st0pp3r/awesome-detection-engineer

GitHub: st0pp3r/awesome-detection-engineer

A resource index tailored to detection engineers, covering detection rules, logging configuration, attack emulation tools and learning material.

Stars: 151 | Forks: 17

# Awesome Detection Engineer [![Awesome](https://awesome.re/badge.svg)](https://awesome.re) [![URL Check](https://static.pigsec.cn/wp-content/uploads/repos/2026/03/d2f71a743c012303.svg)](https://github.com/st0pp3r/Awesome-Detection-Engineer/actions/workflows/url_check.yml) [![Create Bookmarks File](https://static.pigsec.cn/wp-content/uploads/repos/2026/03/89770d0e0a012304.svg)](https://github.com/st0pp3r/Awesome-Detection-Engineer/actions/workflows/create_bookmarks.yml) [![Spell Check](https://static.pigsec.cn/wp-content/uploads/repos/2026/03/21c9a0490b012305.svg)](https://github.com/st0pp3r/awesome-detection-engineer/actions/workflows/spell_check.yml)

Online resources for detection engineers. Includes detection rules, detection logic, attack samples, detection tests and emulation tools, logging configuration and best practices, event log references, resources, labs, data manipulation online tools, blogs, newsletters, good reads, books, trainings, podcasts, videos and Twitter/X accounts.

This repository generates a bookmarks file that you can import into your browser.

The resources are, as far as possible, tailored to the detection engineer role rather than the cybersecurity field in general.

**Contributions are welcome!**

## Contents

- [Detection Rules](#detection-rules) - Online databases containing detection rules.
- [Detection Logic](#detection-logic) - Resources containing detection logic.
- [Attack Samples](#attack-samples) - Attack samples for replaying attacks and testing detection logic.
- [Detection Tests and Emulation Tools](#detection-tests-and-emulation-tools) - Tools and tests for testing detection logic and emulating attacks.
- [Logging Configuration and Best Practices](#logging-configuration-and-best-practices) - Guides for configuring and tuning logging.
- [Event Log References](#event-log-references) - Vendor documentation and references on event logs.
- [Resources](#resources) - Resources useful to detection engineers.
- [Labs](#labs) - Labs dedicated to detection engineers.
- [Data Manipulation Online Tools](#data-manipulation-online-tools) - Useful online tools for the daily work of a detection engineer.
- [Blogs](#blogs) - Blogs that regularly publish detection engineering content.
- [Newsletters](#newsletters) - Newsletters with detection engineering updates.
- [Good Reads](#good-reads) - Notable blog posts related to detection engineering.
- [Books](#books) - Books on detection engineering.
- [Trainings](#trainings) - Available trainings focused on detection engineering.
- [Podcasts](#podcasts) - Podcasts focused on detection engineering.
- [Videos](#videos) - Videos focused on detection engineering.
- [Conferences](#Conferences) - Conferences focused on detection engineering.
- [Twitter/X](#twitterx) - Relevant Twitter/X accounts.
- [Other Resource Aggregator Projects](#other-resource-aggregator-projects) - Similar resource aggregator projects.

