{"id":13454257,"url":"https://github.com/palantir/alerting-detection-strategy-framework","last_synced_at":"2026-01-31T02:32:39.194Z","repository":{"id":38859515,"uuid":"114705352","full_name":"palantir/alerting-detection-strategy-framework","owner":"palantir","description":"A framework for developing alerting and detection strategies for incident response.","archived":false,"fork":false,"pushed_at":"2021-12-17T01:13:47.000Z","size":26,"stargazers_count":753,"open_issues_count":1,"forks_count":127,"subscribers_count":304,"default_branch":"master","last_synced_at":"2025-06-15T01:39:58.431Z","etag":null,"topics":["octo-correct-managed"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/palantir.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-12-19T01:33:31.000Z","updated_at":"2025-06-13T05:50:50.000Z","dependencies_parsed_at":"2022-09-18T15:32:40.233Z","dependency_job_id":null,"html_url":"https://github.com/palantir/alerting-detection-strategy-framework","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/palantir/alerting-detection-strategy-framework","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/palantir%2Falerting-detection-strategy-framework","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/palantir%2Falerting-detection-strategy-framework/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/palantir%2Falerting-detection-strategy-framework/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositorie
s/palantir%2Falerting-detection-strategy-framework/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/palantir","download_url":"https://codeload.github.com/palantir/alerting-detection-strategy-framework/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/palantir%2Falerting-detection-strategy-framework/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28927191,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-30T22:32:35.345Z","status":"online","status_checked_at":"2026-01-31T02:00:09.179Z","response_time":128,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["octo-correct-managed"],"created_at":"2024-07-31T08:00:52.295Z","updated_at":"2026-01-31T02:32:39.178Z","avatar_url":"https://github.com/palantir.png","language":null,"funding_links":[],"categories":["Threat Detection and Hunting","Others","Uncategorized","Concepts \u0026 Frameworks"],"sub_categories":["Resources","Uncategorized"],"readme":"# Alerting and Detection Strategies Framework\r\n\r\n## About This Repository\r\nThis is a public version of the [Alerting and Detection Strategy (ADS) framework we use on the Incident Response Team at Palantir](https://www.medium.com/@palantir). 
\r\n\r\nThis GitHub project provides the building blocks an organization needs to adopt this framework and improve the efficacy of its detection strategies. While there are operational security considerations around publicly acknowledging and documenting internal alerts, we hope these examples spur greater sharing and collaboration, inspire detection enhancements for other defenders, and ultimately increase the operational cost for attackers.\r\n\r\n## ADS Framework\r\nPrior to the development and adoption of the ADS framework, we faced major challenges with the development of alerting strategies. There was a lack of rigor around the creation, development, and implementation of an alert, which led to sub-optimal alerts going to production without documentation or peer review. Over time, some of these alerts gained a reputation for being low-quality, which led to fatigue, alerting apathy, or additional engineering time and resources.\r\n\r\nTo combat the issues and deficiencies noted above, we developed an ADS Framework which is used for all alerting development. This is a natural-language template which helps frame hypothesis generation, testing, and management of new ADS.\r\n\r\nThe ADS Framework has the following sections, each of which must be completed prior to production implementation:\r\n\r\n* Goal\r\n* Categorization\r\n* Strategy Abstract\r\n* Technical Context\r\n* Blind Spots and Assumptions\r\n* False Positives\r\n* Validation\r\n* Priority\r\n* Response\r\n\r\nEach section is required to successfully deploy a new ADS, and together they guarantee that any given alert will have sufficient documentation, will be validated for durability, and will be reviewed prior to production deployment.\r\n\r\nEach production or draft alert based on the ADS framework is stored in a durable, version-controlled, and centralized location (e.g. a wiki or a GitHub entry).
\r\n\r\n## Repository Layout\r\nThis repository is organized as follows:\r\n* [**ADS-Framework**](./ADS-Framework.md): The core ADS framework which is used internally at Palantir.\r\n* [**ADS-Examples**](./ADS-Examples/): ADS examples which have been written in accordance with this framework. These represent human-readable alerting strategies which may be deployed to detect malicious or anomalous activity.\r\n\r\n### Using This Repository\r\n**Note**: We recommend that you spin up a lab environment before deploying any of these configurations, scripts, or subscriptions to a production environment.\r\n\r\n1. Download the repository and review the contents.\r\n2. Run an ADS hack week and try converting existing alerts or writing several new ones.\r\n3. Perform peer review of each new ADS and provide critical feedback.\r\n4. Start the process of converting legacy alerts into the ADS format.\r\n\r\n## Contributing\r\nContributions, fixes, and improvements can be submitted directly against this project as a GitHub issue or pull request.\r\n\r\n## License\r\nMIT License\r\n\r\nCopyright (c) 2017 Palantir Technologies Inc.\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy\r\nof this software and associated documentation files (the \"Software\"), to deal\r\nin the Software without restriction, including without limitation the rights\r\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\r\ncopies of the Software, and to permit persons to whom the Software is\r\nfurnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all\r\ncopies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\r\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE\r\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\r\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\r\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\r\nSOFTWARE.\r\n\r\n## Further Reading and Acknowledgements\r\n\r\nWe would like to extend thanks to the following for their contributions to the InfoSec community, or for assisting in the development of the ADS Framework:\r\n\r\n* [MITRE ATT\u0026CK Framework](https://attack.mitre.org/wiki/Main_Page)\r\n* [Red Canary Atomic Red Team Testing Framework](https://github.com/redcanaryco/atomic-red-team)\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpalantir%2Falerting-detection-strategy-framework","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpalantir%2Falerting-detection-strategy-framework","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpalantir%2Falerting-detection-strategy-framework/lists"}
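The README above states that every one of the nine ADS sections must be completed before an alert ships, and that each ADS lives in a version-controlled location. The following is an added example (not code from the palantir/alerting-detection-strategy-framework repository) of how a detection team might enforce the "every section is present and filled in" rule mechanically, for instance as a pre-merge check in the repository that holds the ADS documents. It assumes, as an assumption of this example rather than something the README specifies, that each ADS is a Markdown file with one `## <Section>` heading per required section, in the order the README lists them. The two sample ADS documents are constructed for illustration.

```python
"""Lint an Alerting and Detection Strategy (ADS) Markdown document.

Added example; not part of the ADS framework repository. Assumes each ADS is
a Markdown file whose required sections are '## ' headings named exactly as
in the framework's section list, in that order.
"""
import re
from dataclasses import dataclass, field

# The nine sections the README says must be completed before production.
REQUIRED_SECTIONS = [
    "Goal",
    "Categorization",
    "Strategy Abstract",
    "Technical Context",
    "Blind Spots and Assumptions",
    "False Positives",
    "Validation",
    "Priority",
    "Response",
]

# Matches exactly a level-2 heading ('## Name'); '###' and '#' do not match.
HEADING_RE = re.compile(r"^##\s+(.+?)\s*$")


@dataclass
class LintResult:
    missing: list = field(default_factory=list)        # required headings absent
    empty: list = field(default_factory=list)          # present but no body text
    out_of_order: list = field(default_factory=list)   # observed heading order, if wrong

    @property
    def ok(self) -> bool:
        return not (self.missing or self.empty or self.out_of_order)


def parse_sections(text: str) -> tuple[dict, list]:
    """Return ({heading: body_text}, [headings in document order]) for '## ' headings."""
    bodies, order, current = {}, [], None
    for line in text.splitlines():
        m = HEADING_RE.match(line)
        if m:
            current = m.group(1)
            bodies[current] = []
            order.append(current)
        elif current is not None:
            bodies[current].append(line)
    return {name: "\n".join(body).strip() for name, body in bodies.items()}, order


def lint_ads(text: str) -> LintResult:
    """Check that every required section exists, has content, and appears in order."""
    sections, order = parse_sections(text)
    result = LintResult()
    for name in REQUIRED_SECTIONS:
        if name not in sections:
            result.missing.append(name)
        elif not sections[name]:
            result.empty.append(name)
    # Order check: required headings as they appear vs. the framework order.
    present = [h for h in order if h in REQUIRED_SECTIONS]
    expected = [h for h in REQUIRED_SECTIONS if h in sections]
    if present != expected:
        result.out_of_order = present
    return result


# Constructed sample: a draft ADS with an empty section and a missing one.
DRAFT_ADS = """\
# ADS: Encoded PowerShell command line

## Goal
Detect PowerShell launched with an encoded command on endpoints.

## Categorization
Execution via scripting interpreter (constructed placeholder).

## Strategy Abstract
Alert on process creation events where the image is powershell.exe and the
command line carries an encoded-command switch.

## Technical Context
Process creation telemetry from the endpoint agent includes the full command line.

## Blind Spots and Assumptions

## False Positives
Administrative tooling that legitimately uses encoded commands.

## Priority
Medium.

## Response
Pull the decoded script block and review it with the endpoint owner.
"""

# The same document with the gaps filled in, so it should pass.
COMPLETE_ADS = DRAFT_ADS.replace(
    "## Blind Spots and Assumptions\n\n",
    "## Blind Spots and Assumptions\nHosts without the endpoint agent are not covered.\n\n",
).replace(
    "## Priority\n",
    "## Validation\nRun the encoded-command test case and confirm the alert fires.\n\n## Priority\n",
)

if __name__ == "__main__":
    for label, doc in (("draft", DRAFT_ADS), ("complete", COMPLETE_ADS)):
        r = lint_ads(doc)
        print(f"{label}: ok={r.ok} missing={r.missing} empty={r.empty} out_of_order={r.out_of_order}")
```

Run against a directory of ADS files in CI and fail the build when `lint_ads(...).ok` is false; that turns the README's "each section must be completed prior to production" rule from a review-time convention into a gate that a half-finished ADS cannot pass. Peer review of the content of each section still has to be done by a human.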