Dan

Results: 20 comments by Dan

If I copy, after build&push, threshold .config and scirius.rules from SciriusCE_1 to SciriusCE_2, SciriusCE_3, etc., overwrite and build&push, threshold .config and scirius.rules at target SciriusCE_1 to SciriusCE_2, SciriusCE_3 and...

No, the files that I move from SciriusCE_1 are overwritten by the actual settings of SciriusCE_2 after build&push.

The last thing I did, and visually it worked, was to export all the rules_* tables from the sqlite3 of SciriusCE_1 and import them (dropping the existing ones before) into the sqlite3 of SciriusCE_2\3\4 etc., but looks...

Just tested it and it all works well. There are only 27 sysmon rules in those groups.

Here are my sysmon base rules: https://github.com/n00bsteam/SigmaWazuhRules/blob/main/sysmon_groups.xml

> Dude, do you have hash on filecreation? 11id no

> I've changed the logic to prefer any if_group setting defined in the ini config file. If an if_group setting does not exist for a Sigma logsource.product or logsource.service it...

But can you add logsource.category? And will it be matched before logsource.service and logsource.product in if_sid?

> For Gmail you would need to turn on MFA and then create an app password, it didn't work with a normal password for me. If you have any issues...