Removed lists from log source section
Florian Roth committed Feb 19, 2017
1 parent 6fbc1dc commit 52d04e5
Showing 21 changed files with 20 additions and 17 deletions.
Binary file modified images/Sigma_rule_example1.png
Binary file modified images/Sigma_rule_example2.png
Binary file modified images/Sigma_rule_example4.png
Binary file modified images/Sigma_rule_example5.png
2 changes: 1 addition & 1 deletion rules/windows/builtin/win_alert_mimikatz_keywords.yml
Expand Up @@ -2,7 +2,7 @@ title: Mimikatz Usage
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
author: Florian Roth
logsource:
- product: windows
product: windows
detection:
selection:
EventLog:
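Review bot: dropping the leading dash turns logsource from a list of one-key mappings into a plain mapping, so any parser or converter that iterated over logsource entries has to be adjusted in the same change, and the rule-format documentation should describe the mapping form. The four Sigma_rule_example*.png images modified in this commit indicate the screenshots were regenerated; the written spec should be checked for the same update. All 17 rule files here receive the identical one-line change, which keeps the corpus consistent.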
2 changes: 1 addition & 1 deletion rules/windows/builtin/win_av_relevant_match.yml
Expand Up @@ -2,7 +2,7 @@ title: Relevant Anti-Virus Event
description: This detection method points out highly relevant Antivirus events
author: Florian Roth
logsource:
- product: windows
product: windows
detection:
selection:
EventLog: Application
2 changes: 1 addition & 1 deletion rules/windows/builtin/win_susp_eventlog_cleared.yml
Expand Up @@ -3,7 +3,7 @@ description: One of the Windows Eventlogs has been cleared
reference: https://twitter.com/deviouspolack/status/832535435960209408
author: Florian Roth
logsource:
- product: windows
product: windows
detection:
selection:
EventLog: System
2 changes: 1 addition & 1 deletion rules/windows/builtin/win_susp_failed_logon_reasons.yml
Expand Up @@ -2,7 +2,7 @@ title: Account Tampering - Suspicious Failed Logon Reasons
description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
author: Florian Roth
logsource:
- product: windows
product: windows
detection:
selection:
EventLog: Security
Expand Up @@ -2,7 +2,7 @@ title: Multiple Failed Logins with Different Accounts from Single Source System
description: Detects suspicious failed logins with different user accounts from a single source system
author: Florian Roth
logsource:
- product: windows
product: windows
detection:
selection:
EventLog: Security
Expand All @@ -20,3 +20,5 @@ falsepositives:
- Other multiuser systems like Citrix server farms
- Workstations with frequently changing users
level: medium


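Review bot: the second hunk (`@@ -20,3 +20,5 @@`) only appends two empty lines after `level: medium`, which is whitespace churn unrelated to the logsource change; drop the trailing blank lines so the file ends with a single newline.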
2 changes: 1 addition & 1 deletion rules/windows/builtin/win_susp_kerberos_manipulation.yml
Expand Up @@ -2,7 +2,7 @@ title: Kerberos Manipulation
description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
author: Florian Roth
logsource:
- product: windows
product: windows
detection:
selection:
EventLog: Security
3 changes: 2 additions & 1 deletion rules/windows/builtin/win_susp_lsass_dump.yml
Expand Up @@ -3,7 +3,7 @@ description: Detects process handle on LSASS process with certain access mask an
status: experimental
reference: https://twitter.com/jackcr/status/807385668833968128
logsource:
- product: windows
product: windows
detection:
selection:
EventLog: Security
Expand All @@ -15,3 +15,4 @@ detection:
falsepositives:
- Unkown
level: high

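Review bot: the second hunk (`@@ -15,3 +15,4 @@`) appends a trailing empty line after `level: high`, which is unrelated whitespace; drop it. Since the file is being touched, the context line `- Unkown` under falsepositives should also be corrected to `- Unknown`.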
2 changes: 1 addition & 1 deletion rules/windows/builtin/win_susp_rc4_kerberos.yml
Expand Up @@ -3,7 +3,7 @@ status: experimental
reference: https://adsecurity.org/?p=3458
description: Detects logons using RC4 encryption type
logsource:
- product: windows
product: windows
detection:
selection:
EventLog: Security
Expand Up @@ -2,7 +2,7 @@ title: Security Eventlog Cleared
description: Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities
author: Florian Roth
logsource:
- product: windows
product: windows
detection:
selection:
EventLog: Security
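Review bot: the description context line still carries the typo `utitlities`; as the file is being edited anyway, correct it to `utilities`.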
2 changes: 1 addition & 1 deletion rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
Expand Up @@ -3,7 +3,7 @@ status: experimental
description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION, 0x0010 PROCESS_VM_READ)
reference: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
logsource:
- product: sysmon
product: sysmon
detection:
selection:
- EventLog: Microsoft-Windows-Sysmon/Operational
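Review bot: the selection block in this rule still uses list syntax (`- EventLog: Microsoft-Windows-Sysmon/Operational`) while the sibling Sysmon rules in this commit use a plain mapping under selection; if the intent of the commit is to remove lists wherever a mapping is meant, this line should change as well, otherwise the distinct meaning of a list under selection should be stated in the rule documentation so readers do not mistake it for a leftover. The description also has stray spaces inside the constant names (`PROCESS_QUERY_ LIMITED_INFORMATION`, `PROCESS_QUERY_ INFORMATION`); write them as `PROCESS_QUERY_LIMITED_INFORMATION` and `PROCESS_QUERY_INFORMATION`.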
Expand Up @@ -3,7 +3,7 @@ status: experimental
description: Detects certain DLL loads when Mimikatz gets executed
reference: https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
logsource:
- product: sysmon
product: sysmon
detection:
dllload1:
EventLog: Microsoft-Windows-Sysmon/Operational
2 changes: 1 addition & 1 deletion rules/windows/sysmon/sysmon_password_dumper_lsass.yml
Expand Up @@ -2,7 +2,7 @@ title: Password Dumper Remote Thread in LSASS
description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundrets of events.
author: Thomas Patzke
logsource:
- product: sysmon
product: sysmon
detection:
selection:
EventLog: Microsoft-Windows-Sysmon/Operational
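Review bot: the description context line says `hundrets of events`; correct it to `hundreds of events` while this file is being changed.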
2 changes: 1 addition & 1 deletion rules/windows/sysmon/sysmon_susp_driver_load.yml
Expand Up @@ -2,7 +2,7 @@ title: Suspicious Driver Load from Temp
description: Detetcs a driver load from a temporary directory
author: Florian Roth
logsource:
- product: sysmon
product: sysmon
detection:
selection:
EventLog: Microsoft-Windows-Sysmon/Operational
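Review bot: the description context line reads `Detetcs a driver load`; fix the typo to `Detects` in the same commit.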
2 changes: 1 addition & 1 deletion rules/windows/sysmon/sysmon_susp_mmc_source.yml
Expand Up @@ -3,7 +3,7 @@ status: experimental
description: Processes started by MMC could by a sign of lateral movement using MMC application COM object
reference: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
logsource:
- product: sysmon
product: sysmon
detection:
selection:
EventLog: Microsoft-Windows-Sysmon/Operational
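Review bot: the description context line reads `could by a sign of lateral movement`; it should be `could be a sign of lateral movement`.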
2 changes: 1 addition & 1 deletion rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml
Expand Up @@ -2,7 +2,7 @@ title: Java running with Remote Debugging
description: Detcts a JAVA process running with remote debugging allowing more than just localhost to connect
author: Florian Roth
logsource:
- product: sysmon
product: sysmon
detection:
selection:
EventLog: Microsoft-Windows-Sysmon/Operational
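Review bot: the description context line reads `Detcts a JAVA process`; correct it to `Detects a Java process`.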
2 changes: 1 addition & 1 deletion rules/windows/sysmon/sysmon_webshell_detection.yml
Expand Up @@ -2,7 +2,7 @@ title: Webshell Detection With Command Line Keywords
description: Detects certain command line parameters often used during reconnissaince activity via web shells
author: Florian Roth
logsource:
- product: sysmon
product: sysmon
detection:
selection:
EventLog: Microsoft-Windows-Sysmon/Operational
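Review bot: the description context line has `reconnissaince`; correct it to `reconnaissance`.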
2 changes: 1 addition & 1 deletion rules/windows/sysmon/sysmon_webshell_spawn.yml
Expand Up @@ -3,7 +3,7 @@ status: experimental
description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
author: Thomas Patzke
logsource:
- product: sysmon
product: sysmon
detection:
selection:
EventLog: Microsoft-Windows-Sysmon/Operational
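Review bot: the description context line ends with `or an other attack`; it should read `or another attack`.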
0 comments on commit 52d04e5