From e8e8d5e1b4c2540bc589e82183fc6b40ff42d118 Mon Sep 17 00:00:00 2001
From: Ashish Agrawal <ashish81394@gmail.com>
Date: Fri, 25 Aug 2023 11:33:00 -0700
Subject: [PATCH] Bump version to 2.10 and resolve compile issues (#521)

Signed-off-by: Ashish Agrawal <ashisagr@amazon.com>
---
 .github/ISSUE_TEMPLATE/config.yml             |   2 +-
 .github/workflows/backport.yml                |   2 +-
 .github/workflows/ci.yml                      |   2 +-
 .github/workflows/dco.yml                     |   2 +-
 .github/workflows/delete_backport_branch.yml  |   2 +-
 .../workflows/multi-node-test-workflow.yml    |   2 +-
 .github/workflows/security-test-workflow.yml  |   2 +-
 .github/workflows/version.yml                 |   4 +-
 build.gradle                                  |  17 +-
 checkstyle/sun_checks.xml                     | 225 +++++++++++
 formatter/formatterConfig.xml                 | 362 ++++++++++++++++++
 gradle/formatting.gradle                      |  36 ++
 gradle/wrapper/gradle-wrapper.properties      |   4 +-
 gradlew                                       |   6 +-
 .../SecurityAnalyticsPlugin.java              |   8 +-
 .../action/AckAlertsRequest.java              |   4 +-
 .../action/AckAlertsResponse.java             |   6 +-
 .../securityanalytics/action/AlertDto.java    |   6 +-
 .../action/CorrelatedFindingRequest.java      |   4 +-
 .../action/CorrelatedFindingResponse.java     |   6 +-
 .../action/CreateIndexMappingsRequest.java    |   9 +-
 .../action/DeleteCorrelationRuleRequest.java  |   4 +-
 .../action/DeleteCustomLogTypeRequest.java    |   4 +-
 .../action/DeleteCustomLogTypeResponse.java   |   8 +-
 .../action/DeleteDetectorRequest.java         |   4 +-
 .../action/DeleteDetectorResponse.java        |   8 +-
 .../action/DeleteRuleRequest.java             |   4 +-
 .../action/DeleteRuleResponse.java            |   8 +-
 .../securityanalytics/action/FindingDto.java  |   6 +-
 .../action/GetAlertsRequest.java              |   4 +-
 .../action/GetAlertsResponse.java             |   8 +-
 .../action/GetAllRuleCategoriesRequest.java   |   4 +-
 .../action/GetAllRuleCategoriesResponse.java  |   6 +-
 .../action/GetDetectorRequest.java            |   6 +-
 .../action/GetDetectorResponse.java           |   8 +-
 .../action/GetFindingsRequest.java            |   4 +-
 .../action/GetFindingsResponse.java           |   8 +-
 .../action/GetIndexMappingsRequest.java       |   6 +-
 .../action/GetIndexMappingsResponse.java      |  14 +-
 .../action/GetMappingsViewRequest.java        |   6 +-
 .../action/GetMappingsViewResponse.java       |  12 +-
 .../action/IndexCorrelationRuleRequest.java   |   4 +-
 .../action/IndexCorrelationRuleResponse.java  |   8 +-
 .../action/IndexCustomLogTypeRequest.java     |   4 +-
 .../action/IndexCustomLogTypeResponse.java    |   8 +-
 .../action/IndexDetectorRequest.java          |   4 +-
 .../action/IndexDetectorResponse.java         |   8 +-
 .../action/IndexRuleRequest.java              |   4 +-
 .../action/IndexRuleResponse.java             |   8 +-
 .../action/ListCorrelationsRequest.java       |   4 +-
 .../action/ListCorrelationsResponse.java      |   6 +-
 .../action/SearchCorrelationRuleRequest.java  |   4 +-
 .../action/SearchCustomLogTypeRequest.java    |   4 +-
 .../action/SearchDetectorRequest.java         |   4 +-
 .../action/SearchRuleRequest.java             |   4 +-
 .../action/UpdateIndexMappingsRequest.java    |   6 +-
 .../action/ValidateRulesRequest.java          |  18 +-
 .../action/ValidateRulesResponse.java         |  15 +-
 .../alerts/AlertsService.java                 |   4 +-
 .../correlation/JoinEngine.java               |   4 +-
 .../correlation/VectorEmbeddingsEngine.java   |   4 +-
 .../index/CorrelationParamsContext.java       |   6 +-
 .../index/query/CorrelationQueryBuilder.java  |   6 +-
 .../findings/FindingsService.java             |   4 +-
 .../DetectorIndexManagementService.java       |   4 +-
 .../logtype/BuiltinLogTypeLoader.java         |   2 +-
 .../logtype/LogTypeService.java               |   4 +-
 .../mapper/IndexTemplateManager.java          |   2 +-
 .../mapper/IndexTemplateUtils.java            |   2 +-
 .../mapper/MapperService.java                 |   9 +-
 .../model/CorrelatedFinding.java              |   8 +-
 .../model/CorrelationQuery.java               |   8 +-
 .../model/CorrelationRule.java                |   8 +-
 .../model/CustomLogType.java                  |   8 +-
 .../securityanalytics/model/Detector.java     |   8 +-
 .../model/DetectorInput.java                  |   8 +-
 .../securityanalytics/model/DetectorRule.java |   8 +-
 .../model/DetectorTrigger.java                |   8 +-
 .../model/FieldMappingDoc.java                |   8 +-
 .../model/FindingWithScore.java               |   8 +-
 .../securityanalytics/model/LogType.java      |   6 +-
 .../securityanalytics/model/Rule.java         |   8 +-
 .../securityanalytics/model/RuleCategory.java |   6 +-
 .../securityanalytics/model/Value.java        |   8 +-
 .../RestAcknowledgeAlertsAction.java          |   2 +-
 .../RestCreateIndexMappingsAction.java        |   2 +-
 .../RestDeleteCustomLogTypeAction.java        |   2 +-
 .../RestIndexCorrelationRuleAction.java       |   2 +-
 .../RestIndexCustomLogTypeAction.java         |   4 +-
 .../resthandler/RestIndexDetectorAction.java  |   4 +-
 .../resthandler/RestIndexRuleAction.java      |   2 +-
 .../RestListCorrelationAction.java            |   2 +-
 .../RestSearchCorrelationAction.java          |   2 +-
 .../RestSearchCustomLogTypeAction.java        |   4 +-
 .../resthandler/RestSearchDetectorAction.java |   9 +-
 .../resthandler/RestSearchRuleAction.java     |   4 +-
 .../RestUpdateIndexMappingsAction.java        |   2 +-
 .../resthandler/RestValidateRulesAction.java  |  21 +-
 .../rules/backend/OSQueryBackend.java         |  12 +-
 .../TransportAcknowledgeAlertsAction.java     |   4 +-
 .../TransportCorrelateFindingAction.java      |   8 +-
 .../TransportCreateIndexMappingsAction.java   |   2 +-
 .../TransportDeleteCorrelationRuleAction.java |   4 +-
 .../TransportDeleteCustomLogTypeAction.java   |   4 +-
 .../TransportDeleteDetectorAction.java        |   4 +-
 .../transport/TransportDeleteRuleAction.java  |   4 +-
 .../transport/TransportGetAlertsAction.java   |   4 +-
 .../TransportGetAllRuleCategoriesAction.java  |   2 +-
 .../transport/TransportGetDetectorAction.java |  11 +-
 .../transport/TransportGetFindingsAction.java |   4 +-
 .../TransportGetIndexMappingsAction.java      |   4 +-
 .../TransportGetMappingsViewAction.java       |   4 +-
 .../TransportIndexCorrelationRuleAction.java  |   4 +-
 .../TransportIndexCustomLogTypeAction.java    |   4 +-
 .../TransportIndexDetectorAction.java         |  10 +-
 .../transport/TransportIndexRuleAction.java   |   6 +-
 .../TransportListCorrelationAction.java       |   4 +-
 .../TransportSearchCorrelationAction.java     |   2 +-
 .../TransportSearchCorrelationRuleAction.java |   2 +-
 .../TransportSearchCustomLogTypeAction.java   |   2 +-
 .../TransportSearchDetectorAction.java        |  19 +-
 .../transport/TransportSearchRuleAction.java  |   4 +-
 .../TransportUpdateIndexMappingsAction.java   |   4 +-
 .../TransportValidateRulesAction.java         |   4 +-
 .../util/CorrelationIndices.java              |   4 +-
 .../util/CorrelationRuleIndices.java          |   2 +-
 .../util/CustomLogTypeIndices.java            |   2 +-
 .../util/DetectorIndices.java                 |   2 +-
 .../securityanalytics/util/DetectorUtils.java |   2 +-
 .../securityanalytics/util/IndexUtils.java    |   2 +-
 .../securityanalytics/util/RuleIndices.java   |   4 +-
 .../util/RuleTopicIndices.java                |   2 +-
 .../securityanalytics/util/RuleValidator.java |   2 +-
 .../util/SecurityAnalyticsException.java      |   4 +-
 .../securityanalytics/util/XContentUtils.java |   5 +-
 .../resources/OSMapping/ad_ldap_logtype.json  |   2 +-
 .../OSMapping/apache_access_logtype.json      |   2 +-
 .../resources/OSMapping/azure_logtype.json    |   2 +-
 .../OSMapping/cloudtrail_logtype.json         |   2 +-
 src/main/resources/OSMapping/dns_logtype.json |   2 +-
 .../resources/OSMapping/github_logtype.json   |   2 +-
 .../OSMapping/gworkspace_logtype.json         |   2 +-
 .../resources/OSMapping/linux_logtype.json    |   2 +-
 src/main/resources/OSMapping/logtypes.json    |   2 +-
 .../resources/OSMapping/m365_logtype.json     |   2 +-
 .../resources/OSMapping/netflow_logtype.json  |   2 +-
 .../resources/OSMapping/network_logtype.json  |   2 +-
 .../resources/OSMapping/okta_logtype.json     |   2 +-
 .../OSMapping/others_application_logtype.json |   2 +-
 .../OSMapping/others_apt_logtype.json         |   2 +-
 .../OSMapping/others_cloud_logtype.json       |   2 +-
 .../OSMapping/others_compliance_logtype.json  |   2 +-
 .../OSMapping/others_macos_logtype.json       |   2 +-
 .../OSMapping/others_proxy_logtype.json       |   2 +-
 .../OSMapping/others_web_logtype.json         |   2 +-
 src/main/resources/OSMapping/s3_logtype.json  |   2 +-
 .../OSMapping/test_windows_logtype.json       |   2 +-
 .../resources/OSMapping/vpcflow_logtype.json  |   2 +-
 .../resources/OSMapping/windows_logtype.json  |   2 +-
 .../resources/mappings/alert_mapping.json     |   2 +-
 src/main/resources/mappings/correlation.json  |   2 +-
 .../resources/mappings/detector-settings.json |   2 +-
 src/main/resources/mappings/detectors.json    |   2 +-
 .../resources/mappings/finding_mapping.json   |   2 +-
 src/main/resources/mappings/rules.json        |   2 +-
 .../azure_aadhybridhealth_adfs_new_server.yml |   2 +-
 ...re_aadhybridhealth_adfs_service_delete.yml |   2 +-
 .../azure_ad_user_added_to_admin_role.yml     |   8 +-
 .../azure_aadhybridhealth_adfs_new_server.yml |   2 +-
 ...re_aadhybridhealth_adfs_service_delete.yml |   2 +-
 .../rules/azure/azure_account_lockout.yml     |   4 +-
 .../azure/azure_app_appid_uri_changes.yml     |   6 +-
 .../azure/azure_app_credential_added.yml      |   6 +-
 .../azure_app_credential_modification.yml     |   4 +-
 .../azure_app_device_code_authentication.yml  |   2 +-
 .../rules/azure/azure_app_owner_added.yml     |   6 +-
 .../azure/azure_app_ropc_authentication.yml   |   4 +-
 .../azure/azure_app_uri_modifications.yml     |   8 +-
 .../rules/azure/azure_application_deleted.yml |   4 +-
 ...pplication_gateway_modified_or_deleted.yml |   6 +-
 ...ion_security_group_modified_or_deleted.yml |   6 +-
 .../azure_change_to_authentication_method.yml |   2 +-
 ..._container_registry_created_or_deleted.yml |   2 +-
 ..._device_no_longer_managed_or_compliant.yml |   4 +-
 ...e_or_configuration_modified_or_deleted.yml |   6 +-
 .../azure_dns_zone_modified_or_deleted.yml    |   2 +-
 .../rules/azure/azure_federation_modified.yml |   5 +-
 .../azure_firewall_modified_or_deleted.yml    |   4 +-
 ...ll_rule_collection_modified_or_deleted.yml |   4 +-
 ...azure_keyvault_key_modified_or_deleted.yml |   6 +-
 .../azure_keyvault_modified_or_deleted.yml    |   4 +-
 ...e_keyvault_secrets_modified_or_deleted.yml |   6 +-
 .../azure_kubernetes_admission_controller.yml |   2 +-
 ..._kubernetes_cluster_created_or_deleted.yml |   3 +-
 .../azure/azure_kubernetes_events_deleted.yml |   1 -
 ...azure_kubernetes_network_policy_change.yml |   4 +-
 .../azure/azure_kubernetes_role_access.yml    |   2 +-
 ...rnetes_rolebinding_modified_or_deleted.yml |   7 +-
 ...ernetes_secret_or_config_object_access.yml |   4 +-
 ...es_service_account_modified_or_deleted.yml |   2 +-
 .../azure/azure_login_to_disabled_account.yml |   4 +-
 .../rules/azure/azure_mfa_denies.yml          |   2 +-
 .../rules/azure/azure_mfa_interrupted.yml     |   2 +-
 ...rk_firewall_policy_modified_or_deleted.yml |   4 +-
 ...work_firewall_rule_modified_or_deleted.yml |   2 +-
 ...re_network_p2s_vpn_modified_or_deleted.yml |   2 +-
 ...e_network_security_modified_or_deleted.yml |   2 +-
 ...ork_virtual_device_modified_or_deleted.yml |   2 +-
 .../azure/azure_new_cloudshell_created.yml    |   3 +-
 ..._from_application_or_service_principal.yml |   6 +-
 .../azure/azure_service_principal_created.yml |   4 +-
 .../azure/azure_service_principal_removed.yml |   4 +-
 ...re_unusual_authentication_interruption.yml |   4 +-
 ...er_login_blocked_by_conditional_access.yml |   4 +-
 ...re_virtual_network_modified_or_deleted.yml |   2 +-
 ...ure_vpn_connection_modified_or_deleted.yml |   2 +-
 .../aws_attached_malicious_lambda_layer.yml   |   2 +-
 .../aws_create_load_balancer_layer.yml        |   2 +-
 .../cloudtrail/aws_ec2_download_userdata.yml  |   2 +-
 .../cloudtrail/aws_ec2_vm_export_failure.yml  |  11 +-
 .../aws_eks_cluster_created_or_deleted.yml    |   6 +-
 ...aws_elasticache_security_group_created.yml |   6 +-
 ...che_security_group_modified_or_deleted.yml |   4 +-
 .../rules/cloudtrail/aws_enum_listing.yml     |   4 +-
 ...aws_lambda_function_created_or_invoked.yml |   2 +-
 ...ssed_role_to_glue_development_endpoint.yml |   2 +-
 ...te_53_domain_transferred_lock_disabled.yml |   3 +-
 .../cloudtrail/aws_susp_saml_activity.yml     |   4 +-
 .../cloudtrail/aws_update_login_profile.yml   |   6 +-
 ...s_external_service_interaction_domains.yml |   1 -
 .../rules/dns/net_dns_high_bytes_out.yml      |   2 +-
 .../rules/dns/net_dns_high_requests_rate.yml  |   2 +-
 .../rules/dns/net_dns_mal_cobaltstrike.yml    |   2 +-
 .../rules/dns/net_dns_susp_telegram_api.yml   |   2 +-
 .../linux/auditd/lnx_auditd_audio_capture.yml |   2 +-
 .../lnx_auditd_capabilities_discovery.yml     |   2 +-
 .../lnx_auditd_clipboard_collection.yml       |   4 +-
 .../lnx_auditd_clipboard_image_collection.yml |   8 +-
 .../linux/auditd/lnx_auditd_coinminer.yml     |   2 +-
 ...itd_cve_2021_3156_sudo_buffer_overflow.yml |   2 +-
 ...21_3156_sudo_buffer_overflow_brutforce.yml |   2 +-
 .../linux/auditd/lnx_auditd_cve_2021_4034.yml |   2 +-
 .../auditd/lnx_auditd_data_exfil_wget.yml     |   2 +-
 .../auditd/lnx_auditd_dd_delete_file.yml      |   6 +-
 .../lnx_auditd_disable_system_firewall.yml    |   4 +-
 .../lnx_auditd_keylogging_with_pam_d.yml      |   4 +-
 .../lnx_auditd_password_policy_discovery.yml  |   6 +-
 .../lnx_auditd_screencapture_import.yml       |   2 +-
 ..._auditd_steghide_extract_steganography.yml |   2 +-
 .../auditd/lnx_auditd_susp_exe_folders.yml    |   2 +-
 .../rules/linux/auditd/lnx_auditd_web_rce.yml |   2 +-
 .../linux/builtin/lnx_buffer_overflows.yml    |   2 +-
 .../builtin/lnx_crontab_file_modification.yml |   2 +-
 .../builtin/lnx_ldso_preload_injection.yml    |   2 +-
 ...nimbuspwn_privilege_escalation_exploit.yml |   2 +-
 .../lnx_pwnkit_local_privilege_escalation.yml |  14 +-
 .../rules/linux/builtin/lnx_shellshock.yml    |   4 +-
 .../linux/builtin/lnx_sudo_cve_2019_14287.yml |   2 +-
 .../builtin/lnx_sudo_cve_2019_14287_user.yml  |   2 +-
 .../file_create_lnx_cron_files.yml            |   3 +-
 .../modsecurity/modsec_mulitple_blocks.yml    |   2 +-
 ..._connection_lnx_back_connect_shell_dev.yml |   3 +-
 ...onnection_lnx_crypto_mining_indicators.yml |   2 +-
 .../rules/linux/other/lnx_clamav.yml          |   2 +-
 .../lnx_security_tools_disabling_syslog.yml   |   4 +-
 .../proc_creation_lnx_cat_sudoers.yml         |   2 +-
 .../proc_creation_lnx_clear_syslog.yml        |   2 +-
 ...proc_creation_lnx_clipboard_collection.yml |   2 +-
 .../proc_creation_lnx_crypto_mining.yml       |   2 +-
 .../proc_creation_lnx_dd_file_overwrite.yml   |   4 +-
 ..._creation_lnx_network_service_scanning.yml |   2 +-
 ...omigod_scx_runasprovider_executescript.yml |   2 +-
 ..._scx_runasprovider_executeshellcommand.yml |   2 +-
 .../proc_creation_lnx_python_pty_spawn.yml    |   2 +-
 ..._creation_lnx_security_tools_disabling.yml |   2 +-
 .../proc_creation_lnx_susp_history_delete.yml |   2 +-
 .../proc_creation_lnx_susp_history_recon.yml  |   2 +-
 ...roc_creation_lnx_susp_interactive_bash.yml |   3 +-
 .../proc_creation_lnx_susp_pipe_shell.yml     |   1 -
 ...roc_creation_lnx_susp_recon_indicators.yml |   2 +-
 .../proc_creation_lnx_webshell_detection.yml  |   1 -
 .../net_firewall_high_dns_bytes_out.yml       |   2 +-
 .../net_firewall_high_dns_requests_rate.yml   |   4 +-
 ...net_firewall_susp_network_scan_by_port.yml |   2 +-
 .../zeek_dce_rpc_domain_user_enumeration.yml  |   4 +-
 ...rpc_potential_petit_potam_efs_rpc_call.yml |   2 +-
 ...zeek_default_cobalt_strike_certificate.yml |   2 +-
 .../rules/network/zeek/zeek_dns_torproxy.yml  |   6 +-
 .../zeek/zeek_http_omigod_no_auth_rce.yml     |   4 +-
 .../antivirus/av_relevant_files.yml           |   2 +-
 .../django/appframework_django_exceptions.yml |   2 +-
 .../python/app_python_sql_exceptions.yml      |   2 +-
 .../appframework_ruby_on_rails_exceptions.yml |   2 +-
 .../spring/appframework_spring_exceptions.yml |   2 +-
 .../azure_aadhybridhealth_adfs_new_server.yml |   2 +-
 ...re_aadhybridhealth_adfs_service_delete.yml |   2 +-
 .../azure/azure_account_lockout.yml           |   4 +-
 .../azure_ad_user_added_to_admin_role.yml     |   8 +-
 .../azure/azure_app_appid_uri_changes.yml     |   6 +-
 .../azure/azure_app_credential_added.yml      |   6 +-
 .../azure_app_credential_modification.yml     |   4 +-
 .../azure_app_device_code_authentication.yml  |   2 +-
 .../azure/azure_app_owner_added.yml           |   6 +-
 .../azure/azure_app_ropc_authentication.yml   |   4 +-
 .../azure/azure_app_uri_modifications.yml     |   8 +-
 .../azure/azure_application_deleted.yml       |   4 +-
 ...pplication_gateway_modified_or_deleted.yml |   6 +-
 ...ion_security_group_modified_or_deleted.yml |   6 +-
 .../azure_change_to_authentication_method.yml |   2 +-
 ..._container_registry_created_or_deleted.yml |   2 +-
 ..._device_no_longer_managed_or_compliant.yml |   4 +-
 ...e_or_configuration_modified_or_deleted.yml |   6 +-
 .../azure_dns_zone_modified_or_deleted.yml    |   2 +-
 .../azure/azure_federation_modified.yml       |   5 +-
 .../azure_firewall_modified_or_deleted.yml    |   4 +-
 ...ll_rule_collection_modified_or_deleted.yml |   4 +-
 ...azure_keyvault_key_modified_or_deleted.yml |   6 +-
 .../azure_keyvault_modified_or_deleted.yml    |   4 +-
 ...e_keyvault_secrets_modified_or_deleted.yml |   6 +-
 .../azure_kubernetes_admission_controller.yml |   2 +-
 ..._kubernetes_cluster_created_or_deleted.yml |   3 +-
 .../azure/azure_kubernetes_events_deleted.yml |   1 -
 ...azure_kubernetes_network_policy_change.yml |   4 +-
 .../azure/azure_kubernetes_role_access.yml    |   2 +-
 ...rnetes_rolebinding_modified_or_deleted.yml |   7 +-
 ...ernetes_secret_or_config_object_access.yml |   4 +-
 ...es_service_account_modified_or_deleted.yml |   2 +-
 .../azure/azure_login_to_disabled_account.yml |   4 +-
 .../others_cloud/azure/azure_mfa_denies.yml   |   2 +-
 .../azure/azure_mfa_interrupted.yml           |   2 +-
 ...rk_firewall_policy_modified_or_deleted.yml |   4 +-
 ...work_firewall_rule_modified_or_deleted.yml |   2 +-
 ...re_network_p2s_vpn_modified_or_deleted.yml |   2 +-
 ...e_network_security_modified_or_deleted.yml |   2 +-
 ...ork_virtual_device_modified_or_deleted.yml |   2 +-
 .../azure/azure_new_cloudshell_created.yml    |   3 +-
 ..._from_application_or_service_principal.yml |   6 +-
 .../azure/azure_service_principal_created.yml |   4 +-
 .../azure/azure_service_principal_removed.yml |   4 +-
 ...re_unusual_authentication_interruption.yml |   4 +-
 ...er_login_blocked_by_conditional_access.yml |   4 +-
 ...re_virtual_network_modified_or_deleted.yml |   2 +-
 ...ure_vpn_connection_modified_or_deleted.yml |   2 +-
 .../gcp/gcp_bucket_enumeration.yml            |   4 +-
 .../gcp/gcp_bucket_modified_or_deleted.yml    |   4 +-
 .../gcp/gcp_dns_zone_modified_or_deleted.yml  |   4 +-
 .../gcp_firewall_rule_modified_or_deleted.yml |   4 +-
 ...cp_full_network_traffic_packet_capture.yml |   4 +-
 .../gcp_kubernetes_admission_controller.yml   |   2 +-
 .../gcp/gcp_kubernetes_cronjob.yml            |   4 +-
 .../gcp/gcp_kubernetes_rolebinding.yml        |   4 +-
 ...kubernetes_secrets_modified_or_deleted.yml |   6 +-
 ...cp_service_account_disabled_or_deleted.yml |   6 +-
 .../gcp/gcp_service_account_modified.yml      |   6 +-
 .../gcp_sql_database_modified_or_deleted.yml  |   6 +-
 .../gcp_vpn_tunnel_modified_or_deleted.yml    |   8 +-
 .../gworkspace_application_removed.yml        |   2 +-
 .../gworkspace_granted_domain_api_access.yml  |   1 -
 .../gworkspace/gworkspace_mfa_disabled.yml    |   3 +-
 .../gworkspace_role_modified_or_deleted.yml   |   3 +-
 .../gworkspace_role_privilege_deleted.yml     |   1 -
 ...orkspace_user_granted_admin_privileges.yml |   6 +-
 .../microsoft365_from_susp_ip_addresses.yml   |   2 +-
 ...icrosoft365_impossible_travel_activity.yml |   2 -
 ...a_admin_role_assigned_to_user_or_group.yml |   5 +-
 .../okta/okta_api_token_created.yml           |   1 -
 .../okta/okta_api_token_revoked.yml           |   1 -
 .../okta_application_modified_or_deleted.yml  |   3 +-
 ...ion_sign_on_policy_modified_or_deleted.yml |   4 +-
 .../okta/okta_mfa_reset_or_deactivated.yml    |   4 +-
 ...ta_network_zone_deactivated_or_deleted.yml |   3 +-
 .../okta/okta_policy_modified_or_deleted.yml  |   6 +-
 .../okta_policy_rule_modified_or_deleted.yml  |   3 +-
 .../firewall_cleartext_protocols.yml          |   2 +-
 .../netflow_cleartext_protocols.yml           |   2 +-
 .../proxy_apt_domestic_kitten.yml             |   2 +-
 .../rules/others_proxy/proxy_baby_shark.yml   |   2 +-
 .../others_proxy/proxy_cobalt_amazon.yml      |   1 -
 .../proxy_cobalt_malformed_uas.yml            |   2 +-
 .../proxy_ua_bitsadmin_susp_ip.yml            |   2 +-
 .../proxy_ua_bitsadmin_susp_tld.yml           |   6 +-
 .../rules/others_proxy/proxy_ua_susp.yml      |   2 +-
 .../proxy_ursnif_malware_download_url.yml     |   4 +-
 ...cve_2020_28188_terramaster_rce_exploit.yml |   2 +-
 .../web_cve_2020_3452_cisco_asa_ftd.yml       |   2 +-
 ...090_2021_20091_arcadyan_router_exploit.yml |   2 +-
 ...web_cve_2021_2109_weblogic_rce_exploit.yml |   4 +-
 ..._2021_21972_vsphere_unauth_rce_exploit.yml |   2 +-
 .../web_cve_2021_26814_wzuh_rce.yml           |   2 +-
 .../web_cve_2021_28480_exchange_exploit.yml   |   2 +-
 ...b_cve_2021_33766_msexchange_proxytoken.yml |   4 +-
 ...b_cve_2021_41773_apache_path_traversal.yml |   6 +-
 .../others_web/web_cve_2021_43798_grafana.yml |   2 +-
 .../web_cve_2021_44228_log4j_fields.yml       |   2 +-
 .../web_exchange_exploitation_hafnium.yml     |  12 +-
 .../others_web/web_exchange_proxyshell.yml    |   6 +-
 .../web_exchange_proxyshell_successful.yml    |   4 +-
 .../web_iis_tilt_shortname_scan.yml           |   2 +-
 .../web_solarwinds_supernova_webshell.yml     |   2 +-
 .../web_sonicwall_jarrewrite_exploit.yml      |   2 +-
 .../others_web/web_susp_windows_path_uri.yml  |   1 -
 .../web_unc2546_dewmode_php_webshell.yml      |   2 +-
 src/main/resources/rules/rule_categories.json |   2 +-
 ...ns_query_win_regsvr32_network_activity.yml |   2 +-
 ...nnection_win_regsvr32_network_activity.yml |   2 +-
 ...proc_creation_win_susp_regsvr32_no_dll.yml |   2 +-
 .../rules/test_windows/win_sample_rule.yml    |   2 +-
 .../builtin/application/win_audit_cve.yml     |   1 -
 .../win_builtin_remove_application.yml        |   2 +-
 .../win_software_atera_rmm_agent_install.yml  |   8 +-
 .../application/win_vul_cve_2020_0688.yml     |   2 +-
 .../win_bits_client_susp_domain.yml           |   2 +-
 .../win_bits_client_susp_local_file.yml       |   4 +-
 .../win_bits_client_susp_local_folder.yml     |   4 +-
 .../win_bits_client_susp_powershell_job.yml   |   4 +-
 .../win_bits_client_susp_use_bitsadmin.yml    |   4 +-
 .../win_bits_client_uncommon_domain.yml       |   2 +-
 .../win_codeintegrity_failed_driver_load.yml  |   2 +-
 .../builtin/dns_server/win_apt_gallium.yml    |   4 +-
 .../win_firewall_as_setting_change.yml        |   2 +-
 .../win_exchange_cve_2021_42321.yml           |   4 +-
 .../win_exchange_proxylogon_oabvirtualdir.yml |   2 +-
 ...win_exchange_proxyshell_mailbox_export.yml |   8 +-
 ...hange_proxyshell_remove_mailbox_export.yml |   4 +-
 .../win_exchange_transportagent.yml           |   8 +-
 .../win_exchange_transportagent_failed.yml    |  12 +-
 .../ntlm/win_susp_ntlm_brute_force.yml        |   2 +-
 ...win_exploit_cve_2021_1675_printspooler.yml |   2 +-
 ...cve_2021_1675_printspooler_operational.yml |   2 +-
 .../win_account_backdoor_dcsync_rights.yml    |   2 +-
 .../security/win_ad_user_enumeration.yml      |   2 +-
 ...e_template_configuration_vulnerability.yml |   2 +-
 .../security/win_alert_ad_user_backdoors.yml  |   2 +-
 .../win_apt_chafer_mar18_security.yml         |   2 +-
 .../builtin/security/win_apt_slingshot.yml    |   2 +-
 .../builtin/security/win_apt_wocao.yml        |   4 +-
 .../windows/builtin/security/win_dcsync.yml   |   1 -
 .../security/win_disable_event_logging.yml    |   2 +-
 .../security/win_event_log_cleared.yml        |   8 +-
 .../builtin/security/win_external_device.yml  |   4 +-
 .../win_global_catalog_enumeration.yml        |   2 +-
 ...n_hybridconnectionmgr_svc_installation.yml |   4 +-
 ...oke_obfuscation_clip_services_security.yml |   6 +-
 ...ation_obfuscated_iex_services_security.yml |   4 +-
 ...ke_obfuscation_stdin_services_security.yml |   2 +-
 ...voke_obfuscation_var_services_security.yml |   1 -
 ...scation_via_compress_services_security.yml |   6 +-
 ...fuscation_via_rundll_services_security.yml |   2 +-
 ...bfuscation_via_stdin_services_security.yml |   2 +-
 ...scation_via_use_clip_services_security.yml |   2 -
 ...cation_via_use_mshta_services_security.yml |   2 +-
 .../builtin/security/win_iso_mount.yml        |   4 +-
 .../win_lsass_access_non_system_account.yml   |   2 +-
 .../win_metasploit_authentication.yml         |   2 +-
 .../security/win_net_ntlm_downgrade.yml       |   4 +-
 .../security/win_scheduled_task_deletion.yml  |   2 +-
 .../win_scm_database_handle_failure.yml       |   2 +-
 ...security_cobaltstrike_service_installs.yml |   8 +-
 .../security/win_security_mal_creddumper.yml  |   2 +-
 .../win_security_mal_service_installs.yml     |   2 +-
 ...or_impacket_smb_psexec_service_install.yml |   2 +-
 ...cobaltstrike_getsystem_service_install.yml |   2 +-
 ...powershell_script_installed_as_service.yml |   4 +-
 .../win_security_tap_driver_installation.yml  |   2 +-
 .../security/win_security_wmi_persistence.yml |   2 +-
 .../security/win_susp_failed_logon_source.yml |   2 +-
 .../win_susp_failed_logons_single_source.yml  |   2 +-
 .../win_susp_failed_logons_single_source2.yml |   2 +-
 .../win_susp_local_anon_logon_created.yml     |   2 +-
 ..._vssaudit_secevent_source_registration.yml |   4 +-
 .../win_hybridconnectionmgr_svc_running.yml   |   2 +-
 .../smbclient/win_susp_failed_guest_logon.yml |   2 +-
 .../system/win_apt_chafer_mar18_system.yml    |   2 +-
 .../win_cobaltstrike_service_installs.yml     |   8 +-
 .../win_invoke_obfuscation_clip_services.yml  |   2 +-
 ...ke_obfuscation_obfuscated_iex_services.yml |   2 +-
 .../win_invoke_obfuscation_stdin_services.yml |   4 +-
 .../win_invoke_obfuscation_var_services.yml   |   2 +-
 ...voke_obfuscation_via_compress_services.yml |   2 +-
 ...invoke_obfuscation_via_rundll_services.yml |   2 +-
 ..._invoke_obfuscation_via_stdin_services.yml |   2 +-
 ...voke_obfuscation_via_use_clip_services.yml |   2 +-
 ..._obfuscation_via_use_rundll32_services.yml |   2 +-
 ...in_invoke_obfuscation_via_var_services.yml |   2 +-
 .../builtin/system/win_mal_creddumper.yml     |   2 +-
 ...tstrike_getsystem_service_installation.yml |   2 +-
 .../builtin/system/win_moriya_rootkit.yml     |   2 +-
 .../builtin/system/win_ntfs_vuln_exploit.yml  |   6 +-
 ...powershell_script_installed_as_service.yml |   2 +-
 .../builtin/system/win_sample_rule.yml        |   2 +-
 .../system/win_susp_system_update_error.yml   |   2 +-
 .../system/win_system_defender_disabled.yml   |   2 +-
 .../system/win_tap_driver_installation.yml    |   2 +-
 .../builtin/system/win_tool_psexec.yml        |   2 +-
 .../system/win_volume_shadow_copy_mount.yml   |   2 +-
 ...n_vul_cve_2021_42278_or_cve_2021_42287.yml |   4 +-
 .../windefend/win_defender_amsi_trigger.yml   |   2 +-
 ...win_defender_tamper_protection_trigger.yml |   2 +-
 .../builtin/windefend/win_defender_threat.yml |   2 +-
 .../builtin/wmi/win_wmi_persistence.yml       |   2 +-
 .../create_remote_thread_win_susp_targets.yml |   2 +-
 .../sysmon_cobaltstrike_process_injection.yml |   3 +-
 .../windows/dns_query/dns_query_win_ammyy.yml |   4 +-
 .../dns_query/dns_query_win_gotoopener.yml    |   4 +-
 ...ery_win_hybridconnectionmgr_servicebus.yml |   2 +-
 .../dns_query_win_lobas_appinstaller.yml      |   2 +-
 .../dns_query/dns_query_win_logmein.yml       |   4 +-
 .../dns_query_win_mal_cobaltstrike.yml        |   2 +-
 .../dns_query/dns_query_win_mega_nz.yml       |   2 +-
 ...ns_query_win_regsvr32_network_activity.yml |   2 +-
 .../dns_query/dns_query_win_susp_ipify.yml    |   2 +-
 .../dns_query_win_susp_teamviewer.yml         |   4 +-
 ...tstrike_getsystem_service_installation.yml |   2 +-
 ...powershell_script_installed_as_service.yml |   4 +-
 .../driver_load_vuln_dell_driver.yml          |   2 +-
 .../driver_load/driver_load_windivert.yml     |   2 +-
 .../file_delete_win_delete_appli_log.yml      |   2 +-
 .../file_event_win_advanced_ip_scanner.yml    |   4 +-
 .../file_event_win_anydesk_artefact.yml       |   2 +-
 ...file_event_win_apt_unidentified_nov_18.yml |   4 +-
 .../file_event_win_crackmapexec_patterns.yml  |   2 +-
 ...e_event_win_creation_new_shim_database.yml |   4 +-
 ...ile_event_win_creation_scr_binary_file.yml |   2 +-
 .../file_event_win_creation_system_file.yml   |   2 +-
 ...ent_win_creation_unquoted_service_path.yml |  10 +-
 ...le_event_win_cve_2021_26858_msexchange.yml |   4 +-
 ...cve_2021_31979_cve_2021_33771_exploits.yml |   2 +-
 .../file_event_win_cve_2022_24527_lpe.yml     |   1 -
 ..._event_win_detect_powerup_dllhijacking.yml |   2 +-
 .../file_event_win_gotoopener_artefact.yml    |   2 +-
 .../file_event_win_hack_dumpert.yml           |   4 +-
 ...e_event_win_hivenightmare_file_exports.yml |   6 +-
 .../file_event/file_event_win_hktl_nppspy.yml |   4 +-
 ...e_event_win_install_teamviewer_desktop.yml |   4 +-
 .../file_event/file_event_win_lsass_dump.yml  |   4 +-
 .../file_event/file_event_win_macro_file.yml  |   8 +-
 .../file_event/file_event_win_mal_adwind.yml  |   2 +-
 .../file_event_win_moriya_rootkit.yml         |   2 +-
 .../file_event/file_event_win_ntds_dit.yml    |   6 +-
 .../file_event_win_ntds_exfil_tools.yml       |   4 +-
 ...le_event_win_outlook_c2_macro_creation.yml |   4 +-
 .../file_event_win_pcre_net_temp_file.yml     |   2 +-
 .../file_event_win_pingback_backdoor.yml      |   4 +-
 ...event_win_powershell_startup_shortcuts.yml |   2 +-
 .../file_event_win_rclone_exec_file.yml       |   4 +-
 .../file_event/file_event_win_sam_dump.yml    |   2 +-
 .../file_event_win_screenconnect_artefact.yml |   2 +-
 ...ript_creation_by_office_using_file_ext.yml |   2 +-
 .../file_event_win_susp_desktop_txt.yml       |   2 +-
 .../file_event_win_susp_diagcab.yml           |   4 +-
 .../file_event_win_susp_dropper.yml           |   2 +-
 ...ile_event_win_susp_exchange_aspx_write.yml |   2 +-
 .../file_event_win_susp_get_variable.yml      |   5 +-
 ...win_susp_system_interactive_powershell.yml |   2 +-
 .../file_event_win_susp_task_write.yml        |   4 +-
 ...ent_win_susp_teamviewer_remote_session.yml |   4 +-
 .../file_event/file_event_win_tool_psexec.yml |   2 +-
 ..._event_win_win_cscript_wscript_dropper.yml |   6 +-
 ...ent_win_win_shell_write_susp_directory.yml |   4 +-
 .../file_event_win_winrm_awl_bypass.yml       |   4 +-
 ...event_win_wmiprvse_wbemcomn_dll_hijack.yml |   2 +-
 ...le_event_win_writing_local_admin_share.yml |   6 +-
 ..._alternate_powershell_hosts_moduleload.yml |   2 +-
 .../image_load/image_load_msdt_sdiageng.yml   |   2 +-
 .../image_load/image_load_pcre_net_load.yml   |   2 +-
 .../image_load_pingback_backdoor.yml          |   2 +-
 .../image_load_silenttrinity_stage_use.yml    |   2 +-
 .../image_load_spoolsv_dll_load.yml           |   2 +-
 .../image_load_susp_python_image_load.yml     |   4 +-
 .../image_load_susp_system_drawing_load.yml   |   4 +-
 .../image_load_tttracer_mod_load.yml          |   4 +-
 .../image_load_usp_svchost_clfsw32.yml        |   2 +-
 .../image_load/image_load_wmi_module_load.yml |   3 +-
 ...mage_load_wmiprvse_wbemcomn_dll_hijack.yml |   2 +-
 .../image_load_wsman_provider_image_load.yml  |   8 +-
 ..._connection_susp_win_binary_no_cmdline.yml |   2 +-
 .../net_connection_win_crypto_mining.yml      |   4 +-
 .../net_connection_win_imewdbld.yml           |   2 +-
 .../net_connection_win_msiexec.yml            |   4 +-
 .../net_connection_win_python.yml             |   2 +-
 ...nnection_win_regsvr32_network_activity.yml |   2 +-
 .../net_connection_win_susp_dropbox_api.yml   |   2 +-
 ...ion_win_susp_outbound_smtp_connections.yml |   6 +-
 .../pipe_created_mal_cobaltstrike.yml         |   2 +-
 .../pipe_created_mal_namedpipes.yml           |  38 +-
 ...pe_created_susp_wmi_consumer_namedpipe.yml |   4 +-
 .../posh_pc_alternate_powershell_hosts.yml    |   2 +-
 .../powershell_classic/posh_pc_powercat.yml   |   4 +-
 .../posh_pc_remote_powershell_session.yml     |   2 +-
 ...susp_athremotefxvgpudisablementcommand.yml |   2 +-
 .../posh_pc_susp_download.yml                 |   2 +-
 .../posh_pc_susp_get_nettcpconnection.yml     |   6 +-
 .../posh_pc_susp_zip_compress.yml             |   4 +-
 .../posh_pm_alternate_powershell_hosts.yml    |   2 +-
 .../posh_pm_decompress_commands.yml           |   2 +-
 .../posh_pm_get_clipboard.yml                 |   2 +-
 .../posh_pm_invoke_obfuscation_clip.yml       |   2 +-
 .../posh_pm_invoke_obfuscation_stdin.yml      |   4 +-
 .../posh_pm_invoke_obfuscation_var.yml        |   2 +-
 .../posh_pm_invoke_obfuscation_via_rundll.yml |   4 +-
 ...pm_invoke_obfuscation_via_use_rundll32.yml |   2 +-
 .../powershell_module/posh_pm_powercat.yml    |   4 +-
 .../posh_pm_remote_powershell_session.yml     |   4 +-
 .../posh_pm_susp_ad_group_reco.yml            |   6 +-
 ...susp_athremotefxvgpudisablementcommand.yml |   2 +-
 .../posh_pm_susp_download.yml                 |   2 +-
 .../posh_pm_susp_get_nettcpconnection.yml     |   6 +-
 .../posh_pm_susp_local_group_reco.yml         |   4 +-
 ..._pm_susp_reset_computermachinepassword.yml |   4 +-
 .../posh_pm_susp_smb_share_reco.yml           |   4 +-
 .../posh_pm_syncappvpublishingserver_exe.yml  |   2 +-
 .../posh_ps_access_to_browser_login_data.yml  |   6 +-
 .../posh_ps_adrecon_execution.yml             |   2 +-
 .../posh_ps_as_rep_roasting.yml               |   6 +-
 .../posh_ps_cl_mutexverifiers_lolscript.yml   |   2 +-
 .../posh_ps_cmdlet_scheduled_task.yml         |   6 +-
 .../posh_ps_copy_item_system32.yml            |   2 +-
 .../posh_ps_cor_profiler.yml                  |   2 +-
 .../posh_ps_create_local_user.yml             |   2 +-
 .../posh_ps_create_volume_shadow_copy.yml     |   2 +-
 .../posh_ps_detect_vm_env.yml                 |   4 +-
 ...mp_password_windows_credential_manager.yml |   4 +-
 .../posh_ps_enable_psremoting.yml             |   2 +-
 ...te_password_windows_credential_manager.yml |   4 +-
 .../posh_ps_file_and_directory_discovery.yml  |   6 +-
 .../posh_ps_get_acl_service.yml               |   2 +-
 .../posh_ps_get_adreplaccount.yml             |   6 +-
 .../posh_ps_get_childitem_bookmarks.yml       |   3 +-
 .../posh_ps_invoke_command_remote.yml         |   2 +-
 .../posh_ps_invoke_obfuscation_clip.yml       |   2 +-
 .../posh_ps_invoke_obfuscation_stdin.yml      |   2 +-
 .../posh_ps_invoke_obfuscation_var.yml        |   2 +-
 ...osh_ps_invoke_obfuscation_via_compress.yml |   4 +-
 .../powershell_script/posh_ps_keylogging.yml  |   2 +-
 .../posh_ps_prompt_credentials.yml            |   2 +-
 .../posh_ps_request_kerberos_ticket.yml       |   2 +-
 .../posh_ps_root_certificate_installed.yml    |   2 +-
 .../posh_ps_security_software_discovery.yml   |   1 -
 .../posh_ps_send_mailmessage.yml              |   2 +-
 ...posh_ps_set_policies_to_unsecure_level.yml |   2 +-
 ...ps_store_file_in_alternate_data_stream.yml |   4 +-
 .../posh_ps_susp_ad_group_reco.yml            |   8 +-
 .../posh_ps_susp_directory_enum.yml           |   2 +-
 .../posh_ps_susp_download.yml                 |   2 +-
 .../posh_ps_susp_execute_batch_script.yml     |   2 +-
 .../posh_ps_susp_extracting.yml               |   2 +-
 .../posh_ps_susp_get_adcomputer.yml           |   1 -
 .../posh_ps_susp_get_adgroup.yml              |   1 -
 ...sh_ps_susp_invoke_webrequest_useragent.yml |   3 +-
 .../posh_ps_susp_iofilestream.yml             |   2 +-
 .../posh_ps_susp_local_group_reco.yml         |   2 +-
 .../posh_ps_susp_mail_acces.yml               |   4 +-
 .../posh_ps_susp_networkcredential.yml        |   2 +-
 .../posh_ps_susp_new_psdrive.yml              |   4 +-
 .../posh_ps_susp_remove_adgroupmember.yml     |   5 +-
 .../posh_ps_susp_smb_share_reco.yml           |   4 +-
 .../posh_ps_susp_ssl_keyword.yml              |   2 +-
 .../posh_ps_susp_wallpaper.yml                |   3 +-
 .../posh_ps_susp_win32_pnpentity.yml          |   4 +-
 .../posh_ps_susp_win32_shadowcopy.yml         |   2 +-
 .../posh_ps_susp_windowstyle.yml              |   4 +-
 .../posh_ps_syncappvpublishingserver_exe.yml  |   2 +-
 .../posh_ps_test_netconnection.yml            |   2 +-
 .../powershell_script/posh_ps_timestomp.yml   |   2 +-
 .../posh_ps_trigger_profiles.yml              |   6 +-
 ...h_ps_windows_firewall_profile_disabled.yml |   2 +-
 .../posh_ps_winlogon_helper_dll.yml           |   2 +-
 .../posh_ps_wmi_persistence.yml               |  10 +-
 ...roc_access_win_handlekatz_lsass_access.yml |   4 +-
 ...ess_win_lazagne_cred_dump_lsass_access.yml |   4 +-
 .../proc_access_win_lsass_memdump.yml         |   2 +-
 .../proc_access_win_lsass_memdump_evasion.yml |   6 +-
 ...oc_access_win_lsass_memdump_indicators.yml |   2 +-
 ...ss_win_pypykatz_cred_dump_lsass_access.yml |   6 +-
 .../proc_access_win_svchost_cred_dump.yml     |   2 +-
 ...access_win_shellcode_inject_msf_empire.yml |   4 +-
 ...sing_windows_telemetry_for_persistence.yml |   2 +-
 .../proc_creation_win_ad_find_discovery.yml   |   2 +-
 ...oc_creation_win_alternate_data_streams.yml |   2 +-
 .../proc_creation_win_anydesk.yml             |   2 +-
 ...oc_creation_win_anydesk_silent_install.yml |   2 +-
 .../proc_creation_win_anydesk_susp_folder.yml |   2 +-
 ..._creation_win_apt_actinium_persistence.yml |   2 +-
 .../proc_creation_win_apt_chafer_mar18.yml    |   4 +-
 .../proc_creation_win_apt_gallium.yml         |   2 +-
 .../proc_creation_win_apt_gallium_sha1.yml    |   4 +-
 ...oc_creation_win_apt_gamaredon_ultravnc.yml |   4 +-
 .../proc_creation_win_apt_hafnium.yml         |  10 +-
 .../proc_creation_win_apt_ke3chang_regadd.yml |   2 +-
 ...reation_win_apt_lazarus_activity_apr21.yml |   2 +-
 .../proc_creation_win_apt_lazarus_loader.yml  |   6 +-
 .../proc_creation_win_apt_slingshot.yml       |   2 +-
 ...eation_win_apt_turla_commands_critical.yml |   2 +-
 .../proc_creation_win_apt_unc2452_cmds.yml    |   2 +-
 .../proc_creation_win_apt_unc2452_ps.yml      |   8 +-
 .../proc_creation_win_apt_wocao.yml           |   6 +-
 ...ary_shell_execution_via_settingcontent.yml |   6 +-
 .../proc_creation_win_attrib_system.yml       |   2 +-
 ..._creation_win_attrib_system_susp_paths.yml |   2 +-
 ...proc_creation_win_automated_collection.yml |   4 +-
 ...reation_win_base64_invoke_susp_cmdlets.yml |   2 +-
 ...creation_win_base64_listing_shadowcopy.yml |   4 +-
 ...on_win_base64_reflective_assembly_load.yml |   2 +-
 ...ion_win_bitsadmin_download_susp_domain.yml |   4 +-
 ...eation_win_bitsadmin_download_susp_ext.yml |   2 +-
 ...n_bitsadmin_download_susp_targetfolder.yml |   2 +-
 .../proc_creation_win_clip.yml                |   4 +-
 .../proc_creation_win_cmd_delete.yml          |   2 +-
 ...creation_win_cobaltstrike_bloopers_cmd.yml |   2 +-
 ...tion_win_cobaltstrike_bloopers_modules.yml |   2 +-
 ...tion_win_cobaltstrike_process_patterns.yml |   9 +-
 .../proc_creation_win_conti_sqlcmd.yml        |   4 +-
 ...roc_creation_win_crackmapexec_patterns.yml |   2 +-
 ...c_creation_win_crime_snatch_ransomware.yml |   2 +-
 ...proc_creation_win_crypto_mining_monero.yml |   4 +-
 ..._creation_win_delete_systemstatebackup.yml |   2 +-
 ..._win_detecting_fake_instances_of_hxtsr.yml |   2 +-
 .../proc_creation_win_dinjector.yml           |   2 +-
 ..._creation_win_dns_serverlevelplugindll.yml |   4 +-
 .../proc_creation_win_dsim_remove.yml         |   4 +-
 .../proc_creation_win_embed_exe_lnk.yml       |   2 +-
 ...on_win_enumeration_for_credentials_cli.yml |   2 +-
 ...numeration_for_credentials_in_registry.yml |   2 +-
 .../proc_creation_win_esentutl_webcache.yml   |   2 +-
 .../proc_creation_win_evil_winrm.yml          |   2 +-
 ...proc_creation_win_expand_cabinet_files.yml |   2 +-
 ...reation_win_exploit_lpe_cve_2021_41379.yml |   2 +-
 ...oc_creation_win_false_sysinternalsuite.yml |   4 +-
 ...roc_creation_win_findstr_gpp_passwords.yml |   6 +-
 .../proc_creation_win_gotoopener.yml          |   2 +-
 .../proc_creation_win_hack_dumpert.yml        |   2 +-
 .../proc_creation_win_hack_koadic.yml         |   2 +-
 .../proc_creation_win_hack_wce.yml            |   2 +-
 .../proc_creation_win_hacktool_imphashes.yml  |   8 +-
 .../proc_creation_win_hh_chm.yml              |   2 +-
 .../proc_creation_win_hktl_createminidump.yml |   2 +-
 .../proc_creation_win_iis_http_logging.yml    |   6 +-
 ...c_creation_win_impacket_compiled_tools.yml |   4 +-
 ...c_creation_win_impacket_lateralization.yml |   4 +-
 .../proc_creation_win_infdefaultinstall.yml   |   4 +-
 ...in_invoke_obfuscation_via_use_rundll32.yml |   2 +-
 .../proc_creation_win_logmein.yml             |   2 +-
 .../proc_creation_win_lolbin_bash.yml         |   2 +-
 ...proc_creation_win_lolbin_cl_invocation.yml |   4 +-
 ...n_win_lolbin_cscript_gathernetworkinfo.yml |   4 +-
 .../proc_creation_win_lolbin_diantz_ads.yml   |   4 +-
 ..._creation_win_lolbin_diantz_remote_cab.yml |   6 +-
 .../proc_creation_win_lolbin_dump64.yml       |   4 +-
 ...eation_win_lolbin_execution_via_winget.yml |   4 +-
 .../proc_creation_win_lolbin_extrac32_ads.yml |   6 +-
 .../proc_creation_win_lolbin_findstr.yml      |   2 +-
 .../proc_creation_win_lolbin_ie4uinit.yml     |   2 +-
 .../proc_creation_win_lolbin_jsc.yml          |   2 +-
 ...reation_win_lolbin_offlinescannershell.yml |   6 +-
 .../proc_creation_win_lolbin_printbrm.yml     |   8 +-
 .../proc_creation_win_lolbin_pubprn.yml       |   2 +-
 .../proc_creation_win_lolbin_replace.yml      |   2 +-
 ...eation_win_lolbin_susp_acccheckconsole.yml |   2 +-
 .../proc_creation_win_lolbin_susp_grpconv.yml |   1 -
 .../proc_creation_win_lolbin_ttdinject.yml    |   2 +-
 ..._creation_win_lolbin_tttracer_mod_load.yml |   4 +-
 ...ion_win_lolbins_by_office_applications.yml |   2 +-
 ...n_lolbins_with_wmiprvse_parent_process.yml |   2 +-
 .../proc_creation_win_mailboxexport_share.yml |   4 +-
 .../proc_creation_win_mal_adwind.yml          |   2 +-
 ...proc_creation_win_mal_blue_mockingbird.yml |   2 +-
 ...c_creation_win_mal_darkside_ransomware.yml |   2 +-
 .../proc_creation_win_malware_conti.yml       |   2 +-
 .../proc_creation_win_malware_conti_7zip.yml  |   2 +-
 ..._creation_win_malware_conti_shadowcopy.yml |   2 +-
 .../proc_creation_win_malware_emotet.yml      |   1 -
 .../proc_creation_win_malware_notpetya.yml    |   2 +-
 ...r_cobaltstrike_getsystem_service_start.yml |   2 +-
 ..._modif_of_services_for_via_commandline.yml |   2 +-
 ...in_monitoring_for_persistence_via_bits.yml |   4 +-
 ...roc_creation_win_msiexec_install_quiet.yml |   2 +-
 .../proc_creation_win_multiple_susp_cli.yml   |   2 +-
 .../proc_creation_win_net_enum.yml            |   4 +-
 .../proc_creation_win_netcat_execution.yml    |   2 +-
 ...reation_win_netsh_fw_enable_group_rule.yml |   2 +-
 .../proc_creation_win_network_scan_loop.yml   |   4 +-
 ...reation_win_non_interactive_powershell.yml |   2 +-
 .../proc_creation_win_outlook_shell.yml       |   2 +-
 .../proc_creation_win_pingback_backdoor.yml   |   2 +-
 ...in_powershell_defender_disable_feature.yml |   2 +-
 ..._creation_win_powershell_public_folder.yml |   2 +-
 ...proc_creation_win_proc_dump_createdump.yml |   2 +-
 ...roc_creation_win_proc_dump_rdrleakdiag.yml |   2 +-
 ...eation_win_proc_dump_susp_dumpminitool.yml |   6 +-
 .../proc_creation_win_proc_wrong_parent.yml   |   4 +-
 ..._creation_win_process_dump_rdrleakdiag.yml |   4 +-
 ...tion_win_process_dump_rundll32_comsvcs.yml |   2 +-
 ...creation_win_protocolhandler_susp_file.yml |   2 +-
 ...proc_creation_win_public_folder_parent.yml |   2 +-
 ...oc_creation_win_purplesharp_indicators.yml |   2 +-
 .../proc_creation_win_pypykatz.yml            |   2 +-
 .../proc_creation_win_python_pty_spawn.yml    |   2 +-
 .../proc_creation_win_reg_add_run_key.yml     |   4 +-
 ...oc_creation_win_reg_defender_exclusion.yml |   2 +-
 .../proc_creation_win_reg_enable_rdp.yml      |   2 +-
 ...ation_win_reg_service_imagepath_change.yml |   2 +-
 .../proc_creation_win_regini.yml              |   2 +-
 .../proc_creation_win_regini_ads.yml          |   2 +-
 ...move_windows_defender_definition_files.yml |   2 +-
 .../proc_creation_win_renamed_browsercore.yml |   2 +-
 ...reation_win_root_certificate_installed.yml |   4 +-
 .../proc_creation_win_run_from_zip.yml        |   2 +-
 .../proc_creation_win_run_virtualbox.yml      |   2 +-
 ...creation_win_rundll32_not_from_c_drive.yml |   4 +-
 ..._creation_win_rundll32_parent_explorer.yml |   2 +-
 ...on_win_rundll32_registered_com_objects.yml |   2 +-
 ...tion_win_schtasks_appdata_local_system.yml |   2 +-
 .../proc_creation_win_schtasks_reg_loader.yml |   2 +-
 .../proc_creation_win_screenconnect.yml       |   2 +-
 ...c_creation_win_silenttrinity_stage_use.yml |   2 +-
 .../proc_creation_win_software_discovery.yml  |   2 +-
 .../proc_creation_win_sqlcmd_veeam_dump.yml   |   2 +-
 ...c_creation_win_stickykey_like_backdoor.yml |   2 +-
 .../proc_creation_win_sus_auditpol_usage.yml  |   6 +-
 .../proc_creation_win_susp_ad_reco.yml        |   2 +-
 .../proc_creation_win_susp_adfind.yml         |   2 +-
 ...roc_creation_win_susp_adfind_enumerate.yml |   6 +-
 .../proc_creation_win_susp_adidnsdump.yml     |   2 +-
 ...reation_win_susp_advancedrun_priv_user.yml |   6 +-
 ...susp_athremotefxvgpudisablementcommand.yml |   2 +-
 .../proc_creation_win_susp_base64_invoke.yml  |   2 +-
 .../proc_creation_win_susp_bitstransfer.yml   |   6 +-
 .../proc_creation_win_susp_char_in_cmd.yml    |   6 +-
 .../proc_creation_win_susp_cipher.yml         |   2 +-
 ...reation_win_susp_cmd_shadowcopy_access.yml |   2 +-
 ...proc_creation_win_susp_codepage_lookup.yml |   2 +-
 .../proc_creation_win_susp_covenant.yml       |   2 +-
 .../proc_creation_win_susp_csi.yml            |  10 +-
 .../proc_creation_win_susp_del.yml            |   4 +-
 .../proc_creation_win_susp_devinit_lolbin.yml |   4 +-
 ...roc_creation_win_susp_devtoolslauncher.yml |   2 +-
 .../proc_creation_win_susp_dir.yml            |   2 +-
 ...roc_creation_win_susp_disable_eventlog.yml |   2 +-
 ...proc_creation_win_susp_disable_raccine.yml |   4 +-
 .../proc_creation_win_susp_findstr_385201.yml |   2 +-
 .../proc_creation_win_susp_finger_usage.yml   |   2 +-
 ...roc_creation_win_susp_firewall_disable.yml |   2 +-
 .../proc_creation_win_susp_gpresult.yml       |   4 +-
 .../proc_creation_win_susp_hostname.yml       |   2 +-
 .../proc_creation_win_susp_instalutil.yml     |   2 +-
 .../proc_creation_win_susp_machineguid.yml    |   2 +-
 .../proc_creation_win_susp_mpiexec_lolbin.yml |   4 +-
 .../proc_creation_win_susp_mshta_pattern.yml  |  10 +-
 ...on_win_susp_net_use_password_plaintext.yml |   2 +-
 ...n_win_susp_network_listing_connections.yml |   4 +-
 .../proc_creation_win_susp_nmap.yml           |   4 +-
 .../proc_creation_win_susp_non_exe_image.yml  |   1 -
 ...in_susp_nt_resource_kit_auditpol_usage.yml |   4 +-
 ..._creation_win_susp_ntdll_type_redirect.yml |   2 +-
 .../proc_creation_win_susp_ntds.yml           |   6 +-
 ...ation_win_susp_powershell_cmd_patterns.yml |   2 +-
 ...reation_win_susp_powershell_sam_access.yml |   4 +-
 ...oc_creation_win_susp_pressynkey_lolbin.yml |   2 +-
 ...win_susp_psexex_paexec_escalate_system.yml |   6 +-
 ..._creation_win_susp_psexex_paexec_flags.yml |  10 +-
 .../proc_creation_win_susp_rar_flags.yml      |   4 +-
 ...ation_win_susp_razorinstaller_explorer.yml |   2 +-
 ...roc_creation_win_susp_rclone_execution.yml |   4 +-
 ...ation_win_susp_redir_local_admin_share.yml |   2 +-
 ...roc_creation_win_susp_reg_open_command.yml |   2 +-
 ...tion_win_susp_regedit_trustedinstaller.yml |   4 +-
 ...reation_win_susp_regsvr32_http_pattern.yml |   4 +-
 .../proc_creation_win_susp_regsvr32_image.yml |   4 +-
 ...proc_creation_win_susp_regsvr32_no_dll.yml |   2 +-
 .../proc_creation_win_susp_renamed_paexec.yml |   8 +-
 .../proc_creation_win_susp_run_folder.yml     |   2 +-
 ..._creation_win_susp_rundll32_inline_vbs.yml |   4 +-
 ...in_susp_rundll32_js_runhtmlapplication.yml |   1 -
 ...proc_creation_win_susp_rundll32_keymgr.yml |   2 +-
 ...c_creation_win_susp_rundll32_no_params.yml |   6 +-
 ..._creation_win_susp_rundll32_script_run.yml |   2 +-
 ..._creation_win_susp_rundll32_user32_dll.yml |   4 +-
 ..._win_susp_schtask_creation_temp_folder.yml |   2 +-
 ...roc_creation_win_susp_schtasks_disable.yml |   6 +-
 ..._creation_win_susp_schtasks_env_folder.yml |   2 +-
 ...eation_win_susp_schtasks_folder_combos.yml |   6 +-
 ...c_creation_win_susp_schtasks_user_temp.yml |   2 +-
 ...creation_win_susp_screenconnect_access.yml |   6 +-
 ...proc_creation_win_susp_screensaver_reg.yml |   4 +-
 ...n_win_susp_script_exec_from_env_folder.yml |   2 +-
 ...reation_win_susp_script_exec_from_temp.yml |   4 +-
 ...roc_creation_win_susp_script_execution.yml |   1 -
 .../proc_creation_win_susp_service_dir.yml    |   8 +-
 ...creation_win_susp_service_modification.yml |   2 +-
 ...susp_servu_exploitation_cve_2021_35211.yml |   2 +-
 ...reation_win_susp_servu_process_pattern.yml |   2 +-
 .../proc_creation_win_susp_sharpview.yml      |   4 +-
 .../proc_creation_win_susp_shutdown.yml       |   8 +-
 .../proc_creation_win_susp_splwow64.yml       |   4 +-
 ...ation_win_susp_spoolsv_child_processes.yml |   2 +-
 ...proc_creation_win_susp_squirrel_lolbin.yml |   2 +-
 ..._creation_win_susp_system_user_anomaly.yml |   2 +-
 .../proc_creation_win_susp_systeminfo.yml     |   2 +-
 .../proc_creation_win_susp_takeown.yml        |   2 +-
 ...tion_win_susp_use_of_vsjitdebugger_bin.yml |   1 -
 .../proc_creation_win_susp_userinit_child.yml |   2 +-
 .../proc_creation_win_susp_vaultcmd.yml       |   2 +-
 ...roc_creation_win_susp_vbscript_unc2452.yml |   2 +-
 ...proc_creation_win_susp_volsnap_disable.yml |   2 +-
 ...proc_creation_win_susp_web_request_cmd.yml |   2 +-
 ...proc_creation_win_susp_where_execution.yml |   2 +-
 .../proc_creation_win_susp_winrar_dmp.yml     |   2 +-
 ...roc_creation_win_susp_winrar_execution.yml |   6 +-
 ...roc_creation_win_susp_winrm_awl_bypass.yml |   4 +-
 .../proc_creation_win_susp_zip_compress.yml   |   4 +-
 ...reation_win_sysinternals_eula_accepted.yml |   4 +-
 ...proc_creation_win_sysmon_driver_unload.yml |   2 +-
 ...reation_win_sysmon_uac_bypass_eventvwr.yml |   4 +-
 .../proc_creation_win_tool_psexec.yml         |   2 +-
 .../proc_creation_win_tool_runx_as_system.yml |   2 +-
 .../proc_creation_win_tor_browser.yml         |   2 +-
 .../proc_creation_win_trust_discovery.yml     |   4 +-
 ...ation_win_uninstall_crowdstrike_falcon.yml |   2 +-
 .../proc_creation_win_uninstall_sysmon.yml    |   4 +-
 .../proc_creation_win_webshell_hacking.yml    |  14 +-
 ..._creation_win_webshell_recon_detection.yml |   8 +-
 .../proc_creation_win_webshell_spawn.yml      |   9 +-
 .../proc_creation_win_whoami_priv.yml         |   2 +-
 ...eation_win_win_exchange_transportagent.yml |   8 +-
 ...proc_creation_win_wmi_spwns_powershell.yml |   2 +-
 .../proc_creation_win_wmic_reconnaissance.yml |   2 +-
 ...c_creation_win_wmic_remove_application.yml |   2 +-
 ...w_disk_access_using_illegitimate_tools.yml |   1 -
 .../registry_add/registry_add_mal_netwire.yml |   6 +-
 .../registry_add/registry_add_mal_ursnif.yml  |   2 +-
 .../registry_add_persistence_key_linking.yml  |   4 +-
 ...egistry_add_sysinternals_eula_accepted.yml |   4 +-
 ...add_sysinternals_sdelete_registry_keys.yml |   2 +-
 ...istry_delete_removal_amsi_registry_key.yml |   2 +-
 ...ete_removal_com_hijacking_registry_key.yml |   2 +-
 ...e_removal_sd_value_scheduled_task_hide.yml |   2 +-
 .../registry_event_apt_chafer_mar18.yml       |   4 +-
 .../registry_event_apt_leviathan.yml          |   2 +-
 .../registry_event_apt_pandemic.yml           |   4 +-
 ...stry_event_cmstp_execution_by_registry.yml |   2 +-
 .../registry_event_crashdump_disabled.yml     |   2 +-
 ...cve_2021_31979_cve_2021_33771_exploits.yml |   2 +-
 ...egistry_event_dns_serverlevelplugindll.yml |   4 +-
 ...entutl_volume_shadow_copy_service_keys.yml |   4 +-
 ...t_hybridconnectionmgr_svc_installation.yml |   2 +-
 ...gistry_event_mimikatz_printernightmare.yml |   2 +-
 .../registry_event_net_ntlm_downgrade.yml     |   4 +-
 ...dll_added_to_appinit_dlls_registry_key.yml |   2 +-
 ...registry_event_persistence_recycle_bin.yml |   2 +-
 ...try_event_shell_open_keys_manipulation.yml |   4 +-
 ...registry_event_silentprocessexit_lsass.yml |   4 +-
 ...registry_event_stickykey_like_backdoor.yml |   2 +-
 ...sing_windows_telemetry_for_persistence.yml |   4 +-
 .../registry_set_add_port_monitor.yml         |   2 +-
 .../registry_set_blackbyte_ransomware.yml     |   4 +-
 ...istry_set_bypass_uac_using_eventviewer.yml |   2 +-
 ...et_bypass_uac_using_silentcleanup_task.yml |   2 +-
 .../registry_set_change_rdp_port.yml          |   2 +-
 .../registry_set_chrome_extension.yml         | 210 +++++-----
 ...stry_set_cobaltstrike_service_installs.yml |   8 +-
 ...istry_set_creation_service_susp_folder.yml |   8 +-
 ...istry_set_creation_service_temp_folder.yml |   6 +-
 ...y_set_creation_service_uncommon_folder.yml |  12 +-
 .../registry_set_defender_disabled.yml        |   4 +-
 .../registry_set_defender_exclusions.yml      |   2 +-
 ..._defender_realtime_protection_disabled.yml |   8 +-
 ...istry_set_disable_administrative_share.yml |   2 +-
 ...ble_microsoft_office_security_features.yml |   8 +-
 .../registry_set_disable_system_restore.yml   |   4 +-
 ...it_guard_net_protection_on_ms_defender.yml |   2 +-
 ...t_disabled_microsoft_defender_eventlog.yml |   2 +-
 ...d_pua_protection_on_microsoft_defender.yml |   2 +-
 ...amper_protection_on_microsoft_defender.yml |   2 +-
 .../registry_set_dns_over_https_enabled.yml   |   2 +-
 .../registry_set_etw_disabled.yml             |   2 +-
 .../registry_set_file_association_exefile.yml |   2 +-
 .../registry_set/registry_set_hide_file.yml   |   2 +-
 .../registry_set/registry_set_mal_adwind.yml  |   2 +-
 .../registry_set_mal_blue_mockingbird.yml     |   2 +-
 .../registry_set_office_enable_dde.yml        |   4 +-
 .../registry_set_office_security.yml          |   2 +-
 .../registry_set_office_vsto_persistence.yml  |   2 +-
 .../registry_set_outlook_c2_registry_key.yml  |   4 +-
 ...egistry_set_outlook_registry_todaypage.yml |  10 +-
 .../registry_set_outlook_registry_webview.yml |   8 +-
 .../registry_set_persistence_search_order.yml |   2 +-
 .../registry_set_powershell_as_service.yml    |   6 +-
 ...gistry_set_powershell_logging_disabled.yml |   4 +-
 ...registry_set_rdp_registry_modification.yml |   2 +-
 .../registry_set_rdp_settings_hijack.yml      |   2 +-
 ...stry_set_scr_file_executed_by_rundll32.yml |   4 +-
 ...egistry_set_shim_databases_persistence.yml |   2 +-
 .../registry_set_silentprocessexit.yml        |   6 +-
 .../registry_set_susp_printer_driver.yml      |   2 +-
 ...stry_set_susp_reg_persist_explorer_run.yml |   2 +-
 .../registry_set_susp_run_key_img_folder.yml  |   6 +-
 .../registry_set_taskcache_entry.yml          |   2 +-
 .../registry_set_telemetry_persistence.yml    |   2 +-
 .../registry_set_timeproviders_dllname.yml    |   4 +-
 .../registry_set_uac_bypass_eventvwr.yml      |   2 +-
 .../registry_set_uac_bypass_sdclt.yml         |   6 +-
 .../registry_set_uac_bypass_winsat.yml        |   2 +-
 .../registry_set_uac_bypass_wmp.yml           |   2 +-
 .../registry_set_vbs_payload_stored.yml       |   6 +-
 .../registry_set_wab_dllpath_reg_change.yml   |   6 +-
 ..._set_wdigest_enable_uselogoncredential.yml |   4 +-
 .../registry_set_winlogon_notify_key.yml      |   2 +-
 ...napi_in_powershell_credentials_dumping.yml |   2 +-
 .../sysmon/sysmon_config_modification.yml     |   2 +-
 .../sysmon_config_modification_status.yml     |   2 +-
 .../sysmon_dcom_iertutil_dll_hijack.yml       |   6 +-
 .../sysmon/sysmon_process_hollowing.yml       |   4 +-
 .../wmi_event/sysmon_wmi_susp_scripting.yml   |   2 +-
 .../SecurityAnalyticsClientUtils.java         |   2 +-
 .../SecurityAnalyticsRestTestCase.java        |  21 +-
 .../securityanalytics/TestHelpers.java        |   2 +-
 .../action/AckAlertsRequestTests.java         |   2 +-
 .../action/AckAlertsResponseTests.java        |   2 +-
 .../CreateIndexMappingsRequestTests.java      |   2 +-
 .../action/GetDetectorRequestTests.java       |   2 +-
 .../action/GetIndexMappingsRequestTests.java  |   2 +-
 .../action/GetIndexMappingsResponseTests.java |   2 +-
 .../action/IndexDetectorRequestTests.java     |   2 +-
 .../action/IndexDetectorResponseTests.java    |   4 +-
 .../UpdateIndexMappingsRequestTests.java      |   2 +-
 .../action/ValidateRulesRequestTests.java     |   4 +-
 .../action/ValidateRulesResponseTests.java    |   6 +-
 .../alerts/AlertingServiceTests.java          |   4 +-
 .../securityanalytics/alerts/AlertsIT.java    |   2 +-
 .../alerts/SecureAlertsRestApiIT.java         |   2 +-
 .../CorrelationEngineRestApiIT.java           |   2 +-
 .../correlation/LuceneEngineIT.java           |   2 +-
 .../securityanalytics/findings/FindingIT.java |   2 +-
 .../findings/FindingServiceTests.java         |   4 +-
 .../findings/SecureFindingRestApiIT.java      |   2 +-
 .../mapper/MapperRestApiIT.java               |   6 +-
 .../mapper/MapperServiceTests.java            |   2 +-
 .../CreateIndexMappingsRequestTests.java      |   2 +-
 .../mapping/GetIndexMappingsRequestTests.java |   2 +-
 .../GetIndexMappingsResponseTests.java        |   2 +-
 .../UpdateIndexMappingsRequestTests.java      |   2 +-
 .../model/DetectorInputTests.java             |   2 +-
 .../model/WriteableTests.java                 |   2 +-
 .../model/XContentTests.java                  |   3 +-
 .../resthandler/CustomLogTypeRestApiIT.java   |   2 +-
 .../resthandler/DetectorMonitorRestApiIT.java |   2 +-
 .../resthandler/DetectorRestApiIT.java        |  14 +-
 .../resthandler/OCSFDetectorRestApiIT.java    |   2 +-
 .../resthandler/RuleRestApiIT.java            |  11 +-
 .../resthandler/SecureDetectorRestApiIT.java  |   2 +-
 .../writable/LogTypeTests.java                |   2 +-
 .../resources/OSMapping/windows/mappings.json |   2 +-
 src/test/resources/ad_ldap-sample.json        |   2 +-
 src/test/resources/azure-sample.json          |   2 +-
 src/test/resources/dns-sample.json            |   2 +-
 src/test/resources/s3-sample.json             |   2 +-
 src/test/resources/testMissingPath.json       |   2 +-
 .../testMultipleAliasesWithSameName.json      |   2 +-
 .../resources/testValidAliasMappings.json     |   2 +-
 .../testValidAliasMappingsSimple.json         |   2 +-
 .../testValidAliasMappingsWithNestedType.json |   2 +-
 1061 files changed, 2544 insertions(+), 2000 deletions(-)
 create mode 100644 checkstyle/sun_checks.xml
 create mode 100644 formatter/formatterConfig.xml
 create mode 100644 gradle/formatting.gradle

diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
index a8199a104..67f6e2a32 100644
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -4,4 +4,4 @@ contact_links:
     about: Please ask and answer questions here.
   - name: AWS/Amazon Security
     url: https://aws.amazon.com/security/vulnerability-reporting/
-    about: Please report security vulnerabilities here.
\ No newline at end of file
+    about: Please report security vulnerabilities here.
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 2d3d7060f..e3f96a44f 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -26,4 +26,4 @@ jobs:
         uses: VachaShah/backport@v1.1.4
         with:
           github_token: ${{ steps.github_app_token.outputs.token }}
-          branch_name: backport/backport-${{ github.event.number }}
\ No newline at end of file
+          branch_name: backport/backport-${{ github.event.number }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c2ab4d407..7dfd0c361 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -84,4 +84,4 @@ jobs:
         uses: actions/upload-artifact@v1
         with:
           name: security-analytics-plugin-${{ matrix.os }}
-          path: security-analytics-artifacts
\ No newline at end of file
+          path: security-analytics-artifacts
diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml
index d4c9ff2c4..0a30f2f76 100644
--- a/.github/workflows/dco.yml
+++ b/.github/workflows/dco.yml
@@ -15,4 +15,4 @@ jobs:
     - name: DCO Check
       uses: tim-actions/dco@v1.1.0
       with:
-        commits: ${{ steps.get-pr-commits.outputs.commits }}
\ No newline at end of file
+        commits: ${{ steps.get-pr-commits.outputs.commits }}
diff --git a/.github/workflows/delete_backport_branch.yml b/.github/workflows/delete_backport_branch.yml
index 39b5b3424..5dcb12e2d 100644
--- a/.github/workflows/delete_backport_branch.yml
+++ b/.github/workflows/delete_backport_branch.yml
@@ -17,4 +17,4 @@ jobs:
       - name: Delete merged branch
         uses: SvanBoxel/delete-merged-branch@main
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/multi-node-test-workflow.yml b/.github/workflows/multi-node-test-workflow.yml
index d7c4a1a0c..4bd011bbb 100644
--- a/.github/workflows/multi-node-test-workflow.yml
+++ b/.github/workflows/multi-node-test-workflow.yml
@@ -33,4 +33,4 @@ jobs:
         if: failure()
         with:
           name: logs
-          path: build/testclusters/integTest-*/logs/*
\ No newline at end of file
+          path: build/testclusters/integTest-*/logs/*
diff --git a/.github/workflows/security-test-workflow.yml b/.github/workflows/security-test-workflow.yml
index f600314e2..725dd9207 100644
--- a/.github/workflows/security-test-workflow.yml
+++ b/.github/workflows/security-test-workflow.yml
@@ -82,7 +82,7 @@ jobs:
           if [ $security -gt 0 ]
           then
             echo "Security plugin is available"
-            ./gradlew :integTest -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername=docker-cluster -Dhttps=true -Duser=admin -Dpassword=admin          
+            ./gradlew :integTest -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername=docker-cluster -Dhttps=true -Duser=admin -Dpassword=admin
           else
             echo "Security plugin is NOT available skipping this run as tests without security have already been run"
           fi
diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml
index 550306f13..ce850295d 100644
--- a/.github/workflows/version.yml
+++ b/.github/workflows/version.yml
@@ -5,7 +5,7 @@ on:
     tags:
       - '*.*.*.*'
 
-jobs:  
+jobs:
   build:
     runs-on: ubuntu-latest
     steps:
@@ -50,4 +50,4 @@ jobs:
           delete-branch: true
           title: '[AUTO] Incremented version to ${{ env.NEXT_VERSION }}.'
           body: |
-            I've noticed that a new tag ${{ env.TAG }} was pushed, and incremented the version from ${{ env.CURRENT_VERSION }} to ${{ env.NEXT_VERSION }}.
\ No newline at end of file
+            I've noticed that a new tag ${{ env.TAG }} was pushed, and incremented the version from ${{ env.CURRENT_VERSION }} to ${{ env.NEXT_VERSION }}.
diff --git a/build.gradle b/build.gradle
index 1fe0c1b7a..71fc610a1 100644
--- a/build.gradle
+++ b/build.gradle
@@ -2,11 +2,12 @@
  * Copyright OpenSearch Contributors
  * SPDX-License-Identifier: Apache-2.0
  */
+import com.diffplug.gradle.spotless.JavaExtension
 import org.opensearch.gradle.test.RestIntegTestTask
 
 buildscript {
     ext {
-        opensearch_version = System.getProperty("opensearch.version", "2.9.0-SNAPSHOT")
+        opensearch_version = System.getProperty("opensearch.version", "2.10.0-SNAPSHOT")
         isSnapshot = "true" == System.getProperty("build.snapshot", "true")
         buildVersionQualifier = System.getProperty("build.version_qualifier", "")
         version_tokens = opensearch_version.tokenize('-')
@@ -35,6 +36,8 @@ buildscript {
 }
 
 plugins {
+    id 'java'
+    id 'com.diffplug.spotless' version '6.20.0'
     id "com.netflix.nebula.ospackage" version "11.3.0"
     id 'java-library'
 }
@@ -44,6 +47,7 @@ apply plugin: 'opensearch.testclusters'
 apply plugin: 'opensearch.java-rest-test'
 apply plugin: 'opensearch.pluginzip'
 apply from: 'build-tools/opensearchplugin-coverage.gradle'
+apply from: 'gradle/formatting.gradle'
 
 ext {
     projectSubstitutions = [:]
@@ -88,7 +92,7 @@ allprojects {
 
     apply from: "$rootDir/build-tools/repositories.gradle"
 
