🛡️ Detection Engineering Starter Pack

An opinionated list of essential resources for aspiring Detection Engineers.

The goal of this starter pack is to provide a curated selection of resources to help you get started in detection engineering without feeling overwhelmed. This list is based on personal experience with various detection technologies. Hope it helps! 🚀

💬 Join the Discord

Connect with others to discuss all things threat detection and security engineering.

🔍 Understanding Attacker Techniques

See how attackers achieve their goals.

MITRE ATT&CK - The #1 knowledge base of adversary tactics and techniques.
Top 10 ATT&CK Techniques - A customisable page to display the most common ATT&CK techniques.
Hacking the Cloud - A collection of resources for understanding cloud-focused attack techniques.
The DFIR Report - Real-world incidents analysed and described with a defender's mindset. A personal favourite.

📜 Getting to Know Detection Rules

Example repositories showcasing how detections are structured and applied.

Sigma - The generic detection signature format.
Splunk Detection Rules - A collection of detection rules for Splunk.
Elastic Detection Rules - A collection of detection rules for Elastic.
Detection Studio - Convert Sigma rules to other detection rule syntaxes.

🛠️ Trying It Out Yourself

Tools to play with that are either open source or have a free-tier element.

🔒 Endpoint Detection

Aurora - An agent that can run Sigma rules. Load up your Sigma rules, and create alerts from your event logs.
Velociraptor - A digital forensic and incident response tool that enhances your visibility into your endpoints.
Falco - A cloud-native runtime security tool to detect threats within containers.
Sysmon - A simple Windows system monitor.
Osquery - An operating system instrumentation framework.

🌐 Network Detection

Suricata - Detection rules designed to interrogate network traffic for suspicious activity.

📂 File Content Detection

YARA - Detection rules for identifying and classifying malware samples.

📊 SIEM (Security Information and Event Management)

Elastic Stack (ELK) - A suite of tools for search, logging, and analytics.
Wazuh - An open-source security monitoring platform.

⚙️ SOAR (Security Orchestration Automation and Response)

Tines - A no-code automation platform for security teams. Great for automating anything, quickly. Has a free tier.

🎭 Adversary Emulation

Adversary Emulation Library - A library of adversary emulation plans.
MITRE Caldera - An automated adversary emulation platform.
Stratus Red Team - A tool for adversary emulation in the cloud.
Atomic Red Team - A library of simple adversary emulation tests.
TTPForge - A tool for creating and managing TTPs.

🧬 Data Engineering

OCSF Schema - An open, vendor-neutral standard that defines a common, extensible schema for security events across multiple data formats.

📚 Useful Concepts

Detection Engineering Behavior Maturity Model - a structured approach for security teams to consistently mature their processes and behaviors from Elastic.
Alerting Detection Strategy (ADS) Framework - A simple framework for building detection strategies from Palantir.
Summiting the Pyramid - Building on the 'pyramid of pain', this work defines what it really means to have a robust detection.
Capability Abstraction - One of my favourite articles - 'Capability Abstraction' from SpecterOps. Explores similar concepts to the above 'summiting the pyramid' project.

🧪 Labs & Training

Blue Team Labs Online - A platform for hands-on blue team training.
ACE Responder - A realistic and immersive platform for existing cyber defenders and newcomers alike.

📖 Further Reading & Interesting Projects

A handpicked selection of materials that have inspired me.

Detections.ai - An AI-powered and community-driven platform to share & improve detection rules. Use invite code StarterPack.
ACEResponder - An X account sharing attacker techniques visually.
Detect FYI - A Medium publication focused solely on detection engineering.
Detection Engineering Weekly - A weekly newsletter on Detection Engineering.
EDR Telemetry - A resource that compares popular EDR tools with one another.
MITRE ATLAS - ATT&CK, but for AI.
Prioritizing Detection Engineering - A well-written piece from Ryan McGeehan on how to think about prioritising your detection engineering efforts.
How Google Does It - How Google does threat detection at massive scale.
Notable security vendor blogs for defenders:

🌟 Awesome Lists

If you are hungry for more resources, check out these awesome lists.

Awesome Kubernetes Threat Detection - A list of Kubernetes threat detection resources.
Awesome Threat Intel Blogs - A curated list of threat intelligence blogs and publications.
Awesome Detection Engineering - A curated list of detection engineering resources.
Awesome Threat Detection - A collection of threat detection resources.
Awesome Detection Engineer - A list of resources for detection engineers.
Blue Team Tools - A collection of tools for blue teamers.

rfackroyd/detection-engineering-starter-pack