This repository is used to manage detection engineering content as code. Contributions should improve detection quality, coverage, governance, reporting, or operational maturity.

Examples of accepted contributions:
- New Sentinel detections
- Detection tuning improvements
- ATT&CK or Cyber Kill Chain mapping updates
- Triage guides and runbooks
- Validation datasets and test logic
- Governance documentation updates
- Executive reporting and coverage artifacts

Every pull request should include:
- A clear summary of the change
- The reason for the change
- Affected data source(s)
- ATT&CK mapping if detection content is changed
- Validation or test notes
- Tuning considerations if applicable
- Screenshots or workbook updates if visual content is changed