A centralized repository for building, governing, validating, and reporting on a modern detection engineering program.
This repository serves as a one-stop location for:
- detection engineering strategy and program documentation
- executive proposal and maturity reporting
- detection-as-code content for Microsoft Sentinel
- ATT&CK and Cyber Kill Chain coverage tracking
- validation, tuning, and quality standards
- workflow automation and CI/CD foundations
- SOC workflow alignment and continuous improvement
Detection engineering is more than writing alert logic. A mature program requires structure, governance, testing, reporting, and a repeatable process for turning threat hypotheses into reliable security analytics.
This repository is organized to support leadership, detection engineers, and SOC/IR stakeholders from a single location.
Start here for program intent, maturity, and reporting:
- Executive Documents
- Program Charter
- Roadmap
- Mission
- Scope
- Maturity Model
- Metrics Catalog
- Quarterly Program Review Template
- Annual Roadmap Review
- Gap Analysis
Start here for content development, standards, and rule management:
- Sentinel Detections
- Governance Standards
- Operating Model
- Detection Lifecycle
- Intake Workflow
- QA and Validation Standard
- Tuning Standard
- Detection Rule Template
- Validation Checklist
- Detection Tracking Matrix
Start here for triage support, process context, escalation guidance, and coverage visibility:
- Triage Guides
- Priority Starter Triage Guides
- SOC and Incident Response Alignment
- Alert Escalation Guidance
- Detection Feedback Loop
- Exception Management
- Change Control
- Coverage
- Visuals
This repository supports the full detection engineering lifecycle:
- Define strategy and governance
- Intake and prioritize detection opportunities
- Build and maintain detections as code
- Validate detections against real or simulated activity
- Tune detections to improve fidelity and reduce noise
- Deploy content through controlled workflows
- Measure coverage, quality, and program maturity
- Report value to SOC leadership and executive stakeholders
This repository includes executive and program-level documentation to support leadership visibility, roadmap planning, and detection engineering program maturity.
- docs/00_executive/ — executive summary, proposal, charter, roadmap
- docs/01_strategy/ — mission, scope, operating model, maturity model
- docs/02_process/ — detection lifecycle, intake, QA, tuning, exceptions, change control
- docs/03_visuals/ — diagrams and charts for leadership and engineering
- docs/04_reporting/ — metrics catalog, quarterly reviews, gap analysis
- governance/ — naming, severity, lifecycle, tagging, and analytic quality standards
- detections/sentinel/ — Microsoft Sentinel detection content
- detections/mappings/ — ATT&CK and Cyber Kill Chain mappings
- detections/sigma/ — Sigma content when applicable
- content/templates/ — templates for detections, requests, triage guides, and validation
- content/runbooks/ — analyst and engineering operating guides
- content/playbooks/ — automation and response content
- content/workbooks/ — workbook-related content and standards
- coverage/ — ATT&CK and Cyber Kill Chain coverage data, summaries, and gap tracking
- dashboards/ — Sentinel workbooks and executive metrics content
- automation/ — scripts, schemas, deployment helpers, reporting support
- tests/ — validation references, sample logs, and testing support
- .github/workflows/ — GitHub Actions for validation and deployment
This repository is currently centered on Microsoft Sentinel detection engineering, while also being structured to expand into a broader multi-platform detection engineering program.
Planned future growth includes:
- Splunk detection engineering content
- standardized cross-platform detection metadata
- shared governance and lifecycle standards across tools
- common reporting and maturity tracking for multiple security platforms
Each detection should move through a controlled lifecycle:
experimental → testing → production → deprecated
This lifecycle helps ensure detections are:
- documented
- reviewed
- validated
- tuned
- maintained over time
More detail is maintained in:
- docs/02_process/detection-lifecycle.md
- governance/lifecycle-standard.md
Each detection should include, where applicable:
- title
- unique identifier
- description
- author
- created and modified dates
- platform
- data sources
- ATT&CK tactic and technique mapping
- Cyber Kill Chain phase
- severity
- query or logic
- false-positive considerations
- triage guidance
- validation notes
- lifecycle state
- owner
Templates and guidance are located in:
- content/templates/detection-rule-template.yml
- content/templates/rule-request-template.md
- content/templates/triage-guide-template.md
- content/templates/validation-checklist.md
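The metadata list and lifecycle states above are only useful if something enforces them before a rule is merged. The following is an added example of that check, written for this README and not code from the repository: it validates a rule record against the required fields, the ATT&CK and Kill Chain mappings, the allowed severities, and the experimental → testing → production → deprecated transitions, so a pull request cannot promote a rule straight from experimental to production or change its query without advancing the modified date. The field names (`validation_notes`, `status`, `attack`, and so on), the Sentinel-style tactic spellings, the sample KQL, and the rule itself are assumptions constructed for the example; loading the YAML template into a dict (for instance with PyYAML) is left to the caller.

```python
"""Metadata and lifecycle checks for a detection-as-code rule record.

Constructed example: the keys mirror the metadata list in this README, but
the exact field names in content/templates/detection-rule-template.yml are
assumed. Loading the YAML file is left to the caller; checks run on the dict.
"""
import re
from typing import Any, Dict, List, Optional

REQUIRED_FIELDS = (
    "title", "id", "description", "author", "created", "modified", "platform",
    "data_sources", "attack", "kill_chain_phase", "severity", "query",
    "false_positives", "triage", "validation_notes", "status", "owner",
)
LIFECYCLE_STATES = ("experimental", "testing", "production", "deprecated")
# Promotion must pass through testing; deprecated is terminal.
ALLOWED_TRANSITIONS = {
    "experimental": {"testing", "deprecated"},
    "testing": {"experimental", "production", "deprecated"},
    "production": {"testing", "deprecated"},
    "deprecated": set(),
}
SEVERITIES = ("informational", "low", "medium", "high")  # Sentinel severities
KILL_CHAIN_PHASES = (
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command-and-control", "actions-on-objectives",
)
ATTACK_TACTICS = {  # Enterprise tactic names in the form Sentinel uses (assumed)
    "Reconnaissance", "ResourceDevelopment", "InitialAccess", "Execution",
    "Persistence", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess",
    "Discovery", "LateralMovement", "Collection", "CommandAndControl",
    "Exfiltration", "Impact",
}
TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")
UUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def validate_rule(rule: Dict[str, Any]) -> List[str]:
    """Return the problems found; an empty list means the rule passes."""
    missing = [f for f in REQUIRED_FIELDS if rule.get(f) in (None, "", [], {})]
    errors = [f"missing or empty field: {f}" for f in missing]

    def has(field: str) -> bool:  # only inspect fields that are present
        return field not in missing

    if has("id") and not UUID_RE.match(str(rule["id"])):
        errors.append("id must be a lowercase UUID")
    if has("created") and has("modified"):
        if not all(DATE_RE.match(str(rule[f])) for f in ("created", "modified")):
            errors.append("created and modified must be YYYY-MM-DD")
        elif rule["modified"] < rule["created"]:  # ISO dates sort as strings
            errors.append("modified date precedes created date")
    if has("severity") and rule["severity"] not in SEVERITIES:
        errors.append(f"severity must be one of {SEVERITIES}")
    if has("status") and rule["status"] not in LIFECYCLE_STATES:
        errors.append(f"status must be one of {LIFECYCLE_STATES}")
    if has("kill_chain_phase") and rule["kill_chain_phase"] not in KILL_CHAIN_PHASES:
        errors.append(f"unknown Cyber Kill Chain phase: {rule['kill_chain_phase']!r}")
    if has("attack"):
        for mapping in rule["attack"]:
            tactic, technique = mapping.get("tactic"), mapping.get("technique")
            if tactic not in ATTACK_TACTICS:
                errors.append(f"unknown ATT&CK tactic: {tactic!r}")
            if not TECHNIQUE_RE.match(str(technique)):
                errors.append(f"malformed ATT&CK technique id: {technique!r}")
    return errors


def review_change(old: Optional[Dict[str, Any]], new: Dict[str, Any]) -> List[str]:
    """Pull-request check: the new rule must validate on its own, and the
    change relative to the committed version must be a legal one."""
    errors = validate_rule(new)
    if old is None:  # brand-new detection: nothing to compare against
        return errors
    if old.get("id") != new.get("id"):
        errors.append("id must not change once a rule exists")
    old_state, new_state = old.get("status"), new.get("status")
    if old_state != new_state and new_state not in ALLOWED_TRANSITIONS.get(old_state, set()):
        errors.append(f"lifecycle transition not allowed: {old_state} -> {new_state}")
    # A logic change must carry a newer modified date than the committed rule.
    if old.get("query") != new.get("query") and not new.get("modified", "") > old.get("modified", ""):
        errors.append("query changed but modified date was not advanced")
    return errors


# Constructed sample rule; the KQL is illustrative, not a tuned production query.
SAMPLE_RULE = {
    "title": "Repeated failed sign-ins from a single IP",
    "id": "2f1c3a9e-5b8d-4c7a-9e21-0d6f4b8a1c33",
    "description": "Flags an IP address with many failed Entra ID sign-ins in an hour.",
    "author": "Detection Engineering", "created": "2024-03-01", "modified": "2024-03-10",
    "platform": "sentinel", "data_sources": ["SigninLogs"],
    "attack": [{"tactic": "CredentialAccess", "technique": "T1110.001"}],
    "kill_chain_phase": "exploitation", "severity": "medium",
    "query": "SigninLogs | where ResultType != 0 | summarize Failures=count() by IPAddress, bin(TimeGenerated, 1h) | where Failures > 20",
    "false_positives": "Misconfigured service accounts, load-testing ranges.",
    "triage": "Check whether any success followed the failures from the same IP.",
    "validation_notes": "Replayed constructed SigninLogs sample; 1 alert as expected.",
    "status": "testing", "owner": "soc-detection@example.com",
}

if __name__ == "__main__":
    print("sample rule:", validate_rule(SAMPLE_RULE) or "ok")
    promoted = dict(SAMPLE_RULE, status="production")
    print("testing -> production:", review_change(SAMPLE_RULE, promoted) or "ok")
    print("experimental -> production:",
          review_change(dict(SAMPLE_RULE, status="experimental"), promoted))
```

Running `review_change` against the committed copy of a rule, rather than only `validate_rule` against the new copy, is what turns the metadata standard into a lifecycle gate: a reviewer sees the illegal promotion or the stale modified date as a concrete error, not as something to remember to look for.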
This repository supports executive and leadership visibility by providing:
- a formal detection engineering proposal
- maturity model documentation
- ATT&CK coverage tracking
- gap analysis
- program visuals and workflow diagrams
- reporting structures for quarterly and annual review
Key leadership outcomes include:
- improved visibility into detection coverage
- measurable program maturity
- better prioritization of detection engineering efforts
- reduced analyst burden through more structured tuning and triage
- stronger alignment between SOC operations and engineering
For leadership, this repository provides strategy, executive summaries, maturity reporting, and measurable program outcomes. For detection engineers, it provides standards, templates, detection content, mappings, validation guidance, and workflow structure. For SOC and IR stakeholders, it provides triage support, workflow alignment, coverage context, and a path for alert feedback and tuning.
The Sentinel portion of this repository is intended to support:
- ATT&CK-aligned detections
- lifecycle-based analytic management
- rule tuning and validation
- workbook/reporting alignment
- future CI/CD-driven deployment
This creates a foundation for moving from isolated analytic rules to a full Sentinel detection engineering program.
Coverage tracking is maintained to help answer:
- which ATT&CK techniques are covered
- where detection gaps remain
- which tactics have the strongest content support
- where new engineering effort should be prioritized
- how the program is maturing over time
Coverage artifacts are maintained under:
- coverage/mitre/
- coverage/cyber-kill-chain/
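The questions above are answered by rolling detection metadata up into per-technique, per-tactic and per-phase counts and comparing them against the techniques the program has decided matter. The following is an added example of that roll-up, written for this README rather than taken from the repository's coverage/ tooling: it counts only testing and production rules (experimental content is unproven and deprecated content no longer runs), treats a parent technique as covered when any sub-technique has content, lists the priority techniques with no content, and emits an ATT&CK Navigator layer so the result can be visualised. The rule records, the priority list, the counting conventions and the Navigator layer fields are all assumptions constructed for the example; real input would come from the detection files and the output would be written under coverage/mitre/.

```python
"""ATT&CK and Cyber Kill Chain coverage roll-up from detection metadata.

Constructed example: the rule records below carry only the fields the
roll-up needs (id, status, attack mappings, kill chain phase). The Navigator
layer uses the minimal field set the example author believes Navigator
accepts; it is not a project artefact.
"""
import json
from collections import defaultdict
from typing import Any, Dict, Iterable, List

# Only content the SOC actually relies on counts toward coverage.
COUNTED_STATES = {"testing", "production"}


def _covers(by_technique: Dict[str, set], technique: str) -> bool:
    """A parent technique counts as covered if any sub-technique has content."""
    return technique in by_technique or any(
        t.startswith(technique + ".") for t in by_technique)


def coverage_summary(rules: Iterable[Dict[str, Any]],
                     priority_techniques: List[str]) -> Dict[str, Any]:
    by_technique: Dict[str, set] = defaultdict(set)  # technique -> rule ids
    by_tactic: Dict[str, set] = defaultdict(set)     # tactic -> techniques with content
    by_phase: Dict[str, int] = defaultdict(int)      # kill chain phase -> rule count
    for rule in rules:
        if rule["status"] not in COUNTED_STATES:
            continue
        by_phase[rule["kill_chain_phase"]] += 1
        for m in rule["attack"]:
            by_technique[m["technique"]].add(rule["id"])
            by_tactic[m["tactic"]].add(m["technique"])
    gaps = [t for t in priority_techniques if not _covers(by_technique, t)]
    ratio = 1 - len(gaps) / len(priority_techniques) if priority_techniques else 1.0
    return {
        "rules_per_technique": {t: len(ids) for t, ids in sorted(by_technique.items())},
        "tactic_strength": {t: len(s) for t, s in sorted(by_tactic.items())},
        "phase_strength": dict(sorted(by_phase.items())),
        "priority_gaps": gaps,
        "priority_coverage": round(ratio, 2),
    }


def navigator_layer(summary: Dict[str, Any], name: str = "Detection coverage") -> Dict[str, Any]:
    """Score = number of counted rules per technique; priority gaps score 0."""
    scored = summary["rules_per_technique"]
    techniques = [{"techniqueID": t, "score": n, "comment": f"{n} rule(s)", "enabled": True}
                  for t, n in scored.items()]
    techniques += [{"techniqueID": t, "score": 0, "comment": "priority gap", "enabled": True}
                   for t in summary["priority_gaps"]]
    return {
        "name": name,
        "versions": {"layer": "4.5"},  # layer format version; assumed
        "domain": "enterprise-attack",
        "description": "Generated from detection metadata",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#66ff66"], "minValue": 0,
                     "maxValue": max(scored.values(), default=1)},
    }


# Constructed records: one experimental and one deprecated rule are present to
# show that they do not count.
SAMPLE_RULES = [
    {"id": "r1", "status": "production", "kill_chain_phase": "exploitation",
     "attack": [{"tactic": "CredentialAccess", "technique": "T1110.001"}]},
    {"id": "r2", "status": "production", "kill_chain_phase": "exploitation",
     "attack": [{"tactic": "CredentialAccess", "technique": "T1110.003"},
                {"tactic": "InitialAccess", "technique": "T1078"}]},
    {"id": "r3", "status": "testing", "kill_chain_phase": "installation",
     "attack": [{"tactic": "Persistence", "technique": "T1098"}]},
    {"id": "r4", "status": "experimental", "kill_chain_phase": "actions-on-objectives",
     "attack": [{"tactic": "Exfiltration", "technique": "T1567.002"}]},
    {"id": "r5", "status": "deprecated", "kill_chain_phase": "exploitation",
     "attack": [{"tactic": "InitialAccess", "technique": "T1078"}]},
]
# Techniques the (constructed) threat model says must have content.
PRIORITY_TECHNIQUES = ["T1078", "T1110", "T1098", "T1567", "T1486"]

if __name__ == "__main__":
    summary = coverage_summary(SAMPLE_RULES, PRIORITY_TECHNIQUES)
    print(json.dumps(summary, indent=2))
    print(json.dumps(navigator_layer(summary))[:120], "...")
```

The `priority_gaps` list is the actionable output: it is the answer to "where should new engineering effort go", and the gap entries in the Navigator layer make the same point visually for leadership. Counting sub-techniques toward the parent is a convention choice; a program that wants stricter reporting can drop the prefix match in `_covers`.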
All content should be managed through version control and reviewed before promotion.
Recommended contribution flow:
- Submit a request, change, or new detection
- Review for metadata completeness and quality
- Validate logic and mapping
- Document tuning and operational considerations
- Merge through pull request review
- Promote through lifecycle stages
Supporting files:
- CONTRIBUTING.md
- .github/PULL_REQUEST_TEMPLATE.md
- .github/ISSUE_TEMPLATE/
- normalize all existing Sentinel detections into a common schema
- standardize tactic folder naming
- expand ATT&CK and Cyber Kill Chain mappings
- add triage guides and validation evidence
- improve executive and operational reporting
- strengthen GitHub Actions validation
- add deployment automation for Sentinel content
- expand coverage reporting
- build out workbook and dashboard structure
- expand into Splunk detection engineering
- support cross-platform detection standards
- mature into a full engineering-driven security content program
Start here for program intent, maturity, and reporting:
- docs/00_executive/
- docs/01_strategy/
- docs/04_reporting/
Start here for content development, standards, and rule management:
- detections/sentinel/
- content/templates/
- governance/
- tests/
Start here for triage support, process context, and coverage visibility:
- docs/02_process/
- content/templates/triage-guide-template.md
- coverage/
This repository is actively being developed into a full detection engineering platform that combines:
- proposal and program strategy
- detection-as-code
- governance standards
- testing and tuning workflows
- executive reporting
- platform expansion planning
This repository is licensed under the MIT License. See LICENSE.