Awesome Detection Engineering [](https://awesome.re)

July 8, 2026 · View on GitHub

Detection Engineering is a tactical function of a cybersecurity defense program that involves the design, implementation, and operation of detective controls with the goal of proactively identifying malicious or unauthorized activity before it negatively impacts an individual or an organization.

All contributions are welcome, please carefully review the contributing guidelines prior to submitting a pull request.

Contents

Concepts & Frameworks

Detection Content & Signatures

  • Rulehound - An index of publicly available and open-source threat detection rulesets.
  • MITRE Cyber Analytics Repository (CAR) - MITRE's well-maintained repository of detection content.
  • CAR Coverage Comparision - A matrix of MITRE ATT&CK technique IDs and links to available Splunk Security Content, Elastic detection rules, Sigma rules, and CAR content.
  • Sigma Rules - Sigma's repository of turnkey detection content. Content can be converted for use with most SIEMs.
  • Sigma rule converter - An opensource tool that can convert detection content for use with most SIEMs.
  • AttackRuleMap - Mapping of open-source detection rules and atomic tests.
  • Splunk Security Content - Splunk's open-source and frequently updated detection content that can be tweaked for use in other tools.
  • Elastic Detection Rules - Elastic's detection rules written natively for the Elastic SIEM. Can easily be converted for use by other SIEMs using Uncoder.
  • Elastic Endpoint Behavioral Rules - Elastic's endpoint behavioral (prevention) rules written in EQL, natively for the Elastic endpoint agent.
  • Agent Threat Rules (ATR) - An open MIT detection-rule standard for AI-agent and MCP attacks (prompt injection, tool poisoning, context exfiltration), like Sigma or YARA for the agent layer, with OWASP LLM/Agentic and MITRE ATLAS mappings on each rule.
  • Elastic Yara Signatures - Elastic's YARA signatures, which run on the Elastic endpoint agent.
  • Elastic Endpoint Ransomware Artifact - Elastic's ranswomware artifact, which runs on the Elastic endpoint agent.
  • Chronicle (GCP) Detection Rules - Chronicle's detection rules written natively for the the Chronicle Platform.
  • Exabeam Content Library - Exabeam's out of the box detection content compatible with the Exabeam Common Information Model.
  • Panther Labs Detection Rules - Panther Lab's native detection rules.
  • Anvilogic Detection Armory - Anvilogic's opensource and publicly available detection content.
  • AWS GuardDuty Findings - A list of all AWS GuardDuty Findings, their descriptions, and associated data sources.
  • GCP Security Command Center Findings - A list of all GCP Security Command Center Findings, their descriptions, and associated data sources.
  • Azure Defender for Cloud Security Alerts - A list of all Azure Security for Cloud Alerts, their descriptions, and associated data sources.
  • Center for Threat Informed Defense Security Stack Mappings - Describes cloud computing platform's (Azure, AWS) built-in detection capabilities and their mapings to the MITRE ATT&CK framework.
  • Detection Engineering with Splunk - A GitHub repo dedicated to sharing detection analytics in SPL.
  • Google Cloud Security Analytics - This repository serves as a community-driven list of sample security analytics for auditing cloud usage and for detecting threats to your data & workloads in Google Cloud.
  • KQL Advanced Hunting Queries & Analytics Rules - A list of endpoint detections and hunting queries for Microsoft Defender for Endpoint, Defender For Identity, and Defender For Cloud Apps.
  • Sigma2KQL - A repository of all SIGMA rules converted to KQL that runs on a weekly schedule to update the repository and align with the up to date version of the SIGMA rules repository.
  • TerraSigma - A repository of all SIGMA rules converted to Microsoft Sentinel Terraform Scheduled analytic resources. The repository runs on a weekly schedule to update the repository and align with the up to date version of the SIGMA rules repository. Proper entity mapping is completed for the rules to ensure the repo is plug-and-play.
  • Detections Digest | Sergey Polzunov - A newsletter that features updates from many popular detection content sources listed here.

Logging, Monitoring & Data Sources

  • Windows Logging Cheatsheets - Multiple cheatsheets outlined recommendations for Windows Event logging at various levels of granularity.
  • Linux auditd Detection Ruleset - Linux auditd ruleset that produces telemetry required for threat detection use cases.
  • MITRE ATT&CK Data Sources Blog Post - MITRE describes various data sources and how they relate to the TTPs found in the MITRE ATT&CK framework.
  • MITRE ATT&CK Data Sources List - Data source objects added to MITRE ATT&CK as part of v10.
  • Splunk Common Information Model (CIM) - Splunk's proprietary model used as a framework for normalizing security data.
  • Elastic Common Schema - Elastic's proprietary model used as a framework for normalizing security data.
  • Exabeam Common Information Model - Exabeam's proprietary model used as a framework for normalizing security data.
  • Open Cybersecurity Schema Framework (OCSF) - An opensource security data source and event schema.
  • osquery | Facebook - A SQL-powered operating system instrumentation, monitoring, and analytics framework that exposes OS data as relational tables for querying and detection.
  • Loghub - Opensource and freely available security data sources for research and testing.
  • Elastalert | Yelp - ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch.
  • Matano - Open source cloud-native security lake platform (SIEM alternative) for threat hunting, Python detections-as-code, and incident response on AWS 🦀.
  • Microsoft XDR Advanced Hunting Schema To help with multi-table queries, you can use the advanced hunting schema, which includes tables and columns with event information and details about devices, alerts, identities, and other entity types.
  • InnerWarden - Autonomous security agent for Linux with real-time threat detection and response via 38 eBPF hooks, 48 detectors, and 23 correlation rules.
  • Rustinel | Karib0u - Open-source endpoint detection engine for Windows and Linux that collects ETW/eBPF telemetry and evaluates Sigma, YARA, and IOC detections.

General Resources