-    plugins.withId('java') {
+    java {
         targetCompatibility = JavaVersion.VERSION_11
         sourceCompatibility = JavaVersion.VERSION_11
     }
@@ -156,6 +160,11 @@ dependencies {
     zipArchive group: 'org.opensearch.plugin', name:'alerting', version: "${opensearch_build}"
     zipArchive group: 'org.opensearch.plugin', name:'opensearch-notifications-core', version: "${opensearch_build}"
     zipArchive group: 'org.opensearch.plugin', name:'notifications', version: "${opensearch_build}"
+
+    //spotless
+    implementation('com.google.googlejavaformat:google-java-format:1.17.0') {
+        exclude group: 'com.google.guava'
+    }
 }
 
 // RPM & Debian build
@@ -343,7 +352,7 @@ afterEvaluate {
         maintainer 'OpenSearch Team <opensearch@amazon.com>'
         url 'https://opensearch.org/downloads.html'
         summary '''
-         Security Analytics plugin for OpenSearch. 
+         Security Analytics plugin for OpenSearch.
          Reference documentation can be found at https://docs-beta.opensearch.org/.
     '''.stripIndent().replace('\n', ' ').trim()
     }
@@ -368,4 +377,4 @@ afterEvaluate {
             doLast { delete file("$buildDir/distributions/$archiveFileName") }
         }
     }
-}
\ No newline at end of file
+}
diff --git a/checkstyle/sun_checks.xml b/checkstyle/sun_checks.xml
new file mode 100644
index 000000000..b11aede42
--- /dev/null
+++ b/checkstyle/sun_checks.xml
@@ -0,0 +1,225 @@
+<?xml version="1.0"?>
+<!DOCTYPE module PUBLIC
+        "-//Checkstyle//DTD Checkstyle Configuration 1.3//EN"
+        "https://checkstyle.org/dtds/configuration_1_3.dtd">
+
+<!--
+  Checkstyle configuration that checks the sun coding conventions from:
+    - the Java Language Specification at
+      https://docs.oracle.com/javase/specs/jls/se11/html/index.html
+    - the Sun Code Conventions at https://www.oracle.com/java/technologies/javase/codeconventions-contents.html
+    - the Javadoc guidelines at
+      https://www.oracle.com/technical-resources/articles/java/javadoc-tool.html
+    - the JDK Api documentation https://docs.oracle.com/en/java/javase/11/
+    - some best practices
+  Checkstyle is very configurable. Be sure to read the documentation at
+  https://checkstyle.org (or in your downloaded distribution).
+  Most Checks are configurable, be sure to consult the documentation.
+  To completely disable a check, just comment it out or delete it from the file.
+  To suppress certain violations please review suppression filters.
+  Finally, it is worth reading the documentation.
+-->
+
+<module name="Checker">
+    <!--
+        If you set the basedir property below, then all reported file
+        names will be relative to the specified directory. See
+        https://checkstyle.org/config.html#Checker
+        <property name="basedir" value="${basedir}"/>
+    -->
+    <property name="severity" value="ignore"/>
+
+    <property name="fileExtensions" value="java, properties, xml"/>
+
+    <!-- Excludes all 'module-info.java' files              -->
+    <!-- See https://checkstyle.org/config_filefilters.html -->
+    <module name="BeforeExecutionExclusionFileFilter">
+        <property name="fileNamePattern" value="module\-info\.java$"/>
+    </module>
+
+    <!-- https://checkstyle.org/config_filters.html#SuppressionFilter -->
+    <module name="SuppressionFilter">
+        <property name="file" value="${org.checkstyle.sun.suppressionfilter.config}"
+                  default="checkstyle-suppressions.xml" />
+        <property name="optional" value="true"/>
+    </module>
+
+    <!-- Checks that a package-info.java file exists for each package.     -->
+    <!-- See https://checkstyle.org/config_javadoc.html#JavadocPackage -->
+    <module name="JavadocPackage"/>
+
+    <!-- Checks whether files end with a new line.                        -->
+    <!-- See https://checkstyle.org/config_misc.html#NewlineAtEndOfFile -->
+    <module name="NewlineAtEndOfFile"/>
+
+    <!-- Checks that property files contain the same keys.         -->
+    <!-- See https://checkstyle.org/config_misc.html#Translation -->
+    <module name="Translation"/>
+
+    <!-- Checks for Size Violations.                    -->
+    <!-- See https://checkstyle.org/config_sizes.html -->
+    <module name="FileLength"/>
+    <module name="LineLength">
+        <property name="fileExtensions" value="java"/>
+    </module>
+
+    <!-- Checks for whitespace                               -->
+    <!-- See https://checkstyle.org/config_whitespace.html -->
+    <module name="FileTabCharacter"/>
+
+    <!-- Miscellaneous other checks.                   -->
+    <!-- See https://checkstyle.org/config_misc.html -->
+    <module name="RegexpSingleline">
+        <property name="format" value="\s+$"/>
+        <property name="minimum" value="0"/>
+        <property name="maximum" value="0"/>
+        <property name="message" value="Line has trailing spaces."/>
+    </module>
+
+    <!-- Checks for Headers                                -->
+    <!-- See https://checkstyle.org/config_header.html   -->
+    <!-- <module name="Header"> -->
+    <!--   <property name="headerFile" value="${checkstyle.header.file}"/> -->
+    <!--   <property name="fileExtensions" value="java"/> -->
+    <!-- </module> -->
+
+    <module name="TreeWalker">
+
+        <!-- Checks for Javadoc comments.                     -->
+        <!-- See https://checkstyle.org/config_javadoc.html -->
+        <module name="InvalidJavadocPosition"/>
+        <module name="JavadocMethod"/>
+        <module name="JavadocType"/>
+        <module name="JavadocVariable"/>
+        <module name="JavadocStyle"/>
+        <module name="MissingJavadocMethod"/>
+
+        <!-- Checks for Naming Conventions.                  -->
+        <!-- See https://checkstyle.org/config_naming.html -->
+        <module name="ConstantName"/>
+        <module name="LocalFinalVariableName"/>
+        <module name="LocalVariableName"/>
+        <module name="MemberName"/>
+        <module name="MethodName"/>
+        <module name="PackageName"/>
+        <module name="ParameterName"/>
+        <module name="StaticVariableName"/>
+        <module name="TypeName"/>
+
+        <!-- Checks for imports                              -->
+        <!-- See https://checkstyle.org/config_imports.html -->
+        <module name="AvoidStarImport">
+            <property name="severity" value="error"/>
+        </module>
+        <module name="IllegalImport"> <!-- defaults to sun.* packages -->
+            <property name="severity" value="error"/>
+        </module>
+        <module name="RedundantImport">
+            <property name="severity" value="error"/>
+        </module>
+        <module name="UnusedImports">
+            <property name="severity" value="error"/>
+            <property name="processJavadoc" value="true"/>
+        </module>
+
+        <!-- Checks for Size Violations.                    -->
+        <!-- See https://checkstyle.org/config_sizes.html -->
+        <module name="MethodLength"/>
+        <module name="ParameterNumber"/>
+
+        <!-- Checks for whitespace                               -->
+        <!-- See https://checkstyle.org/config_whitespace.html -->
+        <module name="EmptyForIteratorPad"/>
+        <module name="GenericWhitespace"/>
+        <module name="MethodParamPad"/>
+        <module name="NoWhitespaceAfter"/>
+        <module name="NoWhitespaceBefore"/>
+        <module name="OperatorWrap"/>
+        <module name="ParenPad"/>
+        <module name="TypecastParenPad"/>
+        <module name="WhitespaceAfter"/>
+        <module name="WhitespaceAround"/>
+
+        <!-- Modifier Checks                                    -->
+        <!-- See https://checkstyle.org/config_modifier.html -->
+        <module name="ModifierOrder"/>
+        <module name="RedundantModifier"/>
+
+        <!-- Checks for blocks. You know, those {}'s         -->
+        <!-- See https://checkstyle.org/config_blocks.html -->
+        <module name="AvoidNestedBlocks"/>
+        <module name="EmptyBlock"/>
+        <module name="LeftCurly"/>
+        <module name="NeedBraces"/>
+        <module name="RightCurly"/>
+
+        <!-- Checks for common coding problems               -->
+        <!-- See https://checkstyle.org/config_coding.html -->
+        <module name="EmptyStatement"/>
+        <module name="EqualsHashCode"/>
+        <module name="HiddenField"/>
+        <module name="IllegalInstantiation"/>
+        <module name="InnerAssignment"/>
+        <module name="MagicNumber"/>
+        <module name="MissingSwitchDefault"/>
+        <module name="MultipleVariableDeclarations"/>
+        <module name="SimplifyBooleanExpression"/>
+        <module name="SimplifyBooleanReturn"/>
+
+        <!-- Checks for class design                         -->
+        <!-- See https://checkstyle.org/config_design.html -->
+        <module name="DesignForExtension"/>
+        <module name="FinalClass"/>
+        <module name="HideUtilityClassConstructor"/>
+        <module name="InterfaceIsType"/>
+        <module name="VisibilityModifier"/>
+
+        <!-- Miscellaneous other checks.                   -->
+        <!-- See https://checkstyle.org/config_misc.html -->
+        <module name="ArrayTypeStyle"/>
+        <module name="FinalParameters"/>
+        <module name="TodoComment"/>
+        <module name="UpperEll"/>
+
+        <!-- https://checkstyle.org/config_filters.html#SuppressionXpathFilter -->
+        <module name="SuppressionXpathFilter">
+            <property name="file" value="${org.checkstyle.sun.suppressionxpathfilter.config}"
+                      default="checkstyle-xpath-suppressions.xml" />
+            <property name="optional" value="true"/>
+        </module>
+
+    </module>
+
+    <module name="RegexpSingleline">
+        <property name="format" value="whitelist"/>
+        <property name="ignoreCase" value="true"/>
+        <property name="message" value="Usage should be switched to an allow* based pattern" />
+        <property name="severity" value="ignore"/>
+    </module>
+
+    <module name="RegexpSingleline">
+        <property name="format" value="master"/>
+        <property name="ignoreCase" value="true"/>
+        <property name="message" value="Usage should be switched to cluster manager" />
+        <property name="severity" value="error"/>
+    </module>
+
+    <module name="RegexpSingleline">
+        <property name="format" value="extension"/>
+        <property name="ignoreCase" value="true"/>
+        <property name="message" value="Extension should only be used sparingly to keep implementations as generic as possible" />
+        <property name="severity" value="error"/>
+    </module>
+
+    <module name="SuppressWithPlainTextCommentFilter">
+        <property name="offCommentFormat" value="CS-SUPPRESS-ALL: .+"/> <!-- Require an explaination after surpressing -->
+        <property name="onCommentFormat" value="CS-ENFORCE-ALL"/>
+    </module>
+
+    <module name="SuppressWithPlainTextCommentFilter">
+        <property name="offCommentFormat" value="CS-SUPPRESS-SINGLE\: ([\w\|]+) .+"/> <!-- Require an explaination after surpressing -->
+        <property name="onCommentFormat" value="CS-ENFORCE-SINGLE()"/>
+        <property name="checkFormat" value="$1"/>
+    </module>
+
+</module>
\ No newline at end of file
diff --git a/formatter/formatterConfig.xml b/formatter/formatterConfig.xml
new file mode 100644
index 000000000..b0e1ecccb
--- /dev/null
+++ b/formatter/formatterConfig.xml
@@ -0,0 +1,362 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<profiles version="17">
+    <profile kind="CodeFormatterProfile" name="OpenSearch" version="17">
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_ellipsis" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_comma_in_enum_declarations" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_comma_in_allocation_expression" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_at_in_annotation_type_declaration" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.parentheses_positions_in_for_statment" value="common_lines"/>
+        <setting id="org.eclipse.jdt.core.formatter.comment.new_lines_at_block_boundaries" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_logical_operator" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_comma_in_constructor_declaration_parameters" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.comment.insert_new_line_for_parameter" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_package" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.parentheses_positions_in_method_invocation" value="separate_lines_if_wrapped"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_enum_constant" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.blank_lines_after_imports" value="1"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_while" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.comment.insert_new_line_before_root_tags" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_annotation_type_member_declaration" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_comma_in_method_declaration_throws" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.parentheses_positions_in_switch_statement" value="common_lines"/>
+        <setting id="org.eclipse.jdt.core.formatter.comment.format_javadoc_comments" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.indentation.size" value="4"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_postfix_operator" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.parentheses_positions_in_enum_constant_declaration" value="separate_lines_if_wrapped"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_comma_in_for_increments" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_comma_in_type_arguments" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_arrow_in_switch_default" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_comma_in_for_inits" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_semicolon_in_for" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.align_with_spaces" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.disabling_tag" value="tag::"/>
+        <setting id="org.eclipse.jdt.core.formatter.continuation_indentation" value="1"/>
+        <setting id="org.eclipse.jdt.core.formatter.number_of_blank_lines_before_code_block" value="0"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_comma_in_switch_case_expressions" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_enum_constants" value="49"/>
+        <setting id="org.eclipse.jdt.core.formatter.blank_lines_before_imports" value="1"/>
+        <setting id="org.eclipse.jdt.core.formatter.number_of_blank_lines_at_end_of_method_body" value="0"/>
+        <setting id="org.eclipse.jdt.core.formatter.blank_lines_after_package" value="1"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_comma_in_multiple_local_declarations" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.parentheses_positions_in_if_while_statement" value="common_lines"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_arguments_in_enum_constant" value="48"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_opening_angle_bracket_in_parameterized_type_reference" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.comment.indent_root_tags" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.wrap_before_or_operator_multicatch" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.enabling_tag" value="end::"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_closing_brace_in_block" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.comment.count_line_length_from_starting_position" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_parenthesized_expression_in_return" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_throws_clause_in_method_declaration" value="16"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_parameter" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_arrow_in_switch_case" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.wrap_before_multiplicative_operator" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.keep_then_statement_on_same_line" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_field" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_comma_in_explicitconstructorcall_arguments" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_prefix_operator" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.blank_lines_between_type_declarations" value="1"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_closing_brace_in_array_initializer" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_for" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_catch" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_opening_angle_bracket_in_type_arguments" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_method" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_switch" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_parameterized_type_references" value="48"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_anonymous_type_declaration" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_logical_operator" value="48"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_parenthesized_expression" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.keep_annotation_declaration_on_one_line" value="one_line_never"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_enum_constant" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_multiplicative_operator" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.never_indent_line_comments_on_first_column" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_and_in_type_parameter" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_comma_in_for_inits" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.indent_statements_compare_to_block" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.brace_position_for_anonymous_type_declaration" value="end_of_line"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_question_in_wildcard" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_annotation" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_comma_in_method_invocation_arguments" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_switch" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.comment.align_tags_descriptions_grouped" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.comment.line_length" value="140"/>
+        <setting id="org.eclipse.jdt.core.formatter.use_on_off_tags" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.keep_method_body_on_one_line" value="one_line_if_empty"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_between_empty_brackets_in_array_allocation_expression" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.keep_loop_body_block_on_one_line" value="one_line_never"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_enum_constant" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_method_invocation" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_assignment_operator" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_type_declaration" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_for" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.comment.preserve_white_space_between_code_and_line_comments" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_local_variable" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.brace_position_for_method_declaration" value="end_of_line"/>
+        <setting id="org.eclipse.jdt.core.formatter.blank_lines_before_abstract_method" value="1"/>
+        <setting id="org.eclipse.jdt.core.formatter.keep_enum_constant_declaration_on_one_line" value="one_line_never"/>
+        <setting id="org.eclipse.jdt.core.formatter.align_variable_declarations_on_columns" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_method_invocation" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_union_type_in_multicatch" value="16"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_colon_in_for" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.keep_type_declaration_on_one_line" value="one_line_if_empty"/>
+        <setting id="org.eclipse.jdt.core.formatter.number_of_blank_lines_at_beginning_of_method_body" value="0"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_closing_angle_bracket_in_type_arguments" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.keep_else_statement_on_same_line" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.parentheses_positions_in_catch_clause" value="common_lines"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_additive_operator" value="16"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_comma_in_parameterized_type_reference" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_comma_in_array_initializer" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_comma_in_multiple_field_declarations" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_comma_in_annotation" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_arguments_in_explicit_constructor_call" value="80"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_relational_operator" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_multiplicative_operator" value="16"/>
+        <setting id="org.eclipse.jdt.core.formatter.keep_anonymous_type_declaration_on_one_line" value="one_line_never"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_comma_in_switch_case_expressions" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.wrap_before_shift_operator" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.indent_body_declarations_compare_to_annotation_declaration_header" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_comma_in_superinterfaces" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_colon_in_default" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_question_in_conditional" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.brace_position_for_block" value="end_of_line"/>
+        <setting id="org.eclipse.jdt.core.formatter.brace_position_for_constructor_declaration" value="end_of_line"/>
+        <setting id="org.eclipse.jdt.core.formatter.brace_position_for_lambda_body" value="end_of_line"/>
+        <setting id="org.eclipse.jdt.core.formatter.number_of_blank_lines_at_end_of_code_block" value="0"/>
+        <setting id="org.eclipse.jdt.core.formatter.compact_else_if" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_comma_in_type_parameters" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_catch" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_method_invocation" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_bitwise_operator" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.put_empty_statement_on_new_line" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_parameters_in_constructor_declaration" value="48"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_type_parameters" value="48"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_comma_in_method_invocation_arguments" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_arguments_in_method_invocation" value="48"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_throws_clause_in_constructor_declaration" value="16"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_compact_loops" value="16"/>
+        <setting id="org.eclipse.jdt.core.formatter.comment.clear_blank_lines_in_block_comment" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_new_line_before_catch_in_try_statement" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_try" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.keep_simple_for_body_on_same_line" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_new_line_at_end_of_file_if_missing" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.comment.clear_blank_lines_in_javadoc_comment" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_relational_operator" value="0"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_comma_in_array_initializer" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_unary_operator" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_expressions_in_array_initializer" value="48"/>
+        <setting id="org.eclipse.jdt.core.formatter.format_line_comment_starting_on_first_column" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.number_of_empty_lines_to_preserve" value="1"/>
+        <setting id="org.eclipse.jdt.core.formatter.parentheses_positions_in_annotation" value="common_lines"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_colon_in_case" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_ellipsis" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_additive_operator" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_semicolon_in_try_resources" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_colon_in_assert" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_if" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_comma_in_type_arguments" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_and_in_type_parameter" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_string_concatenation" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_parenthesized_expression" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.comment.format_line_comments" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_colon_in_labeled_statement" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.align_type_members_on_columns" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_assignment" value="80"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_module_statements" value="16"/>
+        <setting id="org.eclipse.jdt.core.formatter.indent_body_declarations_compare_to_type_header" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_method_declaration" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.number_of_blank_lines_after_code_block" value="0"/>
+        <setting id="org.eclipse.jdt.core.formatter.comment.align_tags_names_descriptions" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_enum_constant" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_superinterfaces_in_type_declaration" value="64"/>
+        <setting id="org.eclipse.jdt.core.formatter.keep_if_then_body_block_on_one_line" value="one_line_never"/>
+        <setting id="org.eclipse.jdt.core.formatter.blank_lines_before_first_class_body_declaration" value="0"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_conditional_expression" value="48"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_new_line_before_closing_brace_in_array_initializer" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_comma_in_constructor_declaration_parameters" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.format_guardian_clause_on_one_line" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_if" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.align_assignment_statements_on_columns" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_type" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_block" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.brace_position_for_enum_declaration" value="end_of_line"/>
+        <setting id="org.eclipse.jdt.core.formatter.brace_position_for_block_in_case" value="end_of_line"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_arrow_in_switch_default" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_constructor_declaration" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_conditional_expression_chain" value="48"/>
+        <setting id="org.eclipse.jdt.core.formatter.comment.format_header" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_arguments_in_allocation_expression" value="80"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_additive_operator" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_method_invocation" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_while" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_switch" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_method_declaration" value="48"/>
+        <setting id="org.eclipse.jdt.core.formatter.join_wrapped_lines" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_constructor_declaration" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.wrap_before_conditional_operator" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.indent_switchstatements_compare_to_cases" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_closing_bracket_in_array_allocation_expression" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_synchronized" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_shift_operator" value="16"/>
+        <setting id="org.eclipse.jdt.core.formatter.align_fields_grouping_blank_lines" value="2147483647"/>
+        <setting id="org.eclipse.jdt.core.formatter.comment.new_lines_at_javadoc_boundaries" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_bitwise_operator" value="16"/>
+        <setting id="org.eclipse.jdt.core.formatter.brace_position_for_annotation_type_declaration" value="end_of_line"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_colon_in_for" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_resources_in_try" value="48"/>
+        <setting id="org.eclipse.jdt.core.formatter.use_tabs_only_for_leading_indentations" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.parentheses_positions_in_try_clause" value="separate_lines_if_wrapped"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_selector_in_method_invocation" value="80"/>
+        <setting id="org.eclipse.jdt.core.formatter.never_indent_block_comments_on_first_column" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.keep_code_block_on_one_line" value="one_line_if_empty"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_synchronized" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_comma_in_constructor_declaration_throws" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.tabulation.size" value="4"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_bitwise_operator" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_comma_in_allocation_expression" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_opening_bracket_in_array_reference" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_colon_in_conditional" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.comment.format_source_code" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_array_initializer" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_try" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_semicolon_in_try_resources" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.blank_lines_before_field" value="0"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_at_in_annotation" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.continuation_indentation_for_array_initializer" value="1"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_question_in_wildcard" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.blank_lines_before_method" value="1"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_superclass_in_type_declaration" value="16"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_superinterfaces_in_enum_declaration" value="48"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_parenthesized_expression_in_throw" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.wrap_before_assignment_operator" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_colon_in_labeled_statement" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.brace_position_for_switch" value="end_of_line"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_comma_in_superinterfaces" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_comma_in_method_declaration_parameters" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_new_line_after_type_annotation" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_opening_brace_in_array_initializer" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_parenthesized_expression" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.comment.format_html" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_at_in_annotation_type_declaration" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_closing_angle_bracket_in_type_parameters" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.parentheses_positions_in_method_delcaration" value="separate_lines_if_wrapped"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_compact_if" value="16"/>
+        <setting id="org.eclipse.jdt.core.formatter.keep_lambda_body_block_on_one_line" value="one_line_if_single_item"/>
+        <setting id="org.eclipse.jdt.core.formatter.indent_empty_lines" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_type_arguments" value="48"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_comma_in_parameterized_type_reference" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_unary_operator" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_enum_constant" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_arguments_in_annotation" value="0"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_comma_in_enum_declarations" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.keep_empty_array_initializer_on_one_line" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.indent_switchstatements_compare_to_switch" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_new_line_before_else_in_if_statement" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_assignment_operator" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_constructor_declaration" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.blank_lines_before_new_chunk" value="1"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_new_line_after_label" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.indent_body_declarations_compare_to_enum_declaration_header" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_opening_bracket_in_array_allocation_expression" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_constructor_declaration" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_colon_in_conditional" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_angle_bracket_in_parameterized_type_reference" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_comma_in_method_declaration_parameters" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_closing_angle_bracket_in_type_arguments" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_cast" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_arrow_in_switch_case" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_colon_in_assert" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.blank_lines_before_member_type" value="1"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_new_line_before_while_in_do_statement" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_logical_operator" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_bracket_in_array_type_reference" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_closing_angle_bracket_in_parameterized_type_reference" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_arguments_in_qualified_allocation_expression" value="16"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_new_line_after_opening_brace_in_array_initializer" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.indent_breaks_compare_to_cases" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_method_declaration" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.wrap_before_bitwise_operator" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_if" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_semicolon" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.wrap_before_relational_operator" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_postfix_operator" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_try" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_angle_bracket_in_type_arguments" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_cast" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.comment.format_block_comments" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_lambda_arrow" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_method_declaration" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.comment.indent_tag_description" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.keep_imple_if_on_one_line" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_enum_declaration" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_parameters_in_method_declaration" value="48"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_between_brackets_in_array_type_reference" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_angle_bracket_in_type_parameters" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_string_concatenation" value="48"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_semicolon_in_for" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_comma_in_method_declaration_throws" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_bracket_in_array_allocation_expression" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.blank_lines_after_last_class_body_declaration" value="0"/>
+        <setting id="org.eclipse.jdt.core.formatter.indent_statements_compare_to_body" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_multiple_fields" value="16"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_comma_in_enum_constant_arguments" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.keep_simple_while_body_on_same_line" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_prefix_operator" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.brace_position_for_array_initializer" value="end_of_line"/>
+        <setting id="org.eclipse.jdt.core.formatter.wrap_before_logical_operator" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_shift_operator" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_method_declaration" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_comma_in_type_parameters" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_catch" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.blank_lines_between_statement_group_in_switch" value="0"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_closing_bracket_in_array_reference" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_comma_in_annotation" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_comma_in_enum_constant_arguments" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.parentheses_positions_in_lambda_declaration" value="common_lines"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_shift_operator" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_between_empty_braces_in_array_initializer" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_colon_in_case" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_comma_in_multiple_local_declarations" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.keep_simple_do_while_body_on_same_line" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_annotation_type_declaration" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_bracket_in_array_reference" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.keep_enum_declaration_on_one_line" value="one_line_never"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_method_declaration" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.wrap_outer_expressions_when_nested" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_closing_paren_in_cast" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.brace_position_for_enum_constant" value="end_of_line"/>
+        <setting id="org.eclipse.jdt.core.formatter.brace_position_for_type_declaration" value="end_of_line"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_multiplicative_operator" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.blank_lines_before_package" value="0"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_for" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_synchronized" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_comma_in_for_increments" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_annotation_type_member_declaration" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.alignment_for_expressions_in_for_loop_header" value="0"/>
+        <setting id="org.eclipse.jdt.core.formatter.wrap_before_additive_operator" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.keep_simple_getter_setter_on_one_line" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_while" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_enum_constant" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_comma_in_explicitconstructorcall_arguments" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_annotation" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_opening_angle_bracket_in_type_parameters" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.indent_body_declarations_compare_to_enum_constant_header" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_string_concatenation" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_lambda_arrow" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_constructor_declaration" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_comma_in_constructor_declaration_throws" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.join_lines_in_comments" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_closing_angle_bracket_in_type_parameters" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_question_in_conditional" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.comment.indent_parameter_description" value="false"/>
+        <setting id="org.eclipse.jdt.core.formatter.number_of_blank_lines_at_beginning_of_code_block" value="0"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_new_line_before_finally_in_try_statement" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.tabulation.char" value="space"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_relational_operator" value="insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_comma_in_multiple_field_declarations" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.wrap_before_string_concatenation" value="true"/>
+        <setting id="org.eclipse.jdt.core.formatter.blank_lines_between_import_groups" value="1"/>
+        <setting id="org.eclipse.jdt.core.formatter.lineSplit" value="140"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_annotation" value="do not insert"/>
+        <setting id="org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_switch" value="insert"/>
+    </profile>
+</profiles>
\ No newline at end of file
diff --git a/gradle/formatting.gradle b/gradle/formatting.gradle
new file mode 100644
index 000000000..4d0e223f2
--- /dev/null
+++ b/gradle/formatting.gradle
@@ -0,0 +1,36 @@
+allprojects {
+    project.apply plugin: "com.diffplug.spotless"
+    spotless {
+        java {
+            // Normally this isn't necessary, but we have Java sources in
+            // non-standard places
+            target '*/com/amazon/dlic/auth/**/*.java'
+
+            removeUnusedImports()
+            eclipse().configFile rootProject.file('formatter/formatterConfig.xml')
+            trimTrailingWhitespace()
+            endWithNewline();
+
+            // note: you can use an empty string for all the imports you didn't specify explicitly, and '\\#` prefix for static imports
+            importOrder('java', 'javax', '', 'com.amazon', 'org.opensearch', '\\#')
+
+            custom 'Refuse wildcard imports', {
+                // Wildcard imports can't be resolved; fail the build
+                if (it =~ /\s+import .*\*;/) {
+                    throw new AssertionError("Do not use wildcard imports.  'spotlessApply' cannot resolve this issue.")
+                }
+            }
+
+            // See DEVELOPER_GUIDE.md for details of when to enable this.
+            if (System.getProperty('spotless.paddedcell') != null) {
+                paddedCell()
+            }
+        }
+        format 'misc', {
+            target '*.md', '*.gradle', '**/*.json', '**/*.yaml', '**/*.yml', '**/*.svg'
+
+            trimTrailingWhitespace()
+            endWithNewline()
+        }
+    }
+}
\ No newline at end of file
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index 37aef8d3f..daf8a3998 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.1.1-bin.zip
-networkTimeout=10000
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.2.1-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
+distributionSha256Sum=03ec176d388f2aa99defcadc3ac6adf8dd2bce5145a129659537c0874dea5ad1
diff --git a/gradlew b/gradlew
index aeb74cbb4..325571e39 100755
--- a/gradlew
+++ b/gradlew
@@ -130,10 +130,12 @@ location of your Java installation."
     fi
 else
     JAVACMD=java
-    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
-
+    if ! command -v java >/dev/null 2>&1
+    then
+        die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
 Please set the JAVA_HOME variable in your environment to match the
 location of your Java installation."
+    fi
 fi
 
 # Increase the maximum file descriptors if we can.
diff --git a/src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java b/src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java
index 26b029cde..df6d0b6cc 100644
--- a/src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java
+++ b/src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java
@@ -12,9 +12,9 @@
 import java.util.function.Supplier;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.ActionRequest;
-import org.opensearch.action.ActionResponse;
+import org.opensearch.core.action.ActionResponse;
 import org.opensearch.action.search.SearchRequest;
 import org.opensearch.action.search.SearchResponse;
 import org.opensearch.client.Client;
@@ -22,14 +22,14 @@
 import org.opensearch.cluster.node.DiscoveryNode;
 import org.opensearch.cluster.node.DiscoveryNodes;
 import org.opensearch.cluster.service.ClusterService;
-import org.opensearch.common.component.LifecycleComponent;
-import org.opensearch.common.io.stream.NamedWriteableRegistry;
+import org.opensearch.common.lifecycle.LifecycleComponent;
 import org.opensearch.common.settings.ClusterSettings;
 import org.opensearch.common.settings.IndexScopedSettings;
 import org.opensearch.common.settings.Setting;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.settings.SettingsFilter;
 import org.opensearch.commons.alerting.action.AlertingActions;
+import org.opensearch.core.common.io.stream.NamedWriteableRegistry;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.env.Environment;
 import org.opensearch.env.NodeEnvironment;
diff --git a/src/main/java/org/opensearch/securityanalytics/action/AckAlertsRequest.java b/src/main/java/org/opensearch/securityanalytics/action/AckAlertsRequest.java
index 09e0dfc61..455fd56ca 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/AckAlertsRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/AckAlertsRequest.java
@@ -7,8 +7,8 @@
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.action.ValidateActions;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.core.xcontent.ToXContent;
 import org.opensearch.core.xcontent.XContentBuilder;
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/AckAlertsResponse.java b/src/main/java/org/opensearch/securityanalytics/action/AckAlertsResponse.java
index d83bec12c..56262689b 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/AckAlertsResponse.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/AckAlertsResponse.java
@@ -4,9 +4,9 @@
  */
 package org.opensearch.securityanalytics.action;
 
-import org.opensearch.action.ActionResponse;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/AlertDto.java b/src/main/java/org/opensearch/securityanalytics/action/AlertDto.java
index f2b46cdb7..97e55be6b 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/AlertDto.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/AlertDto.java
@@ -7,9 +7,9 @@
 import java.io.IOException;
 import java.time.Instant;
 import java.util.List;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.io.stream.Writeable;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.Writeable;
 import org.opensearch.common.lucene.uid.Versions;
 import org.opensearch.commons.alerting.alerts.AlertError;
 import org.opensearch.commons.alerting.model.ActionExecutionResult;
diff --git a/src/main/java/org/opensearch/securityanalytics/action/CorrelatedFindingRequest.java b/src/main/java/org/opensearch/securityanalytics/action/CorrelatedFindingRequest.java
index 6eaf9a0ca..2f78aa718 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/CorrelatedFindingRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/CorrelatedFindingRequest.java
@@ -6,8 +6,8 @@
 
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.securityanalytics.model.Detector;
 
 import java.io.IOException;
diff --git a/src/main/java/org/opensearch/securityanalytics/action/CorrelatedFindingResponse.java b/src/main/java/org/opensearch/securityanalytics/action/CorrelatedFindingResponse.java
index 3e4dd7eb9..a5f31f13b 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/CorrelatedFindingResponse.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/CorrelatedFindingResponse.java
@@ -4,9 +4,9 @@
  */
 package org.opensearch.securityanalytics.action;
 
-import org.opensearch.action.ActionResponse;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.securityanalytics.model.FindingWithScore;
diff --git a/src/main/java/org/opensearch/securityanalytics/action/CreateIndexMappingsRequest.java b/src/main/java/org/opensearch/securityanalytics/action/CreateIndexMappingsRequest.java
index 8e246072f..01666ed2a 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/CreateIndexMappingsRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/CreateIndexMappingsRequest.java
@@ -9,13 +9,14 @@
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.core.common.Strings;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.common.xcontent.XContentFactory;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.xcontent.MediaTypeRegistry;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.core.xcontent.XContentParser;
+import org.opensearch.core.xcontent.XContentParserUtils;
 
 import java.io.IOException;
 import java.util.HashMap;
@@ -135,7 +136,7 @@ public static CreateIndexMappingsRequest parse(XContentParser xcp) throws IOExce
                             aliasMap.put(alias, Map.of("type", "alias", "path", path));
                         }
                     }
-                    aliasMappings = org.opensearch.common.Strings.toString(XContentFactory.jsonBuilder().map(Map.of("properties", aliasMap)));
+                    aliasMappings = MediaTypeRegistry.JSON.contentBuilder().map(Map.of("properties", aliasMap)).toString();
                     break;
                 case PARTIAL_FIELD:
                     partial = xcp.booleanValue();
diff --git a/src/main/java/org/opensearch/securityanalytics/action/DeleteCorrelationRuleRequest.java b/src/main/java/org/opensearch/securityanalytics/action/DeleteCorrelationRuleRequest.java
index 3bae730c4..a50b61046 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/DeleteCorrelationRuleRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/DeleteCorrelationRuleRequest.java
@@ -13,8 +13,8 @@
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.action.ValidateActions;
 import org.opensearch.action.support.WriteRequest;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.securityanalytics.model.CorrelationRule;
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/DeleteCustomLogTypeRequest.java b/src/main/java/org/opensearch/securityanalytics/action/DeleteCustomLogTypeRequest.java
index 1bce40fe2..e1ae97099 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/DeleteCustomLogTypeRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/DeleteCustomLogTypeRequest.java
@@ -11,8 +11,8 @@
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.action.support.WriteRequest;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 
 import java.io.IOException;
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/DeleteCustomLogTypeResponse.java b/src/main/java/org/opensearch/securityanalytics/action/DeleteCustomLogTypeResponse.java
index 6347a42a1..49a2e1672 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/DeleteCustomLogTypeResponse.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/DeleteCustomLogTypeResponse.java
@@ -8,12 +8,12 @@
 
 package org.opensearch.securityanalytics.action;
 
-import org.opensearch.action.ActionResponse;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 
 import java.io.IOException;
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/DeleteDetectorRequest.java b/src/main/java/org/opensearch/securityanalytics/action/DeleteDetectorRequest.java
index 27bcfa2a6..3392da4c1 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/DeleteDetectorRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/DeleteDetectorRequest.java
@@ -7,8 +7,8 @@
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.action.support.WriteRequest;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 
 import java.io.IOException;
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/DeleteDetectorResponse.java b/src/main/java/org/opensearch/securityanalytics/action/DeleteDetectorResponse.java
index 4981cbc47..313488449 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/DeleteDetectorResponse.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/DeleteDetectorResponse.java
@@ -4,12 +4,12 @@
  */
 package org.opensearch.securityanalytics.action;
 
-import org.opensearch.action.ActionResponse;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 
 import java.io.IOException;
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/DeleteRuleRequest.java b/src/main/java/org/opensearch/securityanalytics/action/DeleteRuleRequest.java
index 18c2a740a..b1206f5ed 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/DeleteRuleRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/DeleteRuleRequest.java
@@ -7,8 +7,8 @@
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.action.support.WriteRequest;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 
 import java.io.IOException;
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/DeleteRuleResponse.java b/src/main/java/org/opensearch/securityanalytics/action/DeleteRuleResponse.java
index ffeb6bf4f..63e843e1e 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/DeleteRuleResponse.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/DeleteRuleResponse.java
@@ -4,12 +4,12 @@
  */
 package org.opensearch.securityanalytics.action;
 
-import org.opensearch.action.ActionResponse;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 
 import java.io.IOException;
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/FindingDto.java b/src/main/java/org/opensearch/securityanalytics/action/FindingDto.java
index f94a08c81..92ca2a171 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/FindingDto.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/FindingDto.java
@@ -7,9 +7,9 @@
 import java.io.IOException;
 import java.time.Instant;
 import java.util.List;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.io.stream.Writeable;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.Writeable;
 import org.opensearch.commons.alerting.model.DocLevelQuery;
 import org.opensearch.commons.alerting.model.FindingDocument;
 import org.opensearch.commons.alerting.model.FindingWithDocs;
diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetAlertsRequest.java b/src/main/java/org/opensearch/securityanalytics/action/GetAlertsRequest.java
index 5ed416deb..1e0cb6113 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/GetAlertsRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/GetAlertsRequest.java
@@ -8,8 +8,8 @@
 import java.util.Locale;
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.commons.alerting.model.Table;
 import org.opensearch.securityanalytics.model.Detector;
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetAlertsResponse.java b/src/main/java/org/opensearch/securityanalytics/action/GetAlertsResponse.java
index 7b0f6e01b..11f541512 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/GetAlertsResponse.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/GetAlertsResponse.java
@@ -8,14 +8,14 @@
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
-import org.opensearch.action.ActionResponse;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.commons.alerting.model.Alert;
 import org.opensearch.commons.alerting.model.FindingWithDocs;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.model.Detector;
 
 public class GetAlertsResponse extends ActionResponse implements ToXContentObject {
diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetAllRuleCategoriesRequest.java b/src/main/java/org/opensearch/securityanalytics/action/GetAllRuleCategoriesRequest.java
index 241d7a066..c0006d4d8 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/GetAllRuleCategoriesRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/GetAllRuleCategoriesRequest.java
@@ -7,8 +7,8 @@
 import java.io.IOException;
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 
 public class GetAllRuleCategoriesRequest extends ActionRequest {
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetAllRuleCategoriesResponse.java b/src/main/java/org/opensearch/securityanalytics/action/GetAllRuleCategoriesResponse.java
index c182fac48..f2082f988 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/GetAllRuleCategoriesResponse.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/GetAllRuleCategoriesResponse.java
@@ -6,9 +6,9 @@
 
 import java.io.IOException;
 import java.util.List;
-import org.opensearch.action.ActionResponse;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.securityanalytics.model.RuleCategory;
diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetDetectorRequest.java b/src/main/java/org/opensearch/securityanalytics/action/GetDetectorRequest.java
index 15743690a..2e5dfe105 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/GetDetectorRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/GetDetectorRequest.java
@@ -6,9 +6,9 @@
 
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.core.xcontent.XContentParser;
 
 import java.io.IOException;
diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetDetectorResponse.java b/src/main/java/org/opensearch/securityanalytics/action/GetDetectorResponse.java
index 318429bb6..3e4fc68d1 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/GetDetectorResponse.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/GetDetectorResponse.java
@@ -4,12 +4,12 @@
  */
 package org.opensearch.securityanalytics.action;
 
-import org.opensearch.action.ActionResponse;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.model.Detector;
 
 import java.io.IOException;
diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetFindingsRequest.java b/src/main/java/org/opensearch/securityanalytics/action/GetFindingsRequest.java
index cc4c5d7eb..8e99720ee 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/GetFindingsRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/GetFindingsRequest.java
@@ -8,8 +8,8 @@
 import java.util.Locale;
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.commons.alerting.model.Table;
 import org.opensearch.securityanalytics.model.Detector;
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetFindingsResponse.java b/src/main/java/org/opensearch/securityanalytics/action/GetFindingsResponse.java
index 3bc483b91..08146daa3 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/GetFindingsResponse.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/GetFindingsResponse.java
@@ -8,13 +8,13 @@
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
-import org.opensearch.action.ActionResponse;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.commons.alerting.model.FindingWithDocs;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.model.Detector;
 
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetIndexMappingsRequest.java b/src/main/java/org/opensearch/securityanalytics/action/GetIndexMappingsRequest.java
index 089920350..804b4f191 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/GetIndexMappingsRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/GetIndexMappingsRequest.java
@@ -6,9 +6,9 @@
 
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.core.xcontent.XContentParser;
 
 import java.io.IOException;
diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetIndexMappingsResponse.java b/src/main/java/org/opensearch/securityanalytics/action/GetIndexMappingsResponse.java
index b7d42b123..b52c03c5b 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/GetIndexMappingsResponse.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/GetIndexMappingsResponse.java
@@ -4,17 +4,19 @@
  */
 package org.opensearch.securityanalytics.action;
 
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.opensearch.Version;
-import org.opensearch.action.ActionResponse;
+import org.opensearch.core.action.ActionResponse;
 import org.opensearch.cluster.metadata.MappingMetadata;
+import org.opensearch.core.common.Strings;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.common.xcontent.XContentType;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
 import org.opensearch.core.ParseField;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
@@ -104,7 +106,7 @@ public Map<String, MappingMetadata> getMappings() {
 
     @Override
     public String toString() {
-        return org.opensearch.common.Strings.toString(XContentType.JSON, this);
+        return Strings.toString(XContentType.JSON, this);
     }
 
     @Override
diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetMappingsViewRequest.java b/src/main/java/org/opensearch/securityanalytics/action/GetMappingsViewRequest.java
index 3e4e6d7ec..787ebbb25 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/GetMappingsViewRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/GetMappingsViewRequest.java
@@ -8,9 +8,9 @@
 import java.util.Locale;
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.core.xcontent.XContentParser;
 
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetMappingsViewResponse.java b/src/main/java/org/opensearch/securityanalytics/action/GetMappingsViewResponse.java
index 62e8e6c7e..b5a7d5ac0 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/GetMappingsViewResponse.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/GetMappingsViewResponse.java
@@ -6,9 +6,9 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.opensearch.action.ActionResponse;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.securityanalytics.mapper.MapperUtils;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
@@ -18,6 +18,10 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.Strings;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.common.xcontent.XContentType;
 
 public class GetMappingsViewResponse extends ActionResponse implements ToXContentObject {
@@ -129,7 +133,7 @@ public List<String> getUnmappedIndexFields() {
 
     @Override
     public String toString() {
-        return org.opensearch.common.Strings.toString(XContentType.JSON, this);
+        return Strings.toString(XContentType.JSON, this);
     }
 
     @Override
diff --git a/src/main/java/org/opensearch/securityanalytics/action/IndexCorrelationRuleRequest.java b/src/main/java/org/opensearch/securityanalytics/action/IndexCorrelationRuleRequest.java
index ca1ed2595..1b70fb6c2 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/IndexCorrelationRuleRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/IndexCorrelationRuleRequest.java
@@ -10,8 +10,8 @@
 
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.rest.RestRequest;
 
 import java.io.IOException;
diff --git a/src/main/java/org/opensearch/securityanalytics/action/IndexCorrelationRuleResponse.java b/src/main/java/org/opensearch/securityanalytics/action/IndexCorrelationRuleResponse.java
index c72d4512a..d2442943b 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/IndexCorrelationRuleResponse.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/IndexCorrelationRuleResponse.java
@@ -8,12 +8,12 @@
 
 package org.opensearch.securityanalytics.action;
 
-import org.opensearch.action.ActionResponse;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 
 import java.io.IOException;
 import org.opensearch.securityanalytics.model.CorrelationRule;
diff --git a/src/main/java/org/opensearch/securityanalytics/action/IndexCustomLogTypeRequest.java b/src/main/java/org/opensearch/securityanalytics/action/IndexCustomLogTypeRequest.java
index 2f4d2eb93..9c8ba2dae 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/IndexCustomLogTypeRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/IndexCustomLogTypeRequest.java
@@ -11,8 +11,8 @@
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.action.support.WriteRequest;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.securityanalytics.model.CustomLogType;
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/IndexCustomLogTypeResponse.java b/src/main/java/org/opensearch/securityanalytics/action/IndexCustomLogTypeResponse.java
index 3a95d99b9..1f3410cd5 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/IndexCustomLogTypeResponse.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/IndexCustomLogTypeResponse.java
@@ -8,12 +8,12 @@
 
 package org.opensearch.securityanalytics.action;
 
-import org.opensearch.action.ActionResponse;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.model.CustomLogType;
 
 import java.io.IOException;
diff --git a/src/main/java/org/opensearch/securityanalytics/action/IndexDetectorRequest.java b/src/main/java/org/opensearch/securityanalytics/action/IndexDetectorRequest.java
index f31207b5d..7299d945c 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/IndexDetectorRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/IndexDetectorRequest.java
@@ -7,8 +7,8 @@
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.action.support.WriteRequest;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.securityanalytics.model.Detector;
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/IndexDetectorResponse.java b/src/main/java/org/opensearch/securityanalytics/action/IndexDetectorResponse.java
index 6e5a128c7..6a7c268c1 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/IndexDetectorResponse.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/IndexDetectorResponse.java
@@ -4,12 +4,12 @@
  */
 package org.opensearch.securityanalytics.action;
 
-import org.opensearch.action.ActionResponse;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.model.Detector;
 
 import java.io.IOException;
diff --git a/src/main/java/org/opensearch/securityanalytics/action/IndexRuleRequest.java b/src/main/java/org/opensearch/securityanalytics/action/IndexRuleRequest.java
index 309789fc3..785438930 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/IndexRuleRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/IndexRuleRequest.java
@@ -10,8 +10,8 @@
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.action.support.WriteRequest;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.rest.RestRequest;
 
 import java.io.IOException;
diff --git a/src/main/java/org/opensearch/securityanalytics/action/IndexRuleResponse.java b/src/main/java/org/opensearch/securityanalytics/action/IndexRuleResponse.java
index 02e612ac7..7571d9ba2 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/IndexRuleResponse.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/IndexRuleResponse.java
@@ -4,12 +4,12 @@
  */
 package org.opensearch.securityanalytics.action;
 
-import org.opensearch.action.ActionResponse;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.model.Detector;
 import org.opensearch.securityanalytics.model.Rule;
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/ListCorrelationsRequest.java b/src/main/java/org/opensearch/securityanalytics/action/ListCorrelationsRequest.java
index ff3fd225c..51a6e0ca5 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/ListCorrelationsRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/ListCorrelationsRequest.java
@@ -6,8 +6,8 @@
 
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 
 import java.io.IOException;
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/ListCorrelationsResponse.java b/src/main/java/org/opensearch/securityanalytics/action/ListCorrelationsResponse.java
index 80eea0003..0b8df0cb0 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/ListCorrelationsResponse.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/ListCorrelationsResponse.java
@@ -4,9 +4,9 @@
  */
 package org.opensearch.securityanalytics.action;
 
-import org.opensearch.action.ActionResponse;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.securityanalytics.model.CorrelatedFinding;
diff --git a/src/main/java/org/opensearch/securityanalytics/action/SearchCorrelationRuleRequest.java b/src/main/java/org/opensearch/securityanalytics/action/SearchCorrelationRuleRequest.java
index dcf4fb955..649067044 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/SearchCorrelationRuleRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/SearchCorrelationRuleRequest.java
@@ -8,8 +8,8 @@
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.action.search.SearchRequest;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 
 public class SearchCorrelationRuleRequest extends ActionRequest {
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/SearchCustomLogTypeRequest.java b/src/main/java/org/opensearch/securityanalytics/action/SearchCustomLogTypeRequest.java
index f315a09ff..a9a387d36 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/SearchCustomLogTypeRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/SearchCustomLogTypeRequest.java
@@ -11,8 +11,8 @@
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.action.search.SearchRequest;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 
 import java.io.IOException;
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/SearchDetectorRequest.java b/src/main/java/org/opensearch/securityanalytics/action/SearchDetectorRequest.java
index ed289eabd..e3b9ed9bd 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/SearchDetectorRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/SearchDetectorRequest.java
@@ -7,8 +7,8 @@
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.action.search.SearchRequest;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 
 import java.io.IOException;
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/SearchRuleRequest.java b/src/main/java/org/opensearch/securityanalytics/action/SearchRuleRequest.java
index 4b08c75bc..010ddb2fd 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/SearchRuleRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/SearchRuleRequest.java
@@ -7,8 +7,8 @@
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.action.search.SearchRequest;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 
 import java.io.IOException;
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/UpdateIndexMappingsRequest.java b/src/main/java/org/opensearch/securityanalytics/action/UpdateIndexMappingsRequest.java
index e9bef0c4d..def99049c 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/UpdateIndexMappingsRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/UpdateIndexMappingsRequest.java
@@ -6,9 +6,9 @@
 
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.core.xcontent.XContentParser;
diff --git a/src/main/java/org/opensearch/securityanalytics/action/ValidateRulesRequest.java b/src/main/java/org/opensearch/securityanalytics/action/ValidateRulesRequest.java
index 7af8bed56..b925891dd 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/ValidateRulesRequest.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/ValidateRulesRequest.java
@@ -4,25 +4,21 @@
  */
 package org.opensearch.securityanalytics.action;
 
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Locale;
-import java.util.Map;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
-import org.opensearch.core.common.Strings;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.xcontent.XContentFactory;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.core.xcontent.XContentParser;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.xcontent.XContentParserUtils;
 
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Locale;
 
 import static org.opensearch.action.ValidateActions.addValidationError;
 
diff --git a/src/main/java/org/opensearch/securityanalytics/action/ValidateRulesResponse.java b/src/main/java/org/opensearch/securityanalytics/action/ValidateRulesResponse.java
index 835bc65ec..776c0f303 100644
--- a/src/main/java/org/opensearch/securityanalytics/action/ValidateRulesResponse.java
+++ b/src/main/java/org/opensearch/securityanalytics/action/ValidateRulesResponse.java
@@ -4,12 +4,19 @@
  */
 package org.opensearch.securityanalytics.action;
 
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.opensearch.action.ActionResponse;
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.Strings;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.common.xcontent.XContentType;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
 
@@ -69,7 +76,7 @@ public List<String> getNonapplicableFields() {
 
     @Override
     public String toString() {
-        return org.opensearch.common.Strings.toString(XContentType.JSON, this);
+        return Strings.toString(XContentType.JSON, this);
     }
 
     @Override
diff --git a/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java b/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java
index 705f127a5..a61fe9d35 100644
--- a/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java
+++ b/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java
@@ -7,7 +7,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.support.GroupedActionListener;
 import org.opensearch.action.support.WriteRequest;
 import org.opensearch.client.Client;
@@ -18,7 +18,7 @@
 import org.opensearch.commons.alerting.action.GetAlertsRequest;
 import org.opensearch.commons.alerting.model.Alert;
 import org.opensearch.commons.alerting.model.Table;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.action.AckAlertsResponse;
 import org.opensearch.securityanalytics.action.AlertDto;
 import org.opensearch.securityanalytics.action.GetAlertsResponse;
diff --git a/src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java b/src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java
index 5e4bb6629..6921f096c 100644
--- a/src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java
+++ b/src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java
@@ -9,7 +9,7 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.search.join.ScoreMode;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.search.MultiSearchRequest;
 import org.opensearch.action.search.MultiSearchResponse;
 import org.opensearch.action.search.SearchRequest;
@@ -25,7 +25,7 @@
 import org.opensearch.index.query.NestedQueryBuilder;
 import org.opensearch.index.query.QueryBuilders;
 import org.opensearch.index.query.RangeQueryBuilder;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.SearchHit;
 import org.opensearch.search.builder.SearchSourceBuilder;
 import org.opensearch.securityanalytics.config.monitors.DetectorMonitorConfig;
diff --git a/src/main/java/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine.java b/src/main/java/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine.java
index f0f433d5e..82698325f 100644
--- a/src/main/java/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine.java
+++ b/src/main/java/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine.java
@@ -7,7 +7,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.bulk.BulkRequest;
 import org.opensearch.action.bulk.BulkResponse;
 import org.opensearch.action.index.IndexRequest;
@@ -25,7 +25,7 @@
 import org.opensearch.index.query.BoolQueryBuilder;
 import org.opensearch.index.query.MatchQueryBuilder;
 import org.opensearch.index.query.QueryBuilders;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.SearchHit;
 import org.opensearch.search.builder.SearchSourceBuilder;
 import org.opensearch.securityanalytics.correlation.index.query.CorrelationQueryBuilder;
diff --git a/src/main/java/org/opensearch/securityanalytics/correlation/index/CorrelationParamsContext.java b/src/main/java/org/opensearch/securityanalytics/correlation/index/CorrelationParamsContext.java
index 1dbfba528..66fd6c23a 100644
--- a/src/main/java/org/opensearch/securityanalytics/correlation/index/CorrelationParamsContext.java
+++ b/src/main/java/org/opensearch/securityanalytics/correlation/index/CorrelationParamsContext.java
@@ -5,9 +5,9 @@
 package org.opensearch.securityanalytics.correlation.index;
 
 import org.apache.lucene.index.VectorSimilarityFunction;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.io.stream.Writeable;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.Writeable;
 import org.opensearch.core.xcontent.ToXContentFragment;
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.index.mapper.MapperParsingException;
diff --git a/src/main/java/org/opensearch/securityanalytics/correlation/index/query/CorrelationQueryBuilder.java b/src/main/java/org/opensearch/securityanalytics/correlation/index/query/CorrelationQueryBuilder.java
index 84e99348c..2a51499c2 100644
--- a/src/main/java/org/opensearch/securityanalytics/correlation/index/query/CorrelationQueryBuilder.java
+++ b/src/main/java/org/opensearch/securityanalytics/correlation/index/query/CorrelationQueryBuilder.java
@@ -7,10 +7,10 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.search.Query;
-import org.opensearch.common.ParsingException;
+import org.opensearch.core.common.ParsingException;
 import org.opensearch.core.common.Strings;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.core.ParseField;
 import org.opensearch.core.common.Strings;
 import org.opensearch.core.xcontent.XContentBuilder;
diff --git a/src/main/java/org/opensearch/securityanalytics/findings/FindingsService.java b/src/main/java/org/opensearch/securityanalytics/findings/FindingsService.java
index 5047c0268..83d8ffbb3 100644
--- a/src/main/java/org/opensearch/securityanalytics/findings/FindingsService.java
+++ b/src/main/java/org/opensearch/securityanalytics/findings/FindingsService.java
@@ -13,14 +13,14 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.client.Client;
 import org.opensearch.client.node.NodeClient;
 import org.opensearch.commons.alerting.AlertingPluginInterface;
 import org.opensearch.commons.alerting.model.DocLevelQuery;
 import org.opensearch.commons.alerting.model.FindingWithDocs;
 import org.opensearch.commons.alerting.model.Table;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.action.FindingDto;
 import org.opensearch.securityanalytics.action.GetDetectorAction;
 import org.opensearch.securityanalytics.action.GetDetectorRequest;
diff --git a/src/main/java/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService.java b/src/main/java/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService.java
index 444df5042..1fbe36b85 100644
--- a/src/main/java/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService.java
+++ b/src/main/java/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService.java
@@ -15,7 +15,7 @@
 import java.util.stream.Collectors;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.admin.cluster.state.ClusterStateRequest;
 import org.opensearch.action.admin.cluster.state.ClusterStateResponse;
 import org.opensearch.action.admin.indices.delete.DeleteIndexRequest;
@@ -29,8 +29,8 @@
 import org.opensearch.cluster.metadata.AliasMetadata;
 import org.opensearch.cluster.metadata.IndexMetadata;
 import org.opensearch.cluster.service.ClusterService;
-import org.opensearch.common.component.AbstractLifecycleComponent;
 import org.opensearch.common.inject.Inject;
+import org.opensearch.common.lifecycle.AbstractLifecycleComponent;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.unit.TimeValue;
 import org.opensearch.securityanalytics.config.monitors.DetectorMonitorConfig;
diff --git a/src/main/java/org/opensearch/securityanalytics/logtype/BuiltinLogTypeLoader.java b/src/main/java/org/opensearch/securityanalytics/logtype/BuiltinLogTypeLoader.java
index 14dad9e4c..0d28bce4d 100644
--- a/src/main/java/org/opensearch/securityanalytics/logtype/BuiltinLogTypeLoader.java
+++ b/src/main/java/org/opensearch/securityanalytics/logtype/BuiltinLogTypeLoader.java
@@ -19,7 +19,7 @@
 import java.util.stream.Stream;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.opensearch.common.component.AbstractLifecycleComponent;
+import org.opensearch.common.lifecycle.AbstractLifecycleComponent;
 import org.opensearch.common.settings.SettingsException;
 import org.opensearch.common.xcontent.XContentHelper;
 import org.opensearch.common.xcontent.json.JsonXContent;
diff --git a/src/main/java/org/opensearch/securityanalytics/logtype/LogTypeService.java b/src/main/java/org/opensearch/securityanalytics/logtype/LogTypeService.java
index b54e4eb82..3d09bae52 100644
--- a/src/main/java/org/opensearch/securityanalytics/logtype/LogTypeService.java
+++ b/src/main/java/org/opensearch/securityanalytics/logtype/LogTypeService.java
@@ -25,7 +25,7 @@
 import org.opensearch.ExceptionsHelper;
 import org.opensearch.OpenSearchStatusException;
 import org.opensearch.ResourceAlreadyExistsException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.DocWriteRequest;
 import org.opensearch.action.admin.indices.create.CreateIndexRequest;
 import org.opensearch.action.admin.indices.create.CreateIndexResponse;
@@ -49,7 +49,7 @@
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.index.query.BoolQueryBuilder;
 import org.opensearch.index.query.QueryBuilders;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.SearchHit;
 import org.opensearch.search.aggregations.bucket.terms.Terms;
 import org.opensearch.search.aggregations.bucket.terms.TermsAggregationBuilder;
diff --git a/src/main/java/org/opensearch/securityanalytics/mapper/IndexTemplateManager.java b/src/main/java/org/opensearch/securityanalytics/mapper/IndexTemplateManager.java
index ecc684005..4bc41e4ba 100644
--- a/src/main/java/org/opensearch/securityanalytics/mapper/IndexTemplateManager.java
+++ b/src/main/java/org/opensearch/securityanalytics/mapper/IndexTemplateManager.java
@@ -16,7 +16,7 @@
 import java.util.Set;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.StepListener;
 import org.opensearch.action.admin.indices.template.delete.DeleteComponentTemplateAction;
 import org.opensearch.action.admin.indices.template.delete.DeleteComposableIndexTemplateAction;
diff --git a/src/main/java/org/opensearch/securityanalytics/mapper/IndexTemplateUtils.java b/src/main/java/org/opensearch/securityanalytics/mapper/IndexTemplateUtils.java
index 26074dee3..73e366c77 100644
--- a/src/main/java/org/opensearch/securityanalytics/mapper/IndexTemplateUtils.java
+++ b/src/main/java/org/opensearch/securityanalytics/mapper/IndexTemplateUtils.java
@@ -13,7 +13,7 @@
 import org.opensearch.cluster.ClusterState;
 import org.opensearch.cluster.metadata.ComposableIndexTemplate;
 import org.opensearch.cluster.metadata.Template;
-import org.opensearch.common.bytes.BytesReference;
+import org.opensearch.core.common.bytes.BytesReference;
 import org.opensearch.common.compress.CompressedXContent;
 import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.common.xcontent.XContentHelper;
diff --git a/src/main/java/org/opensearch/securityanalytics/mapper/MapperService.java b/src/main/java/org/opensearch/securityanalytics/mapper/MapperService.java
index 059150e6a..26f9c1602 100644
--- a/src/main/java/org/opensearch/securityanalytics/mapper/MapperService.java
+++ b/src/main/java/org/opensearch/securityanalytics/mapper/MapperService.java
@@ -19,7 +19,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.admin.indices.get.GetIndexRequest;
 import org.opensearch.action.admin.indices.get.GetIndexResponse;
 import org.opensearch.action.admin.indices.mapping.get.GetMappingsRequest;
@@ -32,10 +32,9 @@
 import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
 import org.opensearch.cluster.metadata.MappingMetadata;
 import org.opensearch.cluster.service.ClusterService;
-import org.opensearch.common.Strings;
 import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.core.xcontent.XContentBuilder;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.action.GetIndexMappingsResponse;
 import org.opensearch.securityanalytics.action.GetMappingsViewResponse;
 import org.opensearch.securityanalytics.logtype.LogTypeService;
@@ -233,7 +232,7 @@ public void onResponse(List<LogType.Mapping> mappings) {
                                 }
                             }
                             aliasMappingsObj.field("properties", aliasMappingFields);
-                            String aliasMappings = Strings.toString(aliasMappingsObj.endObject());
+                            String aliasMappings = aliasMappingsObj.endObject().toString();
 
                             Pair<List<String>, List<String>> validationResult = MapperUtils.validateIndexMappings(indexName, mappingMetadata, aliasMappings);
                             List<String> missingPathsInIndex = validationResult.getLeft();
@@ -515,7 +514,7 @@ public void onResponse(GetMappingsResponse getMappingsResponse) {
                             }
                         }
                         aliasMappingsObj.field("properties", aliasMappingFields);
-                        String aliasMappingsJson = Strings.toString(aliasMappingsObj.endObject());
+                        String aliasMappingsJson = aliasMappingsObj.endObject().toString();
                         // Gather all applyable alias mappings
                         Map<String, Object> aliasMappings =
                                 MapperUtils.getAliasMappingsWithFilter(aliasMappingsJson, applyableAliases);
diff --git a/src/main/java/org/opensearch/securityanalytics/model/CorrelatedFinding.java b/src/main/java/org/opensearch/securityanalytics/model/CorrelatedFinding.java
index d5f68339b..811aab401 100644
--- a/src/main/java/org/opensearch/securityanalytics/model/CorrelatedFinding.java
+++ b/src/main/java/org/opensearch/securityanalytics/model/CorrelatedFinding.java
@@ -4,10 +4,10 @@
  */
 package org.opensearch.securityanalytics.model;
 
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.io.stream.Writeable;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.Writeable;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.core.xcontent.XContentParser;
diff --git a/src/main/java/org/opensearch/securityanalytics/model/CorrelationQuery.java b/src/main/java/org/opensearch/securityanalytics/model/CorrelationQuery.java
index d2940405c..480e8185d 100644
--- a/src/main/java/org/opensearch/securityanalytics/model/CorrelationQuery.java
+++ b/src/main/java/org/opensearch/securityanalytics/model/CorrelationQuery.java
@@ -7,10 +7,10 @@
 import java.io.IOException;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.io.stream.Writeable;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.Writeable;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.core.xcontent.XContentParser;
diff --git a/src/main/java/org/opensearch/securityanalytics/model/CorrelationRule.java b/src/main/java/org/opensearch/securityanalytics/model/CorrelationRule.java
index f29213e14..685b66c9b 100644
--- a/src/main/java/org/opensearch/securityanalytics/model/CorrelationRule.java
+++ b/src/main/java/org/opensearch/securityanalytics/model/CorrelationRule.java
@@ -10,10 +10,10 @@
 import java.util.Objects;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.io.stream.Writeable;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.Writeable;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.core.xcontent.XContentParser;
diff --git a/src/main/java/org/opensearch/securityanalytics/model/CustomLogType.java b/src/main/java/org/opensearch/securityanalytics/model/CustomLogType.java
index 37a4217cf..fb9a05055 100644
--- a/src/main/java/org/opensearch/securityanalytics/model/CustomLogType.java
+++ b/src/main/java/org/opensearch/securityanalytics/model/CustomLogType.java
@@ -6,10 +6,10 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.io.stream.Writeable;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.Writeable;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.core.ParseField;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.core.xcontent.ToXContentObject;
diff --git a/src/main/java/org/opensearch/securityanalytics/model/Detector.java b/src/main/java/org/opensearch/securityanalytics/model/Detector.java
index 0769e74f8..9c7e48362 100644
--- a/src/main/java/org/opensearch/securityanalytics/model/Detector.java
+++ b/src/main/java/org/opensearch/securityanalytics/model/Detector.java
@@ -8,13 +8,13 @@
 import java.util.Map;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.io.stream.Writeable;
-import org.opensearch.common.xcontent.XContentParserUtils;
 import org.opensearch.commons.alerting.model.CronSchedule;
 import org.opensearch.commons.alerting.model.Schedule;
 import org.opensearch.commons.authuser.User;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.Writeable;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.core.ParseField;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.core.xcontent.ToXContent;
diff --git a/src/main/java/org/opensearch/securityanalytics/model/DetectorInput.java b/src/main/java/org/opensearch/securityanalytics/model/DetectorInput.java
index da7d65cb2..1956274ca 100644
--- a/src/main/java/org/opensearch/securityanalytics/model/DetectorInput.java
+++ b/src/main/java/org/opensearch/securityanalytics/model/DetectorInput.java
@@ -4,10 +4,10 @@
  */
 package org.opensearch.securityanalytics.model;
 
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.io.stream.Writeable;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.Writeable;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.core.ParseField;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.core.xcontent.ToXContentObject;
diff --git a/src/main/java/org/opensearch/securityanalytics/model/DetectorRule.java b/src/main/java/org/opensearch/securityanalytics/model/DetectorRule.java
index c002687d9..d6a031c51 100644
--- a/src/main/java/org/opensearch/securityanalytics/model/DetectorRule.java
+++ b/src/main/java/org/opensearch/securityanalytics/model/DetectorRule.java
@@ -4,13 +4,13 @@
  */
 package org.opensearch.securityanalytics.model;
 
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.io.stream.Writeable;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.Writeable;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.core.xcontent.XContentParser;
+import org.opensearch.core.xcontent.XContentParserUtils;
 
 import java.io.IOException;
 import java.util.ArrayList;
diff --git a/src/main/java/org/opensearch/securityanalytics/model/DetectorTrigger.java b/src/main/java/org/opensearch/securityanalytics/model/DetectorTrigger.java
index 3291c07ae..ed454412a 100644
--- a/src/main/java/org/opensearch/securityanalytics/model/DetectorTrigger.java
+++ b/src/main/java/org/opensearch/securityanalytics/model/DetectorTrigger.java
@@ -8,10 +8,10 @@
 import org.apache.logging.log4j.Logger;
 
 import org.opensearch.common.UUIDs;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.io.stream.Writeable;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.Writeable;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.commons.alerting.model.action.Action;
 import org.opensearch.core.ParseField;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
diff --git a/src/main/java/org/opensearch/securityanalytics/model/FieldMappingDoc.java b/src/main/java/org/opensearch/securityanalytics/model/FieldMappingDoc.java
index b2bd7763d..3a3edeedc 100644
--- a/src/main/java/org/opensearch/securityanalytics/model/FieldMappingDoc.java
+++ b/src/main/java/org/opensearch/securityanalytics/model/FieldMappingDoc.java
@@ -11,12 +11,12 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.io.stream.Writeable;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.Writeable;
 import org.opensearch.common.xcontent.LoggingDeprecationHandler;
 import org.opensearch.common.xcontent.XContentHelper;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.common.xcontent.XContentType;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.core.xcontent.ToXContent;
diff --git a/src/main/java/org/opensearch/securityanalytics/model/FindingWithScore.java b/src/main/java/org/opensearch/securityanalytics/model/FindingWithScore.java
index 2177d076e..35274727e 100644
--- a/src/main/java/org/opensearch/securityanalytics/model/FindingWithScore.java
+++ b/src/main/java/org/opensearch/securityanalytics/model/FindingWithScore.java
@@ -4,10 +4,10 @@
  */
 package org.opensearch.securityanalytics.model;
 
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.io.stream.Writeable;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.Writeable;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.core.xcontent.XContentParser;
diff --git a/src/main/java/org/opensearch/securityanalytics/model/LogType.java b/src/main/java/org/opensearch/securityanalytics/model/LogType.java
index 0d221d1d7..7acc0d1f3 100644
--- a/src/main/java/org/opensearch/securityanalytics/model/LogType.java
+++ b/src/main/java/org/opensearch/securityanalytics/model/LogType.java
@@ -9,9 +9,9 @@
 import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.io.stream.Writeable;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.Writeable;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
 
diff --git a/src/main/java/org/opensearch/securityanalytics/model/Rule.java b/src/main/java/org/opensearch/securityanalytics/model/Rule.java
index 810492229..fcbd95349 100644
--- a/src/main/java/org/opensearch/securityanalytics/model/Rule.java
+++ b/src/main/java/org/opensearch/securityanalytics/model/Rule.java
@@ -7,10 +7,10 @@
 import org.apache.commons.lang3.tuple.Pair;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.io.stream.Writeable;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.Writeable;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.core.ParseField;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.core.xcontent.ToXContent;
diff --git a/src/main/java/org/opensearch/securityanalytics/model/RuleCategory.java b/src/main/java/org/opensearch/securityanalytics/model/RuleCategory.java
index a2abfa3ba..99a9384c2 100644
--- a/src/main/java/org/opensearch/securityanalytics/model/RuleCategory.java
+++ b/src/main/java/org/opensearch/securityanalytics/model/RuleCategory.java
@@ -14,9 +14,9 @@
 import java.util.Map;
 import java.util.Objects;
 import org.opensearch.OpenSearchParseException;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.io.stream.Writeable;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.Writeable;
 import org.opensearch.common.settings.SettingsException;
 import org.opensearch.common.xcontent.XContentHelper;
 import org.opensearch.common.xcontent.json.JsonXContent;
diff --git a/src/main/java/org/opensearch/securityanalytics/model/Value.java b/src/main/java/org/opensearch/securityanalytics/model/Value.java
index 89298ae71..ff817131a 100644
--- a/src/main/java/org/opensearch/securityanalytics/model/Value.java
+++ b/src/main/java/org/opensearch/securityanalytics/model/Value.java
@@ -6,10 +6,10 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.io.stream.Writeable;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.Writeable;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.core.xcontent.XContentParser;
diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestAcknowledgeAlertsAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestAcknowledgeAlertsAction.java
index f02479c48..2a49e49cb 100644
--- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestAcknowledgeAlertsAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestAcknowledgeAlertsAction.java
@@ -20,7 +20,7 @@
 import java.util.List;
 import java.util.Locale;
 
-import static org.opensearch.common.xcontent.XContentParserUtils.ensureExpectedToken;
+import static org.opensearch.core.xcontent.XContentParserUtils.ensureExpectedToken;
 
 /**
  * Acknowledge list of alerts generated by a detector.
diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestCreateIndexMappingsAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestCreateIndexMappingsAction.java
index b0871c835..65297bed7 100644
--- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestCreateIndexMappingsAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestCreateIndexMappingsAction.java
@@ -5,7 +5,7 @@
 package org.opensearch.securityanalytics.resthandler;
 
 import org.opensearch.client.node.NodeClient;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.rest.BaseRestHandler;
 import org.opensearch.rest.RestRequest;
diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestDeleteCustomLogTypeAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestDeleteCustomLogTypeAction.java
index 692bd6e2c..18dfd7ec7 100644
--- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestDeleteCustomLogTypeAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestDeleteCustomLogTypeAction.java
@@ -15,7 +15,7 @@
 import org.opensearch.client.node.NodeClient;
 import org.opensearch.rest.BaseRestHandler;
 import org.opensearch.rest.RestRequest;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.rest.action.RestToXContentListener;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
 import org.opensearch.securityanalytics.action.DeleteCustomLogTypeAction;
diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexCorrelationRuleAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexCorrelationRuleAction.java
index 42b5a80ad..d3d30ea73 100644
--- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexCorrelationRuleAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexCorrelationRuleAction.java
@@ -18,7 +18,7 @@
 import org.opensearch.rest.RestChannel;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.rest.RestResponse;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.rest.action.RestResponseListener;
 
 import java.io.IOException;
diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexCustomLogTypeAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexCustomLogTypeAction.java
index d927fdf55..052e3978a 100644
--- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexCustomLogTypeAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexCustomLogTypeAction.java
@@ -11,7 +11,7 @@
 import org.apache.logging.log4j.Logger;
 import org.opensearch.action.support.WriteRequest;
 import org.opensearch.client.node.NodeClient;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.core.xcontent.ToXContent;
 import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.rest.BaseRestHandler;
@@ -19,7 +19,7 @@
 import org.opensearch.rest.RestChannel;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.rest.RestResponse;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.rest.action.RestResponseListener;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
 import org.opensearch.securityanalytics.action.IndexCustomLogTypeAction;
diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexDetectorAction.java
index 62a59980e..489ce5ffb 100644
--- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexDetectorAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexDetectorAction.java
@@ -8,7 +8,7 @@
 import org.apache.logging.log4j.Logger;
 import org.opensearch.action.support.WriteRequest;
 import org.opensearch.client.node.NodeClient;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.core.xcontent.ToXContent;
 import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.rest.BaseRestHandler;
@@ -16,7 +16,7 @@
 import org.opensearch.rest.RestChannel;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.rest.RestResponse;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.rest.action.RestResponseListener;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
 import org.opensearch.securityanalytics.action.IndexDetectorAction;
diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexRuleAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexRuleAction.java
index 65484ec19..fcbdd64c8 100644
--- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexRuleAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexRuleAction.java
@@ -14,7 +14,7 @@
 import org.opensearch.rest.RestChannel;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.rest.RestResponse;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.rest.action.RestResponseListener;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
 import org.opensearch.securityanalytics.action.IndexRuleAction;
diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestListCorrelationAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestListCorrelationAction.java
index ce34c7904..e8030c197 100644
--- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestListCorrelationAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestListCorrelationAction.java
@@ -24,7 +24,7 @@
 import java.util.Locale;
 
 import static org.opensearch.rest.RestRequest.Method.GET;
-import static org.opensearch.rest.RestStatus.OK;
+import static org.opensearch.core.rest.RestStatus.OK;
 
 public class RestListCorrelationAction extends BaseRestHandler {
 
diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchCorrelationAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchCorrelationAction.java
index e66e3ba7b..587d64e36 100644
--- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchCorrelationAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchCorrelationAction.java
@@ -25,7 +25,7 @@
 import java.util.Locale;
 
 import static org.opensearch.rest.RestRequest.Method.GET;
-import static org.opensearch.rest.RestStatus.OK;
+import static org.opensearch.core.rest.RestStatus.OK;
 
 public class RestSearchCorrelationAction extends BaseRestHandler {
 
diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchCustomLogTypeAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchCustomLogTypeAction.java
index 83f4ffa83..58dc4c510 100644
--- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchCustomLogTypeAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchCustomLogTypeAction.java
@@ -13,7 +13,7 @@
 import org.opensearch.action.search.SearchRequest;
 import org.opensearch.action.search.SearchResponse;
 import org.opensearch.client.node.NodeClient;
-import org.opensearch.common.bytes.BytesReference;
+import org.opensearch.core.common.bytes.BytesReference;
 import org.opensearch.common.xcontent.LoggingDeprecationHandler;
 import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.common.xcontent.XContentType;
@@ -40,7 +40,7 @@
 import java.util.Locale;
 import java.util.Map;
 
-import static org.opensearch.rest.RestStatus.OK;
+import static org.opensearch.core.rest.RestStatus.OK;
 
 public class RestSearchCustomLogTypeAction extends BaseRestHandler {
 
diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchDetectorAction.java
index 34f6af368..c1ccd7ea9 100644
--- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchDetectorAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchDetectorAction.java
@@ -7,12 +7,10 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
-import org.opensearch.ResourceNotFoundException;
-import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.action.search.SearchResponse;
 import org.opensearch.action.search.SearchRequest;
 import org.opensearch.client.node.NodeClient;
-import org.opensearch.common.bytes.BytesReference;
+import org.opensearch.core.common.bytes.BytesReference;
 import org.opensearch.common.xcontent.LoggingDeprecationHandler;
 import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.common.xcontent.XContentType;
@@ -36,15 +34,12 @@
 import java.util.List;
 import java.util.Locale;
 
+import static org.opensearch.core.rest.RestStatus.OK;
 import static org.opensearch.rest.RestRequest.Method.POST;
-import static org.opensearch.rest.RestStatus.OK;
 
 import org.opensearch.securityanalytics.model.Detector;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
 
-import static org.opensearch.securityanalytics.util.RestHandlerUtils._ID;
-import static org.opensearch.securityanalytics.util.RestHandlerUtils._VERSION;
-
 public class RestSearchDetectorAction extends BaseRestHandler {
 
     private static final Logger log = LogManager.getLogger(RestSearchDetectorAction.class);
diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchRuleAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchRuleAction.java
index 03003ca3f..bd01eb2b7 100644
--- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchRuleAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchRuleAction.java
@@ -9,7 +9,7 @@
 import org.opensearch.action.search.SearchRequest;
 import org.opensearch.action.search.SearchResponse;
 import org.opensearch.client.node.NodeClient;
-import org.opensearch.common.bytes.BytesReference;
+import org.opensearch.core.common.bytes.BytesReference;
 import org.opensearch.common.xcontent.LoggingDeprecationHandler;
 import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.common.xcontent.XContentType;
@@ -22,7 +22,7 @@
 import org.opensearch.rest.RestChannel;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.rest.RestResponse;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.rest.action.RestResponseListener;
 import org.opensearch.search.SearchHit;
 import org.opensearch.search.builder.SearchSourceBuilder;
diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestUpdateIndexMappingsAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestUpdateIndexMappingsAction.java
index 2f8371aa1..8a96bf9e6 100644
--- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestUpdateIndexMappingsAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestUpdateIndexMappingsAction.java
@@ -5,7 +5,7 @@
 package org.opensearch.securityanalytics.resthandler;
 
 import org.opensearch.client.node.NodeClient;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.rest.BaseRestHandler;
 import org.opensearch.rest.RestRequest;
diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestValidateRulesAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestValidateRulesAction.java
index 7abf5421f..1dcd99590 100644
--- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestValidateRulesAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestValidateRulesAction.java
@@ -4,33 +4,20 @@
  */
 package org.opensearch.securityanalytics.resthandler;
 
-import java.io.IOException;
-import java.util.List;
-import java.util.Locale;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.opensearch.action.support.WriteRequest;
 import org.opensearch.client.node.NodeClient;
-import org.opensearch.core.xcontent.ToXContent;
-import org.opensearch.common.xcontent.XContentParserUtils;
 import org.opensearch.core.xcontent.XContentParser;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.rest.BaseRestHandler;
-import org.opensearch.rest.BytesRestResponse;
-import org.opensearch.rest.RestChannel;
 import org.opensearch.rest.RestRequest;
-import org.opensearch.rest.RestResponse;
-import org.opensearch.rest.RestStatus;
-import org.opensearch.rest.action.RestResponseListener;
 import org.opensearch.rest.action.RestToXContentListener;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
-import org.opensearch.securityanalytics.action.CreateIndexMappingsRequest;
-import org.opensearch.securityanalytics.action.IndexRuleAction;
-import org.opensearch.securityanalytics.action.IndexRuleRequest;
-import org.opensearch.securityanalytics.action.IndexRuleResponse;
 import org.opensearch.securityanalytics.action.ValidateRulesAction;
 import org.opensearch.securityanalytics.action.ValidateRulesRequest;
-import org.opensearch.securityanalytics.model.Detector;
-import org.opensearch.securityanalytics.util.RestHandlerUtils;
+
+import java.io.IOException;
+import java.util.List;
 
 public class RestValidateRulesAction extends BaseRestHandler {
 
diff --git a/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java b/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java
index 8335c51f6..ea26804c5 100644
--- a/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java
+++ b/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java
@@ -6,13 +6,13 @@
 
 import org.opensearch.OpenSearchParseException;
 import org.opensearch.common.UUIDs;
-import org.opensearch.common.bytes.BytesReference;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.io.stream.StreamOutput;
-import org.opensearch.common.io.stream.Writeable;
-import org.opensearch.common.xcontent.XContentFactory;
-import org.opensearch.common.xcontent.XContentParserUtils;
 import org.opensearch.commons.alerting.aggregation.bucketselectorext.BucketSelectorExtAggregationBuilder;
+import org.opensearch.core.common.bytes.BytesReference;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.Writeable;
+import org.opensearch.common.xcontent.XContentFactory;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.core.xcontent.ToXContent;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportAcknowledgeAlertsAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportAcknowledgeAlertsAction.java
index 6535901a8..16679e9b2 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportAcknowledgeAlertsAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportAcknowledgeAlertsAction.java
@@ -8,7 +8,7 @@
 import org.apache.logging.log4j.Logger;
 import org.opensearch.OpenSearchException;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.StepListener;
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
@@ -20,7 +20,7 @@
 import org.opensearch.commons.alerting.model.Table;
 import org.opensearch.commons.authuser.User;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.action.AckAlertsRequest;
 import org.opensearch.securityanalytics.action.AckAlertsResponse;
 import org.opensearch.securityanalytics.action.AckAlertsAction;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction.java
index a8d4d8003..ef4e19949 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction.java
@@ -8,7 +8,7 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.search.join.ScoreMode;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRunnable;
 import org.opensearch.action.admin.indices.create.CreateIndexResponse;
@@ -24,8 +24,6 @@
 import org.opensearch.client.Client;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.inject.Inject;
-import org.opensearch.common.io.stream.InputStreamStreamInput;
-import org.opensearch.common.io.stream.OutputStreamStreamOutput;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.unit.TimeValue;
 import org.opensearch.common.xcontent.LoggingDeprecationHandler;
@@ -35,13 +33,15 @@
 import org.opensearch.commons.alerting.action.PublishFindingsRequest;
 import org.opensearch.commons.alerting.action.SubscribeFindingsResponse;
 import org.opensearch.commons.alerting.action.AlertingActions;
+import org.opensearch.core.common.io.stream.InputStreamStreamInput;
+import org.opensearch.core.common.io.stream.OutputStreamStreamOutput;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.index.query.BoolQueryBuilder;
 import org.opensearch.index.query.NestedQueryBuilder;
 import org.opensearch.index.query.QueryBuilders;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.SearchHit;
 import org.opensearch.search.SearchHits;
 import org.opensearch.search.builder.SearchSourceBuilder;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportCreateIndexMappingsAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportCreateIndexMappingsAction.java
index 162c45c16..f7f6d8261 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportCreateIndexMappingsAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportCreateIndexMappingsAction.java
@@ -4,7 +4,7 @@
  */
 package org.opensearch.securityanalytics.transport;
 
