Awesome Detection Engineering

A curated list of tools and resources for Threat Detection Engineers.

Contents

• Concepts & Frameworks
• Signatures & Content
• Logging, Monitoring & Data Sources
• General Resources
• Blog Archive

Concepts & Frameworks

• MITRE ATT&CK - The foundational framework of adversary tactics, techniques, and procedures based on real-world observations.
• Alerting and Detection Strategies (ADS) Framework | Palantir - A blueprint for creating and documenting effective detection content.
• Detection Engineering Maturity Matrix | Kyle Bailey - A detailed matrix that serves as a tool to measure the overall maturity of an organization's Detection Engineering program.
• Detection Maturity Level (DML) Model | Ryan Stillions - Defines and describes 8 different levels of an organization's threat detection program maturity.
• The Pyramid of Pain | David J Bianco - A model used to describe various categorizations of indicator's of compromise and their level of effectiveness in detecting threat actors.
• Cyber Kill Chain | Lockheed Martin - Lockheed Martin's framework that outlines the 7 stages commonly observed in a cyber attack.
• MaGMa (Management, Growth and Metrics & Assessment) Use Case Defintion Model - A business-centric approach for defining threat detection use cases.

Detection Content & Signatures

• MITRE Cyber Analytics Repository (CAR) - MITRE's well-maintained repository of detection content.
• CAR Coverage Comparision - A matrix of MITRE ATT&CK technique IDs and links to available Splunk Security Content, Elastic detection rules, Sigma rules, and CAR content.
• Sigma Rules - Sigma's repository of turnkey detection content. Content can be converted for use with most SIEMs.
• Uncoder Rule Converter - A tool that can convert detection content for use with most SIEMs.
• Splunk Security Content - Splunk's open-source and frequently updated detection content that can be tweaked for use in other tools.
• Elastic Detection Rules - Elastic's detection rules written natively for the Elastic SIEM. Can easily be converted for use by other SIEMs using Uncoder.
• AWS GuardDuty Findings - A list of all AWS GuardDuty Findings, their descriptions, and associated data sources.
• GCP Security Command Center Findings - A list of all GCP Security Command Center Findings, their descriptions, and associated data sources.
• Azure Defender for Cloud Security Alerts - A list of all Azure Security for Cloud Alerts, their descriptions, and associated data sources.
• Center for Threat Informed Defense Security Stack Mappings - Describes cloud computing platform's (Azure, AWS) built-in detection capabilities and their mapings to the MITRE ATT&CK framework.

Logging, Monitoring & Data Sources

• Windows Logging Cheatsheets - Multiple cheatsheets outlined recommendations for Windows Event logging at various levels of granularity.
• Linux auditd Detection Ruleset - Linux auditd ruleset that produces telemetry required for threat detection use cases.
• MITRE ATT&CK Data Sources Blog Post - MITRE describes various data sources and how they relate to the TTPs found in the MITRE ATT&CK framework.
• MITRE ATT&CK Data Sources List - Data source objects added to MITRE ATT&CK as part of v10.
• Splunk Common Information Model (CIM) - Splunk's proprietary model used as a framework for normalizing security data.
• Elastic Common Schema - Elastic's proprietary model used as a framework for normalizing security data.
• Open Cybersecurity Schema Framework (OCSF) - An opensource security data source and event schema.
• Loghub - opensource and freely available security data sources for research and testing.

General Resources

• ATT&CK Navigator - MITRE's open-source tool that can be used to track detection coverage, visibility, and other efforts and their relationship to the ATT&CK framework.
• Detection Engineering Twitter List - A Twitter list of Detection Engineers.
• DETT&CT: MAPPING YOUR BLUE TEAM TO MITRE ATT&CK™

Blog Archive

2022

• CI/CD Detection Engineering: Dockerizing for Scale, Part 4 | Splunk Research Team
• Capturing Detection Ideas to Improve Their Impact | Florian Roth
• About Detection Engineering | Florian Roth
• How to Write an Actionable Alert | Daniel Wyleczuk-Stern
• Democratizing Security Detection | Palantir

2021

• Detection-as-Code — Testing | Kyle Bailey
• Practical Detection-as-Code | Brendan Chamberlain
• Simple Anomaly Detection Using Plain SQL | Haki Benita

2020

• Detection Engineering using Apple’s Endpoint Security Framework | Richie Cyrus
• So, You Want to Be a Detection Engineer? | Josh Day

Older

• CI/CD Detection Engineering: Splunk's Security Content, Part 1 Splunk's Attack Range, Part 2 Failing, Part 3 | José Enrique Hernandez - A three part blog series loosely describing how to deploy detection as code in a Splunk environment using the Splunk Security Research team's Security Content.
• Behind the Scenes with Red Canary’s Detection Engineering Team | Kyle Rainey
• A SOCless Detection Team at Netflix
• The Four Types of Threat Detection | Sergio Caltagirone, Robert Lee
• Lessons Learned in Detection Engineering | Ryan McGeehan - A well experienced detection engineer describes in detail his observations, challenges, and recommendations for building an effective threat detection program.