Awesome Detection Engineer

Online resources for Detection Engineers. Detection rules, detection logic, attack samples, detection tests and emulation tools, logging configuration and best practices, event log references, resources, labs, data manipulation online tools, blogs, newsletters, good reads, books, trainings, podcasts, videos and twitter/x accounts. The repo generates a bookmark file for easy import to your browser.

Resources are tailored as much as possible to the role of the detection engineer and not the field of cyber security in general.

Contributions are welcome!

Contents

• Detection Rules - Online databases with detection rules.
• Detection Logic - Resources with detection logic.
• Attack Samples - Attack samples, useful for replaying attacks and testing detection logic.
• Detection Tests and Emulation Tools - Tools and tests for testing detection logic and emulating attacks.
• Logging Configuration and Best Practices - Guidelines on configuring and optimizing logging.
• Event Log References - Vendor documentation and references for event logs.
• Resources - Useful resources for detection engineers.
• Labs - Labs for detection engineers.
• Data Manipulation Online Tools - Useful online tools for detection engineer's day-to-day.
• Blogs - Blogs that regularly release detection engineering-related content.
• Newsletters - Newsletters with updates on detection engineering.
• Good Reads - Noteworthy blog posts related to detection engineering.
• Books - Books on detection engineering.
• Trainings - Available trainings focused on detection engineering.
• Podcasts - Podcasts focused on detection engineering.
• Videos - Videos focused on detection engineering.
• Conferences - Conferences focused on detection engineering.
• Twitter/X - Relevant Twitter/X accounts.

Detection Rules

• Sigma Rules - Huge collection of detection rules from SIGMA HQ.
• Elastic Rules, Elastic Detection Rules Explorer or Elastic Rules GitHub Repository- Elastic's detection rules.
• Elastic Security for Endpoint Rules- Elastic's Security for Endpoint detection rules.
• Splunk Rules and Splunk Rules GitHub Repository - Splunk's detection rules.
• Sentinel Detections and Sentinel Solution Rules- Collection of KQL detection queries for Sentinel.
• FortiSIEM Rules - FortiSIEM's detection rules.
• LogPoint Rules - LogPoint's alert rules.
• Panther Detections - Collection of detection rules by Panther.
• Datadog Detections - Collection of detection rules by Datadog.
• Wazuh Ruleset - Wazuh ruleset repository.
• Sigma Rules | The DFIR Report - Collection of sigma rules.
• Sigma Rules | mdecrevoisier - Collection of sigma rules.
• Sigma Rules | Yamato Security - Collection of sigma rules.
• Sigma Rules | tsale - Collection of sigma rules.
• Sigma Rules | JoeSecurity - Collection of sigma rules.
• Sigma Rules Threat Hunting Keywords | mthcht - Collection of sigma rules.
• Sigma Rules | mbabinski - Collection of sigma rules.
• Sigma Rules | Inovasys-CS - Collection of sigma rules.
• Sigma Rules | RussianPanda95 - Collection of sigma rules.
• KQL Queries | FalconForce - Collection of KQL queries.
• KQL Queries | SecurityAura - Collection of KQL queries.
• KQL Queries for Sentinel | reprise99 - Collection of KQL queries.
• KQL Queries | Cyb3r Monk - Collection of KQL queries.
• KQL Queries for DefenderATP | 0xAnalyst - Collection of KQL queries.
• KQL Queries | Bert-JanP - Collection of KQL queries.
• KQL Queries | SlimKQL - Collection of KQL queries.
• KQL Queries | cyb3rmik3 - Collection of KQL queries.
• KQL Search - Collection of KQL queries from various GitHub repositories.
• DetectionCode - Detection rules search engine.
• Attack Rule Map - Mapping of open-source detection rules.
• MITRE Cyber Analytics Repository (CAR) and MITRE Cyber Analytics Repository (CAR) Coverage Comparison - The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics based on the MITRE ATT&CK framework.
• Google Cloud Platform (GCP) Community Security Analytics - Security analytics to monitor cloud activity within Google Cloud.
• Anvilogic Detection Armory - Public versions of the detections from the Anvilogic Platform Armory.
• Chronicle (GCP) Rules - Detection rules written for the Chronicle Platform.
• SOC Prime - Great collection of free and paid detection rules (requires registration).
• SnapAttack - Collection of free and paid detection rules (requires registration).

Detection Logic

• Active Directory Detection Logic | Picus - Handbook with active directory attack descriptions and detection recommendations.
• Antivirus Cheatsheet | Nextron Systems - Antivirus keywords and detection logic from Nextron.
• Detecting the Elusive Active Directory Threat Hunting - Bsides presentation that includes detection logic for active directory attacks.
• Awesome Lists | mthcht - Includes keywords, paths from various tools that can be used to implement detection logic.
• Active Directory Security (adsecurity.org) - Page dedicated to Active Directory security. Includes attack descriptions and detection recommendations.
• Tool Analysis Results Sheet | jpcertcc - Results of examining logs recorded in Windows upon execution of 49 tools.
• Offensive Kerberos Techniques for Detection Engineering | Noah

Attack Samples

• EVTX Attack Samples - Event viewer attack samples.
• EVTX to MITRE Attack - IOCs in EVTX format.
• Security Datasets - Datasets of malicious and benign indicators, from different platforms.
• Mordor Dataset - Pre-recorded security events generated after simulating adversarial techniques.
• Attack Data | Splunk A repository of datasets from various attacks
• Secrepo - Samples of various types of Security related data.
• PCAP-ATTACK | sbousseaden - PCAP captures mapped to the relevant attack tactic.
• malware-traffic-analysis.net - Site for sharing packet capture (pcap) files and malware samples.
• NetreSec PCAPs - List of public packet capture repositories.

