TerminalsandCoffee/detection-engineering

This is a public repo for gaining knowledge and hands-on experience for detection engineering fundamentals

Detection Engineering Fundamentals

A comprehensive repository for creating, managing, and validating security detection rules in TOML format, mapped to the MITRE ATT&CK framework.

Overview

This repository contains custom security detection rules designed to identify malicious activity across enterprise environments. Each detection is structured in TOML format and includes metadata, query logic, risk scoring, and MITRE ATT&CK framework mappings.

Detection Engineering is a critical component of Security Operations that:

  • Creates custom alerts for Incident Response teams
  • Develops unit tests to confirm working detections & capabilities
  • Bridges the gap between threat intelligence and actionable security monitoring

Repository Structure

detection-engineering/
├── detections/          # TOML-formatted detection rules
├── development/         # Python scripts for validation and conversion
├── metrics/             # Generated metrics, reports, and visualizations
├── theory/              # Documentation on detection engineering concepts
└── .github/workflows/   # GitHub Actions workflows (currently disabled)

Detection Format

Each detection rule is stored as a TOML file with the following structure:

[metadata]
creation_date = "YYYY/MM/DD"

[rule]
author = ["Author Name"]
description = "Detection description"
name = "Detection Name"
risk_score = 50
severity = "medium"
type = "query"
rule_id = "unique-uuid"
query = "your detection query here"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

Theory & Documentation

Explore detection engineering concepts in the theory/ directory:

Detection Requirements

  • Valid TOML syntax
  • All required fields present
  • Valid MITRE ATT&CK technique/tactic mappings
  • Unique rule_id (UUID format)
  • Descriptive name and description
  • Appropriate risk_score and severity
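As an added example (not one of the repository's own development/ scripts), the checker below parses a rule in the TOML structure from the Detection Format section and reports every requirement from the list above that it fails, including rule_id collisions across several files. The severity vocabulary, the 0-100 risk_score range and the two sample rules are assumptions constructed for this example; it needs Python 3.11 for tomllib (or the tomli backport).

```python
import re
import uuid

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib  # type: ignore  # backport for older interpreters

REQUIRED_RULE_FIELDS = ("author", "description", "name", "risk_score",
                        "severity", "type", "rule_id", "query")
VALID_SEVERITIES = {"low", "medium", "high", "critical"}  # assumed vocabulary
DATE_RE = re.compile(r"^\d{4}/\d{2}/\d{2}$")              # "YYYY/MM/DD" per README
TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")        # T1059 or sub-technique T1059.001
TACTIC_RE = re.compile(r"^TA\d{4}$")


def validate_rule_text(text: str) -> list[str]:
    """Return the requirement violations for one TOML rule (empty list means valid)."""
    errors: list[str] = []
    try:
        doc = tomllib.loads(text)
    except tomllib.TOMLDecodeError as exc:
        return [f"invalid TOML syntax: {exc}"]

    meta = doc.get("metadata", {})
    if not DATE_RE.match(str(meta.get("creation_date", ""))):
        errors.append("metadata.creation_date missing or not YYYY/MM/DD")

    rule = doc.get("rule")
    if not isinstance(rule, dict):
        return errors + ["missing [rule] table"]
    for field in REQUIRED_RULE_FIELDS:
        if field not in rule:
            errors.append(f"rule.{field} is required")

    try:  # rule_id must be a real UUID, not the "unique-uuid" placeholder
        uuid.UUID(str(rule.get("rule_id", "")))
    except ValueError:
        errors.append("rule.rule_id is not a UUID")
    for field in ("name", "description"):  # descriptive means at least non-empty
        if not str(rule.get(field, "")).strip():
            errors.append(f"rule.{field} must be non-empty")

    score = rule.get("risk_score")
    if isinstance(score, bool) or not isinstance(score, int) or not 0 <= score <= 100:
        errors.append("rule.risk_score must be an integer 0-100")
    if rule.get("severity") not in VALID_SEVERITIES:
        errors.append(f"rule.severity must be one of {sorted(VALID_SEVERITIES)}")

    threats = rule.get("threat", [])
    if not threats:
        errors.append("at least one [[rule.threat]] entry is required")
    for i, threat in enumerate(threats):
        if threat.get("framework") != "MITRE ATT&CK":
            errors.append(f"rule.threat[{i}].framework must be 'MITRE ATT&CK'")
        for j, tech in enumerate(threat.get("technique", [])):
            tid = str(tech.get("id", ""))
            if not TECHNIQUE_RE.match(tid):
                errors.append(f"rule.threat[{i}].technique[{j}].id '{tid}' is not a technique ID")
            elif tech.get("reference") != f"https://attack.mitre.org/techniques/{tid.replace('.', '/')}/":
                errors.append(f"rule.threat[{i}].technique[{j}].reference does not match {tid}")
        tactic = threat.get("tactic")
        if not isinstance(tactic, dict):
            errors.append(f"rule.threat[{i}].tactic is required")
        elif not TACTIC_RE.match(str(tactic.get("id", ""))):
            errors.append(f"rule.threat[{i}].tactic.id is not a tactic ID")
    return errors


def validate_rules(rules: dict[str, str]) -> dict[str, list[str]]:
    """Validate several rules (path -> TOML text) and flag rule_ids shared between files."""
    results = {path: validate_rule_text(text) for path, text in rules.items()}
    seen: dict[str, str] = {}
    for path, text in rules.items():
        try:
            rid = str(tomllib.loads(text).get("rule", {}).get("rule_id", ""))
        except tomllib.TOMLDecodeError:
            continue
        if rid in seen:
            results[path].append(f"rule.rule_id duplicates {seen[rid]}")
        else:
            seen[rid] = path
    return results


# Constructed sample rules (not from the repository): one valid, one breaking several requirements.
GOOD_RULE = """
[metadata]
creation_date = "2024/01/15"

[rule]
author = ["Example Author"]
description = "Flags PowerShell started with an encoded command line for analyst review."
name = "PowerShell Encoded Command"
risk_score = 50
severity = "medium"
type = "query"
rule_id = "3f2c4a0e-8b7d-4e2a-9c1f-5d6e7a8b9c0d"
query = 'process.name:"powershell.exe" and process.args:"-EncodedCommand"'

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
"""

BAD_RULE = """
[metadata]

[rule]
author = ["Example Author"]
description = ""
name = "Broken"
risk_score = 150
severity = "urgent"
type = "query"
rule_id = "unique-uuid"
query = "event.code:4688"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
"""

if __name__ == "__main__":
    for path, errs in validate_rules({"good.toml": GOOD_RULE, "bad.toml": BAD_RULE}).items():
        print(path, "OK" if not errs else "\n  " + "\n  ".join(errs))
```

Point validate_rules at the contents of detections/*.toml (for example via pathlib.Path.glob) to get one report per file; a non-empty list for any file is the signal a CI step would fail on.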

License

MIT License - see LICENSE file for details.

Resources
