diff --git a/rules/generic/generic_brute_force.yml b/rules/generic/generic_brute_force.yml
new file mode 100644
index 000000000..5e42646de
--- /dev/null
+++ b/rules/generic/generic_brute_force.yml
@@ -0,0 +1,26 @@
+title: Brute Force
+description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity
+references:
+ - None
+tags:
+ - attack.t1110
+author: Aleksandr Akhremchik, oscd.community
+date: 2019/10/25
+status: experimental
+logsource:
+ category: authentication
+detection:
+ selection:
+ action: failure
+ timeframe: 600s
+ condition: selection | count(category) by dst_ip > 30
+fields:
+ - src_ip
+ - dst_ip
+ - user
+falsepositives:
+ - Inventarization
+ - Penetration testing
+ - Vulnerability scanner
+ - Legitimate application
+level: medium
diff --git a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
new file mode 100644
index 000000000..cd02b1595
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
@@ -0,0 +1,33 @@
+title: Auditing configuration changes on linux host
+description: Detect changes if auditd configuration files
+ # Example config for this one (place it at the top of audit.rules)
+ # -w /etc/audit/ -p wa -k etc_modify_auditconfig
+ # -w /etc/libaudit.conf -p wa -k etc_modify_libauditconfig
+ # -w /etc/audisp/ -p wa -k etc_modify_audispconfig
+references:
+ - https://github.com/Neo23x0/auditd/blob/master/audit.rules
+ - self experience
+tags:
+ - attack.defense_evasion
+ - attack.t1054
+author: Mikhail Larin, oscd.community
+status: experimental
+date: 2019/10/25
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'SYSCALL'
+ key:
+ - 'etc_modify_auditconfig'
+ - 'etc_modify_libauditconfig'
+ - 'etc_modify_audispconfig'
+ condition: selection
+fields:
+ - exe
+ - comm
+ - key
+falsepositives:
+ - Legitimate administrative activity
+level: high
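Review bot: The aggregation on the condition line, `count(category) by dst_ip > 30`, is unlikely to ever fire: per the Sigma aggregation spec `count(field)` counts distinct values of that field, and `category` is a logsource attribute rather than an event field, so the per-destination count cannot reach 30. The description also promises "from one source to one destination", yet grouping only by dst_ip pools every source's failures against a busy server into one bucket. Suggest `condition: selection | count() by src_ip > 30` (counting events, grouped by the source the description names) and adjusting the description if the intent is in fact to count all sources per destination. Minor wording: `which is may indicate` should be `which may indicate`, and the `- None` reference is better expressed as an empty list or by omitting the key.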
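Review bot: The description line reads `Detect changes if auditd configuration files`; it should be `Detect changes of auditd configuration files`. More substantively, the `key` selection only matches writes to the paths under the three watch keys given in the comment lines, so a change made to the live rule set through auditctl without touching /etc/audit/ produces no match; auditd reports such runtime changes as `type: CONFIG_CHANGE`, and a second selection on that record type OR'ed into the condition would cover it — confirm the record type against the auditd version in use before relying on it. The deployment prerequisite (watches with exactly these keys) currently lives only in YAML comments between `description` and `references`; stating it in the description, e.g. `description: Detect changes of auditd configuration files. Requires the audit watches below to be deployed with these keys.`, keeps it visible to consumers that strip comments.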
diff --git a/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
new file mode 100644
index 000000000..c9977f619
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
@@ -0,0 +1,32 @@
+title: Logging configuration changes on linux host
+description: Detect changes of syslog daemons configuration files
+ # Example config for this one (place it at the top of audit.rules)
+ # -w /etc/syslog.conf -p wa -k etc_modify_syslogconfig
+ # -w /etc/rsyslog.conf -p wa -k etc_modify_rsyslogconfig
+ # -w /etc/syslog-ng/syslog-ng.conf -p wa -k etc_modify_syslogngconfig
+references:
+ - self experience
+tags:
+ - attack.defense_evasion
+ - attack.t1054
+author: Mikhail Larin, oscd.community
+status: experimental
+date: 2019/10/25
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'SYSCALL'
+ key:
+ - 'etc_modify_syslogconfig'
+ - 'etc_modify_rsyslogconfig'
+ - 'etc_modify_syslogngconfig'
+ condition: selection
+fields:
+ - exe
+ - comm
+ - key
+falsepositives:
+ - Legitimate administrative activity
+level: high
diff --git a/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml
new file mode 100644
index 000000000..687d7ea8c
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml
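Review bot: The example watch list in the comment lines covers only the three top-level daemon config files, so a change to an rsyslog drop-in under `/etc/rsyslog.d/` (which most distributions include from rsyslog.conf) or to journald's `/etc/systemd/journald.conf` carries none of the keys the `key` selection matches and goes undetected. Suggest extending the example with `-w /etc/rsyslog.d/ -p wa -k etc_modify_rsyslogconfig` (reusing the existing key leaves the rule itself unchanged) and, where journald forwarding matters, a watch on the journald config under a key this rule also lists. Because the rule matches only on these custom `-k` values, the description should state that prerequisite; as written, a deployment without the watches is a silent no-op.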
@@ -0,0 +1,26 @@
+title: Narrator's Feedback-Hub Persistence
+description: Detects abusing Windows 10 Narrator's Feedback-Hub
+references:
+ - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
+tags:
+ - attack.persistence
+ - attack.t1060
+author: Dmitriy Lifanov, oscd.community
+status: experimental
+date: 2019/10/25
+modified: 2019/11/10
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ condition: 1 of them
+ selection1:
+ EventID: 12
+ EventType: DeleteValue
+ TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute'
+ selection2:
+ EventID: 13
+ TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)'
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml b/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml
new file mode 100644
index 000000000..5194d4090
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml
@@ -0,0 +1,27 @@
+title: Regsvr32 network activity
+description: Detects network connections and DNS queries initiated by Regsvr32.exe
+references:
+ - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
+ - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1117
+author: Dmitriy Lifanov, oscd.community
+status: experimental
+date: 2019/10/25
+modified: 2019/11/10
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID:
+ - 3
+ - 22
+ Image|endswith: '\regsvr32.exe'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
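Review bot: The description `Detects abusing Windows 10 Narrator's Feedback-Hub` does not say what the two selections actually watch, and both are pinned to the single package identity `AppXypsaf9f1qserqevf0sws76dx4k9a5206` in their TargetObject suffixes, so the rule's scope is narrower than the title suggests; spell that out, e.g. `description: Detects tampering with the Feedback-Hub AppX command handler used by Narrator - deletion of its DelegateExecute value or a new (Default) command value under Shell\open\command (see reference)`. Whether other AppX aliases would need their own package identity is something to confirm against the referenced post and note in the description if so. Style: `condition: 1 of them` is placed before the selections it refers to; Sigma rules conventionally list `condition` last inside `detection`.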
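Review bot: Event ID 22 in the `EventID` list is the Sysmon DNS-query event, which only exists from Sysmon 10 onward and only when DNS logging is enabled in the Sysmon configuration; on older or default deployments the rule silently degrades to Event 3 alone, which the description `Detects network connections and DNS queries initiated by Regsvr32.exe` does not convey. Suggest `description: Detects network connections (Sysmon EID 3) and DNS queries (Sysmon EID 22, requires Sysmon 10+ with DNS logging enabled) initiated by Regsvr32.exe`. With `level: high` and `falsepositives: unknown`, it would also help triage to record in the rule what benign regsvr32 network activity was observed during testing, if any.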