From f4703ccc17a0fb90ab4b923bc74cb69d62bca979 Mon Sep 17 00:00:00 2001
From: jshlbrd <jliburdi@brex.com>
Date: Tue, 7 Mar 2023 18:10:08 -0800
Subject: [PATCH 01/10] docs: add substation

---
 README.html | 1 +
 README.md   | 1 +
 2 files changed, 2 insertions(+)

diff --git a/README.html b/README.html
index 3e3816f..022909b 100644
--- a/README.html
+++ b/README.html
@@ -90,6 +90,7 @@
 <li><a href="https://github.com/airbnb/streamalert">StreamAlert</a> - A serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define</li>
 <li><a href="https://github.com/matanolabs/matano">Matano</a>: An open source security lake platform (SIEM alternative) for threat hunting, detection and response on AWS. Matano lets you write advanced detections as code (using python) to correlate and alert on threats in realtime.</li>
 <li><a href="https://github.com/Shuffle/Shuffle">Shuffle</a>: A general purpose security automation platform.</li>
+<li><a href="https://github.com/brexhq/substation">Substation</a> - A cloud native data pipeline and transformation toolkit for security teams.</li>
 </ul>
 <h3 id="endpoint-monitoring">Endpoint Monitoring</h3>
 <ul>
diff --git a/README.md b/README.md
index 22fecdb..13f0f27 100644
--- a/README.md
+++ b/README.md
@@ -84,6 +84,7 @@
 - [StreamAlert](https://github.com/airbnb/streamalert) - A serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define
 - [Matano](https://github.com/matanolabs/matano): An open source security lake platform (SIEM alternative) for threat hunting, detection and response on AWS. Matano lets you write advanced detections as code (using python) to correlate and alert on threats in realtime.
 - [Shuffle](https://github.com/Shuffle/Shuffle): A general purpose security automation platform.
+- [Substation](https://github.com/brexhq/substation) - A cloud native data pipeline and transformation toolkit for security teams.
 
 ### Endpoint Monitoring
 

From e8db7d027bf9d19589bd32132e476974d3f44e23 Mon Sep 17 00:00:00 2001
From: Grace Nguyen <42276283+gracenng@users.noreply.github.com>
Date: Wed, 8 Mar 2023 14:58:18 -0800
Subject: [PATCH 02/10] Fix dead Research paper link

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index c91332e..97c4a2a 100644
--- a/README.md
+++ b/README.md
@@ -21,7 +21,7 @@
     - [DNS](#dns)
     - [Fingerprinting](#fingerprinting)
     - [Data Science](#data-science)
-    - [Research Papers](research-papers)
+    - [Research Papers](#research-papers)
     - [Blogs](#blogs)
     - [Related Awesome Lists](#related-awesome-lists)
   - 🎙️ [Podcasts](#podcasts)

From 4218dbae7dcf0d4a147f441cd1521aa823a49816 Mon Sep 17 00:00:00 2001
From: James Spiteri <james.spiteri@gmail.com>
Date: Fri, 10 Mar 2023 15:26:53 -0700
Subject: [PATCH 03/10] Add oh my malware event datasets

---
 README.html | 1 +
 README.md   | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/README.html b/README.html
index 3e3816f..d8ec9b8 100644
--- a/README.html
+++ b/README.html
@@ -161,6 +161,7 @@
 <li><a href="https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES">EVTX-ATTACK-SAMPLES</a> - A repo of Windows event samples (EVTX) associated with ATT&amp;CK techniques (<a href="https://docs.google.com/spreadsheets/d/12V5T9j6Fi3JSmMpAsMwovnWqRFKzzI9l2iXS5dEsnrs/edit#gid=164587082">EVTX-ATT&CK Sheet</a>).</li>
 <li><a href="http://log-sharing.dreamhosters.com">Public Security Log Sharing Site</a></li>
 <li><a href="https://github.com/splunk/attack_data">attack_data</a> - A repository of curated datasets from various attacks.</li>
+<li><a href="https://github.com/jamesspi/ohmymalware/tree/main/Event%20Data">Oh My Malware - Event Data</a> - A repository of malware datasets and alerts generated and used during episodes published on <a href="ohmymalware.com">ohmymalware.com</a>.</li>
 </ul>
 <h2 id="resources">Resources</h2>
 <ul>
diff --git a/README.md b/README.md
index c91332e..81698b2 100644
--- a/README.md
+++ b/README.md
@@ -156,6 +156,8 @@
 - [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) - A repo of Windows event samples (EVTX) associated with ATT&CK techniques ([EVTX-ATT&CK Sheet](https://docs.google.com/spreadsheets/d/12V5T9j6Fi3JSmMpAsMwovnWqRFKzzI9l2iXS5dEsnrs/edit#gid=164587082)).
 - [Public Security Log Sharing Site](http://log-sharing.dreamhosters.com)
 - [attack_data](https://github.com/splunk/attack_data) - A repository of curated datasets from various attacks.
+- [Oh My Malware - Event Data](https://github.com/jamesspi/ohmymalware/tree/main/Event%20Data) - A repository of malware datasets and alerts generated and used during episodes published on ohmymalware.com.</li>
+
 
