A hands-on repository for implementing Detection as Code. This repo demonstrates building, testing, and deploying security detections using a CI/CD pipeline, making detection engineering repeatable, reliable, and automated.
- Detection as Code: Treat your detection rules like software, with version control and automated testing.
- CI/CD Pipeline: Automate validation, testing, and deployment of detection rules.
- Detection Rules: Ready-to-use templates for common attack patterns and suspicious behaviours.
- Testing Frameworks: Simulate events and validate detection logic before deployment.
- Observability Integration: Connect detections to SIEMs, log pipelines, and monitoring platforms.
- Workflow Best Practices: Guidance for scalable and maintainable detection engineering.
1. Clone the repository

   ```bash
   git clone https://github.com/jaamaal/detection-lab.git
   cd detection-lab
   ```

2. Install dependencies (include instructions for Python, Node.js, or any runtime required.)

3. Run the examples

   ```bash
   python examples/test_detection.py
   ```

4. Add your own detections: follow the templates in `/rules` to create new detection logic.
- Write detection rules as code.
- Commit changes to the repository.
- CI/CD pipeline automatically runs tests and validation.
- Deploy tested detections to your monitoring or SIEM environment.
- Monitor alerts and iterate on rules as needed.
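The workflow above, and the "simulate events and validate detection logic" idea from the feature list, in one runnable illustration: a rule expressed as code, the schema validation a CI stage would run on it, and a test that replays sample events through the rule before anything is deployed. This is an added example, not the detection-lab repository's own templates or `examples/test_detection.py`; the event fields, rule schema, thresholds and sample events are all constructed assumptions.

```python
"""Added example (not the repository's code): a Detection-as-Code rule, its
CI-style validation, and a replay test over constructed sample events."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, object]
Alert = Dict[str, object]

SEVERITIES = ("low", "medium", "high", "critical")  # assumed allowed values


@dataclass
class RuleTest:
    """A replay test shipped with the rule: events in, expected alert count out."""
    name: str
    events: List[Event]
    expected_alerts: int


@dataclass
class Rule:
    """Assumed rule schema: metadata plus a detect() function over an event list."""
    id: str
    title: str
    severity: str
    detect: Callable[[List[Event]], List[Alert]]
    tags: List[str] = field(default_factory=list)
    tests: List[RuleTest] = field(default_factory=list)


def validate_rule(rule: Rule) -> List[str]:
    """Validation stage: return a list of problems (empty means the rule passes)."""
    problems: List[str] = []
    if not rule.id:
        problems.append("rule id is empty")
    if not rule.title:
        problems.append("rule title is empty")
    if rule.severity not in SEVERITIES:
        problems.append(f"unknown severity {rule.severity!r}")
    if not rule.tests:
        problems.append("rule has no replay tests")
    return problems


def detect_failed_logons_then_success(events: List[Event], threshold: int = 3) -> List[Alert]:
    """Alert when a source IP logs on successfully after `threshold` or more
    failed logons since its last success. Threshold is an assumption for the
    example; events are processed in the order given."""
    failures: Dict[str, int] = defaultdict(int)
    alerts: List[Alert] = []
    for e in events:
        if e.get("event") != "logon":
            continue
        src = str(e.get("src_ip"))
        if e.get("outcome") == "failure":
            failures[src] += 1
        elif e.get("outcome") == "success":
            if failures[src] >= threshold:
                alerts.append({"src_ip": src, "user": e.get("user"),
                               "failure_count": failures[src], "ts": e.get("ts")})
            failures[src] = 0  # a success resets the counter for that source
    return alerts


def evaluate(rule: Rule, events: List[Event]) -> List[Alert]:
    """Run one rule over events and stamp each alert with the rule's metadata."""
    return [dict(a, rule_id=rule.id, severity=rule.severity) for a in rule.detect(events)]


# Constructed sample events (not real telemetry). 10.0.0.5 fails three times
# then succeeds; 10.0.0.9 fails once then succeeds; a later success from
# 10.0.0.5 follows no failures and must not alert.
SAMPLE_EVENTS: List[Event] = [
    {"ts": "2024-01-01T10:00:00Z", "event": "logon", "src_ip": "10.0.0.5", "user": "alice", "outcome": "failure"},
    {"ts": "2024-01-01T10:00:02Z", "event": "logon", "src_ip": "10.0.0.9", "user": "bob", "outcome": "failure"},
    {"ts": "2024-01-01T10:00:03Z", "event": "logon", "src_ip": "10.0.0.5", "user": "alice", "outcome": "failure"},
    {"ts": "2024-01-01T10:00:05Z", "event": "logon", "src_ip": "10.0.0.9", "user": "bob", "outcome": "success"},
    {"ts": "2024-01-01T10:00:06Z", "event": "logon", "src_ip": "10.0.0.5", "user": "alice", "outcome": "failure"},
    {"ts": "2024-01-01T10:00:09Z", "event": "logon", "src_ip": "10.0.0.5", "user": "alice", "outcome": "success"},
    {"ts": "2024-01-01T10:05:00Z", "event": "process", "src_ip": "10.0.0.5", "image": "notepad.exe"},
    {"ts": "2024-01-01T10:06:00Z", "event": "logon", "src_ip": "10.0.0.5", "user": "alice", "outcome": "success"},
]

RULE = Rule(
    id="AUTH-001",  # constructed identifier
    title="Successful logon after repeated failures",
    severity="high",
    detect=detect_failed_logons_then_success,
    tags=["authentication"],
    tests=[
        RuleTest("three failures then success alerts once", SAMPLE_EVENTS, 1),
        RuleTest("below threshold stays silent", SAMPLE_EVENTS[:4], 0),
    ],
)


def run_ci_checks(rules: List[Rule]) -> bool:
    """What the pipeline runs on every commit: validate each rule's schema, then
    replay its tests and compare alert counts. Returns True only if all pass."""
    ok = True
    for rule in rules:
        for problem in validate_rule(rule):
            print(f"[FAIL] {rule.id or '<no id>'}: {problem}")
            ok = False
        for t in rule.tests:
            got = len(evaluate(rule, t.events))
            status = "PASS" if got == t.expected_alerts else "FAIL"
            ok = ok and status == "PASS"
            print(f"[{status}] {rule.id} / {t.name}: expected {t.expected_alerts}, got {got}")
    return ok


if __name__ == "__main__":
    raise SystemExit(0 if run_ci_checks([RULE]) else 1)
```

Running the file exits non-zero when a rule fails validation or a replay test, which is what lets a CI job block the deploy step for a broken rule; adding a new rule means adding its `RuleTest` cases alongside the detection logic, so the expected behaviour is versioned with the rule itself.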
We welcome contributions! To contribute:
- Fork the repo
- Create a feature branch (`git checkout -b feature-name`)
- Submit a pull request with a clear description and test coverage
This project is licensed under the MIT License. See the LICENSE file for details.