Awesome Detection Engineering
Detection Engineering is a tactical function of a cybersecurity defense program that involves the design, implementation, and operation of detective controls with the goal of proactively identifying malicious or unauthorized activity before it negatively impacts an individual or an organization.
All contributions are welcome; please carefully review the contributing guidelines prior to submitting a pull request.
Contents
- Concepts & Frameworks
- Detection Content & Signatures
- Logging, Monitoring & Data Sources
- General Resources
Concepts & Frameworks
- MITRE ATT&CK - The foundational framework of adversary tactics, techniques, and procedures based on real-world observations.
- Alerting and Detection Strategies (ADS) Framework | Palantir - A blueprint for creating and documenting effective detection content.
- Detection Engineering Maturity Matrix | Kyle Bailey - A detailed matrix that serves as a tool to measure the overall maturity of an organization's Detection Engineering program.
- Detection Maturity Level (DML) Model | Ryan Stillions - Defines and describes 8 different levels of an organization's threat detection program maturity.
- The Pyramid of Pain | David J Bianco - A model used to describe various categorizations of indicators of compromise and their level of effectiveness in detecting threat actors.
- Cyber Kill Chain | Lockheed Martin - Lockheed Martin's framework that outlines the 7 stages commonly observed in a cyber attack.
- MaGMa (Management, Growth and Metrics & Assessment) Use Case Definition Model - A business-centric approach for defining threat detection use cases.
- Synthetic Adversarial Log Objects (SALO) | Splunk - A framework for generating log events without the need for the infrastructure or the actions that would normally produce those events.
- The Zen of Security Rules | Justin Ibarra - Outlines 19 aphorisms that serve as universal principles for the creation of high quality detection content.
- Blue-team-as-Code - the Spiral of Joy | Den Iuzvyk, Oleg Kolesnikov - Blue-Team-as-Code: Lessons From Real-world Red Team Detection Automation Using Logs.
- Detection Development Lifecycle | Haider Dost et al. - Snowflake’s implementation of the Detection Development Lifecycle.
- Threat Detection Maturity Framework | Haider Dost of Snowflake - A maturity matrix to measure the success of your threat detection program.
- Elastic's Detection Engineering Behavior Maturity Model - Elastic's qualitative and quantitative approach to measuring threat detection program maturity.
- Prioritizing Detection Engineering | Ryan McGeehan - A longtime detection engineer outlines how a detection engineering program should be built from the ground up.
- Detection Engineering Field Manual | Zack Allen - a series of posts exploring the various foundational components of Detection Engineering.
- Open Threat Informed Detection Engineering aka OpenTide - An all-in-one Detection Engineering Operations framework created and maintained by the European Commission to convert your CTI into an actionable detection coverage graph combining threat vectors with detection objectives, and to manage your entire detection library from a central repository with a detection-as-code deployment system. The OpenTide format aims at measuring and expanding detection coverage, and its rule deployment engine is fully extensible and supports multiple platforms in parallel (leveraging each technology's features and native query language). OpenTide works both within a single DE team as a main framework, and across a SOC as a common format to facilitate data interchange.
Detection Content & Signatures
- Rulehound - An index of publicly available and open-source threat detection rulesets.