A comprehensive framework for Security Operations Center (SOC) use case development, detection engineering, implementation, and management.
This framework is designed to help security teams develop, implement, and maintain effective SOC use cases and detection rules. Whether you're building a new SOC or enhancing existing capabilities, this repository provides the guidance you need to do that work well.
- Background and Introduction - Introduction
- Detection Engineering Lifecycle - Complete Framework Methodology
- Planning Phase - Planning Methodology
- Development Phase A - Development Methodology & Technical Feasibility
- Development Phase B - Development Methodology & Detection Code Engineering
- Development Phase C - Development Methodology & Response Engineering
- Delivery Phase - Delivery Methodology
- Improvement Phase - Improvement Methodology
- From Theory to Practice - Navigating the Hurdles of the Detection Engineering Framework
- Best Practices - Best Practices
- Tools and Templates
The Detection Engineering Framework stands as a testament to the collective wisdom and expertise shared by the cybersecurity community. We extend our deepest gratitude to the organizations, researchers, and thought leaders whose pioneering work has laid the foundation for this comprehensive framework.
This framework was developed during my time at Cisco as a Cyber Operations Security Architect and has been greatly influenced by the invaluable contributions of various Cisco colleagues, industry leaders, academic institutions, and security practitioners who have generously shared their insights, methodologies, and real-world experiences. Their dedication to advancing the field of cybersecurity and detection engineering has been instrumental in shaping the comprehensive approach presented in this framework.
We recognize that the strength of this Detection Engineering Framework comes not from a single source, but from the collaborative efforts of the entire cybersecurity ecosystem. Each reference and source listed below has contributed unique perspectives, proven methodologies, and practical insights that have been carefully integrated to create a holistic and actionable framework.
Our sincere appreciation goes to these organizations and researchers for their commitment to knowledge sharing and their continued efforts to elevate the standards of security operations and detection engineering practices worldwide.
I am very grateful to everyone who has contributed to this Framework during its inception!
- Frank Hassenrueck
  - Assisted in co-writing technical core elements of this framework.
- Matrix Chau
  - Provided valuable early feedback and assisted in co-writing the framework.
| 🏢 Organization/Source | 📝 Contribution | 🔗 Link |
|---|---|---|
| | Provided foundational principles for detection engineering programs and operational excellence | How to improve security monitoring with detection engineering program |
| 🛡️ IBM Security Intelligence | Contributed practical SIEM use case development methodologies | Quick Guide to SIEM Use Cases |
| 🏦 Betaalvereniging (Dutch Payment Association) | Offered comprehensive security framework structure and governance principles | MAGMA Safety Framework |
| 🏛️ MITRE Corporation | Supplied critical insights into cyber adversary behavior and attack characterization | Characterizing Effects of Cyber Adversary |
| 🎓 SANS Institute | Delivered extensive research on security operations and detection capabilities | SANS White Paper 39685 |
| 🔒 Correlated Security | Provided the SPEED framework methodology for systematic use case development | Introducing SPEED Use Case Framework v1.0 |
| 🖼️ Foren6 Security | Contributed visual framework representations and structural concepts | UC11 Framework Diagram |
The collaborative nature of cybersecurity research and the willingness of these organizations to share their knowledge publicly have been fundamental to the creation of this Detection Engineering Framework. Their contributions represent years of practical experience, research, and refinement in the field of security operations and detection engineering.
We encourage readers and practitioners to explore these original sources for deeper insights and to contribute back to the community through their own research, case studies, and practical implementations.
🚀 Seeking Active Contributors: This Detection Engineering Framework is designed to be a living document that evolves with the cybersecurity landscape. We actively welcome contributions, feedback, improvements, and real-world case studies from security practitioners, researchers, and organizations worldwide. Your expertise and experiences can help enhance this framework and benefit the entire security community.
"Standing on the shoulders of giants, we build upon the collective wisdom of the cybersecurity community to create stronger, more resilient defense mechanisms for organizations worldwide."
🔗 For the most current versions of these resources, please visit the original links provided above.
Detection Engineering Framework © 2021 by Kunal Hatode is licensed under Creative Commons Attribution 4.0 International