aws_s3_policies/aws_s3_bucket_policy_allow_with_not_principal.py
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_policy_allow_with_not_principal.py
rename to policies/aws_s3_policies/aws_s3_bucket_policy_allow_with_not_principal.py
diff --git a/aws_s3_policies/aws_s3_bucket_policy_allow_with_not_principal.yml b/policies/aws_s3_policies/aws_s3_bucket_policy_allow_with_not_principal.yml
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_policy_allow_with_not_principal.yml
rename to policies/aws_s3_policies/aws_s3_bucket_policy_allow_with_not_principal.yml
diff --git a/aws_s3_policies/aws_s3_bucket_principal_restrictions.py b/policies/aws_s3_policies/aws_s3_bucket_principal_restrictions.py
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_principal_restrictions.py
rename to policies/aws_s3_policies/aws_s3_bucket_principal_restrictions.py
diff --git a/aws_s3_policies/aws_s3_bucket_principal_restrictions.yml b/policies/aws_s3_policies/aws_s3_bucket_principal_restrictions.yml
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_principal_restrictions.yml
rename to policies/aws_s3_policies/aws_s3_bucket_principal_restrictions.yml
diff --git a/aws_s3_policies/aws_s3_bucket_public_access_block.py b/policies/aws_s3_policies/aws_s3_bucket_public_access_block.py
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_public_access_block.py
rename to policies/aws_s3_policies/aws_s3_bucket_public_access_block.py
diff --git a/aws_s3_policies/aws_s3_bucket_public_access_block.yml b/policies/aws_s3_policies/aws_s3_bucket_public_access_block.yml
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_public_access_block.yml
rename to policies/aws_s3_policies/aws_s3_bucket_public_access_block.yml
diff --git a/aws_s3_policies/aws_s3_bucket_public_read.py b/policies/aws_s3_policies/aws_s3_bucket_public_read.py
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_public_read.py
rename to policies/aws_s3_policies/aws_s3_bucket_public_read.py
diff --git a/aws_s3_policies/aws_s3_bucket_public_read.yml b/policies/aws_s3_policies/aws_s3_bucket_public_read.yml
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_public_read.yml
rename to policies/aws_s3_policies/aws_s3_bucket_public_read.yml
diff --git a/aws_s3_policies/aws_s3_bucket_public_write.py b/policies/aws_s3_policies/aws_s3_bucket_public_write.py
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_public_write.py
rename to policies/aws_s3_policies/aws_s3_bucket_public_write.py
diff --git a/aws_s3_policies/aws_s3_bucket_public_write.yml b/policies/aws_s3_policies/aws_s3_bucket_public_write.yml
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_public_write.yml
rename to policies/aws_s3_policies/aws_s3_bucket_public_write.yml
diff --git a/aws_s3_policies/aws_s3_bucket_secure_access.py b/policies/aws_s3_policies/aws_s3_bucket_secure_access.py
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_secure_access.py
rename to policies/aws_s3_policies/aws_s3_bucket_secure_access.py
diff --git a/aws_s3_policies/aws_s3_bucket_secure_access.yml b/policies/aws_s3_policies/aws_s3_bucket_secure_access.yml
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_secure_access.yml
rename to policies/aws_s3_policies/aws_s3_bucket_secure_access.yml
diff --git a/aws_s3_policies/aws_s3_bucket_versioning.py b/policies/aws_s3_policies/aws_s3_bucket_versioning.py
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_versioning.py
rename to policies/aws_s3_policies/aws_s3_bucket_versioning.py
diff --git a/aws_s3_policies/aws_s3_bucket_versioning.yml b/policies/aws_s3_policies/aws_s3_bucket_versioning.yml
similarity index 100%
rename from aws_s3_policies/aws_s3_bucket_versioning.yml
rename to policies/aws_s3_policies/aws_s3_bucket_versioning.yml
diff --git a/aws_vpc_policies/aws_network_acl_restricted_ssh.py b/policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py
similarity index 100%
rename from aws_vpc_policies/aws_network_acl_restricted_ssh.py
rename to policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py
diff --git a/aws_vpc_policies/aws_network_acl_restricted_ssh.yml b/policies/aws_vpc_policies/aws_network_acl_restricted_ssh.yml
similarity index 100%
rename from aws_vpc_policies/aws_network_acl_restricted_ssh.yml
rename to policies/aws_vpc_policies/aws_network_acl_restricted_ssh.yml
diff --git a/aws_vpc_policies/aws_network_acl_restricts_inbound_traffic.py b/policies/aws_vpc_policies/aws_network_acl_restricts_inbound_traffic.py
similarity index 100%
rename from aws_vpc_policies/aws_network_acl_restricts_inbound_traffic.py
rename to policies/aws_vpc_policies/aws_network_acl_restricts_inbound_traffic.py
diff --git a/aws_vpc_policies/aws_network_acl_restricts_inbound_traffic.yml b/policies/aws_vpc_policies/aws_network_acl_restricts_inbound_traffic.yml
similarity index 100%
rename from aws_vpc_policies/aws_network_acl_restricts_inbound_traffic.yml
rename to policies/aws_vpc_policies/aws_network_acl_restricts_inbound_traffic.yml
diff --git a/aws_vpc_policies/aws_network_acl_restricts_insecure_protocols.py b/policies/aws_vpc_policies/aws_network_acl_restricts_insecure_protocols.py
similarity index 100%
rename from aws_vpc_policies/aws_network_acl_restricts_insecure_protocols.py
rename to policies/aws_vpc_policies/aws_network_acl_restricts_insecure_protocols.py
diff --git a/aws_vpc_policies/aws_network_acl_restricts_insecure_protocols.yml b/policies/aws_vpc_policies/aws_network_acl_restricts_insecure_protocols.yml
similarity index 100%
rename from aws_vpc_policies/aws_network_acl_restricts_insecure_protocols.yml
rename to policies/aws_vpc_policies/aws_network_acl_restricts_insecure_protocols.yml
diff --git a/aws_vpc_policies/aws_network_acl_restricts_outbound_traffic.py b/policies/aws_vpc_policies/aws_network_acl_restricts_outbound_traffic.py
similarity index 100%
rename from aws_vpc_policies/aws_network_acl_restricts_outbound_traffic.py
rename to policies/aws_vpc_policies/aws_network_acl_restricts_outbound_traffic.py
diff --git a/aws_vpc_policies/aws_network_acl_restricts_outbound_traffic.yml b/policies/aws_vpc_policies/aws_network_acl_restricts_outbound_traffic.yml
similarity index 100%
rename from aws_vpc_policies/aws_network_acl_restricts_outbound_traffic.yml
rename to policies/aws_vpc_policies/aws_network_acl_restricts_outbound_traffic.yml
diff --git a/aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.py b/policies/aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.py
similarity index 100%
rename from aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.py
rename to policies/aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.py
diff --git a/aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.yml b/policies/aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.yml
similarity index 100%
rename from aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.yml
rename to policies/aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.yml
diff --git a/aws_vpc_policies/aws_security_group_administrative_ingress.py b/policies/aws_vpc_policies/aws_security_group_administrative_ingress.py
similarity index 100%
rename from aws_vpc_policies/aws_security_group_administrative_ingress.py
rename to policies/aws_vpc_policies/aws_security_group_administrative_ingress.py
diff --git a/aws_vpc_policies/aws_security_group_administrative_ingress.yml b/policies/aws_vpc_policies/aws_security_group_administrative_ingress.yml
similarity index 100%
rename from aws_vpc_policies/aws_security_group_administrative_ingress.yml
rename to policies/aws_vpc_policies/aws_security_group_administrative_ingress.yml
diff --git a/aws_vpc_policies/aws_security_group_restricts_access_to_cde.py b/policies/aws_vpc_policies/aws_security_group_restricts_access_to_cde.py
similarity index 100%
rename from aws_vpc_policies/aws_security_group_restricts_access_to_cde.py
rename to policies/aws_vpc_policies/aws_security_group_restricts_access_to_cde.py
diff --git a/aws_vpc_policies/aws_security_group_restricts_access_to_cde.yml b/policies/aws_vpc_policies/aws_security_group_restricts_access_to_cde.yml
similarity index 100%
rename from aws_vpc_policies/aws_security_group_restricts_access_to_cde.yml
rename to policies/aws_vpc_policies/aws_security_group_restricts_access_to_cde.yml
diff --git a/aws_vpc_policies/aws_security_group_restricts_inbound_traffic.py b/policies/aws_vpc_policies/aws_security_group_restricts_inbound_traffic.py
similarity index 100%
rename from aws_vpc_policies/aws_security_group_restricts_inbound_traffic.py
rename to policies/aws_vpc_policies/aws_security_group_restricts_inbound_traffic.py
diff --git a/aws_vpc_policies/aws_security_group_restricts_inbound_traffic.yml b/policies/aws_vpc_policies/aws_security_group_restricts_inbound_traffic.yml
similarity index 100%
rename from aws_vpc_policies/aws_security_group_restricts_inbound_traffic.yml
rename to policies/aws_vpc_policies/aws_security_group_restricts_inbound_traffic.yml
diff --git a/aws_vpc_policies/aws_security_group_restricts_inter_security_group_traffic.py b/policies/aws_vpc_policies/aws_security_group_restricts_inter_security_group_traffic.py
similarity index 100%
rename from aws_vpc_policies/aws_security_group_restricts_inter_security_group_traffic.py
rename to policies/aws_vpc_policies/aws_security_group_restricts_inter_security_group_traffic.py
diff --git a/aws_vpc_policies/aws_security_group_restricts_inter_security_group_traffic.yml b/policies/aws_vpc_policies/aws_security_group_restricts_inter_security_group_traffic.yml
similarity index 100%
rename from aws_vpc_policies/aws_security_group_restricts_inter_security_group_traffic.yml
rename to policies/aws_vpc_policies/aws_security_group_restricts_inter_security_group_traffic.yml
diff --git a/aws_vpc_policies/aws_security_group_restricts_outbound_traffic.py b/policies/aws_vpc_policies/aws_security_group_restricts_outbound_traffic.py
similarity index 100%
rename from aws_vpc_policies/aws_security_group_restricts_outbound_traffic.py
rename to policies/aws_vpc_policies/aws_security_group_restricts_outbound_traffic.py
diff --git a/aws_vpc_policies/aws_security_group_restricts_outbound_traffic.yml b/policies/aws_vpc_policies/aws_security_group_restricts_outbound_traffic.yml
similarity index 100%
rename from aws_vpc_policies/aws_security_group_restricts_outbound_traffic.yml
rename to policies/aws_vpc_policies/aws_security_group_restricts_outbound_traffic.yml
diff --git a/aws_vpc_policies/aws_security_group_restricts_traffic_leaving_cde.py b/policies/aws_vpc_policies/aws_security_group_restricts_traffic_leaving_cde.py
similarity index 100%
rename from aws_vpc_policies/aws_security_group_restricts_traffic_leaving_cde.py
rename to policies/aws_vpc_policies/aws_security_group_restricts_traffic_leaving_cde.py
diff --git a/aws_vpc_policies/aws_security_group_restricts_traffic_leaving_cde.yml b/policies/aws_vpc_policies/aws_security_group_restricts_traffic_leaving_cde.yml
similarity index 100%
rename from aws_vpc_policies/aws_security_group_restricts_traffic_leaving_cde.yml
rename to policies/aws_vpc_policies/aws_security_group_restricts_traffic_leaving_cde.yml
diff --git a/aws_vpc_policies/aws_security_group_tightly_restricts_inbound_traffic.py b/policies/aws_vpc_policies/aws_security_group_tightly_restricts_inbound_traffic.py
similarity index 100%
rename from aws_vpc_policies/aws_security_group_tightly_restricts_inbound_traffic.py
rename to policies/aws_vpc_policies/aws_security_group_tightly_restricts_inbound_traffic.py
diff --git a/aws_vpc_policies/aws_security_group_tightly_restricts_inbound_traffic.yml b/policies/aws_vpc_policies/aws_security_group_tightly_restricts_inbound_traffic.yml
similarity index 100%
rename from aws_vpc_policies/aws_security_group_tightly_restricts_inbound_traffic.yml
rename to policies/aws_vpc_policies/aws_security_group_tightly_restricts_inbound_traffic.yml
diff --git a/aws_vpc_policies/aws_security_group_tightly_restricts_outbound_traffic.py b/policies/aws_vpc_policies/aws_security_group_tightly_restricts_outbound_traffic.py
similarity index 100%
rename from aws_vpc_policies/aws_security_group_tightly_restricts_outbound_traffic.py
rename to policies/aws_vpc_policies/aws_security_group_tightly_restricts_outbound_traffic.py
diff --git a/aws_vpc_policies/aws_security_group_tightly_restricts_outbound_traffic.yml b/policies/aws_vpc_policies/aws_security_group_tightly_restricts_outbound_traffic.yml
similarity index 100%
rename from aws_vpc_policies/aws_security_group_tightly_restricts_outbound_traffic.yml
rename to policies/aws_vpc_policies/aws_security_group_tightly_restricts_outbound_traffic.yml
diff --git a/aws_vpc_policies/aws_security_group_unused_security_group.py b/policies/aws_vpc_policies/aws_security_group_unused_security_group.py
similarity index 100%
rename from aws_vpc_policies/aws_security_group_unused_security_group.py
rename to policies/aws_vpc_policies/aws_security_group_unused_security_group.py
diff --git a/aws_vpc_policies/aws_security_group_unused_security_group.yml b/policies/aws_vpc_policies/aws_security_group_unused_security_group.yml
similarity index 100%
rename from aws_vpc_policies/aws_security_group_unused_security_group.yml
rename to policies/aws_vpc_policies/aws_security_group_unused_security_group.yml
diff --git a/aws_vpc_policies/aws_vpc_default_network_acl_restricts_all_traffic.py b/policies/aws_vpc_policies/aws_vpc_default_network_acl_restricts_all_traffic.py
similarity index 100%
rename from aws_vpc_policies/aws_vpc_default_network_acl_restricts_all_traffic.py
rename to policies/aws_vpc_policies/aws_vpc_default_network_acl_restricts_all_traffic.py
diff --git a/aws_vpc_policies/aws_vpc_default_network_acl_restricts_all_traffic.yml b/policies/aws_vpc_policies/aws_vpc_default_network_acl_restricts_all_traffic.yml
similarity index 100%
rename from aws_vpc_policies/aws_vpc_default_network_acl_restricts_all_traffic.yml
rename to policies/aws_vpc_policies/aws_vpc_default_network_acl_restricts_all_traffic.yml
diff --git a/aws_vpc_policies/aws_vpc_default_security_restrictions.py b/policies/aws_vpc_policies/aws_vpc_default_security_restrictions.py
similarity index 100%
rename from aws_vpc_policies/aws_vpc_default_security_restrictions.py
rename to policies/aws_vpc_policies/aws_vpc_default_security_restrictions.py
diff --git a/aws_vpc_policies/aws_vpc_default_security_restrictions.yml b/policies/aws_vpc_policies/aws_vpc_default_security_restrictions.yml
similarity index 100%
rename from aws_vpc_policies/aws_vpc_default_security_restrictions.yml
rename to policies/aws_vpc_policies/aws_vpc_default_security_restrictions.yml
diff --git a/aws_vpc_policies/aws_vpc_flow_logs.py b/policies/aws_vpc_policies/aws_vpc_flow_logs.py
similarity index 100%
rename from aws_vpc_policies/aws_vpc_flow_logs.py
rename to policies/aws_vpc_policies/aws_vpc_flow_logs.py
diff --git a/aws_vpc_policies/aws_vpc_flow_logs.yml b/policies/aws_vpc_policies/aws_vpc_flow_logs.yml
similarity index 100%
rename from aws_vpc_policies/aws_vpc_flow_logs.yml
rename to policies/aws_vpc_policies/aws_vpc_flow_logs.yml
diff --git a/aws_waf_policies/aws_waf_has_xss_predicate.py b/policies/aws_waf_policies/aws_waf_has_xss_predicate.py
similarity index 100%
rename from aws_waf_policies/aws_waf_has_xss_predicate.py
rename to policies/aws_waf_policies/aws_waf_has_xss_predicate.py
diff --git a/aws_waf_policies/aws_waf_has_xss_predicate.yml b/policies/aws_waf_policies/aws_waf_has_xss_predicate.yml
similarity index 100%
rename from aws_waf_policies/aws_waf_has_xss_predicate.yml
rename to policies/aws_waf_policies/aws_waf_has_xss_predicate.yml
diff --git a/aws_waf_policies/aws_waf_rule_ordering.py b/policies/aws_waf_policies/aws_waf_rule_ordering.py
similarity index 100%
rename from aws_waf_policies/aws_waf_rule_ordering.py
rename to policies/aws_waf_policies/aws_waf_rule_ordering.py
diff --git a/aws_waf_policies/aws_waf_rule_ordering.yml b/policies/aws_waf_policies/aws_waf_rule_ordering.yml
similarity index 100%
rename from aws_waf_policies/aws_waf_rule_ordering.yml
rename to policies/aws_waf_policies/aws_waf_rule_ordering.yml
diff --git a/aws_queries/cloudtrail_password_spraying.yml b/queries/aws_queries/cloudtrail_password_spraying.yml
similarity index 100%
rename from aws_queries/cloudtrail_password_spraying.yml
rename to queries/aws_queries/cloudtrail_password_spraying.yml
diff --git a/aws_queries/cloudtrail_password_spraying_query.yml b/queries/aws_queries/cloudtrail_password_spraying_query.yml
similarity index 100%
rename from aws_queries/cloudtrail_password_spraying_query.yml
rename to queries/aws_queries/cloudtrail_password_spraying_query.yml
