The following is a compilation of various sources of detection mechanisms based on individual and community repositories.
Resource | Description | Platform | Detection Frameworks | Keywords
---|---|---|---|---
Microsoft 365 Defender Hunting Queries | Open source projects and samples from Microsoft | Microsoft | |
Splunk Security Content | This project gives you access to our repository of Analytic Stories that are security guides that provide background on TTPs, mapped to the MITRE framework, the Lockheed Martin Kill Chain, and CIS controls. They include Splunk searches, machine-learning algorithms, and Splunk Phantom playbooks (where available), all designed to work together to detect, investigate, and respond to threats. | Splunk | |
Detecting and Preventing Auto Forwarding and Phishing Attacks in Office 365 | LogRhythm blog on detecting O365 attacks. | LogRhythm | |
Blue Team Guide to Azure & Office 365 Monitoring | Splunk queries for Azure and Office 365 monitoring. | Splunk | |
Beating Pen Testers – RhythmWorld 2020 | RhythmWorld 2020 talk on detecting penetration testers via LogRhythm. | LogRhythm | |
Microsoft – Appendix L: Events to Monitor | Table of events that you should monitor in your environment, according to the recommendations provided in Monitoring Active Directory for Signs of Compromise. | Microsoft | |
Florian Roth's Sigma Rules | Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. | – | |
Splunk Security Essentials | Documentation site for the free Splunk app Splunk Security Essentials, with technical docs, guides, and a content list. | Splunk | |
MITRE Cyber Analytics Repository | The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the MITRE ATT&CK adversary model. CAR defines a data model that is leveraged in its pseudocode representations, but also includes implementations directly targeted at specific tools (e.g., Splunk, EQL) in its analytics. With respect to coverage, CAR is focused on providing a set of validated and well-explained analytics, in particular with regards to their operating theory and rationale. | – | |
SOC Prime | Threat Detection Marketplace | – | |
GoSplunk | Search GoSplunk's Query Repository | Splunk | |
PicusSecurity | Detection and prevention content for the FireEye Red Team Tool breach in Q4 2020, shared in this repo | Splunk | |
Cortex XDR Analytics Alert Reference | The Cortex XDR Analytics Alert Reference provides a description of every Cortex XDR Analytics Alert. Use this reference to understand what an alert means and what you should do about it. | Cortex XDR | |