Uncategorized

• Uncategorized

  • Detect.fyi - Collection of good detection engineering articles.
  • My 2025 Detection Philosophy and the Pursuit of Immutable Artifacts | Koifsec
  • What Makes a “Good” Detection? | The Cybersec Café
  • Alerting and Detection Strategy Framework | Palantir
  • How to prioritize a Detection Backlog? | Alex Teixeira
  • Prioritization of the Detection Engineering Backlog | Joshua Prager & Emily Leidy
  • Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware
  • Detect.fyi - Collection of good detection engineering articles.
  • Detection Studio - Sigma to SIEM query converter.
  • What Makes a “Good” Detection? | The Cybersec Café
  • Alerting and Detection Strategy Framework | Palantir
  • How to prioritize a Detection Backlog? | Alex Teixeira
  • Prioritization of the Detection Engineering Backlog | Joshua Prager & Emily Leidy
  • Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware
  • Alerting and Detection Strategy Framework | Palantir
  • Detect.fyi - Collection of good detection engineering articles.
  • My 2025 Detection Philosophy and the Pursuit of Immutable Artifacts | Koifsec
  • How to prioritize a Detection Backlog? | Alex Teixeira
  • Prioritization of the Detection Engineering Backlog | Joshua Prager & Emily Leidy
  • Can We Stop Documenting Our Detections?
  • Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware
  • What Makes a “Good” Detection? | The Cybersec Café
  • Microsoft Monitoring Active Directory
  • OWASP Cheatsheet
  • Microsoft Windows Audit Policy Recommendations
  • Malware Archaeology Cheatsheets for Windows
  • Auditd Logging Configuration | Neo23x0
  • Sigma Rules - Huge collection of detection rules from SIGMA HQ.
  • Splunk Rules - Splunk's detection rules.
  • Elastic Rules - rules-explorer) or [Elastic Rules GitHub Repository](https://github.com/elastic/detection-rules/tree/main/rules)- Elastic's detection rules.
  • Elastic Security for Endpoint Rules - Elastic's Security for Endpoint detection rules.
  • Sentinel Detections - Sentinel/tree/master/Solutions)- Collection of KQL detection queries for Sentinel.
  • FortiSIEM Rules - FortiSIEM's detection rules.
  • LogPoint Rules - LogPoint's alert rules.
  • Panther Detections - Collection of detection rules by Panther.
  • Datadog Detections - Collection of detection rules by Datadog.
  • Wazuh Ruleset - Wazuh ruleset repository.
  • Sigma Rules - Huge collection of detection rules from SIGMA HQ.
  • Elastic Rules - rules-explorer) or [Elastic Rules GitHub Repository](https://github.com/elastic/detection-rules/tree/main/rules)- Elastic's detection rules.
  • Elastic Security for Endpoint Rules - Elastic's Security for Endpoint detection rules.
  • Splunk Rules - Splunk's detection rules.
  • Sentinel Detections - Sentinel/tree/master/Solutions)- Collection of KQL detection queries for Sentinel.
  • FortiSIEM Rules - FortiSIEM's detection rules.
  • LogPoint Rules - LogPoint's alert rules.
  • Panther Detections - Collection of detection rules by Panther.
  • Datadog Detections - Collection of detection rules by Datadog.
  • Wazuh Ruleset - Wazuh ruleset repository.
  • Sigma Rules | The DFIR Report - Collection of sigma rules.
  • Sigma Rules | The DFIR Report - Collection of sigma rules.
  • Sigma Rules | mdecrevoisier - Collection of sigma rules.
  • Sigma Rules | Yamato Security - Collection of sigma rules.
  • Sigma Rules | tsale - Collection of sigma rules.
  • Sigma Rules | JoeSecurity - Collection of sigma rules.
  • Sigma Rules | mdecrevoisier - Collection of sigma rules.
  • Sigma Rules | Yamato Security - Collection of sigma rules.
  • Sigma Rules | tsale - Collection of sigma rules.
  • Sigma Rules | JoeSecurity - Collection of sigma rules.
  • Sigma Rules Threat Hunting Keywords | mthcht - Collection of sigma rules.
  • Sigma Rules | mbabinski - Collection of sigma rules.
