Daniil Yugoslavskiy
1 min read · Jan 3, 2020


Hello Berry!

Thank you.

All the contributed rules have been checked for deduplication against the current content. That’s where the gap between the end of the first sprint (1 November) and the final PR to the Sigma repo (6 December) came from (:

Initially, we were doing the sync in an old-fashioned way using bash/grep/etc.

Only at the very last steps did we decide to upgrade the Atomic Threat Coverage Elasticsearch index generation script [1] so that the detection logic is included in the documents. This upgrade gave us the ability to do lookups in Kibana [2] for specific strings in Sigma rules and make sure there are no duplicates:

Most probably, that’s the most efficient way to do a sync with existing rules so far.

[1] https://github.com/atc-project/atomic-threat-coverage/blob/master/scripts/es_index_export.py

[2] https://kibana.atomicthreatcoverage.com/goto/24751b3ef25bcea5711785915a879a06

(demo:password)
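As an added illustration (not the ATC index script [1] and not the author's code): a canonical fingerprint of each rule's detection logic, the kind of field one would add to an Elasticsearch document so that duplicate Sigma rules can be found by lookup rather than by grep. The sample rules are constructed and mirror the Sigma YAML layout only.

```python
import hashlib
import json

# Constructed sample rules mirroring the Sigma YAML layout (not Sigma repo content): rule-a and
# rule-c carry the same logic with different titles, key order and letter case; rule-b differs.
SAMPLE_RULES = [
    {"title": "Suspicious Rundll32 Execution", "id": "rule-a",
     "logsource": {"category": "process_creation", "product": "windows"},
     "detection": {"selection": {"Image|endswith": "\\rundll32.exe",
                                 "CommandLine|contains": "javascript:"},
                   "condition": "selection"}},
    {"title": "Rundll32 Loading PCWUTL", "id": "rule-b",
     "logsource": {"category": "process_creation", "product": "windows"},
     "detection": {"selection": {"Image|endswith": "\\rundll32.exe",
                                 "CommandLine|contains": "pcwutl.dll"},
                   "condition": "selection"}},
    {"title": "Rundll32 JavaScript Payload", "id": "rule-c",
     "logsource": {"product": "windows", "category": "process_creation"},
     "detection": {"condition": "selection",
                   "selection": {"CommandLine|contains": "JAVASCRIPT:",
                                 "Image|endswith": "\\RUNDLL32.EXE"}}},
]

def _normalize(value):
    """Lower-case string values recursively: Sigma string matching is case-insensitive by default."""
    if isinstance(value, dict):
        return {k: _normalize(v) for k, v in value.items()}
    if isinstance(value, list):
        return [_normalize(v) for v in value]
    return value.lower() if isinstance(value, str) else value

def detection_fingerprint(rule):
    """SHA-256 of canonical JSON (sorted keys, normalized case) of logsource + detection."""
    canon = json.dumps({"logsource": _normalize(rule["logsource"]),
                        "detection": _normalize(rule["detection"])},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def to_index_document(rule):
    """Flatten a rule into a document whose detection logic is a searchable text field."""
    return {"title": rule["title"], "rule_id": rule["id"],
            "detection_fingerprint": detection_fingerprint(rule),
            "detection_text": json.dumps(_normalize(rule["detection"]), sort_keys=True)}

def find_duplicates(rules):
    """Group rule ids by fingerprint and keep only groups with more than one member."""
    groups = {}
    for rule in rules:
        groups.setdefault(detection_fingerprint(rule), []).append(rule["id"])
    return {fp: ids for fp, ids in groups.items() if len(ids) > 1}
```

`find_duplicates(SAMPLE_RULES)` reports rule-a and rule-c as one duplicate group despite their different titles and casing, while rule-b stays separate; `to_index_document` produces the per-rule document an index would hold for string lookups.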


Daniil Yugoslavskiy

Involved in @atc_project and @oscd_initiative; holds OSCP, CCNP Security, GCFA, GNFA.