Awesome Detection Engineering
A curated list of tools and resources for Threat Detection Engineers.
Contents
- Concepts & Frameworks
- Detection Content & Signatures
- Logging, Monitoring & Data Sources
- General Resources
Concepts & Frameworks
- MITRE ATT&CK - The foundational framework of adversary tactics, techniques, and procedures based on real-world observations.
- Alerting and Detection Strategies (ADS) Framework | Palantir - A blueprint for creating and documenting effective detection content.
- Detection Engineering Maturity Matrix | Kyle Bailey - A detailed matrix that serves as a tool to measure the overall maturity of an organization's Detection Engineering program.
- Detection Maturity Level (DML) Model | Ryan Stillions - Defines and describes 8 different levels of an organization's threat detection program maturity.
- The Pyramid of Pain | David J Bianco - A model used to describe various categorizations of indicators of compromise and their level of effectiveness in detecting threat actors.
- Cyber Kill Chain | Lockheed Martin - Lockheed Martin's framework that outlines the 7 stages commonly observed in a cyber attack.
- MaGMa (Management, Growth and Metrics & Assessment) Use Case Definition Model - A business-centric approach for defining threat detection use cases.
- Synthetic Adversarial Log Objects (SALO) | Splunk - Synthetic Adversarial Log Objects (SALO) is a framework for generating log events without needing the infrastructure, or the actions, that would normally produce those events.
- The Zen of Security Rules | Justin Ibarra - Outlines 19 aphorisms that serve as universal principles for the creation of high quality detection content.
Detection Content & Signatures
- MITRE Cyber Analytics Repository (CAR) - MITRE's well-maintained repository of detection content.
- CAR Coverage Comparison - A matrix of MITRE ATT&CK technique IDs and links to available Splunk Security Content, Elastic detection rules, Sigma rules, and CAR content.
- Sigma Rules - Sigma's repository of turnkey detection content. Content can be converted for use with most SIEMs.
- Sigma rule converter - An open-source tool that can convert detection content for use with most SIEMs.
- Splunk Security Content - Splunk's open-source and frequently updated detection content that can be tweaked for use in other tools.
- Elastic Detection Rules - Elastic's detection rules written natively for the Elastic SIEM. Can easily be converted for use by other SIEMs using Uncoder.
- Elastic Endpoint Behavioral Rules - Elastic's endpoint behavioral (prevention) rules written in EQL, natively for the Elastic endpoint agent.
- Elastic Yara Signatures - Elastic's YARA signatures, which run on the Elastic endpoint agent.
- Elastic Endpoint Ransomware Artifact - Elastic's ransomware artifact, which runs on the Elastic endpoint agent.
- Chronicle (GCP) Detection Rules - Chronicle's detection rules written natively for the Chronicle Platform.
- Exabeam Content Library - Exabeam's out of the box detection content compatible with the Exabeam Common Information Model.
- Panther Labs Detection Rules - Panther Labs' native detection rules.
- AWS GuardDuty Findings - A list of all AWS GuardDuty Findings, their descriptions, and associated data sources.
- GCP Security Command Center Findings - A list of all GCP Security Command Center Findings, their descriptions, and associated data sources.
- Azure Defender for Cloud Security Alerts - A list of all Azure Defender for Cloud security alerts, their descriptions, and associated data sources.
- Center for Threat Informed Defense Security Stack Mappings - Describes cloud computing platforms' (Azure, AWS) built-in detection capabilities and their mappings to the MITRE ATT&CK framework.
- Detection Engineering with Splunk - A GitHub repo dedicated to sharing detection analytics in SPL.
- Google Cloud Security Analytics - This repository serves as a community-driven list of sample security analytics for auditing cloud usage and for detecting threats to your data & workloads in Google Cloud.
- KQL Advanced Hunting Queries & Analytics Rules - A list of endpoint detections and hunting queries for Microsoft Defender for Endpoint, Defender For Identity, and Defender For Cloud Apps.
Logging, Monitoring & Data Sources
- Windows Logging Cheatsheets - Multiple cheatsheets outlining recommendations for Windows Event logging at various levels of granularity.
- Linux auditd Detection Ruleset - Linux auditd ruleset that produces telemetry required for threat detection use cases.
- MITRE ATT&CK Data Sources Blog Post - MITRE describes various data sources and how they relate to the TTPs found in the MITRE ATT&CK framework.
- MITRE ATT&CK Data Sources List - Data source objects added to MITRE ATT&CK as part of v10.
- Splunk Common Information Model (CIM) - Splunk's proprietary model used as a framework for normalizing security data.
- Elastic Common Schema - Elastic's proprietary model used as a framework for normalizing security data.
- Exabeam Common Information Model - Exabeam's proprietary model used as a framework for normalizing security data.
- Open Cybersecurity Schema Framework (OCSF) - An open-source security data source and event schema.
- Loghub - Open-source and freely available security data sources for research and testing.
- Elastalert | Yelp - ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch.
- Matano - Open source cloud-native security lake platform (SIEM alternative) for threat hunting, Python detections-as-code, and incident response on AWS 🦀.
General Resources
- ATT&CK Navigator | MITRE - MITRE's open-source tool that can be used to track detection coverage, visibility, and other efforts and their relationship to the ATT&CK framework.
- Detection Engineering Weekly | Zack Allen - A newsletter dedicated to news and how-tos for Detection Engineering.
- Detection Engineering Twitter List | Zack Allen - A Twitter list of Detection Engineering thought leaders.
- DETT&CT: MAPPING YOUR BLUE TEAM TO MITRE ATT&CK™ - Outlines a methodology for measuring security data visibility and detection coverage against the MITRE ATT&CK framework.
- Awesome Kubernetes (K8s) Threat Detection - Another Awesome List dedicated to Kubernetes (K8s) threat detection.
- Detection and Response Pipeline - A list of tools for each component of a detection and response pipeline which includes real-world examples.
- Living Off the Living Off the Land - A collection of resources for thriving off the land.
- Detection at Scale Podcast | Jack Naglieri - A detection engineering-focused podcast featuring many thought leaders in the specialization.
- Cloud Threat Landscape | Wiz - A cloud detection engineering-focused database that lists threat actors known to have compromised cloud environments, the tools and techniques in their arsenal, and the technologies they prefer to target.