  • Sigma Rules | Inovasys-CS - Collection of sigma rules.
  • KQL Queries | FalconForce - Collection of KQL queries.
  • KQL Queries | SecurityAura - Collection of KQL queries.
  • KQL Queries for Sentinel | reprise99 - Collection of KQL queries.
  • KQL Queries | Cyb3r Monk - Collection of KQL queries.
  • Sigma Rules Threat Hunting Keywords | mthcht - Collection of sigma rules.
  • Sigma Rules | mbabinski - Collection of sigma rules.
  • Sigma Rules | Inovasys-CS - Collection of sigma rules.
  • KQL Queries | FalconForce - Collection of KQL queries.
  • KQL Queries | SecurityAura - Collection of KQL queries.
  • KQL Queries for DefenderATP | 0xAnalyst - Collection of KQL queries.
  • KQL Queries | Bert-JanP - Collection of KQL queries.
  • KQL Queries for Sentinel | reprise99 - Collection of KQL queries.
  • KQL Queries | Cyb3r Monk - Collection of KQL queries.
  • KQL Queries | SlimKQL - Collection of KQL queries.
  • KQL Queries | cyb3rmik3 - Collection of KQL queries.
  • KQL Search - Collection of KQL queries from various GitHub repositories.
  • DetectionCode - Detection rules search engine.
  • Attack Rule Map - Mapping of open-source detection rules.
  • MITRE Cyber Analytics Repository (CAR) - The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics based on the MITRE ATT&CK framework.
  • Google Cloud Platform (GCP) Community Security Analytics - Security analytics to monitor cloud activity within Google Cloud.
  • Anvilogic Detection Armory - Public versions of the detections from the Anvilogic Platform Armory.
  • Chronicle (GCP) Rules - Detection rules written for the Chronicle Platform.
  • KQL Queries for DefenderATP | 0xAnalyst - Collection of KQL queries.
  • KQL Queries | Bert-JanP - Collection of KQL queries.
  • KQL Queries | SlimKQL - Collection of KQL queries.
  • KQL Queries | cyb3rmik3 - Collection of KQL queries.
  • KQL Search - Collection of KQL queries from various GitHub repositories.
  • DetectionCode - Detection rules search engine.
  • Attack Rule Map - Mapping of open-source detection rules.
  • MITRE Cyber Analytics Repository (CAR) - The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics based on the MITRE ATT&CK framework.
  • Google Cloud Platform (GCP) Community Security Analytics - Security analytics to monitor cloud activity within Google Cloud.
  • Anvilogic Detection Armory - Public versions of the detections from the Anvilogic Platform Armory.
  • Chronicle (GCP) Rules - Detection rules written for the Chronicle Platform.
  • SOC Prime - Great collection of free and paid detection rules (requires registration).
  • SOC Prime - Great collection of free and paid detection rules (requires registration).
  • SnapAttack - Collection of free and paid detection rules (requires registration).
  • SnapAttack - Collection of free and paid detection rules (requires registration).
  • Detecting the Elusive Active Directory Threat Hunting - Bsides presentation that includes detection logic for active directory attacks.
  • Antivirus Cheatsheet | Nextron Systems - Antivirus keywords and detection logic from Nextron.
  • Awesome Lists | mthcht - Includes keywords, paths from various tools that can be used to implement detection logic.
  • Active Directory Security (adsecurity.org) - Page dedicated to Active Directory security. Includes attack descriptions and detection recommendations.
  • Detecting the Elusive Active Directory Threat Hunting - Bsides presentation that includes detection logic for active directory attacks.
  • Antivirus Cheatsheet | Nextron Systems - Antivirus keywords and detection logic from Nextron.
  • Awesome Lists | mthcht - Includes keywords, paths from various tools that can be used to implement detection logic.
  • Active Directory Security (adsecurity.org) - Page dedicated to Active Directory security. Includes attack descriptions and detection recommendations.
  • Offensive Kerberos Techniques for Detection Engineering | Noah
  • EVTX Attack Samples - Event viewer attack samples.
  • Offensive Kerberos Techniques for Detection Engineering | Noah
  • EVTX Attack Samples - Event viewer attack samples.
