Center for Threat Informed Defense Security Stack Mappings

Sigma Rules

Main Sigma Rule Repository

Elastic Detection Rules

Detection Rules is the official repository for the rules used by Elastic Security's Detection Engine. It provides a comprehensive toolkit for security teams to develop, validate, test, and release detection logic in a structured, code-driven manner. This approach enables version control, automated testing, and streamlined integration with the Elastic SIEM. ## Key Features - **Rule Development & Management** — Python module for parsing, validating, and packaging detection rules from TOML files. - **Detections as Code (DaC)** — Full pipeline and CLI tools to manage rules with version control and automated workflows. - **Unit Testing Framework** — Integrated Python testing suite to validate rule logic and ensure reliability. - **Kibana Integration** — Library for API calls to Kibana and the Detection Engine for seamless rule deployment. - **KQL Validation** — Library for parsing and validating Kibana Query Language used in rule conditions. - **Threat Hunting Packages** — Dedicated directory for storing and managing threat hunting queries and packages. ## Philosophy The project embraces a Detections-as-Code philosophy, treating security rules as software artifacts to improve maintainability, collaboration, and automation in threat detection.

KQL Advanced Hunting Queries & Analytics Rules

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.

Splunk Security Content

Splunk Security Content