# Security Detection Rules

> Search results for `write detection rules to spot suspicious activity` on awesome-repositories.com. 117 total matches; showing the first 50.

Explore on the web: https://awesome-repositories.com/q/write-detection-rules-to-spot-suspicious-activity

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [this search on awesome-repositories.com](https://awesome-repositories.com/q/write-detection-rules-to-spot-suspicious-activity).**

## Results

- [elastic/detection-rules](https://awesome-repositories.com/repository/elastic-detection-rules.md) (2,508 ⭐) — This project is a detection-as-code framework providing a library of security monitoring rules and predefined detection content for Elasticsearch data indices. It serves as a threat detection rule library designed to identify malicious activity and attack patterns across diverse data streams in cloud and on-premises environments.

  The framework implements a detection engineering workflow where rules are defined in TOML and managed as versioned code. It includes a set of command-line utilities for automated rule deployment, metadata searching, and template generation, supported by a Python-base
- [crowdsecurity/crowdsec](https://awesome-repositories.com/repository/crowdsecurity-crowdsec.md) (12,574 ⭐) — CrowdSec is a collaborative, distributed security engine designed for threat detection and infrastructure protection. It functions as an intrusion detection system that parses logs and network traffic to identify malicious patterns, utilizing a bucket-based threshold detection model to aggregate events and trigger alerts. The platform is built on a modular architecture that includes a centralized local API server for managing security signals and a relational database for persistent storage of remediation decisions.

  What distinguishes the project is its decoupled enforcement model, which offl
- [activiti/activiti](https://awesome-repositories.com/repository/activiti-activiti.md) (10,518 ⭐) — Activiti is a workflow engine designed to model, execute, and manage business processes using the BPMN 2.0 standard. It functions as a Java-based framework that embeds process orchestration directly into enterprise applications and microservices to coordinate sequences of tasks and human-centric interactions.

  The platform utilizes a persistent state machine to maintain the status of long-running workflows in a relational database, ensuring continuity across system restarts. It manages high-volume environments through optimistic concurrency control, which tracks versioning tokens to prevent da
- [jaykali/maskphish](https://awesome-repositories.com/repository/jaykali-maskphish.md) (3,020 ⭐) — Maskphish is a comprehensive security toolkit that integrates capabilities for digital forensics, network vulnerability scanning, open-source intelligence, penetration testing, and social engineering. It functions as a multi-purpose framework for automating reconnaissance and executing security audits across diverse network environments.

  The project features a specialized phishing and social engineering toolkit used for cloning websites, masking URLs, and deploying deceptive pages to capture user credentials. It also includes a remote access Trojan builder for generating platform-specific exe
- [mdecrevoisier/sigma-detection-rules](https://awesome-repositories.com/repository/mdecrevoisier-sigma-detection-rules.md) (437 ⭐) — SIGMA detection rules provides a free set of more than 350 advanced correlation rules for hunting suspicious activity.
- [projectdiscovery/nuclei-templates](https://awesome-repositories.com/repository/projectdiscovery-nuclei-templates.md) (12,518 ⭐) — Nuclei-templates is a security automation framework and vulnerability scanning library designed for the continuous assessment of distributed infrastructure. It functions as a collection of structured configuration files that define how to identify security flaws and misconfigurations across web applications and network services.

  The project utilizes a declarative domain-specific language to decouple detection logic from the underlying execution engine. This approach allows for the creation of modular, protocol-agnostic scanning rules that can be updated independently of the core software. By
- [astral-sh/ruff](https://awesome-repositories.com/repository/astral-sh-ruff.md) (48,177 ⭐) — Ruff is a high-performance static analysis and code formatting tool designed for Python. Built in Rust, it functions as a comprehensive engine that scans source code to detect programming errors, security vulnerabilities, and deviations from established coding standards. By parsing source code into a structured tree representation, it provides both automated linting and style enforcement across entire projects.

  The tool distinguishes itself through its speed and deep integration into the development lifecycle. It utilizes parallelized file processing to maximize throughput on large codebases
- [cockroachdb/cockroach](https://awesome-repositories.com/repository/cockroachdb-cockroach.md) (32,207 ⭐) — Cockroach is a distributed SQL database designed to scale horizontally across multiple nodes while maintaining strict ACID compliance and global data consistency. It functions as a relational database engine that automatically partitions data into ranges, rebalancing them across a cluster to accommodate growing storage and throughput requirements. By utilizing a distributed consensus protocol, the system ensures that all nodes agree on the order of operations, providing fault tolerance and continuous availability even in the event of hardware failures.

  The system distinguishes itself through
- [chronicle/detection-rules](https://awesome-repositories.com/repository/chronicle-detection-rules.md) (502 ⭐) — This repository contains example YARA-L rules and dashboards for use within Google Security Operations (SecOps)
- [lolbas-project/lolbas](https://awesome-repositories.com/repository/lolbas-project-lolbas.md) (8,323 ⭐) — LOLBAS is a curated database and knowledge base of signed Windows binaries that can be misused to bypass security restrictions and execute unauthorized code. It serves as a technical registry that maps trusted system files to their functional capabilities and the offensive tactics they enable.

  The project distinguishes itself by providing a capability-driven indexing system and a tactics registry that relates legitimate binary functionality to known security evasion techniques. It includes an association layer that links specific system binaries to attack patterns and tactical objectives, pro
- [qax-os/excelize](https://awesome-repositories.com/repository/qax-os-excelize.md) (20,682 ⭐) — Excelize is a library for reading and writing spreadsheet files in the Office Open XML format. It provides a comprehensive suite of tools for programmatically creating, modifying, and analyzing workbooks, worksheets, and cell data, ensuring compatibility across various office software suites through structured XML serialization.

  The library distinguishes itself with a built-in formula calculation engine that evaluates complex mathematical and logical expressions directly against workbook data. It also features a memory-mapped streaming architecture, which allows for the efficient processing o
- [firefly-iii/firefly-iii](https://awesome-repositories.com/repository/firefly-iii-firefly-iii.md) (22,431 ⭐) — Firefly III is a self-hosted personal finance management system built on a double-entry bookkeeping engine. It provides a comprehensive platform for tracking income, expenses, and account balances while maintaining financial integrity through structured accounting principles. Designed for private use, the system supports multi-user access, allowing independent financial administrations to coexist within a single installation.

  The platform distinguishes itself through extensive automation and integration capabilities. It features a robust REST JSON API and webhook system that enables programma
- [delivr-to/detections](https://awesome-repositories.com/repository/delivr-to-detections.md) (75 ⭐) — A home for detection content developed by the delivr.to team
- [dshukertjr/spot](https://awesome-repositories.com/repository/dshukertjr-spot.md) (369 ⭐) — Take a virtual journey around the world with Spot.
- [gitleaks/gitleaks](https://awesome-repositories.com/repository/gitleaks-gitleaks.md) (24,973 ⭐) — Gitleaks is a security scanning engine designed to identify hardcoded credentials, API keys, and other sensitive information within version control systems and local file structures. It functions as a static analysis tool that automates the detection of secrets, helping to prevent the accidental exposure of sensitive data during the development lifecycle.

  The tool distinguishes itself through its ability to perform deep forensic analysis of git history, allowing users to audit entire project timelines or enforce security gates within continuous integration pipelines. It supports complex detec
- [facebook/react](https://awesome-repositories.com/repository/facebook-react.md) (245,669 ⭐) — React is a JavaScript library for building user interfaces based on a component-driven architecture and unidirectional data flow.
- [pg-spot-ops/pg-spot-operator](https://awesome-repositories.com/repository/pg-spot-ops-pg-spot-operator.md) (59 ⭐) — Stateful Postgres on cheap Spot VMs
- [etcd-io/etcd](https://awesome-repositories.com/repository/etcd-io-etcd.md) (51,838 ⭐) — etcd is a distributed, strongly consistent key-value store designed to provide reliable storage for critical system metadata and coordination primitives. It functions as a distributed consensus engine, utilizing a replicated log and leader-based state machine to ensure that all nodes in a cluster maintain a synchronized view of data. By providing atomic operations and linearizable reads and writes, it serves as a foundational component for distributed systems requiring high availability and fault tolerance.

  The system distinguishes itself through its multi-version concurrency control, which e
- [apache/incubator-spot](https://awesome-repositories.com/repository/apache-incubator-spot.md) (356 ⭐) — Mirror of Apache Spot
- [pycqa/bandit](https://awesome-repositories.com/repository/pycqa-bandit.md) (8,092 ⭐) — Bandit is a static analysis security testing tool and vulnerability detection scanner for Python source code. It functions as a security-focused linter and static analyzer that identifies common vulnerabilities and architectural flaws without executing the program.

  The tool utilizes an abstract syntax tree to analyze code patterns and identifies risky function calls or insecure configurations. It employs a plugin-based rule engine to decouple scanning logic from individual security checks and supports configuration-driven filtering to exclude specific files or ignore certain warnings.

  The sy
- [xou816/spot](https://awesome-repositories.com/repository/xou816-spot.md) (2,380 ⭐) — UNMAINTAINED! Please check out active forks
- [arendst/tasmota](https://awesome-repositories.com/repository/arendst-tasmota.md) (24,502 ⭐) — Tasmota is a universal firmware platform for ESP8266 and ESP32 microcontrollers, designed to provide local control and management of smart home hardware. It functions as an event-driven automation controller that replaces proprietary factory firmware, allowing users to manage relays, sensors, and lighting systems without relying on external cloud services. The system is built on a modular driver architecture that enables dynamic hardware configuration and peripheral support through a web-based management interface.

  The platform distinguishes itself through a template-driven hardware mapping s
- [trufflesecurity/trufflehog](https://awesome-repositories.com/repository/trufflesecurity-trufflehog.md) (24,630 ⭐) — Trufflehog is a security tool designed to continuously monitor code repositories and cloud environments to detect, verify, and remediate exposed sensitive credentials and API keys. It functions as a comprehensive secret scanning engine that integrates directly into deployment pipelines and version control systems to intercept sensitive data before it is committed or pushed. By utilizing read-only operations and volatile memory processing, the system ensures that discovered credentials are never stored persistently, maintaining strict data privacy throughout the scanning lifecycle.

  The platfor
- [avelino/awesome-go](https://awesome-repositories.com/repository/avelino-awesome-go.md) (175,576 ⭐) — This project serves as a comprehensive language ecosystem index, functioning as a centralized, community-curated directory for the Go programming language. It organizes a vast landscape of software components, libraries, and development tools into a structured, navigable hierarchy, enabling developers to efficiently discover resources tailored to specific functional domains.

  The repository distinguishes itself through a decentralized contribution model, where community-driven updates ensure the index remains current with the rapidly evolving software landscape. Beyond simple resource listing,
- [github/codeql](https://awesome-repositories.com/repository/github-codeql.md) (9,252 ⭐) — CodeQL is a semantic code analysis engine and vulnerability scanning tool that treats source code as data. It utilizes a static analysis query language to define complex patterns and security vulnerabilities within a code graph database.

  The system represents source code as a relational database, enabling the execution of structural queries and data flow analysis. This approach allows for the detection of security flaws and coding errors across large-scale repositories.

  The tool provides capabilities for automated code auditing, static analysis security testing, and custom vulnerability dete
- [ngoomie/ublacklist-suspicious-downloads](https://awesome-repositories.com/repository/ngoomie-ublacklist-suspicious-downloads.md) (2 ⭐) — A uBlacklist filter list to remove websites offering suspicious downloads from appearing in search results. Meant to cover a wide variety of things, from those websites that mirror software only to add installers that include PUPs, to sites that offer downloads of lone DLLs that likely have…
- [cube-js/cube](https://awesome-repositories.com/repository/cube-js-cube.md) (20,251 ⭐) — Cube is a semantic data layer that provides a unified framework for defining business metrics, dimensions, and relationships across diverse data sources. By acting as a headless business intelligence engine, it transforms raw data into a governed model that can be queried via SQL, REST, and GraphQL interfaces. This architecture ensures consistent data definitions and logic across all downstream analytical applications and reporting tools.

  The platform distinguishes itself through its integrated conversational AI capabilities, which allow users to explore data using natural language. It orches
- [oisf/suricata](https://awesome-repositories.com/repository/oisf-suricata.md) (6,008 ⭐) — Suricata is an open-source network intrusion detection and prevention engine that analyzes live network traffic in real-time to identify and alert on malicious activity. It operates as a rule-based threat detection system, matching traffic against user-defined signatures to detect known attack patterns and policy violations, and can be placed inline to actively block malicious packets before they reach their target. The engine inspects a wide range of application-layer protocols including HTTP, DNS, TLS, SMB, and MQTT, and supports high-performance packet capture through specialized hardware a
- [yara-rules/rules](https://awesome-repositories.com/repository/yara-rules-rules.md) (4,712 ⭐) — This project is a community-curated repository of YARA rules used to detect malware, webshells, and other malicious patterns in files. It serves as a dataset of signatures for identifying known malware families, software packers, and threat intelligence indicators.

  The collection provides specialized detection capabilities for identifying exploit kits and anti-analysis evasion techniques, such as anti-debugging and anti-virtualization methods. It also includes signatures for cryptographic algorithm detection and the identification of unauthorized remote administration tools on servers.

  The r
- [kubescape/kubescape](https://awesome-repositories.com/repository/kubescape-kubescape.md) (11,489 ⭐) — Kubescape is a Kubernetes security posture management platform designed to scan clusters, manifests, and images for misconfigurations, vulnerabilities, and compliance risks. It functions as a comprehensive security suite incorporating a compliance scanner, a container image vulnerability scanner, an admission controller for policy enforcement, and a runtime security monitor.

  The platform distinguishes itself through runtime-aware vulnerability filtering, which maps libraries loaded in memory to determine if vulnerabilities are actually reachable. It also integrates with AI assistants via a Mo
- [f/prompts.chat](https://awesome-repositories.com/repository/f-prompts-chat.md) (163,814 ⭐) — This platform serves as a centralized management system for organizing, refining, and versioning AI instructions and agent skills. It functions as a repository that enables users to store, categorize, and retrieve structured prompts, ensuring consistent performance across various artificial intelligence models. By integrating with the Model Context Protocol, the system allows external AI assistants and development environments to discover and access these instruction libraries directly.

  The platform distinguishes itself through its focus on prompt engineering and automated refinement, utilizi
- [awslabs/aws-spot-labs](https://awesome-repositories.com/repository/awslabs-aws-spot-labs.md) (981 ⭐) — Collection of tools and code examples to demonstrate best practices in using Amazon EC2 Spot Instances.
- [crytic/slither](https://awesome-repositories.com/repository/crytic-slither.md) (6,141 ⭐)
- [espocrm/espocrm](https://awesome-repositories.com/repository/espocrm-espocrm.md) (2,799 ⭐) — EspoCRM is an open-source customer relationship management platform and SQL-based business application. It serves as a centralized web interface for tracking leads, opportunities, and contacts, providing a sales pipeline manager and a customizable business logic engine.

  The platform is distinguished by its ability to function as a custom business application builder, allowing for the creation of tailored entities and automated workflows. It integrates marketing automation tools for campaign coordination and a structured customer support ticketing system for case management.

  The system covers
- [horsicq/detect-it-easy](https://awesome-repositories.com/repository/horsicq-detect-it-easy.md) (10,266 ⭐) — Detect-It-Easy is a binary file identifier and analysis toolkit designed to determine file formats, compilers, and packers. It functions as a binary file identifier that utilizes signature matching and heuristic analysis to identify executable and archive formats.

  The project includes a custom file signature engine and a scriptable rule system for defining and applying detection logic to identify specific binary patterns. It features specialized detectors for Android packages, such as APK and DEX files, and a malware packer detector to identify protections, obfuscators, and virus families.

  T
- [synrc/active](https://awesome-repositories.com/repository/synrc-active.md) (67 ⭐) — ♾️ ACTIVE: Filesystem Activities
- [ccfos/nightingale](https://awesome-repositories.com/repository/ccfos-nightingale.md) (13,108 ⭐) — Nightingale is a Prometheus-compatible monitoring and alerting platform designed to centralize telemetry management across multiple time-series databases. It functions as a multi-source alerting engine and metric data pipeline that ingests telemetry via remote write protocols and triggers alarms based on data from sources such as Prometheus, Elasticsearch, Loki, and ClickHouse.

  The system is distinguished by its automated alert healing system, which executes predefined scripts and RPC-based corrective actions when monitoring thresholds are breached. It supports distributed alert processing, a
- [falcosecurity/falco](https://awesome-repositories.com/repository/falcosecurity-falco.md) (8,670 ⭐) — Falco is an eBPF runtime security monitor and cloud native detection engine that identifies abnormal behavior and security threats across hosts and containers. It functions as a Linux kernel event auditor, capturing system calls and kernel events in real-time to detect malicious activity.

  The system distinguishes itself through a rule-based threat detection model that evaluates system activity against a library of community-maintained rules and custom security definitions. It enriches raw kernel events with container and Kubernetes metadata to provide observability into isolated environments
- [eslint/eslint](https://awesome-repositories.com/repository/eslint-eslint.md) (27,349 ⭐) — This project is a static analysis engine designed to identify patterns, enforce coding standards, and automate code quality improvements in software projects. By parsing source code into structured abstract syntax trees, it enables deep programmatic inspection and the automated remediation of identified programming issues.

  The engine functions as a pluggable linting framework, allowing developers to extend its core capabilities through a modular architecture. Users can inject custom rules, parsers, and processors to support non-standard file formats or domain-specific logic. This extensibilit
- [h3x2b/yara-rules](https://awesome-repositories.com/repository/h3x2b-yara-rules.md) (23 ⭐) — Yara rules for detecting malware
- [virustotal/yara](https://awesome-repositories.com/repository/virustotal-yara.md) (9,420 ⭐) — YARA is a pattern matching engine and binary analysis tool used to identify and classify malware samples. It functions as a malware research framework that allows for the definition of file descriptions and detection rules to find indicators of compromise within binaries.

  The system enables the creation of custom detection rules using strings, wildcards, and regular expressions. These rules use boolean logic to match textual or binary patterns, allowing for the classification of files into specific malware families and the automation of threat intelligence.

  The engine utilizes Aho-Corasick s
- [astral-sh/ty](https://awesome-repositories.com/repository/astral-sh-ty.md) (17,287 ⭐) — This project is a high-performance static type checker and comprehensive development toolkit for Python. It functions as a core analysis engine that identifies type inconsistencies and enforces code correctness, while simultaneously providing a language server implementation to deliver real-time diagnostics and intelligence directly within development environments.

  The tool distinguishes itself through a parallelized execution engine that maximizes performance across large-scale codebases and monorepo structures. It supports gradual type adoption, allowing developers to integrate type checkin
- [doc-detective/doc-detective](https://awesome-repositories.com/repository/doc-detective-doc-detective.md) (125 ⭐) — Doc Detective is a doc content testing framework that makes it easy to keep your docs accurate and up-to-date. You write tests, and Doc Detective runs them directly against your product to make sure your docs match your user experience. Whether it’s a UI-based process or a series of API calls, Doc…
- [p4t12ick/sigma-rule-repository](https://awesome-repositories.com/repository/p4t12ick-sigma-rule-repository.md) (93 ⭐) — Sigma-Rule-Repository is a collection of detection rules in Sigma format. Unlike other Sigma repositories, it ships testing documentation for every detection rule. The rules are sorted by MITRE ATT&CK technique.
- [dyad-sh/dyad](https://awesome-repositories.com/repository/dyad-sh-dyad.md) (19,648 ⭐) — Dyad is a local, artificial intelligence-powered development environment designed to manage, edit, and scaffold full-stack software projects. It functions as an automated codebase manager and code editor that leverages language models to execute programming tasks, maintain project context, and apply targeted modifications directly to source files on a user's machine.

  The platform distinguishes itself through a model-agnostic architecture that allows for flexible integration with various language model runtimes. It provides specialized operational modes to optimize development speed and effici
- [blakeblackshear/frigate](https://awesome-repositories.com/repository/blakeblackshear-frigate.md) (33,778 ⭐) — Frigate is a self-hosted network video recorder that functions as a private, local AI-powered vision engine. It manages video streams by performing real-time object detection, tracking, and classification directly on local hardware, ensuring that security monitoring and activity recording remain independent of cloud services.

  The system distinguishes itself through a modular, hardware-accelerated video pipeline that offloads intensive decoding and machine learning inference to dedicated GPUs, NPUs, or specialized accelerators like Coral TPUs and Hailo modules. It utilizes state-based object t
- [dxa4481/trufflehog](https://awesome-repositories.com/repository/dxa4481-trufflehog.md) (26,790 ⭐) — TruffleHog is a secret scanning tool designed to identify leaked credentials and API keys across version control systems, cloud storage, and filesystems. It functions as a git secret detector that enumerates hidden commits and a cloud storage security auditor for inspecting container images and storage buckets.

  The project is distinguished by a credential verification engine that tests discovered secrets against service APIs to confirm they are active, which suppresses alerts for credentials that are no longer live. It further analyzes these verified credentials to determine the specific access levels and resources t
- [roblillack/spot](https://awesome-repositories.com/repository/roblillack-spot.md) (1,259 ⭐) — React-like desktop GUI toolkit for Go
- [bloxstraplabs/bloxstrap](https://awesome-repositories.com/repository/bloxstraplabs-bloxstrap.md) (3,034 ⭐) — Bloxstrap is a custom game bootstrapper and configuration tool for Roblox. It replaces the standard launcher to enable advanced startup configurations, inject internal engine flags, and manage a specialized installation directory.

  The project provides a client mod manager that allows users to override local assets, such as sounds, textures, and fonts, and ensures these customizations persist across game updates. It includes a configuration utility to unlock hidden graphics settings and engine parameters, alongside a server tracker that identifies the geographic location of active game servers
- [rauchg/spot](https://awesome-repositories.com/repository/rauchg-spot.md) (953 ⭐) — Tiny file search utility (bash)
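The Sigma-format repositories listed above (mdecrevoisier/sigma-detection-rules, p4t12ick/sigma-rule-repository) are collections of rules and say nothing about how a rule is evaluated. The following is an added example, not code from any repository on this page: a hypothetical rule in Sigma's selection/filter/condition layout, a minimal evaluator for the value modifiers and the boolean condition, and constructed process-creation events to run it against. The rule content, the Sysmon-style field names and the sample events are assumptions chosen for illustration.

```python
from typing import Any, Optional

# Hypothetical rule in Sigma layout: an Office application spawning a command
# interpreter, with a filter block for a known-benign Office updater invocation.
RULE = {
    "title": "Office Application Spawning Shell",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe", "\\powerpnt.exe"],
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\wscript.exe"],
        },
        "filter": {"CommandLine|contains": "OfficeC2RClient.exe"},
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed sample events with Sysmon-style field names (not real telemetry).
EVENTS = [
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell -enc SQBFAFgA"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c OfficeC2RClient.exe /update user"},
]


def _match_value(actual: Any, modifier: Optional[str], expected: str) -> bool:
    """One Sigma value modifier; comparisons are case-insensitive, as in Sigma."""
    if actual is None:
        return False
    value, pattern = str(actual).lower(), expected.lower()
    if modifier is None:
        return value == pattern
    if modifier == "contains":
        return pattern in value
    if modifier == "endswith":
        return value.endswith(pattern)
    raise ValueError(f"unsupported modifier: {modifier}")


def match_block(block: dict, event: dict) -> bool:
    """Every field in a block must match (AND); a list of values for one field is an OR."""
    for key, expected in block.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), modifier or None, v) for v in values):
            return False
    return True


def eval_condition(condition: str, names: dict) -> bool:
    """Recursive-descent evaluation of and/or/not/parentheses over block names,
    written instead of eval() so that a rule file can never execute code."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split() + ["<end>"]
    pos = 0

    def take() -> str:
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or() -> bool:
        result = parse_and()
        while tokens[pos] == "or":
            take()
            result = parse_and() or result  # right operand is always consumed
        return result

    def parse_and() -> bool:
        result = parse_not()
        while tokens[pos] == "and":
            take()
            result = parse_not() and result
        return result

    def parse_not() -> bool:
        tok = take()
        if tok == "not":
            return not parse_not()
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("expected ')' in condition")
            return inner
        if tok in names:
            return names[tok]
        raise ValueError(f"unexpected token in condition: {tok}")

    result = parse_or()
    if tokens[pos] != "<end>":
        raise ValueError("trailing tokens in condition")
    return result


def evaluate(rule: dict, event: dict) -> bool:
    """True when the rule fires on the event."""
    detection = rule["detection"]
    names = {k: match_block(v, event) for k, v in detection.items() if k != "condition"}
    return eval_condition(detection["condition"], names)


def run_rule(rule: dict, events: list) -> list:
    """Indices of the events the rule fires on."""
    return [i for i, e in enumerate(events) if evaluate(rule, e)]


if __name__ == "__main__":
    for i in run_rule(RULE, EVENTS):
        print(f"[{RULE['level']}] {RULE['title']}: {EVENTS[i]['CommandLine']}")
```

Only the first event fires: the second has a non-Office parent, and the third matches the selection but is removed by the filter. In production Sigma rules are converted to the SIEM's own query language rather than evaluated like this; the point of the evaluator is the semantics every converter has to preserve (case-insensitive matching, OR across the values of one field, AND across fields, and a parsed rather than eval()'d condition).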
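CrowdSec's entry mentions a bucket-based threshold model that aggregates events and triggers alerts. The leaky bucket below is an added example written for this page, not CrowdSec's own code: it parses constructed sshd failed-password lines, keeps one bucket per source address, drains each bucket as time passes and raises a single alert when a bucket overflows. The log lines, the capacity of 5 and the leak rate of one event per 10 seconds are all assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sshd log lines using RFC 5737 test addresses; not from a real host.
LOG_LINES = [
    "Jan 14 10:00:01 bastion sshd[2311]: Failed password for root from 203.0.113.10 port 51122 ssh2",
    "Jan 14 10:00:02 bastion sshd[2311]: Failed password for root from 203.0.113.10 port 51123 ssh2",
    "Jan 14 10:00:03 bastion sshd[2311]: Failed password for invalid user admin from 203.0.113.10 port 51124 ssh2",
    "Jan 14 10:00:04 bastion sshd[2311]: Failed password for invalid user admin from 203.0.113.10 port 51125 ssh2",
    "Jan 14 10:00:05 bastion sshd[2311]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2",
    "Jan 14 10:00:06 bastion sshd[2311]: Failed password for root from 203.0.113.10 port 51126 ssh2",
    "Jan 14 10:00:07 bastion sshd[2311]: Failed password for root from 203.0.113.10 port 51127 ssh2",
    "Jan 14 10:00:09 bastion sshd[2311]: Failed password for deploy from 198.51.100.7 port 40002 ssh2",
    "Jan 14 10:05:00 bastion sshd[2311]: Failed password for deploy from 198.51.100.7 port 40003 ssh2",
    "Jan 14 10:10:00 bastion sshd[2311]: Failed password for deploy from 198.51.100.7 port 40004 ssh2",
]

# Parser stage: only failed-password events feed the buckets.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return {ts, user, ip} for a failed-password line, None for anything else."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"), "user": m["user"], "ip": m["ip"]}


@dataclass
class LeakyBucket:
    """Level rises by one per event and drains one unit for every leak_every of
    elapsed time. Overflow (level above capacity) is the alert condition."""
    capacity: int
    leak_every: timedelta
    level: int = 0
    last: Optional[datetime] = None
    users: set = field(default_factory=set)

    def add(self, ts: datetime, user: str) -> bool:
        if self.last is None:
            self.last = ts
        else:
            leaked = max(0, int((ts - self.last) / self.leak_every))  # out-of-order lines leak nothing
            if leaked:
                self.level = max(0, self.level - leaked)
                self.last += leaked * self.leak_every  # keep the unleaked remainder of the interval
        self.level += 1
        self.users.add(user)
        return self.level > self.capacity


def detect(lines, capacity: int = 5, leak_every: timedelta = timedelta(seconds=10)) -> list:
    """Run the lines through per-source buckets; return one alert per overflow."""
    buckets: dict = {}
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        bucket = buckets.setdefault(ev["ip"], LeakyBucket(capacity, leak_every))
        if bucket.add(ev["ts"], ev["user"]):
            alerts.append({"source": ev["ip"], "at": ev["ts"], "attempts": bucket.level,
                           "users": sorted(bucket.users)})
            buckets[ev["ip"]] = LeakyBucket(capacity, leak_every)  # fresh bucket after an overflow
    return alerts


if __name__ == "__main__":
    for a in detect(LOG_LINES):
        print(f"ssh brute force from {a['source']} at {a['at']:%H:%M:%S}: "
              f"{a['attempts']} failures, users={a['users']}")
```

Only 203.0.113.10 overflows (six failures in seven seconds); 198.51.100.7 fails three times but minutes apart, so its bucket drains between events and never alerts. Tuning is the whole game here: the same lines with a leak rate of one event per second produce no alert at all, which is why the leak rate and capacity of a rule should be chosen against real traffic rather than guessed.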
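The YARA entry describes rules built from text strings, hex patterns with wildcards and regular expressions, combined with boolean logic. As an added example that is not YARA's own code, the block below compiles a YARA-style hex string (`??` byte wildcards and `[n-m]` jumps) to a bytes regex, counts the matches of each string in a buffer and evaluates a condition over those counts. The condition is written as a Python callable rather than in YARA's condition grammar, and the rule, the encoded-command pattern and the sample buffers are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Compile a YARA-style hex string such as "4D 5A ?? ?? [2-4] 50 45" to a bytes regex.
    Supported tokens: two hex digits, the byte wildcard '??' and jumps '[n-m]'.
    Nibble wildcards such as '4?' are deliberately not handled."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif (jump := re.fullmatch(r"\[(\d+)-(\d+)\]", tok)):
            parts.append(b".{%d,%d}" % (int(jump[1]), int(jump[2])))
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes.fromhex(tok)))
        else:
            raise ValueError(f"bad hex token: {tok}")
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so wildcards match 0x0A too


@dataclass
class YaraString:
    name: str
    regex: "re.Pattern[bytes]"

    @classmethod
    def text(cls, name: str, s: str, nocase: bool = False):
        return cls(name, re.compile(re.escape(s.encode()), re.IGNORECASE if nocase else 0))

    @classmethod
    def hex(cls, name: str, pattern: str):
        return cls(name, hex_pattern_to_regex(pattern))

    @classmethod
    def regexp(cls, name: str, pattern: bytes, nocase: bool = False):
        return cls(name, re.compile(pattern, re.IGNORECASE if nocase else 0))


@dataclass
class Rule:
    """condition receives (match count per string, data); the counts stand in for
    YARA's #name operators and a count >= 1 for a plain $name reference."""
    name: str
    strings: list
    condition: Callable[[dict, bytes], bool]

    def scan(self, data: bytes):
        counts = {s.name: sum(1 for _ in s.regex.finditer(data)) for s in self.strings}
        return self.condition(counts, data), counts


# Hypothetical rule: a PE image that carries an encoded PowerShell command line.
SUSPICIOUS_PE = Rule(
    name="PE_With_Encoded_PowerShell",
    strings=[
        YaraString.hex("$pe", "50 45 00 00 ?? ??"),  # "PE\0\0" followed by the 2-byte machine field
        YaraString.text("$ps", "powershell", nocase=True),
        YaraString.regexp("$enc", rb"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", nocase=True),
    ],
    # data.startswith(b"MZ") plays the role of YARA's "$mz at 0"
    condition=lambda c, data: data.startswith(b"MZ") and c["$pe"] >= 1 and c["$ps"] >= 1 and c["$enc"] >= 1,
)

# Constructed sample buffers, not real files.
SAMPLE_PE = (b"MZ" + b"\x00" * 30 + b"PE\x00\x00\x64\x86" + b"\x00" * 16
             + b"powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA" + b"\x00" * 8)
BENIGN_PE = b"MZ" + b"\x00" * 30 + b"PE\x00\x00\x64\x86" + b"hello world"
SCRIPT_ONLY = b"powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA\n"

if __name__ == "__main__":
    for label, buf in [("sample_pe", SAMPLE_PE), ("benign_pe", BENIGN_PE), ("script_only", SCRIPT_ONLY)]:
        fired, counts = SUSPICIOUS_PE.scan(buf)
        print(f"{label}: {'MATCH' if fired else 'no match'} {counts}")
```

The sample PE matches on all three strings; the benign PE has no PowerShell string, and the bare script matches both text patterns but fails the "starts with MZ" requirement, which is the kind of positional check that keeps a rule from firing on every log file that quotes an encoded command. Real YARA is needed for the rest (nibble wildcards, `at`/`in` offsets, module fields and the Aho-Corasick string scan mentioned above), but the mapping from pattern syntax to regex and from string references to counts is the same.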