  • EVTX to MITRE Attack - IOCs in EVTX format.
  • Security Datasets - Datasets of malicious and benign indicators, from different platforms.
  • Mordor Dataset - Pre-recorded security events generated after simulating adversarial techniques.
  • Attack Data | Splunk
  • EVTX to MITRE Attack - IOCs in EVTX format.
  • Security Datasets - Datasets of malicious and benign indicators, from different platforms.
  • Mordor Dataset - Pre-recorded security events generated after simulating adversarial techniques.
  • PCAP-ATTACK | sbousseaden - PCAP captures mapped to the relevant attack tactic.
  • malware-traffic-analysis.net - Site for sharing packet capture (pcap) files and malware samples.
  • NetreSec PCAPs - List of public packet capture repositories.
  • Attack Data | Splunk
  • PCAP-ATTACK | sbousseaden - PCAP captures mapped to the relevant attack tactic.
  • APT Simulator - Windows batch script that uses a set of tools and output files to make a system look as if it was compromised.
  • malware-traffic-analysis.net - Site for sharing packet capture (pcap) files and malware samples.
  • NetreSec PCAPs - List of public packet capture repositories.
  • Infection Monkey - Open-source adversary emulation platform.
  • Atomic Red Team | Red Canary - Tests mapped to the MITRE ATT&CK framework.
  • rtt.secdude.de - Nice page that includes commands mapped to MITRE ATT&CK.
  • Stratus Red Team | DataDog - Similar to red team atomics but for cloud.
  • MalwLess Simulation Tool (MST) - Open source tool that allows you to simulate system compromise or attack behaviors without running processes.
  • How to prioritize a Detection Backlog? | Alex Teixeira
  • Prioritization of the Detection Engineering Backlog | Joshua Prager & Emily Leidy
  • LOLBAS Project - Binaries, scripts, and libraries that can be used for Living Off The Land techniques. Includes commands that can be run to test TTPs.
  • LOLOL Farm - A great collection of resources to thrive off the land. Includes commands that can be run to test TTPs.
  • MITRE Caldera - Adversary emulation framework by MITRE.
  • Pyramid of Pain
  • Active Directory Attack Tests | Picus - Handbook with active directory attack tests.
  • Network Flight Simulator - Lightweight utility used to generate malicious network traffic.
  • Atomic and Stateful Detection Rules
  • Detection-as-Code Testing
  • Automating Security Detection Engineering: A hands-on guide to implementing Detection as Code
  • Practical Threat Detection Engineering: A hands-on guide to planning, developing, and validating detection capabilities
  • TCM Security Detection Engineering for Beginners
  • LetsDefend Detection Engineering Path
  • SANS SEC555: Detection Engineering and SIEM Analytics
  • SANS SEC511: Cybersecurity Engineering: Advanced Threat Detection and Monitoring
  • Detection Challenging Paradigms | SpecterOps - Discussing various topics on threat detection.
  • Stratus Red Team | DataDog - Similar to red team atomics but for cloud.
  • MalwLess Simulation Tool (MST) - Open source tool that allows you to simulate system compromise or attack behaviors without running processes.
  • LOLBAS Project - Binaries, scripts, and libraries that can be used for Living Off The Land techniques. Includes commands that can be run to test TTPs.
  • LOLOL Farm - A great collection of resources to thrive off the land. Includes commands that can be run to test TTPs.
  • Atomic Red Team | Red Canary - Tests mapped to the MITRE ATT&CK framework.
  • MITRE Caldera - Adversary emulation framework by MITRE.
  • Network Flight Simulator - Lightweight utility used to generate malicious network traffic.
  • APT Simulator - Windows batch script that uses a set of tools and output files to make a system look as if it was compromised.
  • Infection Monkey - Open-source adversary emulation platform.
  • rtt.secdude.de - Nice page that includes commands mapped to MITRE ATT&CK.