diff --git a/aws_queries/scheduled_rule_default.py b/queries/aws_queries/scheduled_rule_default.py
similarity index 100%
rename from aws_queries/scheduled_rule_default.py
rename to queries/aws_queries/scheduled_rule_default.py
diff --git a/aws_queries/vpc_dns_tunneling.yml b/queries/aws_queries/vpc_dns_tunneling.yml
similarity index 100%
rename from aws_queries/vpc_dns_tunneling.yml
rename to queries/aws_queries/vpc_dns_tunneling.yml
diff --git a/aws_queries/vpc_dns_tunneling_query.yml b/queries/aws_queries/vpc_dns_tunneling_query.yml
similarity index 100%
rename from aws_queries/vpc_dns_tunneling_query.yml
rename to queries/aws_queries/vpc_dns_tunneling_query.yml
diff --git a/okta_queries/okta_activity_audit.yml b/queries/okta_queries/okta_activity_audit.yml
similarity index 100%
rename from okta_queries/okta_activity_audit.yml
rename to queries/okta_queries/okta_activity_audit.yml
diff --git a/okta_queries/okta_admin_access_granted.yml b/queries/okta_queries/okta_admin_access_granted.yml
similarity index 100%
rename from okta_queries/okta_admin_access_granted.yml
rename to queries/okta_queries/okta_admin_access_granted.yml
diff --git a/okta_queries/okta_mfa_password_reset_audit.yml b/queries/okta_queries/okta_mfa_password_reset_audit.yml
similarity index 100%
rename from okta_queries/okta_mfa_password_reset_audit.yml
rename to queries/okta_queries/okta_mfa_password_reset_audit.yml
diff --git a/okta_queries/okta_session_id_audit.yml b/queries/okta_queries/okta_session_id_audit.yml
similarity index 100%
rename from okta_queries/okta_session_id_audit.yml
rename to queries/okta_queries/okta_session_id_audit.yml
diff --git a/okta_queries/okta_support_access.yml b/queries/okta_queries/okta_support_access.yml
similarity index 100%
rename from okta_queries/okta_support_access.yml
rename to queries/okta_queries/okta_support_access.yml
diff --git a/snowflake_queries/snowflake_account_admin_assigned.py b/queries/snowflake_queries/snowflake_account_admin_assigned.py
similarity index 100%
rename from snowflake_queries/snowflake_account_admin_assigned.py
rename to queries/snowflake_queries/snowflake_account_admin_assigned.py
diff --git a/snowflake_queries/snowflake_account_admin_assigned.yml b/queries/snowflake_queries/snowflake_account_admin_assigned.yml
similarity index 100%
rename from snowflake_queries/snowflake_account_admin_assigned.yml
rename to queries/snowflake_queries/snowflake_account_admin_assigned.yml
diff --git a/snowflake_queries/snowflake_account_admin_assigned_query.yml b/queries/snowflake_queries/snowflake_account_admin_assigned_query.yml
similarity index 100%
rename from snowflake_queries/snowflake_account_admin_assigned_query.yml
rename to queries/snowflake_queries/snowflake_account_admin_assigned_query.yml
diff --git a/snowflake_queries/snowflake_brute_force_ip.py b/queries/snowflake_queries/snowflake_brute_force_ip.py
similarity index 100%
rename from snowflake_queries/snowflake_brute_force_ip.py
rename to queries/snowflake_queries/snowflake_brute_force_ip.py
diff --git a/snowflake_queries/snowflake_brute_force_ip.yml b/queries/snowflake_queries/snowflake_brute_force_ip.yml
similarity index 100%
rename from snowflake_queries/snowflake_brute_force_ip.yml
rename to queries/snowflake_queries/snowflake_brute_force_ip.yml
diff --git a/snowflake_queries/snowflake_brute_force_ip_query.yml b/queries/snowflake_queries/snowflake_brute_force_ip_query.yml
similarity index 100%
rename from snowflake_queries/snowflake_brute_force_ip_query.yml
rename to queries/snowflake_queries/snowflake_brute_force_ip_query.yml
diff --git a/snowflake_queries/snowflake_brute_force_username.py b/queries/snowflake_queries/snowflake_brute_force_username.py
similarity index 100%
rename from snowflake_queries/snowflake_brute_force_username.py
rename to queries/snowflake_queries/snowflake_brute_force_username.py
diff --git a/snowflake_queries/snowflake_brute_force_username.yml b/queries/snowflake_queries/snowflake_brute_force_username.yml
similarity index 100%
rename from snowflake_queries/snowflake_brute_force_username.yml
rename to queries/snowflake_queries/snowflake_brute_force_username.yml
diff --git a/snowflake_queries/snowflake_brute_force_username_query.yml b/queries/snowflake_queries/snowflake_brute_force_username_query.yml
similarity index 100%
rename from snowflake_queries/snowflake_brute_force_username_query.yml
rename to queries/snowflake_queries/snowflake_brute_force_username_query.yml
diff --git a/snowflake_queries/snowflake_key_user_password_login.py b/queries/snowflake_queries/snowflake_key_user_password_login.py
similarity index 100%
rename from snowflake_queries/snowflake_key_user_password_login.py
rename to queries/snowflake_queries/snowflake_key_user_password_login.py
diff --git a/snowflake_queries/snowflake_key_user_password_login.yml b/queries/snowflake_queries/snowflake_key_user_password_login.yml
similarity index 100%
rename from snowflake_queries/snowflake_key_user_password_login.yml
rename to queries/snowflake_queries/snowflake_key_user_password_login.yml
diff --git a/snowflake_queries/snowflake_key_user_password_login_query.yml b/queries/snowflake_queries/snowflake_key_user_password_login_query.yml
similarity index 100%
rename from snowflake_queries/snowflake_key_user_password_login_query.yml
rename to queries/snowflake_queries/snowflake_key_user_password_login_query.yml
diff --git a/snowflake_queries/snowflake_login_without_mfa.py b/queries/snowflake_queries/snowflake_login_without_mfa.py
similarity index 100%
rename from snowflake_queries/snowflake_login_without_mfa.py
rename to queries/snowflake_queries/snowflake_login_without_mfa.py
diff --git a/snowflake_queries/snowflake_login_without_mfa.yml b/queries/snowflake_queries/snowflake_login_without_mfa.yml
similarity index 100%
rename from snowflake_queries/snowflake_login_without_mfa.yml
rename to queries/snowflake_queries/snowflake_login_without_mfa.yml
diff --git a/snowflake_queries/snowflake_login_without_mfa_query.yml b/queries/snowflake_queries/snowflake_login_without_mfa_query.yml
similarity index 100%
rename from snowflake_queries/snowflake_login_without_mfa_query.yml
rename to queries/snowflake_queries/snowflake_login_without_mfa_query.yml
diff --git a/snowflake_queries/snowflake_network_policy_modified.py b/queries/snowflake_queries/snowflake_network_policy_modified.py
similarity index 100%
rename from snowflake_queries/snowflake_network_policy_modified.py
rename to queries/snowflake_queries/snowflake_network_policy_modified.py
diff --git a/snowflake_queries/snowflake_network_policy_modified.yml b/queries/snowflake_queries/snowflake_network_policy_modified.yml
similarity index 100%
rename from snowflake_queries/snowflake_network_policy_modified.yml
rename to queries/snowflake_queries/snowflake_network_policy_modified.yml
diff --git a/snowflake_queries/snowflake_network_policy_modified_query.yml b/queries/snowflake_queries/snowflake_network_policy_modified_query.yml
similarity index 100%
rename from snowflake_queries/snowflake_network_policy_modified_query.yml
rename to queries/snowflake_queries/snowflake_network_policy_modified_query.yml
diff --git a/snowflake_queries/snowflake_privileged_object_changes.py b/queries/snowflake_queries/snowflake_privileged_object_changes.py
similarity index 100%
rename from snowflake_queries/snowflake_privileged_object_changes.py
rename to queries/snowflake_queries/snowflake_privileged_object_changes.py
diff --git a/snowflake_queries/snowflake_privileged_object_changes.yml b/queries/snowflake_queries/snowflake_privileged_object_changes.yml
similarity index 100%
rename from snowflake_queries/snowflake_privileged_object_changes.yml
rename to queries/snowflake_queries/snowflake_privileged_object_changes.yml
diff --git a/snowflake_queries/snowflake_privileged_object_changes_query.yml b/queries/snowflake_queries/snowflake_privileged_object_changes_query.yml
similarity index 100%
rename from snowflake_queries/snowflake_privileged_object_changes_query.yml
rename to queries/snowflake_queries/snowflake_privileged_object_changes_query.yml
diff --git a/snowflake_queries/snowflake_public_role_grant.py b/queries/snowflake_queries/snowflake_public_role_grant.py
similarity index 100%
rename from snowflake_queries/snowflake_public_role_grant.py
rename to queries/snowflake_queries/snowflake_public_role_grant.py
diff --git a/snowflake_queries/snowflake_public_role_grant.yml b/queries/snowflake_queries/snowflake_public_role_grant.yml
similarity index 100%
rename from snowflake_queries/snowflake_public_role_grant.yml
rename to queries/snowflake_queries/snowflake_public_role_grant.yml
diff --git a/snowflake_queries/snowflake_public_role_grant_query.yml b/queries/snowflake_queries/snowflake_public_role_grant_query.yml
similarity index 100%
rename from snowflake_queries/snowflake_public_role_grant_query.yml
rename to queries/snowflake_queries/snowflake_public_role_grant_query.yml
diff --git a/snowflake_queries/snowflake_scim_token_created.py b/queries/snowflake_queries/snowflake_scim_token_created.py
similarity index 100%
rename from snowflake_queries/snowflake_scim_token_created.py
rename to queries/snowflake_queries/snowflake_scim_token_created.py
diff --git a/snowflake_queries/snowflake_scim_token_created.yml b/queries/snowflake_queries/snowflake_scim_token_created.yml
similarity index 100%
rename from snowflake_queries/snowflake_scim_token_created.yml
rename to queries/snowflake_queries/snowflake_scim_token_created.yml
diff --git a/snowflake_queries/snowflake_scim_token_created_query.yml b/queries/snowflake_queries/snowflake_scim_token_created_query.yml
similarity index 100%
rename from snowflake_queries/snowflake_scim_token_created_query.yml
rename to queries/snowflake_queries/snowflake_scim_token_created_query.yml
diff --git a/snowflake_queries/snowflake_unusual_login_volume.py b/queries/snowflake_queries/snowflake_unusual_login_volume.py
similarity index 100%
rename from snowflake_queries/snowflake_unusual_login_volume.py
rename to queries/snowflake_queries/snowflake_unusual_login_volume.py
diff --git a/snowflake_queries/snowflake_unusual_login_volume.yml b/queries/snowflake_queries/snowflake_unusual_login_volume.yml
similarity index 100%
rename from snowflake_queries/snowflake_unusual_login_volume.yml
rename to queries/snowflake_queries/snowflake_unusual_login_volume.yml
diff --git a/snowflake_queries/snowflake_unusual_login_volume_query.yml b/queries/snowflake_queries/snowflake_unusual_login_volume_query.yml
similarity index 100%
rename from snowflake_queries/snowflake_unusual_login_volume_query.yml
rename to queries/snowflake_queries/snowflake_unusual_login_volume_query.yml
diff --git a/snowflake_queries/snowflake_user_created.py b/queries/snowflake_queries/snowflake_user_created.py
similarity index 100%
rename from snowflake_queries/snowflake_user_created.py
rename to queries/snowflake_queries/snowflake_user_created.py
diff --git a/snowflake_queries/snowflake_user_created.yml b/queries/snowflake_queries/snowflake_user_created.yml
similarity index 100%
rename from snowflake_queries/snowflake_user_created.yml
rename to queries/snowflake_queries/snowflake_user_created.yml
diff --git a/snowflake_queries/snowflake_user_created_query.yml b/queries/snowflake_queries/snowflake_user_created_query.yml
similarity index 100%
rename from snowflake_queries/snowflake_user_created_query.yml
rename to queries/snowflake_queries/snowflake_user_created_query.yml
diff --git a/snowflake_queries/snowflake_user_enabled.py b/queries/snowflake_queries/snowflake_user_enabled.py
similarity index 100%
rename from snowflake_queries/snowflake_user_enabled.py
rename to queries/snowflake_queries/snowflake_user_enabled.py
diff --git a/snowflake_queries/snowflake_user_enabled.yml b/queries/snowflake_queries/snowflake_user_enabled.yml
similarity index 100%
rename from snowflake_queries/snowflake_user_enabled.yml
rename to queries/snowflake_queries/snowflake_user_enabled.yml
diff --git a/snowflake_queries/snowflake_user_enabled_query.yml b/queries/snowflake_queries/snowflake_user_enabled_query.yml
similarity index 100%
rename from snowflake_queries/snowflake_user_enabled_query.yml
rename to queries/snowflake_queries/snowflake_user_enabled_query.yml
diff --git a/aws_cloudtrail_rules/aws_ami_modified_for_public_access.py b/rules/aws_cloudtrail_rules/aws_ami_modified_for_public_access.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_ami_modified_for_public_access.py
rename to rules/aws_cloudtrail_rules/aws_ami_modified_for_public_access.py
diff --git a/aws_cloudtrail_rules/aws_ami_modified_for_public_access.yml b/rules/aws_cloudtrail_rules/aws_ami_modified_for_public_access.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_ami_modified_for_public_access.yml
rename to rules/aws_cloudtrail_rules/aws_ami_modified_for_public_access.yml
diff --git a/aws_cloudtrail_rules/aws_cloudtrail_created.py b/rules/aws_cloudtrail_rules/aws_cloudtrail_created.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_cloudtrail_created.py
rename to rules/aws_cloudtrail_rules/aws_cloudtrail_created.py
diff --git a/aws_cloudtrail_rules/aws_cloudtrail_created.yml b/rules/aws_cloudtrail_rules/aws_cloudtrail_created.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_cloudtrail_created.yml
rename to rules/aws_cloudtrail_rules/aws_cloudtrail_created.yml
diff --git a/aws_cloudtrail_rules/aws_cloudtrail_stopped.py b/rules/aws_cloudtrail_rules/aws_cloudtrail_stopped.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_cloudtrail_stopped.py
rename to rules/aws_cloudtrail_rules/aws_cloudtrail_stopped.py
diff --git a/aws_cloudtrail_rules/aws_cloudtrail_stopped.yml b/rules/aws_cloudtrail_rules/aws_cloudtrail_stopped.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_cloudtrail_stopped.yml
rename to rules/aws_cloudtrail_rules/aws_cloudtrail_stopped.yml
diff --git a/aws_cloudtrail_rules/aws_codebuild_made_public.py b/rules/aws_cloudtrail_rules/aws_codebuild_made_public.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_codebuild_made_public.py
rename to rules/aws_cloudtrail_rules/aws_codebuild_made_public.py
diff --git a/aws_cloudtrail_rules/aws_codebuild_made_public.yml b/rules/aws_cloudtrail_rules/aws_codebuild_made_public.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_codebuild_made_public.yml
rename to rules/aws_cloudtrail_rules/aws_codebuild_made_public.yml
diff --git a/aws_cloudtrail_rules/aws_config_service_created.py b/rules/aws_cloudtrail_rules/aws_config_service_created.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_config_service_created.py
rename to rules/aws_cloudtrail_rules/aws_config_service_created.py
diff --git a/aws_cloudtrail_rules/aws_config_service_created.yml b/rules/aws_cloudtrail_rules/aws_config_service_created.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_config_service_created.yml
rename to rules/aws_cloudtrail_rules/aws_config_service_created.yml
diff --git a/aws_cloudtrail_rules/aws_config_service_disabled_deleted.py b/rules/aws_cloudtrail_rules/aws_config_service_disabled_deleted.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_config_service_disabled_deleted.py
rename to rules/aws_cloudtrail_rules/aws_config_service_disabled_deleted.py
diff --git a/aws_cloudtrail_rules/aws_config_service_disabled_deleted.yml b/rules/aws_cloudtrail_rules/aws_config_service_disabled_deleted.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_config_service_disabled_deleted.yml
rename to rules/aws_cloudtrail_rules/aws_config_service_disabled_deleted.yml
diff --git a/aws_cloudtrail_rules/aws_console_login_failed.py b/rules/aws_cloudtrail_rules/aws_console_login_failed.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_console_login_failed.py
rename to rules/aws_cloudtrail_rules/aws_console_login_failed.py
diff --git a/aws_cloudtrail_rules/aws_console_login_failed.yml b/rules/aws_cloudtrail_rules/aws_console_login_failed.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_console_login_failed.yml
rename to rules/aws_cloudtrail_rules/aws_console_login_failed.yml
diff --git a/aws_cloudtrail_rules/aws_console_login_without_mfa.py b/rules/aws_cloudtrail_rules/aws_console_login_without_mfa.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_console_login_without_mfa.py
rename to rules/aws_cloudtrail_rules/aws_console_login_without_mfa.py
diff --git a/aws_cloudtrail_rules/aws_console_login_without_mfa.yml b/rules/aws_cloudtrail_rules/aws_console_login_without_mfa.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_console_login_without_mfa.yml
rename to rules/aws_cloudtrail_rules/aws_console_login_without_mfa.yml
