frack113

Results: 108 comments of frack113

@yugoslavskiy I have tested redcanary with aurora since December. Results here: https://frack113.github.io/sigma_redcanaryco/ I think we can close this issue.

![image](https://user-images.githubusercontent.com/62423083/173992621-bef3aeaf-a866-411e-8583-91c589542401.png) As you can see, just starting `msdt /id PCWDiagnostic /af \\DESKTOP-RPBS8AC\temp\file.tmp` already makes a lot of noise. PS alerts can be doubled, as in my lab I use [aurora](https://www.nextron-systems.com/aurora/)...

Hi, I made a quick check of the tools. Valid: 212, Invalid: 7, No backend: 7. Valid backend names: ['ala', 'ala-rule', 'arcsight', 'arcsight-esm', 'carbonblack', 'chronicle', 'crowdstrike', 'csharp', 'devo', 'ee-outliers',...

> I don't think that this works. The `.pri` doesn't get loaded as a DLL but gets opened by the malicious DLL. I don't think it would appear as an...

Hello, it was an automatic conversion of hash fields to "lower OR upper". I modified the code to make it an option to activate.

Hi, good catch. `modified` must be updated to 2022/09/18. `contains` can be changed to `endswith`, as the pattern is `*-stdin` or `*-stdout` or `*-stderr`.
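To make the `contains` versus `endswith` point concrete, here is an added example (not frack113's code and not a SigmaHQ rule or tool) that reproduces Sigma's plain string matching semantics (case-insensitive, `*` and `?` wildcards, `contains` wrapping the value in `*…*` and `endswith` prefixing it with `*`) and applies both modifiers to a few constructed field values. The sample values and the generic `tool`/`agent` names in them are invented for illustration; the page does not name the log source or field.

```python
import re
from typing import Dict, List, Optional, Tuple

# The three suffixes discussed in the comment above.
SUFFIXES = ["-stdin", "-stdout", "-stderr"]

# Constructed sample field values (not real telemetry).
SAMPLES = [
    r"\\.\pipe\tool-SRV01-4711-stdin",     # ends with -stdin
    r"\\.\pipe\tool-SRV01-4711-STDOUT",    # ends with -stdout, different case
    r"\\.\pipe\agent-stderr-relay",        # contains -stderr but does not end with it
    r"\\.\pipe\stdin-collector",           # no '-stdin' substring at all
]


def sigma_pattern(value: str, modifier: Optional[str] = None) -> "re.Pattern[str]":
    """Translate a Sigma string value plus modifier into an anchored regex.

    Sigma plain strings match case-insensitively; '*' matches any run of
    characters and '?' a single character. 'contains' is sugar for '*value*',
    'endswith' for '*value' and 'startswith' for 'value*'.
    """
    if modifier == "contains":
        value = f"*{value}*"
    elif modifier == "endswith":
        value = f"*{value}"
    elif modifier == "startswith":
        value = f"{value}*"
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in value
    )
    return re.compile(f"^{regex}$", re.IGNORECASE | re.DOTALL)


def matches(field_value: str, values: List[str], modifier: Optional[str]) -> bool:
    """A list of values under one field is OR-ed, as in a Sigma detection map."""
    return any(sigma_pattern(v, modifier).match(field_value) for v in values)


def evaluate(samples: List[str] = SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """Return, per sample, (matched by contains, matched by endswith)."""
    return {
        s: (matches(s, SUFFIXES, "contains"), matches(s, SUFFIXES, "endswith"))
        for s in samples
    }


if __name__ == "__main__":
    for sample, (c, e) in evaluate().items():
        print(f"{sample:40}  contains={c!s:5}  endswith={e!s:5}")
```

The third sample is the one that separates the two modifiers: `contains` fires on any value carrying `-stderr` somewhere inside, while `endswith` only fires when the value actually terminates in one of the three suffixes, which is what the pattern in the comment describes.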

Thanks for the English fixes. For the [level](https://github.com/SigmaHQ/sigma/wiki/Specification#level), `low` should not be used for daily detection; these are `Notable event but rarely an incident`. You can run it periodically...

@YamatoSecurity how do you feel about my answer?

I agree, that's why I don't use it in production. It is necessary to know the software inventory well to know what can be important when there is an update session....

You can use the `--ignore-backend-errors` or `-I` option.