  • OWASP Cheatsheet
  • Microsoft Monitoring Active Directory
  • Microsoft Windows Audit Policy Recommendations
  • Malware Archaeology Cheatsheets for Windows
  • Sysmon Configuration | Olaf Hartong
  • Auditd Logging Configuration | Neo23x0
  • Sysmon Configuration | SwiftOnSecurity
  • KQL Query for Validating your Windows Audit Policy
  • NGINX Configuring Access Log
  • Windows Event IDs and Audit Policies
  • Windows Security Log Event IDs Encyclopedia
  • Sysmon Event IDs
  • Cisco ASA Event IDs
  • Palo Alto PAN-OS Log Fields
  • Palo Alto PAN-OS Threat Categories
  • Palo Alto PAN-OS Applications
  • Sysmon Configuration | SwiftOnSecurity
  • Sysmon Configuration | Olaf Hartong
  • KQL Query for Validating your Windows Audit Policy
  • Apache Custom Log Format
  • NGINX Configuring Access Log
  • Windows Event IDs and Audit Policies
  • Windows Security Log Event IDs Encyclopedia
  • Sysmon Event IDs
  • Cisco ASA Event IDs
  • Palo Alto PAN-OS Log Fields
  • Palo Alto PAN-OS Threat Categories
  • Palo Alto PAN-OS Applications
  • FortiGate FortiOS Log Types and Subtypes
  • FortiGate FortiOS Log Fields
  • FortiGate FortiOS Log Types and Subtypes
  • FortiGate FortiOS Log Fields
  • FortiGate FortiGuard Encyclopedia
  • Microsoft Defender Event IDs
  • FortiGate FortiGuard Encyclopedia
  • Microsoft Defender Event IDs
  • Microsoft Defender for Cloud Alert References
  • Microsoft Defender for Identity Alert References
  • Microsoft Defender XDR Schemas
  • Microsoft DNS Debug Event IDs - logging-and-diagnostics-1)
  • Azure SigninLogs Schema
  • Azure SigninLogs Risk Detection
  • Microsoft Entra authentication and authorization error codes
  • GCP Threat Detection Findings
  • GuardDuty Finding Types
  • Microsoft Defender for Cloud Alert References
  • Microsoft Defender XDR Schemas
  • Detections.xyz - Collection of good detection engineering articles.
  • Alex Teixeira on Medium - Frequently writes about detection engineering topics.
  • Detection at Scale - Collection of good detection engineering articles.
  • Microsoft Defender for Identity Alert References
  • Detection Engineering Weekly - A newsletter with weekly detection related online sources.
  • Detections Digest - A newsletter with weekly updates on detection rules from GitHub repositories.
  • Prioritizing Detection Engineering | Ryan McGeehan
  • About Detection Engineering | Florian Roth
  • Detection Development Lifecycle | Haider Dost
  • Microsoft DNS Debug Event IDs - logging-and-diagnostics-1)
  • Azure SigninLogs Schema
  • Azure SigninLogs Risk Detection
  • AADSTS Error Codes
  • GCP Threat Detection Findings
  • GuardDuty Finding Types
  • Barracuda Firewall Log Files Structure and Log Fields
  • Barracuda Web Security Gateway Log Fields
  • Barracuda Web Application Firewall Log Format - log-formats)
  • Barracuda Web Application Firewall Log Format - log-formats)
  • Barracuda Firewall Log Files Structure and Log Fields
  • Barracuda Web Security Gateway Log Fields
  • Check Point Firewall Log Fields
  • Cisco Umbrella Proxy Log Format - umbrella/docs/dns-log-formats) and [Cisco Umbrella Content Categories](https://docs.umbrella.com/deployment-umbrella/docs/new-content-category-definitions)
  • Cisco WSA Access Log Fields - security-appliance/datasheet_C78-718442.html)
  • Cisco ESA Log Types
  • Juniper Junos OS Log Fields
  • Imperva Log Fields - waf-system-events-reference-guide/page/63179.htm)
  • Squid Log Fields and Log Types - cache.org/Features/LogFormat)
  • Suricata Log Format
  • Check Point Firewall Log Fields
  • Cisco ESA Log Types
  • Cisco Umbrella Proxy Log Format - umbrella/docs/dns-log-formats) and [Cisco Umbrella Content Categories](https://docs.umbrella.com/deployment-umbrella/docs/new-content-category-definitions)
  • Cisco WSA Access Log Fields - security-appliance/datasheet_C78-718442.html)
  • Juniper Junos OS Log Fields
  • Imperva Log Fields - waf-system-events-reference-guide/page/63179.htm)
  • Squid Log Fields and Log Types - cache.org/Features/LogFormat)
  • Suricata Log Format
  • ZScaler Web Log Format - feed-output-format-firewall-logs), [ZScaler DNS Log Format](https://help.zscaler.com/zia/nss-feed-output-format-dns-logs) and [ZScaler URL Categories](https://help.zscaler.com/zia/about-url-categories).
