Someone should map publicly available EVTX samples to Sigma rules. This would enable us to automatically test the correctness of generated queries.

Known security-related EVTX repositories:

• https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
• https://github.com/Cyb3rWard0g/mordor

Feel free to extend the list.

Mapping should be:

Sigma rule -> Repository/EVTX ( -> expected matched

Hi! I've recently become more interested in structured logging, and have looked into a few structured logging libraries.

You get amazing power when you dump the logs from all of your different systems and sources into a centralized log store, and can then view and analyze them as one whole.

What I've noticed though is that the various structured logging frameworks all save JSON log entries i

Values should be nicely documented in a markdown table in the readme, not just as yaml in values.yaml. This is the standard way of documenting helm charts in the default stable repo. Will make the chart more accessible to newcomers.

                key-file("/opt/syslog-ng/tls/server.key")
                cert-file("/opt/syslog-ng/tls/server.pem")

The default/tags.conf for following have 'session' enabled instead of 'communicate'. As per the Network_Sessions CIM, only DHCP and VPN traffic should be having tags - Network and Sessions. Pls review/validate and update the conf to the below in the next release [ same seen in version 6.1.1 - https://splunkbase.splunk.com/app/2757/]
https://docs.splunk.com/Documentation/CIM/4.12.0/User/NetworkS

What would you like to be added:

Docs example for ciphers array option

https://github.com/splunk/fluent-plugin-splunk-hec#ciphers-array

Why is this needed:

I am deploying SCK 1.3.0 charts and experimenting with security settings by hardening the sslVersions in server.conf & with HEC inputs.conf.