### Detection Rules

- [Sigma Rules](https://github.com/SigmaHQ/sigma) - A large collection of detection rules from SigmaHQ.
- [Elastic Rules](https://www.elastic.co/guide/en/security/current/prebuilt-rules.html), [Elastic Detection Rules Explorer](https://elastic.github.io/detection-rules-explorer) or [Elastic Rules GitHub Repository](https://github.com/elastic/detection-rules/tree/main/rules) - Elastic's detection rules.
- [Elastic Security for Endpoint Rules](https://github.com/elastic/protections-artifacts/tree/main) - Elastic's Security for Endpoint detection rules.
- [Splunk Rules](https://research.splunk.com/detections/) and [Splunk Rules GitHub Repository](https://github.com/splunk/security_content/tree/develop/detections) - Splunk's detection rules.
- [Sentinel Detections](https://github.com/Azure/Azure-Sentinel/tree/master/Detections) and [Sentinel Solution Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions) - A collection of KQL detection queries for Sentinel.
- [FortiSIEM Rules](https://help.fortinet.com/fsiem/Public_Resource_Access/7_2_2/rules/rule_descriptions.htm) - FortiSIEM's detection rules.
- [LogPoint Rules](https://docs.logpoint.com/docs/alert-rules/en/latest/index.html) - LogPoint's alert rules.
- [Datadog Detections](https://docs.datadoghq.com/security/default_rules/#all) - A collection of Datadog's detection rules.
- [Wazuh Ruleset](https://github.com/wazuh/wazuh/tree/master/ruleset) - The Wazuh ruleset repository.
- [Sigma Rules | mdecrevoisier](https://github.com/mdecrevoisier/SIGMA-detection-rules) - A collection of Sigma rules.
- [Sigma Rules | Yamato Security](https://github.com/Yamato-Security/hayabusa-rules/tree/main/sigma) - A collection of Sigma rules.
- [Sigma Rules | tsale](https://github.com/tsale/Sigma_rules/tree/main) - A collection of Sigma rules.
- [Sigma Rules | JoeSecurity](https://github.com/joesecurity/sigma-rules/tree/master/rules) - A collection of Sigma rules.
- [Sigma Rules Threat Hunting Keywords | mthcht](https://github.com/mthcht/ThreatHunting-Keywords-sigma-rules/tree/main/sigma_rules/offensive_tools) - A collection of Sigma rules.
- [Sigma Rules | mbabinski](https://github.com/mbabinski/Sigma-Rules/tree/main) - A collection of Sigma rules.
- [Sigma Rules | Inovasys-CS](https://github.com/Inovasys-CS/EDI/tree/main) - A collection of Sigma rules.
- [Sigma Rules | RussianPanda95](https://github.com/RussianPanda95/Sigma-Rules) - A collection of Sigma rules.
- [KQL Queries | FalconForce](https://github.com/FalconForceTeam/FalconFriday/tree/master) - A collection of KQL queries.
- [KQL Queries | SecurityAura](https://github.com/SecurityAura/DE-TH-Aura) - A collection of KQL queries.
- [KQL Queries for Sentinel | reprise99](https://github.com/reprise99/Sentinel-Queries) - A collection of KQL queries.
- [KQL Queries | Cyb3r Monk](https://github.com/Cyb3r-Monk/Threat-Hunting-and-Detection/tree/main) - A collection of KQL queries.
- [KQL Queries for DefenderATP | 0xAnalyst](https://github.com/0xAnalyst/DefenderATPQueries) - A collection of KQL queries.
- [KQL Queries | Bert-JanP](https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/tree/main) - A collection of KQL queries.
- [KQL Queries | SlimKQL](https://github.com/SlimKQL/Hunting-Queries-Detection-Rules) - A collection of KQL queries.
- [KQL Queries | cyb3rmik3](https://github.com/cyb3rmik3/KQL-threat-hunting-queries) - A collection of KQL queries.
- [KQL Search](https://www.kqlsearch.com/) - A collection of KQL queries gathered from various GitHub repositories.
- [Rulehound](https://rulehound.com/rules) - Detection rule search engine.
- [DetectionCode](https://detectioncode.com/) - Detection rule search engine.
- [Attack Rule Map](https://attackrulemap.com/) - Mapping of open-source detection rules.
- [MITRE Cyber Analytics Repository (CAR)](https://car.mitre.org/) and [MITRE Cyber Analytics Repository (CAR) Coverage Comparison](https://car.mitre.org/coverage/) - The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics based on the MITRE ATT&CK framework.
- [Google Cloud Platform (GCP) Community Security Analytics](https://github.com/GoogleCloudPlatform/security-analytics) - Security analytics for monitoring cloud activity inside Google Cloud.
- [Anvilogic Detection Armory](https://github.com/anvilogic-forge/armory/tree/main/detections) - Publicly released detection rules from the Anvilogic Platform Armory.
- [Chronicle (GCP) Rules](https://github.com/chronicle/detection-rules) - Detection rules written for the Chronicle Platform.
- [SOC Prime](https://socprime.com/) - A good collection of free and paid detection rules (registration required).
- [SnapAttack](https://snapattack.com/) - A collection of free and paid detection rules (registration required).

