Open-source repositories containing detection logic and behavioral patterns to identify malicious activity across infrastructure.
LogonTracer is a security auditing tool designed for logon analysis and forensic log auditing. It functions as a dockerized security auditor that utilizes a security event graph database to map account names and network addresses, allowing for the visualization of complex system compromise patterns and authentication paths. The system features a Sigma detection engine that scans imported event logs against standardized rule sets to identify known malicious activity. It also includes an anomalous behavior detector that applies statistical analysis, graph algorithms, and hidden Markov models to
LogonTracer is a specialized security auditing and forensic tool that provides log ingestion, Sigma-based rule detection, and behavioral analysis, making it a focused threat detection engine for Windows authentication logs.
Wazuh is an integrated security platform that combines endpoint detection and response, security information and event management, and cloud workload protection. It functions as a centralized system for collecting telemetry, aggregating logs, and correlating events across distributed infrastructure to maintain security and integrity. The platform distinguishes itself through its active response orchestration, which allows for the automated execution of scripts on remote endpoints to neutralize threats in real time. It provides deep visibility into system activity through file integrity monito
Wazuh is a comprehensive security platform that functions as a SIEM and threat detection engine, providing log ingestion, real-time alerting, threat intelligence, and automated response capabilities in a unified interface.
This project is a detection-as-code framework providing a library of security monitoring rules and predefined detection content for Elasticsearch data indices. It serves as a threat detection rule library designed to identify malicious activity and attack patterns across diverse data streams in cloud and on-premises environments. The framework implements a detection engineering workflow where rules are defined in YAML and managed as versioned code. It includes a set of command-line utilities for automated rule deployment, metadata searching, and template generation, supported by a Python-base
This repository provides a comprehensive detection-as-code framework and rule library for identifying malicious behavior, serving as a core component for threat detection engines even though it functions as a rule repository rather than a full-stack SIEM platform.
CrowdSec is a collaborative, distributed security engine designed for threat detection and infrastructure protection. It functions as an intrusion detection system that parses logs and network traffic to identify malicious patterns, utilizing a bucket-based threshold detection model to aggregate events and trigger alerts. The platform is built on a modular architecture that includes a centralized local API server for managing security signals and a relational database for persistent storage of remediation decisions. What distinguishes the project is its decoupled enforcement model, which offl
CrowdSec is a powerful threat detection engine that parses logs and network traffic to trigger alerts and automated responses, fitting the core requirements of a security detection framework even though it focuses more on intrusion prevention than full-scale SIEM log analytics.
DefectDojo is a vulnerability management system and application security orchestration tool. It serves as a centralized platform for importing, deduplicating, and tracking security findings from multiple scanners and tools to manage an organization's overall security posture. The system distinguishes itself by aggregating findings from various security tools into a single report and normalizing that data to prioritize remediation. It provides specific workflows for vulnerability triage and deduplication to reduce noise and redundant manual work across the software development lifecycle. The
DefectDojo is a vulnerability management and orchestration platform for tracking security findings from scanners, rather than a SIEM or threat detection engine designed to ingest logs and alert on malicious behavior in real-time.
Falco is an eBPF runtime security monitor and cloud native detection engine that identifies abnormal behavior and security threats across hosts and containers. It functions as a Linux kernel event auditor, capturing system calls and kernel events in real-time to detect malicious activity. The system distinguishes itself through a rule-based threat detection model that evaluates system activity against a library of community-maintained rules and custom security definitions. It enriches raw kernel events with container and Kubernetes metadata to provide observability into isolated environments.
Falco is a specialized runtime security and threat detection engine that excels at real-time kernel-level monitoring and rule-based alerting, though it functions as a focused detection component rather than a full-stack SIEM with built-in long-term log storage and visualization.