Maspital

Results 6 comments of Maspital

Thanks for the hint! When I looked at the report of my operations, I found this: ``` "skipped_abilities": [ { "jdcctr": [ { "reason": "Executor not available", "reason_id": 1, "ability_id":...

Yes, I'm using a modified version of `sigma_event_logs.all` (because winlogbeat likes to name stuff differently). Changing SIGMA rules themselves even slightly is something I would like to avoid because I...

That looks great! Assuming knowledge of Sigma rules in general, this is nice and understandable in my opinion. So this would work for whatever field may be defined within the...

Any news regarding this? :) @alexkornitzer

Seems to work nicely, at least for the things I tested :+1: I will try it out in more detail tomorrow

I'm sure I didn't test for everything, but so far everything did what it was supposed to do. Two more things: - can the filter handle negated input? Might be...