### Detection Logic

- [Active Directory Detection Logic | Picus](https://www.picussecurity.com/hubfs/Threat%20Readiness%20-%20Active%20Directory%20Ebook%20-%20Q123/Picus-The-Complete-Active-Directory-Security-Handbook.pdf) - A handbook with descriptions of Active Directory attacks and detection recommendations.
- [Antivirus Cheatsheet | Nextron Systems](https://www.nextron-systems.com/?s=antivirus) - Antivirus keywords and detection logic from Nextron.
- [Detecting the Elusive Active Directory Threat Hunting](https://adsecurity.org/wp-content/uploads/2017/04/2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf) - A BSides presentation with detection logic for Active Directory attacks.
- [Awesome Lists | mthcht](https://github.com/mthcht/awesome-lists/tree/main/Lists) - Keywords and paths of various tools that can be used to implement detection logic.
- [Active Directory Security (adsecurity.org)](https://adsecurity.org/?page_id=4031) - A page dedicated to Active Directory security. Includes attack descriptions and detection recommendations.
- [Tool Analysis Results Sheet | jpcertcc](https://jpcertcc.github.io/ToolAnalysisResultSheet) - Results of examining the logs recorded after executing 49 tools on Windows.
- [Offensive Kerberos Techniques for Detection Engineering | Noah](https://medium.com/@noah_h/offensive-kerberos-techniques-for-detection-engineering-16a81483f676)

### Attack Samples

- [EVTX Attack Samples](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) - Event Viewer attack samples.
- [EVTX to MITRE Attack](https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack) - IOCs in EVTX format.
- [Security Datasets](https://github.com/OTRF/Security-Datasets/tree/master/datasets) - Datasets of malicious and benign indicators from different platforms.
- [Mordor Dataset](https://github.com/UraSecTeam/mordor) - Pre-recorded security events generated after simulating adversarial techniques.
- [Attack Data | Splunk](https://github.com/splunk/attack_data) - A repository with various attack datasets.
- [Secrepo](https://secrepo.com/) - Samples of security-related data of various types.
- [PCAP-ATTACK | sbousseaden](https://github.com/sbousseaden/PCAP-ATTACK) - PCAP captures mapped to the relevant attack tactics.
- [malware-traffic-analysis.net](https://malware-traffic-analysis.net/) - A site that shares packet captures and malware samples.
- [NetreSec PCAPs](https://www.netresec.com/?page=PcapFiles) - A list of public packet capture repositories.

### Detection Tests and Emulation Tools

- [HackingTheCloud](https://hackingthe.cloud) - An encyclopedia of cloud exploitation attacks, tactics and techniques.
- [Atomic Red Team | Red Canary](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics) - Tests mapped to the MITRE ATT&CK framework.
- [Stratus Red Team | DataDog](https://github.com/DataDog/stratus-red-team) - Similar to Atomic Red Team, but for cloud environments.
- [MalwLess Simulation Tool (MST)](https://github.com/n0dec/MalwLess) - An open-source tool that lets you simulate a compromised system or attack behaviour without running processes.
- [LOLBAS Project](https://lolbas-project.github.io/) - Binaries, scripts and libraries that can be used for Living Off The Land techniques. Includes commands that can be used to test TTPs.
- [LOLOL Farm](https://lolol.farm/) - A rich collection of Living Off The Land resources. Includes commands that can be used to test TTPs.
- [MITRE Caldera](https://caldera.mitre.org/) - An adversary emulation framework developed by MITRE.
- [Active Directory Attack Tests | Picus](https://www.picussecurity.com/hubfs/Threat%20Readiness%20-%20Active%20Directory%20Ebook%20-%20Q123/Picus-The-Complete-Active-Directory-Security-Handbook.pdf) - A handbook containing Active Directory attack tests.
- [Network Flight Simulator](https://github.com/alphasoc/flightsim#network-flight-simulator) - A lightweight utility for generating malicious network traffic.
- [APT Simulator](https://github.com/NextronSystems/APTSimulator#apt-simulator) - A Windows batch script that uses a set of tools and output files to make a system look compromised.
- [Infection Monkey](https://github.com/guardicore/monkey#infection-monkey) - An open-source adversary emulation platform.
- [rtt.secdude.de](https://rtt.secdude.de/) - A nice page with commands mapped to MITRE ATT&CK.
- [Network Flight Simulator](https://github.com/alphasoc/flightsim) - Flightsim is a lightweight utility for generating malicious network traffic.

