Detection Library

Advanced Threat Detection Rules

Access a library of 80+ pre-built detection rules covering malware, phishing, APTs, and other advanced threats. The rules continuously monitor web infrastructure at internet scale, analysing domains, certificates, network traffic, and digital assets to surface emerging threats in near real time.

  • 80+ detection rules
  • 25+ threat categories
  • 99.5% detection accuracy
  • 24/7 rule updates

Detection Rule Categories

Malware Detection

Comprehensive rules for detecting malware families, ransomware, trojans, and other malicious software across multiple attack vectors and delivery methods.

Phishing Detection

Advanced rules for identifying phishing campaigns, credential harvesting, and social engineering attacks targeting your organization and users.

APT Detection

Sophisticated rules for detecting Advanced Persistent Threats, nation-state actors, and long-term targeted attacks against your infrastructure.

Network Anomalies

Rules for detecting unusual network traffic patterns, lateral movement, data exfiltration, and other suspicious network activities.

Brand Abuse

Specialized rules for detecting brand impersonation, domain spoofing, and unauthorized use of your organization's intellectual property.

Mobile Threats

Detection rules for mobile-specific threats including malicious apps, SMS phishing, and mobile device compromise indicators.

Detection Library SDK

Build custom detection rules with our Python SDK, designed for security analysts and threat hunters.

Developer-First Design

Built by security analysts for security analysts. Our SDK provides a clean, intuitive Python interface that makes creating custom detection rules simple and efficient.

  • Client-side detection logic
  • Modular directory structure
  • Lucene query syntax support
  • Webhook integration

Rapid Development

Get up and running in minutes with our comprehensive detection categories and pre-built templates. Focus on threat hunting, not infrastructure setup.

  • Pre-built detection templates
  • Command-line runner
  • Programmatic API access
  • Real-time webhook notifications

Quick Start Examples

Command Line Usage
# APK Brand Impersonation Detection
python run_detection.py apk "YourBrand" "yourdomain.com"
# Domain Malicious Detection
python run_detection.py domain "suspicious-domain.com"
# Certificate Detection
python run_detection.py certificate "client-domain.com"
Programmatic Usage
from domains.malicious_domains import detect_malicious_domains

result = detect_malicious_domains("example.com")
print(result)

# Custom Lucene Query
# detection_runner is the SDK's query runner object; its import is not shown on this page.
result = detection_runner.search(
    lucene_query="domain.name:example.com AND meta.risk_score:[0.8 TO 1.0]"
)
Adding Custom Detections

Create new detection rules in minutes with our simple Python framework. Each detection type has its own directory with specific queries that can be executed independently or integrated into your security workflows.

def detect_custom_threat(target: str) -> dict:
    # Note: target is interpolated into the Lucene query verbatim, so it must be
    # validated or escaped before it reaches this function.
    query = f"domain.name:{target} AND threat_ai:malicious"
    fields = "domain.name,threat_ai,meta.risk_score"
    return detection_runner.run_detection(
        detection_type="custom_threat",
        query=query,
        fields=fields,
        metadata={"target": target},
    )
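The custom-detection snippet above splices the caller's target straight into a Lucene query string. Any value that contains Lucene syntax (a space, `OR`, `*`, `:`, a range bracket) rewrites the query rather than being matched, which matters as soon as targets come from a feed, a ticket or a web form instead of an analyst's keyboard. The following is an added example, not Webamon's SDK code: it escapes the value the way the Lucene query-string parser expects and validates the score bound, and it places the hardened builder beside the page's unescaped pattern so the difference is visible on a hostile input. The field names (`domain.name`, `threat_ai`, `meta.risk_score`) are the ones quoted on this page; the hostile target string is constructed for the demonstration.

```python
import re

# Characters the Lucene query-string parser treats as operators or syntax.
# Any of them inside an attacker-influenced value must be backslash-escaped,
# otherwise the value rewrites the query instead of being matched literally.
_LUCENE_SPECIAL = re.compile(r'([+\-!(){}\[\]^"~*?:\\/\s]|&&|\|\|)')


def escape_lucene_term(value: str) -> str:
    """Return `value` escaped so the parser matches it as one literal term."""
    return _LUCENE_SPECIAL.sub(r"\\\1", value)


def build_threat_query(target: str, min_score: float = 0.0) -> str:
    """Hardened equivalent of the page's f-string query builder.

    The target is escaped before interpolation and the score bound is a
    validated float, so neither can introduce new clauses.
    """
    cleaned = target.strip()
    if not cleaned:
        raise ValueError("target must not be empty")
    if not 0.0 <= min_score <= 1.0:
        raise ValueError("min_score must be within [0.0, 1.0]")
    return (
        f"domain.name:{escape_lucene_term(cleaned)} "
        f"AND threat_ai:malicious AND meta.risk_score:[{min_score:.2f} TO 1.0]"
    )


def unsafe_threat_query(target: str) -> str:
    """The pattern shown on the page: the value is spliced in verbatim."""
    return f"domain.name:{target} AND threat_ai:malicious"


if __name__ == "__main__":
    # Constructed input: a 'target' that smuggles an OR clause and a wildcard.
    hostile = "evil.com OR *"
    print("unsafe:", unsafe_threat_query(hostile))
    print("safe:  ", build_threat_query(hostile, 0.8))
```

With the hostile target, the unescaped form becomes `domain.name:evil.com OR * AND threat_ai:malicious`, which matches every document, while the escaped form keeps `evil.com\ OR\ \*` as a single literal term that matches nothing unexpected. Escaping is the right tool when the value must be searched as-is; if the field has a known shape (a hostname, an IP), reject anything that does not match that shape first.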

Installation & Setup

Get started with Webamon SDK in minutes. Choose your preferred installation method and start building custom detection rules.

From PyPI (Recommended)

Install via pip to get the current release with full feature support; upgrade through pip as new versions are published.

# Install Webamon SDK
pip install webamon-sdk
# Verify installation
webamon-sdk --version

Install from Source

Clone from GitHub and install from source for development or custom builds.

# Clone repository
git clone https://github.com/webamon-org/detection-library.git
# Install from source
cd detection-library && pip install -e .
# Verify installation
webamon-sdk --version

Threat Intelligence Integrations

Seamlessly integrate with threat intelligence platforms and receive real-time notifications.

MISP Integration

Automatically share detection results and threat indicators with MISP (Malware Information Sharing Platform) for collaborative threat intelligence and community-driven security.

  • Automatic IOC export
  • Real-time threat sharing
  • Community collaboration
  • Standardized formats
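To make "automatic IOC export" concrete, here is an added example (not Webamon's integration code) that turns one detection result into the JSON body MISP's REST API accepts for event creation. The detection dict's shape (`detection_type`, `target`, `risk_score`, `indicators`) is an assumption built from fields quoted on this page; the MISP side (attribute types `domain`, `url`, `ip-dst`, `sha256`, the `threat_level_id` and `analysis` scales, the `to_ids` flag) follows MISP's documented conventions. The practitioner details are the ones that keep a shared feed trustworthy: unmapped indicator kinds are skipped, values are normalised and de-duplicated, malformed hashes are dropped, and only high-confidence indicators are flagged `to_ids` so they reach downstream IDS exports.

```python
import re
from datetime import date
from typing import Optional

# MISP REST API conventions used below:
#   threat_level_id: 1=High, 2=Medium, 3=Low, 4=Undefined
#   analysis:        0=Initial, 1=Ongoing, 2=Completed
#   distribution:    0=Your organisation only (safest default for a new feed)
# The detection dict's shape is an assumption for this example, built from the
# field names quoted on this page.
MISP_ATTRIBUTE_MAP = {
    # indicator kind -> (MISP attribute type, MISP category)
    "domain": ("domain", "Network activity"),
    "url": ("url", "Network activity"),
    "ip": ("ip-dst", "Network activity"),
    "sha256": ("sha256", "Payload delivery"),
}
_SHA256 = re.compile(r"^[0-9a-f]{64}$")
IDS_EXPORT_THRESHOLD = 0.8  # below this, indicators are shared but not flagged to_ids


def threat_level_id(risk_score: float) -> int:
    """Bucket the rule's risk score into MISP's threat level scale."""
    if risk_score >= 0.8:
        return 1
    if risk_score >= 0.5:
        return 2
    return 3


def to_misp_event(detection: dict, event_date: Optional[str] = None,
                  distribution: int = 0) -> dict:
    """Build a MISP event body (for POST /events) from one detection result.

    Unknown indicator kinds are skipped, values are normalised and de-duplicated,
    and malformed hashes are dropped rather than pushed to the community.
    """
    score = float(detection.get("risk_score", 0.0))
    rule = detection.get("detection_type", "unknown")
    attributes, seen = [], set()
    for indicator in detection.get("indicators", []):
        mapping = MISP_ATTRIBUTE_MAP.get(indicator.get("type"))
        if mapping is None:
            continue
        misp_type, category = mapping
        value = str(indicator.get("value", "")).strip()
        if misp_type == "sha256":
            value = value.lower()
            if not _SHA256.match(value):
                continue
        elif misp_type == "domain":
            value = value.lower().rstrip(".")
        if not value or (misp_type, value) in seen:
            continue
        seen.add((misp_type, value))
        attributes.append({
            "type": misp_type,
            "category": category,
            "value": value,
            "to_ids": score >= IDS_EXPORT_THRESHOLD,
            "comment": f"{rule} (risk_score={score:.2f})",
        })
    return {
        "Event": {
            "info": f"Webamon detection: {rule} on {detection.get('target', 'unknown')}",
            "date": event_date or date.today().isoformat(),
            "distribution": distribution,
            "threat_level_id": threat_level_id(score),
            "analysis": 2 if attributes else 0,
            "Tag": [{"name": "tlp:amber"}],  # example tag; set your own sharing policy
            "Attribute": attributes,
        }
    }


# Constructed sample result, not output from the real SDK.
SAMPLE_DETECTION = {
    "detection_type": "malicious_domain",
    "target": "example-phish.test",
    "risk_score": 0.93,
    "indicators": [
        {"type": "domain", "value": "Example-Phish.test."},
        {"type": "domain", "value": "example-phish.test"},     # duplicate once normalised
        {"type": "sha256", "value": "A" * 64},
        {"type": "sha256", "value": "not-a-hash"},              # malformed, dropped
        {"type": "whois_registrar", "value": "Registrar Inc"},  # unmapped, skipped
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(to_misp_event(SAMPLE_DETECTION, event_date="2024-01-01"), indent=2))
```

The returned dict is what you would hand to PyMISP's `add_event` or POST to `/events` with your MISP API key. Keep `distribution` at 0 until the feed has been reviewed for false positives; widening distribution is easy, recalling an indicator that has already been pulled into other organisations' IDS exports is not.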

OpenCTI Integration

Connect with OpenCTI for advanced threat intelligence management, knowledge graphs, and automated threat analysis workflows.

  • Knowledge graph integration
  • Automated analysis
  • Threat actor mapping
  • Campaign tracking

Real-Time Notifications

Stay informed instantly when threats are detected with flexible notification options that integrate seamlessly into your existing security workflows and communication channels.

Webhook Notifications

Receive real-time HTTP POST notifications at your own endpoint when a detection fires. Suited to integration with SIEMs, SOAR platforms, and custom security tooling; verify the HMAC signature on every delivery before acting on the payload.

  • Endpoint: POST /webhook/detections
  • Format: JSON payload
  • Authentication: HMAC signature
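The page states that webhook deliveries are JSON POSTs authenticated with an HMAC signature but does not show the receiving side, which is where mistakes usually happen (parsing before verifying, comparing with `==`, accepting replays). The following is an added example, not Webamon's code: a receiver that recomputes HMAC-SHA256 over the timestamp and the raw body, compares in constant time, and rejects deliveries outside a replay window. The header names `x-webamon-signature` and `x-webamon-timestamp`, the `sha256=` prefix, and the `timestamp.body` signing input are assumptions for the example and must be replaced with whatever the real service documents; the shared secret and the delivery are constructed inline.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Header names and signing layout are assumptions for this example; the page
# states only that deliveries are JSON POSTs authenticated with an HMAC signature.
SIGNATURE_HEADER = "x-webamon-signature"
TIMESTAMP_HEADER = "x-webamon-timestamp"
MAX_CLOCK_SKEW_SECONDS = 300


class WebhookAuthError(Exception):
    """Raised when a webhook delivery fails authentication."""


def sign_payload(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>'.

    Binding the timestamp into the MAC means a captured delivery cannot be
    replayed later with a signature that still verifies.
    """
    mac = hmac.new(secret, timestamp.encode("ascii") + b"." + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes,
                   now: Optional[float] = None) -> dict:
    """Authenticate a POST /webhook/detections delivery and return its JSON.

    `body` must be the raw request bytes; re-serialising parsed JSON changes
    whitespace and key order and breaks the MAC.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    signature = lowered.get(SIGNATURE_HEADER)
    timestamp = lowered.get(TIMESTAMP_HEADER)
    if not signature or not timestamp:
        raise WebhookAuthError("missing signature or timestamp header")
    try:
        sent_at = int(timestamp)
    except ValueError as exc:
        raise WebhookAuthError("malformed timestamp") from exc
    current = time.time() if now is None else now
    if abs(current - sent_at) > MAX_CLOCK_SKEW_SECONDS:
        raise WebhookAuthError("timestamp outside accepted window (possible replay)")
    expected = sign_payload(secret, timestamp, body)
    # compare_digest runs in constant time, so a forger learns nothing from
    # how many leading bytes of a guessed signature happened to be right.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        raise WebhookAuthError("signature mismatch")
    # Only parse the body after it has been authenticated.
    return json.loads(body)


def check_webhook(secret: bytes, headers: dict, body: bytes,
                  now: Optional[float] = None) -> Tuple[bool, str]:
    """Non-raising wrapper returning (accepted, reason) for logging."""
    try:
        verify_webhook(secret, headers, body, now)
    except (WebhookAuthError, json.JSONDecodeError) as exc:
        return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    # Constructed delivery: a shared secret, a body and the headers a sender adds.
    secret = b"constructed-shared-secret"
    body = json.dumps({"detection_type": "malicious_domain",
                       "target": "example.com", "risk_score": 0.91}).encode()
    ts = str(int(time.time()))
    headers = {"X-Webamon-Signature": sign_payload(secret, ts, body),
               "X-Webamon-Timestamp": ts}
    print("genuine :", check_webhook(secret, headers, body))
    print("tampered:", check_webhook(secret, headers, body.replace(b"example.com", b"attacker.test")))
```

Two operational notes: store the shared secret outside the code (a secrets manager or environment variable) and rotate it by accepting two secrets during the overlap window, and log the `reason` from `check_webhook` rather than the body itself, since an unauthenticated body is attacker-controlled input.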
Email Notifications

Get detailed email alerts with threat summaries, affected assets, and recommended actions. Customize frequency, severity filters, and recipient groups.

  • Instant alerts
  • Digest reports
  • Custom templates
  • Severity filtering

Enhance Your Detection Capabilities

Access our comprehensive detection library and strengthen your security posture with proven, up-to-date detection rules. Deploy them across your infrastructure in minutes.