  • Broadcom Edge Secure Web Gateway (Bluecoat) Access Log Format - descriptions)
  • ZScaler Web Log Format - feed-output-format-firewall-logs), [ZScaler DNS Log Format](https://help.zscaler.com/zia/nss-feed-output-format-dns-logs) and [ZScaler URL Categories](https://help.zscaler.com/zia/about-url-categories).
  • Broadcom Endpoint Protection Manager Log Format
  • Broadcom Edge Secure Web Gateway (Bluecoat) Access Log Format - descriptions)
  • SonicWall SonicOS Log Events Documentation
  • WatchGuard Fireware OS Log Format
  • Sophos Firewall Log Documentation
  • Sophos Central Admin Events
  • Apache Custom Log Format
  • IIS Log File Format
  • NGINX Access Log Format
  • MITRE ATT&CK® - MITRE ATT&CK knowledge base of adversary tactics and techniques.
  • Broadcom Endpoint Protection Manager Log Format
  • SonicWall SonicOS Log Events Documentation
  • WatchGuard Fireware OS Log Format
  • Sophos Firewall Log Documentation
  • Sophos Central Admin Events
  • IIS Log File Format
  • NGINX Access Log Format
  • MITRE ATT&CK® - MITRE ATT&CK knowledge base of adversary tactics and techniques.
  • Zen of Security Rules | Justin Ibarra - 19 rules for developing detection rules.
  • Uncoder IO - Detection logic query converter.
  • MITRE D3fend - A knowledge of cybersecurity countermeasures.
  • Alerting and Detection Strategies (ADS) Framework | Palantir - A structured approach to designing and documenting effective detection methodologies.
  • Detection Engineering Maturity Matrix | Kyle Bailey - Aims to help the community better measure the capabilities and maturity of their detection function.
  • Detection Engineering Maturity (DML) Model | Ryan Stillions - A tool for assessing an organization’s detection engineering capabilities and maturity levels.
  • MaGMa Use Case Framework - Methodology for defining and managing threat detection use cases.
  • Detection Engineering Cheatsheet | Florian Roth - Cheatsheet for prioritizing detection development.
  • Microsoft Azure Security Control Mappings to MITRE ATT&CK - Coverage of various Azure security control products mappings to MITRE ATT&CK .
  • Detection Practices | ncsc - General guidelines on building detection processes.
  • Zen of Security Rules | Justin Ibarra - 19 rules for developing detection rules.
  • Uncoder IO - Detection logic query converter.
  • Alerting and Detection Strategies (ADS) Framework | Palantir - A structured approach to designing and documenting effective detection methodologies.
  • Detection Engineering Maturity Matrix | Kyle Bailey - Aims to help the community better measure the capabilities and maturity of their detection function.
  • MITRE D3fend - A knowledge of cybersecurity countermeasures.
  • Detection Engineering Maturity (DML) Model | Ryan Stillions - A tool for assessing an organization’s detection engineering capabilities and maturity levels.
  • MaGMa Use Case Framework - Methodology for defining and managing threat detection use cases.
  • Detection Engineering Cheatsheet | Florian Roth - Cheatsheet for prioritizing detection development.
  • Microsoft Azure Security Control Mappings to MITRE ATT&CK - Coverage of various Azure security control products mappings to MITRE ATT&CK .
  • Detection Practices | ncsc - General guidelines on building detection processes.
  • EDR Telemetry | tsale - Telemetry comparison and telemetry generator for different EDRs.
  • Threat Intel Reports - Threat Intel reports to be used as inspiration for use case creation.
  • EDR Telemetry | tsale - Telemetry comparison and telemetry generator for different EDRs.
