rhetenor/awesome-awesomeness
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
652812eed0d0ae17376945242133acb706f9b01f
awesome-awesomeness/html/detectionengineering.html
rhetenor 5916c5c074 update lists
2025-07-18 22:22:32 +02:00

285 lines
15 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<h1 id="awesome-detection-engineering-awesome">Awesome Detection
Engineering <a href="https://awesome.re"><img
src="https://awesome.re/badge.svg" alt="Awesome" /></a></h1>
<p>Detection Engineering is a tactical function of a cybersecurity
defense program that involves the design, implementation, and operation
of detective controls with the goal of proactively identifying malicious
or unauthorized activity before it negatively impacts an individual or
an organization.</p>
<p>All contributions are welcome, please carefully review the <a
href="https://github.com/infosecB/awesome-detection-engineering/blob/main/contributing.md">contributing
guidelines</a> prior to submitting a pull request.</p>
<h2 id="contents">Contents</h2>
<ul>
<li><a href="#concepts--frameworks">Concepts &amp; Frameworks</a></li>
<li><a href="#detection-content--signatures">Detection Content &amp;
Signatures</a></li>
<li><a href="#logging-monitoring--data-sources">Logging, Monitoring
&amp; Data Sources</a></li>
<li><a href="#general-resources">General Resources</a></li>
</ul>
<h2 id="concepts-frameworks">Concepts &amp; Frameworks</h2>
<ul>
<li><a href="https://attack.mitre.org/">MITRE ATT&amp;CK</a> - The
foundational framework of adversary tactics, techniques, and procedures
based on real-world observations.</li>
<li><a
href="https://github.com/palantir/alerting-detection-strategy-framework">Alerting
and Detection Strategies (ADS) Framework | Palantir</a> - A blueprint
for creating and documenting effective detection content.</li>
<li><a href="https://detectionengineering.io">Detection Engineering
Maturity Matrix | Kyle Bailey</a> - A detailed matrix that serves as a
tool to measure the overall maturity of an organizations Detection
Engineering program.</li>
<li><a
href="http://ryanstillions.blogspot.com/2014/04/the-dml-model_21.html">Detection
Maturity Level (DML) Model | Ryan Stillions</a> - Defines and describes
8 different levels of an organizations threat detection program
maturity.</li>
<li><a
href="http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html">The
Pyramid of Pain | David J Bianco</a> - A model used to describe various
categorizations of indicators of compromise and their level of
effectiveness in detecting threat actors.</li>
<li><a
href="https://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html">Cyber
Kill Chain | Lockheed Martin</a> - Lockheed Martins framework that
outlines the 7 stages commonly observed in a cyber attack.</li>
<li><a
href="https://www.betaalvereniging.nl/wp-content/uploads/FI-ISAC-use-case-framework-verkorte-versie.pdf">MaGMa
(Management, Growth and Metrics &amp; Assessment) Use Case Defintion
Model</a> - A business-centric approach for defining threat detection
use cases.</li>
<li><a href="https://github.com/splunk/salo">Synthetic Adversarial Log
Objects (SALO) | Splunk</a> - Synthetic Adversarial Log Objects (SALO)
is a framework for the generation of log events without the need for
infrastructure or actions to initiate the event that causes a log
event.</li>
<li><a href="https://br0k3nlab.com/resources/zen-of-security-rules/">The
Zen of Security Rules | Justin Ibarra</a> - Outlines 19 aphorisms that
serve as universal principles for the creation of high quality detection
content.</li>
<li><a href="https://sansorg.egnyte.com/dl/KTc16ldiqv">Blue-team-as-Code
- the Spiral of Joy | Den Iuzvyk, Oleg Kolesnikov</a> -
Blue-Team-as-Code: Lessons From Real-world Red Team Detection Automation
Using Logs.</li>
<li><a
