yugoslavskiy

Results 59 comments of yugoslavskiy

I'll work out:
- 3: T1027: Obfuscated Files or Information
- 14: T1049: System Network Connections Discovery
- 28: T1083: File and Directory Discovery
- 41: T1518.001: Security Software Discovery...

Hello @defensivedepth , @neu5ron! My two cents: (correct me if I am wrong) the main reason for having the logsources is the simplicity for rule developers via adding a layer...

Hey @neu5ron ! Thanks for such a detailed answer! As you said, there are many tricky things like collecting `smb` events from endpoints AND from network traffic analyzers. The borders...

I'll work out:
- 4: T1027: Obfuscated Files or Information
- 8: T1049: System Network Connections Discovery
- 18: T1083: File and Directory Discovery
- 26: T1518.001: Security Software Discovery

@tas-kmanager:
> 43, 48, 50
>
> I have some questions on both 48 and 50:
>
> * Page 48 is relying on chain of 2 events (event 1...

> Follow up question for 48. I do have a rule that looks for Windows Installer service (msiexec.exe) when it tries to install MSI packages with SYSTEM privilege, do you...

> 38 seems to intend that you use it with the results of 37 - I don't believe that is something supported by sigma, but I'm open to suggestions on...

> apologies if my subsequent PRs aren't done right, I haven't collaborated in Github before! Hello @OpalSec! That's totally fine, no worries (: That's the whole point of the sprint...

Hello @esebese , @caliskanfurkan, @svch0stz , @Vasilisa-L , @uncleAntik ! Friendly reminder — please create one Pull Request per Sigma rule. The target branch for Pull Requests is `oscd`. Thank...