704 KQL + SPL detection rules covering all 14 MITRE ATT&CK tactics. Built by defenders, for defenders. Free tier forever — Pro playbooks and atomic tests at £29/mo.
Real queries for real SIEMs. No pseudocode.
// Microsoft Sentinel / Defender for Endpoint
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
    "-EncodedCommand",
    "-e ", "-ec ",
    "FromBase64String",
    "IEX", "Invoke-Expression")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
`sysmon` EventCode=1
    (OriginalFileName="PowerShell.EXE" OR OriginalFileName="pwsh.dll")
    (CommandLine="*-EncodedCommand*"
     OR CommandLine="*FromBase64String*"
     OR CommandLine="*IEX*"
     OR CommandLine="*Invoke-Expression*")
| table _time host user CommandLine ParentCommandLine
| sort -_time
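To see what the two queries above actually match, here is an added Python example (not part of the original page or the product's rule set) that applies the same predicate to constructed sample process events. It models both matching styles: the SPL `CommandLine="*IEX*"` wildcards are plain substring matches, while KQL `has_any` is term-based, so the "term" mode only fires when the indicator starts and ends on a token boundary. It also shows why the SPL variant keys on `OriginalFileName` (a renamed binary still carries it) and how a documented false-positive source can be allow-listed. The `KNOWN_GOOD_FRAGMENTS` path and all events are hypothetical values constructed for the example.

```python
import re

# Constructed sample process events (not real telemetry), shaped like the
# DeviceProcessEvents / Sysmon EventCode=1 fields the queries use.
SAMPLE_EVENTS = [
    {"FileName": "powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "ProcessCommandLine": "powershell.exe -NoProfile -EncodedCommand SQBFAFgAIAAoAE4A"},
    {"FileName": "pwsh.exe", "OriginalFileName": "pwsh.dll",
     "ProcessCommandLine": 'pwsh -c "IEX (Get-Content .\\script.ps1)"'},
    {"FileName": "powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "ProcessCommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Deploy\\install.ps1"},
    {"FileName": "cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ProcessCommandLine": "cmd.exe /c echo FromBase64String"},
    {"FileName": "powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "ProcessCommandLine": "powershell.exe -ec ZQBjAGgAbwAgAGgAaQA="},
    # Renamed binary: FileName alone (the KQL filter) would miss this one.
    {"FileName": "updater.exe", "OriginalFileName": "PowerShell.EXE",
     "ProcessCommandLine": "updater.exe -EncodedCommand ZQBjAGgAbwAgAGgAaQA="},
    # Hypothetical deployment tool that legitimately uses Invoke-Expression.
    {"FileName": "powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "ProcessCommandLine": "powershell.exe -NoProfile -Command \"Invoke-Expression "
                           "(Get-Content 'C:\\Program Files\\Acme Deploy\\bootstrap.ps1' -Raw)\""},
]

PROCESS_NAMES = {"powershell.exe", "pwsh.exe"}          # KQL FileName filter
ORIGINAL_NAMES = {"powershell.exe", "pwsh.dll"}         # SPL OriginalFileName filter
INDICATORS = ["-EncodedCommand", "-e ", "-ec ",
              "FromBase64String", "IEX", "Invoke-Expression"]

# Hypothetical allow-list of a documented false-positive source (constructed
# path); compared case-insensitively against the command line.
KNOWN_GOOD_FRAGMENTS = ["\\acme deploy\\bootstrap.ps1"]


def matched_indicators(cmdline, mode="term"):
    """Return the indicators present in cmdline, in INDICATORS order.

    mode="substring" mirrors SPL's *IEX* wildcards (any substring, case-
    insensitive). mode="term" mirrors KQL has_any more closely: the indicator
    must begin and end on a token boundary, so "IEX" does not fire on a
    process called "piexcel.exe".
    """
    lowered = cmdline.lower()
    hits = []
    for ind in INDICATORS:
        needle = ind.lower()
        if mode == "substring":
            found = needle in lowered
        else:
            pattern = r"(?<![a-z0-9])" + re.escape(needle.strip()) + r"(?![a-z0-9])"
            found = re.search(pattern, lowered) is not None
        if found:
            hits.append(ind)
    return hits


def run_rule(events, mode="term", allowlist=KNOWN_GOOD_FRAGMENTS):
    """Apply the queries' logic: process filter, indicator match, FP allow-list.

    Returns a list of (FileName, matched indicators) for events that would alert.
    """
    results = []
    for ev in events:
        is_powershell = (ev["FileName"].lower() in PROCESS_NAMES
                         or ev["OriginalFileName"].lower() in ORIGINAL_NAMES)
        if not is_powershell:
            continue
        cmd = ev["ProcessCommandLine"]
        if any(frag in cmd.lower() for frag in allowlist):
            continue  # documented false-positive source, tuned out
        hits = matched_indicators(cmd, mode)
        if hits:
            results.append((ev["FileName"], hits))
    return results


if __name__ == "__main__":
    for name, hits in run_rule(SAMPLE_EVENTS):
        print(f"ALERT {name}: {', '.join(hits)}")
```

Running it flags the encoded, `-ec`, `IEX` and renamed-binary events, leaves the `-ExecutionPolicy Bypass -File` launch alone (note that `-e ` does not match `-ExecutionPolicy`), and suppresses the allow-listed deployment script; switch `mode="substring"` to see how the SPL wildcard style is broader than KQL's term matching.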
Every detection ships with both Microsoft Sentinel (KQL) and Splunk (SPL) queries. Real table names, real event IDs.
Sub-technique level coverage across all 14 tactics. Navigate by matrix, search by keyword, filter by tactic.
Known false positive sources documented for every rule. Tune faster, alert less.
Step-by-step response procedures per technique. Containment, eradication, recovery — not generic templates.
Validate your detections fire. Copy-paste atomic red team commands mapped to each technique.
Proactive threat hunting queries that find different patterns than the main detection rules.
All 14 MITRE ATT&CK tactics, every technique mapped to copy-paste detections.
Cornerstone techniques defenders look for first.
Every KQL and SPL query is free, forever. Pro adds response playbooks, atomic red team tests, and hunting queries for £29/mo.