Detection Work

Public examples of what I build. Most of the real stuff lives behind a classification boundary — this is the sanitized subset worth sharing.

GitHub

Splunk Detection Content — Sanitized Examples

A growing collection of sanitized Splunk SPL correlation searches from SOC work, organized by MITRE ATT&CK tactic. Includes search logic, relevant log sources, and tuning notes for each detection.

github.com/mabenml/detection-rules

What I Build

  • Splunk SPL correlation searches mapped to ATT&CK tactics and techniques
  • PowerShell automation for incident response acceleration
  • SOC dashboards for threat visibility and analyst workflow
  • Detection coverage gap analysis aligned to priority threat actor TTPs
  • Log source onboarding playbooks for new data sources
  • Sigma rules for cross-SIEM portability

Detection Philosophy

Good detection isn't about having the most alerts — it's about having the right ones. I build detections starting from adversary behavior (ATT&CK TTPs, threat intel), work backward to the log sources that would capture it, and tune aggressively to keep analyst signal-to-noise ratios high.

A detection that fires constantly and gets ignored is worse than no detection at all.
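To make that concrete, here is an added example of the workflow (my illustration for this page, not code from the detection-rules repository): a brute-force-then-success correlation (ATT&CK T1110) run over constructed Windows Security logon events, first as the naive rule most people write and then with the tuning a SOC would apply before it goes to analysts. The event shape, the threshold, the five-minute window and the scanner allowlist are all assumptions; in Splunk the same logic would normally be expressed with streamstats over a time window plus an allowlist lookup, and is written here in Python only so it runs stand-alone.

```python
"""Brute-force-then-success correlation (ATT&CK T1110) over constructed
Windows Security authentication events, showing the tuning steps that
turn a noisy rule into an actionable one.

Added example for this page; not code from the detection-rules
repository. Event shape, thresholds and the allowlist are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Windows Security
# EventCode 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    # 10.0.0.50: six failures in under two minutes, then success -> real signal
    {"ts": "2024-05-01T10:00:00", "code": 4625, "src": "10.0.0.50", "user": "jdoe"},
    {"ts": "2024-05-01T10:00:20", "code": 4625, "src": "10.0.0.50", "user": "jdoe"},
    {"ts": "2024-05-01T10:00:40", "code": 4625, "src": "10.0.0.50", "user": "jdoe"},
    {"ts": "2024-05-01T10:01:00", "code": 4625, "src": "10.0.0.50", "user": "jdoe"},
    {"ts": "2024-05-01T10:01:20", "code": 4625, "src": "10.0.0.50", "user": "jdoe"},
    {"ts": "2024-05-01T10:01:40", "code": 4625, "src": "10.0.0.50", "user": "jdoe"},
    {"ts": "2024-05-01T10:02:00", "code": 4624, "src": "10.0.0.50", "user": "jdoe"},
    # 10.0.0.9: authenticated vulnerability scanner; same pattern, known source
    {"ts": "2024-05-01T10:05:00", "code": 4625, "src": "10.0.0.9", "user": "svc_scan"},
    {"ts": "2024-05-01T10:05:05", "code": 4625, "src": "10.0.0.9", "user": "svc_scan"},
    {"ts": "2024-05-01T10:05:10", "code": 4625, "src": "10.0.0.9", "user": "svc_scan"},
    {"ts": "2024-05-01T10:05:15", "code": 4625, "src": "10.0.0.9", "user": "svc_scan"},
    {"ts": "2024-05-01T10:05:20", "code": 4625, "src": "10.0.0.9", "user": "svc_scan"},
    {"ts": "2024-05-01T10:05:25", "code": 4624, "src": "10.0.0.9", "user": "svc_scan"},
    # 10.0.0.77: five failures spread over an hour, then success -> not brute force
    {"ts": "2024-05-01T10:00:00", "code": 4625, "src": "10.0.0.77", "user": "asmith"},
    {"ts": "2024-05-01T10:15:00", "code": 4625, "src": "10.0.0.77", "user": "asmith"},
    {"ts": "2024-05-01T10:30:00", "code": 4625, "src": "10.0.0.77", "user": "asmith"},
    {"ts": "2024-05-01T10:45:00", "code": 4625, "src": "10.0.0.77", "user": "asmith"},
    {"ts": "2024-05-01T11:00:00", "code": 4625, "src": "10.0.0.77", "user": "asmith"},
    {"ts": "2024-05-01T11:05:00", "code": 4624, "src": "10.0.0.77", "user": "asmith"},
    # 10.0.0.21: two typos then success -> ordinary user
    {"ts": "2024-05-01T10:10:00", "code": 4625, "src": "10.0.0.21", "user": "bkim"},
    {"ts": "2024-05-01T10:10:10", "code": 4625, "src": "10.0.0.21", "user": "bkim"},
    {"ts": "2024-05-01T10:10:20", "code": 4624, "src": "10.0.0.21", "user": "bkim"},
]

FAILURE_THRESHOLD = 5          # assumed tuning value
WINDOW = timedelta(minutes=5)  # assumed tuning value
KNOWN_SCANNERS = {"10.0.0.9"}  # hypothetical allowlist; a lookup table in practice


def _parsed(events):
    """Return copies of the events with ISO timestamps converted to datetime."""
    return [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]


def naive_rule(events, threshold=FAILURE_THRESHOLD):
    """Version 1: alert on any source with >= threshold failed logons.
    No time window, no success requirement, no allowlist."""
    failures = Counter(e["src"] for e in events if e["code"] == 4625)
    return sorted(src for src, n in failures.items() if n >= threshold)


def tuned_rule(events, threshold=FAILURE_THRESHOLD, window=WINDOW,
               allowlist=frozenset()):
    """Version 2: alert only when a success follows >= threshold failures from
    the same source inside `window`, and the source is not allowlisted."""
    by_src = defaultdict(list)
    for e in _parsed(events):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in sorted(by_src.items()):
        if src in allowlist:
            continue
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["code"] != 4624:
                continue
            recent_fails = [f for f in evs[:i]
                            if f["code"] == 4625 and e["ts"] - f["ts"] <= window]
            if len(recent_fails) >= threshold:
                alerts.append({"src": src, "user": e["user"],
                               "failures": len(recent_fails),
                               "success_at": e["ts"].isoformat()})
                break  # one alert per source per run; duplicates only add noise
    return alerts


if __name__ == "__main__":
    print("naive            :", naive_rule(SAMPLE_EVENTS))
    print("tuned, no allowlist:", [a["src"] for a in tuned_rule(SAMPLE_EVENTS)])
    print("tuned, allowlist   :", tuned_rule(SAMPLE_EVENTS, allowlist=KNOWN_SCANNERS))
```

On this sample the naive rule fires on three sources, two of which are noise (a slow trickle of typos and a known scanner); the tuned rule fires once, on the source that actually got in after a burst of failures. Each tuning step maps to a concrete question an analyst asks when triaging: did it succeed, how fast, and is the source something we already know about.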

I write about the technical details on the blog — SPL walkthroughs, ATT&CK coverage analysis, and threat hunting methodology.