Detection Tests and Emulation Tools

• Atomic Red Team | Red Canary - Tests mapped to the MITRE ATT&CK framework.
• Stratus Red Team | DataDog - Similar to red team atomics but for cloud.
• MalwLess Simulation Tool (MST) - Open source tool that allows you to simulate system compromise or attack behaviors without running processes.
• LOLBAS Project - Binaries, scripts, and libraries that can be used for Living Off The Land techniques. Includes commands that can be run to test TTPs.
• LOLOL Farm- A great collection of resources to thrive off the land. Includes commands that can be run to test TTPs.
• MITRE Caldera - Adversary emulation framework by MITRE.
• Active Directory Attack Tests | Picus - Handbook with active directory attack tests.
• Network Flight Simulator - Lightweight utility used to generate malicious network traffic.
• APT Simulator - Windows batch script that uses a set of tools and output files to make a system look as if it was compromised.
• Infection Monkey - Open-source adversary emulation platform.
• rtt.secdude.de - Nice page that includes commands mapped to MITRE ATT&CK.

Logging Configuration and Best Practices

• OWASP Cheatsheet
• Microsoft Monitoring Active Directory
• Microsoft Windows Audit Policy Recommendations
• Malware Archaeology Cheatsheets for Windows
• Auditd Logging Configuration | Neo23x0
• Sysmon Configuration | SwiftOnSecurity
• Sysmon Configuration | Olaf Hartong
• KQL Query for Validating your Windows Audit Policy
• Apache Logging Configuration
• NGINX Configuring Access Log

Event Log References

• Windows Event IDs and Audit Policies
• Windows Security Log Event IDs Encyclopedia
• Sysmon Event IDs
• Cisco ASA Event IDs
• Palo Alto PAN-OS Log Fields
• Palo Alto PAN-OS Threat Categories
• Palo Alto PAN-OS Applications
• FortiGate FortiOS Log Types and Subtypes
• FortiGate FortiOS Log Fields
• FortiGate FortiGuard Encyclopedia
• Microsoft Defender Event IDs
• Microsoft Defender for Cloud Alert References
• Microsoft Defender for Identity Alert References
• Microsoft Defender XDR Schemas
• Microsoft DNS Debug Event IDs
• Azure SigninLogs Schema
• Azure SigninLogs Risk Detection
• AADSTS Error Codes
• GCP Threat Detection Findings
• GuardDuty Finding Types
• Barracuda Firewall Log Files Structure and Log Fields
• Barracuda Web Security Gateway Log Fields
• Barracuda Web Application Firewall Log Format and Barracuda Web Application Firewall Log Formats
• Check Point Firewall Log Fields
• Cisco Umbrella Proxy Log Format, Cisco Umbrella DNS Log Format and Cisco Umbrella Content Categories
• Cisco WSA Access Log Fields and Cisco WSA Filtering Categories
• Cisco ESA Log Types
• Juniper Junos OS Log Fields
• Imperva Log Fields and Imperva Event Types
• Squid Log Fields and Log Types and Squid Log Format
• Suricata Log Format
• ZScaler Web Log Format, ZScaler Firewall Log Format, ZScaler DNS Log Format and ZScaler URL Categories.
• Broadcom Edge Secure Web Gateway (Bluecoat) Access Log Format and Broadcom Edge Secure Web Gateway (Bluecoat) Categories
• Broadcom Endpoint Protection Manager Log Format
• SonicWall SonicOS Log Events Documentation
• WatchGuard Fireware OS Log Format
• Sophos Firewall Log Documentation
• Sophos Central Admin Events
• Apache Custom Log Format
• IIS Log File Format
• NGINX Access Log Format

Resources

• MITRE ATT&CK® - MITRE ATT&CK knowledge base of adversary tactics and techniques.
• DeTT&CT - DeTT&CT aims to assist blue teams in using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviors.
• MITRE D3fend - A knowledge of cybersecurity countermeasures.
• Zen of Security Rules | Justin Ibarra - 19 rules for developing detection rules.
• Uncoder IO - Detection logic query converter.
• Detection Studio - Sigma to SIEM query converter.
• Alerting and Detection Strategies (ADS) Framework | Palantir- A structured approach to designing and documenting effective detection methodologies.
• Detection Engineering Maturity Matrix | Kyle Bailey - Aims to help the community better measure the capabilities and maturity of their detection function.
• Detection Engineering Maturity (DML) Model | Ryan Stillions - A tool for assessing an organization’s detection engineering capabilities and maturity levels.
• MaGMa Use Case Framework - Methodology for defining and managing threat detection use cases.
• Detection Engineering Cheatsheet | Florian Roth - Cheatsheet for prioritizing detection development.
• Microsoft Azure Security Control Mappings to MITRE ATT&CK - Coverage of various Azure security control products mappings to MITRE ATT&CK .
• Detection Practices | ncsc - General guidelines on building detection processes.
• EDR Telemetry | tsale - Telemetry comparison and telemetry generator for different EDRs.
• Threat Intel Reports - Threat Intel reports to be used as inspiration for use case creation.
• xCyclopedia - The xCyclopedia project attempts to document all executable binaries (and eventually scripts) that reside on a typical operating system.