 
 ## Resources

From 0512e1ed7b9179282f5cef89796bebe5ef5b3dd0 Mon Sep 17 00:00:00 2001
From: James Spiteri <james.spiteri@gmail.com>
Date: Fri, 10 Mar 2023 15:28:41 -0700
Subject: [PATCH 04/10] remove extra chars

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 81698b2..9223964 100644
--- a/README.md
+++ b/README.md
@@ -156,7 +156,7 @@
 - [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) - A repo of Windows event samples (EVTX) associated with ATT&CK techniques ([EVTX-ATT&CK Sheet](https://docs.google.com/spreadsheets/d/12V5T9j6Fi3JSmMpAsMwovnWqRFKzzI9l2iXS5dEsnrs/edit#gid=164587082)).
 - [Public Security Log Sharing Site](http://log-sharing.dreamhosters.com)
 - [attack_data](https://github.com/splunk/attack_data) - A repository of curated datasets from various attacks.
-- [Oh My Malware - Event Data](https://github.com/jamesspi/ohmymalware/tree/main/Event%20Data) - A repository of malware datasets and alerts generated and used during episodes published on ohmymalware.com.</li>
+- [Oh My Malware - Event Data](https://github.com/jamesspi/ohmymalware/tree/main/Event%20Data) - A repository of malware datasets and alerts generated and used during episodes published on ohmymalware.com.
 
 
 

From 2737509fc8f4f3c709f6d3fb2abeb561601b89af Mon Sep 17 00:00:00 2001
From: James Spiteri <james.spiteri@gmail.com>
Date: Fri, 10 Mar 2023 15:32:05 -0700
Subject: [PATCH 05/10] Add Oh My Malware Resource

---
 README.html | 1 +
 README.md   | 1 +
 2 files changed, 2 insertions(+)

diff --git a/README.html b/README.html
index d8ec9b8..e1aca82 100644
--- a/README.html
+++ b/README.html
@@ -205,6 +205,7 @@
 <li>Detection as Code in Splunk <a href="https://www.splunk.com/en_us/blog/security/ci-cd-detection-engineering-splunk-security-content-part-1.html">Part 1, </a><a href="https://www.splunk.com/en_us/blog/security/ci-cd-detection-engineering-splunk-s-attack-range-part-2.html">Part 2, </a><a href="https://www.splunk.com/en_us/blog/security/ci-cd-detection-engineering-failing-part-3.html">and Part 3</a> - A multipart series describing how detection as code can be successfully deployed in a Splunk environment.</li>
 <li><a href="https://medium.com/starting-up-security/lessons-learned-in-detection-engineering-304aec709856">Lessons Learned in Detection Engineering</a> - A well experienced detection engineer describes in detail his observations, challenges, and recommendations for building an effective threat detection program.</li>
 <li><a href="https://ateixei.medium.com/a-research-driven-process-applied-to-threat-detection-engineering-inputs-1b7e6fe0412b">A Research-Driven process applied to Threat Detection Engineering Inputs</a>.</li>
+<li><a href="https://ohmymalware.com">A video series focused on malware execution and investigations using Elastic Security</a>.</li>
 </ul>
 <h3 id="frameworks">Frameworks</h3>
 <ul>
diff --git a/README.md b/README.md
index 9223964..34e81dc 100644
--- a/README.md
+++ b/README.md
@@ -203,6 +203,7 @@
 - [Lessons Learned in Detection Engineering](https://medium.com/starting-up-security/lessons-learned-in-detection-engineering-304aec709856) - A well experienced detection engineer describes in detail his observations, challenges, and recommendations for building an effective threat detection program.
 - [A Research-Driven process applied to Threat Detection Engineering Inputs](https://ateixei.medium.com/a-research-driven-process-applied-to-threat-detection-engineering-inputs-1b7e6fe0412b).
 - [Investigation Scenario](https://twitter.com/search?q=%23InvestigationPath%20from%3Achrissanders88&f=live) tweets by Chris Sanders
+- [Oh My Malware](https://ohmymalware.com)A video series focused on malware execution and investigations using Elastic Security.
 
