awesome-detection-engineering

Palantir - A blueprint for creating and documenting effective detection content.

Den Iuzvyk, Oleg Kolesnikov - Blue-Team-as-Code: Lessons From Real-world Red Team Detection Automation Using Logs.

Lockheed Martin - Lockheed Martin's framework that outlines the 7 stages commonly observed in a cyber attack.

Haider Dost et al. - Snowflake’s implementation of the Detection Development Lifecycle.

Brendan Chamberlain - A community framework with four maturity levels across ten dimensions for assessing how organizations apply AI and LLMs across a detection engineering program, from foundations through the detection lifecycle.

Zack Allen - a series of posts exploring the various foundational components of Detection Engineering.

Anvilogic's opensource and publicly available detection content.

Mapping of open-source detection rules and atomic tests.

A list of all AWS GuardDuty Findings, their descriptions, and associated data sources.

A list of all Azure Security for Cloud Alerts, their descriptions, and associated data sources.

A matrix of MITRE ATT&CK technique IDs and links to available Splunk Security Content, Elastic detection rules, Sigma rules, and CAR content.

Describes cloud computing platform's (Azure, AWS) built-in detection capabilities and their mapings to the MITRE ATT&CK framework.

MITRE - MITRE's open-source tool that can be used to track detection coverage, visibility, and other efforts and their relationship to the ATT&CK framework.

Another Awesome List dedicated to Kubernetes (K8s) threat detection.

Wiz - A cloud detection engineering-focused database, that lists threat actors known to have compromised cloud environments, the tools and techniques in their arsenal, and the technologies they prefer to target.

A list of tools for each component of a detection and response pipeline which includes real-world examples.

Jack Naglieri - A detection engineering-focused podcast featuring many thought leaders in the specialization.

Zack Allen - A Twitter list of Detection Engineering thought leaders.

Yelp - ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch.

Elastic's proprietary model used as a framework for normalizing security data.

Exabeam's proprietary model used as a framework for normalizing security data.

Autonomous security agent for Linux with real-time threat detection and response via 38 eBPF hooks, 48 detectors, and 23 correlation rules.

Linux auditd ruleset that produces telemetry required for threat detection use cases.

Opensource and freely available security data sources for research and testing.