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
 import org.opensearch.action.support.master.AcknowledgedResponse;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteCorrelationRuleAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteCorrelationRuleAction.java
index 1dc220944..1af67bffd 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteCorrelationRuleAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteCorrelationRuleAction.java
@@ -12,7 +12,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
 import org.opensearch.action.support.WriteRequest;
@@ -23,7 +23,7 @@
 import org.opensearch.index.reindex.BulkByScrollResponse;
 import org.opensearch.index.reindex.DeleteByQueryAction;
 import org.opensearch.index.reindex.DeleteByQueryRequestBuilder;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.action.DeleteCorrelationRuleAction;
 import org.opensearch.securityanalytics.action.DeleteCorrelationRuleRequest;
 import org.opensearch.securityanalytics.model.CorrelationRule;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction.java
index fb190e880..eadf0adb7 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction.java
@@ -10,7 +10,7 @@
 
 import org.apache.lucene.search.join.ScoreMode;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.ActionRunnable;
 import org.opensearch.action.delete.DeleteRequest;
 import org.opensearch.action.delete.DeleteResponse;
@@ -28,7 +28,7 @@
 import org.opensearch.commons.authuser.User;
 import org.opensearch.index.query.QueryBuilder;
 import org.opensearch.index.query.QueryBuilders;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.builder.SearchSourceBuilder;
 import org.opensearch.securityanalytics.action.DeleteCustomLogTypeAction;
 import org.opensearch.securityanalytics.action.DeleteCustomLogTypeRequest;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction.java
index decf798a9..f23a0d9c7 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction.java
@@ -13,7 +13,7 @@
 import org.apache.logging.log4j.Logger;
 import org.opensearch.common.SetOnce;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.ActionRunnable;
 import org.opensearch.action.delete.DeleteRequest;
 import org.opensearch.action.delete.DeleteResponse;
@@ -34,7 +34,7 @@
 import org.opensearch.commons.alerting.action.DeleteMonitorResponse;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.core.xcontent.XContentParser;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.action.DeleteDetectorAction;
 import org.opensearch.securityanalytics.action.DeleteDetectorRequest;
 import org.opensearch.securityanalytics.action.DeleteDetectorResponse;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction.java
index 639f8c823..44cb7ae56 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction.java
@@ -8,7 +8,7 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.search.join.ScoreMode;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.ActionRunnable;
 import org.opensearch.action.get.GetRequest;
 import org.opensearch.action.get.GetResponse;
@@ -29,7 +29,7 @@
 import org.opensearch.index.reindex.DeleteByQueryAction;
 import org.opensearch.index.reindex.DeleteByQueryRequestBuilder;
 import org.opensearch.rest.RestRequest;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.SearchHit;
 import org.opensearch.search.builder.SearchSourceBuilder;
 import org.opensearch.securityanalytics.action.DeleteRuleAction;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAlertsAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAlertsAction.java
index 8af3d0fd8..e664e75ae 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAlertsAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAlertsAction.java
@@ -11,7 +11,7 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.search.join.ScoreMode;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.search.SearchRequest;
 import org.opensearch.action.search.SearchResponse;
 import org.opensearch.action.support.ActionFilters;
@@ -24,7 +24,7 @@
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.index.query.NestedQueryBuilder;
 import org.opensearch.index.query.QueryBuilders;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.builder.SearchSourceBuilder;
 import org.opensearch.securityanalytics.action.GetAlertsAction;
 import org.opensearch.securityanalytics.action.GetAlertsRequest;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAllRuleCategoriesAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAllRuleCategoriesAction.java
index c8eedaa33..019f598fe 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAllRuleCategoriesAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAllRuleCategoriesAction.java
@@ -5,7 +5,7 @@
 package org.opensearch.securityanalytics.transport;
 
 import java.util.stream.Collectors;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
 import org.opensearch.cluster.service.ClusterService;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetDetectorAction.java
index 47c2e07e5..d23540d3b 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetDetectorAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetDetectorAction.java
@@ -8,7 +8,7 @@
 import org.apache.logging.log4j.Logger;
 
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.get.GetRequest;
 import org.opensearch.action.get.GetResponse;
 import org.opensearch.action.support.ActionFilters;
@@ -17,19 +17,15 @@
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.commons.authuser.User;
 import org.opensearch.common.inject.Inject;
-import org.opensearch.common.io.stream.StreamInput;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.xcontent.XContentHelper;
-import org.opensearch.rest.RestResponse;
-import org.opensearch.rest.BytesRestResponse;
 import org.opensearch.common.xcontent.LoggingDeprecationHandler;
 import org.opensearch.common.xcontent.XContentType;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.core.xcontent.XContentParser;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.action.GetDetectorAction;
 import org.opensearch.securityanalytics.model.Detector;
-import org.opensearch.securityanalytics.model.DetectorInput;
 import org.opensearch.securityanalytics.action.GetDetectorRequest;
 import org.opensearch.securityanalytics.action.GetDetectorResponse;
 import org.opensearch.securityanalytics.settings.SecurityAnalyticsSettings;
@@ -40,10 +36,9 @@
 import org.opensearch.transport.TransportService;
 
 import java.io.IOException;
-import java.util.List;
 
 
-import static org.opensearch.rest.RestStatus.OK;
+import static org.opensearch.core.rest.RestStatus.OK;
 
 public class TransportGetDetectorAction extends HandledTransportAction<GetDetectorRequest, GetDetectorResponse> implements SecureTransportAction {
 
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetFindingsAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetFindingsAction.java
index 5af8eb608..e84f028fe 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetFindingsAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetFindingsAction.java
@@ -11,7 +11,7 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.search.join.ScoreMode;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.search.SearchRequest;
 import org.opensearch.action.search.SearchResponse;
 import org.opensearch.action.support.ActionFilters;
@@ -24,7 +24,7 @@
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.index.query.NestedQueryBuilder;
 import org.opensearch.index.query.QueryBuilders;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.builder.SearchSourceBuilder;
 import org.opensearch.securityanalytics.action.GetFindingsAction;
 import org.opensearch.securityanalytics.action.GetFindingsRequest;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetIndexMappingsAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetIndexMappingsAction.java
index b8b9110d8..e2154f51a 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetIndexMappingsAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetIndexMappingsAction.java
@@ -5,13 +5,13 @@
 package org.opensearch.securityanalytics.transport;
 
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
 import org.opensearch.cluster.metadata.IndexMetadata;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.inject.Inject;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.action.GetIndexMappingsAction;
 import org.opensearch.securityanalytics.mapper.MapperService;
 import org.opensearch.securityanalytics.action.GetIndexMappingsRequest;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetMappingsViewAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetMappingsViewAction.java
index 319bc5bca..38c761261 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetMappingsViewAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetMappingsViewAction.java
@@ -5,13 +5,13 @@
 package org.opensearch.securityanalytics.transport;
 
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
 import org.opensearch.cluster.metadata.IndexMetadata;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.inject.Inject;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.action.GetIndexMappingsAction;
 import org.opensearch.securityanalytics.action.GetIndexMappingsRequest;
 import org.opensearch.securityanalytics.action.GetIndexMappingsResponse;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexCorrelationRuleAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexCorrelationRuleAction.java
index defa51faa..1bb8f6f73 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexCorrelationRuleAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexCorrelationRuleAction.java
@@ -11,7 +11,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.admin.indices.create.CreateIndexResponse;
 import org.opensearch.action.index.IndexRequest;
 import org.opensearch.action.index.IndexResponse;
@@ -26,7 +26,7 @@
 import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.core.xcontent.ToXContent;
 import org.opensearch.rest.RestRequest;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.action.IndexCorrelationRuleAction;
 import org.opensearch.securityanalytics.action.IndexCorrelationRuleRequest;
 import org.opensearch.securityanalytics.action.IndexCorrelationRuleResponse;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction.java
index 70e9b26f4..95f0ee93f 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction.java
@@ -10,7 +10,7 @@
 
 import org.apache.lucene.search.join.ScoreMode;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.ActionRunnable;
 import org.opensearch.action.admin.indices.create.CreateIndexResponse;
 import org.opensearch.action.index.IndexRequest;
@@ -32,7 +32,7 @@
 import org.opensearch.index.query.QueryBuilder;
 import org.opensearch.index.query.QueryBuilders;
 import org.opensearch.rest.RestRequest;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.aggregations.AggregationBuilders;
 import org.opensearch.search.aggregations.metrics.Max;
 import org.opensearch.search.aggregations.metrics.MaxAggregationBuilder;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java
index d8d4c99bf..c7d17e572 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java
@@ -10,7 +10,7 @@
 import org.apache.lucene.search.join.ScoreMode;
 import org.opensearch.common.SetOnce;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.ActionRunnable;
 import org.opensearch.action.StepListener;
 import org.opensearch.action.admin.indices.create.CreateIndexResponse;
@@ -32,16 +32,15 @@
 import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
 import org.opensearch.cluster.metadata.MappingMetadata;
 import org.opensearch.cluster.service.ClusterService;
-import org.opensearch.common.CheckedConsumer;
 import org.opensearch.common.SetOnce;
 import org.opensearch.common.inject.Inject;
-import org.opensearch.common.io.stream.NamedWriteableRegistry;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.unit.TimeValue;
 import org.opensearch.common.xcontent.LoggingDeprecationHandler;
 import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.common.xcontent.XContentHelper;
-import org.opensearch.core.xcontent.XContentParser;
+import org.opensearch.core.common.io.stream.NamedWriteableRegistry;
+import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.common.xcontent.XContentType;
 import org.opensearch.commons.alerting.AlertingPluginInterface;
 import org.opensearch.commons.alerting.action.DeleteMonitorRequest;
@@ -60,6 +59,7 @@
 import org.opensearch.commons.authuser.User;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.core.xcontent.ToXContent;
+import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.index.query.BoolQueryBuilder;
 import org.opensearch.index.IndexNotFoundException;
 import org.opensearch.index.query.QueryBuilder;
@@ -69,7 +69,7 @@
 import org.opensearch.index.seqno.SequenceNumbers;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.rest.RestRequest.Method;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.script.Script;
 import org.opensearch.search.SearchHit;
 import org.opensearch.search.SearchHits;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexRuleAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexRuleAction.java
index da0afefc0..d13d499d8 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexRuleAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexRuleAction.java
@@ -9,7 +9,6 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.search.join.ScoreMode;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
 import org.opensearch.action.ActionRunnable;
 import org.opensearch.action.admin.indices.create.CreateIndexResponse;
 import org.opensearch.action.index.IndexRequest;
@@ -27,13 +26,14 @@
 import org.opensearch.common.xcontent.LoggingDeprecationHandler;
 import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.common.xcontent.XContentType;
-import org.opensearch.core.xcontent.XContentParser;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.core.xcontent.ToXContent;
+import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.index.query.QueryBuilder;
 import org.opensearch.index.query.QueryBuilders;
 import org.opensearch.rest.RestRequest;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.SearchHit;
 import org.opensearch.search.builder.SearchSourceBuilder;
 import org.opensearch.securityanalytics.action.IndexDetectorAction;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportListCorrelationAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportListCorrelationAction.java
index e42266103..6e8a84296 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportListCorrelationAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportListCorrelationAction.java
@@ -7,7 +7,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.ActionRunnable;
 import org.opensearch.action.search.SearchRequest;
 import org.opensearch.action.search.SearchResponse;
@@ -20,7 +20,7 @@
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.index.query.BoolQueryBuilder;
 import org.opensearch.index.query.QueryBuilders;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.SearchHit;
 import org.opensearch.search.builder.SearchSourceBuilder;
 import org.opensearch.securityanalytics.action.ListCorrelationsAction;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCorrelationAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCorrelationAction.java
index 9152f0042..b23b61396 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCorrelationAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCorrelationAction.java
@@ -8,7 +8,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.ActionRunnable;
 import org.opensearch.action.search.MultiSearchRequest;
 import org.opensearch.action.search.MultiSearchResponse;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCorrelationRuleAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCorrelationRuleAction.java
index 4affd451f..d027d26de 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCorrelationRuleAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCorrelationRuleAction.java
@@ -11,7 +11,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.search.TotalHits;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.search.SearchResponse;
 import org.opensearch.action.search.ShardSearchFailure;
 import org.opensearch.action.support.ActionFilters;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCustomLogTypeAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCustomLogTypeAction.java
index 340cfd9e0..373cbfa48 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCustomLogTypeAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCustomLogTypeAction.java
@@ -8,7 +8,7 @@
 
 package org.opensearch.securityanalytics.transport;
 
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.search.SearchResponse;
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchDetectorAction.java
index a46952cc6..53ef22a76 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchDetectorAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchDetectorAction.java
@@ -7,29 +7,17 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
-import org.apache.lucene.search.TotalHits;
-import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.search.SearchResponse;
 
-import org.opensearch.action.search.SearchResponseSections;
-import org.opensearch.action.search.ShardSearchFailure;
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
 import org.opensearch.commons.authuser.User;
 import org.opensearch.client.Client;
 import org.opensearch.common.inject.Inject;
-import org.opensearch.common.io.stream.StreamInput;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
-import org.opensearch.rest.RestStatus;
-import org.opensearch.search.SearchHit;
-import org.opensearch.search.SearchHits;
-import org.opensearch.search.aggregations.InternalAggregations;
-import org.opensearch.search.internal.InternalSearchResponse;
-import org.opensearch.search.profile.SearchProfileShardResults;
-import org.opensearch.search.suggest.Suggest;
 import org.opensearch.securityanalytics.action.SearchDetectorAction;
 import org.opensearch.securityanalytics.action.SearchDetectorRequest;
 import org.opensearch.securityanalytics.settings.SecurityAnalyticsSettings;
@@ -39,11 +27,6 @@
 import org.opensearch.tasks.Task;
 import org.opensearch.transport.TransportService;
 
-
-import java.util.Collections;
-import java.util.Locale;
-
-import static org.opensearch.rest.RestStatus.OK;
 import static org.opensearch.securityanalytics.util.DetectorUtils.getEmptySearchResponse;
 
 public class TransportSearchDetectorAction extends HandledTransportAction<SearchDetectorRequest, SearchResponse> implements SecureTransportAction {
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchRuleAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchRuleAction.java
index 4f5f4c4d1..ec4b9bf93 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchRuleAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchRuleAction.java
@@ -7,7 +7,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.ActionRunnable;
 import org.opensearch.action.admin.indices.create.CreateIndexResponse;
 import org.opensearch.action.bulk.BulkResponse;
@@ -24,7 +24,7 @@
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.unit.TimeValue;
 import org.opensearch.index.reindex.BulkByScrollResponse;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.internal.InternalSearchResponse;
 import org.opensearch.securityanalytics.action.SearchRuleAction;
 import org.opensearch.securityanalytics.action.SearchRuleRequest;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportUpdateIndexMappingsAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportUpdateIndexMappingsAction.java
index 3717e24b2..e1fc442d8 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportUpdateIndexMappingsAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportUpdateIndexMappingsAction.java
@@ -5,14 +5,14 @@
 package org.opensearch.securityanalytics.transport;
 
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
 import org.opensearch.action.support.master.AcknowledgedResponse;
 import org.opensearch.cluster.metadata.IndexMetadata;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.inject.Inject;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.action.UpdateIndexMappingsAction;
 import org.opensearch.securityanalytics.mapper.MapperService;
 import org.opensearch.securityanalytics.action.UpdateIndexMappingsRequest;
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportValidateRulesAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportValidateRulesAction.java
index 2023c25bc..f6151bd69 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportValidateRulesAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportValidateRulesAction.java
@@ -6,7 +6,7 @@
 
 import java.util.List;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.StepListener;
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
@@ -15,7 +15,7 @@
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.inject.Inject;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.action.ValidateRulesAction;
 import org.opensearch.securityanalytics.action.ValidateRulesRequest;
 import org.opensearch.securityanalytics.action.ValidateRulesResponse;
diff --git a/src/main/java/org/opensearch/securityanalytics/util/CorrelationIndices.java b/src/main/java/org/opensearch/securityanalytics/util/CorrelationIndices.java
index a68064853..efb96a45f 100644
--- a/src/main/java/org/opensearch/securityanalytics/util/CorrelationIndices.java
+++ b/src/main/java/org/opensearch/securityanalytics/util/CorrelationIndices.java
@@ -7,7 +7,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.admin.indices.create.CreateIndexRequest;
 import org.opensearch.action.admin.indices.create.CreateIndexResponse;
 import org.opensearch.action.bulk.BulkRequest;
@@ -24,7 +24,7 @@
 import org.opensearch.common.unit.TimeValue;
 import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.core.xcontent.XContentBuilder;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 
 import java.io.IOException;
 import java.nio.charset.Charset;
diff --git a/src/main/java/org/opensearch/securityanalytics/util/CorrelationRuleIndices.java b/src/main/java/org/opensearch/securityanalytics/util/CorrelationRuleIndices.java
index 69eb83bc7..d131e47b4 100644
--- a/src/main/java/org/opensearch/securityanalytics/util/CorrelationRuleIndices.java
+++ b/src/main/java/org/opensearch/securityanalytics/util/CorrelationRuleIndices.java
@@ -10,7 +10,7 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.admin.indices.create.CreateIndexRequest;
 import org.opensearch.action.admin.indices.create.CreateIndexResponse;
 import org.opensearch.client.Client;
diff --git a/src/main/java/org/opensearch/securityanalytics/util/CustomLogTypeIndices.java b/src/main/java/org/opensearch/securityanalytics/util/CustomLogTypeIndices.java
index 7b9e6e066..c2aa0d977 100644
--- a/src/main/java/org/opensearch/securityanalytics/util/CustomLogTypeIndices.java
+++ b/src/main/java/org/opensearch/securityanalytics/util/CustomLogTypeIndices.java
@@ -6,7 +6,7 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.admin.indices.create.CreateIndexRequest;
 import org.opensearch.action.admin.indices.create.CreateIndexResponse;
 import org.opensearch.client.AdminClient;
diff --git a/src/main/java/org/opensearch/securityanalytics/util/DetectorIndices.java b/src/main/java/org/opensearch/securityanalytics/util/DetectorIndices.java
index f98cdef11..d6a81e134 100644
--- a/src/main/java/org/opensearch/securityanalytics/util/DetectorIndices.java
+++ b/src/main/java/org/opensearch/securityanalytics/util/DetectorIndices.java
@@ -6,7 +6,7 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.admin.indices.create.CreateIndexRequest;
 import org.opensearch.action.admin.indices.create.CreateIndexResponse;
 import org.opensearch.client.AdminClient;
diff --git a/src/main/java/org/opensearch/securityanalytics/util/DetectorUtils.java b/src/main/java/org/opensearch/securityanalytics/util/DetectorUtils.java
index 4a60a8fcb..d7f205c89 100644
--- a/src/main/java/org/opensearch/securityanalytics/util/DetectorUtils.java
+++ b/src/main/java/org/opensearch/securityanalytics/util/DetectorUtils.java
@@ -5,7 +5,7 @@
 package org.opensearch.securityanalytics.util;
 
 import org.apache.lucene.search.TotalHits;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.search.SearchRequest;
 import org.opensearch.action.search.SearchResponse;
 import org.opensearch.action.search.ShardSearchFailure;
diff --git a/src/main/java/org/opensearch/securityanalytics/util/IndexUtils.java b/src/main/java/org/opensearch/securityanalytics/util/IndexUtils.java
index aaff505bc..1632b2188 100644
--- a/src/main/java/org/opensearch/securityanalytics/util/IndexUtils.java
+++ b/src/main/java/org/opensearch/securityanalytics/util/IndexUtils.java
@@ -5,7 +5,7 @@
 package org.opensearch.securityanalytics.util;
 
 import java.util.SortedMap;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.admin.indices.mapping.put.PutMappingRequest;
 import org.opensearch.action.support.IndicesOptions;
 import org.opensearch.action.support.master.AcknowledgedResponse;
diff --git a/src/main/java/org/opensearch/securityanalytics/util/RuleIndices.java b/src/main/java/org/opensearch/securityanalytics/util/RuleIndices.java
index 5a0da3a2e..6916f7532 100644
--- a/src/main/java/org/opensearch/securityanalytics/util/RuleIndices.java
+++ b/src/main/java/org/opensearch/securityanalytics/util/RuleIndices.java
@@ -8,7 +8,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.opensearch.OpenSearchStatusException;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.admin.indices.create.CreateIndexRequest;
 import org.opensearch.action.admin.indices.create.CreateIndexResponse;
 import org.opensearch.action.admin.indices.mapping.get.GetMappingsRequest;
@@ -39,7 +39,7 @@
 import org.opensearch.index.reindex.BulkByScrollResponse;
 import org.opensearch.index.reindex.DeleteByQueryAction;
 import org.opensearch.index.reindex.DeleteByQueryRequestBuilder;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.SearchHit;
 import org.opensearch.search.builder.SearchSourceBuilder;
 import org.opensearch.securityanalytics.logtype.LogTypeService;
diff --git a/src/main/java/org/opensearch/securityanalytics/util/RuleTopicIndices.java b/src/main/java/org/opensearch/securityanalytics/util/RuleTopicIndices.java
index 13c4478ac..8f0f1cab5 100644
--- a/src/main/java/org/opensearch/securityanalytics/util/RuleTopicIndices.java
+++ b/src/main/java/org/opensearch/securityanalytics/util/RuleTopicIndices.java
@@ -12,7 +12,7 @@
 import java.util.stream.Collectors;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.admin.indices.template.put.PutComposableIndexTemplateAction;
 import org.opensearch.action.support.master.AcknowledgedResponse;
 import org.opensearch.client.Client;
diff --git a/src/main/java/org/opensearch/securityanalytics/util/RuleValidator.java b/src/main/java/org/opensearch/securityanalytics/util/RuleValidator.java
index 937265908..d5927088b 100644
--- a/src/main/java/org/opensearch/securityanalytics/util/RuleValidator.java
+++ b/src/main/java/org/opensearch/securityanalytics/util/RuleValidator.java
@@ -8,7 +8,7 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.stream.Collectors;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.StepListener;
 import org.opensearch.action.search.SearchRequest;
 import org.opensearch.action.search.SearchResponse;
diff --git a/src/main/java/org/opensearch/securityanalytics/util/SecurityAnalyticsException.java b/src/main/java/org/opensearch/securityanalytics/util/SecurityAnalyticsException.java
index b54ed9072..5c0b45265 100644
--- a/src/main/java/org/opensearch/securityanalytics/util/SecurityAnalyticsException.java
+++ b/src/main/java/org/opensearch/securityanalytics/util/SecurityAnalyticsException.java
@@ -10,7 +10,7 @@
 import org.opensearch.core.common.Strings;
 import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.core.xcontent.XContentBuilder;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 
 import java.io.IOException;
 import java.util.List;
@@ -78,7 +78,7 @@ public static OpenSearchException wrap(List<Exception> ex) {
                 log.error("Security Analytics error:", e);
             }
             builder.endObject();
-            String friendlyMsg = org.opensearch.common.Strings.toString(builder);
+            String friendlyMsg = builder.toString();
 
             return new SecurityAnalyticsException(friendlyMsg, status, new Exception(String.format(Locale.getDefault(), "%s: %s", ex.getClass().getName(), friendlyMsg)));
         } catch (IOException e) {
diff --git a/src/main/java/org/opensearch/securityanalytics/util/XContentUtils.java b/src/main/java/org/opensearch/securityanalytics/util/XContentUtils.java
index 1b3c21e8b..5389758af 100644
--- a/src/main/java/org/opensearch/securityanalytics/util/XContentUtils.java
+++ b/src/main/java/org/opensearch/securityanalytics/util/XContentUtils.java
@@ -7,16 +7,17 @@
 
 import java.io.IOException;
 import java.util.Map;
-import org.opensearch.common.bytes.BytesReference;
+import org.opensearch.core.common.bytes.BytesReference;
 import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.common.xcontent.XContentHelper;
 import org.opensearch.common.xcontent.XContentType;
+import org.opensearch.core.xcontent.MediaTypeRegistry;
 import org.opensearch.core.xcontent.XContentBuilder;
 