### Logging Configuration and Best Practices

- [OWASP Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)
- [Microsoft Monitoring Active Directory](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise)
- [Microsoft Windows Audit Policy Recommendations](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations)
- [Malware Archaeology Cheatsheets for Windows](https://www.malwarearchaeology.com/cheat-sheets)
- [Auditd Logging Configuration | Neo23x0](https://github.com/Neo23x0/auditd/blob/master/audit.rules)
- [Sysmon Configuration | SwiftOnSecurity](https://github.com/SwiftOnSecurity/sysmon-config)
- [Sysmon Configuration | Olaf Hartong](https://github.com/olafhartong/sysmon-modular)
- [KQL Query for Validating your Windows Audit Policy](https://blog.nviso.eu/2024/09/05/validate-your-windows-audit-policy-configuration-with-kql/)
- [Apache Logging Configuration](https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#logformat)
- [NGINX Configuring Access Log](https://docs.nginx.com/nginx/admin-guide/monitoring/logging/#setting-up-the-access-log)

### Event Log References

- [HackTheLogs](https://www.hackthelogs.com/)
- [Eventlog Compendium](https://eventlog-compendium.streamlit.app/) - Eventlog Compendium is the go-to resource for understanding Windows Event Logs.
- [Windows Event IDs and Audit Policies](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/advanced-security-audit-policy-settings)
- [Windows Security Log Event IDs Encyclopedia](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx?i=j)
- [Windows Logon Types](https://learn.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types)
- [Windows Logon Failure Codes](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625)
- [Azure SigninLogs Schema](https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs)
- [Azure SigninLogs Risk Detection](https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0)
- [AADSTS Error Codes](https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes)
- [Microsoft Errors Search](https://login.microsoftonline.com/error)
- [Microsoft Entra authentication and authorization error codes](https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes)
- [Microsoft Defender Event IDs](https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus)
- [Microsoft Defender for Cloud Alert References](https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference)
- [Microsoft Defender for Identity Alert References](https://learn.microsoft.com/en-us/defender-for-identity/alerts-overview)
- [Microsoft Defender XDR Schemas](https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-schema-tables)
- [Microsoft DNS Debug Event IDs](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)#dns-logging-and-diagnostics-1)
- [Sysmon Event IDs](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events)
- [Cisco ASA Event IDs](https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html)
- [Palo Alto PAN-OS Log Fields](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions)
- [Palo Alto PAN-OS Threat Categories](https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/threat-prevention/threat-signature-categories)
- [Palo Alto PAN-OS Applications](https://applipedia.paloaltonetworks.com/)
- [FortiGate FortiOS Log Types and Subtypes](https://docs.fortinet.com/document/fortigate/7.6.1/fortios-log-message-reference/160372/list-of-log-types-and-subtypes)
- [FortiGate FortiOS Log Fields](https://docs.fortinet.com/document/fortigate/7.6.1/fortios-log-message-reference/357866/log-message-fields)
- [FortiGate FortiGuard](https://www.fortiguard.com/encyclopedia?type=ips)
- [GCP Threat Detection Findings](https://cloud.google.com/security-command-center/docs/concepts-security-sources#threats)
- [GuardDuty Finding Types](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html)
- [Barracuda Firewall Log Files Structure and Log Fields](https://campus.barracuda.com/product/cloudgenfirewall/doc/172623663/available-log-files-and-structure)
- [Barracuda Web Security Gateway Log Fields](https://campus.barracuda.com/product/websecuritygateway/doc/168742383/syslog-and-the-barracuda-web-security-gateway/)
- [Barracuda Web Application Firewall Log Format](https://campus.barracuda.com/product/webapplicationfirewall/doc/168312817/log-formats) and [Barracuda Web Application Firewall Log Formats](https://campus.barracuda.com/product/webapplicationfirewall/doc/168312823/exporting-log-formats)
- [Check Point Firewall Log Fields](https://support.checkpoint.com/results/sk/sk144192)
- [Cisco Umbrella Proxy Log Format](https://docs.umbrella.com/deployment-umbrella/docs/proxy-log-formats), [Cisco Umbrella DNS Log Format](https://docs.umbrella.com/deployment-umbrella/docs/dns-log-formats) and [Cisco Umbrella Content Categories](https://docs.umbrella.com/deployment-umbrella/docs/new-content-category-definitions)
- [Cisco WSA Access Log Fields](https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_010111.html#con_1679851) and [Cisco WSA Filtering Categories](https://www.cisco.com/c/en/us/products/collateral/security/web-security-appliance/datasheet_C78-718442.html)
- [Cisco ESA Log Types](https://www.cisco.com/c/en/us/td/docs/security/esa/esa15-0/user_guide/b_ESA_Admin_Guide_15-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html)
- [Juniper Junos OS Log Fields](https://www.juniper.net/documentation/us/en/software/junos/network-mgmt/topics/topic-map/system-logging-for-a-security-device.html)
- [Imperva Log Fields](https://docs.imperva.com/bundle/cloud-application-security/page/more/log-file-structure.htm) and [Imperva Event Types](https://docs.imperva.com/bundle/v15.3-waf-system-events-reference-guide/page/63179.htm)
- [Squid Log Fields and Log Types](https://wiki.squid-cache.org/SquidFaq/SquidLogs) and [Squid Log Format](https://wiki.squid-cache.org/Features/LogFormat)
- [Suricata Log Format](https://docs.suricata.io/en/latest/output/eve/eve-json-format.html)
- [ZScaler Web Log Format](https://help.zscaler.com/zia/nss-feed-output-format-web-logs), [ZScaler Firewall Log Format](https://help.zscaler.com/zia/nss-feed-output-format-firewall-logs), [ZScaler DNS Log Format](https://help.zscaler.com/zia/nss-feed-output-format-dns-logs) and [ZScaler URL Categories](https://help.zscaler.com/zia/about-url-categories).
- [Broadcom Edge Secure Web Gateway (Bluecoat) Access Log Format](https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/edge-swg/7-4/getting-started/page-help-administration/page-help-logging/log-formats.html) and [Broadcom Edge Secure Web Gateway (Bluecoat) Categories](https://sitereview.bluecoat.com/#/category-descriptions)
- [Broadcom Endpoint Protection Manager Log Format](https://knowledge.broadcom.com/external/article/155205/external-logging-settings-and-log-event.html)
- [SonicWall SonicOS Log Events Documentation](https://www.sonicwall.com/techdocs/pdf/sonicos-6-5-4-log-events-reference-guide.pdf)
- [WatchGuard Fireware OS Log Format](https://www.watchguard.com/help/docs/fireware/12/en-US/log_catalog/12_11_Log-Catalog.pdf)
- [Sophos Firewall Log Documentation](https://docs.sophos.com/nsg/sophos-firewall/19.5/PDF/SF-syslog-guide-19.5.pdf)
- [Sophos Central Admin Events](https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/LogsReports/Logs/Events/EventTypes/index.html#runtime-detections)
- [Apache Custom Log Format](https://httpd.apache.org/docs/2.4/mod/mod_log_config.html)
- [IIS Log File Format](https://learn.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525807(v=vs.90))
- [NGINX Access Log Format](https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log)
- [GitHub Event IDs](https://docs.github.com/en/enterprise-server@3.18/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise)