  • Threat Intel Reports - Threat Intel reports to be used as inspiration for use case creation.
  • xCyclopedia - The xCyclopedia project attempts to document all executable binaries (and eventually scripts) that reside on a typical operating system.
  • Splunk Attack Range
  • PurpleLab
  • BlueTeam.Lab
  • xCyclopedia - The xCyclopedia project attempts to document all executable binaries (and eventually scripts) that reside on a typical operating system.
  • Splunk Attack Range
  • PurpleLab
  • Regex101 - Regex testing.
  • BlueTeam.Lab
  • Constructing Defense
  • Regexr - Regex testing.
  • CyberChef - Multiple data manipulation tools, decoders, decryptors.
  • JSON Formatter - JSON Beautifier.
  • JSONCrack - JSON, YML, CSV, XML Editor.
  • Grok Debugger - Text manipulation (Remove duplicates, prefix, suffix, word count etc.).
  • Text Mechanic - Text manipulation (Remove duplicates, prefix, suffix, word count etc.).
  • Constructing Defense
  • Regex101 - Regex testing.
  • Regexr - Regex testing.
  • CyberChef - Multiple data manipulation tools, decoders, decryptors.
  • JSON Formatter - JSON Beautifier.
  • JSONCrack - JSON, YML, CSV, XML Editor.
  • Grok Debugger - Text manipulation (Remove duplicates, prefix, suffix, word count etc.).
  • Text Mechanic - Text manipulation (Remove duplicates, prefix, suffix, word count etc.).
  • Text Fixer - Text manipulation (Remove duplicates, prefix, suffix, word count etc.).
  • Hash Calculator - Hash calculator and other tools.
  • Diff Checker - Diff comparison.
  • CSVJSON - CSV to JSON converter and vice versa.
  • ChatGPT - Can be used to transform data.
  • Text Fixer - Text manipulation (Remove duplicates, prefix, suffix, word count etc.).
  • Hash Calculator - Hash calculator and other tools.
  • Free Formatter - Formatter for XML, JSON, HTML.
  • HTML Formatter - Formatter for HTML.
  • FalconForce Blog
  • Elastic Security Labs Blog - labs/topics/detection-science). Also everything [Samir Bousseaden](https://www.elastic.co/security-labs/author/samir-bousseaden).
  • SpecterOps Blog - detection/home)
  • Detect.fyi - Collection of good detection engineering articles.
  • SOC Visibility | walaakabbani
  • What Makes a “Good” Detection? | The Cybersec Café
  • Lessons Learned in Detection Engineering | Ryan McGeehan
  • Can We Have “Detection as Code”? | Anton Chuvakin
  • Automating Detection-as-Code | John Tuckner
  • Practical Threat Detection Engineering: A hands-on guide to planning, developing, and validating detection capabilities
  • Free Formatter - Formatter for XML, JSON, HTML.
  • HTML Formatter - Formatter for HTML.
  • Diff Checker - Diff comparison.
  • CSVJSON - CSV to JSON converter and vice versa.
  • ChatGPT - Can be used to transform data.
  • FalconForce Blog
  • Elastic Security Labs Blog - labs/topics/detection-science). Also everything [Samir Bousseaden](https://www.elastic.co/security-labs/author/samir-bousseaden).
  • SpecterOps Blog - detection/home)
  • Detect.fyi - Collection of good detection engineering articles.
  • Detections.xyz - Collection of good detection engineering articles.
  • Alex Teixeira on Medium - Frequently writes about detection engineering topics.
  • Detection at Scale - Collection of good detection engineering articles.
  • Detection Engineering Weekly - A newsletter with weekly detection related online sources.
  • Detections Digest - A newsletter with weekly updates on detection rules from GitHub repositories.
