Detection Engineering

A blueprint for creating and documenting effective detection content.

Synthetic Adversarial Log Objects (SALO) is a framework for the generation of log events without the need for infrastructure or actions to initiate the event that causes a log event.

Agentic memory system that treats Sigma and YARA rules as first-class memory entities, with an LLM rule explainer, STIX 2.1 knowledge graph of CTI entities, and offline-first RAG to connect rules to the actors and techniques they detect. Python, MIT.

Sigma's repository of turnkey detection content. Content can be converted for use with most SIEMs.

Splunk's open-source and frequently updated detection content that can be tweaked for use in other tools.

Chronicle's detection rules written natively for the the Chronicle Platform.

Exabeam's out of the box detection content compatible with the Exabeam Common Information Model.

Anvilogic's opensource and publicly available detection content.

Describes cloud computing platform's (Azure, AWS) built-in detection capabilities and their mapings to the MITRE ATT&CK framework.

A GitHub repo dedicated to sharing detection analytics in SPL.

This repository serves as a community-driven list of sample security analytics for auditing cloud usage and for detecting threats to your data & workloads in Google Cloud.

A list of endpoint detections and hunting queries for Microsoft Defender for Endpoint, Defender For Identity, and Defender For Cloud Apps.

A repository of all SIGMA rules converted to KQL that runs on a weekly schedule to update the repository and align with the up to date version of the SIGMA rules repository.

A repository of all SIGMA rules converted to Microsoft Sentinel Terraform Scheduled analytic resources. The repository runs on a weekly schedule to update the repository and align with the up to date version of the SIGMA rules repository. Proper entity mapping is completed for the rules to ensure the repo is plug-and-play.

Linux auditd ruleset that produces telemetry required for threat detection use cases.

Exabeam's proprietary model used as a framework for normalizing security data.

Opensource and freely available security data sources for research and testing.

ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch.

Open source cloud-native security lake platform (SIEM alternative) for threat hunting, Python detections-as-code, and incident response on AWS .

Autonomous security agent for Linux with real-time threat detection and response via 38 eBPF hooks, 48 detectors, and 23 correlation rules.

Another Awesome List dedicated to Kubernetes (K8s) threat detection.

A list of tools for each component of a detection and response pipeline which includes real-world examples.

A highly detailed guide to producing high quality detection content in the Splunk Enterprise Security app.