Replies: 1 comment
-
Kinda late to the party here, but since nobody responded and I've found these really valuable... here's my take. When it comes to Sigma rules, anything that detects common threat actor tools and tactics is useful to me. This includes things such as Cobalt Strike and Metasploit detection, named pipes, lateral movement via WMI or PowerShell, Terminal Services brute forcing, and so on. I do a lot of Incident Response and thus these kinds of Sigma rules can be a huge time saver and give some great points to pivot off of before deep diving the data.
-
As we progress in the coverage of Sigma rules, I wonder what type of Sigma rules people already use or would like to see.
Is it very common to have custom Sigma rules (maybe in other projects in your teams)?
Do you have more forensic-focused Sigma rules?