href="https://medium.com/snowflake/detection-development-lifecycle-af166fffb3bc">Detection
Development Lifecycle | Haider Dost et al.</a> - Snowflakes
implementation of the Detection Development Lifecycle.</li>
<li><a
href="https://medium.com/snowflake/threat-detection-maturity-framework-23bbb74db2bc">Threat
Detection Maturity Framework | Haider Dost of Snowflake</a> - A maturity
matrix to measure the success of your threat detection program.</li>
<li><a
href="https://www.elastic.co/security-labs/elastic-releases-debmm">Elastics
Detection Engineering Behavior Maturity Model</a> - Elastics
qualitative and quantitative approach to measuring threat detection
program maturity.</li>
<li><a
href="https://medium.com/starting-up-security/prioritizing-detection-engineering-b60b46d55051">Prioritizing
Detection Engineering | Ryan McGeehan</a> - A longtime detection
engineer outlines how a detection engineering program should be built
from the ground up.</li>
<li><a
href="https://www.detectionengineering.net/s/field-manual">Detection
Engineering Field Manual | Zack Allen</a> - a series of posts exploring
the various foundational components of Detection Engineering.</li>
</ul>
<h2 id="detection-content-signatures">Detection Content &amp;
Signatures</h2>
<ul>
<li><a href="https://rulehound.com">Rulehound</a> - An index of publicly
available and open-source threat detection rulesets.</li>
<li><a href="https://car.mitre.org">MITRE Cyber Analytics Repository
(CAR)</a> - MITREs well-maintained repository of detection
content.</li>
<li><a href="https://car.mitre.org/coverage/">CAR Coverage
Comparision</a> - A matrix of MITRE ATT&amp;CK technique IDs and links
to available Splunk Security Content, Elastic detection rules, Sigma
rules, and CAR content.</li>
<li><a href="https://github.com/Neo23x0/sigma">Sigma Rules</a> - Sigmas
repository of turnkey detection content. Content can be converted for
use with most SIEMs.</li>
<li><a href="https://sigconverter.io/">Sigma rule converter</a> - An
opensource tool that can convert detection content for use with most
SIEMs.</li>
<li><a href="https://attackrulemap.com">AttackRuleMap</a> - Mapping of
open-source detection rules and atomic tests.</li>
<li><a href="https://github.com/splunk/security_content">Splunk Security
Content</a> - Splunks open-source and frequently updated detection
content that can be tweaked for use in other tools.</li>
<li><a
href="https://github.com/elastic/detection-rules/tree/main/rules">Elastic
Detection Rules</a> - Elastics detection rules written natively for the
Elastic SIEM. Can easily be converted for use by other SIEMs using
Uncoder.</li>
<li><a
href="https://github.com/elastic/protections-artifacts/tree/main/behavior/rules">Elastic
Endpoint Behavioral Rules</a> - Elastics endpoint behavioral
(prevention) rules written in EQL, natively for the Elastic endpoint
agent.</li>
<li><a
href="https://github.com/elastic/protections-artifacts/tree/main/yara/rules">Elastic
Yara Signatures</a> - Elastics YARA signatures, which run on the
Elastic endpoint agent.</li>
<li><a
href="https://github.com/elastic/protections-artifacts/tree/main/ransomware/artifact.lua">Elastic
Endpoint Ransomware Artifact</a> - Elastics ranswomware artifact, which
runs on the Elastic endpoint agent.</li>
<li><a href="https://github.com/chronicle/detection-rules">Chronicle
(GCP) Detection Rules</a> - Chronicles detection rules written natively
for the the Chronicle Platform.</li>
<li><a
href="https://github.com/ExabeamLabs/Content-Library-CIM2">Exabeam
Content Library</a> - Exabeams out of the box detection content
compatible with the Exabeam Common Information Model.</li>
<li><a
href="https://github.com/panther-labs/panther-analysis/tree/master/rules">Panther
Labs Detection Rules</a> - Panther Labs native detection rules.</li>
<li><a href="https://github.com/anvilogic-forge/armory">Anvilogic
