A comprehensive framework for Security Operations Center (SOC) use case development, detection engineering, implementation, and management.
This framework is designed to help security teams develop, implement, and maintain effective SOC use cases and detection rules. Whether you're building a new SOC or enhancing existing capabilities, this repository provides the guidance you need to excel.
- Overview
- Core Framework
- Repository Structure
- Getting Started
- Contributors
- Acknowledgments & References
- License
The Detection Engineering Framework provides a structured, lifecycle-based approach to building and maintaining security detections. It encompasses:
- ✅ Comprehensive methodology for detection development
- ✅ Practical templates and tools for immediate use
- ✅ Best practices gathered from industry leaders
- ✅ Real-world guidance for overcoming implementation challenges
- ✅ Continuous improvement processes for detection optimization
| Phase | Document | Description |
|---|---|---|
| 🎯 Foundation | Background and Introduction | Introduction to detection engineering principles |
| 🔄 Lifecycle | Detection Engineering Lifecycle | Complete framework methodology and overview |
| 📋 Planning | Planning Phase | Strategic planning and use case identification |
| 🔧 Development | Development Phase A | Technical feasibility assessment |
| 💻 Development | Development Phase B | Detection code engineering and implementation |
| 🚨 Development | Development Phase C | Response engineering and playbook development |
| 🚀 Delivery | Delivery Phase | Production deployment methodology |
| 📈 Improvement | Improvement Phase | Continuous optimization and tuning |
| 🎓 Practical Guide | From Theory to Practice | Navigating real-world implementation challenges |
| ⭐ Standards | Best Practices | Industry best practices and recommendations |
| 🛠️ Resources | Tools and Templates | Practical templates and utilities |
```text
Detection-Engineering-Framework/
│
├── 📄 README.md                          # This file - framework overview
├── 📄 Background-and-Introduction.md     # Foundation and context
├── 📄 Detection-Engineering-Lifecycle.md # Complete lifecycle methodology
│
├── 🔵 Planning Phase
│   └── planning-phase.md                 # Use case planning and prioritization
│
├── 🟢 Development Phase
│   ├── development-phase-A.md            # Technical feasibility
│   ├── development-phase-B.md            # Detection engineering
│   └── development-phase-C.md            # Response engineering
│
├── 🟡 Delivery Phase
│   └── delivery-phase.md                 # Production deployment
│
├── 🟣 Improvement Phase
│   └── improvement-phase.md              # Optimization and tuning
│
├── 📚 Guides
│   ├── from-theory-to-practice.md        # Practical implementation guide
│   └── best-practices.md                 # Best practices compilation
│
└── 🛠️ tools-and-templates/
    ├── README.md                         # Tools overview
    └── templates/
        └── use-case-requests/            # Use case request templates
            ├── README.md
            ├── use-case-request-template.md
            ├── google-forms-use-case-request-form.txt
            ├── microsoft-forms-use-case-request-form.txt
            ├── salesforce-use-case-request-form.txt
            └── servicenow-use-case-request-form.txt
```
💡 New to Detection Engineering? Start with the Background and Introduction to understand core concepts.
1. 📖 Read the Foundation
   - Start with Background and Introduction
   - Review the Detection Engineering Lifecycle
2. 🔍 Understand the Phases
   - Study each phase document sequentially
   - Focus on the phases relevant to your current needs
3. 🛠️ Apply Practical Tools
   - Explore the Tools and Templates directory
   - Customize the templates for your organization
4. 📈 Implement Best Practices
   - Review Best Practices
   - Read From Theory to Practice for guidance on real-world implementation
5. 🔄 Iterate and Improve
   - Follow the Improvement Phase guidance
   - Continuously refine your detections
🙏 Deep appreciation to everyone who contributed to this framework's inception!
- Kunal Hatode - Framework Author & Maintainer
  - Primary framework architecture and development
  - Cyber Operations Security Architect at Cisco
-
  - Co-wrote technical core elements of the framework
  - Provided subject matter expertise
-
  - Provided valuable early feedback
  - Assisted in co-writing framework components
📢 Call for Contributions: This framework is a living document that evolves with the cybersecurity landscape. We actively welcome:
- 🐛 Bug reports and corrections
- 💡 Enhancement suggestions
- 📝 Real-world case studies
- 🔧 Tool and template contributions
- 📚 Documentation improvements
- 🌐 Translations
To contribute: Submit a pull request or open an issue on the GitHub repository.
The Detection Engineering Framework stands as a testament to the collective wisdom and expertise shared by the cybersecurity community. We extend our deepest gratitude to the organizations, researchers, and thought leaders whose pioneering work has laid the foundation for this comprehensive framework.
This framework was developed during my position at Cisco as Cyber Operations Security Architect and has been greatly influenced by invaluable contributions from various Cisco colleagues, industry leaders, academic institutions, and security practitioners who have generously shared their insights, methodologies, and real-world experiences.
| Organization/Source | Contribution | Link |
|---|---|---|
| Oracle Cloud Security | Foundational principles for detection engineering programs and operational excellence | Detection Engineering Program |
| IBM Security Intelligence | Practical SIEM use case development methodologies | Quick Guide to SIEM Use Cases |
| Betaalvereniging | Comprehensive security framework structure and governance principles | MAGMA Safety Framework |
| MITRE Corporation | Critical insights into cyber adversary behavior and attack characterization | Characterizing Effects of Cyber Adversary |
| SANS Institute | Extensive research on security operations and detection capabilities | SANS White Paper 39685 |
| Correlated Security | SPEED framework methodology for systematic use case development | Introducing SPEED Use Case Framework v1.0 |
| Foren6 Security | Visual framework representations and structural concepts | UC11 Framework Diagram |
📖 For Further Reading: We encourage readers to explore these original sources for deeper insights and to contribute back to the community through their own research and implementations.
You are free to:
- ✅ Share — copy and redistribute the material
- ✅ Adapt — remix, transform, and build upon the material
Under the following terms:
- 📝 Attribution — You must give appropriate credit and indicate if changes were made