### Resources

- [MITRE ATT&CK®](https://attack.mitre.org/) - The MITRE ATT&CK knowledge base of adversary tactics and techniques.
- [DeTT&CT](https://github.com/rabobank-cdc/DeTTECT/) - DeTT&CT aims to help blue teams use ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours.
- [MITRE D3fend](https://d3fend.mitre.org/) - A knowledge base of cybersecurity countermeasures.
- [Zen of Security Rules | Justin Ibarra](https://br0k3nlab.com/resources/zen-of-security-rules/) - 19 rules for developing detection rules.
- [Uncoder IO](https://uncoder.io/) - Detection logic query converter.
- [Detection Studio](https://detection.studio/) - Sigma to SIEM query converter.
- [Alerting and Detection Strategies (ADS) Framework | Palantir](https://github.com/palantir/alerting-detection-strategy-framework#alerting-and-detection-strategies-framework) - A structured approach to designing and documenting effective detections.
- [Detection Engineering Maturity Matrix | Kyle Bailey](https://detectionengineering.io/) - Aims to help the community better measure the capability and maturity of their detection function.
- [Detection Engineering Maturity (DML) Model | Ryan Stillions](https://ryanstillions.blogspot.com/2014/04/the-dml-model_21.html) - A tool for assessing an organisation's detection engineering capability and maturity level.
- [MaGMa Use Case Framework](https://www.betaalvereniging.nl/wp-content/uploads/FI-ISAC-use-case-framework-verkorte-versie.pdf) - A methodology for defining and managing threat detection use cases.
- [Detection Engineering Cheatsheet | Florian Roth](https://x.com/cyb3rops/status/1592879894396293121) - A cheatsheet for prioritising detection development.
- [Microsoft Azure Security Control Mappings to MITRE ATT&CK](https://center-for-threat-informed-defense.github.io/security-stack-mappings/Azure/README.html) - Mapping coverage of various Azure security control products to MITRE ATT&CK.
- [Detection Practices | ncsc](https://www.ncsc.gov.uk/collection/building-a-security-operations-centre/detection/detection-practices) - General guidance on building a detection process.
- [EDR Telemetry | tsale](https://github.com/tsale/EDR-Telemetry/tree/main) - Telemetry comparison across different EDRs and a telemetry generator.
- [Threat Intel Reports](https://mthcht.github.io/ThreatIntel-Reports/) - Threat intelligence reports that can serve as inspiration for creating use cases.
- [xCyclopedia](https://github.com/strontic/xcyclopedia) - The xCyclopedia project aims to document all executable binaries (and eventually scripts) that reside on a typical operating system.
- [AD Detection Engineering Notes](https://vincent03dinh.wordpress.com/2025/04/24/active-directory-detection-engineering-notes/)
- [Adversarial Detection Engineering Framework](https://github.com/NikolasBielski/Adversarial-Detection-Engineering-Framework) - Adversarial Detection Engineering (ADE) is a discipline for reasoning about false negatives in detection rules.

