Awesome Detection Engineering

Concepts & Frameworks

Alerting and Detection Strategies (ADS) Framework | Palantir 854 updated 6mo ago

A blueprint for creating and documenting effective detection content.

Synthetic Adversarial Log Objects (SALO) | Splunk 88 updated 2y ago

Synthetic Adversarial Log Objects (SALO) is a framework for the generation of log events without the need for infrastructure or actions to initiate the event that causes a log event.

Detection Content & Signatures

Sigma Rules 10.2k updated 6d ago

Sigma's repository of turnkey detection content. Content can be converted for use with most SIEMs.

Splunk Security Content 1.6k updated yesterday

Splunk's open-source and frequently updated detection content that can be tweaked for use in other tools.

Chronicle (GCP) Detection Rules 480 updated 3mo ago

Chronicle's detection rules written natively for the the Chronicle Platform.

Exabeam Content Library 28 updated 9d ago

Exabeam's out of the box detection content compatible with the Exabeam Common Information Model.

Anvilogic Detection Armory 116 updated 6mo ago

Anvilogic's opensource and publicly available detection content.

Center for Threat Informed Defense Security Stack Mappings 387 (archived)

Describes cloud computing platform's (Azure, AWS) built-in detection capabilities and their mapings to the MITRE ATT&CK framework.

Detection Engineering with Splunk 68 updated 1y ago

A GitHub repo dedicated to sharing detection analytics in SPL.

Google Cloud Security Analytics 366 (archived)

This repository serves as a community-driven list of sample security analytics for auditing cloud usage and for detecting threats to your data & workloads in Google Cloud.

KQL Advanced Hunting Queries & Analytics Rules 1.7k updated 2d ago

A list of endpoint detections and hunting queries for Microsoft Defender for Endpoint, Defender For Identity, and Defender For Cloud Apps.

Sigma2KQL 1 updated 3d ago

A repository of all SIGMA rules converted to KQL that runs on a weekly schedule to update the repository and align with the up to date version of the SIGMA rules repository.

TerraSigma 2 updated yesterday

A repository of all SIGMA rules converted to Microsoft Sentinel Terraform Scheduled analytic resources. The repository runs on a weekly schedule to update the repository and align with the up to date version of the SIGMA rules repository. Proper entity mapping is completed for the rules to ensure the repo is plug-and-play.

rules

Elastic Detection Rules 2.5k updated yesterday

Elastic's detection rules written natively for the Elastic SIEM. Can easily be converted for use by other SIEMs using Uncoder.

Panther Labs Detection Rules 441 updated yesterday

Panther Lab's native detection rules.

ransomware/artifact.lua

Elastic Endpoint Ransomware Artifact 1.4k updated 9d ago

Elastic's ranswomware artifact, which runs on the Elastic endpoint agent.

Logging, Monitoring & Data Sources

Linux auditd Detection Ruleset 1.8k updated 3mo ago

Linux auditd ruleset that produces telemetry required for threat detection use cases.

Exabeam Common Information Model 10 updated 2d ago

Exabeam's proprietary model used as a framework for normalizing security data.

Loghub 2.6k updated 2d ago

Opensource and freely available security data sources for research and testing.

Elastalert | Yelp 8.0k updated 1y ago

ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch.

Matano 1.7k updated 1y ago

Open source cloud-native security lake platform (SIEM alternative) for threat hunting, Python detections-as-code, and incident response on AWS .

General Resources

Awesome Kubernetes (K8s) Threat Detection 406 updated 2y ago

Another Awesome List dedicated to Kubernetes (K8s) threat detection.

Detection and Response Pipeline 291 updated 2y ago

A list of tools for each component of a detection and response pipeline which includes real-world examples.

Splunk ES Correlation Searches Best Practices | OpsTune 291 updated 2y ago

A highly detailed guide to producing high quality detection content in the Splunk Enterprise Security app.

Detection Engineering