  • Prioritizing Detection Engineering | Ryan McGeehan
  • About Detection Engineering | Florian Roth
  • Detection Development Lifecycle | Haider Dost
  • Elastic releases the Detection Engineering Behavior Maturity Model
  • Threat Detection Maturity Framework | Haider Dost
  • Compound Probability: You Don’t Need 100% Coverage to Win
  • Elastic releases the Detection Engineering Behavior Maturity Model
  • Threat Detection Maturity Framework | Haider Dost
  • Compound Probability: You Don’t Need 100% Coverage to Win
  • Where should I place my detections? | walaakabbani
  • Alerting and Detection Strategy Framework | Palantir
  • DeTT&CT : Mapping detection to MITRE ATT&CK | Renaud Frère
  • DeTT&CT: Mapping your Blue Team to MITRE ATT&CK™
  • Distributed Security Alerting
  • Alerting and Detection Strategy Framework | Palantir
  • DeTT&CT : Mapping detection to MITRE ATT&CK | Renaud Frère
  • Where should I place my detections? | walaakabbani
  • SOC Visibility | walaakabbani
  • What Makes a “Good” Detection? | The Cybersec Café
  • Lessons Learned in Detection Engineering | Ryan McGeehan
  • DeTT&CT: Mapping your Blue Team to MITRE ATT&CK™
  • Distributed Security Alerting
  • Deploying Detections at Scale — Part 0x01 use-case format and automated validation | Gijs Hollestelle
  • From soup to nuts: Building a Detection-as-Code pipeline
  • Can We Have “Detection as Code”? | Anton Chuvakin
  • Automating Detection-as-Code | John Tuckner
  • How to prioritize a Detection Backlog? | Alex Teixeira
  • Prioritization of the Detection Engineering Backlog | Joshua Prager & Emily Leidy
  • Pyramid of Pain
  • Atomic and Stateful Detection Rules
  • @Oddvarmoe
  • @jaredcatkinson
  • @olafhartong
  • Deploying Detections at Scale — Part 0x01 use-case format and automated validation | Gijs Hollestelle
  • From soup to nuts: Building a Detection-as-Code pipeline
  • Awesome Detection List
  • Detection-as-Code Testing
  • Automating Security Detection Engineering: A hands-on guide to implementing Detection as Code
  • Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware
  • XINTRA Attacking and Defending Azure & M365
  • Specter Ops Adversary Tactics: Detection
  • FalconForce Advanced Detection Engineering in the Enterprise training
  • TCM Security Detection Engineering for Beginners
  • LetsDefend Detection Engineering Path
  • SANS SEC555: Detection Engineering and SIEM Analytics
  • Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware
  • XINTRA Attacking and Defending Azure & M365
  • Specter Ops Adversary Tactics: Detection
  • FalconForce Advanced Detection Engineering in the Enterprise training
  • Detection at Scale - Discussing threat landscape and a lot detection related topics.
  • Atomics on a Friday - YouTube series discussing detection opportunities.
  • @sigma_hq
  • @cyb3rops
  • @frack113
  • SANS SEC511: Cybersecurity Engineering: Advanced Threat Detection and Monitoring
  • Detection Challenging Paradigms | SpecterOps - Discussing various topics on threat detection.
  • @nas_bench
  • @SBousseaden
  • @SecurityAura
  • @Oddvarmoe
  • Detection at Scale - Discussing threat landscape and a lot detection related topics.
  • Atomics on a Friday - YouTube series discussing detection opportunities.
  • @nas_bench
  • @sigma_hq
  • @cyb3rops
  • @frack113
  • @SBousseaden
  • @SecurityAura
  • @jaredcatkinson
  • @olafhartong
  • Awesome Detection List
  • Rulehound - Detection rules search engine.
  • My 2025 Detection Philosophy and the Pursuit of Immutable Artifacts | Koifsec
  • Active Directory Attack Tests | Picus - Handbook with active directory attack tests.
  • Detect.fyi - Collection of good detection engineering articles.
  • Prioritization of the Detection Engineering Backlog | Joshua Prager & Emily Leidy
  • Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware
  • What Makes a “Good” Detection? | The Cybersec Café
  • Alerting and Detection Strategy Framework | Palantir
  • How to prioritize a Detection Backlog? | Alex Teixeira
  • What Makes a “Good” Detection? | The Cybersec Café
  • Detect.fyi - Collection of good detection engineering articles.
  • Alerting and Detection Strategy Framework | Palantir
  • How to prioritize a Detection Backlog? | Alex Teixeira
  • Prioritization of the Detection Engineering Backlog | Joshua Prager & Emily Leidy
  • Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware
  • Sigma Rules | RussianPanda95 - Collection of sigma rules.