### Labs

- [Splunk Attack Range](https://github.com/splunk/attack_range)
- [PurpleLab](https://github.com/Krook9d/PurpleLab)
- [BlueTeam.Lab](https://github.com/op7ic/BlueTeam.Lab)
- [Detection LAB](https://github.com/clong/DetectionLab/)
- [Constructing Defense](https://course.constructingdefense.com/constructing-defense)

### Data Manipulation Online Tools

- [Regex101](https://regex101.com/) - Regex testing.
- [Regexr](https://regexr.com/) - Regex testing.
- [CyberChef](https://gchq.github.io/CyberChef/) - Many data manipulation tools, decoders and decrypters.
- [JSON Formatter](https://jsonformatter.curiousconcept.com/#) - JSON beautifier.
- [JSONCrack](https://jsoncrack.com/editor) - JSON, YML, CSV, XML editor.
- [JSONing](https://jsoning.com/) - Many JSON tools.
- [Grok Debugger](https://grokdebugger.com/) - Text manipulation (remove duplicates, prefixes, suffixes, word count, etc.).
- [Text Mechanic](https://textmechanic.com/) - Text manipulation (remove duplicates, prefixes, suffixes, word count, etc.).
- [Text Fixer](https://www.textfixer.com/) - Text manipulation (remove duplicates, prefixes, suffixes, word count, etc.).
- [Hash Calculator](https://md5calc.com/hash) - Hash calculator and other tools.
- [Free Formatter](https://www.freeformatter.com/xml-formatter.html) - XML, JSON, HTML formatter.
- [Diff Checker](https://www.diffchecker.com/) - Diff comparison.
- [CSVJSON](https://csvjson.com/csv2json) - CSV to JSON converter and vice versa.
- [ChatGPT](https://chatgpt.com/) - Can be used to transform data.

### Blogs

- [FalconForce Blog](https://falconforce.nl/blogs/)
- [Red Canary Blog](https://redcanary.com/blog) and [Red Canary Blog Threat Detection Category](https://redcanary.com/blog/?topic=threat-detection)
- [Elastic Security Labs Blog](https://www.elastic.co/security-labs) and [Elastic Security Labs Blog Detection Engineering Category](https://www.elastic.co/security-labs/topics/detection-engineering). Also everything by [Samir Bousseaden](https://www.elastic.co/security-labs/author/samir-bousseaden).
- [SpecterOps Blog](https://specterops.io/blog) and [SpecterOps on Detection series | Jared Atkinson](https://posts.specterops.io/on-detection/home)
- [Detect.fyi](https://detect.fyi/) - A collection of good detection engineering articles.
- [Detections.xyz](https://detections.xyz/) - A collection of good detection engineering articles.
- [Alex Teixeira on Medium](https://ateixei.medium.com/) - Writes frequently on detection engineering topics.
- [Detection at Scale](https://www.detectionatscale.com/) - A collection of good detection engineering articles.