diff --git a/aws_cloudtrail_rules/aws_console_login_without_saml.py b/rules/aws_cloudtrail_rules/aws_console_login_without_saml.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_console_login_without_saml.py
rename to rules/aws_cloudtrail_rules/aws_console_login_without_saml.py
diff --git a/aws_cloudtrail_rules/aws_console_login_without_saml.yml b/rules/aws_cloudtrail_rules/aws_console_login_without_saml.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_console_login_without_saml.yml
rename to rules/aws_cloudtrail_rules/aws_console_login_without_saml.yml
diff --git a/aws_cloudtrail_rules/aws_console_root_login.py b/rules/aws_cloudtrail_rules/aws_console_root_login.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_console_root_login.py
rename to rules/aws_cloudtrail_rules/aws_console_root_login.py
diff --git a/aws_cloudtrail_rules/aws_console_root_login.yml b/rules/aws_cloudtrail_rules/aws_console_root_login.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_console_root_login.yml
rename to rules/aws_cloudtrail_rules/aws_console_root_login.yml
diff --git a/aws_cloudtrail_rules/aws_console_root_login_failed.py b/rules/aws_cloudtrail_rules/aws_console_root_login_failed.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_console_root_login_failed.py
rename to rules/aws_cloudtrail_rules/aws_console_root_login_failed.py
diff --git a/aws_cloudtrail_rules/aws_console_root_login_failed.yml b/rules/aws_cloudtrail_rules/aws_console_root_login_failed.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_console_root_login_failed.yml
rename to rules/aws_cloudtrail_rules/aws_console_root_login_failed.yml
diff --git a/aws_cloudtrail_rules/aws_ec2_gateway_modified.py b/rules/aws_cloudtrail_rules/aws_ec2_gateway_modified.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_ec2_gateway_modified.py
rename to rules/aws_cloudtrail_rules/aws_ec2_gateway_modified.py
diff --git a/aws_cloudtrail_rules/aws_ec2_gateway_modified.yml b/rules/aws_cloudtrail_rules/aws_ec2_gateway_modified.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_ec2_gateway_modified.yml
rename to rules/aws_cloudtrail_rules/aws_ec2_gateway_modified.yml
diff --git a/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.py b/rules/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.py
rename to rules/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.py
diff --git a/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.yml b/rules/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.yml
rename to rules/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.yml
diff --git a/aws_cloudtrail_rules/aws_ec2_network_acl_modified.py b/rules/aws_cloudtrail_rules/aws_ec2_network_acl_modified.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_ec2_network_acl_modified.py
rename to rules/aws_cloudtrail_rules/aws_ec2_network_acl_modified.py
diff --git a/aws_cloudtrail_rules/aws_ec2_network_acl_modified.yml b/rules/aws_cloudtrail_rules/aws_ec2_network_acl_modified.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_ec2_network_acl_modified.yml
rename to rules/aws_cloudtrail_rules/aws_ec2_network_acl_modified.yml
diff --git a/aws_cloudtrail_rules/aws_ec2_route_table_modified.py b/rules/aws_cloudtrail_rules/aws_ec2_route_table_modified.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_ec2_route_table_modified.py
rename to rules/aws_cloudtrail_rules/aws_ec2_route_table_modified.py
diff --git a/aws_cloudtrail_rules/aws_ec2_route_table_modified.yml b/rules/aws_cloudtrail_rules/aws_ec2_route_table_modified.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_ec2_route_table_modified.yml
rename to rules/aws_cloudtrail_rules/aws_ec2_route_table_modified.yml
diff --git a/aws_cloudtrail_rules/aws_ec2_security_group_modified.py b/rules/aws_cloudtrail_rules/aws_ec2_security_group_modified.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_ec2_security_group_modified.py
rename to rules/aws_cloudtrail_rules/aws_ec2_security_group_modified.py
diff --git a/aws_cloudtrail_rules/aws_ec2_security_group_modified.yml b/rules/aws_cloudtrail_rules/aws_ec2_security_group_modified.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_ec2_security_group_modified.yml
rename to rules/aws_cloudtrail_rules/aws_ec2_security_group_modified.yml
diff --git a/aws_cloudtrail_rules/aws_ec2_vpc_modified.py b/rules/aws_cloudtrail_rules/aws_ec2_vpc_modified.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_ec2_vpc_modified.py
rename to rules/aws_cloudtrail_rules/aws_ec2_vpc_modified.py
diff --git a/aws_cloudtrail_rules/aws_ec2_vpc_modified.yml b/rules/aws_cloudtrail_rules/aws_ec2_vpc_modified.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_ec2_vpc_modified.yml
rename to rules/aws_cloudtrail_rules/aws_ec2_vpc_modified.yml
diff --git a/aws_cloudtrail_rules/aws_iam_anything_changed.py b/rules/aws_cloudtrail_rules/aws_iam_anything_changed.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_iam_anything_changed.py
rename to rules/aws_cloudtrail_rules/aws_iam_anything_changed.py
diff --git a/aws_cloudtrail_rules/aws_iam_anything_changed.yml b/rules/aws_cloudtrail_rules/aws_iam_anything_changed.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_iam_anything_changed.yml
rename to rules/aws_cloudtrail_rules/aws_iam_anything_changed.yml
diff --git a/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.py b/rules/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.py
rename to rules/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.py
diff --git a/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.yml b/rules/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.yml
rename to rules/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.yml
diff --git a/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.py b/rules/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.py
rename to rules/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.py
diff --git a/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.yml b/rules/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.yml
rename to rules/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.yml
diff --git a/aws_cloudtrail_rules/aws_iam_policy_modified.py b/rules/aws_cloudtrail_rules/aws_iam_policy_modified.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_iam_policy_modified.py
rename to rules/aws_cloudtrail_rules/aws_iam_policy_modified.py
diff --git a/aws_cloudtrail_rules/aws_iam_policy_modified.yml b/rules/aws_cloudtrail_rules/aws_iam_policy_modified.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_iam_policy_modified.yml
rename to rules/aws_cloudtrail_rules/aws_iam_policy_modified.yml
diff --git a/aws_cloudtrail_rules/aws_iam_user_recon_denied.py b/rules/aws_cloudtrail_rules/aws_iam_user_recon_denied.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_iam_user_recon_denied.py
rename to rules/aws_cloudtrail_rules/aws_iam_user_recon_denied.py
diff --git a/aws_cloudtrail_rules/aws_iam_user_recon_denied.yml b/rules/aws_cloudtrail_rules/aws_iam_user_recon_denied.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_iam_user_recon_denied.yml
rename to rules/aws_cloudtrail_rules/aws_iam_user_recon_denied.yml
diff --git a/aws_cloudtrail_rules/aws_key_compromised.py b/rules/aws_cloudtrail_rules/aws_key_compromised.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_key_compromised.py
rename to rules/aws_cloudtrail_rules/aws_key_compromised.py
diff --git a/aws_cloudtrail_rules/aws_key_compromised.yml b/rules/aws_cloudtrail_rules/aws_key_compromised.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_key_compromised.yml
rename to rules/aws_cloudtrail_rules/aws_key_compromised.yml
diff --git a/aws_cloudtrail_rules/aws_kms_cmk_loss.py b/rules/aws_cloudtrail_rules/aws_kms_cmk_loss.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_kms_cmk_loss.py
rename to rules/aws_cloudtrail_rules/aws_kms_cmk_loss.py
diff --git a/aws_cloudtrail_rules/aws_kms_cmk_loss.yml b/rules/aws_cloudtrail_rules/aws_kms_cmk_loss.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_kms_cmk_loss.yml
rename to rules/aws_cloudtrail_rules/aws_kms_cmk_loss.yml
diff --git a/aws_cloudtrail_rules/aws_network_acl_permissive_entry.py b/rules/aws_cloudtrail_rules/aws_network_acl_permissive_entry.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_network_acl_permissive_entry.py
rename to rules/aws_cloudtrail_rules/aws_network_acl_permissive_entry.py
diff --git a/aws_cloudtrail_rules/aws_network_acl_permissive_entry.yml b/rules/aws_cloudtrail_rules/aws_network_acl_permissive_entry.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_network_acl_permissive_entry.yml
rename to rules/aws_cloudtrail_rules/aws_network_acl_permissive_entry.yml
diff --git a/aws_cloudtrail_rules/aws_resource_made_public.py b/rules/aws_cloudtrail_rules/aws_resource_made_public.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_resource_made_public.py
rename to rules/aws_cloudtrail_rules/aws_resource_made_public.py
diff --git a/aws_cloudtrail_rules/aws_resource_made_public.yml b/rules/aws_cloudtrail_rules/aws_resource_made_public.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_resource_made_public.yml
rename to rules/aws_cloudtrail_rules/aws_resource_made_public.yml
diff --git a/aws_cloudtrail_rules/aws_root_access_key_created.py b/rules/aws_cloudtrail_rules/aws_root_access_key_created.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_root_access_key_created.py
rename to rules/aws_cloudtrail_rules/aws_root_access_key_created.py
diff --git a/aws_cloudtrail_rules/aws_root_access_key_created.yml b/rules/aws_cloudtrail_rules/aws_root_access_key_created.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_root_access_key_created.yml
rename to rules/aws_cloudtrail_rules/aws_root_access_key_created.yml
diff --git a/aws_cloudtrail_rules/aws_root_activity.py b/rules/aws_cloudtrail_rules/aws_root_activity.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_root_activity.py
rename to rules/aws_cloudtrail_rules/aws_root_activity.py
diff --git a/aws_cloudtrail_rules/aws_root_activity.yml b/rules/aws_cloudtrail_rules/aws_root_activity.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_root_activity.yml
rename to rules/aws_cloudtrail_rules/aws_root_activity.yml
diff --git a/aws_cloudtrail_rules/aws_root_console_login.py b/rules/aws_cloudtrail_rules/aws_root_console_login.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_root_console_login.py
rename to rules/aws_cloudtrail_rules/aws_root_console_login.py
diff --git a/aws_cloudtrail_rules/aws_root_console_login.yml b/rules/aws_cloudtrail_rules/aws_root_console_login.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_root_console_login.yml
rename to rules/aws_cloudtrail_rules/aws_root_console_login.yml
diff --git a/aws_cloudtrail_rules/aws_root_failed_console_login.py b/rules/aws_cloudtrail_rules/aws_root_failed_console_login.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_root_failed_console_login.py
rename to rules/aws_cloudtrail_rules/aws_root_failed_console_login.py
diff --git a/aws_cloudtrail_rules/aws_root_failed_console_login.yml b/rules/aws_cloudtrail_rules/aws_root_failed_console_login.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_root_failed_console_login.yml
rename to rules/aws_cloudtrail_rules/aws_root_failed_console_login.yml
diff --git a/aws_cloudtrail_rules/aws_root_password_changed.py b/rules/aws_cloudtrail_rules/aws_root_password_changed.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_root_password_changed.py
rename to rules/aws_cloudtrail_rules/aws_root_password_changed.py
diff --git a/aws_cloudtrail_rules/aws_root_password_changed.yml b/rules/aws_cloudtrail_rules/aws_root_password_changed.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_root_password_changed.yml
rename to rules/aws_cloudtrail_rules/aws_root_password_changed.yml
diff --git a/aws_cloudtrail_rules/aws_s3_activity_greynoise.py b/rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_s3_activity_greynoise.py
rename to rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.py
diff --git a/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml b/rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_s3_activity_greynoise.yml
rename to rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml
diff --git a/aws_cloudtrail_rules/aws_s3_bucket_deleted.py b/rules/aws_cloudtrail_rules/aws_s3_bucket_deleted.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_s3_bucket_deleted.py
rename to rules/aws_cloudtrail_rules/aws_s3_bucket_deleted.py
diff --git a/aws_cloudtrail_rules/aws_s3_bucket_deleted.yml b/rules/aws_cloudtrail_rules/aws_s3_bucket_deleted.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_s3_bucket_deleted.yml
rename to rules/aws_cloudtrail_rules/aws_s3_bucket_deleted.yml
diff --git a/aws_cloudtrail_rules/aws_s3_bucket_policy_modified.py b/rules/aws_cloudtrail_rules/aws_s3_bucket_policy_modified.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_s3_bucket_policy_modified.py
rename to rules/aws_cloudtrail_rules/aws_s3_bucket_policy_modified.py
diff --git a/aws_cloudtrail_rules/aws_s3_bucket_policy_modified.yml b/rules/aws_cloudtrail_rules/aws_s3_bucket_policy_modified.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_s3_bucket_policy_modified.yml
rename to rules/aws_cloudtrail_rules/aws_s3_bucket_policy_modified.yml
diff --git a/aws_cloudtrail_rules/aws_security_configuration_change.py b/rules/aws_cloudtrail_rules/aws_security_configuration_change.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_security_configuration_change.py
rename to rules/aws_cloudtrail_rules/aws_security_configuration_change.py
diff --git a/aws_cloudtrail_rules/aws_security_configuration_change.yml b/rules/aws_cloudtrail_rules/aws_security_configuration_change.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_security_configuration_change.yml
rename to rules/aws_cloudtrail_rules/aws_security_configuration_change.yml
diff --git a/aws_cloudtrail_rules/aws_snapshot_made_public.py b/rules/aws_cloudtrail_rules/aws_snapshot_made_public.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_snapshot_made_public.py
rename to rules/aws_cloudtrail_rules/aws_snapshot_made_public.py
diff --git a/aws_cloudtrail_rules/aws_snapshot_made_public.yml b/rules/aws_cloudtrail_rules/aws_snapshot_made_public.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_snapshot_made_public.yml
rename to rules/aws_cloudtrail_rules/aws_snapshot_made_public.yml
diff --git a/aws_cloudtrail_rules/aws_unauthorized_api_call.py b/rules/aws_cloudtrail_rules/aws_unauthorized_api_call.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_unauthorized_api_call.py
rename to rules/aws_cloudtrail_rules/aws_unauthorized_api_call.py
diff --git a/aws_cloudtrail_rules/aws_unauthorized_api_call.yml b/rules/aws_cloudtrail_rules/aws_unauthorized_api_call.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_unauthorized_api_call.yml
rename to rules/aws_cloudtrail_rules/aws_unauthorized_api_call.yml
diff --git a/aws_cloudtrail_rules/aws_update_credentials.py b/rules/aws_cloudtrail_rules/aws_update_credentials.py
similarity index 100%
rename from aws_cloudtrail_rules/aws_update_credentials.py
rename to rules/aws_cloudtrail_rules/aws_update_credentials.py
diff --git a/aws_cloudtrail_rules/aws_update_credentials.yml b/rules/aws_cloudtrail_rules/aws_update_credentials.yml
similarity index 100%
rename from aws_cloudtrail_rules/aws_update_credentials.yml
rename to rules/aws_cloudtrail_rules/aws_update_credentials.yml
diff --git a/aws_guardduty_rules/aws_guardduty_high_sev_findings.py b/rules/aws_guardduty_rules/aws_guardduty_high_sev_findings.py
similarity index 100%
rename from aws_guardduty_rules/aws_guardduty_high_sev_findings.py
rename to rules/aws_guardduty_rules/aws_guardduty_high_sev_findings.py
diff --git a/aws_guardduty_rules/aws_guardduty_high_sev_findings.yml b/rules/aws_guardduty_rules/aws_guardduty_high_sev_findings.yml
similarity index 100%
rename from aws_guardduty_rules/aws_guardduty_high_sev_findings.yml
rename to rules/aws_guardduty_rules/aws_guardduty_high_sev_findings.yml
diff --git a/aws_guardduty_rules/aws_guardduty_low_sev_findings.py b/rules/aws_guardduty_rules/aws_guardduty_low_sev_findings.py
similarity index 100%
rename from aws_guardduty_rules/aws_guardduty_low_sev_findings.py
rename to rules/aws_guardduty_rules/aws_guardduty_low_sev_findings.py
diff --git a/aws_guardduty_rules/aws_guardduty_low_sev_findings.yml b/rules/aws_guardduty_rules/aws_guardduty_low_sev_findings.yml
similarity index 100%
rename from aws_guardduty_rules/aws_guardduty_low_sev_findings.yml
rename to rules/aws_guardduty_rules/aws_guardduty_low_sev_findings.yml
