Awesome Detection Engineering

A curated list of tools and resources for Threat Detection Engineers.

Concepts & Frameworks

MITRE ATT&CK - The foundational framework of adversary tactics, techniques, and procedures based on real-world observations.
Alerting and Detection Strategies (ADS) Framework | Palantir - A blueprint for creating and documenting effective detection content.
Detection Engineering Maturity Matrix | Kyle Bailey - A detailed matrix that serves as a tool to measure the overall maturity of an organization's Detection Engineering program.
Detection Maturity Level (DML) Model | Ryan Stillions - Defines and describes 8 different levels of an organization's threat detection program maturity.
The Pyramid of Pain | David J Bianco - A model used to describe various categorizations of indicator's of compromise and their level of effectiveness in detecting threat actors.
Cyber Kill Chain | Lockheed Martin - Lockheed Martin's framework that outlines the 7 stages commonly observed in a cyber attack.
MaGMa (Management, Growth and Metrics & Assessment) Use Case Defintion Model - A business-centric approach for defining threat detection use cases.

MITRE Cyber Analytics Repository (CAR) - MITRE's well-maintained repository of detection content.
CAR Coverage Comparision - A matrix of MITRE ATT&CK technique IDs and links to available Splunk Security Content, Elastic detection rules, Sigma rules, and CAR content.
Sigma Rules - Sigma's repository of turnkey detection content. Content can be converted for use with most SIEMs.
Uncoder Rule Converter - A tool that can convert detection content for use with most SIEMs.
Splunk Security Content - Splunk's open-source and frequently updated detection content that can be tweaked for use in other tools.
Elastic Detection Rules - Elastic's detection rules written natively for the Elastic SIEM. Can easily be converted for use by other SIEMs using Uncoder.
AWS GuardDuty Findings - A list of all AWS GuardDuty Findings, their descriptions, and associated data sources.
GCP Security Command Center Findings - A list of all GCP Security Command Center Findings, their descriptions, and associated data sources.
Azure Defender for Cloud Security Alerts - A list of all Azure Security for Cloud Alerts, their descriptions, and associated data sources.
Center for Threat Informed Defense Security Stack Mappings - Describes cloud computing platform's (Azure, AWS) built-in detection capabilities and their mapings to the MITRE ATT&CK framework.

Windows Logging Cheatsheets - Multiple cheatsheets outlined recommendations for Windows Event logging at various levels of granularity.
Linux auditd Detection Ruleset - Linux auditd ruleset that produces telemetry required for threat detection use cases.
MITRE ATT&CK Data Sources Blog Post - MITRE describes various data sources and how they relate to the TTPs found in the MITRE ATT&CK framework.
MITRE ATT&CK Data Sources List - Data source objects added to MITRE ATT&CK as part of v10.
Splunk Common Information Model (CIM) - Splunk's proprietary model used as a framework for normalizing security data.
Elastic Common Schema - Elastic's proprietary model used as a framework for normalizing security data.
Open Cybersecurity Schema Framework (OCSF) - An opensource security data source and event schema.
Loghub - opensource and freely available security data sources for research and testing.

ATT&CK Navigator - MITRE's open-source tool that can be used to track detection coverage, visibility, and other efforts and their relationship to the ATT&CK framework.
Detection Engineering Twitter List - A Twitter list of Detection Engineers.
DETT&CT: MAPPING YOUR BLUE TEAM TO MITRE ATT&CK™

CI/CD Detection Engineering: Splunk's Security Content, Part 1 Splunk's Attack Range, Part 2 Failing, Part 3 | José Enrique Hernandez - A three part blog series loosely describing how to deploy detection as code in a Splunk environment using the Splunk Security Research team's Security Content.
Behind the Scenes with Red Canary’s Detection Engineering Team | Kyle Rainey
A SOCless Detection Team at Netflix
The Four Types of Threat Detection | Sergio Caltagirone, Robert Lee
Lessons Learned in Detection Engineering | Ryan McGeehan - A well experienced detection engineer describes in detail his observations, challenges, and recommendations for building an effective threat detection program.