Welcome to my detection engineering & threat hunting lab — a living portfolio that documents my journey from on-prem to cloud-native detection engineering and threat hunting.
This repo showcases my work in:
- 📦 Detection rule creation (Sigma, YARA, Suricata)
- 🐍 Python automation for threat detection & enrichment
- ⚙️ Cortex XSOAR playbook development
- ☁️ Cloud-native threat detection and response
- 🧪 Real-world threat simulation and hunting
Each project is built, tested, and documented as part of my transition into a Cloud Threat Detection Engineer role.
| Folder | Description |
|---|---|
| detection-engineering/ | Detection rules, methodologies, and documentation |
| └─ documentation/ | Methodology guides and templates |
| └─ sigma-rules/ | Sigma detection rules for various platforms |
| └─ suricata-rules/ | Suricata network detection rules |
| └─ yara-rules/ | YARA rules for file/memory detection |
| └─ kql/ | KQL detections and snippets |
| automation/ | Scripts, playbooks, and CI/CD configurations |
| └─ scripts/ | Python scripts for security automation |
| └─ playbooks/ | Automation playbook definitions |
| └─ ci-cd/ | CI/CD pipeline configurations |
| cloud-security/ | Cloud-native security detection and response |
| └─ aws/ | AWS-specific detection rules and tools |
| └─ azure/ | Azure-specific detection rules and tools |
| └─ gcp/ | GCP-specific detection rules and tools |
| └─ runtime/ | Runtime security tools and configurations |
| packet-analysis/ | Network packet analysis tools and methods |
| └─ wireshark/ | Wireshark profiles and configurations |
| └─ zeek/ | Zeek scripts and log analysis |
| └─ pcaps/ | PCAP analysis methodologies (no actual PCAPs) |
| └─ stratoshark/ | Cloud-native packet analysis |
| resources/ | Learning resources used/worth mentioning |
| threat-hunting/ | Threat hunting reports, methodologies, and templates |
| └─ hunt-reports/ | Documented threat hunting exercises |
| └─ methodologies/ | Hunting methodologies and frameworks |
| └─ templates/ | Templates for hunt planning and reporting |
| xsoar-playbooks/ | Cortex XSOAR playbooks for automation and response |
- Suspicious PowerShell Download - Script Block Logging - Detects System.Net.WebClient downloads via Script Block Logging
- Suspicious PowerShell Download - Classic Event Logs - Similar detection for classic PowerShell logs
- Email Auto Forwarding Global Rule Detection - Detects auto-forwarding or redirect rules across all mailboxes
- Email Auto Forwarding User-Specific Rule Detection - Detects whether a specific user created forwarding or redirect rules
- Detection Rule Template - Standardized template for documenting detection rules
- Hunt Report Template - Template for documenting threat hunting exercises
- XSOAR Playbook Template - Template for documenting Cortex XSOAR playbooks
- Wireshark Security Profiles - Custom Wireshark profiles optimized for security analysis
- Detection-as-Code (Sigma, YAML, Panther-style CI/CD)
- Threat Hunting (Zeek, Suricata, JA3/JA4+, DNS tunneling, C2 detection)
- Cloud-native detection (AWS CloudTrail, Azure Sign-In logs)
- Python automation for detection logic
- Security Orchestration (Cortex XSOAR)
- Network packet analysis and forensics
The work in this repository leverages my professional background as:
- Cyber Security Analyst at Universiteit Antwerpen (2022-present)
- Security System Administrator at AP Hogeschool (2017-2022)
- ICT System Engineer specializing in various IT fields (2007-2014)
My career transition builds on strong foundations in Threat Hunting, Network Engineering, Endpoint Security Management, and Threat Detection.
- GitHub: zoerab
- LinkedIn: Zoerab Tchahkiev
Licensed under the MIT License