diff --git a/aws_guardduty_rules/aws_guardduty_med_sev_findings.py b/rules/aws_guardduty_rules/aws_guardduty_med_sev_findings.py
similarity index 100%
rename from aws_guardduty_rules/aws_guardduty_med_sev_findings.py
rename to rules/aws_guardduty_rules/aws_guardduty_med_sev_findings.py
diff --git a/aws_guardduty_rules/aws_guardduty_med_sev_findings.yml b/rules/aws_guardduty_rules/aws_guardduty_med_sev_findings.yml
similarity index 100%
rename from aws_guardduty_rules/aws_guardduty_med_sev_findings.yml
rename to rules/aws_guardduty_rules/aws_guardduty_med_sev_findings.yml
diff --git a/aws_s3_rules/aws_s3_access_error.py b/rules/aws_s3_rules/aws_s3_access_error.py
similarity index 100%
rename from aws_s3_rules/aws_s3_access_error.py
rename to rules/aws_s3_rules/aws_s3_access_error.py
diff --git a/aws_s3_rules/aws_s3_access_error.yml b/rules/aws_s3_rules/aws_s3_access_error.yml
similarity index 100%
rename from aws_s3_rules/aws_s3_access_error.yml
rename to rules/aws_s3_rules/aws_s3_access_error.yml
diff --git a/aws_s3_rules/aws_s3_access_ip_allowlist.py b/rules/aws_s3_rules/aws_s3_access_ip_allowlist.py
similarity index 100%
rename from aws_s3_rules/aws_s3_access_ip_allowlist.py
rename to rules/aws_s3_rules/aws_s3_access_ip_allowlist.py
diff --git a/aws_s3_rules/aws_s3_access_ip_allowlist.yml b/rules/aws_s3_rules/aws_s3_access_ip_allowlist.yml
similarity index 100%
rename from aws_s3_rules/aws_s3_access_ip_allowlist.yml
rename to rules/aws_s3_rules/aws_s3_access_ip_allowlist.yml
diff --git a/aws_s3_rules/aws_s3_insecure_access.py b/rules/aws_s3_rules/aws_s3_insecure_access.py
similarity index 100%
rename from aws_s3_rules/aws_s3_insecure_access.py
rename to rules/aws_s3_rules/aws_s3_insecure_access.py
diff --git a/aws_s3_rules/aws_s3_insecure_access.yml b/rules/aws_s3_rules/aws_s3_insecure_access.yml
similarity index 100%
rename from aws_s3_rules/aws_s3_insecure_access.yml
rename to rules/aws_s3_rules/aws_s3_insecure_access.yml
diff --git a/aws_s3_rules/aws_s3_unauthenticated_access.py b/rules/aws_s3_rules/aws_s3_unauthenticated_access.py
similarity index 100%
rename from aws_s3_rules/aws_s3_unauthenticated_access.py
rename to rules/aws_s3_rules/aws_s3_unauthenticated_access.py
diff --git a/aws_s3_rules/aws_s3_unauthenticated_access.yml b/rules/aws_s3_rules/aws_s3_unauthenticated_access.yml
similarity index 100%
rename from aws_s3_rules/aws_s3_unauthenticated_access.yml
rename to rules/aws_s3_rules/aws_s3_unauthenticated_access.yml
diff --git a/aws_s3_rules/aws_s3_unknown_requester_get_object.py b/rules/aws_s3_rules/aws_s3_unknown_requester_get_object.py
similarity index 100%
rename from aws_s3_rules/aws_s3_unknown_requester_get_object.py
rename to rules/aws_s3_rules/aws_s3_unknown_requester_get_object.py
diff --git a/aws_s3_rules/aws_s3_unknown_requester_get_object.yml b/rules/aws_s3_rules/aws_s3_unknown_requester_get_object.yml
similarity index 100%
rename from aws_s3_rules/aws_s3_unknown_requester_get_object.yml
rename to rules/aws_s3_rules/aws_s3_unknown_requester_get_object.yml
diff --git a/aws_vpc_flow_rules/aws_vpc_healthy_log_status.py b/rules/aws_vpc_flow_rules/aws_vpc_healthy_log_status.py
similarity index 100%
rename from aws_vpc_flow_rules/aws_vpc_healthy_log_status.py
rename to rules/aws_vpc_flow_rules/aws_vpc_healthy_log_status.py
diff --git a/aws_vpc_flow_rules/aws_vpc_healthy_log_status.yml b/rules/aws_vpc_flow_rules/aws_vpc_healthy_log_status.yml
similarity index 100%
rename from aws_vpc_flow_rules/aws_vpc_healthy_log_status.yml
rename to rules/aws_vpc_flow_rules/aws_vpc_healthy_log_status.yml
diff --git a/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.py b/rules/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.py
similarity index 100%
rename from aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.py
rename to rules/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.py
diff --git a/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.yml b/rules/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.yml
similarity index 100%
rename from aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.yml
rename to rules/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.yml
diff --git a/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.py b/rules/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.py
similarity index 100%
rename from aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.py
rename to rules/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.py
diff --git a/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.yml b/rules/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.yml
similarity index 100%
rename from aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.yml
rename to rules/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.yml
diff --git a/aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.py b/rules/aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.py
similarity index 100%
rename from aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.py
rename to rules/aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.py
diff --git a/aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.yml b/rules/aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.yml
similarity index 100%
rename from aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.yml
rename to rules/aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.yml
diff --git a/box_rules/box_access_granted.py b/rules/box_rules/box_access_granted.py
similarity index 100%
rename from box_rules/box_access_granted.py
rename to rules/box_rules/box_access_granted.py
diff --git a/box_rules/box_access_granted.yml b/rules/box_rules/box_access_granted.yml
similarity index 100%
rename from box_rules/box_access_granted.yml
rename to rules/box_rules/box_access_granted.yml
diff --git a/box_rules/box_anomalous_download.py b/rules/box_rules/box_anomalous_download.py
similarity index 100%
rename from box_rules/box_anomalous_download.py
rename to rules/box_rules/box_anomalous_download.py
diff --git a/box_rules/box_anomalous_download.yml b/rules/box_rules/box_anomalous_download.yml
similarity index 100%
rename from box_rules/box_anomalous_download.yml
rename to rules/box_rules/box_anomalous_download.yml
diff --git a/box_rules/box_brute_force_login.py b/rules/box_rules/box_brute_force_login.py
similarity index 100%
rename from box_rules/box_brute_force_login.py
rename to rules/box_rules/box_brute_force_login.py
diff --git a/box_rules/box_brute_force_login.yml b/rules/box_rules/box_brute_force_login.yml
similarity index 100%
rename from box_rules/box_brute_force_login.yml
rename to rules/box_rules/box_brute_force_login.yml
diff --git a/box_rules/box_event_triggered_externally.py b/rules/box_rules/box_event_triggered_externally.py
similarity index 100%
rename from box_rules/box_event_triggered_externally.py
rename to rules/box_rules/box_event_triggered_externally.py
diff --git a/box_rules/box_event_triggered_externally.yml b/rules/box_rules/box_event_triggered_externally.yml
similarity index 100%
rename from box_rules/box_event_triggered_externally.yml
rename to rules/box_rules/box_event_triggered_externally.yml
diff --git a/box_rules/box_item_shared_externally.py b/rules/box_rules/box_item_shared_externally.py
similarity index 100%
rename from box_rules/box_item_shared_externally.py
rename to rules/box_rules/box_item_shared_externally.py
diff --git a/box_rules/box_item_shared_externally.yml b/rules/box_rules/box_item_shared_externally.yml
similarity index 100%
rename from box_rules/box_item_shared_externally.yml
rename to rules/box_rules/box_item_shared_externally.yml
diff --git a/box_rules/box_malicious_content.py b/rules/box_rules/box_malicious_content.py
similarity index 100%
rename from box_rules/box_malicious_content.py
rename to rules/box_rules/box_malicious_content.py
diff --git a/box_rules/box_malicious_content.yml b/rules/box_rules/box_malicious_content.yml
similarity index 100%
rename from box_rules/box_malicious_content.yml
rename to rules/box_rules/box_malicious_content.yml
diff --git a/box_rules/box_new_login.py b/rules/box_rules/box_new_login.py
similarity index 100%
rename from box_rules/box_new_login.py
rename to rules/box_rules/box_new_login.py
diff --git a/box_rules/box_new_login.yml b/rules/box_rules/box_new_login.yml
similarity index 100%
rename from box_rules/box_new_login.yml
rename to rules/box_rules/box_new_login.yml
diff --git a/box_rules/box_policy_violation.py b/rules/box_rules/box_policy_violation.py
similarity index 100%
rename from box_rules/box_policy_violation.py
rename to rules/box_rules/box_policy_violation.py
diff --git a/box_rules/box_policy_violation.yml b/rules/box_rules/box_policy_violation.yml
similarity index 100%
rename from box_rules/box_policy_violation.yml
rename to rules/box_rules/box_policy_violation.yml
diff --git a/box_rules/box_suspicious_login_or_session.py b/rules/box_rules/box_suspicious_login_or_session.py
similarity index 100%
rename from box_rules/box_suspicious_login_or_session.py
rename to rules/box_rules/box_suspicious_login_or_session.py
diff --git a/box_rules/box_suspicious_login_or_session.yml b/rules/box_rules/box_suspicious_login_or_session.yml
similarity index 100%
rename from box_rules/box_suspicious_login_or_session.yml
rename to rules/box_rules/box_suspicious_login_or_session.yml
diff --git a/box_rules/box_untrusted_device.py b/rules/box_rules/box_untrusted_device.py
similarity index 100%
rename from box_rules/box_untrusted_device.py
rename to rules/box_rules/box_untrusted_device.py
diff --git a/box_rules/box_untrusted_device.yml b/rules/box_rules/box_untrusted_device.yml
similarity index 100%
rename from box_rules/box_untrusted_device.yml
rename to rules/box_rules/box_untrusted_device.yml
diff --git a/box_rules/box_user_downloads.py b/rules/box_rules/box_user_downloads.py
similarity index 100%
rename from box_rules/box_user_downloads.py
rename to rules/box_rules/box_user_downloads.py
diff --git a/box_rules/box_user_downloads.yml b/rules/box_rules/box_user_downloads.yml
similarity index 100%
rename from box_rules/box_user_downloads.yml
rename to rules/box_rules/box_user_downloads.yml
diff --git a/box_rules/box_user_permission_updates.py b/rules/box_rules/box_user_permission_updates.py
similarity index 100%
rename from box_rules/box_user_permission_updates.py
rename to rules/box_rules/box_user_permission_updates.py
diff --git a/box_rules/box_user_permission_updates.yml b/rules/box_rules/box_user_permission_updates.yml
similarity index 100%
rename from box_rules/box_user_permission_updates.yml
rename to rules/box_rules/box_user_permission_updates.yml
diff --git a/cisco_umbrella_dns_rules/domain_blocked.py b/rules/cisco_umbrella_dns_rules/domain_blocked.py
similarity index 100%
rename from cisco_umbrella_dns_rules/domain_blocked.py
rename to rules/cisco_umbrella_dns_rules/domain_blocked.py
diff --git a/cisco_umbrella_dns_rules/domain_blocked.yml b/rules/cisco_umbrella_dns_rules/domain_blocked.yml
similarity index 100%
rename from cisco_umbrella_dns_rules/domain_blocked.yml
rename to rules/cisco_umbrella_dns_rules/domain_blocked.yml
diff --git a/cisco_umbrella_dns_rules/fuzzy_matching_domains.py b/rules/cisco_umbrella_dns_rules/fuzzy_matching_domains.py
similarity index 100%
rename from cisco_umbrella_dns_rules/fuzzy_matching_domains.py
rename to rules/cisco_umbrella_dns_rules/fuzzy_matching_domains.py
diff --git a/cisco_umbrella_dns_rules/fuzzy_matching_domains.yml b/rules/cisco_umbrella_dns_rules/fuzzy_matching_domains.yml
similarity index 100%
rename from cisco_umbrella_dns_rules/fuzzy_matching_domains.yml
rename to rules/cisco_umbrella_dns_rules/fuzzy_matching_domains.yml
diff --git a/cisco_umbrella_dns_rules/suspicious_domains.py b/rules/cisco_umbrella_dns_rules/suspicious_domains.py
similarity index 100%
rename from cisco_umbrella_dns_rules/suspicious_domains.py
rename to rules/cisco_umbrella_dns_rules/suspicious_domains.py
diff --git a/cisco_umbrella_dns_rules/suspicious_domains.yml b/rules/cisco_umbrella_dns_rules/suspicious_domains.yml
similarity index 100%
rename from cisco_umbrella_dns_rules/suspicious_domains.yml
rename to rules/cisco_umbrella_dns_rules/suspicious_domains.yml
diff --git a/cloudflare_rules/cloudflare_firewall_ddos.py b/rules/cloudflare_rules/cloudflare_firewall_ddos.py
similarity index 100%
rename from cloudflare_rules/cloudflare_firewall_ddos.py
rename to rules/cloudflare_rules/cloudflare_firewall_ddos.py
diff --git a/cloudflare_rules/cloudflare_firewall_ddos.yml b/rules/cloudflare_rules/cloudflare_firewall_ddos.yml
similarity index 100%
rename from cloudflare_rules/cloudflare_firewall_ddos.yml
rename to rules/cloudflare_rules/cloudflare_firewall_ddos.yml
diff --git a/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked.py b/rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked.py
similarity index 100%
rename from cloudflare_rules/cloudflare_firewall_high_volume_events_blocked.py
rename to rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked.py
diff --git a/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked.yml b/rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked.yml
similarity index 100%
rename from cloudflare_rules/cloudflare_firewall_high_volume_events_blocked.yml
rename to rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked.yml
diff --git a/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked_greynoise.py b/rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked_greynoise.py
similarity index 100%
rename from cloudflare_rules/cloudflare_firewall_high_volume_events_blocked_greynoise.py
rename to rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked_greynoise.py
diff --git a/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked_greynoise.yml b/rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked_greynoise.yml
similarity index 100%
rename from cloudflare_rules/cloudflare_firewall_high_volume_events_blocked_greynoise.yml
rename to rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked_greynoise.yml
diff --git a/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.py b/rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.py
similarity index 100%
rename from cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.py
rename to rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.py
diff --git a/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml b/rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml
similarity index 100%
rename from cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml
rename to rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml
diff --git a/cloudflare_rules/cloudflare_httpreq_bot_high_volume.py b/rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume.py
similarity index 100%
rename from cloudflare_rules/cloudflare_httpreq_bot_high_volume.py
rename to rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume.py
diff --git a/cloudflare_rules/cloudflare_httpreq_bot_high_volume.yml b/rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume.yml
similarity index 100%
rename from cloudflare_rules/cloudflare_httpreq_bot_high_volume.yml
rename to rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume.yml
diff --git a/cloudflare_rules/cloudflare_httpreq_bot_high_volume_greynoise.py b/rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume_greynoise.py
similarity index 100%
rename from cloudflare_rules/cloudflare_httpreq_bot_high_volume_greynoise.py
rename to rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume_greynoise.py
diff --git a/cloudflare_rules/cloudflare_httpreq_bot_high_volume_greynoise.yml b/rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume_greynoise.yml
similarity index 100%
rename from cloudflare_rules/cloudflare_httpreq_bot_high_volume_greynoise.yml
rename to rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume_greynoise.yml
diff --git a/crowdstrike_rules/crowdstrike_detection_passthrough.py b/rules/crowdstrike_rules/crowdstrike_detection_passthrough.py
similarity index 100%
rename from crowdstrike_rules/crowdstrike_detection_passthrough.py
rename to rules/crowdstrike_rules/crowdstrike_detection_passthrough.py
diff --git a/crowdstrike_rules/crowdstrike_detection_passthrough.yml b/rules/crowdstrike_rules/crowdstrike_detection_passthrough.yml
similarity index 100%
rename from crowdstrike_rules/crowdstrike_detection_passthrough.yml
rename to rules/crowdstrike_rules/crowdstrike_detection_passthrough.yml
diff --git a/crowdstrike_rules/crowdstrike_dns_request.py b/rules/crowdstrike_rules/crowdstrike_dns_request.py
similarity index 100%
rename from crowdstrike_rules/crowdstrike_dns_request.py
rename to rules/crowdstrike_rules/crowdstrike_dns_request.py