 public class XContentUtils {
 
     public static String parseMapToJsonString(Map<String, Object> map) throws IOException {
-        XContentBuilder builder = XContentFactory.contentBuilder(XContentType.JSON);
+        XContentBuilder builder = MediaTypeRegistry.JSON.contentBuilder();
         builder.map(map);
         return XContentHelper.convertToJson(
                 BytesReference.bytes(builder),
diff --git a/src/main/resources/OSMapping/ad_ldap_logtype.json b/src/main/resources/OSMapping/ad_ldap_logtype.json
index 70bfc9a02..e3434bca5 100644
--- a/src/main/resources/OSMapping/ad_ldap_logtype.json
+++ b/src/main/resources/OSMapping/ad_ldap_logtype.json
@@ -96,4 +96,4 @@
       "ecs":"azure.auditlogs.properties.activity_display_name"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/apache_access_logtype.json b/src/main/resources/OSMapping/apache_access_logtype.json
index 0cd1ecab4..7753c8440 100644
--- a/src/main/resources/OSMapping/apache_access_logtype.json
+++ b/src/main/resources/OSMapping/apache_access_logtype.json
@@ -3,4 +3,4 @@
   "description": "Apache Access Log type",
   "is_builtin": true,
   "mappings": []
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/azure_logtype.json b/src/main/resources/OSMapping/azure_logtype.json
index 649539383..ec9ae0502 100644
--- a/src/main/resources/OSMapping/azure_logtype.json
+++ b/src/main/resources/OSMapping/azure_logtype.json
@@ -212,4 +212,4 @@
       "ecs":"azure.signinlogs.properties.network_location_details"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/cloudtrail_logtype.json b/src/main/resources/OSMapping/cloudtrail_logtype.json
index f326a7146..389652373 100644
--- a/src/main/resources/OSMapping/cloudtrail_logtype.json
+++ b/src/main/resources/OSMapping/cloudtrail_logtype.json
@@ -219,4 +219,4 @@
       "ocsf": "time"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/dns_logtype.json b/src/main/resources/OSMapping/dns_logtype.json
index b286eb342..ca2f5451a 100644
--- a/src/main/resources/OSMapping/dns_logtype.json
+++ b/src/main/resources/OSMapping/dns_logtype.json
@@ -114,4 +114,4 @@
       "ocsf": "unmapped.creationTime"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/github_logtype.json b/src/main/resources/OSMapping/github_logtype.json
index 415d442e9..6369e2949 100644
--- a/src/main/resources/OSMapping/github_logtype.json
+++ b/src/main/resources/OSMapping/github_logtype.json
@@ -8,4 +8,4 @@
       "ecs":"github.action"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/gworkspace_logtype.json b/src/main/resources/OSMapping/gworkspace_logtype.json
index 4c3507ca5..b0006b6a3 100644
--- a/src/main/resources/OSMapping/gworkspace_logtype.json
+++ b/src/main/resources/OSMapping/gworkspace_logtype.json
@@ -16,4 +16,4 @@
       "ecs":"google_workspace.admin.new_value"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/linux_logtype.json b/src/main/resources/OSMapping/linux_logtype.json
index 0f8a54c4d..f719913c0 100644
--- a/src/main/resources/OSMapping/linux_logtype.json
+++ b/src/main/resources/OSMapping/linux_logtype.json
@@ -60,4 +60,4 @@
       "ecs":"timestamp"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/logtypes.json b/src/main/resources/OSMapping/logtypes.json
index 4185696e5..13e90587e 100644
--- a/src/main/resources/OSMapping/logtypes.json
+++ b/src/main/resources/OSMapping/logtypes.json
@@ -175,4 +175,4 @@
       "correlation_id": 23
     }
   }
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/m365_logtype.json b/src/main/resources/OSMapping/m365_logtype.json
index 6c9b3eb8b..6547d3d63 100644
--- a/src/main/resources/OSMapping/m365_logtype.json
+++ b/src/main/resources/OSMapping/m365_logtype.json
@@ -20,4 +20,4 @@
       "ecs":"rsa.misc.payload_dst"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/netflow_logtype.json b/src/main/resources/OSMapping/netflow_logtype.json
index 2b8259f4c..d8ec32632 100644
--- a/src/main/resources/OSMapping/netflow_logtype.json
+++ b/src/main/resources/OSMapping/netflow_logtype.json
@@ -32,4 +32,4 @@
       "ecs":"timestamp"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/network_logtype.json b/src/main/resources/OSMapping/network_logtype.json
index 0dddf260e..90f0b2ee6 100644
--- a/src/main/resources/OSMapping/network_logtype.json
+++ b/src/main/resources/OSMapping/network_logtype.json
@@ -132,4 +132,4 @@
       "ecs":"service"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/okta_logtype.json b/src/main/resources/OSMapping/okta_logtype.json
index 96bda55bb..8038b7f01 100644
--- a/src/main/resources/OSMapping/okta_logtype.json
+++ b/src/main/resources/OSMapping/okta_logtype.json
@@ -12,4 +12,4 @@
       "ecs":"okta.display_message"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/others_application_logtype.json b/src/main/resources/OSMapping/others_application_logtype.json
index 1c37fc5f6..d7faf8c94 100644
--- a/src/main/resources/OSMapping/others_application_logtype.json
+++ b/src/main/resources/OSMapping/others_application_logtype.json
@@ -20,4 +20,4 @@
       "ecs":"timestamp"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/others_apt_logtype.json b/src/main/resources/OSMapping/others_apt_logtype.json
index 82b6bb873..ace55cbc3 100644
--- a/src/main/resources/OSMapping/others_apt_logtype.json
+++ b/src/main/resources/OSMapping/others_apt_logtype.json
@@ -20,4 +20,4 @@
       "ecs":"timestamp"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/others_cloud_logtype.json b/src/main/resources/OSMapping/others_cloud_logtype.json
index 65fe1bc7d..b5da3e005 100644
--- a/src/main/resources/OSMapping/others_cloud_logtype.json
+++ b/src/main/resources/OSMapping/others_cloud_logtype.json
@@ -20,4 +20,4 @@
       "ecs":"timestamp"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/others_compliance_logtype.json b/src/main/resources/OSMapping/others_compliance_logtype.json
index 71a29c40c..6f362d589 100644
--- a/src/main/resources/OSMapping/others_compliance_logtype.json
+++ b/src/main/resources/OSMapping/others_compliance_logtype.json
@@ -20,4 +20,4 @@
       "ecs":"timestamp"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/others_macos_logtype.json b/src/main/resources/OSMapping/others_macos_logtype.json
index 4b29c6f77..50d1c2160 100644
--- a/src/main/resources/OSMapping/others_macos_logtype.json
+++ b/src/main/resources/OSMapping/others_macos_logtype.json
@@ -20,4 +20,4 @@
       "ecs":"timestamp"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/others_proxy_logtype.json b/src/main/resources/OSMapping/others_proxy_logtype.json
index e43a543a9..aca4529d1 100644
--- a/src/main/resources/OSMapping/others_proxy_logtype.json
+++ b/src/main/resources/OSMapping/others_proxy_logtype.json
@@ -20,4 +20,4 @@
       "ecs":"timestamp"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/others_web_logtype.json b/src/main/resources/OSMapping/others_web_logtype.json
index 62ce44168..ae8262d52 100644
--- a/src/main/resources/OSMapping/others_web_logtype.json
+++ b/src/main/resources/OSMapping/others_web_logtype.json
@@ -20,4 +20,4 @@
       "ecs":"timestamp"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/s3_logtype.json b/src/main/resources/OSMapping/s3_logtype.json
index d91101e47..58c546258 100644
--- a/src/main/resources/OSMapping/s3_logtype.json
+++ b/src/main/resources/OSMapping/s3_logtype.json
@@ -16,4 +16,4 @@
       "ecs":"timestamp"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/test_windows_logtype.json b/src/main/resources/OSMapping/test_windows_logtype.json
index 096c2b923..7491a954c 100644
--- a/src/main/resources/OSMapping/test_windows_logtype.json
+++ b/src/main/resources/OSMapping/test_windows_logtype.json
@@ -44,4 +44,4 @@
       "ecs":"timestamp"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/vpcflow_logtype.json b/src/main/resources/OSMapping/vpcflow_logtype.json
index 9c8fc38b0..c55305b6d 100644
--- a/src/main/resources/OSMapping/vpcflow_logtype.json
+++ b/src/main/resources/OSMapping/vpcflow_logtype.json
@@ -129,4 +129,4 @@
       "ocsf": "time"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/OSMapping/windows_logtype.json b/src/main/resources/OSMapping/windows_logtype.json
index 4806478c8..a5fef8ea7 100644
--- a/src/main/resources/OSMapping/windows_logtype.json
+++ b/src/main/resources/OSMapping/windows_logtype.json
@@ -832,4 +832,4 @@
       "ecs":"winlog.event_data.Signature"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/mappings/alert_mapping.json b/src/main/resources/mappings/alert_mapping.json
index fcb1d1c94..1d35d4744 100644
--- a/src/main/resources/mappings/alert_mapping.json
+++ b/src/main/resources/mappings/alert_mapping.json
@@ -154,4 +154,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/mappings/correlation.json b/src/main/resources/mappings/correlation.json
index 8fbe2ea71..9ba3292db 100644
--- a/src/main/resources/mappings/correlation.json
+++ b/src/main/resources/mappings/correlation.json
@@ -48,4 +48,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/mappings/detector-settings.json b/src/main/resources/mappings/detector-settings.json
index 53555ddb7..c1dea5b45 100644
--- a/src/main/resources/mappings/detector-settings.json
+++ b/src/main/resources/mappings/detector-settings.json
@@ -19,4 +19,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/mappings/detectors.json b/src/main/resources/mappings/detectors.json
index 0282ee77b..776ed1d39 100644
--- a/src/main/resources/mappings/detectors.json
+++ b/src/main/resources/mappings/detectors.json
@@ -171,4 +171,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/mappings/finding_mapping.json b/src/main/resources/mappings/finding_mapping.json
index 3ffc39478..18faa22f6 100644
--- a/src/main/resources/mappings/finding_mapping.json
+++ b/src/main/resources/mappings/finding_mapping.json
@@ -65,4 +65,4 @@
       "type": "keyword"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/mappings/rules.json b/src/main/resources/mappings/rules.json
index 397331805..0db570049 100644
--- a/src/main/resources/mappings/rules.json
+++ b/src/main/resources/mappings/rules.json
@@ -121,4 +121,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_new_server.yml b/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_new_server.yml
index 9e8562774..96daf5118 100644
--- a/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_new_server.yml
+++ b/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_new_server.yml
@@ -24,4 +24,4 @@ detection:
   condition: selection
 falsepositives:
   - Legitimate AD FS servers added to an AAD Health AD FS service instance
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_service_delete.yml b/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_service_delete.yml
index c325d3d38..f30d3ebd6 100644
--- a/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_service_delete.yml
+++ b/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_service_delete.yml
@@ -24,4 +24,4 @@ detection:
   condition: selection
 falsepositives:
   - Legitimate AAD Health AD FS service instances being deleted in a tenant
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/ad_ldap/azure_ad_user_added_to_admin_role.yml b/src/main/resources/rules/ad_ldap/azure_ad_user_added_to_admin_role.yml
index 39896aa3e..8888c9475 100644
--- a/src/main/resources/rules/ad_ldap/azure_ad_user_added_to_admin_role.yml
+++ b/src/main/resources/rules/ad_ldap/azure_ad_user_added_to_admin_role.yml
@@ -9,8 +9,8 @@ references:
 logsource:
     product: azure
     service: activitylogs
-detection: 
-   selection: 
+detection:
+   selection:
        Operation: 'Add member to role.'
        Workload: 'AzureActiveDirectory'
        ModifiedProperties.NewValue|endswith:
@@ -18,9 +18,9 @@ detection:
            - 'Administrator'
    condition: selection
 falsepositives:
-    - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled. 
+    - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled.
 level: medium
 status: experimental
-tags: 
+tags:
     - attack.persistence
     - attack.t1098.003
diff --git a/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_new_server.yml b/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_new_server.yml
index 8088ce3d7..7ea030282 100644
--- a/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_new_server.yml
+++ b/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_new_server.yml
@@ -24,4 +24,4 @@ detection:
   condition: selection
 falsepositives:
   - Legitimate AD FS servers added to an AAD Health AD FS service instance
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_service_delete.yml b/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_service_delete.yml
index 6fc97a25f..9d1966ce1 100644
--- a/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_service_delete.yml
+++ b/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_service_delete.yml
@@ -24,4 +24,4 @@ detection:
   condition: selection
 falsepositives:
   - Legitimate AAD Health AD FS service instances being deleted in a tenant
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/azure/azure_account_lockout.yml b/src/main/resources/rules/azure/azure_account_lockout.yml
index 4a13747c1..102f1de5c 100644
--- a/src/main/resources/rules/azure/azure_account_lockout.yml
+++ b/src/main/resources/rules/azure/azure_account_lockout.yml
@@ -1,8 +1,8 @@
-title: Account Lockout 
+title: Account Lockout
 id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a
 status: experimental
 author: AlertIQ
-date: 2021/10/10  
+date: 2021/10/10
 description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
 references:
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
diff --git a/src/main/resources/rules/azure/azure_app_appid_uri_changes.yml b/src/main/resources/rules/azure/azure_app_appid_uri_changes.yml
index 1a765db8c..3b4020f58 100644
--- a/src/main/resources/rules/azure/azure_app_appid_uri_changes.yml
+++ b/src/main/resources/rules/azure/azure_app_appid_uri_changes.yml
@@ -1,6 +1,6 @@
 title: Application AppID Uri Configuration Changes
 id: 1b45b0d1-773f-4f23-aedc-814b759563b1
-description: Detects when a configuration change is made to an applications AppID URI. 
+description: Detects when a configuration change is made to an applications AppID URI.
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022/06/02
 references:
@@ -10,7 +10,7 @@ logsource:
   service: auditlogs
 detection:
   selection:
-    properties.message: 
+    properties.message:
       - Update Application
       - Update Service principal
   condition: selection
@@ -18,7 +18,7 @@ falsepositives:
   - When and administrator is making legitmate AppID URI configuration changes to an application. This should be a planned event.
 level: high
 status: experimental
-tags: 
+tags:
   - attack.t1528
   - attack.persistence
   - attack.credential_access
diff --git a/src/main/resources/rules/azure/azure_app_credential_added.yml b/src/main/resources/rules/azure/azure_app_credential_added.yml
index 0942ad419..21f08f9e1 100644
--- a/src/main/resources/rules/azure/azure_app_credential_added.yml
+++ b/src/main/resources/rules/azure/azure_app_credential_added.yml
@@ -1,6 +1,6 @@
 title: Added Credentials to Existing Application
 id: cbb67ecc-fb70-4467-9350-c910bdf7c628
-description: Detects when a new credential is added to an existing applcation. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.  
+description: Detects when a new credential is added to an existing applcation. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022/05/26
 references:
@@ -10,7 +10,7 @@ logsource:
   service: auditlogs
 detection:
   selection:
-    properties.message: 
+    properties.message:
       - Update Application-Certificates and secrets management
       - Update Service principal/Update Application
   condition: selection
@@ -18,6 +18,6 @@ falsepositives:
   - When credentials are added/removed as part of the normal working hours/workflows
 level: high
 status: experimental
-tags: 
+tags:
   - attack.t1098
   - attack.persistence
diff --git a/src/main/resources/rules/azure/azure_app_credential_modification.yml b/src/main/resources/rules/azure/azure_app_credential_modification.yml
index bca556a2e..5f226d2fc 100644
--- a/src/main/resources/rules/azure/azure_app_credential_modification.yml
+++ b/src/main/resources/rules/azure/azure_app_credential_modification.yml
@@ -17,6 +17,6 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Application credential added may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Application credential added may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_app_device_code_authentication.yml b/src/main/resources/rules/azure/azure_app_device_code_authentication.yml
index 0854d4a5b..5301f8db6 100644
--- a/src/main/resources/rules/azure/azure_app_device_code_authentication.yml
+++ b/src/main/resources/rules/azure/azure_app_device_code_authentication.yml
@@ -19,7 +19,7 @@ detection:
 falsepositives:
   - Applications that are input constrained will need to use device code flow and are valid authentications.
 level: medium
-tags: 
+tags:
   - attack.t1078
   - attack.defense_evasion
   - attack.persistence
diff --git a/src/main/resources/rules/azure/azure_app_owner_added.yml b/src/main/resources/rules/azure/azure_app_owner_added.yml
index de29eb8ed..54b3b92f6 100644
--- a/src/main/resources/rules/azure/azure_app_owner_added.yml
+++ b/src/main/resources/rules/azure/azure_app_owner_added.yml
@@ -1,6 +1,6 @@
 title: Added Owner To Application
 id: 74298991-9fc4-460e-a92e-511aa60baec1
-description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application. 
+description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022/06/02
 references:
@@ -13,10 +13,10 @@ detection:
     properties.message: Add owner to application
   condition: selection
 falsepositives:
-  - When a new application owner is added by an administrator   
+  - When a new application owner is added by an administrator
 level: medium
 status: experimental
-tags: 
+tags:
   - attack.t1528
   - attack.persistence
   - attack.credential_access
diff --git a/src/main/resources/rules/azure/azure_app_ropc_authentication.yml b/src/main/resources/rules/azure/azure_app_ropc_authentication.yml
index f2cec560f..82222f0ca 100644
--- a/src/main/resources/rules/azure/azure_app_ropc_authentication.yml
+++ b/src/main/resources/rules/azure/azure_app_ropc_authentication.yml
@@ -1,6 +1,6 @@
 title: Applications That Are Using ROPC Authentication Flow
 id: 55695bc0-c8cf-461f-a379-2535f563c854
-description: Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.  
+description: Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022/06/01
 references:
@@ -16,7 +16,7 @@ falsepositives:
   - Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow
 level: medium
 status: experimental
-tags: 
+tags:
   - attack.t1078
   - attack.defense_evasion
   - attack.persistence
diff --git a/src/main/resources/rules/azure/azure_app_uri_modifications.yml b/src/main/resources/rules/azure/azure_app_uri_modifications.yml
index d5724b91d..a2cda3522 100644
--- a/src/main/resources/rules/azure/azure_app_uri_modifications.yml
+++ b/src/main/resources/rules/azure/azure_app_uri_modifications.yml
@@ -1,8 +1,8 @@
 title: Application URI Configuration Changes
 id: 0055ad1f-be85-4798-83cf-a6da17c993b3
-description: Detects when a configuration change is made to an applications URI. 
+description: Detects when a configuration change is made to an applications URI.
   URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app,
-  or URIs that point to domains you do not control should be investigated.   
+  or URIs that point to domains you do not control should be investigated.
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022/06/02
 references:
@@ -15,10 +15,10 @@ detection:
     properties.message: Update Application Sucess- Property Name AppAddress
   condition: selection
 falsepositives:
-  - When and administrator is making legitmate URI configuration changes to an application. This should be a planned event. 
+  - When and administrator is making legitmate URI configuration changes to an application. This should be a planned event.
 level: high
 status: experimental
-tags: 
+tags:
   - attack.t1528
   - attack.persistence
   - attack.credential_access
diff --git a/src/main/resources/rules/azure/azure_application_deleted.yml b/src/main/resources/rules/azure/azure_application_deleted.yml
index 6d3ee5b0d..a2e52ca9d 100644
--- a/src/main/resources/rules/azure/azure_application_deleted.yml
+++ b/src/main/resources/rules/azure/azure_application_deleted.yml
@@ -19,6 +19,6 @@ level: medium
 tags:
     - attack.defense_evasion
 falsepositives:
- - Application being deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Application being deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_application_gateway_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_application_gateway_modified_or_deleted.yml
index dab3bf97c..d242e0caa 100644
--- a/src/main/resources/rules/azure/azure_application_gateway_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_application_gateway_modified_or_deleted.yml
@@ -11,7 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE
             - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE
     condition: selection
@@ -19,6 +19,6 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Application gateway being modified or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Application gateway being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_application_security_group_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_application_security_group_modified_or_deleted.yml
index a770842d0..abd3d183e 100644
--- a/src/main/resources/rules/azure/azure_application_security_group_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_application_security_group_modified_or_deleted.yml
@@ -11,7 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE
             - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE
     condition: selection
@@ -19,6 +19,6 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Application security group being modified or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Application security group being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_change_to_authentication_method.yml b/src/main/resources/rules/azure/azure_change_to_authentication_method.yml
index 812357a27..b251b5c25 100644
--- a/src/main/resources/rules/azure/azure_change_to_authentication_method.yml
+++ b/src/main/resources/rules/azure/azure_change_to_authentication_method.yml
@@ -2,7 +2,7 @@ title: Change to Authentication Method
 id: 4d78a000-ab52-4564-88a5-7ab5242b20c7
 status: experimental
 author: AlertIQ
-date: 2021/10/10  
+date: 2021/10/10
 description: Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access.
 references:
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
diff --git a/src/main/resources/rules/azure/azure_container_registry_created_or_deleted.yml b/src/main/resources/rules/azure/azure_container_registry_created_or_deleted.yml
index b394ce894..e47111824 100644
--- a/src/main/resources/rules/azure/azure_container_registry_created_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_container_registry_created_or_deleted.yml
@@ -15,7 +15,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE
             - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE
     condition: selection
diff --git a/src/main/resources/rules/azure/azure_device_no_longer_managed_or_compliant.yml b/src/main/resources/rules/azure/azure_device_no_longer_managed_or_compliant.yml
index 0c33bda86..5fc10bc63 100644
--- a/src/main/resources/rules/azure/azure_device_no_longer_managed_or_compliant.yml
+++ b/src/main/resources/rules/azure/azure_device_no_longer_managed_or_compliant.yml
@@ -11,7 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - Device no longer compliant
             - Device no longer managed
     condition: selection
@@ -19,4 +19,4 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Administrator may have forgotten to review the device. 
+ - Administrator may have forgotten to review the device.
diff --git a/src/main/resources/rules/azure/azure_device_or_configuration_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_device_or_configuration_modified_or_deleted.yml
index cc5aa33d2..9f18c1e9f 100644
--- a/src/main/resources/rules/azure/azure_device_or_configuration_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_device_or_configuration_modified_or_deleted.yml
@@ -11,7 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - Delete device
             - Delete device configuration
             - Update device
@@ -21,6 +21,6 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Device or device configuration being modified or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Device or device configuration being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_dns_zone_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_dns_zone_modified_or_deleted.yml
index 80d55642b..faa86c01e 100644
--- a/src/main/resources/rules/azure/azure_dns_zone_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_dns_zone_modified_or_deleted.yml
@@ -20,5 +20,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_federation_modified.yml b/src/main/resources/rules/azure/azure_federation_modified.yml
index e8c1458f5..4512ee967 100644
--- a/src/main/resources/rules/azure/azure_federation_modified.yml
+++ b/src/main/resources/rules/azure/azure_federation_modified.yml
@@ -20,7 +20,6 @@ tags:
     - attack.initial_access
     - attack.t1078
 falsepositives:
- - Federation Settings being modified or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Federation Settings being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
-
diff --git a/src/main/resources/rules/azure/azure_firewall_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_firewall_modified_or_deleted.yml
index 2d09758ae..28c659a05 100644
--- a/src/main/resources/rules/azure/azure_firewall_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_firewall_modified_or_deleted.yml
@@ -11,7 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE
             - MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE
     condition: selection
@@ -19,5 +19,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_firewall_rule_collection_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_firewall_rule_collection_modified_or_deleted.yml
index 30281498e..de1fc0c5d 100644
--- a/src/main/resources/rules/azure/azure_firewall_rule_collection_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_firewall_rule_collection_modified_or_deleted.yml
@@ -11,7 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE
             - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE
             - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE
@@ -23,5 +23,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_keyvault_key_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_keyvault_key_modified_or_deleted.yml
index fe2af9ae7..ab657e79c 100644
--- a/src/main/resources/rules/azure/azure_keyvault_key_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_keyvault_key_modified_or_deleted.yml
@@ -11,7 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION
             - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE
             - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION
@@ -29,6 +29,6 @@ tags:
     - attack.t1552
     - attack.t1552.001
 falsepositives:
- - Key being modified or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Key being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_keyvault_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_keyvault_modified_or_deleted.yml
index cc596dcbf..d63cfe24d 100644
--- a/src/main/resources/rules/azure/azure_keyvault_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_keyvault_modified_or_deleted.yml
@@ -24,6 +24,6 @@ tags:
     - attack.t1552
     - attack.t1552.001
 falsepositives:
- - Key Vault being modified or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Key Vault being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_keyvault_secrets_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_keyvault_secrets_modified_or_deleted.yml
index 53f85064a..b31895d4a 100644
--- a/src/main/resources/rules/azure/azure_keyvault_secrets_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_keyvault_secrets_modified_or_deleted.yml
@@ -11,7 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE
             - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE
             - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION
@@ -28,6 +28,6 @@ tags:
     - attack.t1552
     - attack.t1552.001
 falsepositives:
- - Secrets being modified or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Secrets being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_kubernetes_admission_controller.yml b/src/main/resources/rules/azure/azure_kubernetes_admission_controller.yml
index 3e2dbbbae..d8f36f7b2 100644
--- a/src/main/resources/rules/azure/azure_kubernetes_admission_controller.yml
+++ b/src/main/resources/rules/azure/azure_kubernetes_admission_controller.yml
@@ -30,5 +30,5 @@ tags:
     - attack.t1552
     - attack.t1552.007
 falsepositives:
-- Azure Kubernetes Admissions Controller may be done by a system administrator. 
+- Azure Kubernetes Admissions Controller may be done by a system administrator.
 - If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_kubernetes_cluster_created_or_deleted.yml b/src/main/resources/rules/azure/azure_kubernetes_cluster_created_or_deleted.yml
index 6af9fe8ac..d9be4f586 100644
--- a/src/main/resources/rules/azure/azure_kubernetes_cluster_created_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_kubernetes_cluster_created_or_deleted.yml
@@ -15,7 +15,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE
     condition: selection
@@ -25,4 +25,3 @@ tags:
 falsepositives:
  - Kubernetes cluster being created or  deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- 
diff --git a/src/main/resources/rules/azure/azure_kubernetes_events_deleted.yml b/src/main/resources/rules/azure/azure_kubernetes_events_deleted.yml
index 7c4aefd91..9252c26fb 100644
--- a/src/main/resources/rules/azure/azure_kubernetes_events_deleted.yml
+++ b/src/main/resources/rules/azure/azure_kubernetes_events_deleted.yml
@@ -21,4 +21,3 @@ tags:
     - attack.t1562.001
 falsepositives:
 - Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
-
diff --git a/src/main/resources/rules/azure/azure_kubernetes_network_policy_change.yml b/src/main/resources/rules/azure/azure_kubernetes_network_policy_change.yml
index e731c0d87..71b65a4f2 100644
--- a/src/main/resources/rules/azure/azure_kubernetes_network_policy_change.yml
+++ b/src/main/resources/rules/azure/azure_kubernetes_network_policy_change.yml
@@ -15,9 +15,9 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE
-            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE 
+            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE
     condition: selection
diff --git a/src/main/resources/rules/azure/azure_kubernetes_role_access.yml b/src/main/resources/rules/azure/azure_kubernetes_role_access.yml
index b13335b6b..a3c9bf010 100644
--- a/src/main/resources/rules/azure/azure_kubernetes_role_access.yml
+++ b/src/main/resources/rules/azure/azure_kubernetes_role_access.yml
@@ -15,7 +15,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION
diff --git a/src/main/resources/rules/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml
index 923169ffe..efea094a1 100644
--- a/src/main/resources/rules/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml
@@ -15,8 +15,8 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
-            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE 
+        properties.message:
+            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE
@@ -26,6 +26,5 @@ tags:
     - attack.impact
     - attack.credential_access
 falsepositives:
- - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- 
diff --git a/src/main/resources/rules/azure/azure_kubernetes_secret_or_config_object_access.yml b/src/main/resources/rules/azure/azure_kubernetes_secret_or_config_object_access.yml
index 3f24ab0ba..f809df396 100644
--- a/src/main/resources/rules/azure/azure_kubernetes_secret_or_config_object_access.yml
+++ b/src/main/resources/rules/azure/azure_kubernetes_secret_or_config_object_access.yml
@@ -15,8 +15,8 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
-            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE 
+        properties.message:
+            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE
diff --git a/src/main/resources/rules/azure/azure_kubernetes_service_account_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_kubernetes_service_account_modified_or_deleted.yml
index 6a56ea6c6..355e7bd31 100644
--- a/src/main/resources/rules/azure/azure_kubernetes_service_account_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_kubernetes_service_account_modified_or_deleted.yml
@@ -15,7 +15,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION
diff --git a/src/main/resources/rules/azure/azure_login_to_disabled_account.yml b/src/main/resources/rules/azure/azure_login_to_disabled_account.yml
index 8f8392ca8..41c45d939 100644
--- a/src/main/resources/rules/azure/azure_login_to_disabled_account.yml
+++ b/src/main/resources/rules/azure/azure_login_to_disabled_account.yml
@@ -2,7 +2,7 @@ title: Login to Disabled Account
 id: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8
 status: experimental
 author: AlertIQ
-date: 2021/10/10  
+date: 2021/10/10
 description: Detect failed attempts to sign in to disabled accounts.
 references:
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
@@ -13,7 +13,7 @@ detection:
   selection:
     ResultType: 50057
     ResultDescription: 'User account is disabled. The account has been disabled by an administrator.'
-  condition: selection 
+  condition: selection
 level: medium
 falsepositives:
   - Unknown
diff --git a/src/main/resources/rules/azure/azure_mfa_denies.yml b/src/main/resources/rules/azure/azure_mfa_denies.yml
index 97400b634..f0f63b75e 100644
--- a/src/main/resources/rules/azure/azure_mfa_denies.yml
+++ b/src/main/resources/rules/azure/azure_mfa_denies.yml
@@ -3,7 +3,7 @@ id: e40f4962-b02b-4192-9bfe-245f7ece1f99
 status: experimental
 author: AlertIQ
 date: 2022/03/24
-description: User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account. 
+description: User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.
 references:
   - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
 logsource:
diff --git a/src/main/resources/rules/azure/azure_mfa_interrupted.yml b/src/main/resources/rules/azure/azure_mfa_interrupted.yml
index 8d997688e..5919ea0fe 100644
--- a/src/main/resources/rules/azure/azure_mfa_interrupted.yml
+++ b/src/main/resources/rules/azure/azure_mfa_interrupted.yml
@@ -2,7 +2,7 @@ title: Multifactor Authentication Interupted
 id: 5496ff55-42ec-4369-81cb-00f417029e25
 status: experimental
 author: AlertIQ
-date: 2021/10/10  
+date: 2021/10/10
 description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
 references:
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
diff --git a/src/main/resources/rules/azure/azure_network_firewall_policy_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_network_firewall_policy_modified_or_deleted.yml
index 2a36bbdab..a679d1892 100644
--- a/src/main/resources/rules/azure/azure_network_firewall_policy_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_network_firewall_policy_modified_or_deleted.yml
@@ -11,7 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE
             - MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION
             - MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION
@@ -21,5 +21,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_network_firewall_rule_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_network_firewall_rule_modified_or_deleted.yml
index a2ab1da57..42ef6878a 100644
--- a/src/main/resources/rules/azure/azure_network_firewall_rule_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_network_firewall_rule_modified_or_deleted.yml
@@ -21,5 +21,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_network_p2s_vpn_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_network_p2s_vpn_modified_or_deleted.yml
index c54bd0d56..16373fbd0 100644
--- a/src/main/resources/rules/azure/azure_network_p2s_vpn_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_network_p2s_vpn_modified_or_deleted.yml
@@ -23,5 +23,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_network_security_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_network_security_modified_or_deleted.yml
index cd2f06382..395880e92 100644
--- a/src/main/resources/rules/azure/azure_network_security_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_network_security_modified_or_deleted.yml
@@ -23,5 +23,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_network_virtual_device_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_network_virtual_device_modified_or_deleted.yml
index 5eefd7274..7e8ed5b4a 100644
--- a/src/main/resources/rules/azure/azure_network_virtual_device_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_network_virtual_device_modified_or_deleted.yml
@@ -28,5 +28,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_new_cloudshell_created.yml b/src/main/resources/rules/azure/azure_new_cloudshell_created.yml
index faa1a2c7b..e06b47f2f 100644
--- a/src/main/resources/rules/azure/azure_new_cloudshell_created.yml
+++ b/src/main/resources/rules/azure/azure_new_cloudshell_created.yml
@@ -18,5 +18,4 @@ tags:
     - attack.execution
     - attack.t1059
 falsepositives:
- - A new cloudshell may be created by a system administrator. 
- 
+ - A new cloudshell may be created by a system administrator.
diff --git a/src/main/resources/rules/azure/azure_owner_removed_from_application_or_service_principal.yml b/src/main/resources/rules/azure/azure_owner_removed_from_application_or_service_principal.yml
index 57b3f464f..d32b447cf 100644
--- a/src/main/resources/rules/azure/azure_owner_removed_from_application_or_service_principal.yml
+++ b/src/main/resources/rules/azure/azure_owner_removed_from_application_or_service_principal.yml
@@ -11,7 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - Remove owner from service principal
             - Remove owner from application
     condition: selection
@@ -19,6 +19,6 @@ level: medium
 tags:
     - attack.defense_evasion
 falsepositives:
- - Owner being removed may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Owner being removed may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_service_principal_created.yml b/src/main/resources/rules/azure/azure_service_principal_created.yml
index 28d351a04..46a14b711 100644
--- a/src/main/resources/rules/azure/azure_service_principal_created.yml
+++ b/src/main/resources/rules/azure/azure_service_principal_created.yml
@@ -17,6 +17,6 @@ level: medium
 tags:
     - attack.defense_evasion
 falsepositives:
- - Service principal being created may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Service principal being created may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_service_principal_removed.yml b/src/main/resources/rules/azure/azure_service_principal_removed.yml
index fbda2c690..43328012b 100644
--- a/src/main/resources/rules/azure/azure_service_principal_removed.yml
+++ b/src/main/resources/rules/azure/azure_service_principal_removed.yml
@@ -17,6 +17,6 @@ level: medium
 tags:
     - attack.defense_evasion
 falsepositives:
- - Service principal being removed may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Service principal being removed may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_unusual_authentication_interruption.yml b/src/main/resources/rules/azure/azure_unusual_authentication_interruption.yml
index f71db67b8..18691dfd3 100644
--- a/src/main/resources/rules/azure/azure_unusual_authentication_interruption.yml
+++ b/src/main/resources/rules/azure/azure_unusual_authentication_interruption.yml
@@ -2,7 +2,7 @@ title: Azure Unusual Authentication Interruption
 id: 8366030e-7216-476b-9927-271d79f13cf3
 status: experimental
 author: Austin Songer @austinsonger
-date: 2021/11/26  
+date: 2021/11/26
 description: Detects when there is a interruption in the authentication process.
 references:
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
@@ -19,7 +19,7 @@ detection:
     selection3:
           ResultType: 50158
           ResultDescription: 'ExternalSecurityChallenge - External security challenge was not satisfied'
-    condition: selection1 or selection2 or selection3 
+    condition: selection1 or selection2 or selection3
 level: medium
 falsepositives:
   - Unknown
diff --git a/src/main/resources/rules/azure/azure_user_login_blocked_by_conditional_access.yml b/src/main/resources/rules/azure/azure_user_login_blocked_by_conditional_access.yml
index 4b2b0bec9..5c087a6ee 100644
--- a/src/main/resources/rules/azure/azure_user_login_blocked_by_conditional_access.yml
+++ b/src/main/resources/rules/azure/azure_user_login_blocked_by_conditional_access.yml
@@ -2,7 +2,7 @@ title: User Access Blocked by Azure Conditional Access
 id: 9a60e676-26ac-44c3-814b-0c2a8b977adf
 status: experimental
 author: AlertIQ
-date: 2021/10/10  
+date: 2021/10/10
 description: Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.
 references:
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
@@ -12,7 +12,7 @@ logsource:
 detection:
   selection:
     ResultType: 53003
-  condition: selection 
+  condition: selection
 level: medium
 falsepositives:
   - Unknown
diff --git a/src/main/resources/rules/azure/azure_virtual_network_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_virtual_network_modified_or_deleted.yml
index 40a1604f6..6b25808c8 100644
--- a/src/main/resources/rules/azure/azure_virtual_network_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_virtual_network_modified_or_deleted.yml
@@ -22,5 +22,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/azure/azure_vpn_connection_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_vpn_connection_modified_or_deleted.yml
index e7cc2e36b..58d96b14e 100644
--- a/src/main/resources/rules/azure/azure_vpn_connection_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_vpn_connection_modified_or_deleted.yml
@@ -19,5 +19,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/cloudtrail/aws_attached_malicious_lambda_layer.yml b/src/main/resources/rules/cloudtrail/aws_attached_malicious_lambda_layer.yml
index 83a17e8da..298585fae 100644
--- a/src/main/resources/rules/cloudtrail/aws_attached_malicious_lambda_layer.yml
+++ b/src/main/resources/rules/cloudtrail/aws_attached_malicious_lambda_layer.yml
@@ -18,5 +18,5 @@ level: medium
 tags:
     - attack.privilege_escalation
 falsepositives:
- - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/cloudtrail/aws_create_load_balancer_layer.yml b/src/main/resources/rules/cloudtrail/aws_create_load_balancer_layer.yml
index 5689743c9..037c1d866 100644
--- a/src/main/resources/rules/cloudtrail/aws_create_load_balancer_layer.yml
+++ b/src/main/resources/rules/cloudtrail/aws_create_load_balancer_layer.yml
@@ -19,4 +19,4 @@ tags:
   - attack.privilege_escalation
 falsepositives:
   - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
-  - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
\ No newline at end of file
+  - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/cloudtrail/aws_ec2_download_userdata.yml b/src/main/resources/rules/cloudtrail/aws_ec2_download_userdata.yml
index 22711310e..af4e5f631 100644
--- a/src/main/resources/rules/cloudtrail/aws_ec2_download_userdata.yml
+++ b/src/main/resources/rules/cloudtrail/aws_ec2_download_userdata.yml
@@ -21,5 +21,5 @@ falsepositives:
     - Assets management software like device42
 level: medium
 tags:
-    - attack.exfiltration 
+    - attack.exfiltration
     - attack.t1020
diff --git a/src/main/resources/rules/cloudtrail/aws_ec2_vm_export_failure.yml b/src/main/resources/rules/cloudtrail/aws_ec2_vm_export_failure.yml
index 57c2fa5c2..973cf9dc5 100644
--- a/src/main/resources/rules/cloudtrail/aws_ec2_vm_export_failure.yml
+++ b/src/main/resources/rules/cloudtrail/aws_ec2_vm_export_failure.yml
@@ -1,17 +1,17 @@
 title: AWS EC2 VM Export Failure
 id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
 status: experimental
-description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.     
+description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
 author: Diogo Braz
 date: 2020/04/16
 modified: 2021/08/20
-references: 
+references:
   - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
 logsource:
   product: aws
   service: cloudtrail
 detection:
-  selection:           
+  selection:
     eventName: 'CreateInstanceExportTask'
     eventSource: 'ec2.amazonaws.com'
   filter1:
@@ -23,8 +23,7 @@ detection:
   condition: selection and (filter1 or filter2 or filter3)
 level: low
 tags:
-- attack.collection    
-- attack.t1005      
+- attack.collection
+- attack.t1005
 - attack.exfiltration
 - attack.t1537
-
diff --git a/src/main/resources/rules/cloudtrail/aws_eks_cluster_created_or_deleted.yml b/src/main/resources/rules/cloudtrail/aws_eks_cluster_created_or_deleted.yml
index 65d3a3bac..49b53b0a6 100644
--- a/src/main/resources/rules/cloudtrail/aws_eks_cluster_created_or_deleted.yml
+++ b/src/main/resources/rules/cloudtrail/aws_eks_cluster_created_or_deleted.yml
@@ -12,7 +12,7 @@ logsource:
 detection:
     selection:
         eventSource: eks.amazonaws.com
-        eventName: 
+        eventName:
             - CreateCluster
             - DeleteCluster
     condition: selection
@@ -21,6 +21,6 @@ tags:
     - attack.impact
     - attack.t1485
 falsepositives:
- - EKS Cluster being created or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - EKS Cluster being created or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_created.yml b/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_created.yml
index ed485043d..51ec4468c 100644
--- a/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_created.yml
+++ b/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_created.yml
@@ -1,6 +1,6 @@
 title: AWS ElastiCache Security Group Created
-id: 4ae68615-866f-4304-b24b-ba048dfa5ca7 
-description: Detects when an ElastiCache security group has been created. 
+id: 4ae68615-866f-4304-b24b-ba048dfa5ca7
+description: Detects when an ElastiCache security group has been created.
 author: Austin Songer @austinsonger
 status: experimental
 date: 2021/07/24
@@ -22,5 +22,3 @@ tags:
     - attack.t1136.003
 falsepositives:
 - A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
-
-
diff --git a/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml b/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml
index fc7daf4a1..0ee02e0f6 100644
--- a/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml
+++ b/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
     selection:
         eventSource: elasticache.amazonaws.com
-        eventName: 
+        eventName:
             - 'DeleteCacheSecurityGroup'
             - 'AuthorizeCacheSecurityGroupIngress'
             - 'RevokeCacheSecurityGroupIngress'
@@ -26,5 +26,3 @@ tags:
     - attack.t1531
 falsepositives:
 - A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
-
-
diff --git a/src/main/resources/rules/cloudtrail/aws_enum_listing.yml b/src/main/resources/rules/cloudtrail/aws_enum_listing.yml
index 846144376..19143dc65 100644
--- a/src/main/resources/rules/cloudtrail/aws_enum_listing.yml
+++ b/src/main/resources/rules/cloudtrail/aws_enum_listing.yml
@@ -1,7 +1,7 @@
 title: Account Enumeration on AWS
-id: e9c14b23-47e2-4a8b-8a63-d36618e33d70 
+id: e9c14b23-47e2-4a8b-8a63-d36618e33d70
 status: experimental
-description: Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time.  
+description: Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time.
 author: toffeebr33k
 date: 2020/11/21
 modified: 2021/08/09
diff --git a/src/main/resources/rules/cloudtrail/aws_lambda_function_created_or_invoked.yml b/src/main/resources/rules/cloudtrail/aws_lambda_function_created_or_invoked.yml
index c313afe95..1e680658a 100644
--- a/src/main/resources/rules/cloudtrail/aws_lambda_function_created_or_invoked.yml
+++ b/src/main/resources/rules/cloudtrail/aws_lambda_function_created_or_invoked.yml
@@ -23,5 +23,5 @@ tags:
     - attack.privilege_escalation
     - attack.t1078
 falsepositives:
-    - Lambda Function created or invoked may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+    - Lambda Function created or invoked may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
     - If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml b/src/main/resources/rules/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml
index 953d3066e..c8d356615 100644
--- a/src/main/resources/rules/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml
+++ b/src/main/resources/rules/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml
@@ -26,5 +26,5 @@ level: low
 tags:
     - attack.privilege_escalation
 falsepositives:
-    - Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+    - Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
     - If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml b/src/main/resources/rules/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml
index fa9b5171c..9e6219023 100644
--- a/src/main/resources/rules/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml
+++ b/src/main/resources/rules/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml
@@ -1,6 +1,6 @@
 title: AWS Route 53 Domain Transfer Lock Disabled
 id: 3940b5f1-3f46-44aa-b746-ebe615b879e0
-description: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. 
+description: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
 author: Elastic, Austin Songer @austinsonger
 status: experimental
 date: 2021/07/22
@@ -23,4 +23,3 @@ tags:
     - attack.t1098
 falsepositives:
 - A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
-
diff --git a/src/main/resources/rules/cloudtrail/aws_susp_saml_activity.yml b/src/main/resources/rules/cloudtrail/aws_susp_saml_activity.yml
index d6caa4835..08eabe4ce 100644
--- a/src/main/resources/rules/cloudtrail/aws_susp_saml_activity.yml
+++ b/src/main/resources/rules/cloudtrail/aws_susp_saml_activity.yml
@@ -1,4 +1,4 @@
-title: AWS Suspicious SAML Activity 
+title: AWS Suspicious SAML Activity
 id: f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e
 description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
 author: Austin Songer
@@ -29,5 +29,5 @@ tags:
     - attack.t1550.001
 falsepositives:
  - Automated processes that uses Terraform may lead to false positives.
- - SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/cloudtrail/aws_update_login_profile.yml b/src/main/resources/rules/cloudtrail/aws_update_login_profile.yml
index 093dbd905..acaebd91d 100644
--- a/src/main/resources/rules/cloudtrail/aws_update_login_profile.yml
+++ b/src/main/resources/rules/cloudtrail/aws_update_login_profile.yml
@@ -1,7 +1,7 @@
 title: AWS User Login Profile Was Modified
-id: 055fb148-60f8-462d-ad16-26926ce050f1 
+id: 055fb148-60f8-462d-ad16-26926ce050f1
 status: experimental
-description: | 
+description: |
  An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
  With this alert, it is used to detect anyone is changing password on behalf of other users.
 author: toffeebr33k
@@ -24,7 +24,7 @@ fields:
     - errorCode
     - errorMessage
 falsepositives:
-    - Legit User Account Administration 
+    - Legit User Account Administration
 level: high
 tags:
     - attack.persistence
diff --git a/src/main/resources/rules/dns/net_dns_external_service_interaction_domains.yml b/src/main/resources/rules/dns/net_dns_external_service_interaction_domains.yml
index 492fe39de..6a19e392e 100644
--- a/src/main/resources/rules/dns/net_dns_external_service_interaction_domains.yml
+++ b/src/main/resources/rules/dns/net_dns_external_service_interaction_domains.yml
@@ -32,4 +32,3 @@ tags:
     - attack.reconnaissance
     - attack.t1595.002
 level: high
-
diff --git a/src/main/resources/rules/dns/net_dns_high_bytes_out.yml b/src/main/resources/rules/dns/net_dns_high_bytes_out.yml
index 8ac851b89..4b0a9d2a2 100644
--- a/src/main/resources/rules/dns/net_dns_high_bytes_out.yml
+++ b/src/main/resources/rules/dns/net_dns_high_bytes_out.yml
@@ -17,4 +17,4 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate high DNS bytes out rate to domain name which should be added to whitelist
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/dns/net_dns_high_requests_rate.yml b/src/main/resources/rules/dns/net_dns_high_requests_rate.yml
index 87b45eb1d..1c6a2fe86 100644
--- a/src/main/resources/rules/dns/net_dns_high_requests_rate.yml
+++ b/src/main/resources/rules/dns/net_dns_high_requests_rate.yml
@@ -19,4 +19,4 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate high DNS requests rate to domain name which should be added to whitelist
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/dns/net_dns_mal_cobaltstrike.yml b/src/main/resources/rules/dns/net_dns_mal_cobaltstrike.yml
index a7c46dd46..64fb1ff74 100644
--- a/src/main/resources/rules/dns/net_dns_mal_cobaltstrike.yml
+++ b/src/main/resources/rules/dns/net_dns_mal_cobaltstrike.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
     selection1:
         query|startswith:
-            - 'aaa.stage.' 
+            - 'aaa.stage.'
             - 'post.1'
     selection2:
         query|contains: '.stage.123456.'
diff --git a/src/main/resources/rules/dns/net_dns_susp_telegram_api.yml b/src/main/resources/rules/dns/net_dns_susp_telegram_api.yml
index b37de31a3..5066a1b2e 100644
--- a/src/main/resources/rules/dns/net_dns_susp_telegram_api.yml
+++ b/src/main/resources/rules/dns/net_dns_susp_telegram_api.yml
@@ -21,4 +21,4 @@ falsepositives:
 level: medium
 tags:
     - attack.command_and_control
-    - attack.t1102.002
\ No newline at end of file
+    - attack.t1102.002
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_audio_capture.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_audio_capture.yml
index cfb085506..0692945f6 100644
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_audio_capture.yml
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_audio_capture.yml
@@ -1,7 +1,7 @@
 title: Audio Capture
 id: a7af2487-9c2f-42e4-9bb9-ff961f0561d5
 description: Detects attempts to record audio with arecord utility
-    #the actual binary that arecord is using and that has to be monitored is /usr/bin/aplay 
+    #the actual binary that arecord is using and that has to be monitored is /usr/bin/aplay
 author: 'Pawel Mazur'
 status: experimental
 date: 2021/09/04
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
index e1305b103..2ee302365 100644
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
@@ -26,4 +26,4 @@ tags:
    - attack.t1548
 falsepositives:
    - Unknown
-level: low
\ No newline at end of file
+level: low
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_collection.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_collection.yml
index ca7009ca1..b973b0bb2 100644
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_collection.yml
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_collection.yml
@@ -15,10 +15,10 @@ detection:
     selection:
         type: EXECVE
         a0: xclip
-        a1: 
+        a1:
             - '-selection'
             - '-sel'
-        a2: 
+        a2:
             - clipboard
             - clip
         a3: '-o'
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml
index 9e3b3dce2..fb68c7a65 100644
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml
@@ -4,10 +4,10 @@ description: Detects attempts to collect image data stored in the clipboard from
 author: 'Pawel Mazur'
 status: experimental
 date: 2021/10/01
-references: 
+references:
    - https://attack.mitre.org/techniques/T1115/
    - https://linux.die.net/man/1/xclip
-logsource: 
+logsource:
    product: linux
    service: auditd
 detection:
@@ -17,7 +17,7 @@ detection:
        a1:
          - '-selection'
          - '-sel'
-       a2: 
+       a2:
          - clipboard
          - clip
        a3: '-t'
@@ -29,4 +29,4 @@ tags:
    - attack.t1115
 falsepositives:
    - Legitimate usage of xclip tools
-level: low 
+level: low
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_coinminer.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_coinminer.yml
index 21c65eff0..5a7ec1d7a 100644
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_coinminer.yml
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_coinminer.yml
@@ -30,4 +30,4 @@ detection:
     condition: 1 of cmd*
 falsepositives:
     - Other tools that use a --cpu-priority flag
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
index 026b64af7..d8a6328fa 100644
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
@@ -39,4 +39,4 @@ detection:
     condition: selection and (cmd1 or cmd2 or cmd3 or cmd4) and (cmd5 or cmd6 or cmd7 or cmd8)
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
index eebe66655..64268f9b0 100644
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
@@ -26,4 +26,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
index 1c3b6cbab..df50b8d15 100644
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
@@ -17,7 +17,7 @@ detection:
         proctitle: '(null)'
     syscall:
        type: SYSCALL
-       comm: pkexec 
+       comm: pkexec
        exe: '/usr/bin/pkexec'
     condition: proctitle and syscall
 tags:
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
index 70a8dec73..77190c768 100644
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
@@ -22,4 +22,4 @@ tags:
    - attack.t1048.003
 falsepositives:
    - Legitimate usage of wget utility to post a file
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_dd_delete_file.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_dd_delete_file.yml
index 2ef02aebc..ef36926e6 100644
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_dd_delete_file.yml
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_dd_delete_file.yml
@@ -12,10 +12,10 @@ logsource:
 detection:
     selection:
         type: 'EXECVE'
-        a0|contains: 'dd'   
+        a0|contains: 'dd'
         a1|contains:
-            - 'if=/dev/null'    
-            - 'if=/dev/zero'    
+            - 'if=/dev/null'
+            - 'if=/dev/zero'
     condition: selection
 falsepositives:
     - Appending null bytes to files.
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml
index 11bdc3477..30428aa01 100644
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml
@@ -14,7 +14,7 @@ logsource:
 detection:
   selection:
     type: 'SERVICE_STOP'
-    unit: 
+    unit:
          - 'firewalld'
          - 'iptables'
          - 'ufw'
@@ -24,4 +24,4 @@ falsepositives:
 level: high
 tags:
   - attack.t1562.004
-  - attack.defense_evasion
\ No newline at end of file
+  - attack.defense_evasion
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml
index 0af760ef4..4cd280f36 100644
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml
@@ -1,7 +1,7 @@
 title: Linux Keylogging with Pam.d
 id: 49aae26c-450e-448b-911d-b3c13d178dfc
 description: Detect attempt to enable auditing of TTY input
-    # -w /etc/pam.d/ -p wa -k pam - this rule will help you detect changes to the pam.d files-  https://github.com/Neo23x0/auditd/blob/master/audit.rules 
+    # -w /etc/pam.d/ -p wa -k pam - this rule will help you detect changes to the pam.d files-  https://github.com/Neo23x0/auditd/blob/master/audit.rules
     # - the TTY events detection asumes that you do not expect them in your environment or add filtering on those users that you configured it for
 author: 'Pawel Mazur'
 status: experimental
@@ -18,7 +18,7 @@ logsource:
 detection:
    path_events:
        type: PATH
-       name: 
+       name:
        - '/etc/pam.d/system-auth'
        - '/etc/pam.d/password-auth'
    tty_events:
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml
index 4d3c28203..e017b7d48 100644
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml
@@ -22,16 +22,16 @@ detection:
           - '/etc/security/pwquality.conf'
           - '/etc/pam.d/system-auth'
           - '/etc/login.defs'
-    chage: 
+    chage:
       type: 'EXECVE'
       a0: 'chage'
-      a1: 
+      a1:
          - '--list'
          - '-l'
     passwd:
       type: 'EXECVE'
       a0: 'passwd'
-      a1: 
+      a1:
          - '-S'
          - '--status'
     condition: files or chage or passwd
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_screencapture_import.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_screencapture_import.yml
index e411de683..4b9b6c736 100644
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_screencapture_import.yml
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_screencapture_import.yml
@@ -34,4 +34,4 @@ tags:
    - attack.t1113
 falsepositives:
    - Legitimate use of screenshot utility
-level: low
\ No newline at end of file
+level: low
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
index cd596493c..9dcd4df23 100644
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
@@ -17,7 +17,7 @@ logsource:
    product: linux
    service: auditd
 detection:
-   selection: 
+   selection:
        type: EXECVE
        a0: steghide
        a1: extract
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
index 23c6037bd..b1cf17ce9 100644
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
@@ -16,7 +16,7 @@ detection:
     exe|startswith:
             # Temporary folder
       - '/tmp/'
-            # Web server 
+            # Web server
       - '/var/www/'                    # Standard
       - '/home/*/public_html/'         # Per-user
       - '/usr/local/apache2/'          # Classical Apache
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_web_rce.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_web_rce.yml
index 69a36bdc0..f9402ce14 100644
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_web_rce.yml
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_web_rce.yml
@@ -22,4 +22,4 @@ falsepositives:
 level: critical
 tags:
     - attack.persistence
-    - attack.t1505.003
\ No newline at end of file
+    - attack.t1505.003
diff --git a/src/main/resources/rules/linux/builtin/lnx_buffer_overflows.yml b/src/main/resources/rules/linux/builtin/lnx_buffer_overflows.yml
index 747191af7..1449076e1 100644
--- a/src/main/resources/rules/linux/builtin/lnx_buffer_overflows.yml
+++ b/src/main/resources/rules/linux/builtin/lnx_buffer_overflows.yml
@@ -20,4 +20,4 @@ falsepositives:
 level: high
 tags:
     - attack.t1068
-    - attack.privilege_escalation
\ No newline at end of file
+    - attack.privilege_escalation
diff --git a/src/main/resources/rules/linux/builtin/lnx_crontab_file_modification.yml b/src/main/resources/rules/linux/builtin/lnx_crontab_file_modification.yml
index df1dd7e53..dc5bde7ba 100644
--- a/src/main/resources/rules/linux/builtin/lnx_crontab_file_modification.yml
+++ b/src/main/resources/rules/linux/builtin/lnx_crontab_file_modification.yml
@@ -11,7 +11,7 @@ logsource:
     product: linux
     service: cron
 detection:
-    keywords: 
+    keywords:
         - 'REPLACE'
     condition: keywords
 falsepositives:
diff --git a/src/main/resources/rules/linux/builtin/lnx_ldso_preload_injection.yml b/src/main/resources/rules/linux/builtin/lnx_ldso_preload_injection.yml
index 2ddcb6d07..d4f3ef753 100644
--- a/src/main/resources/rules/linux/builtin/lnx_ldso_preload_injection.yml
+++ b/src/main/resources/rules/linux/builtin/lnx_ldso_preload_injection.yml
@@ -18,4 +18,4 @@ level: high
 tags:
     - attack.persistence
     - attack.privilege_escalation
-    - attack.t1574.006
\ No newline at end of file
+    - attack.t1574.006
diff --git a/src/main/resources/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml b/src/main/resources/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml
index 40b276bff..2a921b04a 100644
--- a/src/main/resources/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml
+++ b/src/main/resources/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml
@@ -20,4 +20,4 @@ falsepositives:
 level: high
 tags:
   - attack.privilege_escalation
-  - attack.t1068
\ No newline at end of file
+  - attack.t1068
diff --git a/src/main/resources/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml b/src/main/resources/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml
index defe1cce7..d6f1d9351 100644
--- a/src/main/resources/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml
+++ b/src/main/resources/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml
@@ -4,20 +4,20 @@ status: experimental
 description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
 author: Sreeman
 date: 2022/01/26
-references: 
+references:
   - https://twitter.com/wdormann/status/1486161836961579020
-logsource: 
+logsource:
   product: linux
   service: auth
-detection: 
-  keyword: 
+detection:
+  keyword:
     - 'pkexec'
     - 'The value for environment variable XAUTHORITY contains suscipious content'
     - '[USER=root] [TTY=/dev/pts/0]'
   condition: all of keyword
-falsepositives: 
+falsepositives:
   - Unknown
 level: high
-tags: 
+tags:
   - attack.privilege_escalation
-  - attack.t1548.001
\ No newline at end of file
+  - attack.t1548.001
diff --git a/src/main/resources/rules/linux/builtin/lnx_shellshock.yml b/src/main/resources/rules/linux/builtin/lnx_shellshock.yml
index dd7cbc8c6..13ed22033 100644
--- a/src/main/resources/rules/linux/builtin/lnx_shellshock.yml
+++ b/src/main/resources/rules/linux/builtin/lnx_shellshock.yml
@@ -10,7 +10,7 @@ references:
 logsource:
     product: linux
 detection:
-    keywords: 
+    keywords:
         - '(){:;};'
         - '() {:;};'
         - '() { :;};'
@@ -21,4 +21,4 @@ falsepositives:
 level: high
 tags:
     - attack.persistence
-    - attack.t1505.003 
\ No newline at end of file
+    - attack.t1505.003
diff --git a/src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml b/src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
index b059c59d0..bc4c3da22 100644
--- a/src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
+++ b/src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
@@ -22,4 +22,4 @@ detection:
     condition: selection_keywords
 falsepositives:
     - Unlikely
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml b/src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml
index 160c8094b..d95240e1b 100644
--- a/src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml
+++ b/src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml
@@ -28,4 +28,4 @@ detection:
     condition: selection_user
 falsepositives:
     - Unlikely
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/linux/file_create/file_create_lnx_cron_files.yml b/src/main/resources/rules/linux/file_create/file_create_lnx_cron_files.yml
index 4f0a15f8c..03ac93263 100644
--- a/src/main/resources/rules/linux/file_create/file_create_lnx_cron_files.yml
+++ b/src/main/resources/rules/linux/file_create/file_create_lnx_cron_files.yml
@@ -21,7 +21,7 @@ detection:
          - '/etc/cron.monthly/'
          - '/etc/cron.weekly/'
          - '/var/spool/cron/crontabs/'
-   selection2:   
+   selection2:
       TargetFilename|contains:
          - '/etc/cron.allow'
          - '/etc/cron.deny'
@@ -30,4 +30,3 @@ detection:
 falsepositives:
    - Any legitimate cron file.
 level: medium
-            
\ No newline at end of file
diff --git a/src/main/resources/rules/linux/modsecurity/modsec_mulitple_blocks.yml b/src/main/resources/rules/linux/modsecurity/modsec_mulitple_blocks.yml
index 0280e9ba9..b086a3a68 100644
--- a/src/main/resources/rules/linux/modsecurity/modsec_mulitple_blocks.yml
+++ b/src/main/resources/rules/linux/modsecurity/modsec_mulitple_blocks.yml
@@ -20,4 +20,4 @@ falsepositives:
 level: medium
 tags:
     - attack.impact
-    - attack.t1499 
\ No newline at end of file
+    - attack.t1499
diff --git a/src/main/resources/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml b/src/main/resources/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml
index 63a2ffd49..cda154205 100644
--- a/src/main/resources/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml
+++ b/src/main/resources/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml
@@ -13,11 +13,10 @@ detection:
    selection:
       Image|endswith: '/bin/bash'
    filter:
-      DestinationIp: 
+      DestinationIp:
          - '127.0.0.1'
          - '0.0.0.0'
    condition: selection and not filter
 falsepositives:
    - Unknown
 level: critical
-
diff --git a/src/main/resources/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml b/src/main/resources/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml
index 3ae3b1a7a..33aff0f73 100644
--- a/src/main/resources/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml
+++ b/src/main/resources/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml
@@ -11,7 +11,7 @@ logsource:
     category: network_connection
 detection:
     selection:
-        DestinationHostname: 
+        DestinationHostname:
             - 'pool.minexmr.com'
             - 'fr.minexmr.com'
             - 'de.minexmr.com'
diff --git a/src/main/resources/rules/linux/other/lnx_clamav.yml b/src/main/resources/rules/linux/other/lnx_clamav.yml
index 852d2deeb..a4f6cec6e 100644
--- a/src/main/resources/rules/linux/other/lnx_clamav.yml
+++ b/src/main/resources/rules/linux/other/lnx_clamav.yml
@@ -22,4 +22,4 @@ falsepositives:
 level: high
 tags:
     - attack.resource_development
-    - attack.t1588.001
\ No newline at end of file
+    - attack.t1588.001
diff --git a/src/main/resources/rules/linux/other/lnx_security_tools_disabling_syslog.yml b/src/main/resources/rules/linux/other/lnx_security_tools_disabling_syslog.yml
index 096cbe2e9..096ab0368 100644
--- a/src/main/resources/rules/linux/other/lnx_security_tools_disabling_syslog.yml
+++ b/src/main/resources/rules/linux/other/lnx_security_tools_disabling_syslog.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: linux
     service: syslog
-detection: 
+detection:
     keywords:
         - '*stopping iptables*'
         - '*stopping ip6tables*'
@@ -26,4 +26,4 @@ detection:
     condition: keywords
 falsepositives:
     - Legitimate administration activities
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml
index e9c822de9..83e0dda21 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml
@@ -11,7 +11,7 @@ logsource:
   product: linux
 detection:
   selection:
-    Image|endswith: 
+    Image|endswith:
       - '/cat'
       - 'grep'
     CommandLine|contains: ' /etc/sudoers'
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml
index 44c782049..d826716e2 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml
@@ -25,4 +25,4 @@ detection:
    condition: selection
 falsepositives:
    - Log rotation.
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml
index f46c302f5..d585fc36c 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml
@@ -28,4 +28,4 @@ detection:
     condition: selection1 and selection2 and selection3 and selection4
 falsepositives:
    - Legitimate usage of xclip tools.
-level: low
\ No newline at end of file
+level: low
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml
index cc4e2eb28..6662c9e40 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml
@@ -25,7 +25,7 @@ detection:
         - 'LS1kb25hdGUtbGV2ZWw9'
         - '0tZG9uYXRlLWxldmVsP'
         - 'tLWRvbmF0ZS1sZXZlbD'
-        # base64 encoded: stratum+tcp:// and stratum+udp:// 
+        # base64 encoded: stratum+tcp:// and stratum+udp://
         - 'c3RyYXR1bSt0Y3A6Ly'
         - 'N0cmF0dW0rdGNwOi8v'
         - 'zdHJhdHVtK3RjcDovL'
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml
index ee132e94c..f6eb7104a 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml
@@ -17,7 +17,7 @@ detection:
       Image:
          - '/bin/dd'
          - '/usr/bin/dd'
-   selection2:   
+   selection2:
       CommandLine|contains: 'of='
    selection3:
       CommandLine|contains:
@@ -26,4 +26,4 @@ detection:
    condition: selection1 and selection2 and selection3
 falsepositives:
    - Any user deleting files that way.
-level: low
\ No newline at end of file
+level: low
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml
index 435b641c6..dff9dc956 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml
@@ -28,4 +28,4 @@ detection:
   condition: (netcat and not netcat_listen_flag) or network_scanning_tools
 falsepositives:
   - Legitimate administration activities
-level: low
\ No newline at end of file
+level: low
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml
index 5288f13df..90ed0cf16 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml
@@ -27,4 +27,4 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate use of SCX RunAsProvider ExecuteScript.
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
index 5e9c8b81b..50d18a1dd 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
@@ -27,4 +27,4 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
index 7b7fbcd02..b56b56825 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
@@ -26,4 +26,4 @@ detection:
     condition: selection_image and 1 of selection_cli*
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
index 0455235a2..b82d1f331 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
@@ -80,4 +80,4 @@ detection:
     condition: 1 of selection*
 falsepositives:
     - Legitimate administration activities
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
index 3727dee7e..a9dc1f6ff 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
@@ -13,7 +13,7 @@ detection:
   selection:
     Image|endswith: '/rm'
   selection_history:
-    - CommandLine|contains: 
+    - CommandLine|contains:
       - '/.bash_history'
       - '/.zsh_history'
     - CommandLine|endswith: '_history'
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml
index 93b722ac9..a91de0a28 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml
@@ -13,7 +13,7 @@ detection:
   selection:
     Image|endswith: '/cat'
   selection_history:
-    - CommandLine|contains: 
+    - CommandLine|contains:
       - '/.bash_history'
       - '/.zsh_history'
     - CommandLine|endswith: '_history'
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
index 5401c761c..6009d43ce 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
@@ -18,7 +18,7 @@ detection:
         - 'base64'
         - 'pty.spawn'
    anomaly2:
-      Image|endswith: 
+      Image|endswith:
          - 'whoami'
          - 'iptables'
          - '/ncat'
@@ -28,4 +28,3 @@ detection:
 falsepositives:
    - Legitimate software that uses these patterns
 level: medium
-
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml
index 1ae661068..e89e239d6 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml
@@ -26,4 +26,3 @@ detection:
 falsepositives:
    - Legitimate software that uses these patterns
 level: medium
-
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml
index b5c14e47b..190477e5a 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml
@@ -11,7 +11,7 @@ logsource:
   product: linux
 detection:
   selection:
-    CommandLine|contains: 
+    CommandLine|contains:
       - ' -name .htpasswd'
       - ' -perm -4000 '
   condition: selection
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
index 7a1fac49c..2d6feee4a 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
@@ -40,4 +40,3 @@ detection:
 falsepositives:
    - Web applications that invoke Linux command line tools
 level: high
-
diff --git a/src/main/resources/rules/network/firewall/net_firewall_high_dns_bytes_out.yml b/src/main/resources/rules/network/firewall/net_firewall_high_dns_bytes_out.yml
index 4bb365c61..aa45e6691 100644
--- a/src/main/resources/rules/network/firewall/net_firewall_high_dns_bytes_out.yml
+++ b/src/main/resources/rules/network/firewall/net_firewall_high_dns_bytes_out.yml
@@ -17,4 +17,4 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate high DNS bytes out rate to domain name which should be added to whitelist
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/network/firewall/net_firewall_high_dns_requests_rate.yml b/src/main/resources/rules/network/firewall/net_firewall_high_dns_requests_rate.yml
index 17177fb63..da2188e8c 100644
--- a/src/main/resources/rules/network/firewall/net_firewall_high_dns_requests_rate.yml
+++ b/src/main/resources/rules/network/firewall/net_firewall_high_dns_requests_rate.yml
@@ -13,10 +13,10 @@ tags:
 logsource:
     category: firewall
 detection:
-    selection:    
+    selection:
         dst_port: 53
     timeframe: 1m
     condition: selection
 falsepositives:
     - Legitimate high DNS requests rate to domain name which should be added to whitelist
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml b/src/main/resources/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml
index 4b290d67c..bd4e97784 100644
--- a/src/main/resources/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml
+++ b/src/main/resources/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml
@@ -22,4 +22,4 @@ level: medium
 fields:
     - src_ip
     - dst_ip
-    - dst_port
\ No newline at end of file
+    - dst_port
diff --git a/src/main/resources/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml b/src/main/resources/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
index a70acd1c1..9972480a8 100644
--- a/src/main/resources/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
+++ b/src/main/resources/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
@@ -19,7 +19,7 @@ detection:
         operation:
             #- LsarEnumerateTrustedDomains #potentially too many FPs, removing. caused by netlogon
             #- SamrEnumerateDomainsInSamServer #potentially too many FPs, removing. #method obtains a listing of all domains hosted by the server side of this protocol. This value is a cookie that the server can use to continue an enumeration on a subsequent call
-            - LsarLookupNames3 #method translates a batch of security principal names to their SID form  
+            - LsarLookupNames3 #method translates a batch of security principal names to their SID form
             - LsarLookupSids3 #translates a batch of security principal SIDs to their name forms
             - SamrGetGroupsForUser #obtains a listing of groups that a user is a member of
             - SamrLookupIdsInDomain #method translates a set of RIDs into account names
@@ -32,4 +32,4 @@ falsepositives:
     - Devices that may do authentication like a VPN or a firewall that looksup IPs to username
     - False positives depend on scripts and administrative tools used in the monitored environment
 level: medium
-status: experimental
\ No newline at end of file
+status: experimental
diff --git a/src/main/resources/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/src/main/resources/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
index fe577fcd9..489e3932c 100644
--- a/src/main/resources/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
+++ b/src/main/resources/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
@@ -1,4 +1,4 @@
-title: Potential PetitPotam Attack Via EFS RPC Calls 
+title: Potential PetitPotam Attack Via EFS RPC Calls
 id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a
 description: |
     Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam.
diff --git a/src/main/resources/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml b/src/main/resources/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
index 2178cd31e..abcb28927 100644
--- a/src/main/resources/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
+++ b/src/main/resources/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
@@ -5,7 +5,7 @@ status: experimental
 author: Bhabesh Raj
 date: 2021/06/23
 modified: 2021/08/24
-references: 
+references:
   - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
 tags:
   - attack.command_and_control
diff --git a/src/main/resources/rules/network/zeek/zeek_dns_torproxy.yml b/src/main/resources/rules/network/zeek/zeek_dns_torproxy.yml
index 38a787730..a227bb586 100644
--- a/src/main/resources/rules/network/zeek/zeek_dns_torproxy.yml
+++ b/src/main/resources/rules/network/zeek/zeek_dns_torproxy.yml
@@ -7,9 +7,9 @@ references:
 date: 2021/08/15
 author: Saw Winn Naung , Azure-Sentinel
 level: medium
-logsource: 
-    service: dns  
-    product: zeek 
+logsource:
+    service: dns
+    product: zeek
 tags:
   - attack.t1048
 detection:
diff --git a/src/main/resources/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml b/src/main/resources/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml
index df467848c..f8f5fc693 100644
--- a/src/main/resources/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml
+++ b/src/main/resources/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml
@@ -20,7 +20,7 @@ tags:
 logsource:
     product: zeek
     service: http
-    definition: Enable the builtin Zeek script that logs all HTTP header names by adding "@load policy/protocols/http/header-names" to your local.zeek config file. The script can be seen here for reference https://github.com/zeek/zeek/blob/master/scripts/policy/protocols/http/header-names.zeek 
+    definition: Enable the builtin Zeek script that logs all HTTP header names by adding "@load policy/protocols/http/header-names" to your local.zeek config file. The script can be seen here for reference https://github.com/zeek/zeek/blob/master/scripts/policy/protocols/http/header-names.zeek
 detection:
     selection:
         status_code: 200
@@ -38,7 +38,7 @@ detection:
     condition: selection and not auth_header and not too_small_http_client_body
     #condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule
 falsepositives:
-    - Exploits that were attempted but unsuccessful. 
+    - Exploits that were attempted but unsuccessful.
     - Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips.
 level: high
 fields:
diff --git a/src/main/resources/rules/others_application/antivirus/av_relevant_files.yml b/src/main/resources/rules/others_application/antivirus/av_relevant_files.yml
index 0017e0124..fc2377166 100644
--- a/src/main/resources/rules/others_application/antivirus/av_relevant_files.yml
+++ b/src/main/resources/rules/others_application/antivirus/av_relevant_files.yml
@@ -75,4 +75,4 @@ falsepositives:
 level: high
 tags:
     - attack.resource_development
-    - attack.t1588
\ No newline at end of file
+    - attack.t1588
diff --git a/src/main/resources/rules/others_application/django/appframework_django_exceptions.yml b/src/main/resources/rules/others_application/django/appframework_django_exceptions.yml
index 233cc72d6..a2646738a 100644
--- a/src/main/resources/rules/others_application/django/appframework_django_exceptions.yml
+++ b/src/main/resources/rules/others_application/django/appframework_django_exceptions.yml
@@ -33,4 +33,4 @@ falsepositives:
 level: medium
 tags:
     - attack.initial_access
-    - attack.t1190
\ No newline at end of file
+    - attack.t1190
diff --git a/src/main/resources/rules/others_application/python/app_python_sql_exceptions.yml b/src/main/resources/rules/others_application/python/app_python_sql_exceptions.yml
index a070253a0..fcc646a69 100644
--- a/src/main/resources/rules/others_application/python/app_python_sql_exceptions.yml
+++ b/src/main/resources/rules/others_application/python/app_python_sql_exceptions.yml
@@ -22,4 +22,4 @@ falsepositives:
 level: medium
 tags:
     - attack.initial_access
-    - attack.t1190
\ No newline at end of file
+    - attack.t1190
diff --git a/src/main/resources/rules/others_application/ruby/appframework_ruby_on_rails_exceptions.yml b/src/main/resources/rules/others_application/ruby/appframework_ruby_on_rails_exceptions.yml
index 2a058bb7c..0c2e54770 100644
--- a/src/main/resources/rules/others_application/ruby/appframework_ruby_on_rails_exceptions.yml
+++ b/src/main/resources/rules/others_application/ruby/appframework_ruby_on_rails_exceptions.yml
@@ -26,4 +26,4 @@ falsepositives:
 level: medium
 tags:
     - attack.initial_access
-    - attack.t1190
\ No newline at end of file
+    - attack.t1190
diff --git a/src/main/resources/rules/others_application/spring/appframework_spring_exceptions.yml b/src/main/resources/rules/others_application/spring/appframework_spring_exceptions.yml
index fe97e056c..c3fe5e068 100644
--- a/src/main/resources/rules/others_application/spring/appframework_spring_exceptions.yml
+++ b/src/main/resources/rules/others_application/spring/appframework_spring_exceptions.yml
@@ -25,4 +25,4 @@ falsepositives:
 level: medium
 tags:
     - attack.initial_access
-    - attack.t1190
\ No newline at end of file
+    - attack.t1190
diff --git a/src/main/resources/rules/others_cloud/azure/azure_aadhybridhealth_adfs_new_server.yml b/src/main/resources/rules/others_cloud/azure/azure_aadhybridhealth_adfs_new_server.yml
index 8088ce3d7..7ea030282 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_aadhybridhealth_adfs_new_server.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_aadhybridhealth_adfs_new_server.yml
@@ -24,4 +24,4 @@ detection:
   condition: selection
 falsepositives:
   - Legitimate AD FS servers added to an AAD Health AD FS service instance
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/others_cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml b/src/main/resources/rules/others_cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml
index 6fc97a25f..9d1966ce1 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml
@@ -24,4 +24,4 @@ detection:
   condition: selection
 falsepositives:
   - Legitimate AAD Health AD FS service instances being deleted in a tenant
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/others_cloud/azure/azure_account_lockout.yml b/src/main/resources/rules/others_cloud/azure/azure_account_lockout.yml
index 4a13747c1..102f1de5c 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_account_lockout.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_account_lockout.yml
@@ -1,8 +1,8 @@
-title: Account Lockout 
+title: Account Lockout
 id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a
 status: experimental
 author: AlertIQ
-date: 2021/10/10  
+date: 2021/10/10
 description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
 references:
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
diff --git a/src/main/resources/rules/others_cloud/azure/azure_ad_user_added_to_admin_role.yml b/src/main/resources/rules/others_cloud/azure/azure_ad_user_added_to_admin_role.yml
index c85eeffd0..a6019c0af 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_ad_user_added_to_admin_role.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_ad_user_added_to_admin_role.yml
@@ -9,8 +9,8 @@ references:
 logsource:
     product: azure
     service: activitylogs
-detection: 
-   selection: 
+detection:
+   selection:
        Operation: 'Add member to role.'
        Workload: 'AzureActiveDirectory'
        ModifiedProperties.NewValue|endswith:
@@ -18,9 +18,9 @@ detection:
            - 'Administrator'
    condition: selection
 falsepositives:
-    - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled. 
+    - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled.
 level: medium
 status: experimental
-tags: 
+tags:
     - attack.persistence
     - attack.t1098.003
diff --git a/src/main/resources/rules/others_cloud/azure/azure_app_appid_uri_changes.yml b/src/main/resources/rules/others_cloud/azure/azure_app_appid_uri_changes.yml
index 1a765db8c..3b4020f58 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_app_appid_uri_changes.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_app_appid_uri_changes.yml
@@ -1,6 +1,6 @@
 title: Application AppID Uri Configuration Changes
 id: 1b45b0d1-773f-4f23-aedc-814b759563b1
-description: Detects when a configuration change is made to an applications AppID URI. 
+description: Detects when a configuration change is made to an applications AppID URI.
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022/06/02
 references:
@@ -10,7 +10,7 @@ logsource:
   service: auditlogs
 detection:
   selection:
-    properties.message: 
+    properties.message:
       - Update Application
       - Update Service principal
   condition: selection
@@ -18,7 +18,7 @@ falsepositives:
   - When and administrator is making legitmate AppID URI configuration changes to an application. This should be a planned event.
 level: high
 status: experimental
-tags: 
+tags:
   - attack.t1528
   - attack.persistence
   - attack.credential_access
diff --git a/src/main/resources/rules/others_cloud/azure/azure_app_credential_added.yml b/src/main/resources/rules/others_cloud/azure/azure_app_credential_added.yml
index 0942ad419..21f08f9e1 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_app_credential_added.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_app_credential_added.yml
@@ -1,6 +1,6 @@
 title: Added Credentials to Existing Application
 id: cbb67ecc-fb70-4467-9350-c910bdf7c628
-description: Detects when a new credential is added to an existing applcation. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.  
+description: Detects when a new credential is added to an existing applcation. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022/05/26
 references:
@@ -10,7 +10,7 @@ logsource:
   service: auditlogs
 detection:
   selection:
-    properties.message: 
+    properties.message:
       - Update Application-Certificates and secrets management
       - Update Service principal/Update Application
   condition: selection
@@ -18,6 +18,6 @@ falsepositives:
   - When credentials are added/removed as part of the normal working hours/workflows
 level: high
 status: experimental
-tags: 
+tags:
   - attack.t1098
   - attack.persistence
diff --git a/src/main/resources/rules/others_cloud/azure/azure_app_credential_modification.yml b/src/main/resources/rules/others_cloud/azure/azure_app_credential_modification.yml
index bca556a2e..5f226d2fc 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_app_credential_modification.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_app_credential_modification.yml
@@ -17,6 +17,6 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Application credential added may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Application credential added may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_app_device_code_authentication.yml b/src/main/resources/rules/others_cloud/azure/azure_app_device_code_authentication.yml
index 0854d4a5b..5301f8db6 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_app_device_code_authentication.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_app_device_code_authentication.yml
@@ -19,7 +19,7 @@ detection:
 falsepositives:
   - Applications that are input constrained will need to use device code flow and are valid authentications.
 level: medium
-tags: 
+tags:
   - attack.t1078
   - attack.defense_evasion
   - attack.persistence
diff --git a/src/main/resources/rules/others_cloud/azure/azure_app_owner_added.yml b/src/main/resources/rules/others_cloud/azure/azure_app_owner_added.yml
index de29eb8ed..54b3b92f6 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_app_owner_added.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_app_owner_added.yml
@@ -1,6 +1,6 @@
 title: Added Owner To Application
 id: 74298991-9fc4-460e-a92e-511aa60baec1
-description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application. 
+description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022/06/02
 references:
@@ -13,10 +13,10 @@ detection:
     properties.message: Add owner to application
   condition: selection
 falsepositives:
-  - When a new application owner is added by an administrator   
+  - When a new application owner is added by an administrator
 level: medium
 status: experimental
-tags: 
+tags:
   - attack.t1528
   - attack.persistence
   - attack.credential_access
diff --git a/src/main/resources/rules/others_cloud/azure/azure_app_ropc_authentication.yml b/src/main/resources/rules/others_cloud/azure/azure_app_ropc_authentication.yml
index f2cec560f..82222f0ca 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_app_ropc_authentication.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_app_ropc_authentication.yml
@@ -1,6 +1,6 @@
 title: Applications That Are Using ROPC Authentication Flow
 id: 55695bc0-c8cf-461f-a379-2535f563c854
-description: Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.  
+description: Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022/06/01
 references:
@@ -16,7 +16,7 @@ falsepositives:
   - Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow
 level: medium
 status: experimental
-tags: 
+tags:
   - attack.t1078
   - attack.defense_evasion
   - attack.persistence
diff --git a/src/main/resources/rules/others_cloud/azure/azure_app_uri_modifications.yml b/src/main/resources/rules/others_cloud/azure/azure_app_uri_modifications.yml
index d5724b91d..a2cda3522 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_app_uri_modifications.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_app_uri_modifications.yml
@@ -1,8 +1,8 @@
 title: Application URI Configuration Changes
 id: 0055ad1f-be85-4798-83cf-a6da17c993b3
-description: Detects when a configuration change is made to an applications URI. 
+description: Detects when a configuration change is made to an applications URI.
   URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app,
-  or URIs that point to domains you do not control should be investigated.   
+  or URIs that point to domains you do not control should be investigated.
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022/06/02
 references:
@@ -15,10 +15,10 @@ detection:
     properties.message: Update Application Sucess- Property Name AppAddress
   condition: selection
 falsepositives:
-  - When and administrator is making legitmate URI configuration changes to an application. This should be a planned event. 
+  - When and administrator is making legitmate URI configuration changes to an application. This should be a planned event.
 level: high
 status: experimental
-tags: 
+tags:
   - attack.t1528
   - attack.persistence
   - attack.credential_access
diff --git a/src/main/resources/rules/others_cloud/azure/azure_application_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_application_deleted.yml
index 6d3ee5b0d..a2e52ca9d 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_application_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_application_deleted.yml
@@ -19,6 +19,6 @@ level: medium
 tags:
     - attack.defense_evasion
 falsepositives:
- - Application being deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Application being deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_application_gateway_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_application_gateway_modified_or_deleted.yml
index dab3bf97c..d242e0caa 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_application_gateway_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_application_gateway_modified_or_deleted.yml
@@ -11,7 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE
             - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE
     condition: selection
@@ -19,6 +19,6 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Application gateway being modified or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Application gateway being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_application_security_group_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_application_security_group_modified_or_deleted.yml
index a770842d0..abd3d183e 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_application_security_group_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_application_security_group_modified_or_deleted.yml
@@ -11,7 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE
             - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE
     condition: selection
@@ -19,6 +19,6 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Application security group being modified or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Application security group being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_change_to_authentication_method.yml b/src/main/resources/rules/others_cloud/azure/azure_change_to_authentication_method.yml
index 812357a27..b251b5c25 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_change_to_authentication_method.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_change_to_authentication_method.yml
@@ -2,7 +2,7 @@ title: Change to Authentication Method
 id: 4d78a000-ab52-4564-88a5-7ab5242b20c7
 status: experimental
 author: AlertIQ
-date: 2021/10/10  
+date: 2021/10/10
 description: Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access.
 references:
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
diff --git a/src/main/resources/rules/others_cloud/azure/azure_container_registry_created_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_container_registry_created_or_deleted.yml
index b394ce894..e47111824 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_container_registry_created_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_container_registry_created_or_deleted.yml
@@ -15,7 +15,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE
             - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE
     condition: selection
diff --git a/src/main/resources/rules/others_cloud/azure/azure_device_no_longer_managed_or_compliant.yml b/src/main/resources/rules/others_cloud/azure/azure_device_no_longer_managed_or_compliant.yml
index 0c33bda86..5fc10bc63 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_device_no_longer_managed_or_compliant.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_device_no_longer_managed_or_compliant.yml
@@ -11,7 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - Device no longer compliant
             - Device no longer managed
     condition: selection
@@ -19,4 +19,4 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Administrator may have forgotten to review the device. 
+ - Administrator may have forgotten to review the device.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_device_or_configuration_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
index cc5aa33d2..9f18c1e9f 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
@@ -11,7 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - Delete device
             - Delete device configuration
             - Update device
@@ -21,6 +21,6 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Device or device configuration being modified or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Device or device configuration being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_dns_zone_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_dns_zone_modified_or_deleted.yml
index 80d55642b..faa86c01e 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_dns_zone_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_dns_zone_modified_or_deleted.yml
@@ -20,5 +20,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_federation_modified.yml b/src/main/resources/rules/others_cloud/azure/azure_federation_modified.yml
index e8c1458f5..4512ee967 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_federation_modified.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_federation_modified.yml
@@ -20,7 +20,6 @@ tags:
     - attack.initial_access
     - attack.t1078
 falsepositives:
- - Federation Settings being modified or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Federation Settings being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
-
diff --git a/src/main/resources/rules/others_cloud/azure/azure_firewall_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_firewall_modified_or_deleted.yml
index 2d09758ae..28c659a05 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_firewall_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_firewall_modified_or_deleted.yml
@@ -11,7 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE
             - MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE
     condition: selection
@@ -19,5 +19,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml
index 30281498e..de1fc0c5d 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml
@@ -11,7 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE
             - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE
             - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE
@@ -23,5 +23,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_keyvault_key_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_keyvault_key_modified_or_deleted.yml
index fe2af9ae7..ab657e79c 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_keyvault_key_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_keyvault_key_modified_or_deleted.yml
@@ -11,7 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION
             - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE
             - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION
@@ -29,6 +29,6 @@ tags:
     - attack.t1552
     - attack.t1552.001
 falsepositives:
- - Key being modified or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Key being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_keyvault_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_keyvault_modified_or_deleted.yml
index cc596dcbf..d63cfe24d 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_keyvault_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_keyvault_modified_or_deleted.yml
@@ -24,6 +24,6 @@ tags:
     - attack.t1552
     - attack.t1552.001
 falsepositives:
- - Key Vault being modified or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Key Vault being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml
index 53f85064a..b31895d4a 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml
@@ -11,7 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE
             - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE
             - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION
@@ -28,6 +28,6 @@ tags:
     - attack.t1552
     - attack.t1552.001
 falsepositives:
- - Secrets being modified or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Secrets being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_admission_controller.yml b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_admission_controller.yml
index 3e2dbbbae..d8f36f7b2 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_admission_controller.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_admission_controller.yml
@@ -30,5 +30,5 @@ tags:
     - attack.t1552
     - attack.t1552.007
 falsepositives:
-- Azure Kubernetes Admissions Controller may be done by a system administrator. 
+- Azure Kubernetes Admissions Controller may be done by a system administrator.
 - If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml
index 6af9fe8ac..d9be4f586 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml
@@ -15,7 +15,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE
     condition: selection
@@ -25,4 +25,3 @@ tags:
 falsepositives:
  - Kubernetes cluster being created or  deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- 
diff --git a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_events_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_events_deleted.yml
index 7c4aefd91..9252c26fb 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_events_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_events_deleted.yml
@@ -21,4 +21,3 @@ tags:
     - attack.t1562.001
 falsepositives:
 - Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
-
diff --git a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_network_policy_change.yml b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_network_policy_change.yml
index e731c0d87..71b65a4f2 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_network_policy_change.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_network_policy_change.yml
@@ -15,9 +15,9 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE
-            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE 
+            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE
     condition: selection
diff --git a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_role_access.yml b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_role_access.yml
index b13335b6b..a3c9bf010 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_role_access.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_role_access.yml
@@ -15,7 +15,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION
diff --git a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml
index 923169ffe..efea094a1 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml
@@ -15,8 +15,8 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
-            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE 
+        properties.message:
+            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE
@@ -26,6 +26,5 @@ tags:
     - attack.impact
     - attack.credential_access
 falsepositives:
- - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- 
diff --git a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_secret_or_config_object_access.yml b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_secret_or_config_object_access.yml
index 3f24ab0ba..f809df396 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_secret_or_config_object_access.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_secret_or_config_object_access.yml
@@ -15,8 +15,8 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
-            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE 
+        properties.message:
+            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE
diff --git a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml
index 6a56ea6c6..355e7bd31 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml
@@ -15,7 +15,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE
             - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION
diff --git a/src/main/resources/rules/others_cloud/azure/azure_login_to_disabled_account.yml b/src/main/resources/rules/others_cloud/azure/azure_login_to_disabled_account.yml
index 8f8392ca8..41c45d939 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_login_to_disabled_account.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_login_to_disabled_account.yml
@@ -2,7 +2,7 @@ title: Login to Disabled Account
 id: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8
 status: experimental
 author: AlertIQ
-date: 2021/10/10  
+date: 2021/10/10
 description: Detect failed attempts to sign in to disabled accounts.
 references:
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
@@ -13,7 +13,7 @@ detection:
   selection:
     ResultType: 50057
     ResultDescription: 'User account is disabled. The account has been disabled by an administrator.'
-  condition: selection 
+  condition: selection
 level: medium
 falsepositives:
   - Unknown
diff --git a/src/main/resources/rules/others_cloud/azure/azure_mfa_denies.yml b/src/main/resources/rules/others_cloud/azure/azure_mfa_denies.yml
index 97400b634..f0f63b75e 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_mfa_denies.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_mfa_denies.yml
@@ -3,7 +3,7 @@ id: e40f4962-b02b-4192-9bfe-245f7ece1f99
 status: experimental
 author: AlertIQ
 date: 2022/03/24
-description: User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account. 
+description: User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.
 references:
   - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
 logsource:
diff --git a/src/main/resources/rules/others_cloud/azure/azure_mfa_interrupted.yml b/src/main/resources/rules/others_cloud/azure/azure_mfa_interrupted.yml
index 8d997688e..5919ea0fe 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_mfa_interrupted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_mfa_interrupted.yml
@@ -2,7 +2,7 @@ title: Multifactor Authentication Interupted
 id: 5496ff55-42ec-4369-81cb-00f417029e25
 status: experimental
 author: AlertIQ
-date: 2021/10/10  
+date: 2021/10/10
 description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
 references:
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
diff --git a/src/main/resources/rules/others_cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml
index 2a36bbdab..a679d1892 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml
@@ -11,7 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE
             - MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION
             - MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION
@@ -21,5 +21,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml
index a2ab1da57..42ef6878a 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml
@@ -21,5 +21,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml
index c54bd0d56..16373fbd0 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml
@@ -23,5 +23,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_network_security_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_network_security_modified_or_deleted.yml
index cd2f06382..395880e92 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_network_security_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_network_security_modified_or_deleted.yml
@@ -23,5 +23,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_network_virtual_device_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_network_virtual_device_modified_or_deleted.yml
index 5eefd7274..7e8ed5b4a 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_network_virtual_device_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_network_virtual_device_modified_or_deleted.yml
@@ -28,5 +28,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_new_cloudshell_created.yml b/src/main/resources/rules/others_cloud/azure/azure_new_cloudshell_created.yml
index faa1a2c7b..e06b47f2f 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_new_cloudshell_created.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_new_cloudshell_created.yml
@@ -18,5 +18,4 @@ tags:
     - attack.execution
     - attack.t1059
 falsepositives:
- - A new cloudshell may be created by a system administrator. 
- 
+ - A new cloudshell may be created by a system administrator.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_owner_removed_from_application_or_service_principal.yml b/src/main/resources/rules/others_cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
index 57b3f464f..d32b447cf 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
@@ -11,7 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - Remove owner from service principal
             - Remove owner from application
     condition: selection
@@ -19,6 +19,6 @@ level: medium
 tags:
     - attack.defense_evasion
 falsepositives:
- - Owner being removed may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Owner being removed may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_service_principal_created.yml b/src/main/resources/rules/others_cloud/azure/azure_service_principal_created.yml
index 28d351a04..46a14b711 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_service_principal_created.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_service_principal_created.yml
@@ -17,6 +17,6 @@ level: medium
 tags:
     - attack.defense_evasion
 falsepositives:
- - Service principal being created may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Service principal being created may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_service_principal_removed.yml b/src/main/resources/rules/others_cloud/azure/azure_service_principal_removed.yml
index fbda2c690..43328012b 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_service_principal_removed.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_service_principal_removed.yml
@@ -17,6 +17,6 @@ level: medium
 tags:
     - attack.defense_evasion
 falsepositives:
- - Service principal being removed may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Service principal being removed may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_unusual_authentication_interruption.yml b/src/main/resources/rules/others_cloud/azure/azure_unusual_authentication_interruption.yml
index f71db67b8..18691dfd3 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_unusual_authentication_interruption.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_unusual_authentication_interruption.yml
@@ -2,7 +2,7 @@ title: Azure Unusual Authentication Interruption
 id: 8366030e-7216-476b-9927-271d79f13cf3
 status: experimental
 author: Austin Songer @austinsonger
-date: 2021/11/26  
+date: 2021/11/26
 description: Detects when there is a interruption in the authentication process.
 references:
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
@@ -19,7 +19,7 @@ detection:
     selection3:
           ResultType: 50158
           ResultDescription: 'ExternalSecurityChallenge - External security challenge was not satisfied'
-    condition: selection1 or selection2 or selection3 
+    condition: selection1 or selection2 or selection3
 level: medium
 falsepositives:
   - Unknown
diff --git a/src/main/resources/rules/others_cloud/azure/azure_user_login_blocked_by_conditional_access.yml b/src/main/resources/rules/others_cloud/azure/azure_user_login_blocked_by_conditional_access.yml
index 4b2b0bec9..5c087a6ee 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_user_login_blocked_by_conditional_access.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_user_login_blocked_by_conditional_access.yml
@@ -2,7 +2,7 @@ title: User Access Blocked by Azure Conditional Access
 id: 9a60e676-26ac-44c3-814b-0c2a8b977adf
 status: experimental
 author: AlertIQ
-date: 2021/10/10  
+date: 2021/10/10
 description: Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.
 references:
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
@@ -12,7 +12,7 @@ logsource:
 detection:
   selection:
     ResultType: 53003
-  condition: selection 
+  condition: selection
 level: medium
 falsepositives:
   - Unknown
diff --git a/src/main/resources/rules/others_cloud/azure/azure_virtual_network_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_virtual_network_modified_or_deleted.yml
index 40a1604f6..6b25808c8 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_virtual_network_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_virtual_network_modified_or_deleted.yml
@@ -22,5 +22,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/azure/azure_vpn_connection_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_vpn_connection_modified_or_deleted.yml
index e7cc2e36b..58d96b14e 100644
--- a/src/main/resources/rules/others_cloud/azure/azure_vpn_connection_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/azure/azure_vpn_connection_modified_or_deleted.yml
@@ -19,5 +19,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_bucket_enumeration.yml b/src/main/resources/rules/others_cloud/gcp/gcp_bucket_enumeration.yml
index e7f8fc61f..a94ef6b8a 100644
--- a/src/main/resources/rules/others_cloud/gcp/gcp_bucket_enumeration.yml
+++ b/src/main/resources/rules/others_cloud/gcp/gcp_bucket_enumeration.yml
@@ -11,7 +11,7 @@ logsource:
   service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name: 
+        gcp.audit.method_name:
             - storage.buckets.list
             - storage.buckets.listChannels
     condition: selection
@@ -19,5 +19,5 @@ level: low
 tags:
     - attack.discovery
 falsepositives:
- - Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_bucket_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/gcp/gcp_bucket_modified_or_deleted.yml
index ac5017c9f..514277727 100644
--- a/src/main/resources/rules/others_cloud/gcp/gcp_bucket_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/gcp/gcp_bucket_modified_or_deleted.yml
@@ -11,7 +11,7 @@ logsource:
   service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name: 
+        gcp.audit.method_name:
             - storage.buckets.delete
             - storage.buckets.insert
             - storage.buckets.update
@@ -21,5 +21,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_dns_zone_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/gcp/gcp_dns_zone_modified_or_deleted.yml
index 9455782d4..4dfeac4be 100644
--- a/src/main/resources/rules/others_cloud/gcp/gcp_dns_zone_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/gcp/gcp_dns_zone_modified_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Google Cloud DNS Zone Modified or Deleted
 id: 28268a8f-191f-4c17-85b2-f5aa4fa829c3
-description: Identifies when a DNS Zone is modified or deleted in Google Cloud. 
+description: Identifies when a DNS Zone is modified or deleted in Google Cloud.
 author: Austin Songer @austinsonger
 status: experimental
 date: 2021/08/15
@@ -11,7 +11,7 @@ logsource:
   service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name: 
+        gcp.audit.method_name:
             - Dns.ManagedZones.Delete
             - Dns.ManagedZones.Update
             - Dns.ManagedZones.Patch
diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml
index 4cb33dd81..73ed0ef20 100644
--- a/src/main/resources/rules/others_cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml
@@ -12,7 +12,7 @@ logsource:
   service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name: 
+        gcp.audit.method_name:
             - v*.Compute.Firewalls.Delete
             - v*.Compute.Firewalls.Patch
             - v*.Compute.Firewalls.Update
@@ -23,5 +23,5 @@ tags:
     - attack.defense_evasion
     - attack.t1562
 falsepositives:
- - Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected. 
+ - Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected.
  - Exceptions can be added to this rule to filter expected behavior.
diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_full_network_traffic_packet_capture.yml b/src/main/resources/rules/others_cloud/gcp/gcp_full_network_traffic_packet_capture.yml
index cd29c4055..4cd3bf090 100644
--- a/src/main/resources/rules/others_cloud/gcp/gcp_full_network_traffic_packet_capture.yml
+++ b/src/main/resources/rules/others_cloud/gcp/gcp_full_network_traffic_packet_capture.yml
@@ -12,7 +12,7 @@ logsource:
   service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name: 
+        gcp.audit.method_name:
             - v*.Compute.PacketMirrorings.Get
             - v*.Compute.PacketMirrorings.Delete
             - v*.Compute.PacketMirrorings.Insert
@@ -25,5 +25,5 @@ tags:
     - attack.collection
     - attack.t1074
 falsepositives:
-  - Full Network Packet Capture may be done by a system or network administrator. 
+  - Full Network Packet Capture may be done by a system or network administrator.
   - If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_admission_controller.yml b/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_admission_controller.yml
index 9bdabb295..f152d8fa0 100644
--- a/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_admission_controller.yml
+++ b/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_admission_controller.yml
@@ -32,5 +32,5 @@ tags:
     - attack.t1552
     - attack.t1552.007
 falsepositives:
-- Google Cloud Kubernetes Admission Controller may be done by a system administrator. 
+- Google Cloud Kubernetes Admission Controller may be done by a system administrator.
 - If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_cronjob.yml b/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_cronjob.yml
index 4ab7a9613..bb3852358 100644
--- a/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_cronjob.yml
+++ b/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_cronjob.yml
@@ -13,7 +13,7 @@ logsource:
   service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name: 
+        gcp.audit.method_name:
             - io.k8s.api.batch.v*.Job
             - io.k8s.api.batch.v*.CronJob
     condition: selection
@@ -23,5 +23,5 @@ tags:
     - attack.privilege_escalation
     - attack.execution
 falsepositives:
-- Google Cloud Kubernetes CronJob/Job may be done by a system administrator. 
+- Google Cloud Kubernetes CronJob/Job may be done by a system administrator.
 - If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_rolebinding.yml b/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_rolebinding.yml
index 472ff97b5..008193831 100644
--- a/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_rolebinding.yml
+++ b/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_rolebinding.yml
@@ -15,7 +15,7 @@ logsource:
   service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name: 
+        gcp.audit.method_name:
             - io.k8s.authorization.rbac.v*.clusterrolebindings.create
             - io.k8s.authorization.rbac.v*.rolebindings.create
             - io.k8s.authorization.rbac.v*.clusterrolebindings.patch
@@ -29,5 +29,5 @@ level: medium
 tags:
     - attack.credential_access
 falsepositives:
- - RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml
index 35f1ebda3..e609e9e64 100644
--- a/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml
@@ -11,15 +11,15 @@ logsource:
   service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name: 
+        gcp.audit.method_name:
             - io.k8s.core.v*.secrets.create
             - io.k8s.core.v*.secrets.update
             - io.k8s.core.v*.secrets.patch
-            - io.k8s.core.v*.secrets.delete 
+            - io.k8s.core.v*.secrets.delete
     condition: selection
 level: medium
 tags:
     - attack.credential_access
 falsepositives:
- - Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_service_account_disabled_or_deleted.yml b/src/main/resources/rules/others_cloud/gcp/gcp_service_account_disabled_or_deleted.yml
index c265f7c9d..3976deaf5 100644
--- a/src/main/resources/rules/others_cloud/gcp/gcp_service_account_disabled_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/gcp/gcp_service_account_disabled_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Google Cloud Service Account Disabled or Deleted
 id: 13f81a90-a69c-4fab-8f07-b5bb55416a9f
-description: Identifies when a service account is disabled or deleted in Google Cloud. 
+description: Identifies when a service account is disabled or deleted in Google Cloud.
 author: Austin Songer @austinsonger
 status: experimental
 date: 2021/08/14
@@ -11,7 +11,7 @@ logsource:
   service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name|endswith: 
+        gcp.audit.method_name|endswith:
             - .serviceAccounts.disable
             - .serviceAccounts.delete
     condition: selection
@@ -20,5 +20,5 @@ tags:
     - attack.impact
     - attack.t1531
 falsepositives:
- - Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_service_account_modified.yml b/src/main/resources/rules/others_cloud/gcp/gcp_service_account_modified.yml
index b990d00a4..d43c7e012 100644
--- a/src/main/resources/rules/others_cloud/gcp/gcp_service_account_modified.yml
+++ b/src/main/resources/rules/others_cloud/gcp/gcp_service_account_modified.yml
@@ -1,6 +1,6 @@
 title: Google Cloud Service Account Modified
 id: 6b67c12e-5e40-47c6-b3b0-1e6b571184cc
-description: Identifies when a service account is modified in Google Cloud. 
+description: Identifies when a service account is modified in Google Cloud.
 author: Austin Songer @austinsonger
 status: experimental
 date: 2021/08/14
@@ -11,7 +11,7 @@ logsource:
   service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name|endswith: 
+        gcp.audit.method_name|endswith:
             - .serviceAccounts.patch
             - .serviceAccounts.create
             - .serviceAccounts.update
@@ -22,5 +22,5 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_sql_database_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/gcp/gcp_sql_database_modified_or_deleted.yml
index c2693f286..d3b4232fe 100644
--- a/src/main/resources/rules/others_cloud/gcp/gcp_sql_database_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/gcp/gcp_sql_database_modified_or_deleted.yml
@@ -11,7 +11,7 @@ logsource:
   service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name: 
+        gcp.audit.method_name:
             - cloudsql.instances.create
             - cloudsql.instances.delete
             - cloudsql.users.update
@@ -21,6 +21,6 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - SQL Database being modified or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - SQL Database being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - SQL Database modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml
index 8171bb42a..781bef103 100644
--- a/src/main/resources/rules/others_cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Google Cloud VPN Tunnel Modified or Deleted
 id: 99980a85-3a61-43d3-ac0f-b68d6b4797b1
-description: Identifies when a VPN Tunnel Modified or Deleted in Google Cloud. 
+description: Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.
 author: Austin Songer @austinsonger
 status: experimental
 date: 2021/08/16
@@ -11,7 +11,7 @@ logsource:
   service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name: 
+        gcp.audit.method_name:
             - compute.vpnTunnels.insert
             - compute.vpnTunnels.delete
     condition: selection
@@ -19,6 +19,6 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - VPN Tunnel being modified or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - VPN Tunnel being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_application_removed.yml b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_application_removed.yml
index 176b7f9f3..e0ea857f7 100644
--- a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_application_removed.yml
+++ b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_application_removed.yml
@@ -14,7 +14,7 @@ logsource:
 detection:
     selection:
         eventService: admin.googleapis.com
-        eventName: 
+        eventName:
             - REMOVE_APPLICATION
             - REMOVE_APPLICATION_FROM_WHITELIST
     condition: selection
diff --git a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_granted_domain_api_access.yml b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_granted_domain_api_access.yml
index e177ee7d1..dab6f04db 100644
--- a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_granted_domain_api_access.yml
+++ b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_granted_domain_api_access.yml
@@ -21,4 +21,3 @@ tags:
     - attack.t1098
 falsepositives:
  - Unknown
- 
diff --git a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_mfa_disabled.yml b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_mfa_disabled.yml
index 26b636d99..ce2c1b0e9 100644
--- a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_mfa_disabled.yml
+++ b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_mfa_disabled.yml
@@ -15,7 +15,7 @@ logsource:
 detection:
     selection_base:
         eventService: admin.googleapis.com
-        eventName: 
+        eventName:
             - ENFORCE_STRONG_AUTHENTICATION
             - ALLOW_STRONG_AUTHENTICATION
     selection_eventValue:
@@ -26,4 +26,3 @@ tags:
     - attack.impact
 falsepositives:
  - MFA may be disabled and performed by a system administrator.
- 
\ No newline at end of file
diff --git a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_role_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_role_modified_or_deleted.yml
index 18c23bc28..4d37bb058 100644
--- a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_role_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_role_modified_or_deleted.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
     selection:
         eventService: admin.googleapis.com
-        eventName: 
+        eventName:
             - DELETE_ROLE
             - RENAME_ROLE
             - UPDATE_ROLE
@@ -23,4 +23,3 @@ tags:
     - attack.impact
 falsepositives:
  - Unknown
- 
diff --git a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_role_privilege_deleted.yml b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_role_privilege_deleted.yml
index bbe666a6e..0a81d079f 100644
--- a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_role_privilege_deleted.yml
+++ b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_role_privilege_deleted.yml
@@ -20,4 +20,3 @@ tags:
     - attack.impact
 falsepositives:
  - Unknown
- 
diff --git a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
index 802f60526..73c8fe835 100644
--- a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
+++ b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
@@ -1,6 +1,6 @@
 title: Google Workspace User Granted Admin Privileges
 id: 2d1b83e4-17c6-4896-a37b-29140b40a788
-description: Detects when an Google Workspace user is granted admin privileges. 
+description: Detects when an Google Workspace user is granted admin privileges.
 author: Austin Songer
 status: experimental
 date: 2021/08/23
@@ -13,7 +13,7 @@ logsource:
 detection:
     selection:
         eventService: admin.googleapis.com
-        eventName: 
+        eventName:
             - GRANT_DELEGATED_ADMIN_PRIVILEGES
             - GRANT_ADMIN_PRIVILEGE
     condition: selection
@@ -22,4 +22,4 @@ tags:
     - attack.persistence
     - attack.t1098
 falsepositives:
- - Google Workspace admin role privileges, may be modified by system administrators.
\ No newline at end of file
+ - Google Workspace admin role privileges, may be modified by system administrators.
diff --git a/src/main/resources/rules/others_cloud/m365/microsoft365_from_susp_ip_addresses.yml b/src/main/resources/rules/others_cloud/m365/microsoft365_from_susp_ip_addresses.yml
index 3694bf34c..a23c08c4b 100644
--- a/src/main/resources/rules/others_cloud/m365/microsoft365_from_susp_ip_addresses.yml
+++ b/src/main/resources/rules/others_cloud/m365/microsoft365_from_susp_ip_addresses.yml
@@ -1,7 +1,7 @@
 title: Activity from Suspicious IP Addresses
 id: a3501e8e-af9e-43c6-8cd6-9360bdaae498
 status: experimental
-description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account. 
+description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.
 author: Austin Songer @austinsonger
 date: 2021/08/23
 references:
diff --git a/src/main/resources/rules/others_cloud/m365/microsoft365_impossible_travel_activity.yml b/src/main/resources/rules/others_cloud/m365/microsoft365_impossible_travel_activity.yml
index 7136534ab..efa9b6799 100644
--- a/src/main/resources/rules/others_cloud/m365/microsoft365_impossible_travel_activity.yml
+++ b/src/main/resources/rules/others_cloud/m365/microsoft365_impossible_travel_activity.yml
@@ -23,5 +23,3 @@ level: medium
 tags:
   - attack.initial_access
   - attack.t1078
-
-
diff --git a/src/main/resources/rules/others_cloud/okta/okta_admin_role_assigned_to_user_or_group.yml b/src/main/resources/rules/others_cloud/okta/okta_admin_role_assigned_to_user_or_group.yml
index 32b496a79..2574abf14 100644
--- a/src/main/resources/rules/others_cloud/okta/okta_admin_role_assigned_to_user_or_group.yml
+++ b/src/main/resources/rules/others_cloud/okta/okta_admin_role_assigned_to_user_or_group.yml
@@ -13,7 +13,7 @@ logsource:
   service: okta
 detection:
     selection:
-        eventtype: 
+        eventtype:
             - group.privilege.grant
             - user.account.privilege.grant
     condition: selection
@@ -21,5 +21,4 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Administrator roles could be assigned to users or group by other admin users. 
- 
+ - Administrator roles could be assigned to users or group by other admin users.
diff --git a/src/main/resources/rules/others_cloud/okta/okta_api_token_created.yml b/src/main/resources/rules/others_cloud/okta/okta_api_token_created.yml
index a39c3ae70..8f816d033 100644
--- a/src/main/resources/rules/others_cloud/okta/okta_api_token_created.yml
+++ b/src/main/resources/rules/others_cloud/okta/okta_api_token_created.yml
@@ -20,4 +20,3 @@ tags:
     - attack.persistence
 falsepositives:
  - Unknown
-
diff --git a/src/main/resources/rules/others_cloud/okta/okta_api_token_revoked.yml b/src/main/resources/rules/others_cloud/okta/okta_api_token_revoked.yml
index 644f1aea5..9919a5085 100644
--- a/src/main/resources/rules/others_cloud/okta/okta_api_token_revoked.yml
+++ b/src/main/resources/rules/others_cloud/okta/okta_api_token_revoked.yml
@@ -20,4 +20,3 @@ tags:
     - attack.impact
 falsepositives:
  - Unknown
- 
diff --git a/src/main/resources/rules/others_cloud/okta/okta_application_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/okta/okta_application_modified_or_deleted.yml
index 35cbd1b95..849da89b0 100644
--- a/src/main/resources/rules/others_cloud/okta/okta_application_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/okta/okta_application_modified_or_deleted.yml
@@ -13,7 +13,7 @@ logsource:
   service: okta
 detection:
     selection:
-        eventtype: 
+        eventtype:
             - application.lifecycle.update
             - application.lifecycle.delete
     condition: selection
@@ -22,4 +22,3 @@ tags:
     - attack.impact
 falsepositives:
  - Unknown
- 
diff --git a/src/main/resources/rules/others_cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml
index 0520ddd6b..bff4ff5ef 100644
--- a/src/main/resources/rules/others_cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml
@@ -13,7 +13,7 @@ logsource:
   service: okta
 detection:
     selection:
-        eventtype: 
+        eventtype:
             - application.policy.sign_on.update
             - application.policy.sign_on.rule.delete
     condition: selection
@@ -21,4 +21,4 @@ level: medium
 tags:
     - attack.impact
 falsepositives:
- - Unknown
\ No newline at end of file
+ - Unknown
diff --git a/src/main/resources/rules/others_cloud/okta/okta_mfa_reset_or_deactivated.yml b/src/main/resources/rules/others_cloud/okta/okta_mfa_reset_or_deactivated.yml
index 69185811f..48d0ac8fc 100644
--- a/src/main/resources/rules/others_cloud/okta/okta_mfa_reset_or_deactivated.yml
+++ b/src/main/resources/rules/others_cloud/okta/okta_mfa_reset_or_deactivated.yml
@@ -13,7 +13,7 @@ logsource:
   service: okta
 detection:
     selection:
-        eventtype: 
+        eventtype:
             - user.mfa.factor.deactivate
             - user.mfa.factor.reset_all
     condition: selection
@@ -21,4 +21,4 @@ level: medium
 tags:
     - attack.persistence
 falsepositives:
- - If a MFA reset or deactivated was performed by a system administrator. 
+ - If a MFA reset or deactivated was performed by a system administrator.
diff --git a/src/main/resources/rules/others_cloud/okta/okta_network_zone_deactivated_or_deleted.yml b/src/main/resources/rules/others_cloud/okta/okta_network_zone_deactivated_or_deleted.yml
index b4f6adf83..f0d5aa802 100644
--- a/src/main/resources/rules/others_cloud/okta/okta_network_zone_deactivated_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/okta/okta_network_zone_deactivated_or_deleted.yml
@@ -13,7 +13,7 @@ logsource:
   service: okta
 detection:
     selection:
-        eventtype: 
+        eventtype:
             - zone.deactivate
             - zone.delete
     condition: selection
@@ -22,4 +22,3 @@ tags:
     - attack.impact
 falsepositives:
  - Unknown
- 
diff --git a/src/main/resources/rules/others_cloud/okta/okta_policy_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/okta/okta_policy_modified_or_deleted.yml
index 247901b96..bfca326f5 100644
--- a/src/main/resources/rules/others_cloud/okta/okta_policy_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/okta/okta_policy_modified_or_deleted.yml
@@ -13,7 +13,7 @@ logsource:
   service: okta
 detection:
     selection:
-        eventtype: 
+        eventtype:
             - policy.lifecycle.update
             - policy.lifecycle.delete
     condition: selection
@@ -21,6 +21,6 @@ level: low
 tags:
     - attack.impact
 falsepositives:
- - Okta Policies being modified or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Okta Policies being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/src/main/resources/rules/others_cloud/okta/okta_policy_rule_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/okta/okta_policy_rule_modified_or_deleted.yml
index 9a1ab4bf7..7a1d4fe6d 100644
--- a/src/main/resources/rules/others_cloud/okta/okta_policy_rule_modified_or_deleted.yml
+++ b/src/main/resources/rules/others_cloud/okta/okta_policy_rule_modified_or_deleted.yml
@@ -13,7 +13,7 @@ logsource:
   service: okta
 detection:
     selection:
-        eventtype: 
+        eventtype:
             - policy.rule.update
             - policy.rule.delete
     condition: selection
@@ -22,4 +22,3 @@ tags:
     - attack.impact
 falsepositives:
  - Unknown
- 
diff --git a/src/main/resources/rules/others_compliance/firewall_cleartext_protocols.yml b/src/main/resources/rules/others_compliance/firewall_cleartext_protocols.yml
index 1a1f3d7e9..dcaf8405e 100644
--- a/src/main/resources/rules/others_compliance/firewall_cleartext_protocols.yml
+++ b/src/main/resources/rules/others_compliance/firewall_cleartext_protocols.yml
@@ -82,4 +82,4 @@ level: low
     # - PCI DSS 3.2 4.3
     # - PCI DSS 3.2 7.1
     # - PCI DSS 3.2 7.2
-    # - PCI DSS 3.2 7.3
\ No newline at end of file
+    # - PCI DSS 3.2 7.3
diff --git a/src/main/resources/rules/others_compliance/netflow_cleartext_protocols.yml b/src/main/resources/rules/others_compliance/netflow_cleartext_protocols.yml
index 4592b6975..6bb172cd8 100644
--- a/src/main/resources/rules/others_compliance/netflow_cleartext_protocols.yml
+++ b/src/main/resources/rules/others_compliance/netflow_cleartext_protocols.yml
@@ -76,4 +76,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: low
\ No newline at end of file
+level: low
diff --git a/src/main/resources/rules/others_proxy/proxy_apt_domestic_kitten.yml b/src/main/resources/rules/others_proxy/proxy_apt_domestic_kitten.yml
index 963c9efe7..4e697a836 100644
--- a/src/main/resources/rules/others_proxy/proxy_apt_domestic_kitten.yml
+++ b/src/main/resources/rules/others_proxy/proxy_apt_domestic_kitten.yml
@@ -12,7 +12,7 @@ logsource:
     category: proxy
 detection:
     selection:
-        c-uri|contains: 
+        c-uri|contains:
             - 'Get~~~AllBrowser'
             - 'Get~~~HardwareInfo'
             - 'Take~~RecordCall'
diff --git a/src/main/resources/rules/others_proxy/proxy_baby_shark.yml b/src/main/resources/rules/others_proxy/proxy_baby_shark.yml
index 5b6f980b6..07342d1de 100644
--- a/src/main/resources/rules/others_proxy/proxy_baby_shark.yml
+++ b/src/main/resources/rules/others_proxy/proxy_baby_shark.yml
@@ -17,4 +17,4 @@ falsepositives:
 level: critical
 tags:
     - attack.command_and_control
-    - attack.t1071.001
\ No newline at end of file
+    - attack.t1071.001
diff --git a/src/main/resources/rules/others_proxy/proxy_cobalt_amazon.yml b/src/main/resources/rules/others_proxy/proxy_cobalt_amazon.yml
index 7301303a0..d7b410e72 100644
--- a/src/main/resources/rules/others_proxy/proxy_cobalt_amazon.yml
+++ b/src/main/resources/rules/others_proxy/proxy_cobalt_amazon.yml
@@ -30,4 +30,3 @@ tags:
   - attack.defense_evasion
   - attack.command_and_control
   - attack.t1071.001
- 
\ No newline at end of file
diff --git a/src/main/resources/rules/others_proxy/proxy_cobalt_malformed_uas.yml b/src/main/resources/rules/others_proxy/proxy_cobalt_malformed_uas.yml
index 43553af44..a7fec2988 100644
--- a/src/main/resources/rules/others_proxy/proxy_cobalt_malformed_uas.yml
+++ b/src/main/resources/rules/others_proxy/proxy_cobalt_malformed_uas.yml
@@ -11,7 +11,7 @@ logsource:
   category: proxy
 detection:
   selection1:
-    c-useragent: 
+    c-useragent:
       - 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)'
       - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )'
       - 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08'
diff --git a/src/main/resources/rules/others_proxy/proxy_ua_bitsadmin_susp_ip.yml b/src/main/resources/rules/others_proxy/proxy_ua_bitsadmin_susp_ip.yml
index af0556668..3d7648457 100644
--- a/src/main/resources/rules/others_proxy/proxy_ua_bitsadmin_susp_ip.yml
+++ b/src/main/resources/rules/others_proxy/proxy_ua_bitsadmin_susp_ip.yml
@@ -9,7 +9,7 @@ logsource:
 detection:
     selection:
         c-useragent|startswith: 'Microsoft BITS/'
-        cs-host|startswith: 
+        cs-host|startswith:
             - '1'
             - '2'
             - '3'
diff --git a/src/main/resources/rules/others_proxy/proxy_ua_bitsadmin_susp_tld.yml b/src/main/resources/rules/others_proxy/proxy_ua_bitsadmin_susp_tld.yml
index 6516f0304..2264b0d86 100644
--- a/src/main/resources/rules/others_proxy/proxy_ua_bitsadmin_susp_tld.yml
+++ b/src/main/resources/rules/others_proxy/proxy_ua_bitsadmin_susp_tld.yml
@@ -12,9 +12,9 @@ detection:
         c-useragent|startswith: 'Microsoft BITS/'
     falsepositives:
         r-dns|endswith:
-            - '.com' 
-            - '.net' 
-            - '.org' 
+            - '.com'
+            - '.net'
+            - '.org'
             - '.scdn.co' # spotify streaming
     condition: selection and not falsepositives
 fields:
diff --git a/src/main/resources/rules/others_proxy/proxy_ua_susp.yml b/src/main/resources/rules/others_proxy/proxy_ua_susp.yml
index 19bad81c9..8ec2f44f2 100644
--- a/src/main/resources/rules/others_proxy/proxy_ua_susp.yml
+++ b/src/main/resources/rules/others_proxy/proxy_ua_susp.yml
@@ -44,4 +44,4 @@ falsepositives:
 level: high
 tags:
     - attack.command_and_control
-    - attack.t1071.001
\ No newline at end of file
+    - attack.t1071.001
diff --git a/src/main/resources/rules/others_proxy/proxy_ursnif_malware_download_url.yml b/src/main/resources/rules/others_proxy/proxy_ursnif_malware_download_url.yml
index a320ba350..c5c95890e 100644
--- a/src/main/resources/rules/others_proxy/proxy_ursnif_malware_download_url.yml
+++ b/src/main/resources/rules/others_proxy/proxy_ursnif_malware_download_url.yml
@@ -9,7 +9,7 @@ logsource:
   category: proxy
 detection:
   selection:
-    c-uri|contains|all: 
+    c-uri|contains|all:
       - '/'
       - '.php?l='
     c-uri|endswith: '.cab'
@@ -22,4 +22,4 @@ fields:
   - c-ua
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/others_web/web_cve_2020_28188_terramaster_rce_exploit.yml b/src/main/resources/rules/others_web/web_cve_2020_28188_terramaster_rce_exploit.yml
index 1412d23d8..2f2468e9e 100644
--- a/src/main/resources/rules/others_web/web_cve_2020_28188_terramaster_rce_exploit.yml
+++ b/src/main/resources/rules/others_web/web_cve_2020_28188_terramaster_rce_exploit.yml
@@ -33,4 +33,4 @@ level: high
 tags:
     - attack.t1190
     - attack.initial_access
-    - cve.2020.28188
\ No newline at end of file
+    - cve.2020.28188
diff --git a/src/main/resources/rules/others_web/web_cve_2020_3452_cisco_asa_ftd.yml b/src/main/resources/rules/others_web/web_cve_2020_3452_cisco_asa_ftd.yml
index 98eb7aa2e..8a63e9291 100644
--- a/src/main/resources/rules/others_web/web_cve_2020_3452_cisco_asa_ftd.yml
+++ b/src/main/resources/rules/others_web/web_cve_2020_3452_cisco_asa_ftd.yml
@@ -32,4 +32,4 @@ level: high
 tags:
     - attack.t1190
     - attack.initial_access
-    - cve.2020.3452
\ No newline at end of file
+    - cve.2020.3452
diff --git a/src/main/resources/rules/others_web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml b/src/main/resources/rules/others_web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml
index 4cf8badf1..32a1aea47 100644
--- a/src/main/resources/rules/others_web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml
+++ b/src/main/resources/rules/others_web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml
@@ -37,4 +37,4 @@ detection:
       - '/loginerror.html'
       - '/loginexclude.html'
       - '/loginlock.html'
-  condition: (path_traversal or config_file_inj) and noauth_list
\ No newline at end of file
+  condition: (path_traversal or config_file_inj) and noauth_list
diff --git a/src/main/resources/rules/others_web/web_cve_2021_2109_weblogic_rce_exploit.yml b/src/main/resources/rules/others_web/web_cve_2021_2109_weblogic_rce_exploit.yml
index 410ad1e43..777706ad2 100644
--- a/src/main/resources/rules/others_web/web_cve_2021_2109_weblogic_rce_exploit.yml
+++ b/src/main/resources/rules/others_web/web_cve_2021_2109_weblogic_rce_exploit.yml
@@ -1,7 +1,7 @@
 title: Oracle WebLogic Exploit CVE-2021-2109
 id: 687f6504-7f44-4549-91fc-f07bab065821
 status: experimental
-description: Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109 
+description: Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109
 author: Bhabesh Raj
 date: 2021/01/20
 references:
@@ -26,4 +26,4 @@ level: critical
 tags:
     - attack.t1190
     - attack.initial_access
-    - cve.2021.2109
\ No newline at end of file
+    - cve.2021.2109
diff --git a/src/main/resources/rules/others_web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml b/src/main/resources/rules/others_web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml
index 30d7e2378..c3227b744 100644
--- a/src/main/resources/rules/others_web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml
+++ b/src/main/resources/rules/others_web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml
@@ -1,4 +1,4 @@
-title: CVE-2021-21972 VSphere Exploitation 
+title: CVE-2021-21972 VSphere Exploitation
 id: 179ed852-0f9b-4009-93a7-68475910fd86
 status: experimental
 description: Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972
diff --git a/src/main/resources/rules/others_web/web_cve_2021_26814_wzuh_rce.yml b/src/main/resources/rules/others_web/web_cve_2021_26814_wzuh_rce.yml
index c40bd1505..c399a6bb9 100644
--- a/src/main/resources/rules/others_web/web_cve_2021_26814_wzuh_rce.yml
+++ b/src/main/resources/rules/others_web/web_cve_2021_26814_wzuh_rce.yml
@@ -22,4 +22,4 @@ tags:
     - attack.initial_access
     - attack.t1190
     - cve.2021.21978
-    - cve.2021.26814
\ No newline at end of file
+    - cve.2021.26814
diff --git a/src/main/resources/rules/others_web/web_cve_2021_28480_exchange_exploit.yml b/src/main/resources/rules/others_web/web_cve_2021_28480_exchange_exploit.yml
index b3b3f21bf..ba169ee6e 100644
--- a/src/main/resources/rules/others_web/web_cve_2021_28480_exchange_exploit.yml
+++ b/src/main/resources/rules/others_web/web_cve_2021_28480_exchange_exploit.yml
@@ -20,4 +20,4 @@ detection:
   condition: selection and not filter
 falsepositives:
   - Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/others_web/web_cve_2021_33766_msexchange_proxytoken.yml b/src/main/resources/rules/others_web/web_cve_2021_33766_msexchange_proxytoken.yml
index ad016091d..85dc9cf97 100644
--- a/src/main/resources/rules/others_web/web_cve_2021_33766_msexchange_proxytoken.yml
+++ b/src/main/resources/rules/others_web/web_cve_2021_33766_msexchange_proxytoken.yml
@@ -1,7 +1,7 @@
 title: CVE-2021-33766 Exchange ProxyToken Exploitation
 id: 56973b50-3382-4b56-bdf5-f51a3183797a
 status: experimental
-description: Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766 
+description: Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766
 author: Florian Roth, Max Altgelt, Christian Burkard
 date: 2021/08/30
 references:
@@ -19,7 +19,7 @@ detection:
             - '/RulesEditor/InboxRules.svc/NewObject'
         sc-status: 500
     selection2:
-        c-uri|contains|all: 
+        c-uri|contains|all:
             - 'SecurityToken='
             - '/ecp/'
         sc-status: 500
diff --git a/src/main/resources/rules/others_web/web_cve_2021_41773_apache_path_traversal.yml b/src/main/resources/rules/others_web/web_cve_2021_41773_apache_path_traversal.yml
index 29b8d5fa2..3cf4909da 100644
--- a/src/main/resources/rules/others_web/web_cve_2021_41773_apache_path_traversal.yml
+++ b/src/main/resources/rules/others_web/web_cve_2021_41773_apache_path_traversal.yml
@@ -16,7 +16,7 @@ logsource:
   category: webserver
 detection:
     selection:
-        c-uri|contains: 
+        c-uri|contains:
             - '/cgi-bin/.%2e/'
             - '/icons/.%2e/'
             - '/cgi-bin/.%%32%65/'
@@ -24,9 +24,9 @@ detection:
             - '/cgi-bin/.%%%25%33'
             - '/icons/.%%%25%33'
     selection_success:
-        sc-status: 
+        sc-status:
             - 200
-            - 301    
+            - 301
     condition: selection and selection_success
 falsepositives:
     - Unknown
diff --git a/src/main/resources/rules/others_web/web_cve_2021_43798_grafana.yml b/src/main/resources/rules/others_web/web_cve_2021_43798_grafana.yml
index fc4fc7478..e4622ae43 100644
--- a/src/main/resources/rules/others_web/web_cve_2021_43798_grafana.yml
+++ b/src/main/resources/rules/others_web/web_cve_2021_43798_grafana.yml
@@ -1,7 +1,7 @@
 title: Grafana Path Traversal Exploitation CVE-2021-43798
 id: 7b72b328-5708-414f-9a2a-6a6867c26e16
 status: experimental
-description: Detects a successful Grafana path traversal exploitation 
+description: Detects a successful Grafana path traversal exploitation
 author: Florian Roth
 references:
   - https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
diff --git a/src/main/resources/rules/others_web/web_cve_2021_44228_log4j_fields.yml b/src/main/resources/rules/others_web/web_cve_2021_44228_log4j_fields.yml
index 3304fa06e..d9db60b6b 100644
--- a/src/main/resources/rules/others_web/web_cve_2021_44228_log4j_fields.yml
+++ b/src/main/resources/rules/others_web/web_cve_2021_44228_log4j_fields.yml
@@ -43,7 +43,7 @@ detection:
          - '${${lower:j}ndi:'
          - '${${upper:j}ndi:'
          - '${${::-j}${::-n}${::-d}${::-i}:'
-   selection2:         
+   selection2:
       user-agent|contains:
          - '${jndi:ldap:/'
          - '${jndi:rmi:/'
diff --git a/src/main/resources/rules/others_web/web_exchange_exploitation_hafnium.yml b/src/main/resources/rules/others_web/web_exchange_exploitation_hafnium.yml
index d9bdd9bd7..28b35918f 100644
--- a/src/main/resources/rules/others_web/web_exchange_exploitation_hafnium.yml
+++ b/src/main/resources/rules/others_web/web_exchange_exploitation_hafnium.yml
@@ -1,7 +1,7 @@
 title: Exchange Exploitation Used by HAFNIUM
 id: 67bce556-312f-4c81-9162-c3c9ff2599b2
 status: experimental
-description: Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity 
+description: Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity
 references:
   - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
   - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
@@ -37,16 +37,16 @@ detection:
       - 'python-requests/2.19.1'
       - 'python-requests/2.25.1'
   selection4:
-    c-uri|contains: 
+    c-uri|contains:
       - '/aspnet_client/'
       - '/owa/'
-    cs-method: 'POST'  
+    cs-method: 'POST'
     c-useragent:
       - 'antSword/v2.1'
       - 'Googlebot/2.1+(+http://www.googlebot.com/bot.html)'
       - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
   selection5:
-    c-uri|contains: 
+    c-uri|contains:
       - '/owa/auth/Current/'
       - '/ecp/default.flt'
       - '/ecp/main.css'
@@ -55,8 +55,8 @@ detection:
     cs-method: 'POST'
     c-uri|contains|all:
       - '/ecp/'
-      - '.js'   
+      - '.js'
   condition: 1 of selection*
 falsepositives:
   - Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/others_web/web_exchange_proxyshell.yml b/src/main/resources/rules/others_web/web_exchange_proxyshell.yml
index 97c00b76a..751759022 100644
--- a/src/main/resources/rules/others_web/web_exchange_proxyshell.yml
+++ b/src/main/resources/rules/others_web/web_exchange_proxyshell.yml
@@ -25,14 +25,14 @@ detection:
     selection:
         sc-status: 401
     selection_poc:
-        c-uri|contains: 
+        c-uri|contains:
             # since we don't know how it will appear in the log files, we'll just use all versions
             - 'autodiscover.json?@'
             - 'autodiscover.json%3f@'
             - '%3f@foo.com'
             - 'Email=autodiscover/autodiscover.json'
             - 'json?@foo.com'
-    condition: selection_auto and selection_uri or selection_poc 
+    condition: selection_auto and selection_uri or selection_poc
 falsepositives:
     - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/others_web/web_exchange_proxyshell_successful.yml b/src/main/resources/rules/others_web/web_exchange_proxyshell_successful.yml
index a4dd76a07..eb0acb362 100644
--- a/src/main/resources/rules/others_web/web_exchange_proxyshell_successful.yml
+++ b/src/main/resources/rules/others_web/web_exchange_proxyshell_successful.yml
@@ -22,10 +22,10 @@ detection:
             - '/EWS'
             - 'X-Rps-CAT'
     selection_success:
-        sc-status: 
+        sc-status:
             - 200
             - 301
     condition: selection_auto and selection_uri and selection_success
 falsepositives:
     - Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/others_web/web_iis_tilt_shortname_scan.yml b/src/main/resources/rules/others_web/web_iis_tilt_shortname_scan.yml
index eebef6273..7f2358b40 100644
--- a/src/main/resources/rules/others_web/web_iis_tilt_shortname_scan.yml
+++ b/src/main/resources/rules/others_web/web_iis_tilt_shortname_scan.yml
@@ -27,4 +27,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/others_web/web_solarwinds_supernova_webshell.yml b/src/main/resources/rules/others_web/web_solarwinds_supernova_webshell.yml
index ec43bcd23..4e3434d56 100644
--- a/src/main/resources/rules/others_web/web_solarwinds_supernova_webshell.yml
+++ b/src/main/resources/rules/others_web/web_solarwinds_supernova_webshell.yml
@@ -27,4 +27,4 @@ fields:
     - response
 falsepositives:
     - Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/others_web/web_sonicwall_jarrewrite_exploit.yml b/src/main/resources/rules/others_web/web_sonicwall_jarrewrite_exploit.yml
index b96b9bd73..0b003911c 100644
--- a/src/main/resources/rules/others_web/web_sonicwall_jarrewrite_exploit.yml
+++ b/src/main/resources/rules/others_web/web_sonicwall_jarrewrite_exploit.yml
@@ -14,7 +14,7 @@ logsource:
 detection:
     selection:
         c-uri|contains: '/cgi-bin/jarrewrite.sh'
-        c-useragent|contains: 
+        c-useragent|contains:
             - ':;'
             - '() {'
             - '/bin/bash -c'
diff --git a/src/main/resources/rules/others_web/web_susp_windows_path_uri.yml b/src/main/resources/rules/others_web/web_susp_windows_path_uri.yml
index e21fa6fce..122a29d5a 100644
--- a/src/main/resources/rules/others_web/web_susp_windows_path_uri.yml
+++ b/src/main/resources/rules/others_web/web_susp_windows_path_uri.yml
@@ -25,4 +25,3 @@ tags:
     - attack.persistence
     - attack.exfiltration
     - attack.t1505.003
-
diff --git a/src/main/resources/rules/others_web/web_unc2546_dewmode_php_webshell.yml b/src/main/resources/rules/others_web/web_unc2546_dewmode_php_webshell.yml
index 3904369b9..47992070c 100644
--- a/src/main/resources/rules/others_web/web_unc2546_dewmode_php_webshell.yml
+++ b/src/main/resources/rules/others_web/web_unc2546_dewmode_php_webshell.yml
@@ -28,4 +28,4 @@ fields:
     - response
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/rule_categories.json b/src/main/resources/rules/rule_categories.json
index 25ddee7d8..9b7b9c36b 100644
--- a/src/main/resources/rules/rule_categories.json
+++ b/src/main/resources/rules/rule_categories.json
@@ -57,4 +57,4 @@
       "display_name": "VpcFlow logs"
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/src/main/resources/rules/test_windows/dns_query_win_regsvr32_network_activity.yml b/src/main/resources/rules/test_windows/dns_query_win_regsvr32_network_activity.yml
index c812ab379..49ae2ab56 100644
--- a/src/main/resources/rules/test_windows/dns_query_win_regsvr32_network_activity.yml
+++ b/src/main/resources/rules/test_windows/dns_query_win_regsvr32_network_activity.yml
@@ -32,4 +32,4 @@ fields:
     - DestinationPort
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/test_windows/net_connection_win_regsvr32_network_activity.yml b/src/main/resources/rules/test_windows/net_connection_win_regsvr32_network_activity.yml
index 908fda8a4..cbef59a86 100644
--- a/src/main/resources/rules/test_windows/net_connection_win_regsvr32_network_activity.yml
+++ b/src/main/resources/rules/test_windows/net_connection_win_regsvr32_network_activity.yml
@@ -29,4 +29,4 @@ tags:
     - attack.execution
     - attack.t1559.001
     - attack.defense_evasion
-    - attack.t1218.010
\ No newline at end of file
+    - attack.t1218.010
diff --git a/src/main/resources/rules/test_windows/proc_creation_win_susp_regsvr32_no_dll.yml b/src/main/resources/rules/test_windows/proc_creation_win_susp_regsvr32_no_dll.yml
index 6207cc6ec..e29832568 100644
--- a/src/main/resources/rules/test_windows/proc_creation_win_susp_regsvr32_no_dll.yml
+++ b/src/main/resources/rules/test_windows/proc_creation_win_susp_regsvr32_no_dll.yml
@@ -18,7 +18,7 @@ detection:
     selection:
         Image|endswith: '\regsvr32.exe'
     filter:
-        CommandLine|contains: 
+        CommandLine|contains:
             - '.dll'
             - '.ocx'
             - '.cpl'
diff --git a/src/main/resources/rules/test_windows/win_sample_rule.yml b/src/main/resources/rules/test_windows/win_sample_rule.yml
index 141c58b32..b55e9c9b7 100644
--- a/src/main/resources/rules/test_windows/win_sample_rule.yml
+++ b/src/main/resources/rules/test_windows/win_sample_rule.yml
@@ -21,4 +21,4 @@ detection:
     HostName|startswith: 'EC2AMAZ'
   condition: selection
 falsepositives:
-  - Unknown
\ No newline at end of file
+  - Unknown
diff --git a/src/main/resources/rules/windows/builtin/application/win_audit_cve.yml b/src/main/resources/rules/windows/builtin/application/win_audit_cve.yml
index acb6c0672..611690797 100644
--- a/src/main/resources/rules/windows/builtin/application/win_audit_cve.yml
+++ b/src/main/resources/rules/windows/builtin/application/win_audit_cve.yml
@@ -34,4 +34,3 @@ detection:
 falsepositives:
     - Unknown
 level: critical
-
diff --git a/src/main/resources/rules/windows/builtin/application/win_builtin_remove_application.yml b/src/main/resources/rules/windows/builtin/application/win_builtin_remove_application.yml
index 3209074b4..6f99ba7ac 100644
--- a/src/main/resources/rules/windows/builtin/application/win_builtin_remove_application.yml
+++ b/src/main/resources/rules/windows/builtin/application/win_builtin_remove_application.yml
@@ -19,4 +19,4 @@ falsepositives:
 level: low
 tags:
     - attack.impact
-    - attack.t1489 
+    - attack.t1489
diff --git a/src/main/resources/rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml b/src/main/resources/rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml
index 5c38131a1..546a1025e 100644
--- a/src/main/resources/rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml
+++ b/src/main/resources/rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml
@@ -2,15 +2,15 @@ title: Atera Agent Installation
 id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
 status: experimental
 description: Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
-references: 
+references:
   - https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
 date: 2021/09/01
 modified: 2021/10/13
 author: Bhabesh Raj
 level: high
-logsource:                     
-    service: application  
-    product: windows 
+logsource:
+    service: application
+    product: windows
 tags:
     - attack.t1219
 detection:
diff --git a/src/main/resources/rules/windows/builtin/application/win_vul_cve_2020_0688.yml b/src/main/resources/rules/windows/builtin/application/win_vul_cve_2020_0688.yml
index 679f144f8..4cb0310d2 100644
--- a/src/main/resources/rules/windows/builtin/application/win_vul_cve_2020_0688.yml
+++ b/src/main/resources/rules/windows/builtin/application/win_vul_cve_2020_0688.yml
@@ -1,7 +1,7 @@
 title: CVE-2020-0688 Exploitation via Eventlog
 id: d6266bf5-935e-4661-b477-78772735a7cb
 status: experimental
-description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688 
+description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
 references:
     - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
     - https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
diff --git a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml
index 4379c3a40..a9e423769 100644
--- a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml
+++ b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
     selection:
         EventID: 16403
-        RemoteName|contains: 
+        RemoteName|contains:
             - 'raw.githubusercontent.com'
             - 'gist.githubusercontent.com'
             - 'pastebin.com'
diff --git a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_local_file.yml b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_local_file.yml
index bab6511bd..8e699ef1c 100644
--- a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_local_file.yml
+++ b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_local_file.yml
@@ -26,9 +26,9 @@ detection:
         RemoteName|contains: '.com'
     condition: selection and not filter
 falsepositives:
-    - Administrator PowerShell scripts 
+    - Administrator PowerShell scripts
 level: medium
 tags:
     - attack.defense_evasion
     - attack.persistence
-    - attack.t1197
\ No newline at end of file
+    - attack.t1197
diff --git a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml
index 662ef1a86..443a3a906 100644
--- a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml
+++ b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml
@@ -20,9 +20,9 @@ detection:
             - '\Desktop\'
     condition: selection
 falsepositives:
-    - Administrator PowerShell scripts 
+    - Administrator PowerShell scripts
 level: high
 tags:
     - attack.defense_evasion
     - attack.persistence
-    - attack.t1197
\ No newline at end of file
+    - attack.t1197
diff --git a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_powershell_job.yml b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_powershell_job.yml
index 6a9c27b1b..b9155cce9 100644
--- a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_powershell_job.yml
+++ b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_powershell_job.yml
@@ -17,9 +17,9 @@ detection:
         processPath|endswith: '\powershell.exe'
     condition: selection
 falsepositives:
-    - Administrator PowerShell scripts 
+    - Administrator PowerShell scripts
 level: low
 tags:
     - attack.defense_evasion
     - attack.persistence
-    - attack.t1197
\ No newline at end of file
+    - attack.t1197
diff --git a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_use_bitsadmin.yml b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_use_bitsadmin.yml
index 1ccb2af71..bb6cd9ce7 100644
--- a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_use_bitsadmin.yml
+++ b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_use_bitsadmin.yml
@@ -17,9 +17,9 @@ detection:
         processPath|endswith: '\bitsadmin.exe'
     condition: selection
 falsepositives:
-    - Administrator PowerShell scripts 
+    - Administrator PowerShell scripts
 level: low
 tags:
     - attack.defense_evasion
     - attack.persistence
-    - attack.t1197
\ No newline at end of file
+    - attack.t1197
diff --git a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml
index b8da1a08b..5b158ed1e 100644
--- a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml
+++ b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml
@@ -15,7 +15,7 @@ detection:
     selection:
         EventID: 16403
     filter:
-        RemoteName|contains: 
+        RemoteName|contains:
             - '.com'
             - '.azureedge.net'
             - '.sfx.ms'
diff --git a/src/main/resources/rules/windows/builtin/code_integrity/win_codeintegrity_failed_driver_load.yml b/src/main/resources/rules/windows/builtin/code_integrity/win_codeintegrity_failed_driver_load.yml
index 69d0d3b0f..e45571159 100644
--- a/src/main/resources/rules/windows/builtin/code_integrity/win_codeintegrity_failed_driver_load.yml
+++ b/src/main/resources/rules/windows/builtin/code_integrity/win_codeintegrity_failed_driver_load.yml
@@ -17,4 +17,4 @@ detection:
     condition: keywords
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/builtin/dns_server/win_apt_gallium.yml b/src/main/resources/rules/windows/builtin/dns_server/win_apt_gallium.yml
index cc1c0ca84..b17cd3797 100644
--- a/src/main/resources/rules/windows/builtin/dns_server/win_apt_gallium.yml
+++ b/src/main/resources/rules/windows/builtin/dns_server/win_apt_gallium.yml
@@ -21,7 +21,7 @@ logsource:
 detection:
     selection:
         EventID: 257
-        QNAME: 
+        QNAME:
             - 'asyspy256.ddns.net'
             - 'hotkillmail9sddcc.ddns.net'
             - 'rosaf112.ddns.net'
@@ -32,4 +32,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml b/src/main/resources/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
index c7d8834e1..a85be1a4d 100644
--- a/src/main/resources/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
+++ b/src/main/resources/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
@@ -13,7 +13,7 @@ logsource:
 # EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2
 detection:
     selection:
-        EventID: 
+        EventID:
             - 2002  # A Windows Firewall setting has changed.
             - 2003  # A Windows Firewall setting in the %1 profile has changed.
             - 2008  # Windows Firewall Group Policy settings have changed. The new settings have been applied
diff --git a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml
index baaab06e8..d5014c88f 100644
--- a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml
+++ b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml
@@ -11,7 +11,7 @@ logsource:
     service: msexchange-management
 detection:
     selection:
-        EventID: 
+        EventID:
             - 6
             - 8
     keywords:
@@ -23,4 +23,4 @@ falsepositives:
 level: high
 tags:
     - attack.lateral_movement
-    - attack.t1210
\ No newline at end of file
+    - attack.t1210
diff --git a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
index 138d45dcd..14cbf6759 100644
--- a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
+++ b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
@@ -24,4 +24,4 @@ falsepositives:
 level: critical
 tags:
     - attack.t1587.001
-    - attack.resource_development
\ No newline at end of file
+    - attack.resource_development
diff --git a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
index 4155f0add..d3d5c4b72 100644
--- a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
+++ b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
@@ -7,11 +7,11 @@ references:
 author: Florian Roth, Rich Warren, Christian Burkard
 date: 2021/08/09
 modified: 2022/02/01
-logsource:        
+logsource:
     service: msexchange-management
     product: windows
 detection:
-    export_command: 
+    export_command:
         - 'New-MailboxExportRequest'
         - ' -Mailbox '
     export_params:
@@ -27,5 +27,5 @@ falsepositives:
     - Unlikely
 level: critical
 tags:
-    - attack.persistence  
-    - attack.t1505.003  
+    - attack.persistence
+    - attack.t1505.003
diff --git a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
index 663155d08..870647eeb 100644
--- a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
+++ b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
@@ -6,11 +6,11 @@ references:
     - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
 author: Christian Burkard
 date: 2021/08/27
-logsource:        
+logsource:
     service: msexchange-management
     product: windows
 detection:
-    command: 
+    command:
         - 'Remove-MailboxExportRequest'
         - ' -Identity '
         - ' -Confirm "False"'
diff --git a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_transportagent.yml b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_transportagent.yml
index 6eca37cc7..ab0112399 100644
--- a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_transportagent.yml
+++ b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_transportagent.yml
@@ -8,9 +8,9 @@ description: Detects the Installation of a Exchange Transport Agent
 references:
     - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
 tags:
-    - attack.persistence  
-    - attack.t1505.002    
-author: Tobias Michalski  
+    - attack.persistence
+    - attack.t1505.002
+author: Tobias Michalski
 date: 2021/06/08
 modified: 2021/09/19
 logsource:
@@ -24,4 +24,4 @@ fields:
     - AssemblyPath
 falsepositives:
     - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml
index faad6e0f5..8024b0ca3 100644
--- a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml
+++ b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml
@@ -5,16 +5,16 @@ description: Detects a failed installation of a Exchange Transport Agent
 references:
     - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
 tags:
-    - attack.persistence  
-    - attack.t1505.002    
-author: Tobias Michalski  
-date: 2021/06/08  
-logsource:        
+    - attack.persistence
+    - attack.t1505.002
+author: Tobias Michalski
+date: 2021/06/08
+logsource:
     service: msexchange-management
     product: windows
 detection:
     selection:
-        EventID: 6 
+        EventID: 6
     keywords:
         - 'Install-TransportAgent'
     condition: selection and keywords
diff --git a/src/main/resources/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml b/src/main/resources/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml
index 93459eaac..f770f9afd 100644
--- a/src/main/resources/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml
+++ b/src/main/resources/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml
@@ -28,5 +28,5 @@ detection:
             - 'Windows2019'
     condition: selection and devicename
 falsepositives:
-    - Systems with names equal to the spoofed ones used by the brute force tools 
+    - Systems with names equal to the spoofed ones used by the brute force tools
 level: medium
diff --git a/src/main/resources/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml b/src/main/resources/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml
index 53898222e..60f4c658a 100644
--- a/src/main/resources/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml
+++ b/src/main/resources/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml
@@ -12,7 +12,7 @@ date: 2021/06/30
 modified: 2022/06/22
 tags:
     - attack.execution
-    - attack.t1569    
+    - attack.t1569
     - cve.2021.1675
 logsource:
     product: windows
diff --git a/src/main/resources/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml b/src/main/resources/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
index 5564f0358..3a0286b03 100644
--- a/src/main/resources/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
+++ b/src/main/resources/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
@@ -16,7 +16,7 @@ logsource:
 detection:
     selection:
         EventID: '316'
-    keywords: 
+    keywords:
         - 'UNIDRV.DLL, kernelbase.dll, '
         - ' 123 '
         - ' 1234 '
diff --git a/src/main/resources/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml b/src/main/resources/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml
index 9218d3288..822abaa5d 100644
--- a/src/main/resources/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml
@@ -19,7 +19,7 @@ detection:
     selection:
         EventID: 5136
         AttributeLDAPDisplayName: 'ntSecurityDescriptor'
-        AttributeValue|contains: 
+        AttributeValue|contains:
          - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
          - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
          - '89e95b76-444d-4c62-991a-0facbeda640c'
diff --git a/src/main/resources/rules/windows/builtin/security/win_ad_user_enumeration.yml b/src/main/resources/rules/windows/builtin/security/win_ad_user_enumeration.yml
index 37a865e95..4715c923e 100644
--- a/src/main/resources/rules/windows/builtin/security/win_ad_user_enumeration.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_ad_user_enumeration.yml
@@ -19,7 +19,7 @@ logsource:
 detection:
     selection:
         EventID: 4662
-        ObjectType|contains: 'bf967aba-0de6-11d0-a285-00aa003049e2' 
+        ObjectType|contains: 'bf967aba-0de6-11d0-a285-00aa003049e2'
         # Using contains as the data commonly is structured as "%{bf967aba-0de6-11d0-a285-00aa003049e2}"
         # The user class (https://docs.microsoft.com/en-us/windows/win32/adschema/c-user)
     filter:
diff --git a/src/main/resources/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability.yml b/src/main/resources/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability.yml
index e0ebcca25..4af69d83e 100644
--- a/src/main/resources/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability.yml
@@ -20,7 +20,7 @@ detection:
     selection2:
         EventID: 4899
         NewTemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'
-    condition: selection1 or selection2 
+    condition: selection1 or selection2
 falsepositives:
     - Administrator activity
     - Proxy SSL certificate with subject modification
diff --git a/src/main/resources/rules/windows/builtin/security/win_alert_ad_user_backdoors.yml b/src/main/resources/rules/windows/builtin/security/win_alert_ad_user_backdoors.yml
index cf19a17c0..16663c185 100644
--- a/src/main/resources/rules/windows/builtin/security/win_alert_ad_user_backdoors.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_alert_ad_user_backdoors.yml
@@ -18,7 +18,7 @@ detection:
     EventID: 4738
   filter_null:
     - AllowedToDelegateTo: '-'
-    - AllowedToDelegateTo: 
+    - AllowedToDelegateTo:
   selection_5136_1:
     EventID: 5136
     AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
diff --git a/src/main/resources/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml b/src/main/resources/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml
index 5843d6bf9..2701b413f 100644
--- a/src/main/resources/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml
@@ -32,4 +32,4 @@ detection:
     condition: selection_service
 falsepositives:
     - Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/windows/builtin/security/win_apt_slingshot.yml b/src/main/resources/rules/windows/builtin/security/win_apt_slingshot.yml
index 4345b4aa2..9bfa8a128 100644
--- a/src/main/resources/rules/windows/builtin/security/win_apt_slingshot.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_apt_slingshot.yml
@@ -25,4 +25,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/builtin/security/win_apt_wocao.yml b/src/main/resources/rules/windows/builtin/security/win_apt_wocao.yml
index 8dcb9b26c..875dbf2dc 100644
--- a/src/main/resources/rules/windows/builtin/security/win_apt_wocao.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_apt_wocao.yml
@@ -7,7 +7,7 @@ references:
     - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
     - https://twitter.com/SBousseaden/status/1207671369963646976
 tags:
-    - attack.discovery 
+    - attack.discovery
     - attack.t1012
     - attack.defense_evasion
     - attack.t1036.004
@@ -28,4 +28,4 @@ detection:
     condition: selection
 falsepositives:
     - Administrators that use checkadmin.exe tool to enumerate local administrators
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/builtin/security/win_dcsync.yml b/src/main/resources/rules/windows/builtin/security/win_dcsync.yml
index 4bc9b53db..ebc1a76a5 100644
--- a/src/main/resources/rules/windows/builtin/security/win_dcsync.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_dcsync.yml
@@ -40,4 +40,3 @@ falsepositives:
     - Valid DC Sync that is not covered by the filters; please report
     - Local Domain Admin account used for Azure AD Connect
 level: high
-
diff --git a/src/main/resources/rules/windows/builtin/security/win_disable_event_logging.yml b/src/main/resources/rules/windows/builtin/security/win_disable_event_logging.yml
index 1975bc806..1ad62692c 100644
--- a/src/main/resources/rules/windows/builtin/security/win_disable_event_logging.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_disable_event_logging.yml
@@ -16,7 +16,7 @@ detection:
     EventID: 4719
     AuditPolicyChanges|contains:
       - '%%8448'       # This is "Success removed"
-      - '%%8450'       # This is "Failure removed" 
+      - '%%8450'       # This is "Failure removed"
   condition: selection
 falsepositives:
   - Unknown
diff --git a/src/main/resources/rules/windows/builtin/security/win_event_log_cleared.yml b/src/main/resources/rules/windows/builtin/security/win_event_log_cleared.yml
index 3bb242439..cabe56531 100644
--- a/src/main/resources/rules/windows/builtin/security/win_event_log_cleared.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_event_log_cleared.yml
@@ -2,15 +2,15 @@ title: Security Event Log Cleared
 id: a122ac13-daf8-4175-83a2-72c387be339d
 status: experimental
 description: Checks for event id 1102 which indicates the security event log was cleared.
-references: 
+references:
   - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml
 date: 2021/08/15
 modified: 2021/10/13
 author: Saw Winn Naung
 level: medium
-logsource:                     
-    service: security  
-    product: windows 
+logsource:
+    service: security
+    product: windows
 tags:
     - attack.t1070.001
 detection:
diff --git a/src/main/resources/rules/windows/builtin/security/win_external_device.yml b/src/main/resources/rules/windows/builtin/security/win_external_device.yml
index 9a64bb7af..46ca97b77 100644
--- a/src/main/resources/rules/windows/builtin/security/win_external_device.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_external_device.yml
@@ -16,10 +16,10 @@ logsource:
 detection:
     selection:
         EventID: 6416
-        ClassName: 'DiskDrive'  
+        ClassName: 'DiskDrive'
     selection2:
         DeviceDescription: 'USB Mass Storage Device'
     condition: selection or selection2
-falsepositives: 
+falsepositives:
     - Legitimate administrative activity
 level: low
diff --git a/src/main/resources/rules/windows/builtin/security/win_global_catalog_enumeration.yml b/src/main/resources/rules/windows/builtin/security/win_global_catalog_enumeration.yml
index 5c968fb9d..c642fd20c 100644
--- a/src/main/resources/rules/windows/builtin/security/win_global_catalog_enumeration.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_global_catalog_enumeration.yml
@@ -1,4 +1,4 @@
-title: Enumeration via the Global Catalog 
+title: Enumeration via the Global Catalog
 description: Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain width.
 status: experimental
 author: Chakib Gzenayi (@Chak092), Hosni Mribah
diff --git a/src/main/resources/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml b/src/main/resources/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml
index 7b2b0166d..4920ba035 100644
--- a/src/main/resources/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml
@@ -7,7 +7,7 @@ modified: 2021/08/09
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.persistence
-    - attack.t1554 
+    - attack.t1554
 references:
     - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 logsource:
@@ -17,7 +17,7 @@ detection:
     selection:
         EventID: 4697
         ServiceName: HybridConnectionManager
-        ServiceFileName|contains: HybridConnectionManager 
+        ServiceFileName|contains: HybridConnectionManager
     condition: selection
 falsepositives:
     - Legitimate use of Hybrid Connection Manager via Azure function apps.
diff --git a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml
index 332f8a4c0..86a21a0c1 100644
--- a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml
@@ -23,11 +23,11 @@ detection:
     selection:
         Provider_Name: 'Microsoft-Windows-Security-Auditing'
         EventID: 4697
-        ServiceFileName|contains|all: 
+        ServiceFileName|contains|all:
            - 'cmd'
            - '&&'
            - 'clipboard]::'
-    condition: selection 
+    condition: selection
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml
index 14b5f86e4..28ae08952 100644
--- a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml
@@ -4,7 +4,7 @@ related:
     - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
       type: derived
 description: 'Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references'
-references: 
+references:
     - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
 status: experimental
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
@@ -30,4 +30,4 @@ detection:
     condition: selection and selection_1
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml
index 028da309b..d3d88f0ba 100644
--- a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml
@@ -21,7 +21,7 @@ logsource:
 detection:
     selection:
         EventID: 4697
-        ServiceFileName|contains|all: 
+        ServiceFileName|contains|all:
             - 'cmd'
             - 'powershell'
     selection2:
diff --git a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml
index 08bb35cb3..ece0cd7e4 100644
--- a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml
@@ -26,4 +26,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-
diff --git a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml
index cb53ad051..97c7eb609 100644
--- a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml
@@ -2,7 +2,7 @@ title: Invoke-Obfuscation COMPRESS OBFUSCATION
 id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
 related:
     - id: 175997c5-803c-4b08-8bb0-70b099f47595
-      type: derived  
+      type: derived
 description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 status: experimental
 author: Timur Zinniatullin, oscd.community
@@ -20,8 +20,8 @@ logsource:
     service: security
 detection:
     selection:
-        EventID: 4697 
-        ServiceFileName|contains|all: 
+        EventID: 4697
+        ServiceFileName|contains|all:
             - 'new-object'
             - 'text.encoding]::ascii'
             - 'readtoend'
diff --git a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml
index b4d6ee2fd..37d24774a 100644
--- a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml
@@ -20,7 +20,7 @@ logsource:
     service: security
 detection:
     selection:
-        EventID: 4697 
+        EventID: 4697
         ServiceFileName|contains|all:
             - 'rundll32.exe'
             - 'shell32.dll'
diff --git a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml
index e539fc6af..bbe1c468b 100644
--- a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml
@@ -21,7 +21,7 @@ logsource:
 detection:
     selection:
         EventID: 4697
-        ServiceFileName|contains|all: 
+        ServiceFileName|contains|all:
             - 'set'
             - '&&'
         ServiceFileName|contains:
diff --git a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml
index 302f7f1eb..b99780d7a 100644
--- a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml
@@ -26,5 +26,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-
-
diff --git a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml
index 4e451e116..22ec368bb 100644
--- a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml
@@ -21,7 +21,7 @@ logsource:
 detection:
     selection:
         EventID: 4697
-        ServiceFileName|contains|all: 
+        ServiceFileName|contains|all:
             - 'mshta'
             - 'vbscript:createobject'
             - '.run'
diff --git a/src/main/resources/rules/windows/builtin/security/win_iso_mount.yml b/src/main/resources/rules/windows/builtin/security/win_iso_mount.yml
index 1e9b3836f..e548fe058 100644
--- a/src/main/resources/rules/windows/builtin/security/win_iso_mount.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_iso_mount.yml
@@ -5,7 +5,7 @@ status: experimental
 date: 2021/05/29
 modified: 2021/11/20
 author: Syed Hasan (@syedhasan009)
-references: 
+references:
     - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
     - https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
     - https://twitter.com/MsftSecIntel/status/1257324139515269121
@@ -17,7 +17,7 @@ logsource:
     service: security
     definition: 'The advanced audit policy setting "Object Access > Audit Removable Storage" must be configured for Success/Failure'
 detection:
-    selection: 
+    selection:
         EventID: 4663
         ObjectServer: 'Security'
         ObjectType: 'File'
diff --git a/src/main/resources/rules/windows/builtin/security/win_lsass_access_non_system_account.yml b/src/main/resources/rules/windows/builtin/security/win_lsass_access_non_system_account.yml
index 4db2ccc9e..54bf1cb41 100644
--- a/src/main/resources/rules/windows/builtin/security/win_lsass_access_non_system_account.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_lsass_access_non_system_account.yml
@@ -50,7 +50,7 @@ detection:
     filter1:
         SubjectUserName|endswith: '$'
     filter2:
-        ProcessName|startswith: 'C:\Program Files'  # too many false positives with legitimate AV and EDR solutions    
+        ProcessName|startswith: 'C:\Program Files'  # too many false positives with legitimate AV and EDR solutions
     condition: selection and not 1 of filter*
 fields:
     - ComputerName
diff --git a/src/main/resources/rules/windows/builtin/security/win_metasploit_authentication.yml b/src/main/resources/rules/windows/builtin/security/win_metasploit_authentication.yml
index 2addf4d35..431cea87c 100644
--- a/src/main/resources/rules/windows/builtin/security/win_metasploit_authentication.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_metasploit_authentication.yml
@@ -5,7 +5,7 @@ id: 72124974-a68b-4366-b990-d30e0b2a190d
 author: Chakib Gzenayi (@Chak092), Hosni Mribah
 date: 2020/05/06
 modified: 2021/07/07
-references: 
+references:
     - https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb
 tags:
     - attack.lateral_movement
diff --git a/src/main/resources/rules/windows/builtin/security/win_net_ntlm_downgrade.yml b/src/main/resources/rules/windows/builtin/security/win_net_ntlm_downgrade.yml
index 59519734f..74873dccf 100644
--- a/src/main/resources/rules/windows/builtin/security/win_net_ntlm_downgrade.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_net_ntlm_downgrade.yml
@@ -22,11 +22,11 @@ logsource:
 detection:
     selection:
         EventID: 4657
-        ObjectName|contains|all: 
+        ObjectName|contains|all:
             - '\REGISTRY\MACHINE\SYSTEM'
             - 'ControlSet'
             - '\Control\Lsa'
-        ObjectValueName: 
+        ObjectValueName:
             - 'LmCompatibilityLevel'
             - 'NtlmMinClientSec'
             - 'RestrictSendingNTLMTraffic'
diff --git a/src/main/resources/rules/windows/builtin/security/win_scheduled_task_deletion.yml b/src/main/resources/rules/windows/builtin/security/win_scheduled_task_deletion.yml
index f423f4a6e..7359fb944 100644
--- a/src/main/resources/rules/windows/builtin/security/win_scheduled_task_deletion.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_scheduled_task_deletion.yml
@@ -1,5 +1,5 @@
 title: Scheduled Task Deletion
-id: 4f86b304-3e02-40e3-aa5d-e88a167c9617 
+id: 4f86b304-3e02-40e3-aa5d-e88a167c9617
 description: Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME
 status: experimental
 author: David Strassegger, Tim Shelton
diff --git a/src/main/resources/rules/windows/builtin/security/win_scm_database_handle_failure.yml b/src/main/resources/rules/windows/builtin/security/win_scm_database_handle_failure.yml
index 8c4b4c652..6bb3dd362 100644
--- a/src/main/resources/rules/windows/builtin/security/win_scm_database_handle_failure.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_scm_database_handle_failure.yml
@@ -14,7 +14,7 @@ logsource:
     product: windows
     service: security
 detection:
-    selection: 
+    selection:
         EventID: 4656
         ObjectType: 'SC_MANAGER OBJECT'
         ObjectName: 'ServicesActive'
diff --git a/src/main/resources/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml b/src/main/resources/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
index fde145255..12fd99c0d 100644
--- a/src/main/resources/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
@@ -15,7 +15,7 @@ modified: 2021/09/21
 tags:
     - attack.execution
     - attack.privilege_escalation
-    - attack.lateral_movement 
+    - attack.lateral_movement
     - attack.t1021.002
     - attack.t1543.003
     - attack.t1569.002
@@ -26,11 +26,11 @@ detection:
     event_id:
         EventID: 4697
     selection1:
-        ServiceFileName|contains|all: 
+        ServiceFileName|contains|all:
             - 'ADMIN$'
             - '.exe'
     selection2:
-        ServiceFileName|contains|all: 
+        ServiceFileName|contains|all:
             - '%COMSPEC%'
             - 'start'
             - 'powershell'
@@ -41,4 +41,4 @@ detection:
     condition: event_id and 1 of selection*
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/builtin/security/win_security_mal_creddumper.yml b/src/main/resources/rules/windows/builtin/security/win_security_mal_creddumper.yml
index ca29a8a52..95f66cdf8 100644
--- a/src/main/resources/rules/windows/builtin/security/win_security_mal_creddumper.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_security_mal_creddumper.yml
@@ -37,4 +37,4 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate Administrator using credential dumping tool for password recovery
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/builtin/security/win_security_mal_service_installs.yml b/src/main/resources/rules/windows/builtin/security/win_security_mal_service_installs.yml
index e1025f86f..0ba86a667 100644
--- a/src/main/resources/rules/windows/builtin/security/win_security_mal_service_installs.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_security_mal_service_installs.yml
@@ -30,4 +30,4 @@ detection:
     condition: selection and 1 of malsvc_*
 falsepositives:
     - Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/src/main/resources/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
index dc3f59989..dfcd1fd8e 100644
--- a/src/main/resources/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
@@ -37,4 +37,4 @@ fields:
     - ServiceFileName
 falsepositives:
     - Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/src/main/resources/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
index aa946c489..513322d52 100644
--- a/src/main/resources/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
@@ -53,4 +53,4 @@ fields:
     - ServiceFileName
 falsepositives:
     - Highly unlikely
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml b/src/main/resources/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml
index 9d561344f..7e6a20112 100644
--- a/src/main/resources/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml
@@ -19,10 +19,10 @@ logsource:
 detection:
     selection:
         EventID: 4697
-        ServiceFileName|contains: 
+        ServiceFileName|contains:
           - 'powershell'
           - 'pwsh'
     condition: selection
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/builtin/security/win_security_tap_driver_installation.yml b/src/main/resources/rules/windows/builtin/security/win_security_tap_driver_installation.yml
index 93f211542..32f87fdbe 100644
--- a/src/main/resources/rules/windows/builtin/security/win_security_tap_driver_installation.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_security_tap_driver_installation.yml
@@ -21,4 +21,4 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate OpenVPN TAP insntallation
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/builtin/security/win_security_wmi_persistence.yml b/src/main/resources/rules/windows/builtin/security/win_security_wmi_persistence.yml
index 8df4d41a1..75140c58b 100644
--- a/src/main/resources/rules/windows/builtin/security/win_security_wmi_persistence.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_security_wmi_persistence.yml
@@ -26,4 +26,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown (data set is too small; further testing needed)
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/builtin/security/win_susp_failed_logon_source.yml b/src/main/resources/rules/windows/builtin/security/win_susp_failed_logon_source.yml
index 798435a98..ab1b0f3cb 100644
--- a/src/main/resources/rules/windows/builtin/security/win_susp_failed_logon_source.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_susp_failed_logon_source.yml
@@ -36,7 +36,7 @@ detection:
       - '127.'       #127.0.0.0/8
       - '169.254.'       #169.254.0.0/16
   ip_privatev6:
-    - IpAddress: '::1'     #loopback 
+    - IpAddress: '::1'     #loopback
     - IpAddress|startswith:
       - 'fe80::'       #link-local
       - 'fc00::'       #unique local
diff --git a/src/main/resources/rules/windows/builtin/security/win_susp_failed_logons_single_source.yml b/src/main/resources/rules/windows/builtin/security/win_susp_failed_logons_single_source.yml
index 29578f6bb..a2b8fa74f 100644
--- a/src/main/resources/rules/windows/builtin/security/win_susp_failed_logons_single_source.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_susp_failed_logons_single_source.yml
@@ -25,4 +25,4 @@ falsepositives:
     - Jump servers
     - Other multiuser systems like Citrix server farms
     - Workstations with frequently changing users
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/builtin/security/win_susp_failed_logons_single_source2.yml b/src/main/resources/rules/windows/builtin/security/win_susp_failed_logons_single_source2.yml
index 22c6a9b92..710840fc0 100644
--- a/src/main/resources/rules/windows/builtin/security/win_susp_failed_logons_single_source2.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_susp_failed_logons_single_source2.yml
@@ -27,4 +27,4 @@ falsepositives:
     - Jump servers
     - Other multiuser systems like Citrix server farms
     - Workstations with frequently changing users
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml b/src/main/resources/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml
index d44cab80b..52b30afca 100644
--- a/src/main/resources/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml
@@ -17,7 +17,7 @@ logsource:
 detection:
     selection:
         EventID: 4720
-        SamAccountName|contains|all: 
+        SamAccountName|contains|all:
             - 'ANONYMOUS'
             - 'LOGON'
     condition: selection
diff --git a/src/main/resources/rules/windows/builtin/security/win_vssaudit_secevent_source_registration.yml b/src/main/resources/rules/windows/builtin/security/win_vssaudit_secevent_source_registration.yml
index fe7574613..d4b6dcfab 100644
--- a/src/main/resources/rules/windows/builtin/security/win_vssaudit_secevent_source_registration.yml
+++ b/src/main/resources/rules/windows/builtin/security/win_vssaudit_secevent_source_registration.yml
@@ -17,10 +17,10 @@ detection:
     selection:
         Provider_Name: Microsoft-Windows-Security-Auditing
         AuditSourceName: VSSAudit
-        EventID: 
+        EventID:
             - 4904
             - 4905
     condition: selection
 falsepositives:
     - Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\Windows\System32\VSSVC.exe.
-level: informational
\ No newline at end of file
+level: informational
diff --git a/src/main/resources/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml b/src/main/resources/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml
index 12ed9a6da..2115aca14 100644
--- a/src/main/resources/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml
+++ b/src/main/resources/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml
@@ -6,7 +6,7 @@ date: 2021/04/12
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.persistence
-    - attack.t1554 
+    - attack.t1554
 references:
     - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 logsource:
diff --git a/src/main/resources/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml b/src/main/resources/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml
index 7a6fae07e..37c88c60a 100644
--- a/src/main/resources/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml
+++ b/src/main/resources/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml
@@ -27,4 +27,4 @@ falsepositives:
     - Account fallback reasons (after failed login with specific account)
 tags:
     - attack.credential_access
-    - attack.t1110.001
\ No newline at end of file
+    - attack.t1110.001
diff --git a/src/main/resources/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml b/src/main/resources/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml
index d196830fe..b3a58abc0 100644
--- a/src/main/resources/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml
@@ -30,4 +30,4 @@ detection:
     condition: selection_service
 falsepositives:
     - Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/windows/builtin/system/win_cobaltstrike_service_installs.yml b/src/main/resources/rules/windows/builtin/system/win_cobaltstrike_service_installs.yml
index 7e7a6f2a7..c977f6bc6 100644
--- a/src/main/resources/rules/windows/builtin/system/win_cobaltstrike_service_installs.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_cobaltstrike_service_installs.yml
@@ -12,7 +12,7 @@ modified: 2021/09/30
 tags:
     - attack.execution
     - attack.privilege_escalation
-    - attack.lateral_movement 
+    - attack.lateral_movement
     - attack.t1021.002
     - attack.t1543.003
     - attack.t1569.002
@@ -24,11 +24,11 @@ detection:
         Provider_Name: 'Service Control Manager'
         EventID: 7045
     selection1:
-        ImagePath|contains|all: 
+        ImagePath|contains|all:
             - 'ADMIN$'
             - '.exe'
     selection2:
-        ImagePath|contains|all: 
+        ImagePath|contains|all:
             - '%COMSPEC%'
             - 'start'
             - 'powershell'
@@ -39,4 +39,4 @@ detection:
     condition: selection_id and (selection1 or selection2 or selection3 or selection4)
 falsepositives:
     - Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_clip_services.yml b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_clip_services.yml
index c1651e417..366f76087 100644
--- a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_clip_services.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_clip_services.yml
@@ -26,4 +26,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml
index 54c521f46..37fa23d87 100644
--- a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml
@@ -27,4 +27,4 @@ detection:
     condition: selection and selection_1
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_stdin_services.yml b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_stdin_services.yml
index 2d94cee7b..6a3304222 100644
--- a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_stdin_services.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_stdin_services.yml
@@ -20,7 +20,7 @@ detection:
         Provider_Name: 'Service Control Manager'
         EventID: 7045
         ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
-    condition: selection 
+    condition: selection
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_var_services.yml b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_var_services.yml
index b1a682084..1a7134b55 100644
--- a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_var_services.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_var_services.yml
@@ -23,4 +23,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
index 3c43072d9..d352618cf 100644
--- a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
@@ -21,7 +21,7 @@ detection:
             - 'new-object'
             - 'text.encoding]::ascii'
             - 'readtoend'
-        ImagePath|contains:    
+        ImagePath|contains:
             - ':system.io.compression.deflatestream'
             - 'system.io.streamreader'
     condition: selection
diff --git a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml
index 1120cebf7..a9f2ec4db 100644
--- a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml
@@ -14,7 +14,7 @@ detection:
     selection:
         Provider_Name: 'Service Control Manager'
         EventID: 7045
-        ImagePath|contains|all: 
+        ImagePath|contains|all:
             - 'rundll32.exe'
             - 'shell32.dll'
             - 'shellexec_rundll'
diff --git a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_stdin_services.yml b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_stdin_services.yml
index 8d61dc7af..95d3e028a 100644
--- a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_stdin_services.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_stdin_services.yml
@@ -23,4 +23,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml
index ac4e8e0c7..a2188690e 100644
--- a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml
@@ -23,4 +23,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml
index 22ba3b190..d9654f0c4 100644
--- a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml
@@ -19,7 +19,7 @@ detection:
             - 'rundll32'
             - 'shell32.dll'
             - 'shellexec_rundll'
-        ImagePath|contains:    
+        ImagePath|contains:
             - 'value'
             - 'invoke'
             - 'comspec'
diff --git a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_var_services.yml b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_var_services.yml
index 63960a89c..32bd20a15 100644
--- a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_var_services.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_var_services.yml
@@ -23,4 +23,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/builtin/system/win_mal_creddumper.yml b/src/main/resources/rules/windows/builtin/system/win_mal_creddumper.yml
index fcd6b5124..4da49c9d3 100644
--- a/src/main/resources/rules/windows/builtin/system/win_mal_creddumper.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_mal_creddumper.yml
@@ -35,4 +35,4 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate Administrator using credential dumping tool for password recovery
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/src/main/resources/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index ed7240a58..d6f450247 100644
--- a/src/main/resources/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -52,4 +52,4 @@ fields:
     - ImagePath
 falsepositives:
     - Highly unlikely
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/windows/builtin/system/win_moriya_rootkit.yml b/src/main/resources/rules/windows/builtin/system/win_moriya_rootkit.yml
index d0ac46774..2e76873d4 100644
--- a/src/main/resources/rules/windows/builtin/system/win_moriya_rootkit.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_moriya_rootkit.yml
@@ -22,4 +22,4 @@ detection:
     condition: selection
 level: critical
 falsepositives:
-    - Unknown
\ No newline at end of file
+    - Unknown
diff --git a/src/main/resources/rules/windows/builtin/system/win_ntfs_vuln_exploit.yml b/src/main/resources/rules/windows/builtin/system/win_ntfs_vuln_exploit.yml
index 98d0f2b8d..4fed8d12f 100644
--- a/src/main/resources/rules/windows/builtin/system/win_ntfs_vuln_exploit.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_ntfs_vuln_exploit.yml
@@ -17,7 +17,7 @@ detection:
         Provider_Name: Ntfs
         EventID: 55
         Origin: 'File System Driver'
-        Description|contains|all: 
+        Description|contains|all:
             - 'contains a corrupted file record'
             - 'The name of the file is "\"'
     condition: selection
@@ -25,5 +25,5 @@ falsepositives:
     - Unlikely
 level: high
 tags:
-    - attack.impact 
-    - attack.t1499.001
\ No newline at end of file
+    - attack.impact
+    - attack.t1499.001
diff --git a/src/main/resources/rules/windows/builtin/system/win_powershell_script_installed_as_service.yml b/src/main/resources/rules/windows/builtin/system/win_powershell_script_installed_as_service.yml
index 518019105..f9fabebe0 100644
--- a/src/main/resources/rules/windows/builtin/system/win_powershell_script_installed_as_service.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_powershell_script_installed_as_service.yml
@@ -17,7 +17,7 @@ detection:
     selection:
         Provider_Name: 'Service Control Manager'
         EventID: 7045
-        ImagePath|contains: 
+        ImagePath|contains:
           - 'powershell'
           - 'pwsh'
     condition: selection
diff --git a/src/main/resources/rules/windows/builtin/system/win_sample_rule.yml b/src/main/resources/rules/windows/builtin/system/win_sample_rule.yml
index e0bb61e09..96d8dc2c2 100644
--- a/src/main/resources/rules/windows/builtin/system/win_sample_rule.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_sample_rule.yml
@@ -21,4 +21,4 @@ detection:
     hostname|startswith: 'EC2AMAZ'
   condition: selection
 falsepositives:
-  - Unknown
\ No newline at end of file
+  - Unknown
diff --git a/src/main/resources/rules/windows/builtin/system/win_susp_system_update_error.yml b/src/main/resources/rules/windows/builtin/system/win_susp_system_update_error.yml
index a5ac5e52c..2c8c43cd6 100644
--- a/src/main/resources/rules/windows/builtin/system/win_susp_system_update_error.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_susp_system_update_error.yml
@@ -11,7 +11,7 @@ logsource:
 detection:
   selection:
     Provider_Name: Microsoft-Windows-WindowsUpdateClient
-    EventID: 
+    EventID:
         - 16 # Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule
         - 20 # Installation Failure: Windows failed to install the following update with error
         - 24 # Uninstallation Failure: Windows failed to uninstall the following update with error
diff --git a/src/main/resources/rules/windows/builtin/system/win_system_defender_disabled.yml b/src/main/resources/rules/windows/builtin/system/win_system_defender_disabled.yml
index 8ca595d0a..0e90cb0b9 100644
--- a/src/main/resources/rules/windows/builtin/system/win_system_defender_disabled.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_system_defender_disabled.yml
@@ -29,4 +29,4 @@ detection:
 falsepositives:
     - Administrator actions
     - Auto updates of Windows Defender causes restarts
-level: low
\ No newline at end of file
+level: low
diff --git a/src/main/resources/rules/windows/builtin/system/win_tap_driver_installation.yml b/src/main/resources/rules/windows/builtin/system/win_tap_driver_installation.yml
index 5dafe8ebd..22d07bc85 100644
--- a/src/main/resources/rules/windows/builtin/system/win_tap_driver_installation.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_tap_driver_installation.yml
@@ -19,4 +19,4 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate OpenVPN TAP insntallation
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/builtin/system/win_tool_psexec.yml b/src/main/resources/rules/windows/builtin/system/win_tool_psexec.yml
index ab96a2619..b4dba36c5 100644
--- a/src/main/resources/rules/windows/builtin/system/win_tool_psexec.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_tool_psexec.yml
@@ -35,4 +35,4 @@ detection:
     condition: service_installation or service_execution
 falsepositives:
     - Unknown
-level: low
\ No newline at end of file
+level: low
diff --git a/src/main/resources/rules/windows/builtin/system/win_volume_shadow_copy_mount.yml b/src/main/resources/rules/windows/builtin/system/win_volume_shadow_copy_mount.yml
index de018ad86..eda4c6ff8 100644
--- a/src/main/resources/rules/windows/builtin/system/win_volume_shadow_copy_mount.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_volume_shadow_copy_mount.yml
@@ -14,7 +14,7 @@ logsource:
     product: windows
     service: system
 detection:
-    selection: 
+    selection:
         Provider_Name: Microsoft-Windows-Ntfs
         EventID: 98
         DeviceName|contains: HarddiskVolumeShadowCopy
diff --git a/src/main/resources/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml b/src/main/resources/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml
index 9c6a9048d..055af6722 100644
--- a/src/main/resources/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml
@@ -29,8 +29,8 @@ detection:
 fields:
     - samAccountName
 falsepositives:
-    - Unknown 
+    - Unknown
 level: medium
 tags:
     - attack.credential_access
-    - attack.t1558.003 
+    - attack.t1558.003
diff --git a/src/main/resources/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml b/src/main/resources/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml
index 3bb8f4418..ccd60dc7b 100644
--- a/src/main/resources/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml
+++ b/src/main/resources/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml
@@ -20,4 +20,4 @@ falsepositives:
 level: high
 tags:
     - attack.execution
-    - attack.t1059 
+    - attack.t1059
diff --git a/src/main/resources/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml b/src/main/resources/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
index 39a621373..8073ece28 100644
--- a/src/main/resources/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
+++ b/src/main/resources/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
@@ -21,4 +21,4 @@ detection:
         Value|endswith:
             - '\Windows Defender\DisableAntiSpyware = 0x1()'
             - '\Real-Time Protection\DisableRealtimeMonitoring = (Current)'
-    condition: selection
\ No newline at end of file
+    condition: selection
diff --git a/src/main/resources/rules/windows/builtin/windefend/win_defender_threat.yml b/src/main/resources/rules/windows/builtin/windefend/win_defender_threat.yml
index 00e059bd7..345122da2 100644
--- a/src/main/resources/rules/windows/builtin/windefend/win_defender_threat.yml
+++ b/src/main/resources/rules/windows/builtin/windefend/win_defender_threat.yml
@@ -22,4 +22,4 @@ falsepositives:
 level: high
 tags:
     - attack.execution
-    - attack.t1059 
\ No newline at end of file
+    - attack.t1059
diff --git a/src/main/resources/rules/windows/builtin/wmi/win_wmi_persistence.yml b/src/main/resources/rules/windows/builtin/wmi/win_wmi_persistence.yml
index 25fba3e66..f6ae6b4e6 100644
--- a/src/main/resources/rules/windows/builtin/wmi/win_wmi_persistence.yml
+++ b/src/main/resources/rules/windows/builtin/wmi/win_wmi_persistence.yml
@@ -34,4 +34,4 @@ detection:
     condition: ( (wmi_filter_to_consumer_binding and consumer_keywords) or (wmi_filter_registration) ) and not filter_scmevent
 falsepositives:
     - Unknown (data set is too small; further testing needed)
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml b/src/main/resources/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml
index 0340c45b7..bf2d24713 100644
--- a/src/main/resources/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml
+++ b/src/main/resources/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml
@@ -11,7 +11,7 @@ logsource:
    category: create_remote_thread
 detection:
    selection:
-      TargetImage|endswith: 
+      TargetImage|endswith:
          - '\mspaint.exe'
          - '\calc.exe'
          - '\notepad.exe'
diff --git a/src/main/resources/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml b/src/main/resources/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
index daf111a32..789a75e2f 100644
--- a/src/main/resources/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
+++ b/src/main/resources/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
@@ -16,7 +16,7 @@ logsource:
     category: create_remote_thread
 detection:
     selection:
-        StartAddress|endswith: 
+        StartAddress|endswith:
             - '0B80'
             - '0C7C'
             - '0C88'
@@ -24,4 +24,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-
diff --git a/src/main/resources/rules/windows/dns_query/dns_query_win_ammyy.yml b/src/main/resources/rules/windows/dns_query/dns_query_win_ammyy.yml
index 893f21290..c2c2cf4b5 100644
--- a/src/main/resources/rules/windows/dns_query/dns_query_win_ammyy.yml
+++ b/src/main/resources/rules/windows/dns_query/dns_query_win_ammyy.yml
@@ -4,7 +4,7 @@ status: experimental
 description: |
   An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
   These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) 
+  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
 author: frack113
@@ -21,4 +21,4 @@ falsepositives:
 level: medium
 tags:
     - attack.command_and_control
-    - attack.t1219
\ No newline at end of file
+    - attack.t1219
diff --git a/src/main/resources/rules/windows/dns_query/dns_query_win_gotoopener.yml b/src/main/resources/rules/windows/dns_query/dns_query_win_gotoopener.yml
index 75fc35c4d..a9c071e4f 100644
--- a/src/main/resources/rules/windows/dns_query/dns_query_win_gotoopener.yml
+++ b/src/main/resources/rules/windows/dns_query/dns_query_win_gotoopener.yml
@@ -4,7 +4,7 @@ status: experimental
 description: |
   An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
   These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) 
+  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
 author: frack113
@@ -18,4 +18,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml b/src/main/resources/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml
index fd8ae4cfe..34975571f 100644
--- a/src/main/resources/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml
+++ b/src/main/resources/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml
@@ -7,7 +7,7 @@ modified: 2021/06/10
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.persistence
-    - attack.t1554 
+    - attack.t1554
 references:
     - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 logsource:
diff --git a/src/main/resources/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml b/src/main/resources/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml
index a39bb70fe..33995812f 100644
--- a/src/main/resources/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml
+++ b/src/main/resources/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml
@@ -20,4 +20,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/dns_query/dns_query_win_logmein.yml b/src/main/resources/rules/windows/dns_query/dns_query_win_logmein.yml
index 0a1879aee..f4e6eb493 100644
--- a/src/main/resources/rules/windows/dns_query/dns_query_win_logmein.yml
+++ b/src/main/resources/rules/windows/dns_query/dns_query_win_logmein.yml
@@ -4,7 +4,7 @@ status: experimental
 description: |
   An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
   These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) 
+  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
 author: frack113
@@ -21,4 +21,4 @@ falsepositives:
 level: medium
 tags:
     - attack.command_and_control
-    - attack.t1219
\ No newline at end of file
+    - attack.t1219
diff --git a/src/main/resources/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml b/src/main/resources/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml
index 7c80fd93b..66e18dd60 100644
--- a/src/main/resources/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml
+++ b/src/main/resources/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml
@@ -16,7 +16,7 @@ logsource:
 detection:
     selection1:
         QueryName|startswith:
-            - 'aaa.stage.' 
+            - 'aaa.stage.'
             - 'post.1'
     selection2:
         QueryName|contains: '.stage.123456.'
diff --git a/src/main/resources/rules/windows/dns_query/dns_query_win_mega_nz.yml b/src/main/resources/rules/windows/dns_query/dns_query_win_mega_nz.yml
index 31d9cafc3..13e935a91 100644
--- a/src/main/resources/rules/windows/dns_query/dns_query_win_mega_nz.yml
+++ b/src/main/resources/rules/windows/dns_query/dns_query_win_mega_nz.yml
@@ -18,4 +18,4 @@ logsource:
 detection:
     selection:
         QueryName|contains: userstorage.mega.co.nz
-    condition: selection
\ No newline at end of file
+    condition: selection
diff --git a/src/main/resources/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml b/src/main/resources/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml
index 0a9ffb60d..0a7623d98 100644
--- a/src/main/resources/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml
+++ b/src/main/resources/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml
@@ -32,4 +32,4 @@ fields:
     - DestinationPort
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/dns_query/dns_query_win_susp_ipify.yml b/src/main/resources/rules/windows/dns_query/dns_query_win_susp_ipify.yml
index cf893946b..aa4a5832c 100644
--- a/src/main/resources/rules/windows/dns_query/dns_query_win_susp_ipify.yml
+++ b/src/main/resources/rules/windows/dns_query/dns_query_win_susp_ipify.yml
@@ -19,7 +19,7 @@ logsource:
     category: dns_query
 detection:
     dns_request:
-        QueryName: 
+        QueryName:
             - canireachthe.net
             - ipv4.icanhazip.com
             - ip.anysrc.net
diff --git a/src/main/resources/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml b/src/main/resources/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml
index ddfe7f510..8887b00cb 100644
--- a/src/main/resources/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml
+++ b/src/main/resources/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml
@@ -15,7 +15,7 @@ logsource:
     category: dns_query
 detection:
     dns_request:
-        QueryName: 
+        QueryName:
             - 'taf.teamviewer.com'
             - 'udp.ping.teamviewer.com'
     filter:
@@ -24,4 +24,4 @@ detection:
 falsepositives:
     - Unknown binary names of TeamViewer
     - Other programs that also lookup the observed domain
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/src/main/resources/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index 172b3e23f..ebb133409 100644
--- a/src/main/resources/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/src/main/resources/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -51,4 +51,4 @@ fields:
     - ImagePath
 falsepositives:
     - Highly unlikely
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml b/src/main/resources/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml
index 1bb1c9653..019ba4c96 100644
--- a/src/main/resources/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml
+++ b/src/main/resources/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml
@@ -18,10 +18,10 @@ logsource:
     category: driver_load
 detection:
     selection:
-        ImageLoaded|contains: 
+        ImageLoaded|contains:
           - 'powershell'
           - 'pwsh'
     condition: selection
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/driver_load/driver_load_vuln_dell_driver.yml b/src/main/resources/rules/windows/driver_load/driver_load_vuln_dell_driver.yml
index 15439f86e..9189ac959 100644
--- a/src/main/resources/rules/windows/driver_load/driver_load_vuln_dell_driver.yml
+++ b/src/main/resources/rules/windows/driver_load/driver_load_vuln_dell_driver.yml
@@ -12,7 +12,7 @@ logsource:
 tags:
     - attack.privilege_escalation
     - cve.2021.21551
-    - attack.t1543 
+    - attack.t1543
 detection:
     selection_image:
         ImageLoaded|contains: '\DBUtil_2_3.Sys'
diff --git a/src/main/resources/rules/windows/driver_load/driver_load_windivert.yml b/src/main/resources/rules/windows/driver_load/driver_load_windivert.yml
index 3f3de4609..07aba491d 100644
--- a/src/main/resources/rules/windows/driver_load/driver_load_windivert.yml
+++ b/src/main/resources/rules/windows/driver_load/driver_load_windivert.yml
@@ -17,7 +17,7 @@ logsource:
     product: windows
 detection:
     selection:
-        ImageLoaded|contains: 
+        ImageLoaded|contains:
             - '\WinDivert.sys'
             - '\WinDivert64.sys'
     condition: selection
diff --git a/src/main/resources/rules/windows/file_delete/file_delete_win_delete_appli_log.yml b/src/main/resources/rules/windows/file_delete/file_delete_win_delete_appli_log.yml
index 5266a1518..9784d7b64 100644
--- a/src/main/resources/rules/windows/file_delete/file_delete_win_delete_appli_log.yml
+++ b/src/main/resources/rules/windows/file_delete/file_delete_win_delete_appli_log.yml
@@ -13,7 +13,7 @@ detection:
     selection_teamviewer:
         TargetFilename|endswith: '.log'
         TargetFilename|contains: '\TeamViewer_'
-    filter: 
+    filter:
         Image: C:\Windows\system32\svchost.exe
     condition: selection_teamviewer and not filter
 falsepositives:
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_advanced_ip_scanner.yml b/src/main/resources/rules/windows/file_event/file_event_win_advanced_ip_scanner.yml
index 4fdf3650c..4d9c576cb 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_advanced_ip_scanner.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_advanced_ip_scanner.yml
@@ -1,4 +1,4 @@
-title: Advanced IP Scanner 
+title: Advanced IP Scanner
 id: fed85bf9-e075-4280-9159-fbe8a023d6fa
 related:
     - id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
@@ -26,4 +26,4 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate administrative use
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_anydesk_artefact.yml b/src/main/resources/rules/windows/file_event/file_event_win_anydesk_artefact.yml
index 0d2800f5c..ef64bbc3c 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_anydesk_artefact.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_anydesk_artefact.yml
@@ -4,7 +4,7 @@ status: experimental
 description: |
   An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
   These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) 
+  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
 author: frack113
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_apt_unidentified_nov_18.yml b/src/main/resources/rules/windows/file_event/file_event_win_apt_unidentified_nov_18.yml
index 687865be6..00b912d4d 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_apt_unidentified_nov_18.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_apt_unidentified_nov_18.yml
@@ -19,6 +19,6 @@ logsource:
     category: file_event
 detection:
     selection:
-        TargetFilename|contains: 'ds7002.lnk' 
+        TargetFilename|contains: 'ds7002.lnk'
     condition: selection
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_crackmapexec_patterns.yml b/src/main/resources/rules/windows/file_event/file_event_win_crackmapexec_patterns.yml
index d4b6e6cce..7669e2412 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_crackmapexec_patterns.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_crackmapexec_patterns.yml
@@ -55,4 +55,4 @@ detection:
     condition: 1 of selection*
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_creation_new_shim_database.yml b/src/main/resources/rules/windows/file_event/file_event_win_creation_new_shim_database.yml
index c00f31c4e..cbf136c33 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_creation_new_shim_database.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_creation_new_shim_database.yml
@@ -1,7 +1,7 @@
 title: New Shim Database Created in the Default Directory
 id: ee63c85c-6d51-4d12-ad09-04e25877a947
 status: experimental
-description: | 
+description: |
   Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
   The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
 author: frack113
@@ -15,7 +15,7 @@ detection:
   selection:
     TargetFilename|endswith: '.sdb'
     TargetFilename|contains: '\Windows\apppatch\Custom\'
-  condition: selection 
+  condition: selection
 falsepositives:
   - Unknown
 level: medium
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_creation_scr_binary_file.yml b/src/main/resources/rules/windows/file_event/file_event_win_creation_scr_binary_file.yml
index 5d16e8fb9..6f0272819 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_creation_scr_binary_file.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_creation_scr_binary_file.yml
@@ -1,7 +1,7 @@
 title: Suspicious Screensaver Binary File Creation
 id: 97aa2e88-555c-450d-85a6-229bcd87efb8
 status: experimental
-description: | 
+description: |
   Adversaries may establish persistence by executing malicious content triggered by user inactivity.
   Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
 author: frack113
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_creation_system_file.yml b/src/main/resources/rules/windows/file_event/file_event_win_creation_system_file.yml
index e3bcec0fd..bccee29ce 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_creation_system_file.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_creation_system_file.yml
@@ -47,7 +47,7 @@ detection:
             - 'C:\Windows\winsxs\'
             - 'C:\Windows\WinSxS\'
             - '\SystemRoot\System32\'
-        Image|endswith: 
+        Image|endswith:
             - '\Windows\System32\dism.exe'
             - '\TiWorker.exe'
     filter2:
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_creation_unquoted_service_path.yml b/src/main/resources/rules/windows/file_event/file_event_win_creation_unquoted_service_path.yml
index 5b2dfdcb1..d5b2c30b7 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_creation_unquoted_service_path.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_creation_unquoted_service_path.yml
@@ -1,9 +1,9 @@
 title: Creation Exe for Service with Unquoted Path
 id: 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9
 status: experimental
-description: | 
+description: |
   Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
-  Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. 
+  Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
 author: frack113
 references:
   - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md
@@ -14,11 +14,11 @@ logsource:
 detection:
   selection:
     # Feel free to add more
-    TargetFilename: 'C:\program.exe' 
-  condition: selection 
+    TargetFilename: 'C:\program.exe'
+  condition: selection
 falsepositives:
   - Unknown
 level: high
 tags:
   - attack.persistence
-  - attack.t1547.009
\ No newline at end of file
+  - attack.t1547.009
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_cve_2021_26858_msexchange.yml b/src/main/resources/rules/windows/file_event/file_event_win_cve_2021_26858_msexchange.yml
index 07cbb1170..570cf2de7 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_cve_2021_26858_msexchange.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_cve_2021_26858_msexchange.yml
@@ -19,7 +19,7 @@ detection:
     selection:
         Image|endswith: 'UMWorkerProcess.exe'
     filter:
-        TargetFilename|endswith: 
+        TargetFilename|endswith:
             - 'CacheCleanup.bin'
             - '.txt'
             - '.LOG'
@@ -31,4 +31,4 @@ fields:
     - TargetFilename
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml b/src/main/resources/rules/windows/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
index 1c07a1d31..2cbe51874 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -34,4 +34,4 @@ detection:
     condition: selection
 falsepositives:
     - Unlikely
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_cve_2022_24527_lpe.yml b/src/main/resources/rules/windows/file_event/file_event_win_cve_2022_24527_lpe.yml
index 1a32e0300..fed59b85d 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_cve_2022_24527_lpe.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_cve_2022_24527_lpe.yml
@@ -24,4 +24,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_detect_powerup_dllhijacking.yml b/src/main/resources/rules/windows/file_event/file_event_win_detect_powerup_dllhijacking.yml
index c4fb4645b..aaef76f84 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_detect_powerup_dllhijacking.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_detect_powerup_dllhijacking.yml
@@ -3,7 +3,7 @@ id: 602a1f13-c640-4d73-b053-be9a2fa58b96
 status: experimental
 description:
  Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.
- In it's default mode, it builds a self deleting .bat file which executes malicious command. 
+ In it's default mode, it builds a self deleting .bat file which executes malicious command.
  The detection rule relies on creation of the malicious bat file (debug.bat by default).
 references:
     - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_gotoopener_artefact.yml b/src/main/resources/rules/windows/file_event/file_event_win_gotoopener_artefact.yml
index 427980d1b..d633bf4f1 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_gotoopener_artefact.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_gotoopener_artefact.yml
@@ -4,7 +4,7 @@ status: experimental
 description: |
   An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
   These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) 
+  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
 author: frack113
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_hack_dumpert.yml b/src/main/resources/rules/windows/file_event/file_event_win_hack_dumpert.yml
index 74a805179..464dfebf2 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_hack_dumpert.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_hack_dumpert.yml
@@ -18,9 +18,9 @@ logsource:
     category: file_event
     product: windows
 detection:
-    selection: 
+    selection:
         TargetFilename: C:\Windows\Temp\dumpert.dmp
     condition: selection
 falsepositives:
     - Very unlikely
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_hivenightmare_file_exports.yml b/src/main/resources/rules/windows/file_event/file_event_win_hivenightmare_file_exports.yml
index f21f487db..397d44e03 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_hivenightmare_file_exports.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_hivenightmare_file_exports.yml
@@ -18,19 +18,19 @@ tags:
     - cve.2021.36934
 detection:
     selection:
-        - TargetFilename|contains: 
+        - TargetFilename|contains:
             - '\hive_sam_'  # Go version
             - '\SAM-2021-'  # C++ version
             - '\SAM-2022-'  # C++ version
             - '\SAM-2023-'  # C++ version
             - '\SAM-haxx'   # Early C++ versions
             - '\Sam.save'   # PowerShell version
-        - TargetFilename: 
+        - TargetFilename:
             - 'C:\windows\temp\sam'  # C# version of HiveNightmare
     condition: selection
 fields:
     - CommandLine
     - ParentCommandLine
 falsepositives:
-    - Files that accidentally contain these strings 
+    - Files that accidentally contain these strings
 level: high
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_hktl_nppspy.yml b/src/main/resources/rules/windows/file_event/file_event_win_hktl_nppspy.yml
index ed4a60dac..5066f50e2 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_hktl_nppspy.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_hktl_nppspy.yml
@@ -14,10 +14,10 @@ logsource:
     category: file_event
 detection:
     selection:
-        TargetFilename|endswith: 
+        TargetFilename|endswith:
             - '\NPPSpy.txt'
             - '\NPPSpy.dll'
     condition: selection
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_install_teamviewer_desktop.yml b/src/main/resources/rules/windows/file_event/file_event_win_install_teamviewer_desktop.yml
index 151147665..2028e4111 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_install_teamviewer_desktop.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_install_teamviewer_desktop.yml
@@ -1,7 +1,7 @@
 title: Installation of TeamViewer Desktop
 id: 9711de76-5d4f-4c50-a94f-21e4e8f8384d
 status: experimental
-description: TeamViewer_Desktop.exe is create during install 
+description: TeamViewer_Desktop.exe is create during install
 author: frack113
 references:
   - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows
@@ -12,7 +12,7 @@ logsource:
 detection:
   selection:
     TargetFilename|endswith: \TeamViewer_Desktop.exe
-  condition: selection 
+  condition: selection
 falsepositives:
   - Unknown
 level: medium
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_lsass_dump.yml b/src/main/resources/rules/windows/file_event/file_event_win_lsass_dump.yml
index d6b6e0b67..a31fa1f33 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_lsass_dump.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_lsass_dump.yml
@@ -22,7 +22,7 @@ logsource:
     category: file_event
 detection:
     selection1:
-        TargetFilename|endswith: 
+        TargetFilename|endswith:
             - '\lsass.dmp'
             - '\lsass.zip'
             - '\lsass.rar'
@@ -47,4 +47,4 @@ detection:
     condition: 1 of selection*
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_macro_file.yml b/src/main/resources/rules/windows/file_event/file_event_win_macro_file.yml
index 55e102b80..ed1123d89 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_macro_file.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_macro_file.yml
@@ -11,15 +11,15 @@ logsource:
     category: file_event
     product: windows
 detection:
-    selection_ext: 
+    selection_ext:
         TargetFilename|endswith:
             - .docm
             - .dotm
             - .xlsm
             - .xltm
-            - .potm 
+            - .potm
             - .pptm
-            - .pptx 
+            - .pptx
     selection_cmd:
         - Image|endswith:
             - \cmd.exe
@@ -33,4 +33,4 @@ falsepositives:
 level: medium
 tags:
     - attack.initial_access
-    - attack.t1566.001
\ No newline at end of file
+    - attack.t1566.001
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_mal_adwind.yml b/src/main/resources/rules/windows/file_event/file_event_win_mal_adwind.yml
index 1e79f6b12..9c5a88686 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_mal_adwind.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_mal_adwind.yml
@@ -27,4 +27,4 @@ detection:
             - '\Retrive'
             - '.vbs'
     condition: selection
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_moriya_rootkit.yml b/src/main/resources/rules/windows/file_event/file_event_win_moriya_rootkit.yml
index 47213161f..c20249a0b 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_moriya_rootkit.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_moriya_rootkit.yml
@@ -23,4 +23,4 @@ detection:
     condition: selection
 level: critical
 falsepositives:
-    - Unknown
\ No newline at end of file
+    - Unknown
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_ntds_dit.yml b/src/main/resources/rules/windows/file_event/file_event_win_ntds_dit.yml
index d95195744..8f1e16af1 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_ntds_dit.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_ntds_dit.yml
@@ -4,7 +4,7 @@ description: Detects suspicious creations of a file named ntds.dit, e.g. by a Po
 status: experimental
 author: Florian Roth
 references:
-    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration 
+    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
     - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
     - https://pentestlab.blog/tag/ntds-dit/
     - https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1
@@ -19,7 +19,7 @@ detection:
     selection_file:
         TargetFilename|endswith: '\ntds.dit'
     selection_process:
-        - ParentImage|endswith: 
+        - ParentImage|endswith:
             - '\powershell.exe'
             - '\wscript.exe'
             - '\cscript.exe'
@@ -42,4 +42,4 @@ detection:
     condition: selection_file and 1 of selection_process*
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_ntds_exfil_tools.yml b/src/main/resources/rules/windows/file_event/file_event_win_ntds_exfil_tools.yml
index 055ca56b7..818dbd79b 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_ntds_exfil_tools.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_ntds_exfil_tools.yml
@@ -16,10 +16,10 @@ logsource:
     category: file_event
 detection:
     selection_file:
-        TargetFilename|endswith: 
+        TargetFilename|endswith:
             - '\All.cab' # https://github.com/rapid7/metasploit-framework/blob/master/data/post/powershell/NTDSgrab.ps
             - '.ntds.cleartext' # https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
     condition: selection_file
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_outlook_c2_macro_creation.yml b/src/main/resources/rules/windows/file_event/file_event_win_outlook_c2_macro_creation.yml
index a7b44dbb1..a1ff5fb0e 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_outlook_c2_macro_creation.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_outlook_c2_macro_creation.yml
@@ -1,7 +1,7 @@
 title: Outlook C2 Macro Creation
 id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
 status: experimental
-description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events Registry & File Creation happens at the same time. 
+description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events Registry & File Creation happens at the same time.
 references:
     - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
 author: '@ScoubiMtl'
@@ -16,7 +16,7 @@ logsource:
     category: file_event
     product: windows
 detection:
-    selection:        
+    selection:
         TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
     condition: selection
 falsepositives:
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_pcre_net_temp_file.yml b/src/main/resources/rules/windows/file_event/file_event_win_pcre_net_temp_file.yml
index f4668f6cc..ce3b34d87 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_pcre_net_temp_file.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_pcre_net_temp_file.yml
@@ -15,7 +15,7 @@ logsource:
     category: file_event
     product: windows
 detection:
-    selection: 
+    selection:
         TargetFilename|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
     condition: selection
 falsepositives:
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_pingback_backdoor.yml b/src/main/resources/rules/windows/file_event/file_event_win_pingback_backdoor.yml
index 5b9417ab3..c5681493d 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_pingback_backdoor.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_pingback_backdoor.yml
@@ -15,10 +15,10 @@ logsource:
     product: windows
     category: file_event
 detection:
-    selection: 
+    selection:
         Image|endswith: updata.exe
         TargetFilename: 'C:\Windows\oci.dll'
     condition: selection
 falsepositives:
     - Very unlikely
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml b/src/main/resources/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml
index a7ed3cfae..07352b86e 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml
@@ -2,7 +2,7 @@ title: PowerShell Writing Startup Shortcuts
 id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
 description: Attempts to detect PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
 status: experimental
-references: 
+references:
     - https://redcanary.com/blog/intelligence-insights-october-2021/
     - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
 tags:
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_rclone_exec_file.yml b/src/main/resources/rules/windows/file_event/file_event_win_rclone_exec_file.yml
index 126403a34..d022d2a48 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_rclone_exec_file.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_rclone_exec_file.yml
@@ -12,7 +12,7 @@ tags:
     - attack.t1567.002
 falsepositives:
     - Legitimate Rclone usage (rare)
-level: high 
+level: high
 logsource:
     product: windows
     category: file_event
@@ -21,4 +21,4 @@ detection:
         TargetFilename|contains|all:
             - ':\Users\'
             - '\.config\rclone\'
-    condition: selection
\ No newline at end of file
+    condition: selection
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_sam_dump.yml b/src/main/resources/rules/windows/file_event/file_event_win_sam_dump.yml
index 32302222c..1415a867e 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_sam_dump.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_sam_dump.yml
@@ -18,7 +18,7 @@ logsource:
     category: file_event
 detection:
     selection:
-        - TargetFilename|endswith: 
+        - TargetFilename|endswith:
             - '\Temp\sam'
             - '\sam.sav'
             - '\Intel\sam'
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_screenconnect_artefact.yml b/src/main/resources/rules/windows/file_event/file_event_win_screenconnect_artefact.yml
index 60416b5f9..5a3e18eb5 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_screenconnect_artefact.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_screenconnect_artefact.yml
@@ -4,7 +4,7 @@ status: experimental
 description: |
   An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
   These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) 
+  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
 author: frack113
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_script_creation_by_office_using_file_ext.yml b/src/main/resources/rules/windows/file_event/file_event_win_script_creation_by_office_using_file_ext.yml
index 373c4c6dd..e0cddd951 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_script_creation_by_office_using_file_ext.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_script_creation_by_office_using_file_ext.yml
@@ -1,6 +1,6 @@
 title: Created Files by Office Applications
 id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
-description: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.  
+description: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.
 references:
     - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
     - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_susp_desktop_txt.yml b/src/main/resources/rules/windows/file_event/file_event_win_susp_desktop_txt.yml
index 2f2608892..d889bf947 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_susp_desktop_txt.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_susp_desktop_txt.yml
@@ -11,7 +11,7 @@ logsource:
   category: file_event
 detection:
   selection:
-    Image|endswith: \cmd.exe 
+    Image|endswith: \cmd.exe
     TargetFilename|contains|all:
         - \Users\
         - \Desktop\
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_susp_diagcab.yml b/src/main/resources/rules/windows/file_event/file_event_win_susp_diagcab.yml
index da940be20..773ec8ee5 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_susp_diagcab.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_susp_diagcab.yml
@@ -12,9 +12,9 @@ logsource:
 detection:
   selection:
