A curated list of tools and resources for Threat Detection Engineers.
- Concepts & Frameworks
- Detection Content & Signatures
- Logging, Monitoring & Data Sources
- General Resources
- Blog Archive
## Concepts & Frameworks
- MITRE ATT&CK - The foundational framework of adversary tactics, techniques, and procedures based on real-world observations.
- Alerting and Detection Strategies (ADS) Framework | Palantir - A blueprint for creating and documenting effective detection content.
- Detection Engineering Maturity Matrix | Kyle Bailey - A detailed matrix that serves as a tool to measure the overall maturity of an organization's Detection Engineering program.
- Detection Maturity Level (DML) Model | Ryan Stillions - Defines and describes 8 different levels of an organization's threat detection program maturity.
- The Pyramid of Pain | David J Bianco - A model that categorizes indicators of compromise by how much it costs an adversary when each type is detected and denied, and therefore how effective each type is for detecting threat actors.
- Cyber Kill Chain | Lockheed Martin - Lockheed Martin's framework that outlines the 7 stages commonly observed in a cyber attack.
- MaGMa (Management, Growth and Metrics & Assessment) Use Case Definition Model - A business-centric approach for defining threat detection use cases.
- Synthetic Adversarial Log Objects (SALO) | Splunk - A framework for generating log events synthetically, without needing the infrastructure, or the adversary actions, that would normally produce those events.
## Detection Content & Signatures
- MITRE Cyber Analytics Repository (CAR) - MITRE's well-maintained repository of detection content.
- CAR Coverage Comparison - A matrix of MITRE ATT&CK technique IDs and links to available Splunk Security Content, Elastic detection rules, Sigma rules, and CAR content.
- Sigma Rules - Sigma's repository of turnkey detection content. Content can be converted for use with most SIEMs.
- Uncoder Rule Converter - A tool that can convert detection content for use with most SIEMs.
- Splunk Security Content - Splunk's open-source and frequently updated detection content that can be tweaked for use in other tools.
- Elastic Detection Rules - Elastic's detection rules written natively for the Elastic SIEM. Can easily be converted for use by other SIEMs using Uncoder.
- Elastic Endpoint Behavioral Rules - Elastic's endpoint behavioral (prevention) rules written in EQL, natively for the Elastic endpoint agent.
- Elastic Yara Signatures - Elastic's YARA signatures, which run on the Elastic endpoint agent.
- Elastic Endpoint Ransomware Artifact - Elastic's ransomware artifact, which runs on the Elastic endpoint agent.
- Chronicle (GCP) Detection Rules - Chronicle's detection rules written natively for the Chronicle platform.
- Exabeam Content Library - Exabeam's out-of-the-box detection content, compatible with the Exabeam Common Information Model.
- AWS GuardDuty Findings - A list of all AWS GuardDuty Findings, their descriptions, and associated data sources.
- GCP Security Command Center Findings - A list of all GCP Security Command Center Findings, their descriptions, and associated data sources.
- Azure Defender for Cloud Security Alerts - A list of all Azure Defender for Cloud alerts, their descriptions, and associated data sources.
- Center for Threat Informed Defense Security Stack Mappings - Describes the built-in detection capabilities of cloud computing platforms (Azure, AWS) and their mappings to the MITRE ATT&CK framework.
- Detection Engineering with Splunk - A GitHub repo dedicated to sharing detection analytics in SPL.
- Google Cloud Security Analytics - This repository serves as a community-driven list of sample security analytics for auditing cloud usage and for detecting threats to your data & workloads in Google Cloud.
- KQL Advanced Hunting Queries & Analytics Rules - A list of endpoint detections and hunting queries for Microsoft Defender for Endpoint, Defender For Identity, and Defender For Cloud Apps.
## Logging, Monitoring & Data Sources
- Windows Logging Cheatsheets - Multiple cheatsheets outlining recommendations for Windows event logging at various levels of granularity.
- Linux auditd Detection Ruleset - Linux auditd ruleset that produces telemetry required for threat detection use cases.
- MITRE ATT&CK Data Sources Blog Post - MITRE describes various data sources and how they relate to the TTPs found in the MITRE ATT&CK framework.
- MITRE ATT&CK Data Sources List - Data source objects added to MITRE ATT&CK as part of v10.
- Splunk Common Information Model (CIM) - Splunk's proprietary model used as a framework for normalizing security data.
- Elastic Common Schema - Elastic's proprietary model used as a framework for normalizing security data.
- Exabeam Common Information Model - Exabeam's proprietary model used as a framework for normalizing security data.
- Open Cybersecurity Schema Framework (OCSF) - An open-source security data source and event schema.
- Loghub - Open-source and freely available security data sources for research and testing.
## General Resources
- Elastalert | Yelp - ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch.
- Matano - Open source cloud-native security lake platform (SIEM alternative) for threat hunting, Python detections-as-code, and incident response on AWS 🦀.
- ATT&CK Navigator | MITRE - MITRE's open-source tool that can be used to track detection coverage, visibility, and other efforts and their relationship to the ATT&CK framework.
- Detection Engineering Weekly | Zack Allen - A newsletter dedicated to news and how-tos for Detection Engineering.
- Detection Engineering Twitter List | Zack Allen - A Twitter list of Detection Engineering thought leaders.
- DETT&CT: MAPPING YOUR BLUE TEAM TO MITRE ATT&CK™
- Awesome Kubernetes (K8s) Threat Detection - Another Awesome List dedicated to Kubernetes (K8s) threat detection.
- Living Off the Living Off the Land - A collection of resources for thriving off the land.
## Blog Archive
- Table stakes for Detection Engineering | Zack Allen
- Building the Threat Detection Ecosystem at Brex | Julie Agnes Sparks
- Leveraging the Apple ESF for Behavioral Detections | Jaron Bradley, Matt Benyo
- CI/CD Detection Engineering: Dockerizing for Scale, Part 4 | Splunk Research Team
- Capturing Detection Ideas to Improve Their Impact | Florian Roth
- About Detection Engineering | Florian Roth
- How to Write an Actionable Alert | Daniel Wyleczuk-Stern
- Democratizing Security Detection | Palantir
- Detection-as-Code — Testing | Kyle Bailey
- Practical Detection-as-Code | Brendan Chamberlain
- Simple Anomaly Detection Using Plain SQL | Haki Benita
- Detection Engineering: Defending Networks with Purpose | Peter Di Giorgio
- Detection Engineering using Apple's Endpoint Security Framework | Richie Cyrus
- So, You Want to Be a Detection Engineer? | Josh Day
- CI/CD Detection Engineering: Splunk's Security Content (Part 1), Splunk's Attack Range (Part 2), Failing (Part 3) | José Enrique Hernandez - A three-part blog series loosely describing how to deploy detection as code in a Splunk environment using the Splunk Security Research team's Security Content.
- Behind the Scenes with Red Canary's Detection Engineering Team | Kyle Rainey
- A SOCless Detection Team at Netflix
- The Four Types of Threat Detection | Sergio Caltagirone, Robert Lee
- Lessons Learned in Detection Engineering | Ryan McGeehan - An experienced detection engineer describes in detail his observations, challenges, and recommendations for building an effective threat detection program.