cray44/README.md

Chris Ray

Detection engineer with a network engineering background. I build detections that actually work — grounded in how traffic moves, how protocols behave, and where adversaries hide in both.

Most detection engineering starts at the endpoint. I also read packets.


What I work on

  • Detection engineering — Sigma rules, KQL/SPL/ES|QL, SIEM tuning, alert quality over alert volume
  • Network-based detection — Zeek, Suricata, JA4, DNS/TLS/beaconing anomalies, NSM architecture
  • Threat-informed defense — ATT&CK coverage mapping, detection gap analysis, purple team validation
  • Detection-as-code — CI/CD pipelines for detection content: lint, validate, deploy

Focus areas

Identity threats, cloud detection (AWS/Azure), and network-layer adversary behavior — the stuff that gets missed when your detection program lives entirely in EDR telemetry.


Background

Came up through network engineering before moving into security. That foundation shapes how I think about detection: protocol semantics, traffic baselines, and the behavioral signatures that endpoint tooling doesn't see.


Repos worth looking at

  • detection-notes: Detection writeups in ADS format — hypothesis, data sources, blind spots, FP analysis
  • sigma-to-spl: Sigma → production SPL converter: field mapping, index routing, macro substitution, savedsearches.conf output
  • detection-validator: Validates Sigma rules against paired JSON test samples — asserts malicious match, zero benign match, no Splunk required
  • spl-coverage-map: Generates ATT&CK Navigator coverage layers from Sigma rule directories or Markdown detection writeups
  • detection-workbench: Detection lifecycle manager — tracks detections from idea to stable, wires into sigma-to-spl and detection-validator, Claude-assisted hypothesis generation and rule critique
  • detection-decision-records: Governance layer for detection-as-code — versioned records for FP-tuning decisions, deployment status, and deprecation; exports Sigma Filters and SPL NOT clauses

Building this portfolio in public. Content is added incrementally — quality over quantity.

Pinned repositories

  1. detection-decision-records (Public, Python): Detection Decision Records — governance layer for detection-as-code
  2. detection-validator (Public, Python): Validates Sigma detection rules against paired JSON test samples — no Splunk required
  3. detection-workbench (Public, Python): Detection lifecycle manager — tracks detections from idea to stable, wires into sigma-to-spl, detection-validator, and Claude for critique
  4. sigma-to-spl (Public, Python)
  5. spl-coverage-map (Public, Python): Generate ATT&CK Navigator coverage layers from Sigma rules and SPL searches