Detection Armory</a> - Anvilogics opensource and publicly available
detection content.</li>
<li><a
href="https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html">AWS
GuardDuty Findings</a> - A list of all AWS GuardDuty Findings, their
descriptions, and associated data sources.</li>
<li><a
href="https://cloud.google.com/security-command-center/docs/concepts-security-sources#threats">GCP
Security Command Center Findings</a> - A list of all GCP Security
Command Center Findings, their descriptions, and associated data
sources.</li>
<li><a
href="https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference">Azure
Defender for Cloud Security Alerts</a> - A list of all Azure Security
for Cloud Alerts, their descriptions, and associated data sources.</li>
<li><a
href="https://github.com/center-for-threat-informed-defense/security-stack-mappings">Center
for Threat Informed Defense Security Stack Mappings</a> - Describes
cloud computing platforms (Azure, AWS) built-in detection capabilities
and their mapings to the MITRE ATT&amp;CK framework.</li>
<li><a
href="https://github.com/west-wind/Threat-Hunting-With-Splunk">Detection
Engineering with Splunk</a> - A GitHub repo dedicated to sharing
detection analytics in SPL.</li>
<li><a
href="https://github.com/GoogleCloudPlatform/security-analytics">Google
Cloud Security Analytics</a> - This repository serves as a
community-driven list of sample security analytics for auditing cloud
usage and for detecting threats to your data &amp; workloads in Google
Cloud.</li>
<li><a
href="https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules">KQL
Advanced Hunting Queries &amp; Analytics Rules</a> - A list of endpoint
detections and hunting queries for Microsoft Defender for Endpoint,
Defender For Identity, and Defender For Cloud Apps.</li>
<li><a href="https://detections-digest.rulecheck.io">Detections Digest |
Sergey Polzunov</a> - A newsletter that features updates from many
popular detection content sources listed here.</li>
</ul>
<h2 id="logging-monitoring-data-sources">Logging, Monitoring &amp; Data
Sources</h2>
<ul>
<li><a href="https://www.malwarearchaeology.com/cheat-sheets">Windows
Logging Cheatsheets</a> - Multiple cheatsheets outlined recommendations
for Windows Event logging at various levels of granularity.</li>
<li><a
href="https://github.com/Neo23x0/auditd/blob/master/audit.rules">Linux
auditd Detection Ruleset</a> - Linux auditd ruleset that produces
telemetry required for threat detection use cases.</li>
<li><a
href="https://medium.com/mitre-attack/defining-attack-data-sources-part-i-4c39e581454f">MITRE
ATT&amp;CK Data Sources Blog Post</a> - MITRE describes various data
sources and how they relate to the TTPs found in the MITRE ATT&amp;CK
framework.</li>
<li><a href="https://attack.mitre.org/datasources/">MITRE ATT&amp;CK
Data Sources List</a> - Data source objects added to MITRE ATT&amp;CK as
part of v10.</li>
<li><a
href="https://docs.splunk.com/Documentation/CIM/5.0.0/User/Overview">Splunk
Common Information Model (CIM)</a> - Splunks proprietary model used as
a framework for normalizing security data.</li>
<li><a
href="https://www.elastic.co/guide/en/ecs/current/ecs-getting-started.html">Elastic
Common Schema</a> - Elastics proprietary model used as a framework for
normalizing security data.</li>
<li><a href="https://github.com/ExabeamLabs/CIMLibrary">Exabeam Common
Information Model</a> - Exabeams proprietary model used as a framework
for normalizing security data.</li>
<li><a href="https://schema.ocsf.io/categories?extensions">Open
Cybersecurity Schema Framework (OCSF)</a> - An opensource security data
source and event schema.</li>
<li><a href="https://github.com/logpai/loghub">Loghub</a> - Opensource
and freely available security data sources for research and
testing.</li>
<li><a href="https://github.com/Yelp/elastalert">Elastalert | Yelp</a> -
