EzLucky
In playbook.yml, change line 19 from _**accelerate: true**_ to _**accelerate: false**_
Hello @thomaspatzke We can close the issue as I found a working pipeline. I don't know why I didn't try it before ... This pipeline is working (tested [here](https://sigconverter.io/#version=1.0.6&backend=splunk&format=default&pipeline=&rule=dGl0bGU6IFRlc3QKbG9nc291cmNlOgogICAgY2F0ZWdvcnk6IHByb2Nlc3NfY3JlYXRpb24KICAgIHByb2R1Y3Q6IHdpbmRvd3MgICAgCmRldGVjdGlvbjoKICAgIGtleXdvcmRzOgogICAgICAtIGEKICAgICAgLSBiCiAgICAgIC0gYwogICAgc2VsZWN0aW9uOgogICAgICAgIGFscmVhZHlfYV9maWVsZDogdGVzdAogICAgICAgIGFscmVhZHlfYV9maWVsZF9iaXN8Y29udGFpbnM6CiAgICAgICAgICAtIHRlc3QxCiAgICAgICAgICAtIHRlc3QyCiAgICBjb25kaXRpb246IGtleXdvcmRzIGFuZCBzZWxlY3Rpb24%3D&pipelineYml=bmFtZTogRGVmYXVsdCBmaWVsZCBuYW1lCnRyYW5zZm9ybWF0aW9uczoKICAtIGlkOiBmaWVsZF9tYXBwaW5nCiAgICB0eXBlOiBmaWVsZF9uYW1lX21hcHBpbmcKICAgIG1hcHBpbmc6CiAgICAgIG51bGw6CiAgICAgICAgLSBteV9maWVsZF9uYW1l)) :...
Take a look at https://github.com/Neo23x0/sysmon-config/
Yes, it would be great to have a Wizard API endpoint to handle both the rule and the notification, instead of what we are doing now: calling the wizard...
Level set to low as the rule is very generic. In a future PR I will dev a more specific one related to backdoored command interpreters with a higher level
windash removed from "Capabilities Discovery - Linux" as discussed in #5773
@swachchhanda000 @phantinuss looking at `setgid` linux capabilities, it has almost the same impact as `setuid`. Would you prefer a second rule dedicated to setgid, so both rules can have their...