awesome-detection-engineering

Detection frameworks

A curated list of resources and frameworks for designing, implementing, and optimizing detection controls in cybersecurity defense programs

Detection Engineering is a tactical function of a cybersecurity defense program that involves the design, implementation, and operation of detective controls with the goal of proactively identifying malicious or unauthorized activity before it negatively impacts an individual or an organization.


Awesome Detection Engineering / Concepts & Frameworks

MITRE ATT&CK - The foundational framework of adversary tactics, techniques, and procedures based on real-world observations
Alerting and Detection Strategies (ADS) Framework | Palantir - A blueprint for creating and documenting effective detection content
Detection Engineering Maturity Matrix | Kyle Bailey - A detailed matrix that serves as a tool to measure the overall maturity of an organization's Detection Engineering program
Detection Maturity Level (DML) Model | Ryan Stillions - Defines and describes 8 different levels of an organization's threat detection program maturity
The Pyramid of Pain | David J Bianco - A model used to describe various categorizations of indicators of compromise and their level of effectiveness in detecting threat actors
Cyber Kill Chain | Lockheed Martin - Lockheed Martin's framework that outlines the 7 stages commonly observed in a cyber attack
MaGMa (Management, Growth and Metrics & Assessment) Use Case Definition Model - A business-centric approach for defining threat detection use cases
Synthetic Adversarial Log Objects (SALO) | Splunk - A framework for generating log events without the need for infrastructure or for performing the actions that would normally cause those events
The Zen of Security Rules | Justin Ibarra - Outlines 19 aphorisms that serve as universal principles for the creation of high-quality detection content
Blue-team-as-Code - the Spiral of Joy | Den Iuzvyk, Oleg Kolesnikov - Blue-Team-as-Code: Lessons From Real-world Red Team Detection Automation Using Logs
Detection Development Lifecycle | Haider Dost et al. - Snowflake's implementation of the Detection Development Lifecycle
Threat Detection Maturity Framework | Haider Dost of Snowflake - A maturity matrix to measure the success of your threat detection program
Elastic's Detection Engineering Behavior Maturity Model - Elastic's qualitative and quantitative approach to measuring threat detection program maturity
Prioritizing Detection Engineering | Ryan McGeehan - A longtime detection engineer outlines how a detection engineering program should be built from the ground up

Awesome Detection Engineering / Detection Content & Signatures

MITRE Cyber Analytics Repository (CAR) - MITRE's well-maintained repository of detection content
CAR Coverage Comparison - A matrix of MITRE ATT&CK technique IDs and links to available Splunk Security Content, Elastic detection rules, Sigma rules, and CAR content
Sigma Rules - Sigma's repository of turnkey detection content. Content can be converted for use with most SIEMs
Sigma rule converter - An open-source tool that can convert detection content for use with most SIEMs
Splunk Security Content - Splunk's open-source and frequently updated detection content that can be tweaked for use in other tools
Elastic Detection Rules - Elastic's detection rules written natively for the Elastic SIEM. Can easily be converted for use by other SIEMs using Uncoder
Elastic Endpoint Behavioral Rules - Elastic's endpoint behavioral (prevention) rules written in EQL, natively for the Elastic endpoint agent
Elastic Yara Signatures - Elastic's YARA signatures, which run on the Elastic endpoint agent
Elastic Endpoint Ransomware Artifact - Elastic's ransomware artifact, which runs on the Elastic endpoint agent
Chronicle (GCP) Detection Rules - Chronicle's detection rules written natively for the Chronicle Platform
Exabeam Content Library - Exabeam's out-of-the-box detection content compatible with the Exabeam Common Information Model
Panther Labs Detection Rules - Panther Labs' native detection rules
Anvilogic Detection Armory - Anvilogic's open-source and publicly available detection content
AWS GuardDuty Findings - A list of all AWS GuardDuty Findings, their descriptions, and associated data sources
GCP Security Command Center Findings - A list of all GCP Security Command Center Findings, their descriptions, and associated data sources
Azure Defender for Cloud Security Alerts - A list of all Azure Defender for Cloud Alerts, their descriptions, and associated data sources
Center for Threat Informed Defense Security Stack Mappings - Describes cloud computing platforms' (Azure, AWS) built-in detection capabilities and their mappings to the MITRE ATT&CK framework
Detection Engineering with Splunk - A GitHub repo dedicated to sharing detection analytics in SPL
Google Cloud Security Analytics - A community-driven list of sample security analytics for auditing cloud usage and for detecting threats to your data and workloads in Google Cloud
KQL Advanced Hunting Queries & Analytics Rules - A list of endpoint detections and hunting queries for Microsoft Defender for Endpoint, Defender for Identity, and Defender for Cloud Apps

Awesome Detection Engineering / Logging, Monitoring & Data Sources

Windows Logging Cheatsheets - Multiple cheatsheets outlining recommendations for Windows Event logging at various levels of granularity
Linux auditd Detection Ruleset - Linux auditd ruleset that produces the telemetry required for threat detection use cases
MITRE ATT&CK Data Sources Blog Post - MITRE describes various data sources and how they relate to the TTPs found in the MITRE ATT&CK framework
MITRE ATT&CK Data Sources List - Data source objects added to MITRE ATT&CK as part of v10
Splunk Common Information Model (CIM) - Splunk's proprietary model used as a framework for normalizing security data
Elastic Common Schema - Elastic's proprietary model used as a framework for normalizing security data
Exabeam Common Information Model - Exabeam's proprietary model used as a framework for normalizing security data
Open Cybersecurity Schema Framework (OCSF) - An open-source security data source and event schema
Loghub - Open-source and freely available security data sources for research and testing
Elastalert | Yelp - ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch
Matano - Open-source cloud-native security lake platform (SIEM alternative) for threat hunting, Python detections-as-code, and incident response on AWS
Microsoft XDR Advanced Hunting Schema - Documents the advanced hunting schema used for multi-table queries, including tables and columns with event information and details about devices, alerts, identities, and other entity types

Awesome Detection Engineering / General Resources

ATT&CK Navigator | MITRE - MITRE's open-source tool that can be used to track detection coverage, visibility, and other efforts and their relationship to the ATT&CK framework
Detection Engineering Weekly | Zack Allen - A newsletter dedicated to news and how-tos for Detection Engineering
Detection Engineering Twitter List | Zack Allen - A Twitter list of Detection Engineering thought leaders
DETT&CT: Mapping Your Blue Team to MITRE ATT&CK - Outlines a methodology for measuring security data visibility and detection coverage against the MITRE ATT&CK framework
Awesome Kubernetes (K8s) Threat Detection - Another Awesome List dedicated to Kubernetes (K8s) threat detection
Detection and Response Pipeline - A list of tools for each component of a detection and response pipeline, including real-world examples
Living Off the Living Off the Land - A collection of resources for thriving off the land
Detection at Scale Podcast | Jack Naglieri - A detection engineering-focused podcast featuring many thought leaders in the specialization
Cloud Threat Landscape | Wiz - A cloud detection engineering-focused database that lists threat actors known to have compromised cloud environments, the tools and techniques in their arsenal, and the technologies they prefer to target
Splunk ES Correlation Searches Best Practices | OpsTune - A highly detailed guide to producing high-quality detection content in the Splunk Enterprise Security app