ElastAlert is a simple framework for alerting on anomalies, spikes, or
other patterns of interest from data in Elasticsearch.</li>
<li><a href="https://github.com/matanolabs/matano">Matano</a> - Open
source cloud-native security lake platform (SIEM alternative) for threat
hunting, Python detections-as-code, and incident response on AWS
🦀.</li>
<li><a
href="https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-schema-tables">Microsoft
XDR Advanced Hunting Schema</a> To help with multi-table queries, you
can use the advanced hunting schema, which includes tables and columns
with event information and details about devices, alerts, identities,
and other entity types.</li>
</ul>
<h2 id="general-resources">General Resources</h2>
<ul>
<li><a
href="https://mitre-attack.github.io/attack-navigator/enterprise/">ATT&amp;CK
Navigator | MITRE</a> - MITREs open-source tool that can be used to
track detection coverage, visibility, and other efforts and their
relationship to the ATT&amp;CK framework.</li>
<li><a href="https://detectionengineering.net">Detection Engineering
Weekly | Zack Allen</a> - A newsletter dedicated to news and how-tos for
Detection Engineering.</li>
<li><a href="https://twitter.com/i/lists/1629936556298436608">Detection
Engineering Twitter List | Zack Allen</a> - A Twitter list of Detection
Engineering thought leaders.</li>
<li><a
href="https://www.mbsecure.nl/blog/2019/5/dettact-mapping-your-blue-team-to-mitre-attack">DETT&amp;CT:
MAPPING YOUR BLUE TEAM TO MITRE ATT&amp;CK™</a> - Outlines a methodology
measuring security data visibility and detection coverage against the
MITRE ATT&amp;CK framework.</li>
<li><a
href="https://github.com/jatrost/awesome-kubernetes-threat-detection">Awesome
Kubernetes (K8s) Threat Detection</a> - Another Awesome List dedicated
to Kubernetes (K8s) threat detection.</li>
<li><a
href="https://github.com/0x4D31/detection-and-response-pipeline">Detection
and Response Pipeline</a> - A list of tools for each component of a
detection and response pipeline which includes real-world examples.</li>
<li><a href="https://lolol.farm">Living Off the Living Off the Land</a>
- A collection of resources for thriving off the land.</li>
<li><a
href="https://podcasts.apple.com/us/podcast/detection-at-scale/id1582584270">Detection
at Scale Podcast | Jack Naglieri</a> - A detection engineering-focused
podcast featuring many thought leaders in the specialization.</li>
<li><a href="https://threats.wiz.io/all-techniques">Cloud Threat
Landscape | Wiz</a> - A cloud detection engineering-focused database,
that lists threat actors known to have compromised cloud environments,
the tools and techniques in their arsenal, and the technologies they
prefer to target.</li>
<li><a
href="https://github.com/inodee/threathunting-spl/blob/master/Splunk%20ES%20Correlation%20Searches%20Best%20Practices%20v1.3.pdf">Splunk
ES Correlation Searches Best Practices | OpsTune</a> - A highly detailed
guide to producing high quality detection content in the Splunk
Enterprise Security app.</li>
<li><a
href="https://cloud.google.com/transform/how-google-does-it-modernizing-threat-detection">How
Google Does It: Making threat detection high-quality, scalable, and
modern | Anton Chuvakin, Tim Nguyen</a> - The team at Google highlights
5 key principles for building a high quality, scalable and modern threat
detection program.</li>
<li><a href="https://www.soc-labs.top/">SOCLabs</a> - A lab for blue
teamers and detection engineers, with real threat data and support for
popular SIEM query languages, enabling hands-on learning and practice in
detection rule writing and threat hunting.</li>
</ul>
<p><a
href="https://github.com/infosecB/awesome-detection-engineering">detectionengineering.md
Github</a></p>
Reference in New Issue View Git Blame Copy Permalink