[Rule Tuning] Fix invalid reference URLs

[brokensound77]

During some validation testing for another PR, I found a couple files with invalid URLs

diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index 452ae6d7..47d6899d 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -17,7 +17,7 @@ license = "Elastic License v2"
 name = "Potential Privacy Control Bypass via TCCDB Modification"
 references = [
     "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/",
-    "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db Modifier.sh",
+    "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh",
     "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8",
 ]
 risk_score = 47
diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
index 5f3c0098..7cc05db8 100644
--- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml
+++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
@@ -14,11 +14,9 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Persistence via Docker Shortcut Modification"
+note = "None"
 references = [
-    """
-    https://github.com/specterops/presentations/raw/master/Leo
-    Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf
-    """,
+    "https://github.com/specterops/presentations/raw/master/LeoPitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf",
 ]
 risk_score = 47
 rule_id = "c81cefcb-82b9-4408-a533-3c3df549e62d"
@@ -37,13 +35,13 @@ event.category : file and event.action : modification and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1543/"
 id = "T1543"
 name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
 
 
 [rule.threat.tactic]
+reference = "https://attack.mitre.org/tactics/TA0003/"
 id = "TA0003"
 name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
 
diff --git a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
index d3e8050f..496f704d 100644
--- a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
+++ b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
@@ -16,10 +16,7 @@ language = "eql"
 license = "Elastic License v2"
 name = "Finder Sync Plugin Registered and Enabled"
 references = [
-    """
-    https://github.com/specterops/presentations/raw/master/Leo
-    Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf
-    """,
+    "https://github.com/specterops/presentations/raw/master/LeoPitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf",
 ]
 risk_score = 47
 rule_id = "37f638ea-909d-4f94-9248-edd21e4a9906"
diff --git a/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml b/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
index 9f84e59b..1cdbdbd9 100644
--- a/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
+++ b/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
@@ -21,12 +21,13 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "linux_rare_kernel_module_arguments"
 name = "Anomalous Kernel Module Activity"
-references = ["references"]
 risk_score = 21
 rule_id = "37b0816d-af40-40b4-885f-bb162b3c88a9"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index f6494c24..b0e4b405 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -15,7 +15,7 @@ language = "eql"
 license = "Elastic License v2"
 name = "Unusual Parent-Child Relationship"
 references = [
-    "https://github.com/sbousseaden/Slides/blob/master/Hunting MindMaps/PNG/Windows Processes TH.map.png",
+    "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png",
     "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/",
 ]
 risk_score = 47

Once #1029 merges, validation will check these URLs

[brokensound77]

I tested on Kibana and the spacing, to include newlines, is rendered properly as %20 and the links load, so it is not a huge deal. Good for consistency though

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[brokensound77]

open PR in review