diff --git a/crowdstrike_rules/crowdstrike_dns_request.yml b/rules/crowdstrike_rules/crowdstrike_dns_request.yml
similarity index 100%
rename from crowdstrike_rules/crowdstrike_dns_request.yml
rename to rules/crowdstrike_rules/crowdstrike_dns_request.yml
diff --git a/gcp_audit_rules/gcp_gcs_iam_changes.py b/rules/gcp_audit_rules/gcp_gcs_iam_changes.py
similarity index 100%
rename from gcp_audit_rules/gcp_gcs_iam_changes.py
rename to rules/gcp_audit_rules/gcp_gcs_iam_changes.py
diff --git a/gcp_audit_rules/gcp_gcs_iam_changes.yml b/rules/gcp_audit_rules/gcp_gcs_iam_changes.yml
similarity index 100%
rename from gcp_audit_rules/gcp_gcs_iam_changes.yml
rename to rules/gcp_audit_rules/gcp_gcs_iam_changes.yml
diff --git a/gcp_audit_rules/gcp_gcs_public.py b/rules/gcp_audit_rules/gcp_gcs_public.py
similarity index 100%
rename from gcp_audit_rules/gcp_gcs_public.py
rename to rules/gcp_audit_rules/gcp_gcs_public.py
diff --git a/gcp_audit_rules/gcp_gcs_public.yml b/rules/gcp_audit_rules/gcp_gcs_public.yml
similarity index 100%
rename from gcp_audit_rules/gcp_gcs_public.yml
rename to rules/gcp_audit_rules/gcp_gcs_public.yml
diff --git a/gcp_audit_rules/gcp_iam_admin_role_assigned.py b/rules/gcp_audit_rules/gcp_iam_admin_role_assigned.py
similarity index 100%
rename from gcp_audit_rules/gcp_iam_admin_role_assigned.py
rename to rules/gcp_audit_rules/gcp_iam_admin_role_assigned.py
diff --git a/gcp_audit_rules/gcp_iam_admin_role_assigned.yml b/rules/gcp_audit_rules/gcp_iam_admin_role_assigned.yml
similarity index 100%
rename from gcp_audit_rules/gcp_iam_admin_role_assigned.yml
rename to rules/gcp_audit_rules/gcp_iam_admin_role_assigned.yml
diff --git a/gcp_audit_rules/gcp_iam_corp_email.py b/rules/gcp_audit_rules/gcp_iam_corp_email.py
similarity index 100%
rename from gcp_audit_rules/gcp_iam_corp_email.py
rename to rules/gcp_audit_rules/gcp_iam_corp_email.py
diff --git a/gcp_audit_rules/gcp_iam_corp_email.yml b/rules/gcp_audit_rules/gcp_iam_corp_email.yml
similarity index 100%
rename from gcp_audit_rules/gcp_iam_corp_email.yml
rename to rules/gcp_audit_rules/gcp_iam_corp_email.yml
diff --git a/gcp_audit_rules/gcp_iam_custom_role_changes.py b/rules/gcp_audit_rules/gcp_iam_custom_role_changes.py
similarity index 100%
rename from gcp_audit_rules/gcp_iam_custom_role_changes.py
rename to rules/gcp_audit_rules/gcp_iam_custom_role_changes.py
diff --git a/gcp_audit_rules/gcp_iam_custom_role_changes.yml b/rules/gcp_audit_rules/gcp_iam_custom_role_changes.yml
similarity index 100%
rename from gcp_audit_rules/gcp_iam_custom_role_changes.yml
rename to rules/gcp_audit_rules/gcp_iam_custom_role_changes.yml
diff --git a/gcp_audit_rules/gcp_iam_org_folder_changes.py b/rules/gcp_audit_rules/gcp_iam_org_folder_changes.py
similarity index 100%
rename from gcp_audit_rules/gcp_iam_org_folder_changes.py
rename to rules/gcp_audit_rules/gcp_iam_org_folder_changes.py
diff --git a/gcp_audit_rules/gcp_iam_org_folder_changes.yml b/rules/gcp_audit_rules/gcp_iam_org_folder_changes.yml
similarity index 100%
rename from gcp_audit_rules/gcp_iam_org_folder_changes.yml
rename to rules/gcp_audit_rules/gcp_iam_org_folder_changes.yml
diff --git a/gcp_audit_rules/gcp_sql_config_changes.py b/rules/gcp_audit_rules/gcp_sql_config_changes.py
similarity index 100%
rename from gcp_audit_rules/gcp_sql_config_changes.py
rename to rules/gcp_audit_rules/gcp_sql_config_changes.py
diff --git a/gcp_audit_rules/gcp_sql_config_changes.yml b/rules/gcp_audit_rules/gcp_sql_config_changes.yml
similarity index 100%
rename from gcp_audit_rules/gcp_sql_config_changes.yml
rename to rules/gcp_audit_rules/gcp_sql_config_changes.yml
diff --git a/gcp_audit_rules/gcp_unused_regions.py b/rules/gcp_audit_rules/gcp_unused_regions.py
similarity index 100%
rename from gcp_audit_rules/gcp_unused_regions.py
rename to rules/gcp_audit_rules/gcp_unused_regions.py
diff --git a/gcp_audit_rules/gcp_unused_regions.yml b/rules/gcp_audit_rules/gcp_unused_regions.yml
similarity index 100%
rename from gcp_audit_rules/gcp_unused_regions.yml
rename to rules/gcp_audit_rules/gcp_unused_regions.yml
diff --git a/github_rules/github_branch_policy_override.py b/rules/github_rules/github_branch_policy_override.py
similarity index 100%
rename from github_rules/github_branch_policy_override.py
rename to rules/github_rules/github_branch_policy_override.py
diff --git a/github_rules/github_branch_policy_override.yml b/rules/github_rules/github_branch_policy_override.yml
similarity index 100%
rename from github_rules/github_branch_policy_override.yml
rename to rules/github_rules/github_branch_policy_override.yml
diff --git a/github_rules/github_branch_protection_disabled.py b/rules/github_rules/github_branch_protection_disabled.py
similarity index 100%
rename from github_rules/github_branch_protection_disabled.py
rename to rules/github_rules/github_branch_protection_disabled.py
diff --git a/github_rules/github_branch_protection_disabled.yml b/rules/github_rules/github_branch_protection_disabled.yml
similarity index 100%
rename from github_rules/github_branch_protection_disabled.yml
rename to rules/github_rules/github_branch_protection_disabled.yml
diff --git a/github_rules/github_org_auth_modified.py b/rules/github_rules/github_org_auth_modified.py
similarity index 100%
rename from github_rules/github_org_auth_modified.py
rename to rules/github_rules/github_org_auth_modified.py
diff --git a/github_rules/github_org_auth_modified.yml b/rules/github_rules/github_org_auth_modified.yml
similarity index 100%
rename from github_rules/github_org_auth_modified.yml
rename to rules/github_rules/github_org_auth_modified.yml
diff --git a/github_rules/github_org_ip_allowlist.py b/rules/github_rules/github_org_ip_allowlist.py
similarity index 100%
rename from github_rules/github_org_ip_allowlist.py
rename to rules/github_rules/github_org_ip_allowlist.py
diff --git a/github_rules/github_org_ip_allowlist.yml b/rules/github_rules/github_org_ip_allowlist.yml
similarity index 100%
rename from github_rules/github_org_ip_allowlist.yml
rename to rules/github_rules/github_org_ip_allowlist.yml
diff --git a/github_rules/github_org_modified.py b/rules/github_rules/github_org_modified.py
similarity index 100%
rename from github_rules/github_org_modified.py
rename to rules/github_rules/github_org_modified.py
diff --git a/github_rules/github_org_modified.yml b/rules/github_rules/github_org_modified.yml
similarity index 100%
rename from github_rules/github_org_modified.yml
rename to rules/github_rules/github_org_modified.yml
diff --git a/github_rules/github_repo_collaborator_change.py b/rules/github_rules/github_repo_collaborator_change.py
similarity index 100%
rename from github_rules/github_repo_collaborator_change.py
rename to rules/github_rules/github_repo_collaborator_change.py
diff --git a/github_rules/github_repo_collaborator_change.yml b/rules/github_rules/github_repo_collaborator_change.yml
similarity index 100%
rename from github_rules/github_repo_collaborator_change.yml
rename to rules/github_rules/github_repo_collaborator_change.yml
diff --git a/github_rules/github_repo_created.py b/rules/github_rules/github_repo_created.py
similarity index 100%
rename from github_rules/github_repo_created.py
rename to rules/github_rules/github_repo_created.py
diff --git a/github_rules/github_repo_created.yml b/rules/github_rules/github_repo_created.yml
similarity index 100%
rename from github_rules/github_repo_created.yml
rename to rules/github_rules/github_repo_created.yml
diff --git a/github_rules/github_repo_hook_modified.py b/rules/github_rules/github_repo_hook_modified.py
similarity index 100%
rename from github_rules/github_repo_hook_modified.py
rename to rules/github_rules/github_repo_hook_modified.py
diff --git a/github_rules/github_repo_hook_modified.yml b/rules/github_rules/github_repo_hook_modified.yml
similarity index 100%
rename from github_rules/github_repo_hook_modified.yml
rename to rules/github_rules/github_repo_hook_modified.yml
diff --git a/github_rules/github_repo_initial_access.py b/rules/github_rules/github_repo_initial_access.py
similarity index 100%
rename from github_rules/github_repo_initial_access.py
rename to rules/github_rules/github_repo_initial_access.py
diff --git a/github_rules/github_repo_initial_access.yml b/rules/github_rules/github_repo_initial_access.yml
similarity index 100%
rename from github_rules/github_repo_initial_access.yml
rename to rules/github_rules/github_repo_initial_access.yml
diff --git a/github_rules/github_repo_visibility_change.py b/rules/github_rules/github_repo_visibility_change.py
similarity index 100%
rename from github_rules/github_repo_visibility_change.py
rename to rules/github_rules/github_repo_visibility_change.py
diff --git a/github_rules/github_repo_visibility_change.yml b/rules/github_rules/github_repo_visibility_change.yml
similarity index 100%
rename from github_rules/github_repo_visibility_change.yml
rename to rules/github_rules/github_repo_visibility_change.yml
diff --git a/github_rules/github_team_modified.py b/rules/github_rules/github_team_modified.py
similarity index 100%
rename from github_rules/github_team_modified.py
rename to rules/github_rules/github_team_modified.py
diff --git a/github_rules/github_team_modified.yml b/rules/github_rules/github_team_modified.yml
similarity index 100%
rename from github_rules/github_team_modified.yml
rename to rules/github_rules/github_team_modified.yml
diff --git a/github_rules/github_user_access_key_created.py b/rules/github_rules/github_user_access_key_created.py
similarity index 100%
rename from github_rules/github_user_access_key_created.py
rename to rules/github_rules/github_user_access_key_created.py
diff --git a/github_rules/github_user_access_key_created.yml b/rules/github_rules/github_user_access_key_created.yml
similarity index 100%
rename from github_rules/github_user_access_key_created.yml
rename to rules/github_rules/github_user_access_key_created.yml
diff --git a/github_rules/github_user_role_updated.py b/rules/github_rules/github_user_role_updated.py
similarity index 100%
rename from github_rules/github_user_role_updated.py
rename to rules/github_rules/github_user_role_updated.py
diff --git a/github_rules/github_user_role_updated.yml b/rules/github_rules/github_user_role_updated.yml
similarity index 100%
rename from github_rules/github_user_role_updated.yml
rename to rules/github_rules/github_user_role_updated.yml
diff --git a/gravitational_teleport_rules/teleport_auth_errors.py b/rules/gravitational_teleport_rules/teleport_auth_errors.py
similarity index 100%
rename from gravitational_teleport_rules/teleport_auth_errors.py
rename to rules/gravitational_teleport_rules/teleport_auth_errors.py
diff --git a/gravitational_teleport_rules/teleport_auth_errors.yml b/rules/gravitational_teleport_rules/teleport_auth_errors.yml
similarity index 100%
rename from gravitational_teleport_rules/teleport_auth_errors.yml
rename to rules/gravitational_teleport_rules/teleport_auth_errors.yml
diff --git a/gravitational_teleport_rules/teleport_create_user_accounts.py b/rules/gravitational_teleport_rules/teleport_create_user_accounts.py
similarity index 100%
rename from gravitational_teleport_rules/teleport_create_user_accounts.py
rename to rules/gravitational_teleport_rules/teleport_create_user_accounts.py
diff --git a/gravitational_teleport_rules/teleport_create_user_accounts.yml b/rules/gravitational_teleport_rules/teleport_create_user_accounts.yml
similarity index 100%
rename from gravitational_teleport_rules/teleport_create_user_accounts.yml
rename to rules/gravitational_teleport_rules/teleport_create_user_accounts.yml
diff --git a/gravitational_teleport_rules/teleport_network_scanning.py b/rules/gravitational_teleport_rules/teleport_network_scanning.py
similarity index 100%
rename from gravitational_teleport_rules/teleport_network_scanning.py
rename to rules/gravitational_teleport_rules/teleport_network_scanning.py
diff --git a/gravitational_teleport_rules/teleport_network_scanning.yml b/rules/gravitational_teleport_rules/teleport_network_scanning.yml
similarity index 100%
rename from gravitational_teleport_rules/teleport_network_scanning.yml
rename to rules/gravitational_teleport_rules/teleport_network_scanning.yml
diff --git a/gravitational_teleport_rules/teleport_scheduled_jobs.py b/rules/gravitational_teleport_rules/teleport_scheduled_jobs.py
similarity index 100%
rename from gravitational_teleport_rules/teleport_scheduled_jobs.py
rename to rules/gravitational_teleport_rules/teleport_scheduled_jobs.py
diff --git a/gravitational_teleport_rules/teleport_scheduled_jobs.yml b/rules/gravitational_teleport_rules/teleport_scheduled_jobs.yml
similarity index 100%
rename from gravitational_teleport_rules/teleport_scheduled_jobs.yml
rename to rules/gravitational_teleport_rules/teleport_scheduled_jobs.yml
diff --git a/gravitational_teleport_rules/teleport_suspicious_commands.py b/rules/gravitational_teleport_rules/teleport_suspicious_commands.py
similarity index 100%
rename from gravitational_teleport_rules/teleport_suspicious_commands.py
rename to rules/gravitational_teleport_rules/teleport_suspicious_commands.py
diff --git a/gravitational_teleport_rules/teleport_suspicious_commands.yml b/rules/gravitational_teleport_rules/teleport_suspicious_commands.yml
similarity index 100%
rename from gravitational_teleport_rules/teleport_suspicious_commands.yml
rename to rules/gravitational_teleport_rules/teleport_suspicious_commands.yml
diff --git a/gsuite_activityevent_rules/gsuite_advanced_protection.py b/rules/gsuite_activityevent_rules/gsuite_advanced_protection.py
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_advanced_protection.py
rename to rules/gsuite_activityevent_rules/gsuite_advanced_protection.py
diff --git a/gsuite_activityevent_rules/gsuite_advanced_protection.yml b/rules/gsuite_activityevent_rules/gsuite_advanced_protection.yml
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_advanced_protection.yml
rename to rules/gsuite_activityevent_rules/gsuite_advanced_protection.yml
diff --git a/gsuite_activityevent_rules/gsuite_brute_force_login.py b/rules/gsuite_activityevent_rules/gsuite_brute_force_login.py
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_brute_force_login.py
rename to rules/gsuite_activityevent_rules/gsuite_brute_force_login.py
diff --git a/gsuite_activityevent_rules/gsuite_brute_force_login.yml b/rules/gsuite_activityevent_rules/gsuite_brute_force_login.yml
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_brute_force_login.yml
rename to rules/gsuite_activityevent_rules/gsuite_brute_force_login.yml
diff --git a/gsuite_activityevent_rules/gsuite_doc_ownership_transfer.py b/rules/gsuite_activityevent_rules/gsuite_doc_ownership_transfer.py
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_doc_ownership_transfer.py
rename to rules/gsuite_activityevent_rules/gsuite_doc_ownership_transfer.py
diff --git a/gsuite_activityevent_rules/gsuite_doc_ownership_transfer.yml b/rules/gsuite_activityevent_rules/gsuite_doc_ownership_transfer.yml
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_doc_ownership_transfer.yml
rename to rules/gsuite_activityevent_rules/gsuite_doc_ownership_transfer.yml
diff --git a/gsuite_activityevent_rules/gsuite_external_forwarding.py b/rules/gsuite_activityevent_rules/gsuite_external_forwarding.py
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_external_forwarding.py
rename to rules/gsuite_activityevent_rules/gsuite_external_forwarding.py
diff --git a/gsuite_activityevent_rules/gsuite_external_forwarding.yml b/rules/gsuite_activityevent_rules/gsuite_external_forwarding.yml
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_external_forwarding.yml
rename to rules/gsuite_activityevent_rules/gsuite_external_forwarding.yml
diff --git a/gsuite_activityevent_rules/gsuite_google_access.py b/rules/gsuite_activityevent_rules/gsuite_google_access.py
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_google_access.py
rename to rules/gsuite_activityevent_rules/gsuite_google_access.py
diff --git a/gsuite_activityevent_rules/gsuite_google_access.yml b/rules/gsuite_activityevent_rules/gsuite_google_access.yml
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_google_access.yml
rename to rules/gsuite_activityevent_rules/gsuite_google_access.yml
diff --git a/gsuite_activityevent_rules/gsuite_gov_attack.py b/rules/gsuite_activityevent_rules/gsuite_gov_attack.py
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_gov_attack.py
rename to rules/gsuite_activityevent_rules/gsuite_gov_attack.py
diff --git a/gsuite_activityevent_rules/gsuite_gov_attack.yml b/rules/gsuite_activityevent_rules/gsuite_gov_attack.yml
