aring87/Detection-Engineering

Detection Engineering

A centralized repository for building, governing, validating, and reporting on a modern detection engineering program.


This repository serves as a one-stop location for:

  • detection engineering strategy and program documentation
  • executive proposal and maturity reporting
  • detection-as-code content for Microsoft Sentinel
  • governance, validation, tuning, and lifecycle standards
  • ATT&CK and Cyber Kill Chain coverage tracking
  • analyst triage guidance and operational support
  • future multi-platform expansion, including Splunk

Purpose

Detection engineering is more than writing alert logic. A mature program requires structure, governance, testing, reporting, and repeatable workflows that turn threat hypotheses into reliable, supportable analytics.

This repository is designed to support that full lifecycle.


Start Here

Leadership

Use these documents for program intent, operating model, roadmap, and reporting:

Detection Engineers

Use these resources to build, review, validate, and maintain detection content:

SOC / Incident Response

Use these resources for investigation, escalation, and operational alignment:


Repository Map

  • docs/ — executive artifacts, strategy, process, visuals, and reporting
  • detections/ — detection content managed as code
  • content/ — templates, triage guides, and reusable operational content
  • governance/ — naming, severity, lifecycle, tagging, and quality standards
  • coverage/ — ATT&CK and Cyber Kill Chain coverage tracking
  • automation/ — scripts, schemas, and deployment helpers
  • tests/ — validation support and testing references
  • .github/ — workflows, templates, and contribution support

Executive Documents

Core program artifacts are located in docs/executive/:


Current Focus

This repository is currently centered on Microsoft Sentinel detection engineering and is structured to mature into a broader, multi-platform detection engineering program over time.

Planned future growth includes:

  • expanded automation and validation workflows
  • stronger deployment and reporting pipelines
  • additional platform support such as Splunk
  • shared governance and reporting across security platforms

Detection Lifecycle

Detection content should move through a controlled lifecycle:

  • experimental
  • testing
  • production
  • deprecated

See:


Contribution Model

All content should be version controlled, reviewed, and validated before promotion.

Recommended flow:

  1. Submit a request or change
  2. Review metadata, mapping, and quality
  3. Validate logic and operational usefulness
  4. Document tuning or triage considerations
  5. Merge through pull request review
  6. Promote through lifecycle stages
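One way to mechanise steps 2, 3 and 6 of this flow together with the stages listed under Detection Lifecycle, as an added example that is not this repository's own code: a metadata gate that rejects malformed lifecycle, ATT&CK and Kill Chain tags and lets only a clean rule advance one stage at a time. The field names, the lower-case tag vocabulary and both sample rules are assumptions; a real detections/ file would be loaded with PyYAML's yaml.safe_load before being passed in.

```python
import re

# Lifecycle stages in the README's promotion order; "deprecated" may follow any stage.
LIFECYCLE_STAGES = ("experimental", "testing", "production", "deprecated")
# Cyber Kill Chain stage names, lower-cased; assumed tag vocabulary for this example.
KILL_CHAIN_STAGES = {"reconnaissance", "weaponization", "delivery", "exploitation",
                     "installation", "command-and-control", "actions-on-objectives"}
SEVERITIES = {"informational", "low", "medium", "high"}  # Sentinel analytics rule levels
ATTACK_TECHNIQUE = re.compile(r"^T\d{4}(\.\d{3})?$")      # e.g. T1059 or T1059.001
# Assumed field names for this example; the repository's real schema may differ.
REQUIRED_FIELDS = ("name", "description", "severity", "lifecycle",
                   "attack_techniques", "kill_chain_stage", "query")

def validate_rule(rule: dict) -> list[str]:
    """Return metadata problems found in one parsed rule; empty means it passes review."""
    errors = []
    for field in REQUIRED_FIELDS:
        if not rule.get(field):
            errors.append(f"missing required field: {field}")
    if rule.get("lifecycle") not in LIFECYCLE_STAGES:
        errors.append(f"unknown lifecycle stage: {rule.get('lifecycle')!r}")
    if rule.get("severity") not in SEVERITIES:
        errors.append(f"unknown severity: {rule.get('severity')!r}")
    if rule.get("kill_chain_stage") not in KILL_CHAIN_STAGES:
        errors.append(f"unknown kill chain stage: {rule.get('kill_chain_stage')!r}")
    for technique in rule.get("attack_techniques") or []:
        if not ATTACK_TECHNIQUE.match(str(technique)):
            errors.append(f"malformed ATT&CK technique id: {technique!r}")
    return errors

def can_promote(rule: dict, target: str) -> bool:
    """Allow only clean rules to move one stage forward, or to deprecated from any stage."""
    if validate_rule(rule) or target not in LIFECYCLE_STAGES:
        return False
    current = LIFECYCLE_STAGES.index(rule["lifecycle"])
    return target == "deprecated" or LIFECYCLE_STAGES.index(target) == current + 1

# Constructed sample rules, shaped as yaml.safe_load() would return a detections/ file.
GOOD_RULE = {
    "name": "Suspicious PowerShell Encoded Command",
    "description": "Flags powershell.exe started with an encoded command line.",
    "severity": "medium", "lifecycle": "testing",
    "attack_techniques": ["T1059.001"], "kill_chain_stage": "exploitation",
    "query": "DeviceProcessEvents | where ProcessCommandLine has '-enc'",
}
# Same rule with four review failures: empty description, non-standard lifecycle tag,
# capitalised kill chain tag, and a sub-technique id with the wrong number of digits.
BAD_RULE = {**GOOD_RULE, "description": "", "lifecycle": "prod",
            "kill_chain_stage": "Exploitation", "attack_techniques": ["T1059.1"]}
```

Running the gate in a pull request workflow turns "review metadata, mapping, and quality" into a failing check rather than a reviewer's memory.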

See:


License

This repository is licensed under the MIT License. See LICENSE.

About

Everything from the detection engineering proposal through to a detection-as-code repository for Microsoft Sentinel, and eventually Splunk: YAML-based detection rules mapped to MITRE ATT&CK and Cyber Kill Chain stages, enriched with lifecycle tags and automated for CI/CD deployment.
