Detection Engineering
MITRE ATT&CK detection coverage.
KQL. SPL. Every technique.
728 production-ready KQL + SPL queries covering all 14 ATT&CK tactics. Free forever. Pro playbooks and atomic tests at £29/mo. Built for SOC analysts, detection engineers, and purple teams.
728 Detections
114 Technique Families
475 ATT&CK Sub-techniques
2 Platforms (KQL + SPL)
T1059.001 PowerShell (severity: high)
// KQL — Microsoft Sentinel / Defender for Endpoint
// Command-line indicators for encoded commands, download cradles, AMSI tampering,
// in-memory execution and execution-policy bypass.
let SuspiciousPatterns = dynamic([
    "-EncodedCommand", "-enc ", "-e ", "-ec ",
    "Invoke-WebRequest", "IWR ", "Invoke-RestMethod",
    "Net.WebClient", "DownloadString", "DownloadFile", "DownloadData",
    "Start-BitsTransfer",
    "AmsiUtils", "amsiInitFailed", "SetProtectionLevel",
    "Invoke-Expression", "IEX(", "IEX ",
    "-ExecutionPolicy Bypass", "-ep bypass", "-ep unrestricted"
]);
// The page's excerpt ends at the pattern list; the tabular part below is an assumed
// completion using the Defender for Endpoint process-event schema.
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (SuspiciousPatterns)   // case-insensitive term match
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine
Free
£0/forever
- KQL + SPL detection queries
- Data source requirements
- False positive guidance
- Confidence & severity ratings
Pro
£29/user/month
- Everything in Free
- Response playbooks
- Investigation & hunting queries
- Atomic red team tests
- Bulk export & API access