### Newsletters

- [Detection Engineering Weekly](https://www.detectionengineering.net/) - A weekly newsletter with detection-related online resources.

### Good Reads

- [Prioritizing Detection Engineering | Ryan McGeehan](https://medium.com/starting-up-security/prioritizing-detection-engineering-b60b46d55051)
- [About Detection Engineering | Florian Roth](https://cyb3rops.medium.com/about-detection-engineering-44d39e0755f0)
- [Detection Development Lifecycle | Haider Dost](https://medium.com/snowflake/detection-development-lifecycle-af166fffb3bc)
- [Elastic releases the Detection Engineering Behavior Maturity Model](https://www.elastic.co/security-labs/elastic-releases-debmm)
- [Threat Detection Maturity Framework | Haider Dost](https://medium.com/snowflake/threat-detection-maturity-framework-23bbb74db2bc)
- [Compound Probability: You Don’t Need 100% Coverage to Win](https://medium.com/@vanvleet/compound-probability-you-dont-need-100-coverage-to-win-a2e650da21a4)
- [Where should I place my detections? | walaakabbani](https://socinpurple.com/2023/11/25/where-i-should-place-my-detections/)
- [My 2025 Detection Philosophy and the Pursuit of Immutable Artifacts | Koifsec](https://detect.fyi/if-a-log-falls-in-the-siem-does-it-generate-an-alert-my-2025-detection-philosophy-5751c1a0ee56)
- [SOC Visibility | walaakabbani](https://socinpurple.com/2023/07/08/soc-visibility-part-1/)
- [What Makes a “Good” Detection? | The Cybersec Café](https://infosecwriteups.com/what-makes-a-good-detection-44417b6ef3de)
- [Lessons Learned in Detection Engineering | Ryan McGeehan](https://medium.com/starting-up-security/lessons-learned-in-detection-engineering-304aec709856)
- [Alerting and Detection Strategy Framework | Palantir](https://blog.palantir.com/alerting-and-detection-strategy-framework-52dc33722df2)
- [DeTT&CT : Mapping detection to MITRE ATT&CK | Renaud Frère](https://blog.nviso.eu/2022/03/09/dettct-mapping-detection-to-mitre-attck/)
- [DeTT&CT: Mapping your Blue Team to MITRE ATT&CK™](https://www.mbsecure.nl/blog/2019/5/dettact-mapping-your-blue-team-to-mitre-attack)
- [Distributed Security Alerting](https://slack.engineering/distributed-security-alerting/)
- [Deploying Detections at Scale — Part 0x01 use-case format and automated validation | Gijs Hollestelle](https://medium.com/falconforce/deploying-detections-at-scale-part-0x01-use-case-format-and-automated-validation-7bc76bea0f43)
- [From soup to nuts: Building a Detection-as-Code pipeline](https://medium.com/threatpunter/from-soup-to-nuts-building-a-detection-as-code-pipeline-28945015fc38)
- [Can We Have “Detection as Code”? | Anton Chuvakin](https://medium.com/anton-on-security/can-we-have-detection-as-code-96f869cfdc79)
- [Automating Detection-as-Code | John Tuckner](https://www.tines.com/blog/automating-detection-as-code/)
- [How to prioritize a Detection Backlog? | Alex Teixeira](https://detect.fyi/how-to-prioritize-a-detection-backlog-84a16d4cc7ae)
- [Prioritization of the Detection Engineering Backlog | Joshua Prager & Emily Leidy](https://posts.specterops.io/prioritization-of-the-detection-engineering-backlog-dcb18a896981)
- [Pyramid of Pain](https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html)
- [Atomic and Stateful Detection Rules](https://blog.ecapuano.com/p/atomic-and-stateful-detection-rules)
- [Detection-as-Code Testing](https://kyle-bailey.medium.com/detection-as-code-testing-c03b0eea7fb8)
- [Can We Stop Documenting Our Detections?](https://detect.fyi/can-we-stop-documenting-our-detections-ded2201ec09b)
- [Rethinking Alert Severity: A Formula for Consistent Scoring](https://medium.com/@silaspotter17/rethinking-alert-severity-a-formula-for-consistent-scoring-abbcb60e42ac)
- [Why is no one talking about maintenance in detection engineering? | Agapios Tsolakis](https://falconforce.nl/why-is-no-one-talking-about-maintenance-in-detection-engineering/)
- [Detection as Code | Panagiotis Gkatziroulis](https://purpleteamsec.substack.com/p/detection-as-code)
- [On Confidence | Richard Ackroyd](https://medium.com/@rfackroyd/on-confidence-fd5dc954aa77)
- [Introducing the DRAPE Index: How to measure (in)success in a Threat Detection practice? | Alex Teixeira](https://detect.fyi/introducing-the-drape-index-how-to-measure-in-success-in-a-threat-detection-practice-154fd977f731)
- [How data science can boost your detection engineering maintenance and keep you from herding sheep | Agapios Tsolakis](https://medium.com/falconforce/how-data-science-can-boost-your-detection-engineering-maintenance-and-keep-you-from-herding-sheep-8713b7220776)

