Detection Engineering Resources

The following is a compilation of various sources of detection mechanisms based on individual and community repositories.

| Resource | Description | Platform | Detection Frameworks | Keywords |
| --- | --- | --- | --- | --- |
| Microsoft 365 Defender Hunting Queries | Open source projects and samples from Microsoft | Microsoft | | |
| Splunk Security Content | This project gives you access to our repository of Analytic Stories that are security guides that provide background on TTPs, mapped to the MITRE framework, the Lockheed Martin Kill Chain, and CIS controls. They include Splunk searches, machine-learning algorithms, and Splunk Phantom playbooks (where available)—all designed to work together to detect, investigate, and respond to threats. | Splunk | | |
| Detecting and Preventing Auto Forwarding and Phishing Attacks in Office 365 | LogRhythm blog on detecting O365 attacks. | LogRhythm | | |
| Blue Team Guide to Azure & Office 365 Monitoring | Splunk queries for Azure and Office 365 monitoring. | Splunk | | |
| Beating Pen Testers – RhythmWorld 2020 | RhythmWorld 2020 talk on detecting penetration testers via LogRhythm. | LogRhythm | | |
| Microsoft – Appendix L: Events to Monitor | The following table lists events that you should monitor in your environment, according to the recommendations provided in Monitoring Active Directory for Signs of Compromise. | Microsoft | | |
| Florian Roth's Sigma Rules | Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. | | | |
| Splunk Security Essentials | Welcome to the Splunk Security Essentials documentation site! Here you will find a variety of technical docs, along with guides, and a content list for the free Splunk app, Splunk Security Essentials. | Splunk | | |
| MITRE Cyber Analytics Repository | The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the MITRE ATT&CK adversary model. CAR defines a data model that is leveraged in its pseudocode representations, but also includes implementations directly targeted at specific tools (e.g., Splunk, EQL) in its analytics. With respect to coverage, CAR is focused on providing a set of validated and well-explained analytics, in particular with regards to their operating theory and rationale. | | | |
| SOC Prime | Threat Detection Marketplace | | | |
| GoSplunk | Search GoSplunk's Query Repository | Splunk | | |
| PicusSecurity | We shared our detection and prevention content for the FireEye Red Team Tool breach in Q4 2020 in this repo | Splunk | | |
| Cortex XDR Analytics Alert Reference | The Cortex XDR Analytics Alert Reference provides a description of every Cortex XDR Analytics Alert. Use this reference to understand what an alert means and what you should do about it. | Cortex XDR | | |