Labs

• Splunk Attack Range
• PurpleLab
• BlueTeam.Lab
• Detection LAB
• Constructing Defense

Data Manipulation Online Tools

• Regex101 - Regex testing.
• Regexr - Regex testing.
• CyberChef - Multiple data manipulation tools, decoders, decryptors.
• JSON Formatter - JSON Beautifier.
• JSONCrack - JSON, YML, CSV, XML Editor.
• Grok Debugger - Text manipulation (Remove duplicates, prefix, suffix, word count etc.).
• Text Mechanic - Text manipulation (Remove duplicates, prefix, suffix, word count etc.).
• Text Fixer - Text manipulation (Remove duplicates, prefix, suffix, word count etc.).
• Hash Calculator - Hash calculator and other tools.
• Free Formatter - Formatter for XML, JSON, HTML.
• HTML Formatter - Formatter for HTML.
• Diff Checker - Diff comparison.
• CSVJSON - CSV to JSON converter and vice versa.
• ChatGPT - Can be used to transform data.

Blogs

• FalconForce Blog
• Red Canary Blog and Red Canary Blog Threat Detection Category
• Elastic Security Labs Blog and Elastic Security Labs Blog Detection Category. Also everything Samir Bousseaden.
• SpecterOps Blog and SpecterOps on Detection series | Jared Atkinson
• Detect.fyi - Collection of good detection engineering articles.
• Detections.xyz - Collection of good detection engineering articles.
• Alex Teixeira on Medium - Frequently writes about detection engineering topics.
• Detection at Scale - Collection of good detection engineering articles.

Newsletters

• Detection Engineering Weekly - A newsletter with weekly detection related online sources.
• Detections Digest - A newsletter with weekly updates on detection rules from GitHub repositories.

Good Reads

• Prioritizing Detection Engineering | Ryan McGeehan
• About Detection Engineering | Florian Roth
• Detection Development Lifecycle | Haider Dost
• Elastic releases the Detection Engineering Behavior Maturity Model
• Threat Detection Maturity Framework | Haider Dost
• Compound Probability: You Don’t Need 100% Coverage to Win
• Where should I place my detections? | walaakabbani
• SOC Visibility | walaakabbani
• What Makes a “Good” Detection? | The Cybersec Café
• Lessons Learned in Detection Engineering | Ryan McGeehan
• Alerting and Detection Strategy Framework | Palantir
• DeTT&CT : Mapping detection to MITRE ATT&CK | Renaud Frère
• DeTT&CT: Mapping your Blue Team to MITRE ATT&CK™
• Distributed Security Alerting
• Deploying Detections at Scale — Part 0x01 use-case format and automated validation | Gijs Hollestelle
• From soup to nuts: Building a Detection-as-Code pipeline
• Can We Have “Detection as Code”? | Anton Chuvakin
• Automating Detection-as-Code | John Tuckner
• How to prioritize a Detection Backlog? | Alex Teixeira
• Prioritization of the Detection Engineering Backlog | Joshua Prager & Emily Leidy
• Pyramid of Pain
• Atomic and Stateful Detection Rules
• Detection-as-Code Testing

Books

• Automating Security Detection Engineering: A hands-on guide to implementing Detection as Code
• Practical Threat Detection Engineering: A hands-on guide to planning, developing, and validating detection capabilities
• Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware

Trainings

• XINTRA Attacking and Defending Azure & M365
• Specter Ops Adversary Tactics: Detection
• FalconForce Advanced Detection Engineering in the Enterprise training
• TCM Security Detection Engineering for Beginners
• LetsDefend Detection Engineering Path
• SANS SEC555: Detection Engineering and SIEM Analytics
• SANS SEC511: Cybersecurity Engineering: Advanced Threat Detection and Monitoring

Podcasts

• Detection Challenging Paradigms | SpecterOps - Discussing various topics on threat detection.
• Detection at Scale - Discussing threat landscape and a lot detection related topics.

Videos

• Atomics on a Friday - YouTube series discussing detection opportunities.

Conferences

• DEATHcon - Conference focused on Detection Engineering and Threat Hunting (DEATH).

Twitter/X

• @sigma_hq
• @cyb3rops
• @frack113
• @nas_bench
• @SBousseaden
• @ateixei
• @SecurityAura
• @Oddvarmoe
• @jaredcatkinson
• @olafhartong
• @bohops
• @nextronresearch
• Awesome Detection List