A curated list of threat detection rule repositories and sharing communities.
This documentation is an effort to collect open source material that is useful for building basic threat detections. Sophisticated detections usually require full-time detection engineers, an understanding of the specific environment being defended, and similar investment, but everyone starts somewhere.
TODO: Add specifics on various detection rules & their functions for context (open source + vendor specific).
- Baseline OSQuery Configuration by Palantir
- OSQuery Defense Kit
- Panther's OOTB Detection Ruleset
- Sigma Rules
- Splunk Security Essentials Repository
- Awesome YARA Repo with Rules
There are many excellent articles that touch on threat detection engineering and how to create robust rules. Here are some that we've collected.
- Lessons Learned in Detection Engineering
- Detection Spectrum & the Funnel of Fidelity
- Shifting from Detection 1.0 to 2.0
- Threat Hunting with Kubernetes Audit Logs
- An Alternative Way of Using MITRE ATT&CK for Threat Hunting and Detection
- A SOCless Detection Team at Netflix