 ### Frameworks
 

From bffa680ba4f8c76bcfa4898a8870315d24c91530 Mon Sep 17 00:00:00 2001
From: James Spiteri <james.spiteri@gmail.com>
Date: Fri, 10 Mar 2023 15:36:59 -0700
Subject: [PATCH 06/10] fix for pr

---
 README.html | 1 -
 README.md   | 1 -
 2 files changed, 2 deletions(-)

diff --git a/README.html b/README.html
index e1aca82..d2de789 100644
--- a/README.html
+++ b/README.html
@@ -161,7 +161,6 @@
 <li><a href="https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES">EVTX-ATTACK-SAMPLES</a> - A repo of Windows event samples (EVTX) associated with ATT&amp;CK techniques (<a href="https://docs.google.com/spreadsheets/d/12V5T9j6Fi3JSmMpAsMwovnWqRFKzzI9l2iXS5dEsnrs/edit#gid=164587082">EVTX-ATT&CK Sheet</a>).</li>
 <li><a href="http://log-sharing.dreamhosters.com">Public Security Log Sharing Site</a></li>
 <li><a href="https://github.com/splunk/attack_data">attack_data</a> - A repository of curated datasets from various attacks.</li>
-<li><a href="https://github.com/jamesspi/ohmymalware/tree/main/Event%20Data">Oh My Malware - Event Data</a> - A repository of malware datasets and alerts generated and used during episodes published on <a href="ohmymalware.com">ohmymalware.com</a>.</li>
 </ul>
 <h2 id="resources">Resources</h2>
 <ul>
diff --git a/README.md b/README.md
index 34e81dc..18668b1 100644
--- a/README.md
+++ b/README.md
@@ -156,7 +156,6 @@
 - [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) - A repo of Windows event samples (EVTX) associated with ATT&CK techniques ([EVTX-ATT&CK Sheet](https://docs.google.com/spreadsheets/d/12V5T9j6Fi3JSmMpAsMwovnWqRFKzzI9l2iXS5dEsnrs/edit#gid=164587082)).
 - [Public Security Log Sharing Site](http://log-sharing.dreamhosters.com)
 - [attack_data](https://github.com/splunk/attack_data) - A repository of curated datasets from various attacks.
-- [Oh My Malware - Event Data](https://github.com/jamesspi/ohmymalware/tree/main/Event%20Data) - A repository of malware datasets and alerts generated and used during episodes published on ohmymalware.com.
 
 
 

From 1d8ab79357c8c4903ec166e6f99aa30312c03f05 Mon Sep 17 00:00:00 2001
From: James Spiteri <james.spiteri@gmail.com>
Date: Fri, 10 Mar 2023 15:38:56 -0700
Subject: [PATCH 07/10] fix typo

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 18668b1..f0173c5 100644
--- a/README.md
+++ b/README.md
@@ -202,7 +202,7 @@
 - [Lessons Learned in Detection Engineering](https://medium.com/starting-up-security/lessons-learned-in-detection-engineering-304aec709856) - A well experienced detection engineer describes in detail his observations, challenges, and recommendations for building an effective threat detection program.
 - [A Research-Driven process applied to Threat Detection Engineering Inputs](https://ateixei.medium.com/a-research-driven-process-applied-to-threat-detection-engineering-inputs-1b7e6fe0412b).
 - [Investigation Scenario](https://twitter.com/search?q=%23InvestigationPath%20from%3Achrissanders88&f=live) tweets by Chris Sanders
-- [Oh My Malware](https://ohmymalware.com)A video series focused on malware execution and investigations using Elastic Security.
+- [Oh My Malware](https://ohmymalware.com) A video series focused on malware execution and investigations using Elastic Security.
 
 ### Frameworks
 

From f7587213c7f2a5a619c7019d2d4eb739171cb5df Mon Sep 17 00:00:00 2001
From: James Spiteri <james.spiteri@gmail.com>
Date: Fri, 10 Mar 2023 15:40:06 -0700
Subject: [PATCH 08/10] fix spacing

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index f0173c5..2a5ab33 100644
--- a/README.md
+++ b/README.md
@@ -202,7 +202,7 @@
 - [Lessons Learned in Detection Engineering](https://medium.com/starting-up-security/lessons-learned-in-detection-engineering-304aec709856) - A well experienced detection engineer describes in detail his observations, challenges, and recommendations for building an effective threat detection program.
 - [A Research-Driven process applied to Threat Detection Engineering Inputs](https://ateixei.medium.com/a-research-driven-process-applied-to-threat-detection-engineering-inputs-1b7e6fe0412b).
 - [Investigation Scenario](https://twitter.com/search?q=%23InvestigationPath%20from%3Achrissanders88&f=live) tweets by Chris Sanders
-- [Oh My Malware](https://ohmymalware.com) A video series focused on malware execution and investigations using Elastic Security.
+- [Oh My Malware](https://ohmymalware.com) - A video series focused on malware execution and investigations using Elastic Security.
 