     TargetFilename|endswith: '.diagcab'
-  condition: selection 
+  condition: selection
 falsepositives:
-  - Legitimate microsoft diagcab 
+  - Legitimate microsoft diagcab
 level: medium
 tags:
   - attack.resource_development
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_susp_dropper.yml b/src/main/resources/rules/windows/file_event/file_event_win_susp_dropper.yml
index 978eb6ae1..6fe4fcf55 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_susp_dropper.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_susp_dropper.yml
@@ -15,7 +15,7 @@ detection:
     Image|endswith: '.exe'
     TargetFilename|endswith: '.exe'
   filter_whitelist:
-    Image: 
+    Image:
       - 'C:\Windows\System32\msiexec.exe'
       - 'C:\Windows\system32\cleanmgr.exe'
       - 'C:\Windows\explorer.exe'
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_susp_exchange_aspx_write.yml b/src/main/resources/rules/windows/file_event/file_event_win_susp_exchange_aspx_write.yml
index 82ed285c9..644d6dba8 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_susp_exchange_aspx_write.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_susp_exchange_aspx_write.yml
@@ -17,7 +17,7 @@ logsource:
 detection:
     selection:
         Image|endswith: '\MSExchangeMailboxReplication.exe'
-        TargetFilename|endswith: 
+        TargetFilename|endswith:
             - '.aspx'
             - '.asp'
     condition: selection
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_susp_get_variable.yml b/src/main/resources/rules/windows/file_event/file_event_win_susp_get_variable.yml
index d5060e84e..60044d5a4 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_susp_get_variable.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_susp_get_variable.yml
@@ -1,4 +1,4 @@
-title: Suspicious Get-Variable.exe Creation 
+title: Suspicious Get-Variable.exe Creation
 id: 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b
 status: experimental
 description: |
@@ -16,7 +16,7 @@ logsource:
 detection:
   selection:
     TargetFilename|endswith: 'Local\Microsoft\WindowsApps\Get-Variable.exe'
-  condition: selection 
+  condition: selection
 falsepositives:
   - Unknown
 level: high
@@ -25,4 +25,3 @@ tags:
   - attack.t1546
   - attack.defense_evasion
   - attack.t1027
-  
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_susp_system_interactive_powershell.yml b/src/main/resources/rules/windows/file_event/file_event_win_susp_system_interactive_powershell.yml
index 06d957aa8..b8e54a0e4 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_susp_system_interactive_powershell.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_susp_system_interactive_powershell.yml
@@ -11,7 +11,7 @@ logsource:
   category: file_event
 detection:
   selection:
-    TargetFilename: 
+    TargetFilename:
     - 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
     - 'C:\Windows\System32\config\systemprofile\AppData\\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive'
   condition: selection
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_susp_task_write.yml b/src/main/resources/rules/windows/file_event/file_event_win_susp_task_write.yml
index c2cee9c49..cf1572edd 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_susp_task_write.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_susp_task_write.yml
@@ -10,14 +10,14 @@ modified: 2022/01/12
 tags:
     - attack.persistence
     - attack.execution
-    - attack.t1053 
+    - attack.t1053
 logsource:
     product: windows
     category: file_event
 detection:
     selection:
         TargetFilename|contains: '\Windows\System32\Tasks'
-        Image|contains: 
+        Image|contains:
             - '\AppData\'
             - 'C:\PerfLogs'
             - '\Windows\System32\config\systemprofile'
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml b/src/main/resources/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml
index 8d6fd06ce..bc6e34bd4 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml
@@ -14,11 +14,11 @@ logsource:
     category: file_event
 detection:
     selection1:
-        TargetFilename|endswith: 
+        TargetFilename|endswith:
             - '\TeamViewer\RemotePrinting\tvprint.db'
             - '\TeamViewer\TVNetwork.log'
     selection2:
-        TargetFilename|contains|all: 
+        TargetFilename|contains|all:
             - '\TeamViewer'
             - '_Logfile.log'
     condition: 1 of selection*
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_tool_psexec.yml b/src/main/resources/rules/windows/file_event/file_event_win_tool_psexec.yml
index b51057aa6..5abde5b85 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_tool_psexec.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_tool_psexec.yml
@@ -32,4 +32,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: low
\ No newline at end of file
+level: low
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_win_cscript_wscript_dropper.yml b/src/main/resources/rules/windows/file_event/file_event_win_win_cscript_wscript_dropper.yml
index b28196367..65f80bfd4 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_win_cscript_wscript_dropper.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_win_cscript_wscript_dropper.yml
@@ -2,7 +2,7 @@ title: WScript or CScript Dropper
 id: 002bdb95-0cf1-46a6-9e08-d38c128a6127
 status: experimental
 description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
-related: 
+related:
     - id: cea72823-df4d-4567-950c-0b579eaf0846
       type: derived
 references:
@@ -18,10 +18,10 @@ detection:
         Image|endswith:
             - '\wscript.exe'
             - '\cscript.exe'
-        TargetFilename|startswith: 
+        TargetFilename|startswith:
             - 'C:\Users\'
             - 'C:\ProgramData'
-        TargetFilename|endswith: 
+        TargetFilename|endswith:
             - '.jse'
             - '.vbe'
             - '.js'
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml b/src/main/resources/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml
index 9de9a86c8..da3ed3385 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml
@@ -21,7 +21,7 @@ detection:
             - '\bash.exe'
             - '\msbuild.exe'  # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
             - '\certutil.exe'
-        TargetFilename|contains: 
+        TargetFilename|contains:
             - 'C:\Users\Public'
             - 'C:\PerfLogs'
     selection_program:
@@ -33,7 +33,7 @@ detection:
             - '\forfiles.exe'
             - '\scriptrunner.exe'
             - '\certutil.exe'
-        TargetFilename|contains: 
+        TargetFilename|contains:
             - 'C:\Users\Public'
             - 'C:\PerfLogs'
             - '\AppData\'
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_winrm_awl_bypass.yml b/src/main/resources/rules/windows/file_event/file_event_win_winrm_awl_bypass.yml
index 572c319f9..5768143dc 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_winrm_awl_bypass.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_winrm_awl_bypass.yml
@@ -18,7 +18,7 @@ logsource:
     category: file_event
 detection:
     system_files:
-        TargetFilename|endswith: 
+        TargetFilename|endswith:
             - 'WsmPty.xsl'
             - 'WsmTxt.xsl'
     in_system_folder:
@@ -28,4 +28,4 @@ detection:
     condition: system_files and not in_system_folder
 level: medium
 falsepositives:
-    - Unlikely
\ No newline at end of file
+    - Unlikely
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml b/src/main/resources/rules/windows/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml
index 07e01fa6a..c7d94671c 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml
@@ -22,4 +22,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/windows/file_event/file_event_win_writing_local_admin_share.yml b/src/main/resources/rules/windows/file_event/file_event_win_writing_local_admin_share.yml
index 5df4b850e..6c7ca5e58 100644
--- a/src/main/resources/rules/windows/file_event/file_event_win_writing_local_admin_share.yml
+++ b/src/main/resources/rules/windows/file_event/file_event_win_writing_local_admin_share.yml
@@ -1,7 +1,7 @@
 title: Writing Local Admin Share
 id: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f
 status: experimental
-description: | 
+description: |
   Aversaries may use to interact with a remote network share using Server Message Block (SMB).
   This technique is used by post-exploitation frameworks.
 author: frack113
@@ -16,10 +16,10 @@ detection:
     TargetFilename|contains|all:
         - '\\127.0.0'
         - '\ADMIN$\'
-  condition: selection 
+  condition: selection
 falsepositives:
   - Unknown
 level: medium
 tags:
   - attack.lateral_movement
-  - attack.t1546.002
\ No newline at end of file
+  - attack.t1546.002
diff --git a/src/main/resources/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml b/src/main/resources/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml
index ddd6e5490..a38f37e52 100644
--- a/src/main/resources/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml
+++ b/src/main/resources/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml
@@ -29,4 +29,4 @@ detection:
     condition: selection and not filter
 falsepositives:
     - Unknown
-level: low 
\ No newline at end of file
+level: low
diff --git a/src/main/resources/rules/windows/image_load/image_load_msdt_sdiageng.yml b/src/main/resources/rules/windows/image_load/image_load_msdt_sdiageng.yml
index 1db0d173d..a57e21014 100644
--- a/src/main/resources/rules/windows/image_load/image_load_msdt_sdiageng.yml
+++ b/src/main/resources/rules/windows/image_load/image_load_msdt_sdiageng.yml
@@ -1,7 +1,7 @@
 title: MSDT.exe Loading Diagnostic Library
 id: ec8c4047-fad9-416a-8c81-0f479353d7f6
 status: experimental
-description: Detects both of CVE-2022-30190 / Follina and DogWalk vulnerability exploiting msdt.exe binary to load sdiageng.dll binary 
+description: Detects both of CVE-2022-30190 / Follina and DogWalk vulnerability exploiting msdt.exe binary to load sdiageng.dll binary
 author: Greg (rule)
 references:
   - https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
diff --git a/src/main/resources/rules/windows/image_load/image_load_pcre_net_load.yml b/src/main/resources/rules/windows/image_load/image_load_pcre_net_load.yml
index 3debcfa6f..00899b15c 100644
--- a/src/main/resources/rules/windows/image_load/image_load_pcre_net_load.yml
+++ b/src/main/resources/rules/windows/image_load/image_load_pcre_net_load.yml
@@ -15,7 +15,7 @@ logsource:
     category: image_load
     product: windows
 detection:
-    selection: 
+    selection:
         ImageLoaded|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
     condition: selection
 falsepositives:
diff --git a/src/main/resources/rules/windows/image_load/image_load_pingback_backdoor.yml b/src/main/resources/rules/windows/image_load/image_load_pingback_backdoor.yml
index fd9ed05c8..b148df4a1 100644
--- a/src/main/resources/rules/windows/image_load/image_load_pingback_backdoor.yml
+++ b/src/main/resources/rules/windows/image_load/image_load_pingback_backdoor.yml
@@ -21,4 +21,4 @@ detection:
     condition: selection
 falsepositives:
     - Very unlikely
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/image_load/image_load_silenttrinity_stage_use.yml b/src/main/resources/rules/windows/image_load/image_load_silenttrinity_stage_use.yml
index f935150fd..65e325d77 100644
--- a/src/main/resources/rules/windows/image_load/image_load_silenttrinity_stage_use.yml
+++ b/src/main/resources/rules/windows/image_load/image_load_silenttrinity_stage_use.yml
@@ -22,4 +22,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/image_load/image_load_spoolsv_dll_load.yml b/src/main/resources/rules/windows/image_load/image_load_spoolsv_dll_load.yml
index 9d3a83290..65488a97d 100644
--- a/src/main/resources/rules/windows/image_load/image_load_spoolsv_dll_load.yml
+++ b/src/main/resources/rules/windows/image_load/image_load_spoolsv_dll_load.yml
@@ -28,4 +28,4 @@ tags:
     - attack.privilege_escalation
     - attack.t1574
     - cve.2021.1675
-    - cve.2021.34527
\ No newline at end of file
+    - cve.2021.34527
diff --git a/src/main/resources/rules/windows/image_load/image_load_susp_python_image_load.yml b/src/main/resources/rules/windows/image_load/image_load_susp_python_image_load.yml
index 79b4ceff8..40bc1f50d 100644
--- a/src/main/resources/rules/windows/image_load/image_load_susp_python_image_load.yml
+++ b/src/main/resources/rules/windows/image_load/image_load_susp_python_image_load.yml
@@ -18,7 +18,7 @@ detection:
   selection:
     Description: 'Python Core'
   filter:
-    - Image|contains: 
+    - Image|contains:
       - 'Python'  # FPs with python38.dll, python.exe etc.
     - Image|startswith:
       - 'C:\Program Files\'
@@ -28,4 +28,4 @@ fields:
   - Description
 falsepositives:
   - Legit Py2Exe Binaries
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/image_load/image_load_susp_system_drawing_load.yml b/src/main/resources/rules/windows/image_load/image_load_susp_system_drawing_load.yml
index 866440fb5..870eb65ff 100644
--- a/src/main/resources/rules/windows/image_load/image_load_susp_system_drawing_load.yml
+++ b/src/main/resources/rules/windows/image_load/image_load_susp_system_drawing_load.yml
@@ -18,7 +18,7 @@ detection:
     selection:
         ImageLoaded|endswith: '\System.Drawing.ni.dll'
     filter:
-        # The number of false positives was too high - we had to do this broader filter 
+        # The number of false positives was too high - we had to do this broader filter
         # based on the following paths that shouldn't be writable to an unprivileged user
         Image|startswith:
             - 'C:\Program Files\'
@@ -34,4 +34,4 @@ detection:
     condition: selection and not 1 of filter*
 falsepositives:
     - Unknown
-level: low  # too many false positives
\ No newline at end of file
+level: low  # too many false positives
diff --git a/src/main/resources/rules/windows/image_load/image_load_tttracer_mod_load.yml b/src/main/resources/rules/windows/image_load/image_load_tttracer_mod_load.yml
index c40117488..564dad973 100644
--- a/src/main/resources/rules/windows/image_load/image_load_tttracer_mod_load.yml
+++ b/src/main/resources/rules/windows/image_load/image_load_tttracer_mod_load.yml
@@ -6,7 +6,7 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
     - https://twitter.com/mattifestation/status/1196390321783025666
     - https://twitter.com/oulusoyum/status/1191329746069655553
-author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative' 
+author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
 date: 2020/10/06
 modified: 2021/09/21
 tags:
@@ -26,4 +26,4 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate usage by software developers/testers
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml b/src/main/resources/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml
index ae9008a44..d516ccc03 100644
--- a/src/main/resources/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml
+++ b/src/main/resources/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml
@@ -20,4 +20,4 @@ level: high
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation
-    - attack.t1055
\ No newline at end of file
+    - attack.t1055
diff --git a/src/main/resources/rules/windows/image_load/image_load_wmi_module_load.yml b/src/main/resources/rules/windows/image_load/image_load_wmi_module_load.yml
index 971fdb340..d4794d086 100644
--- a/src/main/resources/rules/windows/image_load/image_load_wmi_module_load.yml
+++ b/src/main/resources/rules/windows/image_load/image_load_wmi_module_load.yml
@@ -14,7 +14,7 @@ logsource:
     category: image_load
     product: windows
 detection:
-    selection: 
+    selection:
         ImageLoaded|endswith:
             - '\wmiclnt.dll'
             - '\WmiApRpl.dll'
@@ -63,4 +63,3 @@ fields:
 falsepositives:
     - Unknown
 level: informational  # too many false positives
-
diff --git a/src/main/resources/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml b/src/main/resources/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
index 46a28be56..35b8901b4 100644
--- a/src/main/resources/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
+++ b/src/main/resources/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
@@ -15,7 +15,7 @@ references:
 logsource:
     product: windows
     category: image_load
-detection: 
+detection:
     selection:
         Image|endswith: '\wmiprvse.exe'
         ImageLoaded|endswith: '\wbem\wbemcomn.dll'
diff --git a/src/main/resources/rules/windows/image_load/image_load_wsman_provider_image_load.yml b/src/main/resources/rules/windows/image_load/image_load_wsman_provider_image_load.yml
index 0866768d5..001e3ec92 100644
--- a/src/main/resources/rules/windows/image_load/image_load_wsman_provider_image_load.yml
+++ b/src/main/resources/rules/windows/image_load/image_load_wsman_provider_image_load.yml
@@ -32,23 +32,23 @@ detection:
         Image|endswith: '\svchost.exe'
         OriginalFileName: 'WsmWmiPl.dll'
     filter_general:
-        Image|endswith: 
+        Image|endswith:
             - '\powershell.exe'
             - 'C:\Windows\System32\sdiagnhost.exe'
             - 'C:\Windows\System32\services.exe'
     filter_svchost: # not available in Sysmon data, but Aurora logs
-        CommandLine|contains: 
+        CommandLine|contains:
             - 'svchost.exe -k netsvcs -p -s BITS'
             - 'svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc'
             - 'svchost.exe -k NetworkService -p -s Wecsvc'
             - 'svchost.exe -k netsvcs'
     filter_mscorsvw: #Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
-        Image|startswith: 
+        Image|startswith:
             - C:\Windows\Microsoft.NET\Framework64\v
             - C:\Windows\Microsoft.NET\Framework\v
         Image|endswith: \mscorsvw.exe
     filter_svr_2019:
-        Image: 
+        Image:
             - 'C:\Windows\System32\Configure-SMRemoting.exe'
             - 'C:\Windows\System32\ServerManager.exe'
     filter_nextron:
diff --git a/src/main/resources/rules/windows/network_connection/net_connection_susp_win_binary_no_cmdline.yml b/src/main/resources/rules/windows/network_connection/net_connection_susp_win_binary_no_cmdline.yml
index 3070ecd6c..32b74d4f4 100644
--- a/src/main/resources/rules/windows/network_connection/net_connection_susp_win_binary_no_cmdline.yml
+++ b/src/main/resources/rules/windows/network_connection/net_connection_susp_win_binary_no_cmdline.yml
@@ -12,7 +12,7 @@ logsource:
 detection:
   selection:
     Initiated: 'true'
-    Image|endswith: 
+    Image|endswith:
       - '\regsvr32.exe'
       - '\rundll32.exe'
       - '\dllhost.exe'
diff --git a/src/main/resources/rules/windows/network_connection/net_connection_win_crypto_mining.yml b/src/main/resources/rules/windows/network_connection/net_connection_win_crypto_mining.yml
index 10fbd6fe1..01b69c254 100644
--- a/src/main/resources/rules/windows/network_connection/net_connection_win_crypto_mining.yml
+++ b/src/main/resources/rules/windows/network_connection/net_connection_win_crypto_mining.yml
@@ -11,7 +11,7 @@ logsource:
     product: windows
 detection:
     selection:
-        DestinationHostname: 
+        DestinationHostname:
             - 'pool.minexmr.com'
             - 'fr.minexmr.com'
             - 'de.minexmr.com'
@@ -40,4 +40,4 @@ falsepositives:
 level: high
 tags:
     - attack.impact
-    - attack.t1496
\ No newline at end of file
+    - attack.t1496
diff --git a/src/main/resources/rules/windows/network_connection/net_connection_win_imewdbld.yml b/src/main/resources/rules/windows/network_connection/net_connection_win_imewdbld.yml
index bbd5d676c..e996d5152 100644
--- a/src/main/resources/rules/windows/network_connection/net_connection_win_imewdbld.yml
+++ b/src/main/resources/rules/windows/network_connection/net_connection_win_imewdbld.yml
@@ -20,4 +20,4 @@ falsepositives:
 level: high
 tags:
     - attack.command_and_control
-    - attack.t1105
\ No newline at end of file
+    - attack.t1105
diff --git a/src/main/resources/rules/windows/network_connection/net_connection_win_msiexec.yml b/src/main/resources/rules/windows/network_connection/net_connection_win_msiexec.yml
index 4233f744c..e4c475456 100644
--- a/src/main/resources/rules/windows/network_connection/net_connection_win_msiexec.yml
+++ b/src/main/resources/rules/windows/network_connection/net_connection_win_msiexec.yml
@@ -15,11 +15,11 @@ logsource:
 detection:
   selection:
     Initiated: 'true'
-    Image|endswith: '\msiexec.exe' 
+    Image|endswith: '\msiexec.exe'
   condition: selection
 falsepositives:
   - Legitimate msiexec over networks
 level: medium
 tags:
     - attack.defense_evasion
-    - attack.t1218.007
\ No newline at end of file
+    - attack.t1218.007
diff --git a/src/main/resources/rules/windows/network_connection/net_connection_win_python.yml b/src/main/resources/rules/windows/network_connection/net_connection_win_python.yml
index 5f1b656af..f74eda369 100644
--- a/src/main/resources/rules/windows/network_connection/net_connection_win_python.yml
+++ b/src/main/resources/rules/windows/network_connection/net_connection_win_python.yml
@@ -20,4 +20,4 @@ falsepositives:
 level: high
 tags:
     - attack.discovery
-    - attack.t1046
\ No newline at end of file
+    - attack.t1046
diff --git a/src/main/resources/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml b/src/main/resources/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
index 79d24648f..5102e5bf7 100644
--- a/src/main/resources/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
+++ b/src/main/resources/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
@@ -29,4 +29,4 @@ tags:
     - attack.execution
     - attack.t1559.001
     - attack.defense_evasion
-    - attack.t1218.010
\ No newline at end of file
+    - attack.t1218.010
diff --git a/src/main/resources/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml b/src/main/resources/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml
index 4442ccbe7..ea7ccaada 100644
--- a/src/main/resources/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml
+++ b/src/main/resources/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
    selection:
       Initiated: 'true'
-      DestinationHostname|endswith: 
+      DestinationHostname|endswith:
          - 'api.dropboxapi.com'
          - 'content.dropboxapi.com'
    filter:
diff --git a/src/main/resources/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml b/src/main/resources/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml
index e6f09eb98..8ad5d65cd 100644
--- a/src/main/resources/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml
+++ b/src/main/resources/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml
@@ -3,7 +3,7 @@ id: 9976fa64-2804-423c-8a5b-646ade840773
 status: experimental
 description: |
   Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
-  The data may also be sent to an alternate network location from the main command and control server. 
+  The data may also be sent to an alternate network location from the main command and control server.
 references:
   - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
   - https://www.ietf.org/rfc/rfc2821.txt
@@ -15,7 +15,7 @@ logsource:
   product: windows
 detection:
   selection:
-    DestinationPort: 
+    DestinationPort:
         - 25
         - 587
         - 465
@@ -33,4 +33,4 @@ falsepositives:
 level: medium
 tags:
     - attack.exfiltration
-    - attack.t1048.003
\ No newline at end of file
+    - attack.t1048.003
diff --git a/src/main/resources/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml b/src/main/resources/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml
index d55792423..548eec632 100644
--- a/src/main/resources/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml
+++ b/src/main/resources/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml
@@ -19,7 +19,7 @@ logsource:
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
 detection:
    selection_MSSE:
-      PipeName|contains|all: 
+      PipeName|contains|all:
          - '\MSSE-'
          - '-server'
    selection_postex:
diff --git a/src/main/resources/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml b/src/main/resources/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml
index 0ed419a21..3f0b76b69 100644
--- a/src/main/resources/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml
+++ b/src/main/resources/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml
@@ -24,34 +24,34 @@ logsource:
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
 detection:
    selection:
-      PipeName: 
+      PipeName:
          - '\isapi_http'  # Uroburos Malware
-         - '\isapi_dg'  # Uroburos Malware 
+         - '\isapi_dg'  # Uroburos Malware
          - '\isapi_dg2'  # Uroburos Malware
          - '\sdlrpc'  # Cobra Trojan
          - '\ahexec'  # Sofacy group malware
-         - '\winsession'  # Wild Neutron APT malware 
-         - '\lsassw'  # Wild Neutron APT malware 
-         - '\46a676ab7f179e511e30dd2dc41bd388'  # Project Sauron 
+         - '\winsession'  # Wild Neutron APT malware
+         - '\lsassw'  # Wild Neutron APT malware
+         - '\46a676ab7f179e511e30dd2dc41bd388'  # Project Sauron
          - '\9f81f59bc58452127884ce513865ed20'  # Project Sauron
-         - '\e710f28d59aa529d6792ca6ff0ca1b34'  # Project Sauron 
-         - '\rpchlp_3'  # Project Sauron 
-         - '\NamePipe_MoreWindows'  # Cloud Hopper - RedLeaves 
+         - '\e710f28d59aa529d6792ca6ff0ca1b34'  # Project Sauron
+         - '\rpchlp_3'  # Project Sauron
+         - '\NamePipe_MoreWindows'  # Cloud Hopper - RedLeaves
          - '\pcheap_reuse'  # Pipe used by Equation Group malware
-         - '\gruntsvc' # Covenant default 
+         - '\gruntsvc' # Covenant default
          # - '\status_*' # CS default  https://github.com/Neo23x0/sigma/issues/253
-         - '\583da945-62af-10e8-4902-a8f205c72b2e'  # SolarWinds SUNBURST malware 
-         - '\bizkaz'  # Snatch Ransomware 
-         - '\svcctl' #Crackmapexec smbexec default 
-         - '\Posh*' #PoshC2 default 
-         - '\jaccdpqnvbrrxlaf' #PoshC2 default 
+         - '\583da945-62af-10e8-4902-a8f205c72b2e'  # SolarWinds SUNBURST malware
+         - '\bizkaz'  # Snatch Ransomware
+         - '\svcctl' #Crackmapexec smbexec default
+         - '\Posh*' #PoshC2 default
+         - '\jaccdpqnvbrrxlaf' #PoshC2 default
          - '\csexecsvc' #CSEXEC default
-         - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7'  # LiquidSnake 
-         - '\adschemerpc'  # Turla HyperStack 
+         - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7'  # LiquidSnake
+         - '\adschemerpc'  # Turla HyperStack
          - '\AnonymousPipe'  # Hidden Cobra Hoplight
-         - '\bc367'  # Pacifier 
-         - '\bc31a7'  # Pacifier 
-         - '\testPipe'  # Emissary Panda Hyperbro 
+         - '\bc367'  # Pacifier
+         - '\bc31a7'  # Pacifier
+         - '\testPipe'  # Emissary Panda Hyperbro
          - '\dce_3d' #Qbot
    condition: selection
 tags:
diff --git a/src/main/resources/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml b/src/main/resources/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml
index 20ee7ade7..f794b01e6 100644
--- a/src/main/resources/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml
+++ b/src/main/resources/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml
@@ -18,5 +18,5 @@ falsepositives:
     - Unknown
 level: high
 tags:
-    - attack.t1047 
-    - attack.execution
\ No newline at end of file
+    - attack.t1047
+    - attack.execution
diff --git a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
index af42eb123..285b24179 100644
--- a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
@@ -28,4 +28,4 @@ falsepositives:
     - Programs using PowerShell directly without invocation of a dedicated interpreter
     - MSP Detection Searcher
     - Citrix ConfigSync.ps1
-level: medium 
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml
index b9e8c6e79..42a52cfe2 100644
--- a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml
@@ -24,7 +24,7 @@ detection:
         HostApplication|contains:
             - 'powercat '
             - 'powercat.ps1'
-    condition: selection 
+    condition: selection
 falsepositives:
     - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
index 4ce2aad71..d1916221e 100644
--- a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
@@ -26,4 +26,4 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate use remote PowerShell sessions
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml
index 21bd9de4b..fd28305e9 100644
--- a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml
@@ -35,4 +35,4 @@ fields:
     - ParentCommandLine
 falsepositives:
     - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
index 183154501..5d5b9af66 100644
--- a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
@@ -27,4 +27,4 @@ detection:
     condition: downloadfile or downloadstring
 falsepositives:
     - PowerShell scripts that download content from the Internet
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
index 9f8b0ad7e..5011d11e9 100644
--- a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
@@ -1,4 +1,4 @@
-title: Use Get-NetTCPConnection 
+title: Use Get-NetTCPConnection
 id: b366adb4-d63d-422d-8a2c-186463b5ded0
 status: experimental
 description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
@@ -13,10 +13,10 @@ logsource:
 detection:
     selection:
         HostApplication|contains: Get-NetTCPConnection
-    condition: selection 
+    condition: selection
 falsepositives:
     - Unknown
 level: low
 tags:
     - attack.discovery
-    - attack.t1049
\ No newline at end of file
+    - attack.t1049
diff --git a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
index 70fa976b4..f648428d8 100644
--- a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
@@ -24,7 +24,7 @@ detection:
             - ' -Path '
             - ' -DestinationPath '
             - '$env:TEMP\'
-    condition: selection 
+    condition: selection
 falsepositives:
     - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
index 3fc16fea8..5a935ec9d 100644
--- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
@@ -30,4 +30,4 @@ falsepositives:
     - Programs using PowerShell directly without invocation of a dedicated interpreter
     - MSP Detection Searcher
     - Citrix ConfigSync.ps1
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
index af98c89a7..02efbcd55 100644
--- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
@@ -24,4 +24,4 @@ detection:
     condition: selection_4103
 falsepositives:
     - Unknown
-level: informational
\ No newline at end of file
+level: informational
diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
index baf228bd5..3bdbe17a9 100644
--- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
@@ -21,4 +21,4 @@ detection:
     condition: selection_4103
 falsepositives:
     - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
index 73f8b09f4..50e52f205 100644
--- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
@@ -25,4 +25,4 @@ detection:
     condition: selection_4103
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
index 483b4c343..2f211d1a8 100644
--- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
@@ -2,7 +2,7 @@ title: Invoke-Obfuscation STDIN+ Launcher
 id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3
 related:
     - id: 779c8c12-0eb1-11eb-adc1-0242ac120002
-      type: derived    
+      type: derived
 description: Detects Obfuscated use of stdin to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
@@ -25,4 +25,4 @@ detection:
     condition: selection_4103
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
index 91aec4b61..b6b9c30aa 100644
--- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
@@ -25,4 +25,4 @@ detection:
     condition: selection_4103
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
index a8ad4066e..099fd1085 100644
--- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
@@ -16,7 +16,7 @@ logsource:
     definition: PowerShell Module Logging must be enabled
 detection:
     selection_4103:
-        Payload|contains|all: 
+        Payload|contains|all:
             - 'rundll32.exe'
             - 'shell32.dll'
             - 'shellexec_rundll'
@@ -29,4 +29,4 @@ tags:
     - attack.defense_evasion
     - attack.t1027
     - attack.execution
-    - attack.t1059.001 
+    - attack.t1059.001
diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
index a7861292b..84c716916 100644
--- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
@@ -21,7 +21,7 @@ detection:
             - 'rundll32'
             - 'shell32.dll'
             - 'shellexec_rundll'
-        Payload|contains:    
+        Payload|contains:
             - 'value'
             - 'invoke'
             - 'comspec'
diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_powercat.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_powercat.yml
index ef9261cae..cc1304699 100644
--- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_powercat.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_powercat.yml
@@ -21,7 +21,7 @@ detection:
         ContextInfo|contains:
             - 'powercat '
             - 'powercat.ps1'
-    condition: selection 
+    condition: selection
 falsepositives:
     - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
index 606af813f..987b92358 100644
--- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
@@ -19,8 +19,8 @@ logsource:
 detection:
     selection:
         ContextInfo|contains|all:
-            - ' = ServerRemoteHost ' #  HostName: 'ServerRemoteHost'  french : Nom d’hôte = 
-            - 'wsmprovhost.exe'      #  HostApplication|contains: 'wsmprovhost.exe' french  Application hôte = 
+            - ' = ServerRemoteHost ' #  HostName: 'ServerRemoteHost'  french : Nom d’hôte =
+            - 'wsmprovhost.exe'      #  HostApplication|contains: 'wsmprovhost.exe' french  Application hôte =
     false_positive_1:
         ContextInfo|contains: '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1'
     condition: selection and not 1 of false_positive*
diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml
index b5f3c115a..99fd7801d 100644
--- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml
@@ -1,9 +1,9 @@
-title: Suspicious Get Information for AD Groups or DoesNotRequirePreAuth User 
+title: Suspicious Get Information for AD Groups or DoesNotRequirePreAuth User
 id: 815bfc17-7fc6-4908-a55e-2f37b98cedb4
 description: |
   Adversaries may attempt to find domain-level groups and permission settings.
   The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
-  Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. 
+  Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md
 status: experimental
@@ -33,4 +33,4 @@ falsepositives:
 level: low
 tags:
     - attack.discovery
-    - attack.t1069.001
\ No newline at end of file
+    - attack.t1069.001
diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
index cd9751e11..e265f181f 100644
--- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
@@ -32,4 +32,4 @@ fields:
     - ParentCommandLine
 falsepositives:
     - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
index 598a3549e..613488c01 100644
--- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
@@ -24,4 +24,4 @@ detection:
     condition: webclient and download
 falsepositives:
     - PowerShell scripts that download content from the Internet
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
index 39394b907..32b72a2f5 100644
--- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
@@ -1,4 +1,4 @@
-title: Use Get-NetTCPConnection 
+title: Use Get-NetTCPConnection
 id: aff815cc-e400-4bf0-a47a-5d8a2407d4e1
 status: experimental
 description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
@@ -13,10 +13,10 @@ logsource:
 detection:
     selection:
         ContextInfo|contains: 'Get-NetTCPConnection'
-    condition: selection 
+    condition: selection
 falsepositives:
     - Unknown
 level: low
 tags:
     - attack.discovery
-    - attack.t1049
\ No newline at end of file
+    - attack.t1049
diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml
index 4e9033945..164442de5 100644
--- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml
@@ -3,7 +3,7 @@ id: cef24b90-dddc-4ae1-a09a-8764872f69fc
 description: |
     Adversaries may attempt to find local system groups and permission settings.
     The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
-    Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. 
+    Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
 status: experimental
@@ -33,4 +33,4 @@ falsepositives:
 level: low
 tags:
     - attack.discovery
-    - attack.t1069.001
\ No newline at end of file
+    - attack.t1069.001
diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
index 801228c9d..044061b79 100644
--- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
@@ -15,8 +15,8 @@ detection:
         ContextInfo|contains: 'Reset-ComputerMachinePassword'
     condition: selection
 falsepositives:
-    - Administrator PowerShell scripts 
+    - Administrator PowerShell scripts
 level: medium
 tags:
     - attack.initial_access
-    - attack.t1078
\ No newline at end of file
+    - attack.t1078
diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
index 7dcc21f35..f1a8d129d 100644
--- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
@@ -3,7 +3,7 @@ id: 6942bd25-5970-40ab-af49-944247103358
 description: |
   Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and
   to identify potential systems of interest for Lateral Movement.
-  Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. 
+  Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md
 status: experimental
@@ -22,4 +22,4 @@ falsepositives:
 level: low
 tags:
     - attack.discovery
-    - attack.t1069.001
\ No newline at end of file
+    - attack.t1069.001
diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
index 11dae35ce..62e7b3f06 100644
--- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
@@ -24,4 +24,4 @@ detection:
     condition: selection
 falsepositives:
     - App-V clients
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
index 71c604502..3668a234f 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
@@ -18,11 +18,11 @@ logsource:
     definition: Script block logging must be enabled
 detection:
     selection_cmd:
-        ScriptBlockText|contains|all: 
+        ScriptBlockText|contains|all:
             - Copy-Item
             - '-Destination'
     selection_path:
-        ScriptBlockText|contains: 
+        ScriptBlockText|contains:
             - '\Opera Software\Opera Stable\Login Data'
             - '\Mozilla\Firefox\Profiles'
             - '\Microsoft\Edge\User Data\Default'
@@ -34,4 +34,4 @@ falsepositives:
 level: medium
 tags:
     - attack.credential_access
-    - attack.t1555.003
\ No newline at end of file
+    - attack.t1555.003
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
index 799b4e99c..1aa963ff0 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
@@ -1,7 +1,7 @@
 title: PowerShell ADRecon Execution
 id: bf72941a-cba0-41ea-b18c-9aca3925690d
 status: experimental
-description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7 
+description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7
 references:
     - https://github.com/sense-of-security/ADRecon
     - https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml
index f76e0c978..a219f672c 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml
@@ -1,4 +1,4 @@
-title: Get-ADUser Enumeration Using UserAccountControl Flags 
+title: Get-ADUser Enumeration Using UserAccountControl Flags
 id: 96c982fe-3d08-4df4-bed2-eb14e02f21c8
 status: experimental
 description: Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.
@@ -14,12 +14,12 @@ logsource:
 detection:
     selection:
         #4194304 DONT_REQ_PREAUTH
-        ScriptBlockText|contains|all: 
+        ScriptBlockText|contains|all:
             - 'Get-ADUser'
             - '-Filter'
             - 'useraccountcontrol'
             - '-band'
-            - '4194304' 
+            - '4194304'
     condition: selection
 falsepositives:
     - Legitimate PowerShell scripts
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml
index 8c8880442..ae25086d7 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml
@@ -23,4 +23,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
index 3f5bab8a1..c181b4e0b 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
@@ -12,7 +12,7 @@ logsource:
     category: ps_script
 detection:
     selection_cmdlet:
-        ScriptBlockText|contains: 
+        ScriptBlockText|contains:
             - 'New-ScheduledTaskAction'
             - 'New-ScheduledTaskTrigger'
             - 'New-ScheduledTaskPrincipal'
@@ -31,5 +31,5 @@ falsepositives:
   - Unknown
 level: medium
 tags:
-  - attack.persistence 
-  - attack.t1053.005
\ No newline at end of file
+  - attack.persistence
+  - attack.t1053.005
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml
index 600e33579..734b29785 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml
@@ -21,4 +21,4 @@ falsepositives:
 level: high
 tags:
     - attack.credential_access
-    - attack.t1556.002
\ No newline at end of file
+    - attack.t1556.002
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
index 49c656f18..604ca9a53 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
@@ -6,7 +6,7 @@ description: |
   The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).
   These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.
   (Citation: Microsoft Profiling Mar 2017)
-  (Citation: Microsoft COR_PROFILER Feb 2013) 
+  (Citation: Microsoft COR_PROFILER Feb 2013)
 author: frack113
 date: 2021/12/30
 references:
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
index ab12a9c07..2180d16e4 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
@@ -8,7 +8,7 @@ tags:
     - attack.execution
     - attack.t1059.001
     - attack.persistence
-    - attack.t1136.001  
+    - attack.t1136.001
 author: '@ROxPinTeddy'
 date: 2020/04/11
 modified: 2021/10/16
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
index 6c098c110..897fe2a92 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
@@ -23,4 +23,4 @@ falsepositives:
 level: high
 tags:
     - attack.credential_access
-    - attack.t1003.003 
+    - attack.t1003.003
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
index 0ce4802c0..63a080f64 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
@@ -17,11 +17,11 @@ logsource:
     definition: EnableScriptBlockLogging must be set to enable
 detection:
     selection_action:
-        ScriptBlockText|contains: 
+        ScriptBlockText|contains:
             - Get-WmiObject
             - gwmi
     selection_module:
-        ScriptBlockText|contains: 
+        ScriptBlockText|contains:
             - MSAcpi_ThermalZoneTemperature
             - Win32_ComputerSystem
     condition: all of selection*
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml
index fac4d03e1..fe83b4807 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml
@@ -14,7 +14,7 @@ logsource:
     definition: Script block logging must be enabled
 detection:
     selection_kiddie:
-        ScriptBlockText|contains: 
+        ScriptBlockText|contains:
             - 'Get-PasswordVaultCredentials'
             - 'Get-CredManCreds'
     selection_rename_Password:
@@ -34,4 +34,4 @@ falsepositives:
 level: medium
 tags:
     - attack.credential_access
-    - attack.t1555
\ No newline at end of file
+    - attack.t1555
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml
index 5a5d0f0c0..091c18d97 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml
@@ -1,7 +1,7 @@
 title: Enable Windows Remote Management
 id: 991a9744-f2f0-44f2-bd33-9092eba17dc3
 status: experimental
-description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. 
+description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management
     - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml
index dca1798f0..f0b742a4e 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml
@@ -14,7 +14,7 @@ logsource:
     definition: Script block logging must be enabled
 detection:
     selection_cmd:
-        ScriptBlockText|contains|all: 
+        ScriptBlockText|contains|all:
             - vaultcmd
             - '/listcreds:'
     selection_option:
@@ -27,4 +27,4 @@ falsepositives:
 level: medium
 tags:
     - attack.credential_access
-    - attack.t1555
\ No newline at end of file
+    - attack.t1555
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
index e639d7baf..40211e6b8 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
@@ -3,7 +3,7 @@ id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
 description: |
   Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
   Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,
-  including whether or not the adversary fully infects the target and/or attempts specific actions. 
+  including whether or not the adversary fully infects the target and/or attempts specific actions.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
 status: experimental
@@ -14,7 +14,7 @@ logsource:
     category: ps_script
 detection:
     selection:
-        ScriptBlockText|contains: 
+        ScriptBlockText|contains:
             - ls
             - get-childitem
             - gci
@@ -26,4 +26,4 @@ falsepositives:
 level: low
 tags:
     - attack.discovery
-    - attack.t1083
\ No newline at end of file
+    - attack.t1083
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
index 0664cf3ce..49e0b6d9c 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
@@ -1,4 +1,4 @@
-title: Service Registry Permissions Weakness Check 
+title: Service Registry Permissions Weakness Check
 id: 95afc12e-3cbb-40c3-9340-84a032e596a3
 status: experimental
 description: |
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
index 2518b05ed..28e7efa15 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
@@ -1,9 +1,9 @@
 title: Suspicious Get-ADReplAccount
 id: 060c3ef1-fd0a-4091-bf46-e7d625f60b73
 status: experimental
-description: 
+description:
   The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.
-  These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. 
+  These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
 date: 2022/02/06
 author: frack113
 references:
@@ -15,7 +15,7 @@ logsource:
     definition: Script block logging must be enabled
 detection:
     selection:
-        ScriptBlockText|contains|all: 
+        ScriptBlockText|contains|all:
             - Get-ADReplAccount
             - '-All '
             - '-Server '
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml
index f6a1ad514..8eb259f39 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml
@@ -19,7 +19,7 @@ detection:
             - 'Get-ChildItem'
             - ' -Recurse '
             - ' -Path '
-            - ' -Filter Bookmarks' 
+            - ' -Filter Bookmarks'
             - ' -ErrorAction SilentlyContinue'
             - ' -Force'
     condition: selection
@@ -29,4 +29,3 @@ level: low
 tags:
     - attack.discovery
     - attack.t1217
-
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
index 298d4ba4b..c387e0af4 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
@@ -1,7 +1,7 @@
 title: Execute Invoke-command on Remote Host
 id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6
 status: experimental
-description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. 
+description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command
     - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
index b4aa1b056..366fdfe36 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
@@ -22,4 +22,4 @@ detection:
     condition: selection_4104
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
index 334e424a2..4a543c4c4 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
@@ -22,4 +22,4 @@ detection:
     condition: selection_4104
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
index ae25eadb5..48972bb50 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
@@ -22,4 +22,4 @@ detection:
     condition: selection_4104
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
index e855b695c..28bf3e0dc 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
@@ -13,10 +13,10 @@ logsource:
     definition: Script block logging must be enabled
 detection:
     selection_4104:
-        ScriptBlockText|contains|all: 
+        ScriptBlockText|contains|all:
             - 'new-object'
             - 'text.encoding]::ascii'
-        ScriptBlockText|contains: 
+        ScriptBlockText|contains:
             - 'system.io.compression.deflatestream'
             - 'system.io.streamreader'
         ScriptBlockText|endswith: 'readtoend'
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
index 6e2b8b568..07d8dda35 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
@@ -17,7 +17,7 @@ logsource:
     definition: EnableScriptBlockLogging must be set to enable
 detection:
     selection_basic:
-        ScriptBlockText|contains: 'Get-Keystrokes'    
+        ScriptBlockText|contains: 'Get-Keystrokes'
     selection_high: # want to run in background and keyboard
         ScriptBlockText|contains|all:
             - 'Get-ProcAddress user32.dll GetAsyncKeyState'
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
index 7c532498b..6b9458323 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
@@ -20,6 +20,6 @@ detection:
     selection:
         ScriptBlockText|contains: 'PromptForCredential'
     condition: selection
-falsepositives: 
+falsepositives:
     - Unknown
 level: high
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
index bbc104ada..65fe0f938 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
@@ -21,4 +21,4 @@ falsepositives:
 level: high
 tags:
     - attack.credential_access
-    - attack.t1558.003
\ No newline at end of file
+    - attack.t1558.003
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
index 1dfe52048..b204d7129 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
@@ -26,4 +26,4 @@ detection:
     condition: selection1 or selection2
 level: medium
 falsepositives:
-    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
\ No newline at end of file
+    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml
index 08bf14405..be121b39f 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml
@@ -31,4 +31,3 @@ level: low
 tags:
     - attack.discovery
     - attack.t1518.001
-
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
index 55560cea3..98fa104c1 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
@@ -3,7 +3,7 @@ id: 9a7afa56-4762-43eb-807d-c3dc9ffe211b
 status: experimental
 description: |
   Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
-  The data may also be sent to an alternate network location from the main command and control server. 
+  The data may also be sent to an alternate network location from the main command and control server.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
     - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
index 6db433c5c..d0bf59f69 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
@@ -32,4 +32,4 @@ detection:
     condition: cmdlet and option and not filter
 falsepositives:
     - Administrator script
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
index c299fe7e3..53d1d8ad4 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
@@ -16,7 +16,7 @@ logsource:
     definition: EnableScriptBlockLogging must be set to enable
 detection:
     selection_compspec:
-        ScriptBlockText|contains|all: 
+        ScriptBlockText|contains|all:
             - 'Start-Process'
             - '-FilePath "$env:comspec" '
             - '-ArgumentList '
@@ -24,4 +24,4 @@ detection:
     condition: selection_compspec
 falsepositives:
     - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
index 23da97199..9ace3769e 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
@@ -1,9 +1,9 @@
-title: Suspicious Get Information for AD Groups or DoesNotRequirePreAuth User 
+title: Suspicious Get Information for AD Groups or DoesNotRequirePreAuth User
 id: 88f0884b-331d-403d-a3a1-b668cf035603
 description: |
   Adversaries may attempt to find domain-level groups and permission settings.
   The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
-  Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. 
+  Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md
 status: experimental
@@ -20,11 +20,11 @@ detection:
             - get-aduser
             - '-f '
             - '-pr '
-            - DoesNotRequirePreAuth 
+            - DoesNotRequirePreAuth
     condition: 1 of test_*
 falsepositives:
     - Unknown
 level: low
 tags:
     - attack.discovery
-    - attack.t1069.001
\ No newline at end of file
+    - attack.t1069.001
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
index f291e4a53..64f384a08 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
@@ -24,7 +24,7 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate PowerShell scripts
-level: medium 
+level: medium
 tags:
     - attack.discovery
     - attack.t1083
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
index b533bf04b..816e8ea86 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
@@ -24,4 +24,4 @@ detection:
     condition: webclient and download
 falsepositives:
     - PowerShell scripts that download content from the Internet
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
index 6c9bd060f..516cf747c 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
@@ -27,4 +27,4 @@ falsepositives:
 level: medium
 tags:
     - attack.execution
-    - attack.t1059.003
\ No newline at end of file
+    - attack.t1059.003
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
index b8be6f52d..cf140767f 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
@@ -26,4 +26,4 @@ falsepositives:
 level: medium
 tags:
     - attack.credential_access
-    - attack.t1552.001
\ No newline at end of file
+    - attack.t1552.001
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml
index 6dc8e7ace..1f220fcb7 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml
@@ -22,4 +22,3 @@ level: low
 tags:
     - attack.discovery
     - attack.t1018
-
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml
index ecb0a5a27..f11c3655d 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml
@@ -22,4 +22,3 @@ level: low
 tags:
     - attack.discovery
     - attack.t1069.002
-
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
index 2477e7898..0b03fc80c 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
@@ -5,7 +5,7 @@ author: frack113
 date: 2022/01/23
 description: |
   Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
-  Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. 
+  Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
 logsource:
@@ -24,4 +24,3 @@ level: medium
 tags:
     - attack.command_and_control
     - attack.t1071.001
-
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
index f81018dbe..76b352066 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
@@ -14,7 +14,7 @@ logsource:
 detection:
     selection:
         ScriptBlockText|contains|all:
-            - New-Object 
+            - New-Object
             - IO.FileStream
             - '\\\\.\\'
     condition: selection
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
index d613d7246..77b95ed88 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
@@ -27,4 +27,4 @@ falsepositives:
 level: low
 tags:
     - attack.discovery
-    - attack.t1069.001
\ No newline at end of file
+    - attack.t1069.001
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
index b89413bba..f6838768d 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
@@ -4,7 +4,7 @@ status: experimental
 author: frack113
 date: 2021/07/21
 modified: 2021/10/16
-description: Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files. 
+description: Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md
 tags:
@@ -21,7 +21,7 @@ detection:
             - 'Microsoft.Office.Interop.Outlook'
             - 'Microsoft.Office.Interop.Outlook.olDefaultFolders'
             - '-comobject outlook.application'
-    condition: selection 
+    condition: selection
 falsepositives:
     - Unknown
 level: medium
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
index c5d2142b3..1e2b477ef 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
@@ -23,4 +23,4 @@ falsepositives:
 level: low
 tags:
     - attack.credential_access
-    - attack.t1110.001
\ No newline at end of file
+    - attack.t1110.001
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
index 7a45d7ab6..81d7735a7 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
@@ -1,6 +1,6 @@
 title: Suspicious New-PSDrive to Admin Share
 id: 1c563233-030e-4a07-af8c-ee0490a66d3a
-description: Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. 
+description: Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell
     - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
@@ -25,4 +25,4 @@ falsepositives:
 level: medium
 tags:
     - attack.lateral_movement
-    - attack.t1021.002
\ No newline at end of file
+    - attack.t1021.002
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
index b58fc1988..612144471 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
@@ -5,7 +5,7 @@ author: frack113
 date: 2021/12/26
 description: |
   Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
-  Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. 
+  Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
 logsource:
@@ -17,7 +17,7 @@ detection:
         ScriptBlockText|contains|all:
             - 'Remove-ADGroupMember'
             - '-Identity '
-            - '-Members ' 
+            - '-Members '
     condition: selection
 falsepositives:
     - Unknown
@@ -25,4 +25,3 @@ level: medium
 tags:
     - attack.impact
     - attack.t1531
-
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
index 6800f9f92..039832956 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
@@ -3,7 +3,7 @@ id: 95f0643a-ed40-467c-806b-aac9542ec5ab
 description: |
   Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and
   to identify potential systems of interest for Lateral Movement.
-  Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. 
+  Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md
 status: experimental
@@ -21,4 +21,4 @@ falsepositives:
 level: low
 tags:
     - attack.discovery
-    - attack.t1069.001
\ No newline at end of file
+    - attack.t1069.001
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
index ff6cadd46..15b142c7f 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
@@ -16,7 +16,7 @@ detection:
             - System.Net.Security.SslStream
             - Net.Security.RemoteCertificateValidationCallback
             - '.AuthenticateAsClient'
-    condition: selection 
+    condition: selection
 falsepositives:
   - Legitimate administrative script
 level: low
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
index 543556f4c..c5aaf2895 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
@@ -17,7 +17,7 @@ detection:
         ScriptBlockText|contains|all:
             - 'Get-ItemProperty'
             - 'Registry::'
-            - 'HKEY_CURRENT_USER\Control Panel\Desktop\' 
+            - 'HKEY_CURRENT_USER\Control Panel\Desktop\'
             - 'WallPaper'
     selection_2:
         ScriptBlockText|contains: SystemParametersInfo(20,0,*,3)
@@ -28,4 +28,3 @@ level: low
 tags:
     - attack.impact
     - attack.t1491.001
-
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml
index 1a394505a..82241fb7b 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml
@@ -4,7 +4,7 @@ status: experimental
 author: frack113
 date: 2021/08/23
 modified: 2021/10/16
-description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. 
+description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md
 tags:
@@ -20,4 +20,4 @@ detection:
     condition: selection
 falsepositives:
     - Admin script
-level: low
\ No newline at end of file
+level: low
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
index 862a0d9c0..a19f3895c 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
@@ -15,7 +15,7 @@ detection:
         ScriptBlockText|contains|all:
             - 'Get-WmiObject'
             - 'Win32_Shadowcopy'
-            - '.Delete()' 
+            - '.Delete()'
     condition: selection
 falsepositives:
     - Unknown
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
index da2d506fd..83b97f656 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
@@ -14,11 +14,11 @@ logsource:
     category: ps_script
 detection:
     selection:
-        ScriptBlockText|contains|all: 
+        ScriptBlockText|contains|all:
             - 'powershell'
             - 'WindowStyle'
             - 'Hidden'
     condition: selection
 falsepositives:
     - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
index 49bfae4ab..4a9ef0e2f 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
@@ -24,4 +24,4 @@ detection:
     condition: selection
 falsepositives:
     - App-V clients
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
index 0585dba7f..c711828fe 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
@@ -3,7 +3,7 @@ id: adf876b3-f1f8-4aa9-a4e4-a64106feec06
 status: experimental
 description: |
   Adversaries may communicate using a protocol and port paring that are typically not associated.
-  For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. 
+  For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell
     - https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
index ac9457f21..4059395bb 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
@@ -4,7 +4,7 @@ status: experimental
 author: frack113
 date: 2021/08/03
 modified: 2021/10/16
-description: Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. 
+description: Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
     - https://www.offensive-security.com/metasploit-unleashed/timestomp/
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml
index 99083248d..4e4ff9649 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml
@@ -19,11 +19,11 @@ detection:
         ScriptBlockText|contains|all:
             - 'Add-Content'
             - '$profile'
-            - '-Value' 
-        ScriptBlockText|contains: 
+            - '-Value'
+        ScriptBlockText|contains:
             - 'Start-Process'
             - '""'  #cleanup action
     condition: selection
 falsepositives:
     - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
index a245cab0b..d049f3be2 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
@@ -13,7 +13,7 @@ references:
 logsource:
       product: windows
       category: ps_script
-detection: 
+detection:
     selection:
         ScriptBlockText|contains|all:
             - Set-NetFirewallProfile
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
index b52c9b8a4..d6df2ed44 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
@@ -24,4 +24,4 @@ falsepositives:
 level: medium
 tags:
     - attack.persistence
-    - attack.t1547.004
\ No newline at end of file
+    - attack.t1547.004
diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
index 65677d9dc..8091fff0d 100644
--- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
+++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
@@ -4,7 +4,7 @@ status: experimental
 author: frack113
 date: 2021/08/19
 modified: 2021/10/16
-description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. 
+description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md
     - https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
@@ -17,17 +17,17 @@ logsource:
     definition: EnableScriptBlockLogging must be set to enable
 detection:
     selection_ioc:
-        - ScriptBlockText|contains|all: 
+        - ScriptBlockText|contains|all:
             - 'New-CimInstance '
             - '-Namespace root/subscription '
             - '-ClassName __EventFilter '
-            - '-Property ' #is a variable name 
+            - '-Property ' #is a variable name
         - ScriptBlockText|contains|all:
             - 'New-CimInstance '
             - '-Namespace root/subscription '
             - '-ClassName CommandLineEventConsumer '
-            - '-Property ' #is a variable name 
+            - '-Property ' #is a variable name
     condition: selection_ioc
 falsepositives:
     - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml b/src/main/resources/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml
index 181ec14a3..f29719782 100644
--- a/src/main/resources/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml
+++ b/src/main/resources/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml
@@ -13,9 +13,9 @@ detection:
     selection:
         TargetImage|endswith: '\lsass.exe' # Theoretically, can be any benign process holding handle to LSASS
         GrantedAccess: '0x1440' # Only PROCESS_DUP_HANDLE, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_QUERY_INFORMATION
-    
+
     call_trace:  # C:\Windows\SYSTEM32\ntdll.dll+9d234\|UNKNOWN(00000000001C119B)
-        CallTrace|startswith: 'C:\Windows\System32\ntdll.dll+' 
+        CallTrace|startswith: 'C:\Windows\System32\ntdll.dll+'
         CallTrace|contains: '|UNKNOWN('
         CallTrace|endswith: ')'
     condition: selection and call_trace
diff --git a/src/main/resources/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml b/src/main/resources/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml
index 5fe6da531..54e9202ae 100644
--- a/src/main/resources/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml
+++ b/src/main/resources/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml
@@ -14,9 +14,9 @@ logsource:
     category: process_access
     product: windows
 detection:
-    selection: 
+    selection:
         TargetImage|endswith: '\lsass.exe'
-        CallTrace|contains|all: 
+        CallTrace|contains|all:
             - 'C:\\Windows\\SYSTEM32\\ntdll.dll+'
             - '|C:\\Windows\\System32\\KERNELBASE.dll+'
             - '_ctypes.pyd+'
diff --git a/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump.yml b/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump.yml
index 6ae6c2ee1..86e14c192 100644
--- a/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump.yml
+++ b/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump.yml
@@ -43,4 +43,4 @@ detection:
     condition: selection and not 1 of filter*
 falsepositives:
     - False positives are present when looking for 0x1410. Exclusions may be required.
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml b/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml
index 8aa0e4c52..45526792a 100644
--- a/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml
+++ b/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml
@@ -18,8 +18,8 @@ logsource:
 detection:
     selection:
         TargetImage|endswith: '\lsass.exe'
-        SourceImage|endswith: 
-            - '\TrolleyExpress.exe'  # Citrix 
+        SourceImage|endswith:
+            - '\TrolleyExpress.exe'  # Citrix
             - '\ProcessDump.exe'     # Cisco Jabber
             - '\dump64.exe'          # Visual Studio
         GrantedAccess|endswith:
@@ -52,4 +52,4 @@ detection:
     condition: selection
 falsepositives:
     - Unlikely, since these tools shouldn't access lsass.exe at all
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml b/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml
index ea79a4243..7036a2bcc 100644
--- a/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml
+++ b/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml
@@ -48,4 +48,4 @@ detection:
     condition: selection
 falsepositives:
     - Rare programs that contain the word dump in their name and access lsass
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml b/src/main/resources/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml
index 53b05c85e..ace45af4d 100644
--- a/src/main/resources/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml
+++ b/src/main/resources/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml
@@ -13,9 +13,9 @@ logsource:
     category: process_access
     product: windows
 detection:
-    selection: 
+    selection:
         TargetImage|endswith: '\lsass.exe'
-        CallTrace|contains|all: 
+        CallTrace|contains|all:
             - 'C:\Windows\SYSTEM32\ntdll.dll+'
             - 'C:\Windows\System32\KERNELBASE.dll+'
             - 'libffi-7.dll'
@@ -25,4 +25,4 @@ detection:
     condition: selection
 level: critical
 falsepositives:
-    - Unknown
\ No newline at end of file
+    - Unknown
diff --git a/src/main/resources/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml b/src/main/resources/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml
index 167885c57..4fe2e10f8 100644
--- a/src/main/resources/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml
+++ b/src/main/resources/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml
@@ -15,7 +15,7 @@ detection:
     selection_memory:
         GrantedAccess: '0x143a'
     filter_trusted_process_access:
-        SourceImage|endswith: 
+        SourceImage|endswith:
           - '*\services.exe'
           - '*\msiexec.exe'
     condition: selection_process and selection_memory and not filter_trusted_process_access
diff --git a/src/main/resources/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml b/src/main/resources/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml
index 171a30883..190438d77 100644
--- a/src/main/resources/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml
+++ b/src/main/resources/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml
@@ -13,11 +13,11 @@ logsource:
     product: windows
 detection:
     selection:
-        GrantedAccess: 
+        GrantedAccess:
             - '0x147a'
             - '0x1f3fff'
         CallTrace|contains: 'UNKNOWN'
     condition: selection
 falsepositives:
     - Empire's csharp_exe payload uses 0x1f3fff for process enumeration as well
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml
index 817143908..610dd49e8 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml
@@ -22,7 +22,7 @@ logsource:
     category: process_creation
 detection:
     selection:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - 'schtasks'
             - '\Application Experience\Microsoft Compatibility Appraiser'
     condition: selection
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml
index 93d568e96..aa8388f20 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml
@@ -18,7 +18,7 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains:  
+        CommandLine|contains:
             - 'domainlist'
             - 'trustdmp'
             - 'dcmodes'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml
index badd22c44..c54e305fe 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml
@@ -37,7 +37,7 @@ detection:
             - ' /y '
             - ' /d '
             - ' /o '
-    condition: selection_stream and (1 of selection_tools_*) 
+    condition: selection_stream and (1 of selection_tools_*)
 falsepositives:
     - Unknown
 level: medium
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk.yml
index ab64b9b31..c623859af 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk.yml
@@ -4,7 +4,7 @@ status: experimental
 description: |
   An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
   These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) 
+  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
 author: frack113
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml
index 4cf3b46ed..33c429734 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml
@@ -14,7 +14,7 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - '--install'
             - '--start-with-win'
             - '--silent'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml
index 275c219cf..d0d8be62a 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml
@@ -4,7 +4,7 @@ status: experimental
 description: |
   An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
   These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) 
+  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
 author: Florian Roth
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_actinium_persistence.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_actinium_persistence.yml
index f32610c6b..2a018c3f9 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_actinium_persistence.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_actinium_persistence.yml
@@ -23,7 +23,7 @@ fields:
 falsepositives:
   - Unlikely
 level: high
-tags: 
+tags:
     - attack.persistence
     - attack.t1053
     - attack.t1053.005
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml
index a831dbe8d..4e52d620c 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml
@@ -26,7 +26,7 @@ logsource:
 detection:
     selection_process0:
         CommandLine|contains: '\Service.exe'
-        CommandLine|endswith: 
+        CommandLine|endswith:
             - 'i'
             - 'u'
     selection_process1:
@@ -36,7 +36,7 @@ detection:
         Image|contains: '\Windows\Temp\DB\'
         Image|endswith: '.exe'
     selection_process3:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - '\nslookup.exe'
             - '-q=TXT'
         ParentImage|contains: '\Autoit'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gallium.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gallium.yml
index ffabc8685..551a1f74f 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gallium.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gallium.yml
@@ -29,4 +29,4 @@ detection:
     condition: legitimate_executable and not legitimate_process_path
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml
index 3edf95205..907c72e52 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml
@@ -10,7 +10,7 @@ references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
 tags:
     - attack.credential_access
-    - attack.t1212 
+    - attack.t1212
     - attack.command_and_control
     - attack.t1071
 logsource:
@@ -41,4 +41,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml
index c4c312d17..e575abcb4 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml
@@ -21,7 +21,7 @@ detection:
             - '-autoreconnect '
             - '-connect '
             - '-id:'
-    condition: selection 
+    condition: selection
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml
index aba2a631d..66419bf7a 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml
@@ -30,7 +30,7 @@ detection:
         CommandLine|contains|all:
             - 'vssadmin list shadows'
             - 'Temp\__output'
-    selection4: 
+    selection4:
         CommandLine|contains: '%TEMP%\execute.bat'
     selection5:
         Image|endswith: 'Users\Public\opera\Opera_browser.exe'
@@ -52,11 +52,11 @@ detection:
             - 'Microsoft\Exchange Server\'
             - 'inetpub\wwwroot'
     selection10:
-        CommandLine|contains: 
+        CommandLine|contains:
             - '\Temp\xx.bat'
             - 'Windows\WwanSvcdcs'
             - 'Windows\Temp\cw.exe'
-    selection11: 
+    selection11:
         CommandLine|contains|all:
             - '\comsvcs.dll'
             - 'Minidump'
@@ -71,6 +71,6 @@ falsepositives:
     - Unknown
 level: high
 tags:
-    - attack.persistence 
+    - attack.persistence
     - attack.t1546
-    - attack.t1053 
\ No newline at end of file
+    - attack.t1053
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml
index 5de08498b..36f33bd8f 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml
@@ -13,7 +13,7 @@ logsource:
   product: windows
 detection:
   selection1:
-        # Ke3chang and TidePool both modify the IEHarden registry key, as well as the following list of keys. 
+        # Ke3chang and TidePool both modify the IEHarden registry key, as well as the following list of keys.
         # Setting these registry keys is unique to the Ke3chang and TidePool malware families.
         # HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations
         # HKCU\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml
index b6c6b6aef..8124b9920 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml
@@ -28,4 +28,4 @@ detection:
     condition: 1 of selection*
 falsepositives:
     - Should not be any false positives
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml
index 95d5e2288..7cbf61784 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml
@@ -8,7 +8,7 @@ references:
 tags:
     - attack.g0032
     - attack.execution
-    - attack.t1059 
+    - attack.t1059
 author: Florian Roth, wagga
 date: 2020/12/23
 modified: 2021/06/27
@@ -17,7 +17,7 @@ logsource:
     product: windows
 detection:
     selection_cmd1:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - 'cmd.exe /c '
             - ' -p 0x'
     selection_cmd2:
@@ -25,7 +25,7 @@ detection:
             - 'C:\ProgramData\'
             - 'C:\RECYCLER\'
     selection_rundll1:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - 'rundll32.exe '
             - 'C:\ProgramData\'
     selection_rundll2:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml
index 6e04b4af0..ebdc98e0b 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml
@@ -26,4 +26,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml
index 120eaa9c6..2b3d0f50e 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml
@@ -28,4 +28,4 @@ detection:
    condition: selection
 level: critical
 falsepositives:
-   - Unknown
\ No newline at end of file
+   - Unknown
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml
index 86ddd5b56..22f09208c 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml
@@ -44,4 +44,4 @@ detection:
     condition: selection1 or selection2 or selection3 or selection4 or ( specific1 and not filter1 )
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml
index 27dc40646..b0bf138df 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml
@@ -19,14 +19,14 @@ logsource:
     product: windows
 detection:
     selection1:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - 'Invoke-WMIMethod win32_process -name create -argumentlist'
             - 'rundll32 c:\windows'
     selection2:
-         CommandLine|contains|all: 
+         CommandLine|contains|all:
             - 'wmic /node:'
-            - 'process call create "rundll32 c:\windows'   
+            - 'process call create "rundll32 c:\windows'
     condition: selection1 or selection2
 falsepositives:
     - Unknown, unlikely, but possible
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_wocao.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_wocao.yml
index 8897c3feb..5aeb7d762 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_wocao.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_wocao.yml
@@ -10,7 +10,7 @@ references:
     - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
     - https://twitter.com/SBousseaden/status/1207671369963646976
 tags:
-    - attack.discovery 
+    - attack.discovery
     - attack.t1012
     - attack.defense_evasion
     - attack.t1036.004
@@ -25,7 +25,7 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains: 
+        CommandLine|contains:
             - 'checkadmin.exe 127.0.0.1 -all'
             - 'netsh advfirewall firewall add rule name=powershell dir=in'
             - 'cmd /c powershell.exe -ep bypass -file c:\s.ps1'
@@ -39,4 +39,4 @@ detection:
     condition: selection
 falsepositives:
     - Administrators that use checkadmin.exe tool to enumerate local administrators
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml
index f31bf7fe5..20b74d7fe 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml
@@ -7,7 +7,7 @@ date: 2020/03/13
 modified: 2022/04/14
 references:
     - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
-tags: 
+tags:
     - attack.t1204
     - attack.t1566.001
     - attack.execution
@@ -21,9 +21,9 @@ detection:
     filter:
         CommandLine|contains: 'immersivecontrolpanel'
     condition: selection and not filter
-falsepositives: 
+falsepositives:
     - Unknown
-fields: 
+fields:
     - ParentProcess
     - CommandLine
     - ParentCommandLine
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_attrib_system.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_attrib_system.yml
index 36d0cb0d8..f12680402 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_attrib_system.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_attrib_system.yml
@@ -20,4 +20,4 @@ falsepositives:
 level: low
 tags:
     - attack.defense_evasion
-    - attack.t1564.001
\ No newline at end of file
+    - attack.t1564.001
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
index 8c2ea4c57..0652c0250 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
@@ -42,4 +42,4 @@ falsepositives:
 level: high
 tags:
     - attack.defense_evasion
-    - attack.t1564.001
\ No newline at end of file
+    - attack.t1564.001
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_automated_collection.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_automated_collection.yml
index 05550d6de..882e7da6b 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_automated_collection.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_automated_collection.yml
@@ -29,7 +29,7 @@ detection:
             - ' /s '
     selection_findstr:
         OriginalFileName: FINDSTR.EXE
-        CommandLine|contains: 
+        CommandLine|contains:
             - ' /e '
             - ' /si '
     condition: selection_ext and (selection_dir or selection_findstr)
@@ -40,4 +40,4 @@ tags:
     - attack.collection
     - attack.t1119
     - attack.credential_access
-    - attack.t1552.001
\ No newline at end of file
+    - attack.t1552.001
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml
index 7aa6fba00..f4bb79986 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml
@@ -37,4 +37,4 @@ fields:
   - CommandLine
 falsepositives:
   - Unlikely
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_listing_shadowcopy.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_listing_shadowcopy.yml
index e318064d8..172f2fdc9 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_listing_shadowcopy.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_listing_shadowcopy.yml
@@ -18,7 +18,7 @@ logsource:
 detection:
   selection:
     # Win32_Shadowcopy | ForEach-Object
-    CommandLine|contains: 
+    CommandLine|contains:
       - 'VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQA'
       - 'cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0A'
       - 'XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdA'
@@ -28,4 +28,4 @@ fields:
   - ParentCommandLine
 falsepositives:
   - Unlikely
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml
index 7e159e1a2..ea671c75e 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml
@@ -43,4 +43,4 @@ fields:
   - CommandLine
 falsepositives:
   - Unlikely
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml
index 1a7b53840..5756e3196 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml
@@ -20,12 +20,12 @@ logsource:
 detection:
     selection:
         Image|endswith: '\bitsadmin.exe'
-        CommandLine|contains: 
+        CommandLine|contains:
             - ' /transfer '
             - ' /create '
             - ' /addfile '
     selection_domain:
-        CommandLine|contains: 
+        CommandLine|contains:
             - 'raw.githubusercontent.com'
             - 'gist.githubusercontent.com'
             - 'pastebin.com'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml
index 1d5d7a4ed..05c65a9ed 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml
@@ -25,7 +25,7 @@ detection:
             - ' /create '
             - ' /addfile '
     selection_extension:
-        CommandLine|contains: 
+        CommandLine|contains:
             - '.asax'
             - '.ashx'
             - '.asmx'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
index c334f2492..2b4dbee13 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
@@ -25,7 +25,7 @@ detection:
             - ' /create '
             - ' /addfile '
     selection_folder:
-        CommandLine|contains: 
+        CommandLine|contains:
             - 'C:\Users\Public\'
             - '%public%'
             - '\Desktop\'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_clip.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_clip.yml
index 9bef6b0f7..f95c5d73f 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_clip.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_clip.yml
@@ -3,7 +3,7 @@ id: ddeff553-5233-4ae9-bbab-d64d2bd634be
 status: experimental
 author: frack113
 date: 2021/07/27
-description: Adversaries may collect data stored in the clipboard from users copying information within or between applications. 
+description: Adversaries may collect data stored in the clipboard from users copying information within or between applications.
 references:
     - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md
@@ -16,7 +16,7 @@ logsource:
 detection:
     selection:
         OriginalFileName: clip.exe
-    condition: selection 
+    condition: selection
 falsepositives:
     - Unknown
 level: low
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_cmd_delete.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_cmd_delete.yml
index 9c8a3796b..29d1b1cd9 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_cmd_delete.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_cmd_delete.yml
@@ -4,7 +4,7 @@ status: experimental
 description: |
   Adversaries may delete files left behind by the actions of their intrusion activity.
   Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
-  Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. 
+  Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
 author: frack113
 date: 2022/01/15
 references:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml
index 33a39958b..a8628b4b0 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml
@@ -36,4 +36,4 @@ falsepositives:
 level: high
 tags:
   - attack.execution
-  - attack.t1059.003
\ No newline at end of file
+  - attack.t1059.003
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml
index 871b46ca3..a4eaf8209 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml
@@ -34,4 +34,4 @@ falsepositives:
 level: high
 tags:
   - attack.execution
-  - attack.t1059.003
\ No newline at end of file
+  - attack.t1059.003
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml
index 851989769..47c8f63d1 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml
@@ -10,22 +10,22 @@ date: 2021/07/27
 modified: 2022/03/05
 tags:
     - attack.execution
-    - attack.t1059 
+    - attack.t1059
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection1: 
+    selection1:
         CommandLine|contains: '\cmd.exe /C whoami'
         ParentImage|startswith: 'C:\Temp'
     selection2:
         CommandLine|contains: 'conhost.exe 0xffffffff -ForceV1'
-        ParentCommandLine|contains: 
+        ParentCommandLine|contains:
             - '/C whoami'
             - 'cmd.exe /C echo'
             - ' > \\\\.\\pipe'
     selection3:
-        CommandLine|contains: 
+        CommandLine|contains:
             - 'cmd.exe /c echo'
             - '> \\\\.\\pipe'
             - '\whoami.exe'
@@ -38,4 +38,3 @@ detection:
 falsepositives:
     - Other programs that cause these patterns (please report)
 level: high
-
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml
index 51f19e6c2..506842b8b 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml
@@ -4,9 +4,9 @@ status: experimental
 author: frack113
 date: 2021/08/16
 modified: 2021/12/02
-description: Detects a command used by conti to dump database 
+description: Detects a command used by conti to dump database
 references:
-    - https://twitter.com/vxunderground/status/1423336151860002816?s=20 #the leak info not the files itself 
+    - https://twitter.com/vxunderground/status/1423336151860002816?s=20 #the leak info not the files itself
     - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
     - https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
 tags:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml
index 46ac08371..1ac92010e 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml
@@ -35,4 +35,4 @@ detection:
     condition: 1 of selection*
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml
index ddea6a389..bc8e51117 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml
@@ -11,7 +11,7 @@ logsource:
   category: process_creation
   product: windows
 detection:
-    # Shutdown in safe mode immediately 
+    # Shutdown in safe mode immediately
   selection:
     CommandLine|contains:
       - 'shutdown /r /f /t 00'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml
index 4db11b093..043064bfa 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml
@@ -23,7 +23,7 @@ detection:
             - 'LS1kb25hdGUtbGV2ZWw9'
             - '0tZG9uYXRlLWxldmVsP'
             - 'tLWRvbmF0ZS1sZXZlbD'
-            # base64 encoded: stratum+tcp:// and stratum+udp:// 
+            # base64 encoded: stratum+tcp:// and stratum+udp://
             - 'c3RyYXR1bSt0Y3A6Ly'
             - 'N0cmF0dW0rdGNwOi8v'
             - 'zdHJhdHVtK3RjcDovL'
@@ -36,4 +36,4 @@ falsepositives:
 level: high
 tags:
     - attack.impact
-    - attack.t1496
\ No newline at end of file
+    - attack.t1496
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml
index a4002af91..e121e8c1c 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml
@@ -28,4 +28,4 @@ falsepositives:
 level: high
 tags:
     - attack.impact
-    - attack.t1490
\ No newline at end of file
+    - attack.t1490
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml
index cc35645cb..2b78addfd 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml
@@ -20,4 +20,4 @@ falsepositives:
 level: medium
 tags:
     - attack.defense_evasion
-    - attack.t1036
\ No newline at end of file
+    - attack.t1036
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_dinjector.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_dinjector.yml
index 929306f10..7ca3b9bdc 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_dinjector.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_dinjector.yml
@@ -26,4 +26,4 @@ detection:
     condition: selection and not 1 of filter_*
 falsepositives:
     - Unlikely
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml
index 7f43e5439..3a29b3b41 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml
@@ -21,7 +21,7 @@ logsource:
 detection:
     selection:
         Image|endswith: '\dnscmd.exe'
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - '/config'
             - '/serverlevelplugindll'
     condition: selection
@@ -34,4 +34,4 @@ fields:
     - ParentCommandLine
     - Image
     - User
-    - TargetObject
\ No newline at end of file
+    - TargetObject
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_dsim_remove.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_dsim_remove.yml
index a6cd04c13..1abb6da40 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_dsim_remove.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_dsim_remove.yml
@@ -1,7 +1,7 @@
 title: Dism Remove Online Package
 id: 43e32da2-fdd0-4156-90de-50dfd62636f9
 status: experimental
-description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images 
+description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
 author: frack113
 date: 2022/01/16
 references:
@@ -34,4 +34,4 @@ falsepositives:
 level: medium
 tags:
     - attack.defense_evasion
-    - attack.t1562.001
\ No newline at end of file
+    - attack.t1562.001
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_embed_exe_lnk.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_embed_exe_lnk.yml
index 4c90e2588..097b81ebe 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_embed_exe_lnk.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_embed_exe_lnk.yml
@@ -22,4 +22,4 @@ falsepositives:
 level: medium
 tags:
     - attack.execution
-    - attack.t1059.001 
+    - attack.t1059.001
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml
index 0f13b0414..1070b6286 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml
@@ -41,4 +41,4 @@ falsepositives:
 level: medium
 tags:
     - attack.credential_access
-    - attack.t1552.002
\ No newline at end of file
+    - attack.t1552.002
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml
index c07194735..9347b05e4 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml
@@ -34,4 +34,4 @@ falsepositives:
 level: medium
 tags:
     - attack.credential_access
-    - attack.t1552.002
\ No newline at end of file
+    - attack.t1552.002
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml
index 4e7dbfd6f..1c69fcb1c 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml
@@ -1,4 +1,4 @@
-title: Esentutl Steals Browser Information 
+title: Esentutl Steals Browser Information
 id: 6a69f62d-ce75-4b57-8dce-6351eb55b362
 status: experimental
 description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_evil_winrm.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_evil_winrm.yml
index 5ee88e8ea..08aa18ec1 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_evil_winrm.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_evil_winrm.yml
@@ -1,7 +1,7 @@
 title: WinRM Access with Evil-WinRM
 id: a197e378-d31b-41c0-9635-cfdf1c1bb423
 status: experimental
-description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. 
+description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
 author: frack113
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
index 1202cc9f2..31d4a0d2e 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
@@ -33,4 +33,4 @@ fields:
     - ParentCommandLine
 falsepositives:
     - System administrator Usage
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml
index cd26057e0..97619c96f 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml
@@ -1,4 +1,4 @@
-title: Possible InstallerFileTakeOver LPE CVE-2021-41379 
+title: Possible InstallerFileTakeOver LPE CVE-2021-41379
 id: af8bbce4-f751-46b4-8d91-82a33a736f61
 status: experimental
 description: Detects signs of the exploitation of LPE CVE-2021-41379 to spawn a cmd.exe with LOCAL_SYSTEM rights
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml
index 05869db8d..f305b18a8 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml
@@ -156,9 +156,9 @@ detection:
             - '\Winobj.exe'
             - '\Winobj64.exe'
             - '\ZoomIt.exe'
-            - '\ZoomIt64.exe'     
+            - '\ZoomIt64.exe'
     filter_valid:
-        Company: 
+        Company:
             - 'Sysinternals - www.sysinternals.com'
             - 'Sysinternals'
     filter_empty:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml
index 75e245400..8a3068193 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml
@@ -13,7 +13,7 @@ detection:
     selection:
         Image|endswith: \findstr.exe
         CommandLine|contains|all:
-            - cpassword 
+            - cpassword
             - \sysvol\
             - .xml
     condition: selection
@@ -21,5 +21,5 @@ falsepositives:
     - Unknown
 level: high
 tags:
-    - attack.credential_access 
-    - attack.t1552.006
\ No newline at end of file
+    - attack.credential_access
+    - attack.t1552.006
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_gotoopener.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_gotoopener.yml
index 74f481130..d1e507a3b 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_gotoopener.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_gotoopener.yml
@@ -4,7 +4,7 @@ status: experimental
 description: |
   An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
   These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) 
+  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
 author: frack113
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml
index 98602bc2c..1d1819a16 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml
@@ -20,4 +20,4 @@ detection:
     condition: selection
 falsepositives:
     - Very unlikely
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_koadic.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_koadic.yml
index 8d07794d6..c4b0d6eac 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_koadic.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_koadic.yml
@@ -30,4 +30,4 @@ tags:
   - attack.execution
   - attack.t1059.003
   - attack.t1059.005
-  - attack.t1059.007
\ No newline at end of file
+  - attack.t1059.007
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_wce.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_wce.yml
index cd0b2e9c0..78b12947c 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_wce.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_wce.yml
@@ -30,4 +30,4 @@ detection:
     condition: ( selection1 or selection2 ) and not filter
 falsepositives:
     - Another service that uses a single -s command line switch
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml
index 97c1e893e..912fe263e 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml
@@ -12,7 +12,7 @@ logsource:
     product: windows
 detection:
     selection:
-        - Imphash: 
+        - Imphash:
             - BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
             - 3A19059BD7688CB88E70005F18EFC439 # PetitPotam
             - 9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
@@ -23,7 +23,7 @@ detection:
             - 725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
             - 672B13F4A0B6F27D29065123FE882DFC # Mimikatz
             - 0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
-            - 23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato 
+            - 23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
             - 9FB060C2977A9D9B782440B98D410C3E # RoguePotato
             - B18A1401FF8F444056D29450FBC0A6CE # Pwdump
             - 13F08707F759AF6003837A150A371BA1 # Pwdump
@@ -53,7 +53,7 @@ detection:
             - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
             - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
             - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
-            - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato 
+            - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
             - IMPHASH=9FB060C2977A9D9B782440B98D410C3E # RoguePotato
             - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
             - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
@@ -75,4 +75,4 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate use of one of these tools
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_hh_chm.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_hh_chm.yml
index 33f18d2c5..b626091a2 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_hh_chm.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_hh_chm.yml
@@ -25,4 +25,4 @@ falsepositives:
 level: high
 tags:
   - attack.defense_evasion
-  - attack.t1218.001
\ No newline at end of file
+  - attack.t1218.001
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml
index eae281baf..fb4cf5b64 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml
@@ -22,4 +22,4 @@ detection:
     condition: 1 of selection*
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml
index 4843a988b..19fe6fbd3 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml
@@ -12,9 +12,9 @@ logsource:
 detection:
     selection:
         Image|endswith: \appcmd.exe
-        CommandLine|contains|all: 
-            - set 
-            - config 
+        CommandLine|contains|all:
+            - set
+            - config
             - '/section:httplogging'
             - '/dontLog:true'
     condition: selection
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml
index 9eb0aefd9..0facc5ef1 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml
@@ -14,7 +14,7 @@ logsource:
     product: windows
 detection:
     selection:
-        - Image|contains: 
+        - Image|contains:
             - '\goldenPac'
             - '\karmaSMB'
             - '\kintercept'
@@ -26,7 +26,7 @@ detection:
             - '\smbrelayx'
             - '\wmiexec'
             - '\wmipersist'
-        - Image|endswith: 
+        - Image|endswith:
             # - '\addcomputer_windows.exe'
             - '\atexec_windows.exe'
             - '\dcomexec_windows.exe'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml
index a2e1a6ffa..3c0650742 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml
@@ -15,12 +15,12 @@ logsource:
   product: windows
 detection:
   selection_other:
-        # *** wmiexec.py 
+        # *** wmiexec.py
         #    parent is wmiprvse.exe
         #    examples:
         #       cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1
         #       cmd.exe /Q /c cd  1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1
-        # *** dcomexec.py -object MMC20 
+        # *** dcomexec.py -object MMC20
         #   parent is mmc.exe
         #   example:
         #       "C:\Windows\System32\cmd.exe" /Q /c cd  1> \\127.0.0.1\ADMIN$\__1567442499.05 2>&1
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml
index 85986ef84..d058ba773 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml
@@ -15,7 +15,7 @@ detection:
         CommandLine|contains|all:
             - 'InfDefaultInstall.exe '
             - '.inf'
-    condition: selection 
+    condition: selection
 fields:
     - ComputerName
     - User
@@ -26,4 +26,4 @@ falsepositives:
 level: medium
 tags:
     - attack.defense_evasion
-    - attack.t1218
\ No newline at end of file
+    - attack.t1218
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
index a4892354d..7d894c189 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
@@ -17,7 +17,7 @@ detection:
       - 'rundll32'
       - 'shell32.dll'
       - 'shellexec_rundll'
-    CommandLine|contains:  
+    CommandLine|contains:
       - 'value'
       - 'invoke'
       - 'comspec'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_logmein.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_logmein.yml
index ccde53ca3..461d533c3 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_logmein.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_logmein.yml
@@ -4,7 +4,7 @@ status: experimental
 description: |
   An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
   These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) 
+  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
 author: frack113
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml
index 7214f0343..8b29e96c3 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml
@@ -1,7 +1,7 @@
 title: Suspicious Subsystem for Linux Bash Execution
 id: 5edc2273-c26f-406c-83f3-f4d948e740dd
 status: experimental
-description: Performs execution of specified file, can be used as a defensive evasion. 
+description: Performs execution of specified file, can be used as a defensive evasion.
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Bash/
 tags:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml
index 04a8b5dd2..4f999508b 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml
@@ -16,11 +16,11 @@ logsource:
     product: windows
 detection:
     selection:
-      CommandLine|contains|all: 
+      CommandLine|contains|all:
         - 'CL_Invocation.ps1'
         - 'SyncInvoke'
       # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1; SyncInvoke c:\Evil.exe"
     condition: selection
-falsepositives: 
+falsepositives:
  - Unknown
 level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml
index 177e320df..de4795593 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml
@@ -3,7 +3,7 @@ id: 575dce0c-8139-4e30-9295-1ee75969f7fe
 description: Adversaries can abuse of C:\Windows\System32\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target
 status: experimental
 references:
-    - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs 
+    - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
 author: blueteamer8699
 date: 2022/01/03
 tags:
@@ -18,7 +18,7 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - 'cscript.exe'
             - 'gatherNetworkInfo.vbs'
     condition: selection
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml
index cd7c5c12c..ec4bf10f3 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml
@@ -1,4 +1,4 @@
-title: Suspicious Diantz Alternate Data Stream Execution 
+title: Suspicious Diantz Alternate Data Stream Execution
 id: 6b369ced-4b1d-48f1-b427-fdc0de0790bd
 status: experimental
 description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
@@ -18,7 +18,7 @@ detection:
             - diantz.exe
             - .cab
         CommandLine|re: ':[^\\\\]'
-    condition: selection 
+    condition: selection
 falsepositives:
     - Very Possible
 level: medium
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml
index 5b7ef48c7..f9e2b4aee 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml
@@ -1,7 +1,7 @@
 title: Suspicious Diantz Download and Compress Into a CAB File
 id: 185d7418-f250-42d0-b72e-0c8b70661e93
 status: experimental
-description: Download and compress a remote file and store it in a cab file on local machine. 
+description: Download and compress a remote file and store it in a cab file on local machine.
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Diantz/
 tags:
@@ -16,9 +16,9 @@ detection:
     selection:
         CommandLine|contains|all:
             - diantz.exe
-            - ' \\' 
+            - ' \\'
             - '.cab'
-    condition: selection 
+    condition: selection
 falsepositives:
     - Unknown
 level: medium
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml
index 34abd4ae3..104dd0bc4 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml
@@ -1,4 +1,4 @@
-title: Suspicious Dump64.exe Execution 
+title: Suspicious Dump64.exe Execution
 id: 129966c9-de17-4334-a123-8b58172e664d
 description: Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder
 status: experimental
@@ -9,7 +9,7 @@ references:
 logsource:
       product: windows
       category: process_creation
-detection: 
+detection:
     selection:
         Image|endswith: '\dump64.exe'
     procdump_flags:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml
index 7911e9cc3..38b34c640 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml
@@ -2,7 +2,7 @@ title: Monitoring Winget For LOLbin Execution
 id: 313d6012-51a0-4d93-8dfc-de8553239e25
 description: Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 insider programs. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.
 status: experimental
-references: 
+references:
     - https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install
 author: Sreeman, Florian Roth, Frack113
 date: 2020/04/21
@@ -16,7 +16,7 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - 'winget'
             - 'install'
         CommandLine|contains:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml
index 079772176..d47b5ada6 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml
@@ -1,4 +1,4 @@
-title: Suspicious Extrac32 Alternate Data Stream Execution 
+title: Suspicious Extrac32 Alternate Data Stream Execution
 id: 4b13db67-0c45-40f1-aba8-66a1a7198a1e
 status: experimental
 description: Extract data from cab file and hide it in an alternate data stream
@@ -6,7 +6,7 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Extrac32/
 tags:
     - attack.defense_evasion
-    - attack.t1564.004 
+    - attack.t1564.004
 author: frack113
 date: 2021/11/26
 logsource:
@@ -18,7 +18,7 @@ detection:
             - extrac32.exe
             - .cab
         CommandLine|re: ':[^\\\\]'
-    condition: selection 
+    condition: selection
 falsepositives:
     - Unknown
 level: medium
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml
index 9970234f9..a8d172171 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml
@@ -42,4 +42,4 @@ tags:
     - attack.t1218
     - attack.t1564.004
     - attack.t1552.001
-    - attack.t1105
\ No newline at end of file
+    - attack.t1105
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml
index 02c87ce21..18d0ececa 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml
@@ -19,7 +19,7 @@ detection:
         CurrentDirectory:
             - 'c:\windows\system32\'
             - 'c:\windows\sysWOW64\'
-    filter_missing: 
+    filter_missing:
         CurrentDirectory: null
     condition: lolbin and not 1 of filter_*
 falsepositives:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml
index 2a0444ef5..485d94708 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml
@@ -13,7 +13,7 @@ detection:
     selection:
         Image|endswith: '\jsc.exe'
         CommandLine|contains: '.js'
-    condition: selection 
+    condition: selection
 falsepositives:
     - Unknown
 level: medium
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml
index 7053d03df..fdffaa1db 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml
@@ -1,7 +1,7 @@
 title: Suspicious OfflineScannerShell.exe Execution From Another Folder
 id: 02b18447-ea83-4b1b-8805-714a8a34546a
 status: experimental
-description: Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory 
+description: Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/
 author: frack113
@@ -14,7 +14,7 @@ detection:
         Image|endswith: '\OfflineScannerShell.exe'
     filter_correct:
         CurrentDirectory: 'C:\Program Files\Windows Defender\Offline\'
-    filter_missing: 
+    filter_missing:
         CurrentDirectory: null
     condition: lolbas and not 1 of filter_*
 falsepositives:
@@ -22,4 +22,4 @@ falsepositives:
 level: medium
 tags:
     - attack.defense_evasion
-    - attack.t1218 
+    - attack.t1218
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
index a9e8bce20..096e79af5 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
@@ -12,15 +12,15 @@ logsource:
 detection:
     selection:
         Image|endswith: '\PrintBrm.exe'
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - ' -f'
             - '.zip'
-    condition: selection 
+    condition: selection
 falsepositives:
     - Unknown
 level: high
 tags:
     - attack.command_and_control
-    - attack.t1105 
+    - attack.t1105
     - attack.defense_evasion
-    - attack.t1564.004 
+    - attack.t1564.004
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml
index c99fcd5f1..7ff14b998 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml
@@ -20,4 +20,4 @@ falsepositives:
 level: medium
 tags:
     - attack.defense_evasion
-    - attack.t1216.001 
\ No newline at end of file
+    - attack.t1216.001
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml
index 0264f5a95..1043b5b95 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml
@@ -15,7 +15,7 @@ detection:
     selection:
         Image|endswith: '\replace.exe'
     argument:
-        CommandLine|contains: 
+        CommandLine|contains:
             - '/a'
             - '-a'
     condition: selection and argument
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
index 693a98743..2da66feb5 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
@@ -24,4 +24,4 @@ detection:
     condition: all of selection*
 falsepositives:
     - Legitimate use of the UI Accessibility Checker
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
index 05d87b214..aeef7b3ec 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
@@ -21,4 +21,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml
index 0883160aa..6ab82c6c9 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml
@@ -19,4 +19,4 @@ falsepositives:
 level: medium
 tags:
   - attack.defense_evasion
-  - attack.t1127 
+  - attack.t1127
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
index ffccba042..78cff6c86 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
@@ -9,7 +9,7 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
     - https://twitter.com/mattifestation/status/1196390321783025666
     - https://twitter.com/oulusoyum/status/1191329746069655553
-author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative' 
+author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
 date: 2020/10/06
 modified: 2021/09/21
 tags:
@@ -26,4 +26,4 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate usage by software developers/testers
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml
index f05033d91..4176c1fe6 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml
@@ -38,4 +38,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml
index b593a5104..d702f8db1 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml
@@ -1,6 +1,6 @@
 title: Lolbins Process Creation with WmiPrvse
 id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
-description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed.  
+description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed.
 references:
     - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
     - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml
index 2241ded9a..cc0c5ff35 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml
@@ -26,7 +26,7 @@ fields:
     - CommandLine
     - ParentCommandLine
 tags:
-   - attack.persistence  
+   - attack.persistence
    - attack.t1505.003
    - attack.resource_development
-   - attack.t1584.006
\ No newline at end of file
+   - attack.t1584.006
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_adwind.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_adwind.yml
index b777f363a..c4acf4239 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_adwind.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_adwind.yml
@@ -26,4 +26,4 @@ detection:
             - 'Retrive'
             - '.vbs '
     condition: selection
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml
index c5ff7aa41..018edade4 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml
@@ -29,4 +29,4 @@ detection:
     condition: sc_cmd or wmic_cmd
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml
index 6a98c74bc..88b420528 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml
@@ -13,7 +13,7 @@ logsource:
     product: windows
 detection:
     selection1:
-        CommandLine|contains: 
+        CommandLine|contains:
             - '=[char][byte](''0x''+'
             - ' -work worker0 -path '
     selection2:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti.yml
index e2be55465..821c35409 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti.yml
@@ -25,4 +25,4 @@ falsepositives:
 level: high
 tags:
     - attack.t1587.001
-    - attack.resource_development
\ No newline at end of file
+    - attack.resource_development
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml
index 23a992248..ea9da151e 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml
@@ -21,4 +21,4 @@ falsepositives:
 level: high
 tags:
    - attack.collection
-   - attack.t1560
\ No newline at end of file
+   - attack.t1560
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml
index 36f686290..b8418cbdf 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml
@@ -26,4 +26,4 @@ falsepositives:
 level: medium
 tags:
     - attack.impact
-    - attack.t1490
\ No newline at end of file
+    - attack.t1490
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_emotet.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_emotet.yml
index c0ba595f8..e730908b0 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_emotet.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_emotet.yml
@@ -39,4 +39,3 @@ fields:
 falsepositives:
   - Unlikely
 level: high
-
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml
index 61ff3daf2..208a2822e 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml
@@ -18,7 +18,7 @@ detection:
       - '\\\\.\\pipe\\'
   select_rundll32_dash1:
     Image|endswith: '\rundll32.exe'
-    CommandLine|endswith: 
+    CommandLine|endswith:
       - '.dat,#1'
       - '.dat #1' # Sysmon removes comma
   select_perfc_keyword:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
index 59be92668..f04667dd3 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
@@ -18,7 +18,7 @@ logsource:
 detection:
     selection_1:
         ParentImage|endswith: '\services.exe'
-    selection_2:    
+    selection_2:
         # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
         - CommandLine|contains|all:
             - 'cmd'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
index b0f591390..47e22650b 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
@@ -20,7 +20,7 @@ detection:
             - 'sc '
             - 'config '
             - 'binpath='
-    selection_cmdline_2: 
+    selection_cmdline_2:
         CommandLine|contains|all:
             - 'sc '
             - 'failure'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml
index 633f97bac..403dc86c1 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml
@@ -17,7 +17,7 @@ detection:
         CommandLine|contains|all:
             - 'bitsadmin'
             - '/SetNotifyCmdLine'
-        CommandLine|contains:  
+        CommandLine|contains:
             - '%COMSPEC%'
             - 'cmd.exe'
             - 'regsvr32.exe'
@@ -25,7 +25,7 @@ detection:
         CommandLine|contains|all:
             - 'bitsadmin'
             - '/Addfile'
-        CommandLine|contains:    
+        CommandLine|contains:
             - 'http:'
             - 'https:'
             - 'ftp:'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
index cc45d4445..ec9f2eaf9 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
@@ -14,7 +14,7 @@ logsource:
     product: windows
 detection:
     selection:
-        Image|endswith: '\msiexec.exe' 
+        Image|endswith: '\msiexec.exe'
         CommandLine|contains|all:
             - ' /i'
             - ' /q'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_multiple_susp_cli.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_multiple_susp_cli.yml
index 78b37477c..82099cf89 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_multiple_susp_cli.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_multiple_susp_cli.yml
@@ -10,7 +10,7 @@ modified: 2021/06/13
 tags:
     - car.2013-04-002
     - attack.execution
-    - attack.t1059 
+    - attack.t1059
 logsource:
     category: process_creation
     product: windows
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_net_enum.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_net_enum.yml
index a2b549207..a5e750a8e 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_net_enum.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_net_enum.yml
@@ -16,7 +16,7 @@ logsource:
     product: windows
 detection:
     selection:
-        Image|endswith: 
+        Image|endswith:
             - '\net.exe'
             - '\net1.exe'
         CommandLine|contains: 'view'
@@ -29,4 +29,4 @@ fields:
     - CommandLine
 falsepositives:
     - Legitimate use of net.exe utility by legitimate user
-level: low 
+level: low
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_netcat_execution.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_netcat_execution.yml
index 0e8c831ce..21f473896 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_netcat_execution.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_netcat_execution.yml
@@ -6,7 +6,7 @@ date: 2021/07/21
 modified: 2022/02/23
 description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
 references:
-    - https://nmap.org/ncat/   
+    - https://nmap.org/ncat/
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md
 tags:
     - attack.command_and_control
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml
index d42eda483..7ef17113c 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml
@@ -27,4 +27,4 @@ falsepositives:
 level: medium
 tags:
   - attack.defense_evasion
-  - attack.t1562.004
\ No newline at end of file
+  - attack.t1562.004
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml
index 10d445ccc..7453ff803 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml
@@ -13,11 +13,11 @@ logsource:
   product: windows
 detection:
   selection_loop:
-    CommandLine|contains: 
+    CommandLine|contains:
         - 'for '
         - 'foreach '
   selection_tools:
-    CommandLine|contains:   
+    CommandLine|contains:
         - 'nslookup'
         - 'ping'
   condition: all of selection_*
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml
index c772b686b..9261c196c 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml
@@ -17,7 +17,7 @@ detection:
     selection:
         Image|endswith: '\powershell.exe'
     filter:
-        ParentImage|endswith: 
+        ParentImage|endswith:
             - '\explorer.exe'
             - '\CompatTelRunner.exe'
     condition: selection and not filter
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_outlook_shell.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_outlook_shell.yml
index 789858b24..79c7db19b 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_outlook_shell.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_outlook_shell.yml
@@ -40,7 +40,7 @@ detection:
       - '\msbuild.exe'        # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
       - '\msdt.exe'           # CVE-2022-30190
 
