Awesome Detection Engineering

A curated list of tools and resources for Threat Detection Engineers.

Contents

• Concepts & Frameworks
• Detection Content & Signatures
• Logging, Monitoring & Data Sources
• General Resources

Concepts & Frameworks

• MITRE ATT&CK - The foundational framework of adversary tactics, techniques, and procedures based on real-world observations.
• Alerting and Detection Strategies (ADS) Framework | Palantir - A blueprint for creating and documenting effective detection content.
• Detection Engineering Maturity Matrix | Kyle Bailey - A detailed matrix that serves as a tool to measure the overall maturity of an organization's Detection Engineering program.
• Detection Maturity Level (DML) Model | Ryan Stillions - Defines and describes 8 different levels of an organization's threat detection program maturity.
• The Pyramid of Pain | David J Bianco - A model used to describe various categorizations of indicator's of compromise and their level of effectiveness in detecting threat actors.
• Cyber Kill Chain | Lockheed Martin - Lockheed Martin's framework that outlines the 7 stages commonly observed in a cyber attack.
• MaGMa (Management, Growth and Metrics & Assessment) Use Case Defintion Model - A business-centric approach for defining threat detection use cases.
• Synthetic Adversarial Log Objects (SALO) | Splunk - Synthetic Adversarial Log Objects (SALO) is a framework for the generation of log events without the need for infrastructure or actions to initiate the event that causes a log event.
• The Zen of Security Rules | Justin Ibarra - Outlines 19 aphorisms that serve as universal principles for the creation of high quality detection content.

Detection Content & Signatures

• MITRE Cyber Analytics Repository (CAR) - MITRE's well-maintained repository of detection content.
• CAR Coverage Comparision - A matrix of MITRE ATT&CK technique IDs and links to available Splunk Security Content, Elastic detection rules, Sigma rules, and CAR content.
• Sigma Rules - Sigma's repository of turnkey detection content. Content can be converted for use with most SIEMs.
• Sigma rule converter - An opensource tool that can convert detection content for use with most SIEMs.
• Splunk Security Content - Splunk's open-source and frequently updated detection content that can be tweaked for use in other tools.
• Elastic Detection Rules - Elastic's detection rules written natively for the Elastic SIEM. Can easily be converted for use by other SIEMs using Uncoder.
• Elastic Endpoint Behavioral Rules - Elastic's endpoint behavioral (prevention) rules written in EQL, natively for the Elastic endpoint agent.
• Elastic Yara Signatures - Elastic's YARA signatures, which run on the Elastic endpoint agent.
• Elastic Endpoint Ransomware Artifact - Elastic's ranswomware artifact, which runs on the Elastic endpoint agent.
• Chronicle (GCP) Detection Rules - Chronicle's detection rules written natively for the the Chronicle Platform.
• Exabeam Content Library - Exabeam's out of the box detection content compatible with the Exabeam Common Information Model.
• Panther Labs Detection Rules - Panther Lab's native detection rules.
• AWS GuardDuty Findings - A list of all AWS GuardDuty Findings, their descriptions, and associated data sources.
• GCP Security Command Center Findings - A list of all GCP Security Command Center Findings, their descriptions, and associated data sources.
• Azure Defender for Cloud Security Alerts - A list of all Azure Security for Cloud Alerts, their descriptions, and associated data sources.
• Center for Threat Informed Defense Security Stack Mappings - Describes cloud computing platform's (Azure, AWS) built-in detection capabilities and their mapings to the MITRE ATT&CK framework.
• Detection Engineering with Splunk - A GitHub repo dedicated to sharing detection analytics in SPL.
• Google Cloud Security Analytics - This repository serves as a community-driven list of sample security analytics for auditing cloud usage and for detecting threats to your data & workloads in Google Cloud.
• KQL Advanced Hunting Queries & Analytics Rules - A list of endpoint detections and hunting queries for Microsoft Defender for Endpoint, Defender For Identity, and Defender For Cloud Apps.

Logging, Monitoring & Data Sources

• Windows Logging Cheatsheets - Multiple cheatsheets outlined recommendations for Windows Event logging at various levels of granularity.
• Linux auditd Detection Ruleset - Linux auditd ruleset that produces telemetry required for threat detection use cases.
• MITRE ATT&CK Data Sources Blog Post - MITRE describes various data sources and how they relate to the TTPs found in the MITRE ATT&CK framework.
• MITRE ATT&CK Data Sources List - Data source objects added to MITRE ATT&CK as part of v10.
• Splunk Common Information Model (CIM) - Splunk's proprietary model used as a framework for normalizing security data.
• Elastic Common Schema - Elastic's proprietary model used as a framework for normalizing security data.
• Exabeam Common Information Model - Exabeam's proprietary model used as a framework for normalizing security data.
• Open Cybersecurity Schema Framework (OCSF) - An opensource security data source and event schema.
• Loghub - Opensource and freely available security data sources for research and testing.
• Elastalert | Yelp - ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch.
• Matano - Open source cloud-native security lake platform (SIEM alternative) for threat hunting, Python detections-as-code, and incident response on AWS 🦀.

General Resources

• ATT&CK Navigator | MITRE - MITRE's open-source tool that can be used to track detection coverage, visibility, and other efforts and their relationship to the ATT&CK framework.
• Detection Engineering Weekly | Zack Allen - A newsletter dedicated to news and how-tos for Detection Engineering.
• Detection Engineering Twitter List | Zack Allen - A Twitter list of Detection Engineering thought leaders.
• DETT&CT: MAPPING YOUR BLUE TEAM TO MITRE ATT&CK™ - Outlines a methodology measuring security data visibility and detection coverage against the MITRE ATT&CK framework.
• Awesome Kubernetes (K8s) Threat Detection - Another Awesome List dedicated to Kubernetes (K8s) threat detection.
• Detection and Response Pipeline - A list of tools for each component of a detection and response pipeline which includes real-world examples.
• Living Off the Living Off the Land - A collection of resources for thriving off the land.
• Detection at Scale Podcast | Jack Naglieri - A detection engineering-focused podcast featuring many thought leaders in the specialization.
• Cloud Threat Landscape | Wiz - A cloud detection engineering-focused database, that lists threat actors known to have compromised cloud environments, the tools and techniques in their arsenal, and the technologies they prefer to target.