0x09. Rule-based Linux Log Analysis

A chapter dedicated to different open-source detection rule sets: their formats, use cases, and detection logic. While analyzing Sigma rules I also think from the red team perspective and ask myself: "What is the goal of the technique? How can similar behavior be generated? How can generating this behavior be avoided?" After hands-on offensive research, new questions appear: "How to detect it? On which layers? What telemetry would be helpful? Is there any relation between the available data sources? What about missing data sources?" Take your time and carefully analyze Sigma rules (a generic signature format for SIEM systems) and the Protections Artifacts from Elastic, and get a true hands-on purple teaming experience.
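To make the detection-logic side of this concrete, here is an added example (not code from this chapter, from the Sigma project, or from Elastic) that lays out a hypothetical Sigma-style rule in Python and evaluates it against constructed Linux auth.log lines; the field names `ts`, `host`, `process` and `message` and the sample lines are this example's own assumptions.

```python
import re
# Constructed auth.log lines in classic syslog layout (sample data, not a real capture).
SAMPLE_AUTH_LOG = [
    "Jan 10 09:12:01 host1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Jan 10 09:12:40 host1 sshd[1210]: Failed password for root from 203.0.113.7 port 40122 ssh2",
    "Jan 10 09:12:42 host1 sshd[1210]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2",
    "Jan 10 09:13:05 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/usr/bin/apt update",
]
# Hypothetical rule, laid out like a Sigma YAML document (logsource / detection / condition).
SSH_ROOT_PASSWORD_FAILURE = {
    "title": "SSH password failure for root (illustrative, not from any public rule set)",
    "logsource": {"product": "linux", "service": "auth"},
    "detection": {
        "selection": {"process": "sshd", "message|contains": "Failed password for root"},
        "filter": {"message|contains": "invalid user"},
        "condition": "selection and not filter",
    },
}
# Field names (ts, host, process, message) are this example's own mapping of a syslog line.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<process>[\w-]+)(?:\[\d+\])?: (?P<message>.*)$")

def parse_syslog(line):
    """Turn one syslog line into the event dict the rule selects on (None if unparseable)."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def _field_matches(event, key, expected):
    """One selection entry: 'field' (exact) or 'field|contains'; a list of values is OR-ed."""
    field, _, modifier = key.partition("|")
    value = event.get(field, "")
    expected = expected if isinstance(expected, list) else [expected]
    if modifier == "contains":
        return any(str(e) in value for e in expected)
    return any(value == str(e) for e in expected)

def _selection_matches(event, selection):
    """Entries inside one selection map are AND-ed, as in Sigma."""
    return all(_field_matches(event, k, v) for k, v in selection.items())

def evaluate(rule, event):
    """Supports the two most common conditions: 'selection' and 'selection and not filter'."""
    det = rule["detection"]
    hit = _selection_matches(event, det["selection"])
    if det["condition"] == "selection and not filter":
        return hit and not _selection_matches(event, det["filter"])
    return hit

def run_rule(rule, lines):
    """Return the raw lines the rule fires on, skipping lines that do not parse."""
    return [ln for ln in lines if (ev := parse_syslog(ln)) and evaluate(rule, ev)]
```

Only the second line fires: the third is excluded by the `filter` section, which is where most of the tuning work in a real rule set happens.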