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_gov_attack.yml
rename to rules/gsuite_activityevent_rules/gsuite_gov_attack.yml
diff --git a/gsuite_activityevent_rules/gsuite_group_banned_user.py b/rules/gsuite_activityevent_rules/gsuite_group_banned_user.py
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_group_banned_user.py
rename to rules/gsuite_activityevent_rules/gsuite_group_banned_user.py
diff --git a/gsuite_activityevent_rules/gsuite_group_banned_user.yml b/rules/gsuite_activityevent_rules/gsuite_group_banned_user.yml
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_group_banned_user.yml
rename to rules/gsuite_activityevent_rules/gsuite_group_banned_user.yml
diff --git a/gsuite_activityevent_rules/gsuite_leaked_password.py b/rules/gsuite_activityevent_rules/gsuite_leaked_password.py
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_leaked_password.py
rename to rules/gsuite_activityevent_rules/gsuite_leaked_password.py
diff --git a/gsuite_activityevent_rules/gsuite_leaked_password.yml b/rules/gsuite_activityevent_rules/gsuite_leaked_password.yml
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_leaked_password.yml
rename to rules/gsuite_activityevent_rules/gsuite_leaked_password.yml
diff --git a/gsuite_activityevent_rules/gsuite_login_type.py b/rules/gsuite_activityevent_rules/gsuite_login_type.py
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_login_type.py
rename to rules/gsuite_activityevent_rules/gsuite_login_type.py
diff --git a/gsuite_activityevent_rules/gsuite_login_type.yml b/rules/gsuite_activityevent_rules/gsuite_login_type.yml
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_login_type.yml
rename to rules/gsuite_activityevent_rules/gsuite_login_type.yml
diff --git a/gsuite_activityevent_rules/gsuite_mobile_device_compromise.py b/rules/gsuite_activityevent_rules/gsuite_mobile_device_compromise.py
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_mobile_device_compromise.py
rename to rules/gsuite_activityevent_rules/gsuite_mobile_device_compromise.py
diff --git a/gsuite_activityevent_rules/gsuite_mobile_device_compromise.yml b/rules/gsuite_activityevent_rules/gsuite_mobile_device_compromise.yml
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_mobile_device_compromise.yml
rename to rules/gsuite_activityevent_rules/gsuite_mobile_device_compromise.yml
diff --git a/gsuite_activityevent_rules/gsuite_mobile_device_screen_unlock_fail.py b/rules/gsuite_activityevent_rules/gsuite_mobile_device_screen_unlock_fail.py
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_mobile_device_screen_unlock_fail.py
rename to rules/gsuite_activityevent_rules/gsuite_mobile_device_screen_unlock_fail.py
diff --git a/gsuite_activityevent_rules/gsuite_mobile_device_screen_unlock_fail.yml b/rules/gsuite_activityevent_rules/gsuite_mobile_device_screen_unlock_fail.yml
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_mobile_device_screen_unlock_fail.yml
rename to rules/gsuite_activityevent_rules/gsuite_mobile_device_screen_unlock_fail.yml
diff --git a/gsuite_activityevent_rules/gsuite_mobile_device_suspicious_activity.py b/rules/gsuite_activityevent_rules/gsuite_mobile_device_suspicious_activity.py
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_mobile_device_suspicious_activity.py
rename to rules/gsuite_activityevent_rules/gsuite_mobile_device_suspicious_activity.py
diff --git a/gsuite_activityevent_rules/gsuite_mobile_device_suspicious_activity.yml b/rules/gsuite_activityevent_rules/gsuite_mobile_device_suspicious_activity.yml
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_mobile_device_suspicious_activity.yml
rename to rules/gsuite_activityevent_rules/gsuite_mobile_device_suspicious_activity.yml
diff --git a/gsuite_activityevent_rules/gsuite_permissions_delegated.py b/rules/gsuite_activityevent_rules/gsuite_permissions_delegated.py
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_permissions_delegated.py
rename to rules/gsuite_activityevent_rules/gsuite_permissions_delegated.py
diff --git a/gsuite_activityevent_rules/gsuite_permissions_delegated.yml b/rules/gsuite_activityevent_rules/gsuite_permissions_delegated.yml
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_permissions_delegated.yml
rename to rules/gsuite_activityevent_rules/gsuite_permissions_delegated.yml
diff --git a/gsuite_activityevent_rules/gsuite_rule.py b/rules/gsuite_activityevent_rules/gsuite_rule.py
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_rule.py
rename to rules/gsuite_activityevent_rules/gsuite_rule.py
diff --git a/gsuite_activityevent_rules/gsuite_rule.yml b/rules/gsuite_activityevent_rules/gsuite_rule.yml
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_rule.yml
rename to rules/gsuite_activityevent_rules/gsuite_rule.yml
diff --git a/gsuite_activityevent_rules/gsuite_suspicious_logins.py b/rules/gsuite_activityevent_rules/gsuite_suspicious_logins.py
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_suspicious_logins.py
rename to rules/gsuite_activityevent_rules/gsuite_suspicious_logins.py
diff --git a/gsuite_activityevent_rules/gsuite_suspicious_logins.yml b/rules/gsuite_activityevent_rules/gsuite_suspicious_logins.yml
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_suspicious_logins.yml
rename to rules/gsuite_activityevent_rules/gsuite_suspicious_logins.yml
diff --git a/gsuite_activityevent_rules/gsuite_two_step_verification.py b/rules/gsuite_activityevent_rules/gsuite_two_step_verification.py
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_two_step_verification.py
rename to rules/gsuite_activityevent_rules/gsuite_two_step_verification.py
diff --git a/gsuite_activityevent_rules/gsuite_two_step_verification.yml b/rules/gsuite_activityevent_rules/gsuite_two_step_verification.yml
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_two_step_verification.yml
rename to rules/gsuite_activityevent_rules/gsuite_two_step_verification.yml
diff --git a/gsuite_activityevent_rules/gsuite_user_suspended.py b/rules/gsuite_activityevent_rules/gsuite_user_suspended.py
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_user_suspended.py
rename to rules/gsuite_activityevent_rules/gsuite_user_suspended.py
diff --git a/gsuite_activityevent_rules/gsuite_user_suspended.yml b/rules/gsuite_activityevent_rules/gsuite_user_suspended.yml
similarity index 100%
rename from gsuite_activityevent_rules/gsuite_user_suspended.yml
rename to rules/gsuite_activityevent_rules/gsuite_user_suspended.yml
diff --git a/gsuite_reports_rules/gsuite_drive_external_share.py b/rules/gsuite_reports_rules/gsuite_drive_external_share.py
similarity index 100%
rename from gsuite_reports_rules/gsuite_drive_external_share.py
rename to rules/gsuite_reports_rules/gsuite_drive_external_share.py
diff --git a/gsuite_reports_rules/gsuite_drive_external_share.yml b/rules/gsuite_reports_rules/gsuite_drive_external_share.yml
similarity index 100%
rename from gsuite_reports_rules/gsuite_drive_external_share.yml
rename to rules/gsuite_reports_rules/gsuite_drive_external_share.yml
diff --git a/gsuite_reports_rules/gsuite_drive_overly_visible.py b/rules/gsuite_reports_rules/gsuite_drive_overly_visible.py
similarity index 100%
rename from gsuite_reports_rules/gsuite_drive_overly_visible.py
rename to rules/gsuite_reports_rules/gsuite_drive_overly_visible.py
diff --git a/gsuite_reports_rules/gsuite_drive_overly_visible.yml b/rules/gsuite_reports_rules/gsuite_drive_overly_visible.yml
similarity index 100%
rename from gsuite_reports_rules/gsuite_drive_overly_visible.yml
rename to rules/gsuite_reports_rules/gsuite_drive_overly_visible.yml
diff --git a/gsuite_reports_rules/gsuite_drive_visibility_change.py b/rules/gsuite_reports_rules/gsuite_drive_visibility_change.py
similarity index 100%
rename from gsuite_reports_rules/gsuite_drive_visibility_change.py
rename to rules/gsuite_reports_rules/gsuite_drive_visibility_change.py
diff --git a/gsuite_reports_rules/gsuite_drive_visibility_change.yml b/rules/gsuite_reports_rules/gsuite_drive_visibility_change.yml
similarity index 100%
rename from gsuite_reports_rules/gsuite_drive_visibility_change.yml
rename to rules/gsuite_reports_rules/gsuite_drive_visibility_change.yml
diff --git a/gsuite_reports_rules/gsuite_drive_visibility_change_deprecated.py b/rules/gsuite_reports_rules/gsuite_drive_visibility_change_deprecated.py
similarity index 100%
rename from gsuite_reports_rules/gsuite_drive_visibility_change_deprecated.py
rename to rules/gsuite_reports_rules/gsuite_drive_visibility_change_deprecated.py
diff --git a/gsuite_reports_rules/gsuite_drive_visibility_change_deprecated.yml b/rules/gsuite_reports_rules/gsuite_drive_visibility_change_deprecated.yml
similarity index 100%
rename from gsuite_reports_rules/gsuite_drive_visibility_change_deprecated.yml
rename to rules/gsuite_reports_rules/gsuite_drive_visibility_change_deprecated.yml
diff --git a/indicator_creation_rules/new_aws_account_logging.py b/rules/indicator_creation_rules/new_aws_account_logging.py
similarity index 100%
rename from indicator_creation_rules/new_aws_account_logging.py
rename to rules/indicator_creation_rules/new_aws_account_logging.py
diff --git a/indicator_creation_rules/new_aws_account_logging.yml b/rules/indicator_creation_rules/new_aws_account_logging.yml
similarity index 100%
rename from indicator_creation_rules/new_aws_account_logging.yml
rename to rules/indicator_creation_rules/new_aws_account_logging.yml
diff --git a/indicator_creation_rules/new_user_account_logging.py b/rules/indicator_creation_rules/new_user_account_logging.py
similarity index 100%
rename from indicator_creation_rules/new_user_account_logging.py
rename to rules/indicator_creation_rules/new_user_account_logging.py
diff --git a/indicator_creation_rules/new_user_account_logging.yml b/rules/indicator_creation_rules/new_user_account_logging.yml
similarity index 100%
rename from indicator_creation_rules/new_user_account_logging.yml
rename to rules/indicator_creation_rules/new_user_account_logging.yml
diff --git a/okta_rules/okta_account_support_access.py b/rules/okta_rules/okta_account_support_access.py
similarity index 100%
rename from okta_rules/okta_account_support_access.py
rename to rules/okta_rules/okta_account_support_access.py
diff --git a/okta_rules/okta_account_support_access.yml b/rules/okta_rules/okta_account_support_access.yml
similarity index 100%
rename from okta_rules/okta_account_support_access.yml
rename to rules/okta_rules/okta_account_support_access.yml
diff --git a/okta_rules/okta_admin_disabled_mfa.py b/rules/okta_rules/okta_admin_disabled_mfa.py
similarity index 100%
rename from okta_rules/okta_admin_disabled_mfa.py
rename to rules/okta_rules/okta_admin_disabled_mfa.py
diff --git a/okta_rules/okta_admin_disabled_mfa.yml b/rules/okta_rules/okta_admin_disabled_mfa.yml
similarity index 100%
rename from okta_rules/okta_admin_disabled_mfa.yml
rename to rules/okta_rules/okta_admin_disabled_mfa.yml
diff --git a/okta_rules/okta_admin_role_assigned.py b/rules/okta_rules/okta_admin_role_assigned.py
similarity index 100%
rename from okta_rules/okta_admin_role_assigned.py
rename to rules/okta_rules/okta_admin_role_assigned.py
diff --git a/okta_rules/okta_admin_role_assigned.yml b/rules/okta_rules/okta_admin_role_assigned.yml
similarity index 100%
rename from okta_rules/okta_admin_role_assigned.yml
rename to rules/okta_rules/okta_admin_role_assigned.yml
diff --git a/okta_rules/okta_api_key_created.py b/rules/okta_rules/okta_api_key_created.py
similarity index 100%
rename from okta_rules/okta_api_key_created.py
rename to rules/okta_rules/okta_api_key_created.py
diff --git a/okta_rules/okta_api_key_created.yml b/rules/okta_rules/okta_api_key_created.yml
similarity index 100%
rename from okta_rules/okta_api_key_created.yml
rename to rules/okta_rules/okta_api_key_created.yml
diff --git a/okta_rules/okta_api_key_revoked.py b/rules/okta_rules/okta_api_key_revoked.py
similarity index 100%
rename from okta_rules/okta_api_key_revoked.py
rename to rules/okta_rules/okta_api_key_revoked.py
diff --git a/okta_rules/okta_api_key_revoked.yml b/rules/okta_rules/okta_api_key_revoked.yml
similarity index 100%
rename from okta_rules/okta_api_key_revoked.yml
rename to rules/okta_rules/okta_api_key_revoked.yml
diff --git a/okta_rules/okta_brute_force_logins.py b/rules/okta_rules/okta_brute_force_logins.py
similarity index 100%
rename from okta_rules/okta_brute_force_logins.py
rename to rules/okta_rules/okta_brute_force_logins.py
diff --git a/okta_rules/okta_brute_force_logins.yml b/rules/okta_rules/okta_brute_force_logins.yml
similarity index 100%
rename from okta_rules/okta_brute_force_logins.yml
rename to rules/okta_rules/okta_brute_force_logins.yml
diff --git a/okta_rules/okta_geo_improbable_access.py b/rules/okta_rules/okta_geo_improbable_access.py
similarity index 100%
rename from okta_rules/okta_geo_improbable_access.py
rename to rules/okta_rules/okta_geo_improbable_access.py
diff --git a/okta_rules/okta_geo_improbable_access.yml b/rules/okta_rules/okta_geo_improbable_access.yml
similarity index 100%
rename from okta_rules/okta_geo_improbable_access.yml
rename to rules/okta_rules/okta_geo_improbable_access.yml
diff --git a/okta_rules/okta_support_reset.py b/rules/okta_rules/okta_support_reset.py
similarity index 100%
rename from okta_rules/okta_support_reset.py
rename to rules/okta_rules/okta_support_reset.py
diff --git a/okta_rules/okta_support_reset.yml b/rules/okta_rules/okta_support_reset.yml
similarity index 100%
rename from okta_rules/okta_support_reset.yml
rename to rules/okta_rules/okta_support_reset.yml
diff --git a/onelogin_rules/onelogin_active_login_activity.py b/rules/onelogin_rules/onelogin_active_login_activity.py
similarity index 100%
rename from onelogin_rules/onelogin_active_login_activity.py
rename to rules/onelogin_rules/onelogin_active_login_activity.py
diff --git a/onelogin_rules/onelogin_active_login_activity.yml b/rules/onelogin_rules/onelogin_active_login_activity.yml
similarity index 100%
rename from onelogin_rules/onelogin_active_login_activity.yml
rename to rules/onelogin_rules/onelogin_active_login_activity.yml
diff --git a/onelogin_rules/onelogin_admin_role_assigned.py b/rules/onelogin_rules/onelogin_admin_role_assigned.py
similarity index 100%
rename from onelogin_rules/onelogin_admin_role_assigned.py
rename to rules/onelogin_rules/onelogin_admin_role_assigned.py
diff --git a/onelogin_rules/onelogin_admin_role_assigned.yml b/rules/onelogin_rules/onelogin_admin_role_assigned.yml
similarity index 100%
rename from onelogin_rules/onelogin_admin_role_assigned.yml
rename to rules/onelogin_rules/onelogin_admin_role_assigned.yml
diff --git a/onelogin_rules/onelogin_brute_force_by_ip.py b/rules/onelogin_rules/onelogin_brute_force_by_ip.py
similarity index 100%
rename from onelogin_rules/onelogin_brute_force_by_ip.py
rename to rules/onelogin_rules/onelogin_brute_force_by_ip.py
diff --git a/onelogin_rules/onelogin_brute_force_by_ip.yml b/rules/onelogin_rules/onelogin_brute_force_by_ip.yml
similarity index 100%
rename from onelogin_rules/onelogin_brute_force_by_ip.yml
rename to rules/onelogin_rules/onelogin_brute_force_by_ip.yml
diff --git a/onelogin_rules/onelogin_brute_force_by_username.py b/rules/onelogin_rules/onelogin_brute_force_by_username.py
similarity index 100%
rename from onelogin_rules/onelogin_brute_force_by_username.py
rename to rules/onelogin_rules/onelogin_brute_force_by_username.py
diff --git a/onelogin_rules/onelogin_brute_force_by_username.yml b/rules/onelogin_rules/onelogin_brute_force_by_username.yml
similarity index 100%
rename from onelogin_rules/onelogin_brute_force_by_username.yml
rename to rules/onelogin_rules/onelogin_brute_force_by_username.yml
diff --git a/onelogin_rules/onelogin_high_risk_failed_login.py b/rules/onelogin_rules/onelogin_high_risk_failed_login.py
similarity index 100%
rename from onelogin_rules/onelogin_high_risk_failed_login.py
rename to rules/onelogin_rules/onelogin_high_risk_failed_login.py
diff --git a/onelogin_rules/onelogin_high_risk_failed_login.yml b/rules/onelogin_rules/onelogin_high_risk_failed_login.yml
similarity index 100%
rename from onelogin_rules/onelogin_high_risk_failed_login.yml
rename to rules/onelogin_rules/onelogin_high_risk_failed_login.yml
diff --git a/onelogin_rules/onelogin_high_risk_login.py b/rules/onelogin_rules/onelogin_high_risk_login.py
similarity index 100%
rename from onelogin_rules/onelogin_high_risk_login.py
rename to rules/onelogin_rules/onelogin_high_risk_login.py
diff --git a/onelogin_rules/onelogin_high_risk_login.yml b/rules/onelogin_rules/onelogin_high_risk_login.yml
