
Better naming conventions

Open valoq opened this issue 2 years ago • 1 comment

There are currently a number of key strings that refer to the MITRE ATT&CK guide, though in most cases there is little relation to the actual logs.

For example:

T1497_Virtualization_Sandbox_Evasion_System_Checks is used as the key whenever VirtualBox applications are executed in /bin/local.

It also triggers for qemu when running on a Debian Bookworm VM, while the comment in the rules indicates it handles "qemu on macOS".

A different example is T1011_Exfiltration_Over_Other_Network_Medium, which is currently triggered every time a network socket file is created. While it may be correct that it could be used for exfiltration, it stands to reason that it will trigger a lot more often during normal operations.

I would suggest removing the MITRE naming convention completely and using simpler key strings, like "socket created" for the second example.

valoq avatar Jun 25 '23 21:06 valoq
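One way to check the noise claim made in this issue before renaming keys is to count, per rule key, how many events fire and from how many different programs. The script below is an added example for this thread, not code from the auditd rules project or from either poster; the audit records it parses are constructed samples in auditd's native log format (syscall 41 is socket() and 59 is execve() on x86_64), and the comm/exe values are made up.

```python
"""Count how often each auditd rule key fires and which programs trigger it.

Added example for this issue thread; it is not part of the auditd rules project.
It reads SYSCALL records from an audit log and groups them by rule key, so a
key that fires on routine activity (every socket() call, for instance) is
easy to spot before the rule is renamed or tuned.
"""
import re
from collections import Counter, defaultdict

# Constructed sample records in auditd log format (not real logs). The two key
# names are the ones discussed in the issue; comm and exe values are invented.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1687725600.101:1001): arch=c000003e syscall=41 success=yes exit=3 comm="curl" exe="/usr/bin/curl" key="T1011_Exfiltration_Over_Other_Network_Medium"
type=SYSCALL msg=audit(1687725600.205:1002): arch=c000003e syscall=41 success=yes exit=4 comm="sshd" exe="/usr/sbin/sshd" key="T1011_Exfiltration_Over_Other_Network_Medium"
type=SYSCALL msg=audit(1687725600.377:1003): arch=c000003e syscall=41 success=yes exit=5 comm="chronyd" exe="/usr/sbin/chronyd" key="T1011_Exfiltration_Over_Other_Network_Medium"
type=SYSCALL msg=audit(1687725600.490:1004): arch=c000003e syscall=41 success=yes exit=3 comm="apt-get" exe="/usr/bin/apt-get" key="T1011_Exfiltration_Over_Other_Network_Medium"
type=SYSCALL msg=audit(1687725601.310:1005): arch=c000003e syscall=59 success=yes exit=0 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" key="T1497_Virtualization_Sandbox_Evasion_System_Checks"
type=SYSCALL msg=audit(1687725602.002:1006): arch=c000003e syscall=59 success=yes exit=0 comm="sudo" exe="/usr/bin/sudo" key=(null)
"""

KEY_RE = re.compile(r'\bkey="([^"]*)"')
COMM_RE = re.compile(r'\bcomm="([^"]*)"')


def parse_records(log_text):
    """Yield (key, comm) for each SYSCALL record that carries a quoted key.

    Records with key=(null) matched no keyed rule and are skipped. auditd can
    also write key=<hex> when a record matches several rules; that encoding
    is not decoded here.
    """
    for line in log_text.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue
        key = KEY_RE.search(line)
        if key is None:
            continue
        comm = COMM_RE.search(line)
        yield key.group(1), (comm.group(1) if comm else "?")


def hits_per_key(log_text):
    """Return {key: Counter({comm: n})} so noisy keys and their sources stand out."""
    table = defaultdict(Counter)
    for key, comm in parse_records(log_text):
        table[key][comm] += 1
    return dict(table)


def noisy_keys(table, min_distinct_programs=3):
    """Keys fired by at least `min_distinct_programs` different programs.

    A key that many unrelated programs hit is describing an ordinary
    operation, which is the point the issue makes about socket creation.
    """
    return sorted(k for k, c in table.items() if len(c) >= min_distinct_programs)


if __name__ == "__main__":
    table = hits_per_key(SAMPLE_LOG)
    for key, comms in sorted(table.items()):
        print(f"{key}: {sum(comms.values())} hits from {dict(comms)}")
    print("noisy:", noisy_keys(table))
```

On a real host the same functions can be fed the output of `ausearch -i`-free raw logs (e.g. `/var/log/audit/audit.log`); the threshold for "noisy" is an assumption and should be tuned to the host's workload.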

I agree

Neo23x0 avatar Jun 26 '23 07:06 Neo23x0