diff --git a/rules/linux/macos/macos_emond_launch_daemon.yml b/rules/linux/macos/file_event/macos_emond_launch_daemon.yml
similarity index 100%
rename from rules/linux/macos/macos_emond_launch_daemon.yml
rename to rules/linux/macos/file_event/macos_emond_launch_daemon.yml
diff --git a/rules/linux/macos/macos_startup_items.yml b/rules/linux/macos/file_event/macos_startup_items.yml
similarity index 100%
rename from rules/linux/macos/macos_startup_items.yml
rename to rules/linux/macos/file_event/macos_startup_items.yml
diff --git a/rules/linux/macos/macos_applescript.yml b/rules/linux/macos/process_creation/macos_applescript.yml
similarity index 100%
rename from rules/linux/macos/macos_applescript.yml
rename to rules/linux/macos/process_creation/macos_applescript.yml
diff --git a/rules/linux/macos/macos_base64_decode.yml b/rules/linux/macos/process_creation/macos_base64_decode.yml
similarity index 100%
rename from rules/linux/macos/macos_base64_decode.yml
rename to rules/linux/macos/process_creation/macos_base64_decode.yml
diff --git a/rules/linux/macos/macos_binary_padding.yml b/rules/linux/macos/process_creation/macos_binary_padding.yml
similarity index 100%
rename from rules/linux/macos/macos_binary_padding.yml
rename to rules/linux/macos/process_creation/macos_binary_padding.yml
diff --git a/rules/linux/macos/macos_change_file_time_attr.yml b/rules/linux/macos/process_creation/macos_change_file_time_attr.yml
similarity index 100%
rename from rules/linux/macos/macos_change_file_time_attr.yml
rename to rules/linux/macos/process_creation/macos_change_file_time_attr.yml
diff --git a/rules/linux/macos/macos_clear_system_logs.yml b/rules/linux/macos/process_creation/macos_clear_system_logs.yml
similarity index 93%
rename from rules/linux/macos/macos_clear_system_logs.yml
rename to rules/linux/macos/process_creation/macos_clear_system_logs.yml
index 4df611653d9..0c554bba245 100644
--- a/rules/linux/macos/macos_clear_system_logs.yml
+++ b/rules/linux/macos/process_creation/macos_clear_system_logs.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects deletion of local audit logs
 author: remotephone, oscd.community
 date: 2020/10/11
-modified: 2021/08/14
+modified: 2021/11/11
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md
 logsource:
@@ -16,7 +16,7 @@ detection:
 selection2:
 CommandLine|contains: '/var/log'
 selection3:
- Commandline|contains|all:
+ CommandLine|contains|all:
 - '/Users/'
 - '/Library/Logs/'
 condition: selection1 and (selection2 or selection3)
diff --git a/rules/linux/macos/macos_create_account.yml b/rules/linux/macos/process_creation/macos_create_account.yml
similarity index 100%
rename from rules/linux/macos/macos_create_account.yml
rename to rules/linux/macos/process_creation/macos_create_account.yml
diff --git a/rules/linux/macos/macos_create_hidden_account.yml b/rules/linux/macos/process_creation/macos_create_hidden_account.yml
similarity index 100%
rename from rules/linux/macos/macos_create_hidden_account.yml
rename to rules/linux/macos/process_creation/macos_create_hidden_account.yml
diff --git a/rules/linux/macos/macos_creds_from_keychain.yml b/rules/linux/macos/process_creation/macos_creds_from_keychain.yml
similarity index 100%
rename from rules/linux/macos/macos_creds_from_keychain.yml
rename to rules/linux/macos/process_creation/macos_creds_from_keychain.yml
diff --git a/rules/linux/macos/macos_disable_security_tools.yml b/rules/linux/macos/process_creation/macos_disable_security_tools.yml
similarity index 100%
rename from rules/linux/macos/macos_disable_security_tools.yml
rename to rules/linux/macos/process_creation/macos_disable_security_tools.yml
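Review bot: The `selection3` key being renamed from `Commandline` to `CommandLine` is more than a cosmetic fix: Sigma field names are case-sensitive, so the old spelling would not have mapped to the process-creation `CommandLine` field on most backends, leaving the `/Users/…/Library/Logs/` branch of `selection1 and (selection2 or selection3)` effectively dead (or failing to convert) until now. That is worth recording, since anyone tuning on the rule's history will otherwise assume the branch always fired; a one-line note in the commit message or a `# fixed field-name typo (Commandline -> CommandLine); selection3 previously never matched` comment above `selection3` would do. The same typo is corrected in two other files in this diff, which suggests a rule-linting check that rejects field names outside the configured taxonomy would prevent it from being reintroduced. `selection1` and the rest of the `detection` block are outside the hunk.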
diff --git a/rules/linux/macos/macos_file_and_directory_discovery.yml b/rules/linux/macos/process_creation/macos_file_and_directory_discovery.yml
similarity index 100%
rename from rules/linux/macos/macos_file_and_directory_discovery.yml
rename to rules/linux/macos/process_creation/macos_file_and_directory_discovery.yml
diff --git a/rules/linux/macos/macos_find_cred_in_files.yml b/rules/linux/macos/process_creation/macos_find_cred_in_files.yml
similarity index 100%
rename from rules/linux/macos/macos_find_cred_in_files.yml
rename to rules/linux/macos/process_creation/macos_find_cred_in_files.yml
diff --git a/rules/linux/macos/macos_gui_input_capture.yml b/rules/linux/macos/process_creation/macos_gui_input_capture.yml
similarity index 92%
rename from rules/linux/macos/macos_gui_input_capture.yml
rename to rules/linux/macos/process_creation/macos_gui_input_capture.yml
index 22b42e1c41a..99a94a524ec 100644
--- a/rules/linux/macos/macos_gui_input_capture.yml
+++ b/rules/linux/macos/process_creation/macos_gui_input_capture.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Detects attempts to use system dialog prompts to capture user credentials
 author: remotephone, oscd.community
 date: 2020/10/13
+modified: 2021/11/11
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md
 - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
@@ -15,13 +16,13 @@ detection:
 Image:
 - '/usr/sbin/osascript'
 selection2:
- Commandline|contains|all:
+ CommandLine|contains|all:
 - '-e'
 - 'display'
 - 'dialog'
 - 'answer'
 selection3:
- Commandline|contains:
+ CommandLine|contains:
 - 'admin'
 - 'administrator'
 - 'authenticate'
diff --git a/rules/linux/macos/macos_local_account.yml b/rules/linux/macos/process_creation/macos_local_account.yml
similarity index 100%
rename from rules/linux/macos/macos_local_account.yml
rename to rules/linux/macos/process_creation/macos_local_account.yml
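Review bot: In the corrected `selection3`, `CommandLine|contains` with the list `'admin'`, `'administrator'`, `'authenticate'` is an OR over substrings, so `'administrator'` is redundant — any command line containing it already matches `'admin'` — and can be dropped to keep the rule honest about what it actually keys on: `- 'admin'` and `- 'authenticate'` only. Both `Commandline` → `CommandLine` fixes here also mean `selection2` and `selection3` were not mapping to the real process-creation field before this commit, so the rule's effective logic has changed even though the intent has not; a short comment above `selection2` noting the typo fix would help anyone comparing alert volumes across the `modified` date. The `condition` line that combines these selections is outside the hunk, so I cannot confirm how `selection3` is joined to `selection2`.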
diff --git a/rules/linux/macos/macos_local_groups.yml b/rules/linux/macos/process_creation/macos_local_groups.yml
similarity index 100%
rename from rules/linux/macos/macos_local_groups.yml
rename to rules/linux/macos/process_creation/macos_local_groups.yml
diff --git a/rules/linux/macos/macos_network_service_scanning.yml b/rules/linux/macos/process_creation/macos_network_service_scanning.yml
similarity index 100%
rename from rules/linux/macos/macos_network_service_scanning.yml
rename to rules/linux/macos/process_creation/macos_network_service_scanning.yml
diff --git a/rules/linux/macos/macos_network_sniffing.yml b/rules/linux/macos/process_creation/macos_network_sniffing.yml
similarity index 100%
rename from rules/linux/macos/macos_network_sniffing.yml
rename to rules/linux/macos/process_creation/macos_network_sniffing.yml
diff --git a/rules/linux/macos/macos_remote_system_discovery.yml b/rules/linux/macos/process_creation/macos_remote_system_discovery.yml
similarity index 100%
rename from rules/linux/macos/macos_remote_system_discovery.yml
rename to rules/linux/macos/process_creation/macos_remote_system_discovery.yml
diff --git a/rules/linux/macos/macos_schedule_task_job_cron.yml b/rules/linux/macos/process_creation/macos_schedule_task_job_cron.yml
similarity index 100%
rename from rules/linux/macos/macos_schedule_task_job_cron.yml
rename to rules/linux/macos/process_creation/macos_schedule_task_job_cron.yml
diff --git a/rules/linux/macos/macos_screencapture.yml b/rules/linux/macos/process_creation/macos_screencapture.yml
similarity index 100%
rename from rules/linux/macos/macos_screencapture.yml
rename to rules/linux/macos/process_creation/macos_screencapture.yml
diff --git a/rules/linux/macos/macos_security_software_discovery.yml b/rules/linux/macos/process_creation/macos_security_software_discovery.yml
similarity index 100%
rename from rules/linux/macos/macos_security_software_discovery.yml
rename to rules/linux/macos/process_creation/macos_security_software_discovery.yml
diff --git a/rules/linux/macos/macos_split_file_into_pieces.yml b/rules/linux/macos/process_creation/macos_split_file_into_pieces.yml
similarity index 100%
rename from rules/linux/macos/macos_split_file_into_pieces.yml
rename to rules/linux/macos/process_creation/macos_split_file_into_pieces.yml
diff --git a/rules/linux/macos/macos_susp_histfile_operations.yml b/rules/linux/macos/process_creation/macos_susp_histfile_operations.yml
similarity index 100%
rename from rules/linux/macos/macos_susp_histfile_operations.yml
rename to rules/linux/macos/process_creation/macos_susp_histfile_operations.yml
diff --git a/rules/linux/macos/macos_suspicious_macos_firmware_activity.yml b/rules/linux/macos/process_creation/macos_suspicious_macos_firmware_activity.yml
similarity index 100%
rename from rules/linux/macos/macos_suspicious_macos_firmware_activity.yml
rename to rules/linux/macos/process_creation/macos_suspicious_macos_firmware_activity.yml
diff --git a/rules/linux/macos/macos_system_network_connections_discovery.yml b/rules/linux/macos/process_creation/macos_system_network_connections_discovery.yml
similarity index 100%
rename from rules/linux/macos/macos_system_network_connections_discovery.yml
rename to rules/linux/macos/process_creation/macos_system_network_connections_discovery.yml
diff --git a/rules/linux/macos/macos_system_network_discovery.yml b/rules/linux/macos/process_creation/macos_system_network_discovery.yml
similarity index 96%
rename from rules/linux/macos/macos_system_network_discovery.yml
rename to rules/linux/macos/process_creation/macos_system_network_discovery.yml
index 40b2f33d545..cc427817579 100644
--- a/rules/linux/macos/macos_system_network_discovery.yml
+++ b/rules/linux/macos/process_creation/macos_system_network_discovery.yml
@@ -20,7 +20,7 @@ detection:
 - '/usr/sbin/arp'
 selection2:
 Image: '/usr/bin/defaults'
- Commandline|contains|all:
+ CommandLine|contains|all:
 - 'read'
 - '/Library/Preferences/com.apple.alf'
 condition: selection1 or selection2
diff --git a/rules/linux/macos/macos_system_shutdown_reboot.yml b/rules/linux/macos/process_creation/macos_system_shutdown_reboot.yml
similarity index 100%
rename from rules/linux/macos/macos_system_shutdown_reboot.yml
rename to rules/linux/macos/process_creation/macos_system_shutdown_reboot.yml
diff --git a/rules/linux/macos/macos_xattr_gatekeeper_bypass.yml b/rules/linux/macos/process_creation/macos_xattr_gatekeeper_bypass.yml
similarity index 100%
rename from rules/linux/macos/macos_xattr_gatekeeper_bypass.yml
rename to rules/linux/macos/process_creation/macos_xattr_gatekeeper_bypass.yml
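Review bot: This file gets the same `Commandline` → `CommandLine` correction in `selection2` as the other two rules in this commit, but unlike them its `modified` date is not bumped — the diff shows only the one hunk at line 20, and the `modified` field (if present) is outside it. Because the fix changes which events `selection2` can match (the old key would not have mapped to the process-creation `CommandLine` field), consumers who track rule changes by `modified` will miss it; add or update `modified: 2021/11/11` to match the sibling rules. Separately, `- 'read'` as a bare `contains` token is broad, though here it is ANDed with the `com.apple.alf` path and `Image: '/usr/bin/defaults'`, so the risk is limited; a comment such as `# defaults read of the ALF prefs = firewall state discovery` above `selection2` would make the intent explicit. `selection1` is outside the hunk.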