-  # Several FPs with rundll32.exe - we started excluding specific use cases and 
+  # Several FPs with rundll32.exe - we started excluding specific use cases and
   # ended commenting out all rundll32.exe sub processes
 
   #filter_outlook_photoviewer:  # https://twitter.com/Luke_Hamp/status/1495919717760237568
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml
index bb111e313..8dd9fad21 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml
@@ -25,4 +25,4 @@ detection:
     condition: selection
 falsepositives:
     - Very unlikely
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
index 2342152ff..afc8a8bd3 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
@@ -17,7 +17,7 @@ logsource:
     product: windows
 detection:
     selection1:
-        CommandLine|contains: 
+        CommandLine|contains:
             - 'Add-MpPreference '
             - 'Set-MpPreference '
     selection2:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml
index c4351ed3b..367a2d1d5 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml
@@ -12,7 +12,7 @@ logsource:
 detection:
     selection:
         Image|endswith: '\powershell.exe'
-        CommandLine|contains: 
+        CommandLine|contains:
             - '-f C:\Users\Public'
             - '-f "C:\Users\Public'
             - '-f %Public%'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml
index 2c86cf79d..aabd6844d 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml
@@ -1,6 +1,6 @@
 title: CreateDump Process Dump
 id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
-description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory 
+description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
 status: experimental
 references:
     - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml
index abb3d0378..2cbc426a3 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml
@@ -1,6 +1,6 @@
 title: RdrLeakDiag Process Dump
 id: 6355a919-2e97-4285-a673-74645566340d
-description: Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory 
+description: Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory
 status: experimental
 references:
     - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml
index 49ce2e9e4..75550dc0d 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml
@@ -1,6 +1,6 @@
 title: Suspicious DumpMinitool Usage
 id: eb1c4225-1c23-4241-8dd4-051389fde4ce
-description: Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe 
+description: Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe
 status: experimental
 references:
     - https://twitter.com/mrd0x/status/1511415432888131586
@@ -19,13 +19,13 @@ detection:
         - Image|endswith: '\DumpMinitool.exe'
         - OriginalName: 'DumpMinitool.exe'
     filter_folder:
-        Image|contains: 
+        Image|contains:
             - '\Microsoft Visual Studio\'
             - '\Extensions\'  # https://github.com/microsoft/vstest/blob/main/src/package/nuspec/Microsoft.TestPlatform.Portable.nuspec#L159
     susp_flags:
         CommandLine|contains: '.txt'
     cmd_has_flags:
-        CommandLine|contains: ' Full' 
+        CommandLine|contains: ' Full'
     filter_cmd_misses_flags:
         CommandLine|contains: '--dumpType'
     condition: selection and ( ( not filter_folder ) or susp_flags or ( cmd_has_flags and not filter_cmd_misses_flags ) )
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml
index 438d33ed7..529008b0a 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml
@@ -26,7 +26,7 @@ detection:
             - '\wininit.exe'
             - '\winlogon.exe'
     filter_sys:
-        - ParentImage|endswith: 
+        - ParentImage|endswith:
             - '\SavService.exe'
             - '\ngen.exe'
         - ParentImage|contains:
@@ -47,4 +47,4 @@ level: low
 tags:
     - attack.defense_evasion
     - attack.t1036.003
-    - attack.t1036.005
\ No newline at end of file
+    - attack.t1036.005
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml
index 96687d496..2bd1fb2f2 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml
@@ -1,5 +1,5 @@
 title: Process Dump via RdrLeakDiag.exe
-id: edadb1e5-5919-4e4c-8462-a9e643b02c4b 
+id: edadb1e5-5919-4e4c-8462-a9e643b02c4b
 description: Detects a process memory dump performed by RdrLeakDiag.exe
 status: experimental
 level: high
@@ -18,5 +18,5 @@ detection:
         OriginalFileName: RdrLeakDiag.exe
         CommandLine|contains: fullmemdmp
     condition: selection
-falsepositives: 
+falsepositives:
     - Unknown
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml
index 9bacedfbd..7c6584b38 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml
@@ -20,7 +20,7 @@ logsource:
     product: windows
 detection:
     selection_comsvcs:
-        CommandLine|contains: 
+        CommandLine|contains:
             - 'comsvcs.dll'
             - 'rundll32'
             - '.dmp'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_protocolhandler_susp_file.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_protocolhandler_susp_file.yml
index 9cd29abb4..9cf8b2fa7 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_protocolhandler_susp_file.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_protocolhandler_susp_file.yml
@@ -18,7 +18,7 @@ detection:
         CommandLine|contains|all:
             - '"ms-word'
             - '.docx"'
-    condition: selection 
+    condition: selection
 fields:
     - ComputerName
     - User
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml
index eda2ef47b..fae149933 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml
@@ -12,7 +12,7 @@ logsource:
 detection:
   selection:
     ParentImage|startswith: 'C:\Users\Public\'
-    CommandLine|contains: 
+    CommandLine|contains:
       - 'powershell'
       - 'cmd.exe /c '
       - 'cmd /c '
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml
index 987211efa..1fcf82b53 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml
@@ -23,4 +23,4 @@ falsepositives:
 level: critical
 tags:
     - attack.t1587
-    - attack.resource_development
\ No newline at end of file
+    - attack.resource_development
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_pypykatz.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_pypykatz.yml
index 3fd5ac17d..f081e6c49 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_pypykatz.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_pypykatz.yml
@@ -24,4 +24,4 @@ falsepositives:
 level: high
 tags:
     - attack.credential_access
-    - attack.t1003.002
\ No newline at end of file
+    - attack.t1003.002
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml
index 7c99f0283..5642cdece 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml
@@ -27,4 +27,4 @@ detection:
     condition: selection_image and 1 of selection_cli*
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
index ef9ededa7..b7f7e0c8e 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
@@ -12,7 +12,7 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - 'reg'
             - ' ADD '
             - 'Software\Microsoft\Windows\CurrentVersion\Run'
@@ -22,4 +22,4 @@ falsepositives:
 level: medium
 tags:
     - attack.persistence
-    - attack.t1547.001
\ No newline at end of file
+    - attack.t1547.001
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
index 48e1577e4..edc9994c5 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
@@ -29,4 +29,4 @@ falsepositives:
 level: medium
 tags:
     - attack.defense_evasion
-    - attack.t1562.001 
+    - attack.t1562.001
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml
index 7b56642af..e055c07b6 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml
@@ -1,7 +1,7 @@
 title: Enabling RDP Service via Reg.exe
 id: 0d5675be-bc88-4172-86d3-1e96a4476536
 status: experimental
-description: Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host 
+description: Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host
 author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T'
 references:
   - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
index 0cff37fc3..6305e59cc 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
@@ -30,4 +30,4 @@ falsepositives:
 level: medium
 tags:
   - attack.persistence
-  - attack.t1574.011
\ No newline at end of file
+  - attack.t1574.011
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_regini.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_regini.yml
index c8ce2752f..20c482457 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_regini.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_regini.yml
@@ -27,4 +27,4 @@ fields:
     - CommandLine
 falsepositives:
     - Legitimate modification of keys
-level: low
\ No newline at end of file
+level: low
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_regini_ads.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_regini_ads.yml
index 4541b899f..a59b4e9ea 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_regini_ads.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_regini_ads.yml
@@ -27,4 +27,4 @@ fields:
     - CommandLine
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml
index 86fe6b6cc..a23433dd1 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml
@@ -19,7 +19,7 @@ detection:
         CommandLine|contains|all:
             - ' -RemoveDefinitions'
             - ' -All'
-    condition: selection 
+    condition: selection
 fields:
     - ComputerName
     - User
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
index 7aafd7fa7..44e963fda 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
@@ -20,4 +20,4 @@ detection:
    condition: selection and not 1 of filter*
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_root_certificate_installed.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_root_certificate_installed.yml
index 8cfbde408..bceec686f 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_root_certificate_installed.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_root_certificate_installed.yml
@@ -19,7 +19,7 @@ logsource:
 detection:
     selection1:
         Image|endswith: '\certutil.exe'     # Example: certutil -addstore -f -user ROOT CertificateFileName.der
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - '-addstore'
             - 'root'
     selection2:
@@ -30,4 +30,4 @@ detection:
     condition: selection1 or selection2
 level: medium
 falsepositives:
-    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
\ No newline at end of file
+    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_run_from_zip.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_run_from_zip.yml
index cca0a3e26..fc3791c26 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_run_from_zip.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_run_from_zip.yml
@@ -18,4 +18,4 @@ falsepositives:
 level: medium
 tags:
     - attack.impact
-    - attack.t1485
\ No newline at end of file
+    - attack.t1485
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml
index 20c4e94b9..3c38dbceb 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml
@@ -18,7 +18,7 @@ logsource:
     product: windows
 detection:
     selection_1:
-        CommandLine|contains: 
+        CommandLine|contains:
             - 'VBoxRT.dll,RTR3Init'
             - 'VBoxC.dll'
             - 'VBoxDrv.sys'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml
index ccb3294ad..c4aa4da56 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml
@@ -5,7 +5,7 @@ description: Detects rundll32.exe executing from an abnormal drive such as a mou
 author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
 date: 2022/01/25
 modified: 2022/02/14
-references: 
+references:
     - https://thedfirreport.com/2021/12/13/diavol-ransomware/
 tags:
     - attack.t1218.001
@@ -15,7 +15,7 @@ logsource:
 detection:
     selection:
         Image|endswith: '\rundll32.exe'
-    filter: 
+    filter:
         - CurrentDirectory|contains: 'C:\'
         - CurrentDirectory: ''
     filter_null:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
index 22ca470aa..5dfcdc7f4 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
@@ -23,4 +23,4 @@ falsepositives:
     - Unknown
 level: medium
 tags:
-    - attack.defense_evasion 
\ No newline at end of file
+    - attack.defense_evasion
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml
index 48dc6b8a8..d94dca336 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml
@@ -1,7 +1,7 @@
 title: Rundll32 Registered COM Objects
 id: f1edd233-30b5-4823-9e6a-c4171b24d316
 status: experimental
-description: load malicious registered COM objects 
+description: load malicious registered COM objects
 references:
     - https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml
index a0b203ea0..c42f1058c 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml
@@ -3,7 +3,7 @@ id: c5c00f49-b3f9-45a6-997e-cfdecc6e1967
 status: experimental
 description: 'Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local'
 author: 'pH-T'
-references: 
+references:
   - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 date: 2022/03/15
 logsource:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
index 137c87fb9..18efe706d 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
@@ -3,7 +3,7 @@ id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
 status: experimental
 description: Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.
 author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T'
-references: 
+references:
   - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 date: 2022/02/12
 modified: 2022/03/15
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_screenconnect.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_screenconnect.yml
index 446bee5d3..411f6ea0c 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_screenconnect.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_screenconnect.yml
@@ -4,7 +4,7 @@ status: experimental
 description: |
   An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
   These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) 
+  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
 author: frack113
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml
index 8cb212b0f..37f1a9e4d 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml
@@ -19,4 +19,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_software_discovery.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_software_discovery.yml
index 7e296e62d..116cd4794 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_software_discovery.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_software_discovery.yml
@@ -28,4 +28,4 @@ detection:
     condition: selection
 level: medium
 falsepositives:
-    - Legitimate administration activities
\ No newline at end of file
+    - Legitimate administration activities
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml
index 897fde0bb..8d1d9a5b3 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml
@@ -3,7 +3,7 @@ id: b57ba453-b384-4ab9-9f40-1038086b4e53
 status: experimental
 author: frack113
 date: 2021/12/20
-description: Detects dump of credentials in VeeamBackup dbo 
+description: Detects dump of credentials in VeeamBackup dbo
 references:
    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
    - https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml
index 38423a777..4d88c7bd3 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml
@@ -34,4 +34,4 @@ detection:
     condition: selection_process
 falsepositives:
     - Unlikely
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml
index 2eeba8dcf..88c8d0dbc 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml
@@ -1,6 +1,6 @@
-title: Suspicious Auditpol Usage 
+title: Suspicious Auditpol Usage
 id: 0a13e132-651d-11eb-ae93-0242ac130002
-description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. 
+description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
 status: experimental
 author: Janantha Marasinghe (https://github.com/blueteam0ps)
 references:
@@ -18,7 +18,7 @@ detection:
     selection_auditpol_binary:
         Image|endswith: '\auditpol.exe'
     selection_auditpol_command:
-        CommandLine|contains:  
+        CommandLine|contains:
             - 'disable' # disables a specific audit policy
             - 'clear'   # delete or clears audit policy
             - 'remove'  # removes an audit policy
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ad_reco.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ad_reco.yml
index 89f588498..b4d4e4fe0 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ad_reco.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ad_reco.yml
@@ -25,4 +25,4 @@ falsepositives:
 level: low
 tags:
     - attack.discovery
-    - attack.t1069.001
\ No newline at end of file
+    - attack.t1069.001
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adfind.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adfind.yml
index 831fefe48..7512f1f64 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adfind.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adfind.yml
@@ -1,7 +1,7 @@
 title: Suspicious AdFind Execution
 id: 75df3b17-8bcc-4565-b89b-c9898acef911
 status: experimental
-description: Detects the execution of a AdFind for Active Directory enumeration 
+description: Detects the execution of a AdFind for Active Directory enumeration
 references:
     - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
     - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/Emulation_Plan/Phase1.md
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adfind_enumerate.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adfind_enumerate.yml
index b04dbd07e..d8f700180 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adfind_enumerate.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adfind_enumerate.yml
@@ -1,7 +1,7 @@
 title: Suspicious AdFind Enumerate
 id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
 status: experimental
-description: Detects the execution of a AdFind for enumeration 
+description: Detects the execution of a AdFind for enumeration
 references:
     - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md
@@ -24,7 +24,7 @@ detection:
             - pwdhistorylength
             - pwdproperties
     test_6: #Enumerate Active Directory Admins
-        CommandLine|contains: '-sc admincountdmp' 
+        CommandLine|contains: '-sc admincountdmp'
     test_8: #Enumerate Active Directory Exchange AD Objects
         CommandLine|contains: '-sc exchaddresses'
     condition: selection and 1 of test_*
@@ -33,4 +33,4 @@ falsepositives:
 level: medium
 tags:
     - attack.discovery
-    - attack.t1087.002
\ No newline at end of file
+    - attack.t1087.002
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml
index 479f969a6..2b444e299 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml
@@ -1,4 +1,4 @@
-title: Suspicious Execution of Adidnsdump 
+title: Suspicious Execution of Adidnsdump
 id: 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160
 status: experimental
 description: |
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml
index 30aa152ec..b60392f04 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml
@@ -1,7 +1,7 @@
 title: Suspicious AdvancedRun Runas Priv User
 id: fa00b701-44c6-4679-994d-5a18afa8a707
 status: experimental
-description: Detects the execution of AdvancedRun utitlity in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts 
+description: Detects the execution of AdvancedRun utitlity in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
 references:
     - https://twitter.com/splinter_code/status/1483815103279603714
     - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
@@ -19,12 +19,12 @@ detection:
             - '/EXEFilename'
             - '/CommandLine'
     selection_runas:
-        - CommandLine|contains: 
+        - CommandLine|contains:
             - ' /RunAs 8 '
             - ' /RunAs 4 '
             - ' /RunAs 10 '
             - ' /RunAs 11 '
-        - CommandLine|endswith: 
+        - CommandLine|endswith:
             - '/RunAs 8'
             - '/RunAs 4'
             - '/RunAs 10'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml
index 073b04bb3..1eadb9f0a 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml
@@ -34,4 +34,4 @@ fields:
     - ParentCommandLine
 falsepositives:
     - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml
index 4a1fc1312..073a8e99d 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml
@@ -43,4 +43,4 @@ fields:
   - CommandLine
 falsepositives:
   - Unlikely
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml
index d64eb0441..dbf90dbf3 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml
@@ -5,7 +5,7 @@ description: Detects transferring files from system on a server bitstransfer Pow
 references:
     - https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
 tags:
-    - attack.exfiltration 
+    - attack.exfiltration
     - attack.persistence
     - attack.t1197
 date: 2021/08/19
@@ -15,11 +15,11 @@ logsource:
     product: windows
 detection:
     selection:
-        Image|endswith: 
+        Image|endswith:
             - '\powershell.exe'
             - '\powershell_ise.exe'
             - '\pwsh.exe'
-        CommandLine|contains: 
+        CommandLine|contains:
             - 'Get-BitsTransfer'
             - 'Add-BitsFile'
     condition: selection
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml
index 75a8be92a..108da327a 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml
@@ -1,7 +1,7 @@
 title: Obfuscated Command Line Using Special Unicode Characters
 id: e0552b19-5a83-4222-b141-b36184bb8d79
 status: experimental
-description: Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. 
+description: Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
 author: frack113
 references:
     - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
@@ -13,7 +13,7 @@ logsource:
 detection:
     selection:
         #find the sysmon event
-        CommandLine|contains: 
+        CommandLine|contains:
             - 'â'
             - '€'
             - '£'
@@ -27,4 +27,4 @@ falsepositives:
 level: high
 tags:
     - attack.defense_evasion
-    - attack.t1027
\ No newline at end of file
+    - attack.t1027
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_cipher.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_cipher.yml
index 0c0d63abc..f42064359 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_cipher.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_cipher.yml
@@ -21,4 +21,4 @@ falsepositives:
 level: medium
 tags:
     - attack.impact
-    - attack.t1485
\ No newline at end of file
+    - attack.t1485
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml
index a03d6071b..89f409b05 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml
@@ -19,4 +19,4 @@ falsepositives:
 level: medium
 tags:
     - attack.impact
-    - attack.t1490
\ No newline at end of file
+    - attack.t1490
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml
index c3e68b05b..7a167be95 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml
@@ -16,7 +16,7 @@ detection:
     ParentImage|endswith: '\cmd.exe'
     ParentCommandLine|contains: ' /c '
     Image|endswith: '\chcp.com'
-    CommandLine|endswith: 
+    CommandLine|endswith:
       - 'chcp'
       - 'chcp '
       - 'chcp  '
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_covenant.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_covenant.yml
index e1c9bd854..cfc788414 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_covenant.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_covenant.yml
@@ -32,4 +32,4 @@ tags:
   - attack.execution
   - attack.defense_evasion
   - attack.t1059.001
-  - attack.t1564.003
\ No newline at end of file
+  - attack.t1564.003
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_csi.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_csi.yml
index d34670f50..6135c39be 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_csi.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_csi.yml
@@ -1,4 +1,4 @@
-title: Suspicious Csi.exe Usage 
+title: Suspicious Csi.exe Usage
 id: 40b95d31-1afc-469e-8d34-9a3a667d058e
 description: Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
 status: experimental
@@ -22,17 +22,17 @@ detection:
     basic:
         - Image|endswith: '\csi.exe'
         - Image|endswith: '\rcsi.exe'
-    renamed:    
+    renamed:
         - OriginalFileName: 'csi.exe'
         - OriginalFileName: 'rcsi.exe'
-    selection:    
+    selection:
         Company: 'Microsoft Corporation'
     condition: (basic or renamed) and selection
 fields:
     - ComputerName
     - User
     - CommandLine
-    - ParentCommandLine    
+    - ParentCommandLine
 falsepositives:
-    - Legitimate usage by software developers 
+    - Legitimate usage by software developers
 level: medium
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_del.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_del.yml
index c065e0976..ff006662d 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_del.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_del.yml
@@ -8,7 +8,7 @@ references:
     - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D
 tags:
     - attack.defense_evasion
-    - attack.t1070.004 
+    - attack.t1070.004
 logsource:
     category: process_creation
     product: windows
@@ -23,7 +23,7 @@ detection:
             - 'del *.dll'
             - 'C:\ProgramData\'
     condition: susp_del_exe or susp_del_dll
-#cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit 
+#cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit
 falsepositives:
     - Unknown
 level: medium
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml
index 75afd1572..61030766e 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml
@@ -15,10 +15,10 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - ' -t msi-install '
             - ' -i http'
     condition: selection
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml
index 9dfc4ab19..167441ed1 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml
@@ -21,4 +21,4 @@ falsepositives:
 level: high
 tags:
   - attack.defense_evasion
-  - attack.t1218 
+  - attack.t1218
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_dir.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_dir.yml
index 81cd2e782..5fa80c212 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_dir.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_dir.yml
@@ -21,4 +21,4 @@ falsepositives:
 level: low
 tags:
     - attack.discovery
-    - attack.t1217
\ No newline at end of file
+    - attack.t1217
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml
index 0d6f91371..f2e93c18e 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml
@@ -9,7 +9,7 @@ tags:
     - attack.defense_evasion
     - attack.t1562.001
     - attack.t1070.001
-author: Florian Roth 
+author: Florian Roth
 date: 2021/02/11
 modified: 2021/12/02
 logsource:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml
index 2f2336e35..e29ff857d 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml
@@ -1,13 +1,13 @@
 title: Raccine Uninstall
 id: a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc
 status: experimental
-description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool. 
+description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
 references:
     - https://github.com/Neo23x0/Raccine
 tags:
     - attack.defense_evasion
     - attack.t1562.001
-author: Florian Roth 
+author: Florian Roth
 date: 2021/01/21
 modified: 2021/07/14
 logsource:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml
index e7fd6469d..ba1c7f4e2 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml
@@ -19,4 +19,4 @@ falsepositives:
 level: high
 tags:
     - attack.discovery
-    - attack.t1518.001
\ No newline at end of file
+    - attack.t1518.001
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml
index e82c9ff8b..c84925073 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml
@@ -20,4 +20,4 @@ detection:
     condition: selection
 falsepositives:
     - Admin activity (unclear what they do nowadays with finger.exe)
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_firewall_disable.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_firewall_disable.yml
index ebcb5e299..abf94646d 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_firewall_disable.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_firewall_disable.yml
@@ -21,7 +21,7 @@ detection:
       - opmode
       - 'mode=disable'
   selection_2:
-    CommandLine|contains|all:    
+    CommandLine|contains|all:
       - netsh
       - advfirewall
       - set
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml
index 0c73ba0dc..adf81da73 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml
@@ -5,7 +5,7 @@ description: Detects cases in which a user uses the built-in Windows utility gpr
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md
     - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
-    - https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/ 
+    - https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/
     - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
 author: frack113
 date: 2022/05/01
@@ -18,7 +18,7 @@ detection:
         CommandLine|contains:
             - '/z'
             - '/v'
-    condition: selection 
+    condition: selection
 falsepositives:
     - Unknown
 level: medium
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_hostname.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_hostname.yml
index c2b6eccf7..49fb52c83 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_hostname.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_hostname.yml
@@ -1,4 +1,4 @@
-title: Suspicious Execution of Hostname 
+title: Suspicious Execution of Hostname
 id: 7be5fb68-f9ef-476d-8b51-0256ebece19e
 status: experimental
 description: Use of hostname to get information
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml
index d4ece5241..4a01fbe5f 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml
@@ -1,4 +1,4 @@
-title: Suspicious Execution of InstallUtil Without Log 
+title: Suspicious Execution of InstallUtil Without Log
 id: d042284c-a296-4988-9be5-f424fadcc28c
 status: experimental
 description: Uses the .NET InstallUtil.exe application in order to execute image without log
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml
index f5b113d91..48f3736aa 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml
@@ -15,7 +15,7 @@ detection:
         CommandLine|contains|all:
             - 'SOFTWARE\Microsoft\Cryptography'
             - '/v '
-            - 'MachineGuid'  
+            - 'MachineGuid'
     condition: selection
 falsepositives:
     - Unknown
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml
index efe15ece8..926748839 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml
@@ -21,10 +21,10 @@ detection:
         - Imphash: 'd8b52ef6aaa3a81501bdfff9dbb96217'
         - Hashes|contains: 'IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217'
     selection_flags:
-        CommandLine|contains: 
+        CommandLine|contains:
             - ' /n 1 '
             - ' -n 1 '
     condition: all of selection*
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml
index 83266600c..18b283524 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml
@@ -8,7 +8,7 @@ references:
     - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
 tags:
     - attack.execution
-    - attack.t1106 
+    - attack.t1106
 author: Florian Roth
 date: 2021/07/17
 logsource:
@@ -25,10 +25,10 @@ detection:
             - '\powershell.exe'
     # Suspicious folders
     selection2:
-        CommandLine|contains: 
+        CommandLine|contains:
             - '\AppData\Local'
             - 'C:\Windows\Temp'
-            - 'C:\Users\Public' 
+            - 'C:\Users\Public'
     # Suspicious Execution Locations
     filter3:
         Image|contains:
@@ -36,10 +36,10 @@ detection:
             - 'C:\Windows\SysWOW64'
     # Suspicious extensions
     filter4:
-        CommandLine|contains: 
+        CommandLine|contains:
             - '.htm'
             - '.hta'
-        CommandLine|endswith: 
+        CommandLine|endswith:
             - 'mshta.exe'
             - 'mshta'
     condition: selection_base and ( selection1 or selection2 ) or ( selection_base and not filter3 ) or ( selection_base and not filter4 )
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_net_use_password_plaintext.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_net_use_password_plaintext.yml
index 76e390e19..741d2a37d 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_net_use_password_plaintext.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_net_use_password_plaintext.yml
@@ -13,7 +13,7 @@ detection:
     selection1:
         Image: C:\Windows\System32\net.exe
     selection2:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - 'net'
             - ' use '
             - ':*\\'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml
index 279ff01f6..64d6195c1 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml
@@ -1,7 +1,7 @@
 title: Suspicious Listing of Network Connections
 id: 1c67a717-32ba-409b-a45d-0fb704a73a81
 status: experimental
-description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. 
+description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery
 author: frack113
@@ -28,4 +28,4 @@ falsepositives:
 level: low
 tags:
     - attack.discovery
-    - attack.t1049
\ No newline at end of file
+    - attack.t1049
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_nmap.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_nmap.yml
index 28482d55f..6a2564354 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_nmap.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_nmap.yml
@@ -13,10 +13,10 @@ logsource:
 detection:
     selection:
         OriginalFileName: nmap.exe
-    condition: selection 
+    condition: selection
 falsepositives:
     - Network administator computeur
 level: high
 tags:
     - attack.discovery
-    - attack.t1046
\ No newline at end of file
+    - attack.t1046
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
index d89582a80..9d7aba57e 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
@@ -86,4 +86,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml
index fbb423399..53f8b708d 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml
@@ -1,6 +1,6 @@
-title: Suspicious NT Resource Kit Auditpol Usage 
+title: Suspicious NT Resource Kit Auditpol Usage
 id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e
-description: Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. 
+description: Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
 status: experimental
 author: Nasreddine Bencherchali @nas_bench
 references:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ntdll_type_redirect.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ntdll_type_redirect.yml
index 6369ab36d..dfadff5f2 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ntdll_type_redirect.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ntdll_type_redirect.yml
@@ -6,7 +6,7 @@ references:
     - https://www.x86matthew.com/view_post?id=ntdll_pipe
 tags:
     - attack.defense_evasion
-author: Florian Roth 
+author: Florian Roth
 date: 2022/03/05
 logsource:
     category: process_creation
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ntds.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ntds.yml
index 73f856eca..307aa72b4 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ntds.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ntds.yml
@@ -4,7 +4,7 @@ description: Detects suspicious process patterns used in NTDS.DIT exfiltration
 status: experimental
 author: Florian Roth
 references:
-    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration 
+    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
     - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
     - https://pentestlab.blog/tag/ntds-dit/
     - https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1
@@ -20,7 +20,7 @@ logsource:
 detection:
     selection_tool:
         # https://github.com/zcgonvh/NTDSDumpEx
-        - Image|endswith: 
+        - Image|endswith:
             - '\NTDSDump.exe'
             - '\NTDSDumpEx.exe'
         - CommandLine|contains|all:
@@ -62,4 +62,4 @@ detection:
     condition: 1 of selection* or all of set1*
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml
index 2da28f36c..994bbc3ae 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml
@@ -15,7 +15,7 @@ logsource:
 detection:
   encoded:
     Image|endswith: '\powershell.exe'
-    CommandLine|contains: 
+    CommandLine|contains:
         - ' -e '
         - ' -en '
         - ' -enc '
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml
index 830281b0b..1709d4bc9 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml
@@ -15,7 +15,7 @@ logsource:
     product: windows
 detection:
     selection_1:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - '\HarddiskVolumeShadowCopy'
             - 'ystem32\config\sam'
     selection_2:
@@ -26,7 +26,7 @@ detection:
             - 'copy $_.'
             - '.File]::Copy('
     condition: all of selection*
-falsepositives: 
+falsepositives:
     - Some rare backup scenarios
     - PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs
 level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml
index 13baad93e..6d24ff9f2 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml
@@ -25,4 +25,4 @@ detection:
 falsepositives:
     - Other tools with the same command line flag combination
     - Legitimate uses as part of Visual Studio development
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml
index 1d194067c..fa2478c4c 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml
@@ -20,10 +20,10 @@ detection:
             - 'PAExec'
             - 'accepteula'
             - 'cmd /c '
-    condition: selection_supporting_flags and selection_cmd_to_system 
+    condition: selection_supporting_flags and selection_cmd_to_system
 falsepositives:
-    - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare) 
+    - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)
 level: high
 tags:
     - attack.develop_capabilities
-    - attack.t1587.001
\ No newline at end of file
+    - attack.t1587.001
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml
index 972ce610d..132e57978 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml
@@ -1,4 +1,4 @@
-title: PsExec/PAExec Flags 
+title: PsExec/PAExec Flags
 id: 207b0396-3689-42d9-8399-4222658efc99
 status: experimental
 description: Detects suspicious flags used by PsExec and PAExec but no usual program name in command line
@@ -14,7 +14,7 @@ logsource:
     product: windows
 detection:
     selection_flags_1: # Escalation to LOCAL_SYSTEM
-        CommandLine|endswith: 
+        CommandLine|endswith:
             - ' -s cmd.exe'
             - ' -s -i cmd.exe'
     selection_flags_2:
@@ -24,14 +24,14 @@ detection:
             - ' -p '
             - ' \\'
     filter:
-        CommandLine|contains: 
+        CommandLine|contains:
             - 'paexec'
             - 'PsExec'
     condition: ( selection_flags_1 or selection_flags_2 ) and not filter
 falsepositives:
     - Weird admins that rename their tools
-    - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing 
+    - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
 level: high
 tags:
     - attack.develop_capabilities
-    - attack.t1587.001
\ No newline at end of file
+    - attack.t1587.001
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml
index 28e8f04fa..671a957d9 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml
@@ -1,4 +1,4 @@
-title: Rar Usage with Password and Compression Level 
+title: Rar Usage with Password and Compression Level
 id: faa48cae-6b25-4f00-a094-08947fef582f
 status: experimental
 description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
@@ -26,4 +26,4 @@ detection:
 falsepositives:
     - Legitimate use of Winrar command line version
     - Other command line tools, that use these flags
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml
index 9e29faf26..aaf52a7e9 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml
@@ -23,4 +23,4 @@ detection:
     condition: selection and not filter
 falsepositives:
     - User selecting a different installation folder (check for other sub processes of this explorer.exe process)
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml
index 9dfaab71a..1b7415fcf 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml
@@ -1,8 +1,8 @@
 title: Rclone Execution via Command Line or PowerShell
-id: e37db05d-d1f9-49c8-b464-cee1a4b11638 
+id: e37db05d-d1f9-49c8-b464-cee1a4b11638
 related:
     - id: a0d63692-a531-4912-ad39-4393325b2a9c
-      type: obsoletes 
+      type: obsoletes
     - id: cb7286ba-f207-44ab-b9e6-760d82b84253
       type: obsoletes
 description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml
index 040477109..f91da6f4e 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml
@@ -12,7 +12,7 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains: 
+        CommandLine|contains:
             - '> \\\\127.0.0.1\\admin$'
             - '> \\\\localhost\\admin$'
     condition: selection
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml
index d5231b3d5..2059613d5 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml
@@ -21,7 +21,7 @@ detection:
         CommandLine|contains|all:
             - 'reg'
             - 'add'
-            - 'hkcu\software\classes\ms-settings\shell\open\command' 
+            - 'hkcu\software\classes\ms-settings\shell\open\command'
             - '/v'
             - 'DelegateExecute'
     selection_3:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml
index b210e6045..46f8a0bb0 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml
@@ -12,7 +12,7 @@ logsource:
 detection:
     selection:
         Image|endswith: '\regedit.exe'
-        ParentImage|endswith: 
+        ParentImage|endswith:
             - '\TrustedInstaller.exe'
             - '\ProcessHacker.exe'
     condition: selection
@@ -21,4 +21,4 @@ falsepositives:
 level: high
 tags:
     - attack.privilege_escalation
-    - attack.t1548 
\ No newline at end of file
+    - attack.t1548
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml
index f7690358b..2f12c76eb 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml
@@ -15,7 +15,7 @@ logsource:
     product: windows
 detection:
     selection_flags:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - ' /s'
             - ' /u'
     selection_ip:
@@ -32,4 +32,4 @@ detection:
     condition: all of selection*
 falsepositives:
     - FQDNs that start with a number
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml
index 28d587b80..146940354 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml
@@ -7,7 +7,7 @@ references:
     - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
 tags:
     - attack.defense_evasion
-    - attack.t1218.010 
+    - attack.t1218.010
 author: frack113
 date: 2021/11/29
 logsource:
@@ -16,7 +16,7 @@ logsource:
 detection:
     selection:
         Image|endswith: '\regsvr32.exe'
-        CommandLine|endswith: '.jpg' # can add other 
+        CommandLine|endswith: '.jpg' # can add other
     condition: selection
 falsepositives:
     - Unknown
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml
index 5fd6ffc94..0d1c958eb 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml
@@ -18,7 +18,7 @@ detection:
     selection:
         Image|endswith: '\regsvr32.exe'
     filter:
-        CommandLine|contains: 
+        CommandLine|contains:
             - '.dll'
             - '.ocx'
             - '.cpl'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml
index 06c4680f6..2d75f71b0 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml
@@ -16,14 +16,14 @@ detection:
     selection2:
         OriginalFileName: 'PAExec.exe'
     filter:
-        Image|endswith: 
+        Image|endswith:
             - '\PAexec.exe'
             - '\paexec.exe'
     condition: ( selection1 or selection2 ) and not filter
 falsepositives:
     - Weird admins that rename their tools
-    - Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing 
+    - Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing
 level: high
 tags:
-    - attack.defense_evasion 
-    - attack.t1202 
\ No newline at end of file
+    - attack.defense_evasion
+    - attack.t1202
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_run_folder.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_run_folder.yml
index d53ee33f4..65c3d22ba 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_run_folder.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_run_folder.yml
@@ -17,7 +17,7 @@ detection:
             - '\Temp\'
             - '\Temporary Internet'
     filter_parent:
-        - ParentImage: 
+        - ParentImage:
             - 'C:\Windows\System32\cleanmgr.exe'
             - 'C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe'
             - 'C:\Windows\System32\dxgiadaptercache.exe'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml
index 7018898a6..5caaf7710 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml
@@ -11,7 +11,7 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - 'rundll32.exe'
             - 'Execute'
             - 'RegRead'
@@ -22,4 +22,4 @@ falsepositives:
 level: high
 tags:
     - attack.defense_evasion
-    - attack.t1055
\ No newline at end of file
+    - attack.t1055
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
index dfef79f64..7348fff7a 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
@@ -23,4 +23,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml
index bf9d1b0e9..619e4ec24 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml
@@ -7,7 +7,7 @@ references:
 author: Florian Roth
 date: 2022/04/21
 tags:
-   - attack.credential_access 
+   - attack.credential_access
    - attack.t1555.004
 logsource:
    category: process_creation
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml
index b1a6486ae..867728a58 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml
@@ -15,7 +15,7 @@ detection:
     filter1:
         ParentImage|endswith: '\svchost.exe'
     filter2:
-        ParentImage|contains: 
+        ParentImage|contains:
             - '\AppData\Local\'
             - '\Microsoft\Edge\'
     condition: selection and not filter1 and not filter2
@@ -26,5 +26,5 @@ falsepositives:
     - Possible but rare
 level: high
 tags:
-    - attack.defense_evasion 
-    - attack.t1202 
\ No newline at end of file
+    - attack.defense_evasion
+    - attack.t1202
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml
index 746676b78..e283ab2e7 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml
@@ -25,4 +25,4 @@ falsepositives:
 level: medium
 tags:
   - attack.defense_evasion
-  - attack.t1218.011 
+  - attack.t1218.011
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_user32_dll.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_user32_dll.yml
index 4dccc6f8a..67dc98497 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_user32_dll.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_user32_dll.yml
@@ -14,7 +14,7 @@ detection:
         Image|endswith: '\rundll32.exe'
         ParentImage|endswith: '\cmd.exe'
         CommandLine|contains: 'user32.dll,'
-    selection_function: 
+    selection_function:
         CommandLine|contains: 'LockWorkStation'
     condition: all of selection*
 fields:
@@ -24,4 +24,4 @@ falsepositives:
     - Scritps or links on the user desktop used to lock the workstation instead of Windows+L or the menu option
 level: medium
 tags:
-    - attack.defense_evasion 
+    - attack.defense_evasion
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml
index 65fda53ba..03ad8b432 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml
@@ -12,7 +12,7 @@ logsource:
 detection:
     selection:
         Image|endswith: '\schtasks.exe'
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - ' /create '
             - ' /sc once '
             - '\Temp\'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml
index 394bb15fe..42bebe751 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml
@@ -12,13 +12,13 @@ logsource:
 detection:
     schtasks_exe:
         Image|endswith: \schtasks.exe
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - /Change
             - /TN
             - /disable
-    #split to add other 
+    #split to add other
     schtasks_name:
-        CommandLine|contains: '\Microsoft\Windows\SystemRestore\SR' 
+        CommandLine|contains: '\Microsoft\Windows\SystemRestore\SR'
     condition: all of schtasks_*
 falsepositives:
     - Unknown
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml
index 6d9b0e34e..16169d293 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml
@@ -7,7 +7,7 @@ references:
     - https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04
 tags:
     - attack.execution
-    - attack.t1053.005 
+    - attack.t1053.005
 author: Florian Roth
 date: 2022/02/21
 modified: 2022/03/11
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml
index ac588817b..276f358ef 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml
@@ -6,7 +6,7 @@ references:
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
 tags:
     - attack.execution
-    - attack.t1053.005 
+    - attack.t1053.005
 author: Florian Roth
 date: 2022/04/15
 logsource:
@@ -17,12 +17,12 @@ detection:
         Image|endswith: '\schtasks.exe'
         CommandLine|contains: ' /create '
     selection_command:
-        CommandLine|contains: 
+        CommandLine|contains:
             - 'powershell'
             - 'cmd /c '
             - 'cmd.exe /c '
     selection1_all_folders:
-        CommandLine|contains: 
+        CommandLine|contains:
             - 'C:\ProgramData\'
             - '%ProgramData%'
     condition: all of selection*
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml
index 57497150c..7ae9ac3bd 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml
@@ -1,4 +1,4 @@
-title: Suspicious Add Scheduled Task From User AppData Temp 
+title: Suspicious Add Scheduled Task From User AppData Temp
 id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8
 description: schtasks.exe create task from user AppData\Local\Temp
 status: experimental
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml
index d146d9dca..a4f02fda3 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)
 references:
     - https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies
-author: Florian Roth 
+author: Florian Roth
 date: 2021/02/11
 logsource:
     category: process_creation
@@ -22,5 +22,5 @@ falsepositives:
     - Legitimate use by administrative staff
 level: high
 tags:
-    - attack.initial_access 
-    - attack.t1133 
\ No newline at end of file
+    - attack.initial_access
+    - attack.t1133
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml
index 27fc22b0d..e1edd3d4d 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml
@@ -1,4 +1,4 @@
-title: Suspicious ScreenSave Change by Reg.exe  
+title: Suspicious ScreenSave Change by Reg.exe
 id: 0fc35fc3-efe6-4898-8a37-0b233339524f
 status: experimental
 author: frack113
@@ -50,4 +50,4 @@ detection:
     condition: selection_reg and 1 of selection_option_*
 falsepositives:
     - GPO
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml
index 8ac20c618..6aee99e26 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml
@@ -34,7 +34,7 @@ detection:
             - 'cscript.exe'
             - 'cmd.exe'
     folders:
-        Image|contains: 
+        Image|contains:
             - '\Windows\Temp'
             - '\Temporary Internet'
             - '\AppData\Local\Temp'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml
index fa3b379c8..fab55fe05 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml
@@ -20,7 +20,7 @@ detection:
             - '\mshta.exe'
             - '\wscript.exe'
             - '\cscript.exe'
-        CommandLine|contains: 
+        CommandLine|contains:
             - '\Windows\Temp'
             - '\Temporary Internet'
             - '\AppData\Local\Temp'
@@ -29,7 +29,7 @@ detection:
             - '%TMP%'
             - '%LocalAppData%\Temp'
     filter:
-        CommandLine|contains: 
+        CommandLine|contains:
             - ' >'
             - 'Out-File'
             - 'ConvertTo-Json'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_execution.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_execution.yml
index 9b011d35f..073315698 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_execution.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_execution.yml
@@ -29,4 +29,3 @@ tags:
   - attack.execution
   - attack.t1059.005
   - attack.t1059.007
-  
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml
index f435334e9..0702c4ae9 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml
@@ -11,13 +11,13 @@ logsource:
     product: windows
 detection:
     selection:
-        Image|contains: 
+        Image|contains:
             - '\Users\Public\'
             - '\$Recycle.bin'
             - '\Users\All Users\'
             - '\Users\Default\'
             - '\Users\Contacts\'
-            - '\Users\Searches\' 
+            - '\Users\Searches\'
             - 'C:\Perflogs\'
             - '\config\systemprofile\'
             - '\Windows\Fonts\'
@@ -31,5 +31,5 @@ falsepositives:
     - Unknown
 level: high
 tags:
-    - attack.defense_evasion 
-    - attack.t1202 
\ No newline at end of file
+    - attack.defense_evasion
+    - attack.t1202
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml
index dbc592b76..4d80a6f19 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml
@@ -23,7 +23,7 @@ detection:
             - ' McAfeeDLPAgentService'
             - ' Trend Micro Deep Security Manager'
             - ' TMBMServer'
-            # Feel free to add more service name         
+            # Feel free to add more service name
     condition: all of selection*
 fields:
     - ComputerName
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml
index 25032789c..2440ff83a 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml
@@ -1,7 +1,7 @@
 title: Serv-U Exploitation CVE-2021-35211 by DEV-0322
 id: 75578840-9526-4b2a-9462-af469a45e767
 status: experimental
-description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322 
+description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
 author: Florian Roth
 date: 2021/07/14
 references:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml
index 9e057ebfc..b3e728136 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml
@@ -11,7 +11,7 @@ logsource:
     product: windows
 tags:
     - attack.credential_access
-    - attack.t1555 
+    - attack.t1555
     - cve.2021.35211
 detection:
     selection:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml
index 34ff6cca7..cfe78a138 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml
@@ -1,4 +1,4 @@
-title: Suspicious Execution of SharpView Aka PowerView 
+title: Suspicious Execution of SharpView Aka PowerView
 id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
 status: experimental
 description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
@@ -152,4 +152,4 @@ tags:
     - attack.t1069.002
     - attack.t1482
     - attack.t1135
-    - attack.t1033
\ No newline at end of file
+    - attack.t1033
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml
index 0ae38fb87..05fa8106c 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml
@@ -1,7 +1,7 @@
-title: Suspicious Execution of Shutdown 
+title: Suspicious Execution of Shutdown
 id: 34ebb878-1b15-4895-b352-ca2eeb99b274
 status: experimental
-description: Use of the commandline to shutdown or reboot windows 
+description: Use of the commandline to shutdown or reboot windows
 author: frack113
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
@@ -13,8 +13,8 @@ logsource:
 detection:
     selection:
         Image|endswith: \shutdown.exe
-        CommandLine|contains: 
-            - '/r ' 
+        CommandLine|contains:
+            - '/r '
             - '/s '
     condition: selection
 falsepositives:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml
index 92bb4848c..91f76524f 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml
@@ -19,5 +19,5 @@ falsepositives:
     - Unknown
 level: high
 tags:
-    - attack.defense_evasion 
-    - attack.t1202 
\ No newline at end of file
+    - attack.defense_evasion
+    - attack.t1202
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml
index cf2c22f48..113c0103c 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml
@@ -78,4 +78,4 @@ fields:
     - CommandLine
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml
index 797350510..93ecbe42c 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml
@@ -63,4 +63,4 @@ falsepositives:
     - Gitkraken
     - Slack
     - Teams
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
index 6c8d7a93a..4da12b0b0 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
@@ -62,7 +62,7 @@ detection:
             - 'token::'      #Mimikatz
             - 'vault::cred'     #Mimikatz
             - 'vault::list'     #Mimikatz
-            - ' p::d '  # Mimikatz 
+            - ' p::d '  # Mimikatz
             - ';iex('  # PowerShell IEX
             - 'MiniDump'  # Process dumping method apart from procdump
             - 'net user '
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml
index 814f9e17a..adb410b5f 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml
@@ -1,4 +1,4 @@
-title: Suspicious Execution of Systeminfo 
+title: Suspicious Execution of Systeminfo
 id: 0ef56343-059e-4cb6-adc1-4c3c967c5e46
 status: experimental
 description: Use of systeminfo to get information
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_takeown.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_takeown.yml
index 962297b44..5fed6efa6 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_takeown.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_takeown.yml
@@ -1,4 +1,4 @@
-title: Suspicious Recursif Takeown 
+title: Suspicious Recursif Takeown
 id: 554601fb-9b71-4bcc-abf4-21a611be4fde
 status: experimental
 description: Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
index 2b71b9c66..9b16b2985 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
@@ -26,4 +26,3 @@ detection:
 falsepositives:
     - The process spawned by vsjitdebugger.exe is uncommon.
 level: medium
-
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
index b286838b9..785cd57d8 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
@@ -27,4 +27,4 @@ falsepositives:
 level: medium
 tags:
     - attack.defense_evasion
-    - attack.t1055
\ No newline at end of file
+    - attack.t1055
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml
index 03e4273c5..9552c6bc5 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml
@@ -1,7 +1,7 @@
 title: Windows Credential Manager Access via VaultCmd
 id: 58f50261-c53b-4c88-bd12-1d71f12eda4c
 status: experimental
-description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe 
+description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
 author: frack113
 date: 2022/04/08
 modified: 2022/05/13
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml
index cc1721cc0..4e1d52901 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml
@@ -25,4 +25,4 @@ falsepositives:
 level: high
 tags:
     - attack.persistence
-    - attack.t1547.001
\ No newline at end of file
+    - attack.t1547.001
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml
index 416b8f301..20a1c76e9 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml
@@ -17,7 +17,7 @@ detection:
         CommandLine|contains|all:
             - 'reg'
             - ' add '
-            - '\Services\VSS\Diag' 
+            - '\Services\VSS\Diag'
             - '/d Disabled'
     condition: selection
 falsepositives:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd.yml
index ef3327d7d..e1311e134 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd.yml
@@ -26,4 +26,4 @@ detection:
     condition: selection
 falsepositives:
     - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml
index 46b127cb1..541e66dc0 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml
@@ -38,4 +38,4 @@ falsepositives:
 level: low
 tags:
     - attack.discovery
-    - attack.t1217
\ No newline at end of file
+    - attack.t1217
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml
index 7fa86299a..0dcff7cec 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml
@@ -24,4 +24,4 @@ falsepositives:
 level: high
 tags:
     - attack.collection
-    - attack.t1560.001
\ No newline at end of file
+    - attack.t1560.001
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml
index 3f65047b3..2b6723bd9 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml
@@ -15,16 +15,16 @@ logsource:
     product: windows
 detection:
     selection:
-        - Image|endswith: 
+        - Image|endswith:
             - '\rar.exe'
             - '\winrar.exe'
         - Description: 'Command line RAR'
     filter:
-        Image|contains: 
+        Image|contains:
             - '\WinRAR'
             - 'C:\Windows\Temp'
             - '\UnRAR.exe'
     condition: selection and not filter
 falsepositives:
     - Legitimate use of WinRAR in a folder of a software that bundles WinRAR
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrm_awl_bypass.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrm_awl_bypass.yml
index bfd2f6cf6..3f15726f5 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrm_awl_bypass.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrm_awl_bypass.yml
@@ -14,14 +14,14 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    contains_format_pretty_arg:       
+    contains_format_pretty_arg:
         CommandLine|contains:
             - 'format:pretty'
             - 'format:"pretty"'
             - 'format:"text"'
             - 'format:text'
     image_from_system_folder:
-        Image|startswith: 
+        Image|startswith:
             - 'C:\Windows\System32\'
             - 'C:\Windows\SysWOW64\'
     contains_winrm:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml
index caf3e2331..48afb3863 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml
@@ -23,7 +23,7 @@ detection:
             - ' -Path '
             - ' -DestinationPath '
             - '$env:TEMP\'
-    condition: selection 
+    condition: selection
 falsepositives:
     - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml
index 09e2c4428..628c2e045 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml
@@ -11,8 +11,8 @@ date: 2017/08/28
 modified: 2021/09/12
 author: Markus Neis
 tags:
-    - attack.resource_development 
-    - attack.t1588.002 
+    - attack.resource_development
+    - attack.t1588.002
 logsource:
     category: process_creation
     product: windows
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml
index 505f7d952..b7627f599 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml
@@ -22,7 +22,7 @@ detection:
             - 'unload'
             - 'sys'
     condition: selection
-falsepositives: 
+falsepositives:
     - Unknown
 level: high
 fields:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml
index b461488fb..418bdb816 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml
@@ -2,7 +2,7 @@ title: UAC Bypass via Event Viewer
 id: be344333-921d-4c4d-8bb8-e584cf584780
 related:
     - id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
-      type: derived  
+      type: derived
 status: experimental
 description: Detects UAC bypass method using Windows event viewer
 references:
@@ -30,4 +30,4 @@ fields:
     - ParentCommandLine
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_tool_psexec.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_tool_psexec.yml
index 194a60308..e94199583 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_tool_psexec.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_tool_psexec.yml
@@ -35,4 +35,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: low
\ No newline at end of file
+level: low
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml
index ea0ad60e7..4796a0437 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml
@@ -25,4 +25,4 @@ fields:
     - ParentCommandLine
 falsepositives:
     - Legitimate use by administrators
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_tor_browser.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_tor_browser.yml
index 9c858b127..6fd41d735 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_tor_browser.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_tor_browser.yml
@@ -11,7 +11,7 @@ logsource:
     product: windows
 detection:
     selection:
-        Image|endswith: 
+        Image|endswith:
             - '\tor.exe'
             - '\Tor Browser\Browser\firefox.exe'
     condition: selection
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_trust_discovery.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_trust_discovery.yml
index 02b621faf..1abe05231 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_trust_discovery.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_trust_discovery.yml
@@ -23,7 +23,7 @@ logsource:
 detection:
     selection_nltest_v1:
         Image|endswith: '\nltest.exe'
-        CommandLine|contains: 
+        CommandLine|contains:
             - 'domain_trusts'
             - 'all_trusts'
             - '/trusted_domains'
@@ -31,7 +31,7 @@ detection:
     selection_dsquery_v1:
         Image|endswith: '\dsquery.exe'
         CommandLine|contains: 'trustedDomain'
-    selection_dsquery_v2:    
+    selection_dsquery_v2:
         Image|endswith: '\dsquery.exe'
         CommandLine|contains|all:
             - '-filter'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml
index 81de7aa9d..ae502a214 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml
@@ -18,7 +18,7 @@ detection:
             - '\WindowsSensor.exe'
             - ' /uninstall'
             - ' /quiet'
-    condition: selection 
+    condition: selection
 fields:
     - ComputerName
     - User
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml
index d948f9b39..7a2561d1c 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml
@@ -1,4 +1,4 @@
-title: Uninstall Sysinternals Sysmon 
+title: Uninstall Sysinternals Sysmon
 id: 6a5f68d1-c4b5-46b9-94ee-5324892ea939
 status: experimental
 description: Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion
@@ -11,7 +11,7 @@ logsource:
     product: windows
 detection:
     selection:
-        Image|endswith: 
+        Image|endswith:
             - \Sysmon64.exe
             - \Sysmon.exe
         CommandLine|contains: '-u'
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml
index 75b3ec1fa..e777d578a 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml
@@ -26,17 +26,17 @@ detection:
          - '\caddy.exe'
          - '\ws_tomcatservice.exe'
    selection_webserver_characteristics_tomcat1:
-      ParentImage|endswith: 
+      ParentImage|endswith:
          - '\java.exe'
          - '\javaw.exe'
-      ParentImage|contains: 
+      ParentImage|contains:
          - '-tomcat-'
          - '\tomcat'
    selection_webserver_characteristics_tomcat2:
-      ParentImage|endswith: 
+      ParentImage|endswith:
          - '\java.exe'
          - '\javaw.exe'
-      CommandLine|contains: 
+      CommandLine|contains:
          - 'catalina.jar'
          - 'CATALINA_HOME'
    # Suspicious child processes
@@ -67,7 +67,7 @@ detection:
       Image|endswith:
          # Credential stealing
          - '\ntdsutil.exe'
-         # AD recon 
+         # AD recon
          - '\ldifde.exe'
          - '\adfind.exe'
          # Process dumping
@@ -82,11 +82,11 @@ detection:
          - ' -NoP '  # Often used in malicious PowerShell commands
          - ' -W Hidden '  # Often used in malicious PowerShell commands
          - ' -decode '  # Used with certutil
-         - ' /decode '  # Used with certutil 
+         - ' /decode '  # Used with certutil
          - 'reg save '  # save registry SAM - syskey extraction
          - '.downloadstring('  # PowerShell download command
          - '.downloadfile('  # PowerShell download command
-         - 'FromBase64String' # PowerShell encoded payload 
+         - 'FromBase64String' # PowerShell encoded payload
          - ' /ticket:'  # Rubeus
          - ' sekurlsa'  # Mimikatz
          - '.dmp full'  # Process dumping method apart from procdump
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml
index 344808bb8..cbfe56d48 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml
@@ -23,17 +23,17 @@ detection:
          - '\caddy.exe'
          - '\ws_tomcatservice.exe'
    selection_webserver_characteristics_tomcat1:
-      ParentImage|endswith: 
+      ParentImage|endswith:
          - '\java.exe'
          - '\javaw.exe'
-      ParentImage|contains: 
+      ParentImage|contains:
          - '-tomcat-'
          - '\tomcat'
    selection_webserver_characteristics_tomcat2:
-      ParentImage|endswith: 
+      ParentImage|endswith:
          - '\java.exe'
          - '\javaw.exe'
-      CommandLine|contains: 
+      CommandLine|contains:
          - 'catalina.jar'
          - 'CATALINA_HOME'
    recon:
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml
index 3f89a2ea0..51c274424 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml
@@ -24,17 +24,17 @@ detection:
          - '\tomcat.exe'
          - '\UMWorkerProcess.exe'  # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
    selection_webserver_characteristics_tomcat1:
-      ParentImage|endswith: 
+      ParentImage|endswith:
          - '\java.exe'
          - '\javaw.exe'
-      ParentImage|contains: 
+      ParentImage|contains:
          - '-tomcat-'
          - '\tomcat'
    selection_webserver_characteristics_tomcat2:
-      ParentImage|endswith: 
+      ParentImage|endswith:
          - '\java.exe'
          - '\javaw.exe'
-      ParentCommandLine|contains: 
+      ParentCommandLine|contains:
          - 'catalina.jar'
          - 'CATALINA_HOME'
          - 'catalina.home'
@@ -52,4 +52,3 @@ fields:
 falsepositives:
    - Particular web applications may spawn a shell process legitimately
 level: high
-
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_whoami_priv.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_whoami_priv.yml
index bd98b67a3..7370c9299 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_whoami_priv.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_whoami_priv.yml
@@ -1,7 +1,7 @@
 title: Run Whoami Showing Privileges
 id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b
 status: experimental
-description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. This is often used after a privilege escalation attempt. 
+description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. This is often used after a privilege escalation attempt.
 references:
     - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
 author: Florian Roth
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml
index 59c7fc5b5..0539acb6e 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml
@@ -5,9 +5,9 @@ description: Detects the Installation of a Exchange Transport Agent
 references:
     - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
 tags:
-    - attack.persistence  
-    - attack.t1505.002    
-author: Tobias Michalski  
+    - attack.persistence
+    - attack.t1505.002
+author: Tobias Michalski
 date: 2021/06/08
 modified: 2021/09/19
 logsource:
@@ -21,4 +21,4 @@ falsepositives:
     - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
 level: medium
 fields:
-    - AssemblyPath
\ No newline at end of file
+    - AssemblyPath
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml
index 750a2cc57..4b27580a6 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml
@@ -29,4 +29,4 @@ level: high
 tags:
     - attack.execution
     - attack.t1047
-    - attack.t1059.001
\ No newline at end of file
+    - attack.t1059.001
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml
index ac6ec4bbd..2906b7e70 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml
@@ -20,7 +20,7 @@ detection:
             - process
             - qfe
     filter:
-        CommandLine|contains|all: #rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}` 
+        CommandLine|contains|all: #rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}`
             - call
             - create
     condition: all of selection* and not filter
diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml
index 260821395..d825996fa 100644
--- a/src/main/resources/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml
+++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml
@@ -1,4 +1,4 @@
-title: WMI Uninstall An Application 
+title: WMI Uninstall An Application
 id: b53317a0-8acf-4fd1-8de8-a5401e776b96
 status: experimental
 description: Uninstall an application with wmic
diff --git a/src/main/resources/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/src/main/resources/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
index 6011077e3..6fe3d89c0 100644
--- a/src/main/resources/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
+++ b/src/main/resources/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
@@ -64,4 +64,3 @@ fields:
 falsepositives:
     - Legitimate Administrator using tool for raw access or ongoing forensic investigation
 level: low  # far too many false positives
-
diff --git a/src/main/resources/rules/windows/registry/registry_add/registry_add_mal_netwire.yml b/src/main/resources/rules/windows/registry/registry_add/registry_add_mal_netwire.yml
index 94dfc6975..e6c953b42 100644
--- a/src/main/resources/rules/windows/registry/registry_add/registry_add_mal_netwire.yml
+++ b/src/main/resources/rules/windows/registry/registry_add/registry_add_mal_netwire.yml
@@ -1,8 +1,8 @@
 title: NetWire RAT Registry Key
 id: 1d218616-71b0-4c40-855b-9dbe75510f7f
 description: Attempts to detect registry events for common NetWire key HKCU\Software\NetWire
-Note: You likely will have to change the sysmon configuration file. 
-    Per SwiftOnSecurity "Because Sysmon runs as a service, it has no filtering ability for, 
+Note: You likely will have to change the sysmon configuration file.
+    Per SwiftOnSecurity "Because Sysmon runs as a service, it has no filtering ability for,
     or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation"
     Therefore I set <TargetObject condition="contains">netwire</TargetObjecct> in my configuration.
 status: experimental
@@ -28,4 +28,4 @@ falsepositives:
     - Unknown
 tags:
     - attack.defense_evasion
-    - attack.t1112 #The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary
\ No newline at end of file
+    - attack.t1112 #The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary
diff --git a/src/main/resources/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml b/src/main/resources/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml
index e9c902311..fd1ff07c7 100644
--- a/src/main/resources/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml
+++ b/src/main/resources/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml
@@ -27,4 +27,4 @@ falsepositives:
 level: high
 tags:
     - attack.execution
-    - attack.t1112
\ No newline at end of file
+    - attack.t1112
diff --git a/src/main/resources/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml b/src/main/resources/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml
index 03df88539..54bbe11f7 100644
--- a/src/main/resources/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml
+++ b/src/main/resources/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
     selection:
         EventType: 'CreateKey'  # don't want DeleteKey events
-        TargetObject|contains|all: 
+        TargetObject|contains|all:
             - 'HKU\'
             - 'Classes\CLSID\'
             - '\TreatAs'
@@ -23,4 +23,4 @@ falsepositives:
 level: medium
 tags:
     - attack.persistence
-    - attack.t1546.015
\ No newline at end of file
+    - attack.t1546.015
diff --git a/src/main/resources/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml b/src/main/resources/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml
index 7f17c2c24..0e5d1bf47 100644
--- a/src/main/resources/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml
+++ b/src/main/resources/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml
@@ -20,5 +20,5 @@ falsepositives:
     - Programs that use the same Registry Key
 level: low
 tags:
-    - attack.resource_development 
-    - attack.t1588.002 
\ No newline at end of file
+    - attack.resource_development
+    - attack.t1588.002
diff --git a/src/main/resources/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml b/src/main/resources/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml
index 7d197391c..b7ad3deff 100644
--- a/src/main/resources/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml
+++ b/src/main/resources/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml
@@ -21,4 +21,4 @@ falsepositives:
 level: medium
 tags:
     - attack.defense_evasion
-    - attack.t1070.004
\ No newline at end of file
+    - attack.t1070.004
diff --git a/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml b/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
index 3ef2e1734..5a5361916 100644
--- a/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
+++ b/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
@@ -24,4 +24,4 @@ falsepositives:
 level: high
 tags:
     - attack.defense_evasion
-    - attack.t1562.001
\ No newline at end of file
+    - attack.t1562.001
diff --git a/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
index c6c92af1f..4a86ef0f6 100644
--- a/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
+++ b/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
@@ -21,7 +21,7 @@ detection:
   filter_svchost:
     Image: 'C:\Windows\system32\svchost.exe'
   filter_office:
-    Image|startswith: 
+    Image|startswith:
       - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
       - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
     Image|endswith: '\OfficeClickToRun.exe'
diff --git a/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml b/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml
index c4b5492dd..095596979 100644
--- a/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml
+++ b/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
     selection:
         EventType: DeleteKey
-        TargetObject|contains|all: 
+        TargetObject|contains|all:
             - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
             - 'SD'
     condition: selection
diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml
index 36a523e37..2b0840d32 100644
--- a/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml
+++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml
@@ -15,7 +15,7 @@ logsource:
    product: windows
 detection:
     selection_reg1:
-        TargetObject|endswith: 
+        TargetObject|endswith:
             - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
             - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
     condition: selection_reg1
@@ -31,4 +31,4 @@ tags:
     - attack.defense_evasion
     - attack.t1112
     - attack.command_and_control
-    - attack.t1071.004
\ No newline at end of file
+    - attack.t1071.004
diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml
index 26311a8cc..c38885543 100644
--- a/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml
+++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml
@@ -17,4 +17,4 @@ detection:
 level: critical
 tags:
     - attack.persistence
-    - attack.t1547.001
\ No newline at end of file
+    - attack.t1547.001
diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
index ae48ef5e2..7ae99d471 100644
--- a/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
+++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
@@ -15,7 +15,7 @@ logsource:
     category: registry_event
     product: windows
 detection:
-    selection:        
+    selection:
         TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance'
     condition: selection
 falsepositives:
@@ -27,4 +27,4 @@ fields:
     - ParentCommandLine
     - Image
     - User
-    - TargetObject
\ No newline at end of file
+    - TargetObject
diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
index 782a2365c..5d3ab56e9 100644
--- a/src/main/resources/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
+++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
@@ -26,4 +26,4 @@ tags:
     - attack.execution
     - attack.t1218.003
     - attack.g0069
-    - car.2019-04-001
\ No newline at end of file
+    - car.2019-04-001
diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_crashdump_disabled.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_crashdump_disabled.yml
index be96ca227..23bb0e95d 100644
--- a/src/main/resources/rules/windows/registry/registry_event/registry_event_crashdump_disabled.yml
+++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_crashdump_disabled.yml
@@ -20,4 +20,4 @@ falsepositives:
 level: medium
 tags:
     - attack.t1564
-    - attack.t1112
\ No newline at end of file
+    - attack.t1112
diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml
index 08a48fe20..7daca86b1 100644
--- a/src/main/resources/rules/windows/registry/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -30,4 +30,4 @@ detection:
     condition: selection and not filter
 falsepositives:
     - Unlikely
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml
index ca584c21e..9d178c8c6 100644
--- a/src/main/resources/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml
+++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml
@@ -16,7 +16,7 @@ logsource:
     product: windows
     category: registry_event
 detection:
-    selection: 
+    selection:
         TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
     condition: selection
 falsepositives:
@@ -28,4 +28,4 @@ fields:
     - ParentCommandLine
     - Image
     - User
-    - TargetObject
\ No newline at end of file
+    - TargetObject
diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml
index 0be34ed13..7dc78a7fe 100644
--- a/src/main/resources/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml
+++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml
@@ -1,4 +1,4 @@
-title: Esentutl Volume Shadow Copy Service Keys 
+title: Esentutl Volume Shadow Copy Service Keys
 id: 5aad0995-46ab-41bd-a9ff-724f41114971
 description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
 status: experimental
@@ -18,7 +18,7 @@ detection:
         TargetObject|contains: 'System\CurrentControlSet\Services\VSS'
         Image|endswith: 'esentutl.exe' # limit esentutl as in references, too many FP to filter
     filter:
-        TargetObject|contains: 'System\CurrentControlSet\Services\VSS\Start'        
+        TargetObject|contains: 'System\CurrentControlSet\Services\VSS\Start'
     condition: selection and not filter
 falsepositives:
     - Unknown
diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml
index 3dbb8e686..7382a751a 100644
--- a/src/main/resources/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml
+++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml
@@ -17,7 +17,7 @@ detection:
     selection1:
         TargetObject|contains: '\Services\HybridConnectionManager'
     selection2:
-        EventType: SetValue 
+        EventType: SetValue
         Details|contains: 'Microsoft.HybridConnectionManager.Listener.exe'
     condition: selection1 or selection2
 falsepositives:
diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
index 6ded1f970..3665eacc1 100644
--- a/src/main/resources/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
+++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
@@ -1,4 +1,4 @@
-title: PrinterNightmare Mimimkatz Driver Name 
+title: PrinterNightmare Mimimkatz Driver Name
 id: ba6b9e43-1d45-4d3c-a504-1043a64c8469
 status: experimental
 description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
index 0e70d3dfd..c275f908c 100644
--- a/src/main/resources/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
+++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
@@ -16,7 +16,7 @@ logsource:
     category: registry_event
 detection:
     selection:
-        TargetObject|contains|all: 
+        TargetObject|contains|all:
             - 'SYSTEM\'
             - 'ControlSet'
             - '\Control\Lsa'
@@ -27,4 +27,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
index 08baeb45e..ff3f398c3 100644
--- a/src/main/resources/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -33,4 +33,4 @@ falsepositives:
 level: medium
 tags:
     - attack.persistence
-    - attack.t1546.010
\ No newline at end of file
+    - attack.t1546.010
diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
index 1ff0dd3e1..d44d040b0 100644
--- a/src/main/resources/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
+++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
@@ -19,7 +19,7 @@ detection:
     condition: Create_key or Set_key
 tags:
     - attack.persistence
-    - attack.t1547 
+    - attack.t1547
 falsepositives:
     - Unknown
 level: high
diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
index cb73fa4c4..592689d35 100644
--- a/src/main/resources/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
+++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
@@ -20,14 +20,14 @@ logsource:
     product: windows
 detection:
     selection1:
-        EventType: SetValue 
+        EventType: SetValue
         TargetObject|endswith: 'Classes\ms-settings\shell\open\command\SymbolicLinkValue'
         Details|contains: '\Software\Classes\{'
     selection2:
         TargetObject|endswith: 'Classes\ms-settings\shell\open\command\DelegateExecute'
     selection3:
         EventType: SetValue
-        TargetObject|endswith: 
+        TargetObject|endswith:
             - 'Classes\ms-settings\shell\open\command\(Default)'
             - 'Classes\exefile\shell\open\command\(Default)'
     filter_sel3:
diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
index 18f83195a..df44b42ca 100644
--- a/src/main/resources/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
+++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
@@ -14,9 +14,9 @@ logsource:
     category: registry_event
     product: windows
 detection:
-    selection:       
+    selection:
         TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
     condition: selection
 falsepositives:
     - Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
index 7a542b20e..a4a48839e 100644
--- a/src/main/resources/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
+++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
@@ -29,4 +29,4 @@ tags:
     - attack.persistence
     - attack.t1546.008
     - car.2014-11-003
-    - car.2014-11-008
\ No newline at end of file
+    - car.2014-11-008
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml
index f6b74bfaa..e052b6aab 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml
@@ -19,7 +19,7 @@ detection:
     selection:
         EventType: SetValue
         TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
-        Details|endswith: 
+        Details|endswith:
             - .sh
             - .exe
             - .dll
@@ -41,4 +41,4 @@ tags:
     - attack.defense_evasion
     - attack.persistence
     - attack.t1112
-    - attack.t1053
\ No newline at end of file
+    - attack.t1053
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
index 0c7940cfd..4452c86e4 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
@@ -30,4 +30,4 @@ falsepositives:
 level: high
 tags:
   - attack.persistence
-  - attack.t1547.010
\ No newline at end of file
+  - attack.t1547.010
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml
index a8504a2b4..eebb61cc7 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml
@@ -14,10 +14,10 @@ logsource:
 detection:
     selection:
         EventType: SetValue
-        TargetObject: 
+        TargetObject:
             - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
             - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections
-            - HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled 
+            - HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled
         Details: DWORD (0x00000001)
     condition: selection
 falsepositives:
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
index effa3e7b5..d99836568 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
@@ -15,7 +15,7 @@ detection:
     selection:
         EventType: SetValue
         TargetObject|endswith: '_Classes\mscfile\shell\open\command\(Default)'
-    filter:    
+    filter:
         Details: '%SystemRoot%\system32\mmc.exe "%1" %*'
     condition: selection and not filter
 falsepositives:
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
index 4f64f24b9..9831116a8 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
@@ -23,4 +23,4 @@ level: high
 tags:
   - attack.privilege_escalation
   - attack.defense_evasion
-  - attack.t1548.002
\ No newline at end of file
+  - attack.t1548.002
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
index b078a5993..5ea491e52 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
@@ -17,7 +17,7 @@ detection:
     selection:
         EventType: SetValue
         TargetObject: HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
-    filter:    
+    filter:
         Details: DWORD (0x00000d3d)
     condition: selection and not filter
 falsepositives:
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_chrome_extension.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
index 852a13bed..af0c7627a 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
@@ -17,112 +17,112 @@ detection:
         EventType: SetValue
     chrome_vpn:
         TargetObject|contains:
-            - fdcgdnkidjaadafnichfpabhfomcebme # ZenMate VPN 
-            - fcfhplploccackoneaefokcmbjfbkenj # 1clickVPN 
-            - bihmplhobchoageeokmgbdihknkjbknd # Touch VPN 
-            - gkojfkhlekighikafcpjkiklfbnlmeio # Hola Free VPN 
-            - jajilbjjinjmgcibalaakngmkilboobh # Astar VPN 
-            - gjknjjomckknofjidppipffbpoekiipm # VPN Free 
-            - nabbmpekekjknlbkgpodfndbodhijjem # Earth VPN 
-            - kpiecbcckbofpmkkkdibbllpinceiihk # DotVPN 
-            - nlbejmccbhkncgokjcmghpfloaajcffj # Hotspot Shield Free VPN 
-            - omghfjlpggmjjaagoclmmobgdodcjboh # Browsec VPN 
+            - fdcgdnkidjaadafnichfpabhfomcebme # ZenMate VPN
+            - fcfhplploccackoneaefokcmbjfbkenj # 1clickVPN
+            - bihmplhobchoageeokmgbdihknkjbknd # Touch VPN
+            - gkojfkhlekighikafcpjkiklfbnlmeio # Hola Free VPN
+            - jajilbjjinjmgcibalaakngmkilboobh # Astar VPN
+            - gjknjjomckknofjidppipffbpoekiipm # VPN Free
+            - nabbmpekekjknlbkgpodfndbodhijjem # Earth VPN
+            - kpiecbcckbofpmkkkdibbllpinceiihk # DotVPN
+            - nlbejmccbhkncgokjcmghpfloaajcffj # Hotspot Shield Free VPN
+            - omghfjlpggmjjaagoclmmobgdodcjboh # Browsec VPN
             - bibjcjfmgapbfoljiojpipaooddpkpai # VPN-free.pro
-            - mpcaainmfjjigeicjnlkdfajbioopjko # VPN Unlimited Free 
-            - jljopmgdobloagejpohpldgkiellmfnc # PP VPN 
-            - lochiccbgeohimldjooaakjllnafhaid # IP Unblock 
-            - nhnfcgpcbfclhfafjlooihdfghaeinfc # Surf VPN 
-            - ookhnhpkphagefgdiemllfajmkdkcaim # iNinja VPN 
-            - namfblliamklmeodpcelkokjbffgmeoo # Daily VPN 
-            - nbcojefnccbanplpoffopkoepjmhgdgh # Hoxx VPN Proxy 
-            - majdfhpaihoncoakbjgbdhglocklcgno # Free VPN 
-            - lnfdmdhmfbimhhpaeocncdlhiodoblbd # VPN PROXY MASTER 
-            - eppiocemhmnlbhjplcgkofciiegomcon # Urban Free VPN 
-            - cocfojppfigjeefejbpfmedgjbpchcng # SaferVPN Proxy 
-            - foiopecknacmiihiocgdjgbjokkpkohc # VPN Professional 
-            - hhdobjgopfphlmjbmnpglhfcgppchgje # AdGuard VPN 
-            - jgbaghohigdbgbolncodkdlpenhcmcge # Free VPN 
-            - inligpkjkhbpifecbdjhmdpcfhnlelja # Free One Touch VPN 
-            - higioemojdadgdbhbbbkfbebbdlfjbip # Unlimited VPN & Proxy by ibVPN 
-            - hipncndjamdcmphkgngojegjblibadbe # RusVPN 
-            - iolonopooapdagdemdoaihahlfkncfgg # Azino VPN 
-            - nhfjkakglbnnpkpldhjmpmmfefifedcj # Pron VPN 
-            - jpgljfpmoofbmlieejglhonfofmahini # Free Residential VPN 
-            - fgddmllnllkalaagkghckoinaemmogpe # ExpressVPN 
-            - ejkaocphofnobjdedneohbbiilggdlbi # Hotspot Shield Elite VPN Proxy 
-            - keodbianoliadkoelloecbhllnpiocoi # Hide My IP VPN 
-            - hoapmlpnmpaehilehggglehfdlnoegck # Tunnello VPN 
-            - poeojclicodamonabcabmapamjkkmnnk # HMA VPN Proxy Unblocker 
-            - dfkdflfgjdajbhocmfjolpjbebdkcjog # Free Avira Phantom VPN 
-            - kcdahmgmaagjhocpipbodaokikjkampi # Hola VPN 
-            - klnkiajpmpkkkgpgbogmcgfjhdoljacg # Free VPN for Chrome 
-            - lneaocagcijjdpkcabeanfpdbmapcjjg # Hub VPN 
-            - pgfpignfckbloagkfnamnolkeaecfgfh # Free Proxy VPN 
-            - jplnlifepflhkbkgonidnobkakhmpnmh # Private Internet Access 
-            - jliodmnojccaloajphkingdnpljdhdok # Turbo VPN for PC 
-            - hnmpcagpplmpfojmgmnngilcnanddlhb # Windscribe 
-            - ffbkglfijbcbgblgflchnbphjdllaogb # CyberGhost VPN 
-            - kcndmbbelllkmioekdagahekgimemejo # VPN.AC 
-            - jdgilggpfmjpbodmhndmhojklgfdlhob # Browser VPN 
-            - bihhflimonbpcfagfadcnbbdngpopnjb # DEEPRISM VPN 
-            - ppajinakbfocjfnijggfndbdmjggcmde # My Browser Vpn 
-            - oofgbpoabipfcfjapgnbbjjaenockbdp # SetupVPN 
-            - bhnhkdgoefpmekcgnccpnhjfdgicfebm # Wachee VPN 
-            - knmmpciebaoojcpjjoeonlcjacjopcpf # Thunder Proxy 
-            - dhadilbmmjiooceioladdphemaliiobo # Free Proxy VPN 
-            - jedieiamjmoflcknjdjhpieklepfglin # FastestVPN Proxy 
-            - mhngpdlhojliikfknhfaglpnddniijfh # WorkingVPN 
-            - omdakjcmkglenbhjadbccaookpfjihpa # TunnelBear VPN 
-            - npgimkapccfidfkfoklhpkgmhgfejhbj # BelkaVPN 
-            - akeehkgglkmpapdnanoochpfmeghfdln # VPN Master 
-            - gbmdmipapolaohpinhblmcnpmmlgfgje # Unblock Websites 
-            - aigmfoeogfnljhnofglledbhhfegannp # Lethean Proxy VPN 
-            - cgojmfochfikphincbhokimmmjenhhgk # Whoer VPN 
-            - ficajfeojakddincjafebjmfiefcmanc # Best VPN USA 
-            - ifnaibldjfdmaipaddffmgcmekjhiloa # FREE VPN DEWELOPMENT 
-            - jbnmpdkcfkochpanomnkhnafobppmccn # apkfold free vpn 
-            - apcfdffemoinopelidncddjbhkiblecc # Soul VPN 
-            - mjolnodfokkkaichkcjipfgblbfgojpa # DotVPN 
-            - oifjbnnafapeiknapihcmpeodaeblbkn # rderzh VPN Proxy 
-            - plpmggfglncceinmilojdkiijhmajkjh # Red Panda VPN 
-            - mjnbclmflcpookeapghfhapeffmpodij # Ultrareach VPN 
-            - bblcccknbdbplgmdjnnikffefhdlobhp # FastStunnel VPN 
-            - aojlhgbkmkahabcmcpifbolnoichfeep # VirtualShield VPN 
-            - lcmammnjlbmlbcaniggmlejfjpjagiia # Adblock Office VPN Proxy Server 
-            - knajdeaocbpmfghhmijicidfcmdgbdpm # Guru VPN & Proxy 
-            - bdlcnpceagnkjnjlbbbcepohejbheilk # Malus VPN 
-            - edknjdjielmpdlnllkdmaghlbpnmjmgb # Muscle VPN 
-            - eidnihaadmmancegllknfbliaijfmkgo # Push VPN 
-            - ckiahbcmlmkpfiijecbpflfahoimklke # Gom VPN 
-            - macdlemfnignjhclfcfichcdhiomgjjb # Free Fast VPN 
-            - chioafkonnhbpajpengbalkececleldf # BullVPN 
-            - amnoibeflfphhplmckdbiajkjaoomgnj # HideAll VPN 
-            - llbhddikeonkpbhpncnhialfbpnilcnc # ProxyFlow 
-            - pcienlhnoficegnepejpfiklggkioccm # Cloud VPN 
-            - iocnglnmfkgfedpcemdflhkchokkfeii # sVPN 
-            - igahhbkcppaollcjeaaoapkijbnphfhb # Social VPN 
-            - njpmifchgidinihmijhcfpbdmglecdlb # Trellonet Trellonet 
-            - ggackgngljinccllcmbgnpgpllcjepgc # WindmillVPN 
-            - kchocjcihdgkoplngjemhpplmmloanja # IPBurger Proxy & VPN 
-            - bnijmipndnicefcdbhgcjoognndbgkep # Veee 
-            - lklekjodgannjcccdlbicoamibgbdnmi # Anonymous Proxy Vpn Browser 
-            - dbdbnchagbkhknegmhgikkleoogjcfge # Hideman VPN 
-            - egblhcjfjmbjajhjhpmnlekffgaemgfh # Fornex VPN 
-            - ehbhfpfdkmhcpaehaooegfdflljcnfec # WeVPN 
-            - bkkgdjpomdnfemhhkalfkogckjdkcjkg # VPNMatic 
-            - almalgbpmcfpdaopimbdchdliminoign # Urban Shield 
-            - akkbkhnikoeojlhiiomohpdnkhbkhieh # Prime VPN 
-            - gbfgfbopcfokdpkdigfmoeaajfmpkbnh # westwind 
-            - bniikohfmajhdcffljgfeiklcbgffppl # Upnet 
-            - lejgfmmlngaigdmmikblappdafcmkndb # uVPN 
-            - ffhhkmlgedgcliajaedapkdfigdobcif # Nucleus VPN 
-            - gcknhkkoolaabfmlnjonogaaifnjlfnp # FoxyProxy Standard 
-            - pooljnboifbodgifngpppfklhifechoe # GeoProxy 
-            - fjoaledfpmneenckfbpdfhkmimnjocfa # NordVPN 
-            - aakchaleigkohafkfjfjbblobjifikek # ProxFlow 
-            - dpplabbmogkhghncfbfdeeokoefdjegm # Proxy SwitchySharp 
-            - padekgcemlokbadohgkifijomclgjgif # Proxy SwitchyOmega 
-            - bfidboloedlamgdmenmlbipfnccokknp # PureVPN 
+            - mpcaainmfjjigeicjnlkdfajbioopjko # VPN Unlimited Free
+            - jljopmgdobloagejpohpldgkiellmfnc # PP VPN
+            - lochiccbgeohimldjooaakjllnafhaid # IP Unblock
+            - nhnfcgpcbfclhfafjlooihdfghaeinfc # Surf VPN
+            - ookhnhpkphagefgdiemllfajmkdkcaim # iNinja VPN
+            - namfblliamklmeodpcelkokjbffgmeoo # Daily VPN
+            - nbcojefnccbanplpoffopkoepjmhgdgh # Hoxx VPN Proxy
+            - majdfhpaihoncoakbjgbdhglocklcgno # Free VPN
+            - lnfdmdhmfbimhhpaeocncdlhiodoblbd # VPN PROXY MASTER
+            - eppiocemhmnlbhjplcgkofciiegomcon # Urban Free VPN
+            - cocfojppfigjeefejbpfmedgjbpchcng # SaferVPN Proxy
+            - foiopecknacmiihiocgdjgbjokkpkohc # VPN Professional
+            - hhdobjgopfphlmjbmnpglhfcgppchgje # AdGuard VPN
+            - jgbaghohigdbgbolncodkdlpenhcmcge # Free VPN
+            - inligpkjkhbpifecbdjhmdpcfhnlelja # Free One Touch VPN
+            - higioemojdadgdbhbbbkfbebbdlfjbip # Unlimited VPN & Proxy by ibVPN
+            - hipncndjamdcmphkgngojegjblibadbe # RusVPN
+            - iolonopooapdagdemdoaihahlfkncfgg # Azino VPN
+            - nhfjkakglbnnpkpldhjmpmmfefifedcj # Pron VPN
+            - jpgljfpmoofbmlieejglhonfofmahini # Free Residential VPN
+            - fgddmllnllkalaagkghckoinaemmogpe # ExpressVPN
+            - ejkaocphofnobjdedneohbbiilggdlbi # Hotspot Shield Elite VPN Proxy
+            - keodbianoliadkoelloecbhllnpiocoi # Hide My IP VPN
+            - hoapmlpnmpaehilehggglehfdlnoegck # Tunnello VPN
+            - poeojclicodamonabcabmapamjkkmnnk # HMA VPN Proxy Unblocker
+            - dfkdflfgjdajbhocmfjolpjbebdkcjog # Free Avira Phantom VPN
+            - kcdahmgmaagjhocpipbodaokikjkampi # Hola VPN
+            - klnkiajpmpkkkgpgbogmcgfjhdoljacg # Free VPN for Chrome
+            - lneaocagcijjdpkcabeanfpdbmapcjjg # Hub VPN
+            - pgfpignfckbloagkfnamnolkeaecfgfh # Free Proxy VPN
+            - jplnlifepflhkbkgonidnobkakhmpnmh # Private Internet Access
+            - jliodmnojccaloajphkingdnpljdhdok # Turbo VPN for PC
+            - hnmpcagpplmpfojmgmnngilcnanddlhb # Windscribe
+            - ffbkglfijbcbgblgflchnbphjdllaogb # CyberGhost VPN
+            - kcndmbbelllkmioekdagahekgimemejo # VPN.AC
+            - jdgilggpfmjpbodmhndmhojklgfdlhob # Browser VPN
+            - bihhflimonbpcfagfadcnbbdngpopnjb # DEEPRISM VPN
+            - ppajinakbfocjfnijggfndbdmjggcmde # My Browser Vpn
+            - oofgbpoabipfcfjapgnbbjjaenockbdp # SetupVPN
+            - bhnhkdgoefpmekcgnccpnhjfdgicfebm # Wachee VPN
+            - knmmpciebaoojcpjjoeonlcjacjopcpf # Thunder Proxy
+            - dhadilbmmjiooceioladdphemaliiobo # Free Proxy VPN
+            - jedieiamjmoflcknjdjhpieklepfglin # FastestVPN Proxy
+            - mhngpdlhojliikfknhfaglpnddniijfh # WorkingVPN
+            - omdakjcmkglenbhjadbccaookpfjihpa # TunnelBear VPN
+            - npgimkapccfidfkfoklhpkgmhgfejhbj # BelkaVPN
+            - akeehkgglkmpapdnanoochpfmeghfdln # VPN Master
+            - gbmdmipapolaohpinhblmcnpmmlgfgje # Unblock Websites
+            - aigmfoeogfnljhnofglledbhhfegannp # Lethean Proxy VPN
+            - cgojmfochfikphincbhokimmmjenhhgk # Whoer VPN
+            - ficajfeojakddincjafebjmfiefcmanc # Best VPN USA
+            - ifnaibldjfdmaipaddffmgcmekjhiloa # FREE VPN DEWELOPMENT
+            - jbnmpdkcfkochpanomnkhnafobppmccn # apkfold free vpn
+            - apcfdffemoinopelidncddjbhkiblecc # Soul VPN
+            - mjolnodfokkkaichkcjipfgblbfgojpa # DotVPN
+            - oifjbnnafapeiknapihcmpeodaeblbkn # rderzh VPN Proxy
+            - plpmggfglncceinmilojdkiijhmajkjh # Red Panda VPN
+            - mjnbclmflcpookeapghfhapeffmpodij # Ultrareach VPN
+            - bblcccknbdbplgmdjnnikffefhdlobhp # FastStunnel VPN
+            - aojlhgbkmkahabcmcpifbolnoichfeep # VirtualShield VPN
+            - lcmammnjlbmlbcaniggmlejfjpjagiia # Adblock Office VPN Proxy Server
+            - knajdeaocbpmfghhmijicidfcmdgbdpm # Guru VPN & Proxy
+            - bdlcnpceagnkjnjlbbbcepohejbheilk # Malus VPN
+            - edknjdjielmpdlnllkdmaghlbpnmjmgb # Muscle VPN
+            - eidnihaadmmancegllknfbliaijfmkgo # Push VPN
+            - ckiahbcmlmkpfiijecbpflfahoimklke # Gom VPN
+            - macdlemfnignjhclfcfichcdhiomgjjb # Free Fast VPN
+            - chioafkonnhbpajpengbalkececleldf # BullVPN
+            - amnoibeflfphhplmckdbiajkjaoomgnj # HideAll VPN
+            - llbhddikeonkpbhpncnhialfbpnilcnc # ProxyFlow
+            - pcienlhnoficegnepejpfiklggkioccm # Cloud VPN
+            - iocnglnmfkgfedpcemdflhkchokkfeii # sVPN
+            - igahhbkcppaollcjeaaoapkijbnphfhb # Social VPN
+            - njpmifchgidinihmijhcfpbdmglecdlb # Trellonet Trellonet
+            - ggackgngljinccllcmbgnpgpllcjepgc # WindmillVPN
+            - kchocjcihdgkoplngjemhpplmmloanja # IPBurger Proxy & VPN
+            - bnijmipndnicefcdbhgcjoognndbgkep # Veee
+            - lklekjodgannjcccdlbicoamibgbdnmi # Anonymous Proxy Vpn Browser
+            - dbdbnchagbkhknegmhgikkleoogjcfge # Hideman VPN
+            - egblhcjfjmbjajhjhpmnlekffgaemgfh # Fornex VPN
+            - ehbhfpfdkmhcpaehaooegfdflljcnfec # WeVPN
+            - bkkgdjpomdnfemhhkalfkogckjdkcjkg # VPNMatic
+            - almalgbpmcfpdaopimbdchdliminoign # Urban Shield
+            - akkbkhnikoeojlhiiomohpdnkhbkhieh # Prime VPN
+            - gbfgfbopcfokdpkdigfmoeaajfmpkbnh # westwind
+            - bniikohfmajhdcffljgfeiklcbgffppl # Upnet
+            - lejgfmmlngaigdmmikblappdafcmkndb # uVPN
+            - ffhhkmlgedgcliajaedapkdfigdobcif # Nucleus VPN
+            - gcknhkkoolaabfmlnjonogaaifnjlfnp # FoxyProxy Standard
+            - pooljnboifbodgifngpppfklhifechoe # GeoProxy
+            - fjoaledfpmneenckfbpdfhkmimnjocfa # NordVPN
+            - aakchaleigkohafkfjfjbblobjifikek # ProxFlow
+            - dpplabbmogkhghncfbfdeeokoefdjegm # Proxy SwitchySharp
+            - padekgcemlokbadohgkifijomclgjgif # Proxy SwitchyOmega
+            - bfidboloedlamgdmenmlbipfnccokknp # PureVPN
     condition: all of chrome_*
 falsepositives:
     - Unknown
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
index 55e9b6900..41c465024 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
@@ -1,6 +1,6 @@
 title: CobaltStrike Service Installations in Registry
 id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
-description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement. 
+description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
     We can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)
     In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services, however, this rule is based on a regular sysmon's events.
 status: experimental
@@ -17,7 +17,7 @@ detection:
         EventType: SetValue
         TargetObject|contains: 'HKLM\System\CurrentControlSet\Services'
     selection2:
-        Details|contains|all: 
+        Details|contains|all:
             - 'ADMIN$'
             - '.exe'
     selection3:
@@ -32,7 +32,7 @@ level: critical
 tags:
     - attack.execution
     - attack.privilege_escalation
-    - attack.lateral_movement 
+    - attack.lateral_movement
     - attack.t1021.002
     - attack.t1543.003
-    - attack.t1569.002
\ No newline at end of file
+    - attack.t1569.002
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
index 72aac06dc..5ed032bcd 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
@@ -1,6 +1,6 @@
 title: Service Binary in Suspicious Folder
 id: a07f0359-4c90-4dc4-a681-8ffea40b4f47
-description: Detect the creation of a service with a service binary located in a suspicious directory 
+description: Detect the creation of a service with a service binary located in a suspicious directory
 status: experimental
 date: 2022/05/02
 author: Florian Roth
@@ -14,11 +14,11 @@ detection:
         EventType: SetValue
         TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
         TargetObject|endswith: '\Start'
-        Image|contains: 
+        Image|contains:
             - '\Users\Public\'
             - '\Perflogs\'
             - '\ADMIN$\'
-        Details: 
+        Details:
             - 'DWORD (0x00000000)'  # boot
             - 'DWORD (0x00000001)'  # System
             - 'DWORD (0x00000002)'  # Automatic
@@ -37,4 +37,4 @@ falsepositives:
 level: high
 tags:
     - attack.defense_evasion
-    - attack.t1112 
+    - attack.t1112
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_temp_folder.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_temp_folder.yml
index 1af6b983d..211ec6d33 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_temp_folder.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_temp_folder.yml
@@ -1,6 +1,6 @@
 title: Service Binary in Temp Folder
 id: c0abc838-36b0-47c9-b3b3-a90c39455382
-description: Detect the creation of a service with a service binary located in a temporary directory 
+description: Detect the creation of a service with a service binary located in a temporary directory
 status: experimental
 date: 2022/05/01
 author: frack113
@@ -15,7 +15,7 @@ detection:
         TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
         TargetObject|endswith: '\Start'
         Image|contains: '\Temp\'
-        Details: 
+        Details:
             - 'DWORD (0x00000000)'  # boot
             - 'DWORD (0x00000001)'  # System
             - 'DWORD (0x00000002)'  # Automatic
@@ -31,4 +31,4 @@ falsepositives:
 level: high
 tags:
     - attack.defense_evasion
-    - attack.t1112 
+    - attack.t1112
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml
index a12c8d8f6..620e21526 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml
@@ -1,6 +1,6 @@
 title: Service Binary in Uncommon Folder
 id: 277dc340-0540-42e7-8efb-5ff460045e07
-description: Detect the creation of a service with a service binary located in a uncommon directory 
+description: Detect the creation of a service with a service binary located in a uncommon directory
 status: experimental
 date: 2022/05/02
 modified: 2022/05/04
@@ -15,10 +15,10 @@ detection:
         EventType: SetValue
         TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
         TargetObject|endswith: '\Start'
-        Image|contains: 
+        Image|contains:
             - '\AppData\Local\'
             - '\AppData\Roaming\'
-        Details: 
+        Details:
             - 'DWORD (0x00000000)'  # boot
             - 'DWORD (0x00000001)'  # System
             - 'DWORD (0x00000002)'  # Automatic
@@ -31,10 +31,10 @@ detection:
             - '\AppData\Local\'
             - '\AppData\Roaming\'
     filter:
-        - Image|contains: 
+        - Image|contains:
             - '\AppData\Roaming\Zoom'
             - '\AppData\Local\Zoom'
-        - Details|contains: 
+        - Details|contains:
             - '\AppData\Roaming\Zoom'
             - '\AppData\Local\Zoom'
     condition: 1 of selection_* and not filter
@@ -43,4 +43,4 @@ falsepositives:
 level: medium
 tags:
     - attack.defense_evasion
-    - attack.t1112 
+    - attack.t1112
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_disabled.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_disabled.yml
index f5310f11e..891ee4c32 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_disabled.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_disabled.yml
@@ -18,7 +18,7 @@ logsource:
 detection:
     tamper_registry:
         EventType: SetValue
-        TargetObject: 
+        TargetObject:
             - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware'
             - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus'
         Details: 'DWORD (0x00000001)'
@@ -35,4 +35,4 @@ falsepositives:
 level: high
 tags:
     - attack.defense_evasion
-    - attack.t1562.001
\ No newline at end of file
+    - attack.t1562.001
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
index d938019a3..fcaab709d 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
@@ -24,4 +24,4 @@ falsepositives:
 level: medium
 tags:
     - attack.defense_evasion
-    - attack.t1562.001
\ No newline at end of file
+    - attack.t1562.001
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_realtime_protection_disabled.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_realtime_protection_disabled.yml
index 0385570f6..34be0cd84 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_realtime_protection_disabled.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_realtime_protection_disabled.yml
@@ -6,7 +6,7 @@ modified: 2022/03/26
 author: AlertIQ
 references:
     - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
-    - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105 
+    - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
 status: experimental
 logsource:
     product: windows
@@ -14,7 +14,7 @@ logsource:
 detection:
     tamper_registry1:
         EventType: SetValue
-        TargetObject: 
+        TargetObject:
           - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring'
           - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection'
           - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection'
@@ -24,7 +24,7 @@ detection:
         Details: 'DWORD (0x00000001)'
     tamper_registry2:
         EventType: SetValue
-        TargetObject: 
+        TargetObject:
           - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SpynetReporting'
           - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent'
         Details: 'DWORD (0x00000000)'
@@ -34,4 +34,4 @@ falsepositives:
 level: high
 tags:
     - attack.defense_evasion
-    - attack.t1562.001
\ No newline at end of file
+    - attack.t1562.001
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
index 4f8419f9e..f61d1fd13 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
@@ -14,7 +14,7 @@ detection:
     selection:
         EventType: SetValue
         TargetObject|startswith: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\
-        TargetObject|endswith: 
+        TargetObject|endswith:
             - AutoShareWks
             - AutoShareServer
         Details: DWORD (0x00000000)
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml
index 6b6ef0791..7e417fdfc 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml
@@ -14,10 +14,10 @@ logsource:
     category: registry_set
     definition: key must be add to the sysmon configuration to works
                     # Sysmon
-                    # <TargetObject name="T1562,office" condition="end with">\VBAWarnings</TargetObject> 
+                    # <TargetObject name="T1562,office" condition="end with">\VBAWarnings</TargetObject>
                     # <TargetObject name="T1562,office" condition="end with">\DisableInternetFilesInPV</TargetObject>
-                    # <TargetObject name="T1562,office" condition="end with">\DisableUnsafeLocationsInPV</TargetObject> 
-                    # <TargetObject name="T1562,office" condition="end with">\DisableAttachementsInPV</TargetObject>   
+                    # <TargetObject name="T1562,office" condition="end with">\DisableUnsafeLocationsInPV</TargetObject>
+                    # <TargetObject name="T1562,office" condition="end with">\DisableAttachementsInPV</TargetObject>
 detection:
     selection:
         EventType: SetValue
@@ -34,4 +34,4 @@ falsepositives:
 level: high
 tags:
     - attack.defense_evasion
-    - attack.t1562.001
\ No newline at end of file
+    - attack.t1562.001
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
index 08cfbfacd..15b657d5f 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
@@ -1,4 +1,4 @@
-title: Registry Disable System Restore 
+title: Registry Disable System Restore
 id: 5de03871-5d46-4539-a82d-3aa992a69a83
 description: Detects the modification of the registry to disable a system restore on the computer
 author: frack113
@@ -16,7 +16,7 @@ detection:
         TargetObject|startswith:
             - 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
             - 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
-        TargetObject|endswith: 
+        TargetObject|endswith:
             - DisableConfig
             - DisableSR
         Details: 'DWORD (0x00000001)'
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
index 6650516d9..a909be4db 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
@@ -21,4 +21,4 @@ falsepositives:
 level: medium
 tags:
     - attack.defense_evasion
-    - attack.t1562.001
\ No newline at end of file
+    - attack.t1562.001
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
index 7b61cd8de..662f9fc61 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
@@ -20,4 +20,4 @@ falsepositives:
 level: high
 tags:
     - attack.defense_evasion
-    - attack.t1562.001
\ No newline at end of file
+    - attack.t1562.001
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
index 2124509d3..c5ba55814 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
@@ -21,4 +21,4 @@ falsepositives:
 level: high
 tags:
     - attack.defense_evasion
-    - attack.t1562.001
\ No newline at end of file
+    - attack.t1562.001
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
index 5904adb45..795d40504 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
@@ -26,4 +26,4 @@ falsepositives:
 level: medium
 tags:
     - attack.defense_evasion
-    - attack.t1562.001
\ No newline at end of file
+    - attack.t1562.001
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
index 032cf6788..51e4a9cbb 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
@@ -33,4 +33,4 @@ level: medium
 tags:
     - attack.defense_evasion
     - attack.t1140
-    - attack.t1112
\ No newline at end of file
+    - attack.t1112
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_etw_disabled.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_etw_disabled.yml
index 582540079..8998260f8 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_etw_disabled.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_etw_disabled.yml
@@ -20,7 +20,7 @@ logsource:
   category: registry_set
 detection:
   selection:
-    EventType: SetValue 
+    EventType: SetValue
     TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
     Details: 'DWORD (0x00000000)'
   condition: selection
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml
index 09fff0992..234f9e934 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml
@@ -20,4 +20,4 @@ falsepositives:
     - Unknown
 level: high
 tags:
-    - attack.defense_evasion
\ No newline at end of file
+    - attack.defense_evasion
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_hide_file.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_hide_file.yml
index d50a1a9ac..802c974d4 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_hide_file.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_hide_file.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
     selection:
         EventType: Setvalue
-        TargetObject: 
+        TargetObject:
             - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
             - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
         Details: 'DWORD (0x00000000)'
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_mal_adwind.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_mal_adwind.yml
index 1b29771e1..58d584ebe 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_mal_adwind.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_mal_adwind.yml
@@ -24,4 +24,4 @@ level: high
 tags:
     - attack.execution
     - attack.t1059.005
-    - attack.t1059.007
\ No newline at end of file
+    - attack.t1059.007
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml
index 9931e5066..e60190616 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml
@@ -24,4 +24,4 @@ level: high
 tags:
     - attack.execution
     - attack.t1112
-    - attack.t1047
\ No newline at end of file
+    - attack.t1047
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml
index 6413434c0..1eeafb49b 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml
@@ -14,13 +14,13 @@ detection:
     selection_word:
         EventType: SetValue
         TargetObject|endswith: \Word\Security\AllowDDE
-        Details: 
+        Details:
             - DWORD (0x00000001)
             - DWORD (0x00000002)
     selection_excel:
         EventType: SetValue
         TargetObject|endswith:
-            - \Excel\Security\DisableDDEServerLaunch    
+            - \Excel\Security\DisableDDEServerLaunch
             - \Excel\Security\DisableDDEServerLookup
         Details: DWORD (0x00000000)
     condition: 1 of selection_*
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_office_security.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_office_security.yml
index fe5e28dba..99d7d1373 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_office_security.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_office_security.yml
@@ -25,4 +25,4 @@ falsepositives:
 level: high
 tags:
     - attack.defense_evasion
-    - attack.t1112
\ No newline at end of file
+    - attack.t1112
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml
index d3c9a0508..56529d43a 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml
@@ -39,4 +39,4 @@ falsepositives:
 level: medium
 tags:
     - attack.t1137.006
-    - attack.persistence
\ No newline at end of file
+    - attack.persistence
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml
index b4be180c9..f53c64428 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml
@@ -12,7 +12,7 @@ logsource:
     product: windows
 detection:
     selection_registry:
-        EventType: SetValue 
+        EventType: SetValue
         TargetObject: 'HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level'
         Details|contains: '0x00000001'
     condition: selection_registry
@@ -24,4 +24,4 @@ tags:
     - attack.command_and_control
     - attack.t1137
     - attack.t1008
-    - attack.t1546
\ No newline at end of file
+    - attack.t1546
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml
index 4570449f0..28e73bac8 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml
@@ -12,17 +12,17 @@ logsource:
   category: registry_set
 detection:
   selection1:
-    EventType: SetValue 
-    TargetObject|contains: 
+    EventType: SetValue
+    TargetObject|contains:
       - 'Software\Microsoft\Office\'
       - '\Outlook\Today\'
   selectionStamp:
     TargetObject|endswith: Stamp
-    Details: DWORD (0x00000001) 
+    Details: DWORD (0x00000001)
   selectionUserDefined:
     TargetObject|endswith: UserDefinedUrl
   filter_office:
-    Image|startswith: 
+    Image|startswith:
       - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
       - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
     Image|endswith: '\OfficeClickToRun.exe'
@@ -34,4 +34,4 @@ falsepositives:
 level: high
 tags:
   - attack.persistence
-  - attack.t1112
\ No newline at end of file
+  - attack.t1112
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml
index 3b9382b7a..2259b03b3 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml
@@ -13,13 +13,13 @@ logsource:
   category: registry_set
 detection:
   selection_1:
-    EventType: SetValue 
-    TargetObject|contains: 
+    EventType: SetValue
+    TargetObject|contains:
       - '\Software\Microsoft\Office\'
       - '\Outlook\WebView\'
     TargetObject|endswith: '\URL'
   selection_2:
-    TargetObject|contains: 
+    TargetObject|contains:
       - '\Calendar\'
       - '\Inbox\'
   condition: all of selection_*
@@ -30,4 +30,4 @@ falsepositives:
 level: high
 tags:
   - attack.persistence
-  - attack.t1112
\ No newline at end of file
+  - attack.t1112
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
index 6189ac57e..cf29c6049 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
@@ -75,4 +75,4 @@ falsepositives:
 level: medium
 tags:
     - attack.persistence
-    - attack.t1546.015
\ No newline at end of file
+    - attack.t1546.015
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml
index c78cb893c..ee8d5ae3b 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml
@@ -12,16 +12,16 @@ logsource:
     product: windows
 detection:
     selection:
-        EventType: SetValue 
+        EventType: SetValue
         TargetObject|contains: '\Services\'
         TargetObject|endswith: '\ImagePath'
         Details|contains:
           - 'powershell'
           - 'pwsh'
     condition: selection
-falsepositives: 
+falsepositives:
  - Unknown
 level: high
 tags:
     - attack.execution
-    - attack.t1569.002
\ No newline at end of file
+    - attack.t1569.002
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml
index 7f11c554f..6c846c75f 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml
@@ -12,8 +12,8 @@ logsource:
     product: windows
 detection:
     selection:
-        EventType: SetValue 
-        TargetObject|endswith: 
+        EventType: SetValue
+        TargetObject|endswith:
             - SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\EnableModuleLogging
             - SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging
             - SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_rdp_registry_modification.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_rdp_registry_modification.yml
index 3b0815014..56e8fcc17 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_rdp_registry_modification.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_rdp_registry_modification.yml
@@ -12,7 +12,7 @@ logsource:
   product: windows
 detection:
   selection:
-    EventType: SetValue 
+    EventType: SetValue
     TargetObject|endswith:
       - '\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication'
       - '\CurrentControlSet\Control\Terminal Server\fDenyTSConnections'
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_rdp_settings_hijack.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_rdp_settings_hijack.yml
index fa8a24b10..49dd2dc2a 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_rdp_settings_hijack.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_rdp_settings_hijack.yml
@@ -15,7 +15,7 @@ logsource:
   product: windows
 detection:
   selection_reg:
-    EventType: SetValue 
+    EventType: SetValue
     TargetObject|contains:
       - '\services\TermService\Parameters\ServiceDll'
       - '\Control\Terminal Server\fSingleSessionPerUser'
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
index 83eb3a245..9ec39e727 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
@@ -20,7 +20,7 @@ detection:
         TargetObject|contains: '\Control Panel\Desktop\SCRNSAVE.EXE'
         Details|endswith: '.scr'
     filter:
-        Details|contains: 
+        Details|contains:
         - 'C:\Windows\System32\'
         - 'C:\Windows\SysWOW64\'
     condition: selection and registry and not filter
@@ -29,4 +29,4 @@ falsepositives:
 level: medium
 tags:
     - attack.defense_evasion
-    - attack.t1218.011
\ No newline at end of file
+    - attack.t1218.011
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml
index 92260f1e8..d2b5fa074 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml
@@ -27,4 +27,4 @@ falsepositives:
 level: medium
 tags:
   - attack.persistence
-  - attack.t1546.011
\ No newline at end of file
+  - attack.t1546.011
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml
index 2f1f92be5..8766c4a55 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml
@@ -12,8 +12,8 @@ logsource:
     category: registry_set
     product: windows
 detection:
-    selection:   
-        EventType: SetValue 
+    selection:
+        EventType: SetValue
         TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
         Details|contains: 'MonitorProcess'
     condition: selection
@@ -22,4 +22,4 @@ falsepositives:
 level: high
 tags:
     - attack.persistence
-    - attack.t1546.012
\ No newline at end of file
+    - attack.t1546.012
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
index 0f3f90a4a..9ea9cab65 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
@@ -12,7 +12,7 @@ logsource:
   product: windows
 detection:
   selection:
-    EventType: SetValue 
+    EventType: SetValue
     TargetObject|contains|all:
       - '\Control\Print\Environments\Windows x64\Drivers'
       - '\Manufacturer'
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
index 79344ac32..78ee2c84b 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
@@ -12,7 +12,7 @@ logsource:
   product: windows
 detection:
   selection:
-    EventType: SetValue 
+    EventType: SetValue
     TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
   selection2:
     - Details|startswith:
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
index d27416050..8ba227bf9 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
@@ -12,8 +12,8 @@ logsource:
     product: windows
 detection:
     selection:
-        EventType: SetValue 
-        TargetObject|contains: 
+        EventType: SetValue
+        TargetObject|contains:
             - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
             - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\'
     selection2:
@@ -37,4 +37,4 @@ falsepositives:
 level: high
 tags:
     - attack.persistence
-    - attack.t1547.001
\ No newline at end of file
+    - attack.t1547.001
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
index 9162c9c78..85ae7d16b 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
@@ -33,4 +33,4 @@ level: high
 tags:
   - attack.persistence
   - attack.t1053
-  - attack.t1053.005
\ No newline at end of file
+  - attack.t1053.005
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
index 25cfce045..789a3aa28 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
@@ -13,7 +13,7 @@ logsource:
   definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives'
 detection:
   selection:
-    EventType: SetValue 
+    EventType: SetValue
     TargetObject|contains|all:
       - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
       - '\Command'
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml
index 721920621..afe535a74 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml
@@ -1,7 +1,7 @@
-title: Set TimeProviders DllName 
+title: Set TimeProviders DllName
 id: e88a6ddc-74f7-463b-9b26-f69fc0d2ce85
 status: experimental
-description: | 
+description: |
   Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.
 author: frack113
 date: 2022/06/19
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
index a8577c8f6..5e2375aec 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
@@ -23,4 +23,4 @@ tags:
     - attack.defense_evasion
     - attack.privilege_escalation
     - attack.t1548.002
-    - car.2019-04-001
\ No newline at end of file
+    - car.2019-04-001
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
index bb3268bd4..54db03819 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
@@ -13,10 +13,10 @@ logsource:
     product: windows
 detection:
     selection1:
-        EventType: SetValue 
+        EventType: SetValue
         TargetObject|endswith: Software\Classes\exefile\shell\runas\command\isolatedCommand
     selection2:
-        EventType: SetValue 
+        EventType: SetValue
         TargetObject|endswith: Software\Classes\Folder\shell\open\command\SymbolicLinkValue
         Details|contains: '-1???\Software\Classes\'
     condition: 1 of selection*
@@ -27,4 +27,4 @@ tags:
     - attack.defense_evasion
     - attack.privilege_escalation
     - attack.t1548.002
-    - car.2019-04-001
\ No newline at end of file
+    - car.2019-04-001
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml
index 120ef0e9b..ce1971cee 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml
@@ -24,4 +24,4 @@ level: high
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation
-    - attack.t1548.002
\ No newline at end of file
+    - attack.t1548.002
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml
index 3aab4807b..75c9b9cbc 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml
@@ -22,4 +22,4 @@ level: high
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation
-    - attack.t1548.002
\ No newline at end of file
+    - attack.t1548.002
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
index 049dc3869..d91b013db 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
@@ -12,9 +12,9 @@ logsource:
     product: windows
 detection:
     selection:
-        EventType: SetValue 
+        EventType: SetValue
         TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion'
-        Details|contains: 
+        Details|contains:
             - 'vbscript'
             - 'jscript'
             - 'mshtml'
@@ -23,7 +23,7 @@ detection:
             - 'CreateObject'
             - 'RegRead'
             - 'window.close'
-    filter: 
+    filter:
         TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run'
     filter_dotnet:
         Image|endswith: '\msiexec.exe'
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
index 01fec3174..836d1b238 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
@@ -14,14 +14,14 @@ logsource:
     product: windows
 detection:
     selection:
-        EventType: SetValue 
+        EventType: SetValue
         TargetObject|endswith: '\Software\Microsoft\WAB\DLLPath'
     filter:
         Details: '%CommonProgramFiles%\System\wab32.dll'
     condition: selection and not filter
-falsepositives: 
+falsepositives:
  - Unknown
 level: high
 tags:
     - attack.defense_evasion
-    - attack.t1218
\ No newline at end of file
+    - attack.t1218
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
index b04bafc12..8a185fbcd 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
@@ -15,11 +15,11 @@ detection:
     selection:
         EventType: SetValue
         TargetObject|endswith: 'WDigest\UseLogonCredential'
-        Details: DWORD (0x00000001) 
+        Details: DWORD (0x00000001)
     condition: selection
 falsepositives:
     - Unknown
 level: high
 tags:
     - attack.defense_evasion
-    - attack.t1112
\ No newline at end of file
+    - attack.t1112
diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml
index 5a01a196f..b4e6a8bfc 100644
--- a/src/main/resources/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml
+++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml
@@ -23,4 +23,4 @@ falsepositives:
 level: high
 tags:
   - attack.persistence
-  - attack.t1547.004
\ No newline at end of file
+  - attack.t1547.004
diff --git a/src/main/resources/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml b/src/main/resources/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
index 0eabbe262..6363f977e 100644
--- a/src/main/resources/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
+++ b/src/main/resources/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
@@ -21,6 +21,6 @@ detection:
       SourceImage|endswith: '\powershell.exe'
       TargetImage|endswith: '\lsass.exe'
     condition: selection
-falsepositives: 
+falsepositives:
  - Unknown
 level: high
diff --git a/src/main/resources/rules/windows/sysmon/sysmon_config_modification.yml b/src/main/resources/rules/windows/sysmon/sysmon_config_modification.yml
index ff88c034d..245de30dc 100644
--- a/src/main/resources/rules/windows/sysmon/sysmon_config_modification.yml
+++ b/src/main/resources/rules/windows/sysmon/sysmon_config_modification.yml
@@ -19,6 +19,6 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate administrative action
-level: medium 
+level: medium
 tags:
     - attack.defense_evasion
diff --git a/src/main/resources/rules/windows/sysmon/sysmon_config_modification_status.yml b/src/main/resources/rules/windows/sysmon/sysmon_config_modification_status.yml
index b04c00a2d..23b8e7ad6 100644
--- a/src/main/resources/rules/windows/sysmon/sysmon_config_modification_status.yml
+++ b/src/main/resources/rules/windows/sysmon/sysmon_config_modification_status.yml
@@ -22,4 +22,4 @@ detection:
     condition: selection_stop or selection_conf
 falsepositives:
     - Legitimate administrative action
-level: high  
+level: high
diff --git a/src/main/resources/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml b/src/main/resources/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml
index 9a22b547a..b76473c60 100644
--- a/src/main/resources/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml
+++ b/src/main/resources/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml
@@ -15,15 +15,15 @@ logsource:
     product: windows
     service: sysmon
 detection:
-    selection_one: 
+    selection_one:
         EventID: 11
         Image: System
         TargetFilename|endswith: '\Internet Explorer\iertutil.dll'
-    selection_two: 
+    selection_two:
         EventID: 7
         Image|endswith: '\Internet Explorer\iexplore.exe'
         ImageLoaded|endswith: '\Internet Explorer\iertutil.dll'
     condition: selection_one or selection_two
 falsepositives:
     - Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/src/main/resources/rules/windows/sysmon/sysmon_process_hollowing.yml b/src/main/resources/rules/windows/sysmon/sysmon_process_hollowing.yml
index 768c43705..200c5367f 100644
--- a/src/main/resources/rules/windows/sysmon/sysmon_process_hollowing.yml
+++ b/src/main/resources/rules/windows/sysmon/sysmon_process_hollowing.yml
@@ -6,7 +6,7 @@ author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S
 date: 2022/01/25
 modified: 2022/02/01
 references:
-  - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20 
+  - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20
   - https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
 tags:
     - attack.process_injection
@@ -18,7 +18,7 @@ detection:
     selection:
         Type: Image is replaced
     filters:
-        Image|contains: 
+        Image|contains:
             - ':\Program Files\'
             - ':\Program Files (x86)'
         Image|endswith:
diff --git a/src/main/resources/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml b/src/main/resources/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
index cd3dcfc43..005ea8e98 100644
--- a/src/main/resources/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
+++ b/src/main/resources/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
@@ -41,4 +41,4 @@ falsepositives:
 level: high
 tags:
     - attack.execution
-    - attack.t1059.005
\ No newline at end of file
+    - attack.t1059.005
diff --git a/src/test/java/org/opensearch/securityanalytics/SecurityAnalyticsClientUtils.java b/src/test/java/org/opensearch/securityanalytics/SecurityAnalyticsClientUtils.java
index 8e4912f40..ecb64090e 100644
--- a/src/test/java/org/opensearch/securityanalytics/SecurityAnalyticsClientUtils.java
+++ b/src/test/java/org/opensearch/securityanalytics/SecurityAnalyticsClientUtils.java
@@ -11,11 +11,11 @@
 import org.opensearch.client.Response;
 import org.opensearch.cluster.ClusterModule;
 import org.opensearch.cluster.metadata.MappingMetadata;
-import org.opensearch.common.xcontent.XContentParserUtils;
 import org.opensearch.common.xcontent.json.JsonXContent;
 import org.opensearch.core.xcontent.DeprecationHandler;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.core.xcontent.XContentParser;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.index.mapper.MapperService;
 import org.opensearch.test.rest.OpenSearchRestTestCase;
 
diff --git a/src/test/java/org/opensearch/securityanalytics/SecurityAnalyticsRestTestCase.java b/src/test/java/org/opensearch/securityanalytics/SecurityAnalyticsRestTestCase.java
index 8dbff6bb4..c47bc148b 100644
--- a/src/test/java/org/opensearch/securityanalytics/SecurityAnalyticsRestTestCase.java
+++ b/src/test/java/org/opensearch/securityanalytics/SecurityAnalyticsRestTestCase.java
@@ -35,7 +35,14 @@
 import org.opensearch.common.io.PathUtils;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.xcontent.XContentFactory;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.xcontent.DeprecationHandler;
+import org.opensearch.core.xcontent.MediaType;
+import org.opensearch.core.xcontent.MediaTypeRegistry;
+import org.opensearch.core.xcontent.NamedXContentRegistry;
+import org.opensearch.core.xcontent.ToXContent;
+import org.opensearch.core.xcontent.XContentBuilder;
+import org.opensearch.core.xcontent.XContentParser;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.common.xcontent.XContentType;
 import org.opensearch.common.xcontent.json.JsonXContent;
 import org.opensearch.commons.alerting.model.ScheduledJob;
@@ -49,7 +56,7 @@
 import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.index.IndexSettings;
 import org.opensearch.index.mapper.MapperService;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.SearchHit;
 import org.opensearch.securityanalytics.action.AlertDto;
 import org.opensearch.securityanalytics.action.CreateIndexMappingsRequest;
@@ -203,7 +210,7 @@ protected String createTestIndex(String index, String mapping, Settings settings
 
     protected String createTestIndex(RestClient client, String index, String mapping, Settings settings) throws IOException {
         Request request = new Request("PUT", "/" + index);
-        String entity = "{\"settings\": " + org.opensearch.common.Strings.toString(XContentType.JSON, settings);
+        String entity = "{\"settings\": " + Strings.toString(XContentType.JSON, settings);
         if (mapping != null) {
             entity = entity + ",\"mappings\" : {" + mapping + "}";
         }
@@ -252,7 +259,7 @@ protected Settings getCorrelationDefaultIndexSettings() {
 
     protected String createTestIndexWithMappingJson(RestClient client, String index, String mapping, Settings settings) throws IOException {
         Request request = new Request("PUT", "/" + index);
-        String entity = "{\"settings\": " + org.opensearch.common.Strings.toString(XContentType.JSON, settings);
+        String entity = "{\"settings\": " + Strings.toString(XContentType.JSON, settings);
         if (mapping != null) {
             entity = entity + ",\"mappings\" : " + mapping;
         }
@@ -276,7 +283,7 @@ protected void addCorrelationDoc(String index, String docId, List<String> fieldN
         }
         builder.endObject();
 
-        request.setJsonEntity(org.opensearch.common.Strings.toString(builder));
+        request.setJsonEntity(builder.toString());
         Response response = client().performRequest(request);
         assertEquals(request.getEndpoint() + ": failed", RestStatus.CREATED, RestStatus.fromCode(response.getStatusLine().getStatusCode()));
     }
@@ -297,7 +304,7 @@ protected Response searchCorrelationIndex(String index, CorrelationQueryBuilder
         request.addParameter("size", Integer.toString(resultSize));
         request.addParameter("explain", Boolean.toString(true));
         request.addParameter("search_type", "query_then_fetch");
-        request.setJsonEntity(org.opensearch.common.Strings.toString(builder));
+        request.setJsonEntity(builder.toString());
 
         Response response = client().performRequest(request);
         Assert.assertEquals("Search failed", RestStatus.OK, restStatus(response));
@@ -1332,7 +1339,7 @@ protected void wipeAllODFEIndices()  throws IOException {
 
         Response response = client().performRequest(new Request("GET", "/_cat/indices?format=json&expand_wildcards=all"));
 
-        XContentType xContentType = XContentType.fromMediaType(response.getEntity().getContentType().getValue());
+        MediaType xContentType = MediaTypeRegistry.fromMediaType(response.getEntity().getContentType().getValue());
         XContentParser parser = xContentType.xContent().createParser(
                 NamedXContentRegistry.EMPTY, DeprecationHandler.THROW_UNSUPPORTED_OPERATION,
                 response.getEntity().getContent()
diff --git a/src/test/java/org/opensearch/securityanalytics/TestHelpers.java b/src/test/java/org/opensearch/securityanalytics/TestHelpers.java
index db857eb9c..b8015e05c 100644
--- a/src/test/java/org/opensearch/securityanalytics/TestHelpers.java
+++ b/src/test/java/org/opensearch/securityanalytics/TestHelpers.java
@@ -6,7 +6,7 @@
 
 import com.carrotsearch.randomizedtesting.generators.RandomNumbers;
 import org.apache.lucene.tests.util.LuceneTestCase;
-import org.opensearch.common.bytes.BytesReference;
+import org.opensearch.core.common.bytes.BytesReference;
 import org.opensearch.common.xcontent.LoggingDeprecationHandler;
 import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.common.xcontent.XContentType;
diff --git a/src/test/java/org/opensearch/securityanalytics/action/AckAlertsRequestTests.java b/src/test/java/org/opensearch/securityanalytics/action/AckAlertsRequestTests.java
index e2fbbe030..643c5ea95 100644
--- a/src/test/java/org/opensearch/securityanalytics/action/AckAlertsRequestTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/action/AckAlertsRequestTests.java
@@ -6,7 +6,7 @@
 
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.common.io.stream.BytesStreamOutput;
-import org.opensearch.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.test.OpenSearchTestCase;
 
 import java.io.IOException;
diff --git a/src/test/java/org/opensearch/securityanalytics/action/AckAlertsResponseTests.java b/src/test/java/org/opensearch/securityanalytics/action/AckAlertsResponseTests.java
index 48c441d3b..690555470 100644
--- a/src/test/java/org/opensearch/securityanalytics/action/AckAlertsResponseTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/action/AckAlertsResponseTests.java
@@ -5,7 +5,7 @@
 package org.opensearch.securityanalytics.action;
 
 import org.opensearch.common.io.stream.BytesStreamOutput;
-import org.opensearch.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.commons.alerting.model.Alert;
 import org.opensearch.test.OpenSearchTestCase;
 
diff --git a/src/test/java/org/opensearch/securityanalytics/action/CreateIndexMappingsRequestTests.java b/src/test/java/org/opensearch/securityanalytics/action/CreateIndexMappingsRequestTests.java
index a4beab5a4..1376386be 100644
--- a/src/test/java/org/opensearch/securityanalytics/action/CreateIndexMappingsRequestTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/action/CreateIndexMappingsRequestTests.java
@@ -7,7 +7,7 @@
 
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.common.io.stream.BytesStreamOutput;
-import org.opensearch.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.common.xcontent.json.JsonXContent;
 import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.securityanalytics.action.CreateIndexMappingsRequest;
diff --git a/src/test/java/org/opensearch/securityanalytics/action/GetDetectorRequestTests.java b/src/test/java/org/opensearch/securityanalytics/action/GetDetectorRequestTests.java
index dbb720cf7..d3baba63c 100644
--- a/src/test/java/org/opensearch/securityanalytics/action/GetDetectorRequestTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/action/GetDetectorRequestTests.java
@@ -7,7 +7,7 @@
 
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.common.io.stream.BytesStreamOutput;
-import org.opensearch.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.securityanalytics.action.GetDetectorRequest;
 import org.opensearch.test.OpenSearchTestCase;
 
diff --git a/src/test/java/org/opensearch/securityanalytics/action/GetIndexMappingsRequestTests.java b/src/test/java/org/opensearch/securityanalytics/action/GetIndexMappingsRequestTests.java
index dc9753a06..a40962376 100644
--- a/src/test/java/org/opensearch/securityanalytics/action/GetIndexMappingsRequestTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/action/GetIndexMappingsRequestTests.java
@@ -7,7 +7,7 @@
 
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.common.io.stream.BytesStreamOutput;
-import org.opensearch.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.common.xcontent.json.JsonXContent;
 import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.securityanalytics.action.GetIndexMappingsRequest;
diff --git a/src/test/java/org/opensearch/securityanalytics/action/GetIndexMappingsResponseTests.java b/src/test/java/org/opensearch/securityanalytics/action/GetIndexMappingsResponseTests.java
index dfc42b601..a0056652e 100644
--- a/src/test/java/org/opensearch/securityanalytics/action/GetIndexMappingsResponseTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/action/GetIndexMappingsResponseTests.java
@@ -7,7 +7,7 @@
 
 import org.opensearch.cluster.metadata.MappingMetadata;
 import org.opensearch.common.io.stream.BytesStreamOutput;
-import org.opensearch.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.index.mapper.MapperService;
 import org.opensearch.securityanalytics.action.GetIndexMappingsResponse;
 import org.opensearch.test.OpenSearchTestCase;
diff --git a/src/test/java/org/opensearch/securityanalytics/action/IndexDetectorRequestTests.java b/src/test/java/org/opensearch/securityanalytics/action/IndexDetectorRequestTests.java
index d1ed34947..10688bf98 100644
--- a/src/test/java/org/opensearch/securityanalytics/action/IndexDetectorRequestTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/action/IndexDetectorRequestTests.java
@@ -9,7 +9,7 @@
 import org.junit.Assert;
 import org.opensearch.action.support.WriteRequest;
 import org.opensearch.common.io.stream.BytesStreamOutput;
-import org.opensearch.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.securityanalytics.model.Detector;
 import org.opensearch.securityanalytics.model.DetectorInput;
diff --git a/src/test/java/org/opensearch/securityanalytics/action/IndexDetectorResponseTests.java b/src/test/java/org/opensearch/securityanalytics/action/IndexDetectorResponseTests.java
index 30df1ed5a..d47650411 100644
--- a/src/test/java/org/opensearch/securityanalytics/action/IndexDetectorResponseTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/action/IndexDetectorResponseTests.java
@@ -6,9 +6,9 @@
 
 import org.junit.Assert;
 import org.opensearch.common.io.stream.BytesStreamOutput;
-import org.opensearch.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.commons.alerting.model.CronSchedule;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.config.monitors.DetectorMonitorConfig;
 import org.opensearch.securityanalytics.model.Detector;
 import org.opensearch.test.OpenSearchTestCase;
diff --git a/src/test/java/org/opensearch/securityanalytics/action/UpdateIndexMappingsRequestTests.java b/src/test/java/org/opensearch/securityanalytics/action/UpdateIndexMappingsRequestTests.java
index 80d6ad048..a4255e9a2 100644
--- a/src/test/java/org/opensearch/securityanalytics/action/UpdateIndexMappingsRequestTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/action/UpdateIndexMappingsRequestTests.java
@@ -7,7 +7,7 @@
 
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.common.io.stream.BytesStreamOutput;
-import org.opensearch.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.common.xcontent.json.JsonXContent;
 import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.securityanalytics.action.UpdateIndexMappingsRequest;
diff --git a/src/test/java/org/opensearch/securityanalytics/action/ValidateRulesRequestTests.java b/src/test/java/org/opensearch/securityanalytics/action/ValidateRulesRequestTests.java
index 02cc9d35c..64c9f38d1 100644
--- a/src/test/java/org/opensearch/securityanalytics/action/ValidateRulesRequestTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/action/ValidateRulesRequestTests.java
@@ -10,8 +10,8 @@
 import org.junit.Assert;
 import org.opensearch.action.support.WriteRequest;
 import org.opensearch.common.io.stream.BytesStreamOutput;
-import org.opensearch.common.io.stream.StreamInput;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.common.xcontent.json.JsonXContent;
 import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.rest.RestRequest;
diff --git a/src/test/java/org/opensearch/securityanalytics/action/ValidateRulesResponseTests.java b/src/test/java/org/opensearch/securityanalytics/action/ValidateRulesResponseTests.java
index 0066c1b70..9e121d183 100644
--- a/src/test/java/org/opensearch/securityanalytics/action/ValidateRulesResponseTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/action/ValidateRulesResponseTests.java
@@ -8,11 +8,11 @@
 import java.util.ArrayList;
 import java.util.List;
 import org.junit.Assert;
-import org.opensearch.common.bytes.BytesReference;
+import org.opensearch.core.common.bytes.BytesReference;
 import org.opensearch.common.io.stream.BytesStreamOutput;
-import org.opensearch.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.common.xcontent.XContentFactory;
-import org.opensearch.common.xcontent.XContentParserUtils;
+import org.opensearch.core.xcontent.XContentParserUtils;
 import org.opensearch.common.xcontent.json.JsonXContent;
 import org.opensearch.core.xcontent.ToXContent;
 import org.opensearch.core.xcontent.XContentParser;
diff --git a/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java b/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java
index dacccb685..ae3ecbeda 100644
--- a/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java
@@ -10,7 +10,7 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.client.Client;
 import org.opensearch.commons.alerting.model.Alert;
 import org.opensearch.commons.alerting.model.CronSchedule;
@@ -18,7 +18,7 @@
 import org.opensearch.commons.alerting.model.DocumentLevelTrigger;
 import org.opensearch.commons.alerting.model.Monitor;
 import org.opensearch.commons.alerting.model.Table;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.script.Script;
 import org.opensearch.securityanalytics.action.AlertDto;
 import org.opensearch.securityanalytics.action.GetAlertsResponse;
diff --git a/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java b/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java
index eb6ebd9c8..43b73815b 100644
--- a/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java
+++ b/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java
@@ -21,7 +21,7 @@
 import org.opensearch.client.Response;
 import org.opensearch.client.ResponseException;
 import org.opensearch.commons.alerting.model.action.Action;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.SearchHit;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
 import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase;
diff --git a/src/test/java/org/opensearch/securityanalytics/alerts/SecureAlertsRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/alerts/SecureAlertsRestApiIT.java
index dac0b62ad..cd96f4e8c 100644
--- a/src/test/java/org/opensearch/securityanalytics/alerts/SecureAlertsRestApiIT.java
+++ b/src/test/java/org/opensearch/securityanalytics/alerts/SecureAlertsRestApiIT.java
@@ -18,7 +18,7 @@
 import org.opensearch.client.RestClient;
 import org.opensearch.commons.alerting.model.action.Action;
 import org.opensearch.commons.rest.SecureRestClientBuilder;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.SearchHit;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
 import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase;
diff --git a/src/test/java/org/opensearch/securityanalytics/correlation/CorrelationEngineRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/correlation/CorrelationEngineRestApiIT.java
index 1a001311d..83fbb888c 100644
--- a/src/test/java/org/opensearch/securityanalytics/correlation/CorrelationEngineRestApiIT.java
+++ b/src/test/java/org/opensearch/securityanalytics/correlation/CorrelationEngineRestApiIT.java
@@ -7,7 +7,7 @@
 import org.junit.Assert;
 import org.opensearch.client.Request;
 import org.opensearch.client.Response;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.SearchHit;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
 import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase;
diff --git a/src/test/java/org/opensearch/securityanalytics/correlation/LuceneEngineIT.java b/src/test/java/org/opensearch/securityanalytics/correlation/LuceneEngineIT.java
index c411a9329..bec107c15 100644
--- a/src/test/java/org/opensearch/securityanalytics/correlation/LuceneEngineIT.java
+++ b/src/test/java/org/opensearch/securityanalytics/correlation/LuceneEngineIT.java
@@ -65,7 +65,7 @@ public void testQuery() throws IOException {
                 .endObject()
                 .endObject();
 
-        String mapping = org.opensearch.common.Strings.toString(builder);
+        String mapping = builder.toString();
         createTestIndexWithMappingJson(client(), INDEX_NAME, mapping, getCorrelationDefaultIndexSettings());
 
         for (int idx = 0; idx < TEST_VECTORS.length; ++idx) {
diff --git a/src/test/java/org/opensearch/securityanalytics/findings/FindingIT.java b/src/test/java/org/opensearch/securityanalytics/findings/FindingIT.java
index 9a1875fed..28deaaff1 100644
--- a/src/test/java/org/opensearch/securityanalytics/findings/FindingIT.java
+++ b/src/test/java/org/opensearch/securityanalytics/findings/FindingIT.java
@@ -16,7 +16,7 @@
 import org.opensearch.client.Request;
 import org.opensearch.client.Response;
 import org.opensearch.client.ResponseException;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.SearchHit;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
 import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase;
diff --git a/src/test/java/org/opensearch/securityanalytics/findings/FindingServiceTests.java b/src/test/java/org/opensearch/securityanalytics/findings/FindingServiceTests.java
index 13231e732..232c9a221 100644
--- a/src/test/java/org/opensearch/securityanalytics/findings/FindingServiceTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/findings/FindingServiceTests.java
@@ -12,7 +12,7 @@
 import java.util.List;
 import java.util.Queue;
 import java.util.stream.Collectors;
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.client.Client;
 import org.opensearch.commons.alerting.model.CronSchedule;
 import org.opensearch.commons.alerting.model.DocLevelQuery;
@@ -20,7 +20,7 @@
 import org.opensearch.commons.alerting.model.FindingDocument;
 import org.opensearch.commons.alerting.model.FindingWithDocs;
 import org.opensearch.commons.alerting.model.Table;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.securityanalytics.action.FindingDto;
 import org.opensearch.securityanalytics.action.GetDetectorAction;
 import org.opensearch.securityanalytics.action.GetDetectorRequest;
diff --git a/src/test/java/org/opensearch/securityanalytics/findings/SecureFindingRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/findings/SecureFindingRestApiIT.java
index 26fce0efc..17b186679 100644
--- a/src/test/java/org/opensearch/securityanalytics/findings/SecureFindingRestApiIT.java
+++ b/src/test/java/org/opensearch/securityanalytics/findings/SecureFindingRestApiIT.java
@@ -15,7 +15,7 @@
 import org.opensearch.client.ResponseException;
 import org.opensearch.client.RestClient;
 import org.opensearch.commons.rest.SecureRestClientBuilder;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.SearchHit;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
 import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase;
diff --git a/src/test/java/org/opensearch/securityanalytics/mapper/MapperRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/mapper/MapperRestApiIT.java
index fc22c258f..847c2aa49 100644
--- a/src/test/java/org/opensearch/securityanalytics/mapper/MapperRestApiIT.java
+++ b/src/test/java/org/opensearch/securityanalytics/mapper/MapperRestApiIT.java
@@ -26,9 +26,9 @@
 import org.opensearch.client.Response;
 import org.opensearch.client.ResponseException;
 import org.opensearch.common.settings.Settings;
-import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.common.xcontent.json.JsonXContent;
 import org.opensearch.core.xcontent.DeprecationHandler;
+import org.opensearch.core.xcontent.MediaTypeRegistry;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.search.SearchHit;
@@ -1402,10 +1402,10 @@ public void testCreateDNSMapping() throws IOException{
             try {
                 if (flatProperties.contains(path)) {
                     Request updateRequest = new Request("PUT", SecurityAnalyticsPlugin.MAPPER_BASE_URI);
-                    updateRequest.setJsonEntity(org.opensearch.common.Strings.toString(XContentFactory.jsonBuilder().map(Map.of(
+                    updateRequest.setJsonEntity(MediaTypeRegistry.JSON.contentBuilder().map(Map.of(
                             "index_name", INDEX_NAME,
                             "field", path,
-                            "alias", key))));
+                            "alias", key)).toString());
                     Response apiResponse = client().performRequest(updateRequest);
                     assertEquals(HttpStatus.SC_OK, apiResponse.getStatusLine().getStatusCode());
                 }
diff --git a/src/test/java/org/opensearch/securityanalytics/mapper/MapperServiceTests.java b/src/test/java/org/opensearch/securityanalytics/mapper/MapperServiceTests.java
index d04b74d06..92b697220 100644
--- a/src/test/java/org/opensearch/securityanalytics/mapper/MapperServiceTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/mapper/MapperServiceTests.java
@@ -6,7 +6,7 @@
 
 package org.opensearch.securityanalytics.mapper;
 
-import org.opensearch.action.ActionListener;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.action.admin.indices.mapping.get.GetMappingsRequest;
 import org.opensearch.action.admin.indices.mapping.get.GetMappingsResponse;
 import org.opensearch.action.support.master.AcknowledgedResponse;
diff --git a/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/CreateIndexMappingsRequestTests.java b/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/CreateIndexMappingsRequestTests.java
index f7cf63195..d07e29ca8 100644
--- a/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/CreateIndexMappingsRequestTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/CreateIndexMappingsRequestTests.java
@@ -7,7 +7,7 @@
 
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.common.io.stream.BytesStreamOutput;
-import org.opensearch.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.common.xcontent.json.JsonXContent;
 import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.securityanalytics.action.CreateIndexMappingsRequest;
diff --git a/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/GetIndexMappingsRequestTests.java b/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/GetIndexMappingsRequestTests.java
index 33c678f66..fe2a94423 100644
--- a/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/GetIndexMappingsRequestTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/GetIndexMappingsRequestTests.java
@@ -7,7 +7,7 @@
 
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.common.io.stream.BytesStreamOutput;
-import org.opensearch.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.common.xcontent.json.JsonXContent;
 import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.securityanalytics.action.GetIndexMappingsRequest;
diff --git a/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/GetIndexMappingsResponseTests.java b/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/GetIndexMappingsResponseTests.java
index 5530aa37f..52de24f22 100644
--- a/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/GetIndexMappingsResponseTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/GetIndexMappingsResponseTests.java
@@ -7,7 +7,7 @@
 
 import org.opensearch.cluster.metadata.MappingMetadata;
 import org.opensearch.common.io.stream.BytesStreamOutput;
-import org.opensearch.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.index.mapper.MapperService;
 import org.opensearch.securityanalytics.action.GetIndexMappingsResponse;
 import org.opensearch.test.OpenSearchTestCase;
diff --git a/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/UpdateIndexMappingsRequestTests.java b/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/UpdateIndexMappingsRequestTests.java
index 593ae7556..4d228fd0e 100644
--- a/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/UpdateIndexMappingsRequestTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/UpdateIndexMappingsRequestTests.java
@@ -7,7 +7,7 @@
 
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.common.io.stream.BytesStreamOutput;
-import org.opensearch.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.common.xcontent.json.JsonXContent;
 import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.securityanalytics.action.UpdateIndexMappingsRequest;
diff --git a/src/test/java/org/opensearch/securityanalytics/model/DetectorInputTests.java b/src/test/java/org/opensearch/securityanalytics/model/DetectorInputTests.java
index 8ba5a991a..e61ff96e3 100644
--- a/src/test/java/org/opensearch/securityanalytics/model/DetectorInputTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/model/DetectorInputTests.java
@@ -5,7 +5,7 @@
 package org.opensearch.securityanalytics.model;
 
 import org.junit.Assert;
-import org.opensearch.common.bytes.BytesReference;
+import org.opensearch.core.common.bytes.BytesReference;
 import org.opensearch.common.xcontent.XContentType;
 import org.opensearch.core.xcontent.ToXContent;
 import org.opensearch.core.xcontent.XContentBuilder;
diff --git a/src/test/java/org/opensearch/securityanalytics/model/WriteableTests.java b/src/test/java/org/opensearch/securityanalytics/model/WriteableTests.java
index 995814953..e82911c1b 100644
--- a/src/test/java/org/opensearch/securityanalytics/model/WriteableTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/model/WriteableTests.java
@@ -6,7 +6,7 @@
 
 import org.junit.Assert;
 import org.opensearch.common.io.stream.BytesStreamOutput;
-import org.opensearch.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.commons.authuser.User;
 import org.opensearch.test.OpenSearchTestCase;
 
diff --git a/src/test/java/org/opensearch/securityanalytics/model/XContentTests.java b/src/test/java/org/opensearch/securityanalytics/model/XContentTests.java
index 6300740f7..578b29d45 100644
--- a/src/test/java/org/opensearch/securityanalytics/model/XContentTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/model/XContentTests.java
@@ -7,7 +7,8 @@
 import java.io.IOException;
 import java.util.List;
 import org.junit.Assert;
-import org.opensearch.common.bytes.BytesReference;
+import org.opensearch.core.common.bytes.BytesReference;
+import org.opensearch.core.xcontent.ToXContent;
 import org.opensearch.commons.authuser.User;
 import org.opensearch.core.xcontent.ToXContent;
 import org.opensearch.test.OpenSearchTestCase;
diff --git a/src/test/java/org/opensearch/securityanalytics/resthandler/CustomLogTypeRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/resthandler/CustomLogTypeRestApiIT.java
index d4f412589..d2316db23 100644
--- a/src/test/java/org/opensearch/securityanalytics/resthandler/CustomLogTypeRestApiIT.java
+++ b/src/test/java/org/opensearch/securityanalytics/resthandler/CustomLogTypeRestApiIT.java
@@ -14,7 +14,7 @@
 import org.opensearch.client.Request;
 import org.opensearch.client.Response;
 import org.opensearch.client.ResponseException;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.SearchHit;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
 import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase;
diff --git a/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorMonitorRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorMonitorRestApiIT.java
index 10e909b1c..fb110ed50 100644
--- a/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorMonitorRestApiIT.java
+++ b/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorMonitorRestApiIT.java
@@ -29,7 +29,7 @@
 import org.opensearch.client.Request;
 import org.opensearch.client.Response;
 import org.opensearch.commons.alerting.model.Monitor.MonitorType;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.SearchHit;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
 import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase;
diff --git a/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorRestApiIT.java
index 2e27d7835..f3aed5f02 100644
--- a/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorRestApiIT.java
+++ b/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorRestApiIT.java
@@ -17,12 +17,11 @@
 import org.opensearch.action.search.SearchResponse;
 import org.opensearch.client.Request;
 import org.opensearch.client.Response;
-import org.opensearch.core.common.Strings;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.client.ResponseException;
-import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.commons.alerting.model.Monitor.MonitorType;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
+import org.opensearch.core.xcontent.MediaTypeRegistry;
 import org.opensearch.search.SearchHit;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
 import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase;
@@ -895,10 +894,10 @@ public void testCreatingADetectorWithTimestampFieldAliasMapping() throws IOExcep
         assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode());
 
         Request updateRequest = new Request("PUT", SecurityAnalyticsPlugin.MAPPER_BASE_URI);
-        updateRequest.setJsonEntity(org.opensearch.common.Strings.toString(XContentFactory.jsonBuilder().map(Map.of(
+        updateRequest.setJsonEntity(MediaTypeRegistry.JSON.contentBuilder().map(Map.of(
                 "index_name", index,
                 "field", "time",
-                "alias", "timestamp"))));
+                "alias", "timestamp")).toString());
         Response apiResponse = client().performRequest(updateRequest);
         assertEquals(HttpStatus.SC_OK, apiResponse.getStatusLine().getStatusCode());
 
@@ -998,10 +997,11 @@ public void testCreatingADetectorWithTimestampFieldAliasMapping_verifyTimeRangeI
         assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode());
 
         Request updateRequest = new Request("PUT", SecurityAnalyticsPlugin.MAPPER_BASE_URI);
-        updateRequest.setJsonEntity(org.opensearch.common.Strings.toString(XContentFactory.jsonBuilder().map(Map.of(
+        updateRequest.setJsonEntity(MediaTypeRegistry.JSON.contentBuilder().map(Map.of(
                 "index_name", index,
                 "field", "time",
-                "alias", "timestamp"))));
+                "alias", "timestamp"))
+                .toString());
         Response apiResponse = client().performRequest(updateRequest);
         assertEquals(HttpStatus.SC_OK, apiResponse.getStatusLine().getStatusCode());
 
diff --git a/src/test/java/org/opensearch/securityanalytics/resthandler/OCSFDetectorRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/resthandler/OCSFDetectorRestApiIT.java
index 62e4287c3..248bb8798 100644
--- a/src/test/java/org/opensearch/securityanalytics/resthandler/OCSFDetectorRestApiIT.java
+++ b/src/test/java/org/opensearch/securityanalytics/resthandler/OCSFDetectorRestApiIT.java
@@ -10,7 +10,7 @@
 import org.junit.Assert;
 import org.opensearch.client.Request;
 import org.opensearch.client.Response;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.SearchHit;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
 import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase;
diff --git a/src/test/java/org/opensearch/securityanalytics/resthandler/RuleRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/resthandler/RuleRestApiIT.java
index cfca3800a..a230d54c5 100644
--- a/src/test/java/org/opensearch/securityanalytics/resthandler/RuleRestApiIT.java
+++ b/src/test/java/org/opensearch/securityanalytics/resthandler/RuleRestApiIT.java
@@ -13,16 +13,11 @@
 import org.opensearch.client.Response;
 import org.opensearch.client.ResponseException;
 import org.opensearch.common.xcontent.LoggingDeprecationHandler;
-import org.opensearch.common.xcontent.XContentFactory;
-import org.opensearch.common.xcontent.XContentParserUtils;
 import org.opensearch.common.xcontent.XContentType;
-import org.opensearch.commons.alerting.aggregation.bucketselectorext.BucketSelectorExtAggregationBuilder;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.core.xcontent.XContentParser;
-import org.opensearch.core.xcontent.XContentParser.Token;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.SearchHit;
-import org.opensearch.search.aggregations.AggregatorFactories;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
 import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase;
 import org.opensearch.securityanalytics.config.monitors.DetectorMonitorConfig;
@@ -32,13 +27,11 @@
 import org.opensearch.securityanalytics.model.Rule;
 
 import java.io.IOException;
-import java.io.UnsupportedEncodingException;
 import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.stream.Collectors;
-import org.opensearch.securityanalytics.rules.backend.OSQueryBackend.AggregationQueries;
 import org.opensearch.securityanalytics.rules.exceptions.SigmaError;
 
 import static org.opensearch.securityanalytics.TestHelpers.randomDetectorType;
@@ -150,7 +143,7 @@ public void testCreatingAggregationRule() throws SigmaError, IOException {
 
         List<SearchHit> hits = executeSearch(index, request);
 
-        XContentParser xcp = XContentFactory.xContent(XContentType.JSON)
+        XContentParser xcp = XContentType.JSON.xContent()
             .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE,  hits.get(0).getSourceAsString());
         Rule result = Rule.docParse(xcp, null, null);
 
diff --git a/src/test/java/org/opensearch/securityanalytics/resthandler/SecureDetectorRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/resthandler/SecureDetectorRestApiIT.java
index 1fba8adc0..b1f8fbfdf 100644
--- a/src/test/java/org/opensearch/securityanalytics/resthandler/SecureDetectorRestApiIT.java
+++ b/src/test/java/org/opensearch/securityanalytics/resthandler/SecureDetectorRestApiIT.java
@@ -17,7 +17,7 @@
 import org.opensearch.client.RestClient;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.commons.rest.SecureRestClientBuilder;
-import org.opensearch.rest.RestStatus;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.SearchHit;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
 import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase;
diff --git a/src/test/java/org/opensearch/securityanalytics/writable/LogTypeTests.java b/src/test/java/org/opensearch/securityanalytics/writable/LogTypeTests.java
index 2013fdc29..4ede7891b 100644
--- a/src/test/java/org/opensearch/securityanalytics/writable/LogTypeTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/writable/LogTypeTests.java
@@ -9,7 +9,7 @@
 import java.util.List;
 import org.junit.Test;
 import org.opensearch.common.io.stream.BytesStreamOutput;
-import org.opensearch.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.securityanalytics.model.LogType;
 
 import static org.opensearch.test.OpenSearchTestCase.assertEquals;
diff --git a/src/test/resources/OSMapping/windows/mappings.json b/src/test/resources/OSMapping/windows/mappings.json
index 89c8035e6..eb841bdf3 100644
--- a/src/test/resources/OSMapping/windows/mappings.json
+++ b/src/test/resources/OSMapping/windows/mappings.json
@@ -5,4 +5,4 @@
       "path": "CommandLine"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/src/test/resources/ad_ldap-sample.json b/src/test/resources/ad_ldap-sample.json
index 862522e99..3b89ca581 100644
--- a/src/test/resources/ad_ldap-sample.json
+++ b/src/test/resources/ad_ldap-sample.json
@@ -19,4 +19,4 @@
   "azure.signinlogs.properties.network_location_details": "1234",
   "azure.auditlogs.properties.activity_display_name": "1234",
   "creationTime": "2022-12-27T20:29:31.734Z"
-}
\ No newline at end of file
+}
diff --git a/src/test/resources/azure-sample.json b/src/test/resources/azure-sample.json
index ab69da0b4..bccf2cf40 100644
--- a/src/test/resources/azure-sample.json
+++ b/src/test/resources/azure-sample.json
@@ -24,4 +24,4 @@
   "azure.auditlogs.props.logged_by_service": "111",
   "properties_message": "111",
   "creationTime": "2022-12-27T20:29:31.734Z"
-}
\ No newline at end of file
+}
diff --git a/src/test/resources/dns-sample.json b/src/test/resources/dns-sample.json
index 84fd0d88f..4d37107c1 100644
--- a/src/test/resources/dns-sample.json
+++ b/src/test/resources/dns-sample.json
@@ -23,4 +23,4 @@
   "firewall_rule_action": "ALERT",
   "firewall_rule_group_id": "rslvr-frg-000000000000000",
   "firewall_domain_list_id": "rslvr-fdl-0000000000000"
-}
\ No newline at end of file
+}
diff --git a/src/test/resources/s3-sample.json b/src/test/resources/s3-sample.json
index 49669477b..440dcf184 100644
--- a/src/test/resources/s3-sample.json
+++ b/src/test/resources/s3-sample.json
@@ -11,4 +11,4 @@
   "aws-cloudtrail-event_source": "123",
   "aws-cloudtrail-event_name": "123",
   "eventTime": "123"
-}
\ No newline at end of file
+}
diff --git a/src/test/resources/testMissingPath.json b/src/test/resources/testMissingPath.json
index c7e7cb51c..2149638cd 100644
--- a/src/test/resources/testMissingPath.json
+++ b/src/test/resources/testMissingPath.json
@@ -8,4 +8,4 @@
       "type": "alias"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/src/test/resources/testMultipleAliasesWithSameName.json b/src/test/resources/testMultipleAliasesWithSameName.json
index b5f6a0f11..d24cfee4b 100644
--- a/src/test/resources/testMultipleAliasesWithSameName.json
+++ b/src/test/resources/testMultipleAliasesWithSameName.json
@@ -9,4 +9,4 @@
       "path": "netflow.event_data.DestinationPort"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/src/test/resources/testValidAliasMappings.json b/src/test/resources/testValidAliasMappings.json
index 20aa70443..6f88c4d8b 100644
--- a/src/test/resources/testValidAliasMappings.json
+++ b/src/test/resources/testValidAliasMappings.json
@@ -17,4 +17,4 @@
       "path": "netflow.event_data.DestinationPort"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/src/test/resources/testValidAliasMappingsSimple.json b/src/test/resources/testValidAliasMappingsSimple.json
index 0995ef54d..898a0094f 100644
--- a/src/test/resources/testValidAliasMappingsSimple.json
+++ b/src/test/resources/testValidAliasMappingsSimple.json
@@ -5,4 +5,4 @@
       "path": "netflow.event_data.SourceAddress"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/src/test/resources/testValidAliasMappingsWithNestedType.json b/src/test/resources/testValidAliasMappingsWithNestedType.json
index efd159e60..d5c37276f 100644
--- a/src/test/resources/testValidAliasMappingsWithNestedType.json
+++ b/src/test/resources/testValidAliasMappingsWithNestedType.json
@@ -26,4 +26,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}