df00tech/mitre-attack-detections
GitHub: df00tech/mitre-attack-detections
Stars: 3 | Forks: 1
# MITRE ATT&CK Detection Rules — KQL · SPL · EQL · Sigma (7 SIEMs)

Production-ready, MITRE ATT&CK–mapped detection rules for **7 SIEM platforms** — Microsoft Sentinel (KQL), Splunk (SPL), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic, Google Chronicle (YARA-L), and CrowdStrike LogScale (CQL) — plus a **Sigma rule** for every technique. Each detection ships with data sources, required tables, false-positive guidance, confidence, and severity.
Built and maintained by **[df00tech](https://df00tech.com/detections/)** — browse the full searchable library, ATT&CK matrix, and Pro purple-team packages at **[df00tech.com](https://df00tech.com/detections/)**.
## Quick start
**Grab a Sigma rule** (portable across SIEMs via [sigma](https://github.com/SigmaHQ/sigma)):
```
sigma/execution/T1059.001.yml
```
**Grab a native query** — ready to paste into your SIEM:
```
queries/kql/T1059.001.kql          ← Microsoft Sentinel
queries/spl/T1059.001.spl          ← Splunk
queries/elastic/T1059.001.eql      ← Elastic Security
queries/qradar/T1059.001.aql       ← IBM QRadar
queries/sumo-logic/T1059.001.txt   ← Sumo Logic
queries/chronicle/T1059.001.yaral  ← Google Chronicle
queries/logscale/T1059.001.cql     ← CrowdStrike LogScale
```
**Browse the metadata** — full detection JSON organised by tactic in `detections//.json`.
Files are named by MITRE ATT&CK ID (e.g. `T1059.001`) — use `grep`, GitHub search, or your file browser.
## Directory structure
```
├── sigma/            Sigma rules by tactic (728 .yml, portable to any SIEM)
├── queries/          Native query files, one dir per SIEM
│   ├── kql/ spl/ elastic/ qradar/ sumo-logic/ chronicle/ logscale/
├── detections/       Full detection JSON organised by ATT&CK tactic
├── scripts/          Generation tooling
├── LICENSE           MIT
└── CONTRIBUTING.md   How to submit improvements
```
## Coverage — 728 detections across 14 tactics
| Tactic | Detections |
|--------|-----------|
| Initial Access | 36 |
| Execution | 62 |
| Persistence | 133 |
| Privilege Escalation | 112 |
| Defense Evasion | 221 |
| Credential Access | 77 |
| Discovery | 50 |
| Lateral Movement | 28 |
| Collection | 43 |
| Exfiltration | 20 |
| Command and Control | 47 |
| Impact | 34 |
| Resource Development | 47 |
| Reconnaissance | 45 |
## Detection JSON schema
Each `detections//.json` contains:
| Field | Description |
|-------|-------------|
| `id` / `name` / `parentId` | MITRE ATT&CK technique ID, name, parent |
| `tacticIds` | MITRE tactic IDs |
| `description` | What the technique does |
| `kql`, `spl`, `elastic_eql`, `qradar_aql`, `sumo_logic`, `chronicle_yaral`, `crowdstrike_cql` | Per-platform query + metadata |
| `references` / `mitreSources` / `lastUpdated` | Provenance |
Each platform object includes `query`, `description`, `dataSources`, required tables/sources, `falsePositives`, `confidence`, and `severity`.
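As an added example (not tooling from this repository), a small Python loader that checks a detection JSON document against the field list above and pulls out one platform's native query. The sample document and its query strings are constructed; the key holding "required tables/sources" is not named in the schema table, so it is not checked.

```python
"""Check a df00tech-style detection JSON document and extract one SIEM's query.
Added example, not repository tooling; field names follow the README schema table."""
import json
from typing import Dict, List, Optional

PLATFORM_KEYS = ("kql", "spl", "elastic_eql", "qradar_aql",
                 "sumo_logic", "chronicle_yaral", "crowdstrike_cql")
REQUIRED_TOP = ("id", "name", "tacticIds", "description")
REQUIRED_PLATFORM = ("query", "description", "dataSources",
                     "falsePositives", "confidence", "severity")
# Constructed sample: one complete platform object (kql) and one incomplete (spl).
SAMPLE_JSON = json.dumps({
    "id": "T1059.001", "name": "PowerShell", "parentId": "T1059",
    "tacticIds": ["TA0002"],
    "description": "Adversaries may abuse PowerShell commands and scripts.",
    "kql": {
        "query": "DeviceProcessEvents | where FileName =~ 'powershell.exe'",
        "description": "PowerShell process creation",
        "dataSources": ["Process: Process Creation"],
        "falsePositives": ["Administrative scripts"],
        "confidence": "medium", "severity": "medium",
    },
    "spl": {"query": "index=main sourcetype=WinEventLog:Security", "severity": "medium"},
})

def load_detection(text: str) -> Dict:
    """Parse one detection document (the JSON text of a detections/ file)."""
    return json.loads(text)

def validate_detection(doc: Dict) -> List[str]:
    """Return human-readable problems; an empty list means the document is usable."""
    problems = [f"missing top-level field '{k}'" for k in REQUIRED_TOP if k not in doc]
    if not str(doc.get("id", "")).startswith("T"):
        problems.append("id is not an ATT&CK technique ID")
    for key in PLATFORM_KEYS:
        platform = doc.get(key)
        if platform is None:
            continue  # a platform may legitimately be absent for a technique
        for field in REQUIRED_PLATFORM:
            if field not in platform:
                problems.append(f"{key}: missing '{field}'")
    return problems

def extract_query(doc: Dict, platform: str) -> Optional[str]:
    """Return the native query for one SIEM key (e.g. 'kql'), or None if not shipped."""
    obj = doc.get(platform)
    return obj.get("query") if isinstance(obj, dict) else None

if __name__ == "__main__":
    print(validate_detection(load_detection(SAMPLE_JSON)))
```

Point `load_detection` at the real files under `detections/` to find platform objects that are missing tuning metadata before loading them into a SIEM.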
## Sigma rules
The `sigma/` directory contains one auto-generated [Sigma](https://github.com/SigmaHQ/sigma) rule per technique, derived from the same detection logic. Convert them to any backend with `sigma convert` (sigma-cli). They're a starting point — review `logsource` and tune for your environment.
## Pro features (df00tech.com)
This repo is the free tier. **[df00tech.com](https://df00tech.com/detections/pricing)** adds, for security teams:
- **Response playbooks** — triage, containment, evidence collection
- **Investigation & hunting queries** — forensic artifacts and tuning guidance
- **Atomic Red Team tests** — validated commands with expected telemetry and cleanup
- **Bulk export & API access** — all detections, all platforms
See **[df00tech.com/detections/pricing](https://df00tech.com/detections/pricing)** — Pro £29/mo, MSP Pack £299/mo.
## License
MIT — see [LICENSE](LICENSE).
*Maintained by [df00tech.com](https://df00tech.com/detections/) — detection engineering for defenders.*