  • Detect.fyi - Collection of good detection engineering articles.
  • What Makes a “Good” Detection? | The Cybersec Café
  • Alerting and Detection Strategy Framework | Palantir
  • How to prioritize a Detection Backlog? | Alex Teixeira
  • Prioritization of the Detection Engineering Backlog | Joshua Prager & Emily Leidy
  • Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware
  • Detection Challenging Paradigms | SpecterOps - Discussing various topics on threat detection.
  • @ateixei
  • Detect.fyi - Collection of good detection engineering articles.
  • My 2025 Detection Philosophy and the Pursuit of Immutable Artifacts | Koifsec
  • What Makes a “Good” Detection? | The Cybersec Café
  • Windows Logon Types
  • Windows Logon Failure Codes
  • Microsoft Errors Search
  • Detect.fyi - Collection of good detection engineering articles.
  • My 2025 Detection Philosophy and the Pursuit of Immutable Artifacts | Koifsec
  • What Makes a “Good” Detection? | The Cybersec Café
  • Alerting and Detection Strategy Framework | Palantir
  • How to prioritize a Detection Backlog? | Alex Teixeira
  • Prioritization of the Detection Engineering Backlog | Joshua Prager & Emily Leidy
  • Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware
  • @bohops
  • @nextronresearch
  • Eventlog Compendium - The Eventlog Compendium is the go-to resource for understanding Windows Event Logs.
  • Detect.fyi - Collection of good detection engineering articles.
  • My 2025 Detection Philosophy and the Pursuit of Immutable Artifacts | Koifsec
  • What Makes a “Good” Detection? | The Cybersec Café
  • Alerting and Detection Strategy Framework | Palantir
  • How to prioritize a Detection Backlog? | Alex Teixeira
  • Prioritization of the Detection Engineering Backlog | Joshua Prager & Emily Leidy
  • Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware
  • How to prioritize a Detection Backlog? | Alex Teixeira
  • Prioritization of the Detection Engineering Backlog | Joshua Prager & Emily Leidy
  • Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware
  • DEATHcon - Conference focused on Detection Engineering and Threat Hunting (DEATH).
  • Detect.fyi - Collection of good detection engineering articles.
  • What Makes a “Good” Detection? | The Cybersec Café
  • Alerting and Detection Strategy Framework | Palantir
  • How to prioritize a Detection Backlog? | Alex Teixeira
  • Prioritization of the Detection Engineering Backlog | Joshua Prager & Emily Leidy
  • Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware
  • Alerting and Detection Strategy Framework | Palantir
  • How to prioritize a Detection Backlog? | Alex Teixeira
  • Prioritization of the Detection Engineering Backlog | Joshua Prager & Emily Leidy
  • Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware
  • What Makes a “Good” Detection? | The Cybersec Café
  • Alerting and Detection Strategy Framework | Palantir
  • Detect.fyi - Collection of good detection engineering articles.
  • Detection as Code: Detection Development Using CI/CD - RSA Presentation.
  • Detection-as-code: Why it works and where to start (Kyle Bailey) - BSides presentation.
  • Detect.fyi - Collection of good detection engineering articles.
  • My 2025 Detection Philosophy and the Pursuit of Immutable Artifacts | Koifsec
  • What Makes a “Good” Detection? | The Cybersec Café
  • Alerting and Detection Strategy Framework | Palantir
  • How to prioritize a Detection Backlog? | Alex Teixeira
  • Prioritization of the Detection Engineering Backlog | Joshua Prager & Emily Leidy
  • Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware
  • Detection LAB
  • Detect.fyi - Collection of good detection engineering articles.
  • My 2025 Detection Philosophy and the Pursuit of Immutable Artifacts | Koifsec
  • What Makes a “Good” Detection? | The Cybersec Café
  • Alerting and Detection Strategy Framework | Palantir
  • How to prioritize a Detection Backlog? | Alex Teixeira
  • Prioritization of the Detection Engineering Backlog | Joshua Prager & Emily Leidy
  • Can We Stop Documenting Our Detections?
  • Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware