detections

Detections

This directory contains detection content managed as code.

Structure

Sentinel

• Sentinel Folder

Microsoft Sentinel detections are organized by ATT&CK tactic-aligned folders.

Sigma

• Sigma Folder

Reserved for Sigma content where applicable.

Mappings

• Mappings Folder

Used for ATT&CK and Cyber Kill Chain mapping artifacts.

Detection Expectations

Detection content should follow repository standards for:

• naming
• lifecycle
• severity
• tagging
• metadata quality
• folder placement

See:

• Governance
• Detection Rule Template
• QA and Validation Standard

Lifecycle

Detections should use one of the following lifecycle values:

• experimental
• testing
• production
• deprecated

See:

• Lifecycle Standard
• Detection Lifecycle

Related Content

• Triage Guides
• Detection Tracking Matrix
• Coverage
• Governance

Goal

The goal of this directory is to manage detection content as structured, governed, and maintainable engineering artifacts.