Detection engineering and detection-as-code platforms for authoring, managing, testing, translating, sharing, and deploying detection rules and content (Sigma, YARA, Suricata, SIEM/EDR correlation rules) across the SOC. Includes detection rule repositories, generators, converters, and rule-management tooling.
A minimal library to generate YARA rules from Java, with Maven support.
A collection of Yara rules for detecting malware evasion techniques
Automate the process of writing YARA rules based on executable code within malware.
FireEye Mandiant SunBurst Countermeasures: freely available rules for detecting malicious files and activity
A set of rules for detecting threats in various formats, including Snort, Yara, ClamAV, and HXIOC.
A repository of officially managed detection rules for the Falco runtime security monitoring system that identifies threats, abnormal behaviors, and compliance violations through syscall and container event analysis.
A testing tool that generates suspect actions to validate and test Falco runtime security monitoring rulesets.
A collection of YARA rules for Windows, Linux, and other threats.
Provides indicators of compromise (IOCs) to combat malware with Yara and Snort rules.
A library of event-based analytics written in EQL to detect adversary behaviors identified in MITRE ATT&CK, providing detection rules for the Elastic Stack.
Signature-based YARA rules for detecting and preventing threats within Linux, Windows, and macOS systems.
OCaml bindings to the YARA scanning engine for integrating YARA scanning capabilities into OCaml projects.
Dorothy is a tool to test monitoring and detection capabilities for Okta environments, with modules mapped to MITRE ATT&CK® tactics.
Home for rules used by Elastic Security with code for unit testing, Kibana integration, and Red Team Automation.
A set of interrelated detection rules for improving detection and hunting visibility and context.
Repository for detection content with various types of rules and payloads.
YaraHunter scans container images, running Docker containers, and filesystems using YARA rules to detect malware indicators and signs of compromise.
Scans files with YARA and matches findings to VirusTotal comments.
Collection of YARA signatures from recent malware research.
A tool that generates Yara rules for strings and their XOR encoded versions, as well as base64-encoded variations with different padding possibilities.
Powerful tool for searching and hunting through Windows forensic artefacts with support for Sigma detection rules and custom Chainsaw detection rules.
A collection of Yara rules for the Burp Yara-Scanner extension that helps identify malicious software and infected web pages during web application security assessments.
HAWK is a multi-cloud antivirus scanning API that uses CLAMAV and YARA engines to detect malware in AWS S3, Azure Blob Storage, and GCP Cloud Storage objects.
A tool that generates pseudo-malicious files to trigger YARA rules.