similarity index 100%
rename from onelogin_rules/onelogin_high_risk_login.yml
rename to rules/onelogin_rules/onelogin_high_risk_login.yml
diff --git a/onelogin_rules/onelogin_password_accessed.py b/rules/onelogin_rules/onelogin_password_accessed.py
similarity index 100%
rename from onelogin_rules/onelogin_password_accessed.py
rename to rules/onelogin_rules/onelogin_password_accessed.py
diff --git a/onelogin_rules/onelogin_password_accessed.yml b/rules/onelogin_rules/onelogin_password_accessed.yml
similarity index 100%
rename from onelogin_rules/onelogin_password_accessed.yml
rename to rules/onelogin_rules/onelogin_password_accessed.yml
diff --git a/onelogin_rules/onelogin_password_changed.py b/rules/onelogin_rules/onelogin_password_changed.py
similarity index 100%
rename from onelogin_rules/onelogin_password_changed.py
rename to rules/onelogin_rules/onelogin_password_changed.py
diff --git a/onelogin_rules/onelogin_password_changed.yml b/rules/onelogin_rules/onelogin_password_changed.yml
similarity index 100%
rename from onelogin_rules/onelogin_password_changed.yml
rename to rules/onelogin_rules/onelogin_password_changed.yml
diff --git a/onelogin_rules/onelogin_remove_authentication_factor.py b/rules/onelogin_rules/onelogin_remove_authentication_factor.py
similarity index 100%
rename from onelogin_rules/onelogin_remove_authentication_factor.py
rename to rules/onelogin_rules/onelogin_remove_authentication_factor.py
diff --git a/onelogin_rules/onelogin_remove_authentication_factor.yml b/rules/onelogin_rules/onelogin_remove_authentication_factor.yml
similarity index 100%
rename from onelogin_rules/onelogin_remove_authentication_factor.yml
rename to rules/onelogin_rules/onelogin_remove_authentication_factor.yml
diff --git a/onelogin_rules/onelogin_threshold_accounts_deleted.py b/rules/onelogin_rules/onelogin_threshold_accounts_deleted.py
similarity index 100%
rename from onelogin_rules/onelogin_threshold_accounts_deleted.py
rename to rules/onelogin_rules/onelogin_threshold_accounts_deleted.py
diff --git a/onelogin_rules/onelogin_threshold_accounts_deleted.yml b/rules/onelogin_rules/onelogin_threshold_accounts_deleted.yml
similarity index 100%
rename from onelogin_rules/onelogin_threshold_accounts_deleted.yml
rename to rules/onelogin_rules/onelogin_threshold_accounts_deleted.yml
diff --git a/onelogin_rules/onelogin_threshold_accounts_modified.py b/rules/onelogin_rules/onelogin_threshold_accounts_modified.py
similarity index 100%
rename from onelogin_rules/onelogin_threshold_accounts_modified.py
rename to rules/onelogin_rules/onelogin_threshold_accounts_modified.py
diff --git a/onelogin_rules/onelogin_threshold_accounts_modified.yml b/rules/onelogin_rules/onelogin_threshold_accounts_modified.yml
similarity index 100%
rename from onelogin_rules/onelogin_threshold_accounts_modified.yml
rename to rules/onelogin_rules/onelogin_threshold_accounts_modified.yml
diff --git a/onelogin_rules/onelogin_unauthorized_access.py b/rules/onelogin_rules/onelogin_unauthorized_access.py
similarity index 100%
rename from onelogin_rules/onelogin_unauthorized_access.py
rename to rules/onelogin_rules/onelogin_unauthorized_access.py
diff --git a/onelogin_rules/onelogin_unauthorized_access.yml b/rules/onelogin_rules/onelogin_unauthorized_access.yml
similarity index 100%
rename from onelogin_rules/onelogin_unauthorized_access.yml
rename to rules/onelogin_rules/onelogin_unauthorized_access.yml
diff --git a/onelogin_rules/onelogin_unusual_login.py b/rules/onelogin_rules/onelogin_unusual_login.py
similarity index 100%
rename from onelogin_rules/onelogin_unusual_login.py
rename to rules/onelogin_rules/onelogin_unusual_login.py
diff --git a/onelogin_rules/onelogin_unusual_login.yml b/rules/onelogin_rules/onelogin_unusual_login.yml
similarity index 100%
rename from onelogin_rules/onelogin_unusual_login.yml
rename to rules/onelogin_rules/onelogin_unusual_login.yml
diff --git a/onelogin_rules/onelogin_user_account_locked.py b/rules/onelogin_rules/onelogin_user_account_locked.py
similarity index 100%
rename from onelogin_rules/onelogin_user_account_locked.py
rename to rules/onelogin_rules/onelogin_user_account_locked.py
diff --git a/onelogin_rules/onelogin_user_account_locked.yml b/rules/onelogin_rules/onelogin_user_account_locked.yml
similarity index 100%
rename from onelogin_rules/onelogin_user_account_locked.yml
rename to rules/onelogin_rules/onelogin_user_account_locked.yml
diff --git a/onelogin_rules/onelogin_user_assumed.py b/rules/onelogin_rules/onelogin_user_assumed.py
similarity index 100%
rename from onelogin_rules/onelogin_user_assumed.py
rename to rules/onelogin_rules/onelogin_user_assumed.py
diff --git a/onelogin_rules/onelogin_user_assumed.yml b/rules/onelogin_rules/onelogin_user_assumed.yml
similarity index 100%
rename from onelogin_rules/onelogin_user_assumed.yml
rename to rules/onelogin_rules/onelogin_user_assumed.yml
diff --git a/onepassword_rules/onepassword_lut_sensitive_item_access.py b/rules/onepassword_rules/onepassword_lut_sensitive_item_access.py
similarity index 100%
rename from onepassword_rules/onepassword_lut_sensitive_item_access.py
rename to rules/onepassword_rules/onepassword_lut_sensitive_item_access.py
diff --git a/onepassword_rules/onepassword_lut_sensitive_item_access.yml b/rules/onepassword_rules/onepassword_lut_sensitive_item_access.yml
similarity index 100%
rename from onepassword_rules/onepassword_lut_sensitive_item_access.yml
rename to rules/onepassword_rules/onepassword_lut_sensitive_item_access.yml
diff --git a/onepassword_rules/onepassword_sensitive_item_access.py b/rules/onepassword_rules/onepassword_sensitive_item_access.py
similarity index 100%
rename from onepassword_rules/onepassword_sensitive_item_access.py
rename to rules/onepassword_rules/onepassword_sensitive_item_access.py
diff --git a/onepassword_rules/onepassword_sensitive_item_access.yml b/rules/onepassword_rules/onepassword_sensitive_item_access.yml
similarity index 100%
rename from onepassword_rules/onepassword_sensitive_item_access.yml
rename to rules/onepassword_rules/onepassword_sensitive_item_access.yml
diff --git a/onepassword_rules/onepassword_unusual_client.py b/rules/onepassword_rules/onepassword_unusual_client.py
similarity index 100%
rename from onepassword_rules/onepassword_unusual_client.py
rename to rules/onepassword_rules/onepassword_unusual_client.py
diff --git a/onepassword_rules/onepassword_unusual_client.yml b/rules/onepassword_rules/onepassword_unusual_client.yml
similarity index 100%
rename from onepassword_rules/onepassword_unusual_client.yml
rename to rules/onepassword_rules/onepassword_unusual_client.yml
diff --git a/osquery_rules/osquery_linux_aws_commands.py b/rules/osquery_rules/osquery_linux_aws_commands.py
similarity index 100%
rename from osquery_rules/osquery_linux_aws_commands.py
rename to rules/osquery_rules/osquery_linux_aws_commands.py
diff --git a/osquery_rules/osquery_linux_aws_commands.yml b/rules/osquery_rules/osquery_linux_aws_commands.yml
similarity index 100%
rename from osquery_rules/osquery_linux_aws_commands.yml
rename to rules/osquery_rules/osquery_linux_aws_commands.yml
diff --git a/osquery_rules/osquery_linux_logins_non_office.py b/rules/osquery_rules/osquery_linux_logins_non_office.py
similarity index 100%
rename from osquery_rules/osquery_linux_logins_non_office.py
rename to rules/osquery_rules/osquery_linux_logins_non_office.py
diff --git a/osquery_rules/osquery_linux_logins_non_office.yml b/rules/osquery_rules/osquery_linux_logins_non_office.yml
similarity index 100%
rename from osquery_rules/osquery_linux_logins_non_office.yml
rename to rules/osquery_rules/osquery_linux_logins_non_office.yml
diff --git a/osquery_rules/osquery_mac_application_firewall.py b/rules/osquery_rules/osquery_mac_application_firewall.py
similarity index 100%
rename from osquery_rules/osquery_mac_application_firewall.py
rename to rules/osquery_rules/osquery_mac_application_firewall.py
diff --git a/osquery_rules/osquery_mac_application_firewall.yml b/rules/osquery_rules/osquery_mac_application_firewall.yml
similarity index 100%
rename from osquery_rules/osquery_mac_application_firewall.yml
rename to rules/osquery_rules/osquery_mac_application_firewall.yml
diff --git a/osquery_rules/osquery_mac_enable_auto_update.py b/rules/osquery_rules/osquery_mac_enable_auto_update.py
similarity index 100%
rename from osquery_rules/osquery_mac_enable_auto_update.py
rename to rules/osquery_rules/osquery_mac_enable_auto_update.py
diff --git a/osquery_rules/osquery_mac_enable_auto_update.yml b/rules/osquery_rules/osquery_mac_enable_auto_update.yml
similarity index 100%
rename from osquery_rules/osquery_mac_enable_auto_update.yml
rename to rules/osquery_rules/osquery_mac_enable_auto_update.yml
diff --git a/osquery_rules/osquery_mac_osx_attacks.py b/rules/osquery_rules/osquery_mac_osx_attacks.py
similarity index 100%
rename from osquery_rules/osquery_mac_osx_attacks.py
rename to rules/osquery_rules/osquery_mac_osx_attacks.py
diff --git a/osquery_rules/osquery_mac_osx_attacks.yml b/rules/osquery_rules/osquery_mac_osx_attacks.yml
similarity index 100%
rename from osquery_rules/osquery_mac_osx_attacks.yml
rename to rules/osquery_rules/osquery_mac_osx_attacks.yml
diff --git a/osquery_rules/osquery_mac_osx_attacks_keyboard_events.py b/rules/osquery_rules/osquery_mac_osx_attacks_keyboard_events.py
similarity index 100%
rename from osquery_rules/osquery_mac_osx_attacks_keyboard_events.py
rename to rules/osquery_rules/osquery_mac_osx_attacks_keyboard_events.py
diff --git a/osquery_rules/osquery_mac_osx_attacks_keyboard_events.yml b/rules/osquery_rules/osquery_mac_osx_attacks_keyboard_events.yml
similarity index 100%
rename from osquery_rules/osquery_mac_osx_attacks_keyboard_events.yml
rename to rules/osquery_rules/osquery_mac_osx_attacks_keyboard_events.yml
diff --git a/osquery_rules/osquery_mac_unwanted_chrome_extensions.py b/rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.py
similarity index 100%
rename from osquery_rules/osquery_mac_unwanted_chrome_extensions.py
rename to rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.py
diff --git a/osquery_rules/osquery_mac_unwanted_chrome_extensions.yml b/rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.yml
similarity index 100%
rename from osquery_rules/osquery_mac_unwanted_chrome_extensions.yml
rename to rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.yml
diff --git a/osquery_rules/osquery_ossec.py b/rules/osquery_rules/osquery_ossec.py
similarity index 100%
rename from osquery_rules/osquery_ossec.py
rename to rules/osquery_rules/osquery_ossec.py
diff --git a/osquery_rules/osquery_ossec.yml b/rules/osquery_rules/osquery_ossec.yml
similarity index 100%
rename from osquery_rules/osquery_ossec.yml
rename to rules/osquery_rules/osquery_ossec.yml
diff --git a/osquery_rules/osquery_outdated.py b/rules/osquery_rules/osquery_outdated.py
similarity index 100%
rename from osquery_rules/osquery_outdated.py
rename to rules/osquery_rules/osquery_outdated.py
diff --git a/osquery_rules/osquery_outdated.yml b/rules/osquery_rules/osquery_outdated.yml
similarity index 100%
rename from osquery_rules/osquery_outdated.yml
rename to rules/osquery_rules/osquery_outdated.yml
diff --git a/osquery_rules/osquery_outdated_macos.py b/rules/osquery_rules/osquery_outdated_macos.py
similarity index 100%
rename from osquery_rules/osquery_outdated_macos.py
rename to rules/osquery_rules/osquery_outdated_macos.py
diff --git a/osquery_rules/osquery_outdated_macos.yml b/rules/osquery_rules/osquery_outdated_macos.yml
similarity index 100%
rename from osquery_rules/osquery_outdated_macos.yml
rename to rules/osquery_rules/osquery_outdated_macos.yml
diff --git a/osquery_rules/osquery_ssh_listener.py b/rules/osquery_rules/osquery_ssh_listener.py
similarity index 100%
rename from osquery_rules/osquery_ssh_listener.py
rename to rules/osquery_rules/osquery_ssh_listener.py
diff --git a/osquery_rules/osquery_ssh_listener.yml b/rules/osquery_rules/osquery_ssh_listener.yml
similarity index 100%
rename from osquery_rules/osquery_ssh_listener.yml
rename to rules/osquery_rules/osquery_ssh_listener.yml
diff --git a/osquery_rules/osquery_suspicious_cron.py b/rules/osquery_rules/osquery_suspicious_cron.py
similarity index 100%
rename from osquery_rules/osquery_suspicious_cron.py
rename to rules/osquery_rules/osquery_suspicious_cron.py
diff --git a/osquery_rules/osquery_suspicious_cron.yml b/rules/osquery_rules/osquery_suspicious_cron.yml
similarity index 100%
rename from osquery_rules/osquery_suspicious_cron.yml
rename to rules/osquery_rules/osquery_suspicious_cron.yml
diff --git a/panther_audit_rules/panther_detection_deleted.py b/rules/panther_audit_rules/panther_detection_deleted.py
similarity index 100%
rename from panther_audit_rules/panther_detection_deleted.py
rename to rules/panther_audit_rules/panther_detection_deleted.py
diff --git a/panther_audit_rules/panther_detection_deleted.yml b/rules/panther_audit_rules/panther_detection_deleted.yml
similarity index 100%
rename from panther_audit_rules/panther_detection_deleted.yml
rename to rules/panther_audit_rules/panther_detection_deleted.yml
diff --git a/panther_audit_rules/panther_saml_modified.py b/rules/panther_audit_rules/panther_saml_modified.py
similarity index 100%
rename from panther_audit_rules/panther_saml_modified.py
rename to rules/panther_audit_rules/panther_saml_modified.py
diff --git a/panther_audit_rules/panther_saml_modified.yml b/rules/panther_audit_rules/panther_saml_modified.yml
similarity index 100%
rename from panther_audit_rules/panther_saml_modified.yml
rename to rules/panther_audit_rules/panther_saml_modified.yml
diff --git a/panther_audit_rules/panther_sensitive_role_created.py b/rules/panther_audit_rules/panther_sensitive_role_created.py
similarity index 100%
rename from panther_audit_rules/panther_sensitive_role_created.py
rename to rules/panther_audit_rules/panther_sensitive_role_created.py
diff --git a/panther_audit_rules/panther_sensitive_role_created.yml b/rules/panther_audit_rules/panther_sensitive_role_created.yml
similarity index 100%
rename from panther_audit_rules/panther_sensitive_role_created.yml
rename to rules/panther_audit_rules/panther_sensitive_role_created.yml
diff --git a/panther_ioc_rules/atlassian_confluence_ip_iocs.py b/rules/panther_ioc_rules/atlassian_confluence_ip_iocs.py
similarity index 100%
rename from panther_ioc_rules/atlassian_confluence_ip_iocs.py
rename to rules/panther_ioc_rules/atlassian_confluence_ip_iocs.py
diff --git a/panther_ioc_rules/atlassian_confluence_ip_iocs.yml b/rules/panther_ioc_rules/atlassian_confluence_ip_iocs.yml
similarity index 100%
rename from panther_ioc_rules/atlassian_confluence_ip_iocs.yml
rename to rules/panther_ioc_rules/atlassian_confluence_ip_iocs.yml
diff --git a/panther_ioc_rules/log4j_exploit_iocs.py b/rules/panther_ioc_rules/log4j_exploit_iocs.py
similarity index 100%
rename from panther_ioc_rules/log4j_exploit_iocs.py
rename to rules/panther_ioc_rules/log4j_exploit_iocs.py
diff --git a/panther_ioc_rules/log4j_exploit_iocs.yml b/rules/panther_ioc_rules/log4j_exploit_iocs.yml
similarity index 100%
rename from panther_ioc_rules/log4j_exploit_iocs.yml
rename to rules/panther_ioc_rules/log4j_exploit_iocs.yml
diff --git a/panther_ioc_rules/log4j_ip_iocs.py b/rules/panther_ioc_rules/log4j_ip_iocs.py
similarity index 100%
rename from panther_ioc_rules/log4j_ip_iocs.py
rename to rules/panther_ioc_rules/log4j_ip_iocs.py
diff --git a/panther_ioc_rules/log4j_ip_iocs.yml b/rules/panther_ioc_rules/log4j_ip_iocs.yml
similarity index 100%
rename from panther_ioc_rules/log4j_ip_iocs.yml
rename to rules/panther_ioc_rules/log4j_ip_iocs.yml
diff --git a/panther_ioc_rules/sunburst_fqdn_iocs.py b/rules/panther_ioc_rules/sunburst_fqdn_iocs.py
similarity index 100%
rename from panther_ioc_rules/sunburst_fqdn_iocs.py
rename to rules/panther_ioc_rules/sunburst_fqdn_iocs.py
diff --git a/panther_ioc_rules/sunburst_fqdn_iocs.yml b/rules/panther_ioc_rules/sunburst_fqdn_iocs.yml
similarity index 100%
rename from panther_ioc_rules/sunburst_fqdn_iocs.yml
rename to rules/panther_ioc_rules/sunburst_fqdn_iocs.yml
diff --git a/panther_ioc_rules/sunburst_ip_iocs.py b/rules/panther_ioc_rules/sunburst_ip_iocs.py
similarity index 100%
rename from panther_ioc_rules/sunburst_ip_iocs.py
rename to rules/panther_ioc_rules/sunburst_ip_iocs.py
diff --git a/panther_ioc_rules/sunburst_ip_iocs.yml b/rules/panther_ioc_rules/sunburst_ip_iocs.yml
similarity index 100%
rename from panther_ioc_rules/sunburst_ip_iocs.yml
rename to rules/panther_ioc_rules/sunburst_ip_iocs.yml
