fix: Use 'Provider Name' for windows eventlog log sources

rules/windows/builtin/win_audit_cve.yml

@@ -23,13 +23,13 @@ tags:
     - attack.t1499.004
 author: Florian Roth
 date: 2020/01/15
-modified: 2020/08/23
+modified: 2021/10/13
 logsource:
     product: windows
     service: application
 detection:
     selection:
-        Source: 'Microsoft-Windows-Audit-CVE'
+        Provider Name: 'Microsoft-Windows-Audit-CVE'
     condition: selection
 falsepositives:
     - Unknown

rules/windows/builtin/win_event_log_cleared.yml

@@ -5,7 +5,7 @@ description: Checks for event id 1102 which indicates the security event log was
 references: 
   - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml
 date: 2021/08/15
-modified: 2021/10/08
+modified: 2021/10/13
 author: Saw Winn Naung
 level: medium
 logsource:                     
@@ -17,7 +17,7 @@ tags:
 detection:
     selection:
         EventID: 1102
-        Source: Microsoft-Windows-Eventlog
+        Provider Name: Microsoft-Windows-Eventlog
     condition: selection
 fields:
     - SubjectLogonId

rules/windows/builtin/win_rdp_potential_cve_2019_0708.yml

@@ -11,7 +11,7 @@ tags:
 status: experimental
 author: "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)"
 date: 2019/05/24
-modified: 2020/08/23
+modified: 2021/10/13
 logsource:
     product: windows
     service: system
@@ -20,7 +20,7 @@ detection:
         EventID:
             - 56
             - 50
-        Source: TermDD
+        Provider Name: TermDD
     condition: selection
 falsepositives:
     - Bad connections or network interruptions

rules/windows/builtin/win_software_atera_rmm_agent_install.yml

@@ -5,6 +5,7 @@ description: Detects successful installation of Atera Remote Monitoring & Manage
 references: 
   - https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
 date: 2021/09/01
+modified: 2021/10/13
 author: Bhabesh Raj
 level: high
 logsource:                     
@@ -15,8 +16,8 @@ tags:
 detection:
     selection:
         EventID: 1033
-        Source: MsiInstaller
+        Provider Name: MsiInstaller
         Message|contains: AteraAgent
     condition: selection
 falsepositives:
-    - Legitimate Atera agent installation
+    - Legitimate Atera agent installation

rules/windows/builtin/win_susp_backup_delete.yml

@@ -7,6 +7,7 @@ references:
     - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
 date: 2017/05/12
+modified: 2021/10/13
 tags:
     - attack.defense_evasion
     - attack.t1107          # an old one
@@ -17,7 +18,7 @@ logsource:
 detection:
     selection:
         EventID: 524
-        Source: Microsoft-Windows-Backup
+        Provider Name: Microsoft-Windows-Backup
     condition: selection
 falsepositives:
     - Unknown

rules/windows/builtin/win_susp_dhcp_config.yml

@@ -7,6 +7,7 @@ references:
     - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
     - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
 date: 2017/05/15
+modified: 2021/10/13
 author: Dimitrios Slamaris
 tags:
     - attack.defense_evasion
@@ -18,7 +19,7 @@ logsource:
 detection:
     selection:
         EventID: 1033
-        Source: Microsoft-Windows-DHCP-Server
+        Provider Name: Microsoft-Windows-DHCP-Server
     condition: selection
 falsepositives:
     - Unknown

rules/windows/builtin/win_susp_dhcp_config_failed.yml

@@ -7,7 +7,7 @@ references:
     - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
     - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
 date: 2017/05/15
-modified: 2019/07/17
+modified: 2021/10/13
 tags:
     - attack.defense_evasion
     - attack.t1073           # an old one
@@ -22,7 +22,7 @@ detection:
             - 1031
             - 1032
             - 1034
-        Source: Microsoft-Windows-DHCP-Server
+        Provider Name: Microsoft-Windows-DHCP-Server
     condition: selection
 falsepositives:
     - Unknown

rules/windows/builtin/win_susp_eventlog_cleared.yml

@@ -9,7 +9,7 @@ references:
     - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
 author: Florian Roth
 date: 2017/01/10
-modified: 2021/10/08
+modified: 2021/10/13
 tags:
     - attack.defense_evasion
     - attack.t1070           # an old one
@@ -23,7 +23,7 @@ detection:
         EventID:
             - 517
             - 1102
-        Source: Microsoft-Windows-Eventlog
+        Provider Name: Microsoft-Windows-Eventlog
     condition: selection
 falsepositives:
     - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)

rules/windows/builtin/win_susp_msmpeng_crash.yml

@@ -8,6 +8,7 @@ tags:
     - attack.t1562.001
 status: experimental
 date: 2017/05/09
+modified: 2021/10/13
 references:
     - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
     - https://technet.microsoft.com/en-us/library/security/4022344
@@ -17,10 +18,10 @@ logsource:
     service: application
 detection:
     selection1:
-        Source: 'Application Error'
+        Provider Name: 'Application Error'
         EventID: 1000
     selection2:
-        Source: 'Windows Error Reporting'
+        Provider Name: 'Windows Error Reporting'
         EventID: 1001
     keywords:
         - 'MsMpEng.exe'

rules/windows/builtin/win_system_susp_eventlog_cleared.yml

@@ -11,7 +11,7 @@ references:
     - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
 author: Florian Roth
 date: 2017/01/10
-modified: 2021/09/21
+modified: 2021/10/13
 tags:
     - attack.defense_evasion
     - attack.t1070           # an old one
@@ -23,7 +23,7 @@ logsource:
 detection:
     selection:
         EventID: 104
-        Source: Microsoft-Windows-Eventlog
+        Provider Name: Microsoft-Windows-Eventlog
     condition: selection
 falsepositives:
     - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)

rules/windows/builtin/win_volume_shadow_copy_mount.yml

@@ -3,6 +3,7 @@ id: f512acbf-e662-4903-843e-97ce4652b740
 description: Detects volume shadow copy mount
 status: experimental
 date: 2020/10/20
+modified: 2021/10/13
 author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
 tags:
     - attack.credential_access
@@ -14,10 +15,10 @@ logsource:
     service: system
 detection:
     selection: 
-        Source: Microsoft-Windows-Ntfs
+        Provider Name: Microsoft-Windows-Ntfs
         EventID: 98
         DeviceName|contains: HarddiskVolumeShadowCopy
     condition: selection
 falsepositives:
     - Legitimate use of volume shadow copy mounts (backups maybe).
-level: medium
+level: medium

rules/windows/builtin/win_vul_cve_2020_0688.yml

@@ -7,7 +7,7 @@ references:
     - https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
 author: Florian Roth, wagga
 date: 2020/02/29
-modified: 2021/06/27
+modified: 2021/10/13
 tags:
     - attack.initial_access
     - attack.t1190
@@ -17,7 +17,7 @@ logsource:
 detection:
     selection1:
         EventID: 4
-        Source: MSExchange Control Panel
+        Provider Name: 'MSExchange Control Panel'
         Level: Error
     selection2:
         - '&__VIEWSTATE='

tools/config/winlogbeat-modules-enabled.yml

@@ -108,7 +108,7 @@ fieldmappings:
     EventID: event.code
     Channel: winlog.channel
     #Keywords: from "<System><Keywords>Value</Keywords></System><EventData>" is lost with winlogbeat exist in nxlog
-    provider name: winlog.provider_name
+    Provider Name: winlog.provider_name
     CallingProcessName: winlog.event_data.CallingProcessName
     ComputerName: winlog.ComputerName
     EventType: winlog.event_data.EventType