704 KQL + SPL detection rules covering all 14 MITRE ATT&CK tactics. Built by defenders, for defenders. Free tier forever — Pro playbooks and atomic tests at £29/mo.
Real queries for real SIEMs. No pseudocode.
// Microsoft Sentinel / Defender for Endpoint
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-EncodedCommand", "-e ", "-ec ", "FromBase64String", "IEX", "Invoke-Expression")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
`sysmon` EventCode=1
    (OriginalFileName="PowerShell.EXE" OR OriginalFileName="pwsh.dll")
    (CommandLine="*-EncodedCommand*" OR CommandLine="*FromBase64String*" OR CommandLine="*IEX*" OR CommandLine="*Invoke-Expression*")
| table _time host user CommandLine ParentCommandLine
| sort - _time
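To see what the two queries above actually flag, here is an added Python model (not part of the rule pack) that approximates KQL `has_any` whole-term matching versus Splunk wildcard substring matching and runs both over constructed process events; the sample rows, file paths and the tokeniser are assumptions. It shows the pair are not strictly equivalent: `*IEX*` in the SPL version also matches `iexplore`, and the SPL version has no counterpart for the `-e` / `-ec` short flags.

```python
import re
from typing import Callable, Iterable

# Indicator lists copied from the KQL and SPL rules above.
KQL_TERMS = ["-EncodedCommand", "-e ", "-ec ", "FromBase64String", "IEX", "Invoke-Expression"]
SPL_WILDCARDS = ["*-EncodedCommand*", "*FromBase64String*", "*IEX*", "*Invoke-Expression*"]
PS_BINARIES = ("powershell.exe", "pwsh.exe")


def _terms(text: str) -> list[str]:
    # Approximation of KQL term tokenisation: alphanumeric runs, case-folded.
    return re.findall(r"[a-z0-9]+", text.lower())


def kql_has_any(command_line: str, indicators: Iterable[str]) -> bool:
    """Approximate KQL has_any: an indicator matches only as whole term(s), never as a substring."""
    tokens = _terms(command_line)
    for ind in indicators:
        want = _terms(ind)
        if not want:
            continue
        for i in range(len(tokens) - len(want) + 1):
            if tokens[i:i + len(want)] == want:
                return True
    return False


def spl_wildcard_any(command_line: str, patterns: Iterable[str]) -> bool:
    """Splunk CommandLine="*x*": case-insensitive substring match."""
    haystack = command_line.lower()
    return any(p.strip("*").lower() in haystack for p in patterns)


# Constructed sample rows shaped like DeviceProcessEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA"},
    {"FileName": "pwsh.exe", "ProcessCommandLine": "pwsh.exe -NonInteractive -c IEX (Get-Content .\\stage.txt -Raw)"},
    {"FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe Start-Process iexplore.exe"},
    {"FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c echo FromBase64String"},
]


def run_rule(events, matcher: Callable[[str, Iterable[str]], bool], indicators: Iterable[str]) -> list[str]:
    """Apply the process gate plus one command-line matcher; return the flagged command lines.
    Simplification: both variants gate on FileName here, whereas the SPL rule gates on OriginalFileName."""
    return [ev["ProcessCommandLine"] for ev in events
            if ev["FileName"].lower() in PS_BINARIES and matcher(ev["ProcessCommandLine"], indicators)]


if __name__ == "__main__":
    for name, matcher, inds in (("KQL", kql_has_any, KQL_TERMS), ("SPL", spl_wildcard_any, SPL_WILDCARDS)):
        print(name, run_rule(SAMPLE_EVENTS, matcher, inds))
```

The `Start-Process iexplore.exe` row is flagged only by the SPL variant, and the `-ec` short flag only by the KQL variant; those are the two places to tune if you need both SIEMs to agree.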
Every detection ships with both Microsoft Sentinel (KQL) and Splunk (SPL) queries. Real table names, real event IDs.
Sub-technique level coverage across all 14 tactics. Navigate by matrix, search by keyword, filter by tactic.
Known false positive sources documented for every rule. Tune faster, alert less.
Step-by-step response procedures per technique. Containment, eradication, recovery — not generic templates.
Validate your detections fire. Copy-paste atomic red team commands mapped to each technique.
Proactive threat hunting queries that find different patterns than the main detection rules.
Every KQL and SPL query is free, forever. Pro adds response playbooks, atomic red team tests, and hunting queries for £29/mo.