Security: srkyn/splunk-detection-content

SECURITY.md

Security Policy

This repository contains public detection notes and sanitized SPL examples. Do not open public issues with private logs, usernames, hostnames, internal domains, ticket numbers, or screenshots from a live environment.

Reporting

For corrections or safety concerns, open an issue with:

  • The detection file involved.
  • The false-positive or coverage concern.
  • A sanitized example using fake hostnames, usernames, and domains.

Scope

In scope:

  • Unsafe query assumptions.
  • Missing tuning context.
  • Misleading ATT&CK mapping.
  • Wording that could encourage overclaiming detection coverage.

Out of scope:

  • Requests to analyze private logs in public.
  • Environment-specific allowlists or internal detections that cannot be sanitized.