### Books

- [Automating Security Detection Engineering: A hands-on guide to implementing Detection as Code](https://www.packtpub.com/en-no/product/automating-security-detection-engineering-9781837636419)
- [Practical Threat Detection Engineering: A hands-on guide to planning, developing, and validating detection capabilities](https://www.packtpub.com/en-sg/product/practical-threat-detection-engineering-9781801076715)
- [Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware](https://link.springer.com/book/10.1007/978-1-4842-6193-4)

### Trainings

- [XINTRA Attacking and Defending Azure & M365](https://www.xintra.org/courses/1-attacking-and-defending-azure-m365)
- [Specter Ops Adversary Tactics: Detection](https://specterops.io/training/adversary-tactics-detection/)
- [FalconForce Advanced Detection Engineering in the Enterprise training](https://falconforce.nl/services/training/advanced-detection-engineering-training/)
- [TCM Security Detection Engineering for Beginners](https://academy.tcm-sec.com/p/detection-engineering-for-beginners)
- [LetsDefend Detection Engineering Path](https://letsdefend.io/detection-engineering)
- [SANS SEC555: Detection Engineering and SIEM Analytics](https://www.sans.org/cyber-security-courses/detection-engineering-siem-analytics/)
- [SANS SEC511: Cybersecurity Engineering: Advanced Threat Detection and Monitoring](https://www.sans.org/cyber-security-courses/cybersecurity-engineering-advanced-threat-detection-monitoring/)

### Podcasts

- [Detection Challenging Paradigms | SpecterOps](https://creators.spotify.com/pod/show/dcppodcast) - Discusses various threat detection topics.
- [Detection at Scale](https://podcasts.apple.com/us/podcast/detection-at-scale/id1582584270) - Discusses the threat landscape and many detection-related topics.

### Videos

- [Atomics on a Friday](https://www.youtube.com/@atomicsonafriday/streams) - A YouTube series discussing detection opportunities.
- [Detection as Code: Detection Development Using CI/CD](https://www.youtube.com/watch?v=_JEvyem4ryg) - RSA talk.
- [Detection-as-code: Why it works and where to start (Kyle Bailey)](https://www.youtube.com/watch?v=VaZp7A6Q9zE) - BSides talk.

### Conferences

- [DEATHcon](https://deathcon.io/) - A conference focused on Detection Engineering and Threat Hunting (DEATH).

### Twitter/X

- [@sigma_hq](https://x.com/sigma_hq)
- [@cyb3rops](https://x.com/cyb3rops)
- [@frack113](https://x.com/frack113)
- [@nas_bench](https://x.com/nas_bench)
- [@SBousseaden](https://x.com/SBousseaden)
- [@ateixei](https://x.com/ateixei)
- [@SecurityAura](https://x.com/SecurityAura)
- [@Oddvarmoe](https://x.com/Oddvarmoe)
- [@jaredcatkinson](https://x.com/jaredcatkinson)
- [@olafhartong](https://x.com/olafhartong)
- [@bohops](https://x.com/bohops)
- [@nextronresearch](https://x.com/nextronresearch)
- [Awesome Detection List](https://x.com/i/lists/952735755838738432)

### Other Resource Aggregator Projects

- [Awesome Detection Engineering | infosecB](https://github.com/infosecB/awesome-detection-engineering)
- [Awesome Threat Detection | 0x4D31](https://github.com/0x4D31/awesome-threat-detection)
- [Detection Engineering Starter Pack | rfackroyd](https://github.com/rfackroyd/detection-engineering-starter-pack)