 ### Frameworks
 

From f5e0c47147e623157b8c74f0d8b7c4498fcb70d9 Mon Sep 17 00:00:00 2001
From: Josh Kamdjou <jkamdjou@gmail.com>
Date: Fri, 24 Mar 2023 12:47:21 -0400
Subject: [PATCH 09/10] Add Sublime / MQL detection rules

---
 README.html | 1 +
 README.md   | 1 +
 2 files changed, 2 insertions(+)

diff --git a/README.html b/README.html
index 3e3816f..e7f4504 100644
--- a/README.html
+++ b/README.html
@@ -145,6 +145,7 @@
 <li><a href="https://github.com/InQuest/awesome-yara#rules">Awesome YARA Rules</a></li>
 <li><a href="https://github.com/chronicle/detection-rules">Chronicle Detection Rules</a> - Collection of YARA-L 2.0 sample rules for the Chronicle Detection API.</li>
 <li><a href="https://github.com/GoogleCloudPlatform/security-analytics">GCP Security Analytics</a> - Community Security Analytics provides a set of community-driven audit &amp; threat queries for Google Cloud.</li>
+<li><a href="https://github.com/sublime-security/sublime-rules">Sublime Detection Rules</a> - Email attack detection, response, and hunting rules.</li>
 </ul>
 <h2 id="dataset">Dataset</h2>
 <ul>
diff --git a/README.md b/README.md
index c91332e..8483a7b 100644
--- a/README.md
+++ b/README.md
@@ -140,6 +140,7 @@
 - [Chronicle Detection Rules](https://github.com/chronicle/detection-rules) - Collection of YARA-L 2.0 sample rules for the Chronicle Detection API.
 - [GCP Security Analytics](https://github.com/GoogleCloudPlatform/security-analytics) - Community Security Analytics provides a set of community-driven audit & threat queries for Google Cloud.
 - [ThreatHunter-Playbook](https://github.com/OTRF/ThreatHunter-Playbook) - A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.
+- [Sublime Detection Rules](https://github.com/sublime-security/sublime-rules) - Email attack detection, response, and hunting rules.
 
 ## Dataset
 

From a597b5340937fae1002862cb55af9be0f544bfe5 Mon Sep 17 00:00:00 2001
From: Josh Kamdjou <jkamdjou@gmail.com>
Date: Fri, 24 Mar 2023 13:27:04 -0400
Subject: [PATCH 10/10] Add new section: 'Email Monitoring'

---
 README.html | 5 +++++
 README.md   | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/README.html b/README.html
index 3e3816f..3438077 100644
--- a/README.html
+++ b/README.html
@@ -19,6 +19,7 @@
 <li><a href="#detection-alerting-and-automation-platforms">Detection, Alerting and Automation Platforms</a></li>
 <li><a href="#endpoint-monitoring">Endpoint Monitoring</a></li>
 <li><a href="#network-monitoring">Network Monitoring</a></li></ul></li>
+<li><a href="#email-monitoring">Email Monitoring</a></li></ul></li>
 <li>🔍 <a href="#detection-rules">Detection Rules</a></li>
 <li>📑 <a href="#dataset">Dataset</a></li>
 <li>📘 <a href="#resources">Resources</a><ul>
@@ -136,6 +137,10 @@
 <li><a href="https://github.com/CERT-Polska/hfinger">Hfinger</a> - Fingerprinting HTTP requests</li>
 <li><a href="https://github.com/salesforce/jarm">JARM</a> - An active Transport Layer Security (TLS) server fingerprinting tool.</li>
 </ul>
+<h3 id="email-monitoring">Email Monitoring</h3>
+<ul>
+<li><a href="https://github.com/sublime-security/sublime-platform">Sublime Platform</a> - An email threat detection engine</li>
+</ul>
 <h2 id="detection-rules">Detection Rules</h2>
 <ul>
 <li><a href="https://github.com/SigmaHQ/sigma">Sigma</a> - Generic Signature Format for SIEM Systems</li>
diff --git a/README.md b/README.md
index c91332e..82a1225 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,7 @@
     - [Detection, Alerting and Automation Platforms](#detection-alerting-and-automation-platforms)
     - [Endpoint Monitoring](#endpoint-monitoring)
     - [Network Monitoring](#network-monitoring)
+    - [Email Monitoring](#email-monitoring)
   - 🔍 [Detection Rules](#detection-rules)
   - 📑 [Dataset](#dataset)
   - 📘 [Resources](#resources)
@@ -130,6 +131,10 @@
 - [Hfinger](https://github.com/CERT-Polska/hfinger) - Fingerprinting HTTP requests
 - [JARM](https://github.com/salesforce/jarm) - An active Transport Layer Security (TLS) server fingerprinting tool.
 
+### Email Monitoring
+
+- [Sublime Platform](https://github.com/sublime-security/sublime-platform) - An email threat detection engine
+
 ## Detection Rules
 
 - [Sigma](https://github.com/SigmaHQ/sigma) - Generic Signature Format for SIEM Systems