diff --git a/panther_ioc_rules/sunburst_sha256_iocs.py b/rules/panther_ioc_rules/sunburst_sha256_iocs.py
similarity index 100%
rename from panther_ioc_rules/sunburst_sha256_iocs.py
rename to rules/panther_ioc_rules/sunburst_sha256_iocs.py
diff --git a/panther_ioc_rules/sunburst_sha256_iocs.yml b/rules/panther_ioc_rules/sunburst_sha256_iocs.yml
similarity index 100%
rename from panther_ioc_rules/sunburst_sha256_iocs.yml
rename to rules/panther_ioc_rules/sunburst_sha256_iocs.yml
diff --git a/slack_rules/slack_app_access_expanded.py b/rules/slack_rules/slack_app_access_expanded.py
similarity index 100%
rename from slack_rules/slack_app_access_expanded.py
rename to rules/slack_rules/slack_app_access_expanded.py
diff --git a/slack_rules/slack_app_access_expanded.yml b/rules/slack_rules/slack_app_access_expanded.yml
similarity index 100%
rename from slack_rules/slack_app_access_expanded.yml
rename to rules/slack_rules/slack_app_access_expanded.yml
diff --git a/slack_rules/slack_app_added.py b/rules/slack_rules/slack_app_added.py
similarity index 100%
rename from slack_rules/slack_app_added.py
rename to rules/slack_rules/slack_app_added.py
diff --git a/slack_rules/slack_app_added.yml b/rules/slack_rules/slack_app_added.yml
similarity index 100%
rename from slack_rules/slack_app_added.yml
rename to rules/slack_rules/slack_app_added.yml
diff --git a/slack_rules/slack_app_removed.py b/rules/slack_rules/slack_app_removed.py
similarity index 100%
rename from slack_rules/slack_app_removed.py
rename to rules/slack_rules/slack_app_removed.py
diff --git a/slack_rules/slack_app_removed.yml b/rules/slack_rules/slack_app_removed.yml
similarity index 100%
rename from slack_rules/slack_app_removed.yml
rename to rules/slack_rules/slack_app_removed.yml
diff --git a/slack_rules/slack_application_dos.py b/rules/slack_rules/slack_application_dos.py
similarity index 100%
rename from slack_rules/slack_application_dos.py
rename to rules/slack_rules/slack_application_dos.py
diff --git a/slack_rules/slack_application_dos.yml b/rules/slack_rules/slack_application_dos.yml
similarity index 100%
rename from slack_rules/slack_application_dos.yml
rename to rules/slack_rules/slack_application_dos.yml
diff --git a/slack_rules/slack_dlp_modified.py b/rules/slack_rules/slack_dlp_modified.py
similarity index 100%
rename from slack_rules/slack_dlp_modified.py
rename to rules/slack_rules/slack_dlp_modified.py
diff --git a/slack_rules/slack_dlp_modified.yml b/rules/slack_rules/slack_dlp_modified.yml
similarity index 100%
rename from slack_rules/slack_dlp_modified.yml
rename to rules/slack_rules/slack_dlp_modified.yml
diff --git a/slack_rules/slack_ekm_config_changed.py b/rules/slack_rules/slack_ekm_config_changed.py
similarity index 100%
rename from slack_rules/slack_ekm_config_changed.py
rename to rules/slack_rules/slack_ekm_config_changed.py
diff --git a/slack_rules/slack_ekm_config_changed.yml b/rules/slack_rules/slack_ekm_config_changed.yml
similarity index 100%
rename from slack_rules/slack_ekm_config_changed.yml
rename to rules/slack_rules/slack_ekm_config_changed.yml
diff --git a/slack_rules/slack_ekm_slackbot_unenrolled.py b/rules/slack_rules/slack_ekm_slackbot_unenrolled.py
similarity index 100%
rename from slack_rules/slack_ekm_slackbot_unenrolled.py
rename to rules/slack_rules/slack_ekm_slackbot_unenrolled.py
diff --git a/slack_rules/slack_ekm_slackbot_unenrolled.yml b/rules/slack_rules/slack_ekm_slackbot_unenrolled.yml
similarity index 100%
rename from slack_rules/slack_ekm_slackbot_unenrolled.yml
rename to rules/slack_rules/slack_ekm_slackbot_unenrolled.yml
diff --git a/slack_rules/slack_ekm_unenrolled.py b/rules/slack_rules/slack_ekm_unenrolled.py
similarity index 100%
rename from slack_rules/slack_ekm_unenrolled.py
rename to rules/slack_rules/slack_ekm_unenrolled.py
diff --git a/slack_rules/slack_ekm_unenrolled.yml b/rules/slack_rules/slack_ekm_unenrolled.yml
similarity index 100%
rename from slack_rules/slack_ekm_unenrolled.yml
rename to rules/slack_rules/slack_ekm_unenrolled.yml
diff --git a/slack_rules/slack_idp_configuration_change.py b/rules/slack_rules/slack_idp_configuration_change.py
similarity index 100%
rename from slack_rules/slack_idp_configuration_change.py
rename to rules/slack_rules/slack_idp_configuration_change.py
diff --git a/slack_rules/slack_idp_configuration_change.yml b/rules/slack_rules/slack_idp_configuration_change.yml
similarity index 100%
rename from slack_rules/slack_idp_configuration_change.yml
rename to rules/slack_rules/slack_idp_configuration_change.yml
diff --git a/slack_rules/slack_information_barrier_modified.py b/rules/slack_rules/slack_information_barrier_modified.py
similarity index 100%
rename from slack_rules/slack_information_barrier_modified.py
rename to rules/slack_rules/slack_information_barrier_modified.py
diff --git a/slack_rules/slack_information_barrier_modified.yml b/rules/slack_rules/slack_information_barrier_modified.yml
similarity index 100%
rename from slack_rules/slack_information_barrier_modified.yml
rename to rules/slack_rules/slack_information_barrier_modified.yml
diff --git a/slack_rules/slack_intune_mdm_disabled.py b/rules/slack_rules/slack_intune_mdm_disabled.py
similarity index 100%
rename from slack_rules/slack_intune_mdm_disabled.py
rename to rules/slack_rules/slack_intune_mdm_disabled.py
diff --git a/slack_rules/slack_intune_mdm_disabled.yml b/rules/slack_rules/slack_intune_mdm_disabled.yml
similarity index 100%
rename from slack_rules/slack_intune_mdm_disabled.yml
rename to rules/slack_rules/slack_intune_mdm_disabled.yml
diff --git a/slack_rules/slack_legal_hold_policy_modified.py b/rules/slack_rules/slack_legal_hold_policy_modified.py
similarity index 100%
rename from slack_rules/slack_legal_hold_policy_modified.py
rename to rules/slack_rules/slack_legal_hold_policy_modified.py
diff --git a/slack_rules/slack_legal_hold_policy_modified.yml b/rules/slack_rules/slack_legal_hold_policy_modified.yml
similarity index 100%
rename from slack_rules/slack_legal_hold_policy_modified.yml
rename to rules/slack_rules/slack_legal_hold_policy_modified.yml
diff --git a/slack_rules/slack_mfa_settings_changed.py b/rules/slack_rules/slack_mfa_settings_changed.py
similarity index 100%
rename from slack_rules/slack_mfa_settings_changed.py
rename to rules/slack_rules/slack_mfa_settings_changed.py
diff --git a/slack_rules/slack_mfa_settings_changed.yml b/rules/slack_rules/slack_mfa_settings_changed.yml
similarity index 100%
rename from slack_rules/slack_mfa_settings_changed.yml
rename to rules/slack_rules/slack_mfa_settings_changed.yml
diff --git a/slack_rules/slack_org_created.py b/rules/slack_rules/slack_org_created.py
similarity index 100%
rename from slack_rules/slack_org_created.py
rename to rules/slack_rules/slack_org_created.py
diff --git a/slack_rules/slack_org_created.yml b/rules/slack_rules/slack_org_created.yml
similarity index 100%
rename from slack_rules/slack_org_created.yml
rename to rules/slack_rules/slack_org_created.yml
diff --git a/slack_rules/slack_org_deleted.py b/rules/slack_rules/slack_org_deleted.py
similarity index 100%
rename from slack_rules/slack_org_deleted.py
rename to rules/slack_rules/slack_org_deleted.py
diff --git a/slack_rules/slack_org_deleted.yml b/rules/slack_rules/slack_org_deleted.yml
similarity index 100%
rename from slack_rules/slack_org_deleted.yml
rename to rules/slack_rules/slack_org_deleted.yml
diff --git a/slack_rules/slack_passthrough_anomaly.py b/rules/slack_rules/slack_passthrough_anomaly.py
similarity index 100%
rename from slack_rules/slack_passthrough_anomaly.py
rename to rules/slack_rules/slack_passthrough_anomaly.py
diff --git a/slack_rules/slack_passthrough_anomaly.yml b/rules/slack_rules/slack_passthrough_anomaly.yml
similarity index 100%
rename from slack_rules/slack_passthrough_anomaly.yml
rename to rules/slack_rules/slack_passthrough_anomaly.yml
diff --git a/slack_rules/slack_potentially_malicious_file_shared.py b/rules/slack_rules/slack_potentially_malicious_file_shared.py
similarity index 100%
rename from slack_rules/slack_potentially_malicious_file_shared.py
rename to rules/slack_rules/slack_potentially_malicious_file_shared.py
diff --git a/slack_rules/slack_potentially_malicious_file_shared.yml b/rules/slack_rules/slack_potentially_malicious_file_shared.yml
similarity index 100%
rename from slack_rules/slack_potentially_malicious_file_shared.yml
rename to rules/slack_rules/slack_potentially_malicious_file_shared.yml
diff --git a/slack_rules/slack_private_channel_made_public.py b/rules/slack_rules/slack_private_channel_made_public.py
similarity index 100%
rename from slack_rules/slack_private_channel_made_public.py
rename to rules/slack_rules/slack_private_channel_made_public.py
diff --git a/slack_rules/slack_private_channel_made_public.yml b/rules/slack_rules/slack_private_channel_made_public.yml
similarity index 100%
rename from slack_rules/slack_private_channel_made_public.yml
rename to rules/slack_rules/slack_private_channel_made_public.yml
diff --git a/slack_rules/slack_service_owner_transferred.py b/rules/slack_rules/slack_service_owner_transferred.py
similarity index 100%
rename from slack_rules/slack_service_owner_transferred.py
rename to rules/slack_rules/slack_service_owner_transferred.py
diff --git a/slack_rules/slack_service_owner_transferred.yml b/rules/slack_rules/slack_service_owner_transferred.yml
similarity index 100%
rename from slack_rules/slack_service_owner_transferred.yml
rename to rules/slack_rules/slack_service_owner_transferred.yml
diff --git a/slack_rules/slack_sso_settings_changed.py b/rules/slack_rules/slack_sso_settings_changed.py
similarity index 100%
rename from slack_rules/slack_sso_settings_changed.py
rename to rules/slack_rules/slack_sso_settings_changed.py
diff --git a/slack_rules/slack_sso_settings_changed.yml b/rules/slack_rules/slack_sso_settings_changed.yml
similarity index 100%
rename from slack_rules/slack_sso_settings_changed.yml
rename to rules/slack_rules/slack_sso_settings_changed.yml
diff --git a/slack_rules/slack_user_privilege_escalation.py b/rules/slack_rules/slack_user_privilege_escalation.py
similarity index 100%
rename from slack_rules/slack_user_privilege_escalation.py
rename to rules/slack_rules/slack_user_privilege_escalation.py
diff --git a/slack_rules/slack_user_privilege_escalation.yml b/rules/slack_rules/slack_user_privilege_escalation.yml
similarity index 100%
rename from slack_rules/slack_user_privilege_escalation.yml
rename to rules/slack_rules/slack_user_privilege_escalation.yml
diff --git a/standard_rules/admin_assigned.py b/rules/standard_rules/admin_assigned.py
similarity index 100%
rename from standard_rules/admin_assigned.py
rename to rules/standard_rules/admin_assigned.py
diff --git a/standard_rules/admin_assigned.yml b/rules/standard_rules/admin_assigned.yml
similarity index 100%
rename from standard_rules/admin_assigned.yml
rename to rules/standard_rules/admin_assigned.yml
diff --git a/standard_rules/brute_force_by_ip.py b/rules/standard_rules/brute_force_by_ip.py
similarity index 100%
rename from standard_rules/brute_force_by_ip.py
rename to rules/standard_rules/brute_force_by_ip.py
diff --git a/standard_rules/brute_force_by_ip.yml b/rules/standard_rules/brute_force_by_ip.yml
similarity index 100%
rename from standard_rules/brute_force_by_ip.yml
rename to rules/standard_rules/brute_force_by_ip.yml
diff --git a/standard_rules/mfa_disabled.py b/rules/standard_rules/mfa_disabled.py
similarity index 100%
rename from standard_rules/mfa_disabled.py
rename to rules/standard_rules/mfa_disabled.py
diff --git a/standard_rules/mfa_disabled.yml b/rules/standard_rules/mfa_disabled.yml
similarity index 100%
rename from standard_rules/mfa_disabled.yml
rename to rules/standard_rules/mfa_disabled.yml
diff --git a/standard_rules/unusual_login.py b/rules/standard_rules/unusual_login.py
similarity index 100%
rename from standard_rules/unusual_login.py
rename to rules/standard_rules/unusual_login.py
diff --git a/standard_rules/unusual_login.yml b/rules/standard_rules/unusual_login.yml
similarity index 100%
rename from standard_rules/unusual_login.yml
rename to rules/standard_rules/unusual_login.yml
diff --git a/zendesk_rules/zendesk_mobile_app_access.py b/rules/zendesk_rules/zendesk_mobile_app_access.py
similarity index 100%
rename from zendesk_rules/zendesk_mobile_app_access.py
rename to rules/zendesk_rules/zendesk_mobile_app_access.py
diff --git a/zendesk_rules/zendesk_mobile_app_access.yml b/rules/zendesk_rules/zendesk_mobile_app_access.yml
similarity index 100%
rename from zendesk_rules/zendesk_mobile_app_access.yml
rename to rules/zendesk_rules/zendesk_mobile_app_access.yml
diff --git a/zendesk_rules/zendesk_new_api_token.py b/rules/zendesk_rules/zendesk_new_api_token.py
similarity index 100%
rename from zendesk_rules/zendesk_new_api_token.py
rename to rules/zendesk_rules/zendesk_new_api_token.py
diff --git a/zendesk_rules/zendesk_new_api_token.yml b/rules/zendesk_rules/zendesk_new_api_token.yml
similarity index 100%
rename from zendesk_rules/zendesk_new_api_token.yml
rename to rules/zendesk_rules/zendesk_new_api_token.yml
diff --git a/zendesk_rules/zendesk_new_owner.py b/rules/zendesk_rules/zendesk_new_owner.py
similarity index 100%
rename from zendesk_rules/zendesk_new_owner.py
rename to rules/zendesk_rules/zendesk_new_owner.py
diff --git a/zendesk_rules/zendesk_new_owner.yml b/rules/zendesk_rules/zendesk_new_owner.yml
similarity index 100%
rename from zendesk_rules/zendesk_new_owner.yml
rename to rules/zendesk_rules/zendesk_new_owner.yml
diff --git a/zendesk_rules/zendesk_sensitive_data_redaction.py b/rules/zendesk_rules/zendesk_sensitive_data_redaction.py
similarity index 100%
rename from zendesk_rules/zendesk_sensitive_data_redaction.py
rename to rules/zendesk_rules/zendesk_sensitive_data_redaction.py
diff --git a/zendesk_rules/zendesk_sensitive_data_redaction.yml b/rules/zendesk_rules/zendesk_sensitive_data_redaction.yml
similarity index 100%
rename from zendesk_rules/zendesk_sensitive_data_redaction.yml
rename to rules/zendesk_rules/zendesk_sensitive_data_redaction.yml
diff --git a/zendesk_rules/zendesk_user_assumption.py b/rules/zendesk_rules/zendesk_user_assumption.py
similarity index 100%
rename from zendesk_rules/zendesk_user_assumption.py
rename to rules/zendesk_rules/zendesk_user_assumption.py
diff --git a/zendesk_rules/zendesk_user_assumption.yml b/rules/zendesk_rules/zendesk_user_assumption.yml
similarity index 100%
rename from zendesk_rules/zendesk_user_assumption.yml
rename to rules/zendesk_rules/zendesk_user_assumption.yml
diff --git a/zendesk_rules/zendesk_user_role.py b/rules/zendesk_rules/zendesk_user_role.py
similarity index 100%
rename from zendesk_rules/zendesk_user_role.py
rename to rules/zendesk_rules/zendesk_user_role.py
diff --git a/zendesk_rules/zendesk_user_role.yml b/rules/zendesk_rules/zendesk_user_role.yml
similarity index 100%
rename from zendesk_rules/zendesk_user_role.yml
rename to rules/zendesk_rules/zendesk_user_role.yml
diff --git a/zendesk_rules/zendesk_user_suspension.py b/rules/zendesk_rules/zendesk_user_suspension.py
similarity index 100%
rename from zendesk_rules/zendesk_user_suspension.py
rename to rules/zendesk_rules/zendesk_user_suspension.py
diff --git a/zendesk_rules/zendesk_user_suspension.yml b/rules/zendesk_rules/zendesk_user_suspension.yml
similarity index 100%
rename from zendesk_rules/zendesk_user_suspension.yml
rename to rules/zendesk_rules/zendesk_user_suspension.yml
diff --git a/zoom_operation_rules/zoom_operation_passcode_disabled.py b/rules/zoom_operation_rules/zoom_operation_passcode_disabled.py
similarity index 100%
rename from zoom_operation_rules/zoom_operation_passcode_disabled.py
rename to rules/zoom_operation_rules/zoom_operation_passcode_disabled.py
diff --git a/zoom_operation_rules/zoom_operation_passcode_disabled.yml b/rules/zoom_operation_rules/zoom_operation_passcode_disabled.yml
similarity index 100%
rename from zoom_operation_rules/zoom_operation_passcode_disabled.yml
rename to rules/zoom_operation_rules/zoom_operation_passcode_disabled.yml
diff --git a/zoom_operation_rules/zoom_operation_user_granted_admin.py b/rules/zoom_operation_rules/zoom_operation_user_granted_admin.py
similarity index 100%
rename from zoom_operation_rules/zoom_operation_user_granted_admin.py
rename to rules/zoom_operation_rules/zoom_operation_user_granted_admin.py
diff --git a/zoom_operation_rules/zoom_operation_user_granted_admin.yml b/rules/zoom_operation_rules/zoom_operation_user_granted_admin.yml
similarity index 100%
rename from zoom_operation_rules/zoom_operation_user_granted_admin.yml
rename to rules/zoom_operation_rules/zoom_operation_user_granted_admin.yml