Published: March 2026 | Last reviewed: March 22, 2026
// detection_engineering

Detection Engineering That Ships

Every threat on the platform ships with production-ready detection rules in three formats. No more writing rules from scratch, translating between SIEM languages, or guessing at field mappings. 2,700+ rules. Three formats. Every threat covered.

2,700+ detection rules
3 rule formats
465 MITRE techniques
249+ threats covered

How It Works

Threadlinqs generates detection rules alongside every threat report. When a new threat is published, the corresponding SPL, KQL, and Sigma rules are created, tested against sample data, and mapped to MITRE ATT&CK techniques. You get deploy-ready content from the moment a threat hits the feed.

01 Threat Published: new threat enters the feed
02 Rules Generated: SPL + KQL + Sigma created
03 MITRE Mapped: techniques + tactics tagged
04 Deploy to SIEM: copy, export, or automate

Three Rule Formats

Every detection is written in three industry-standard formats so your team deploys to whichever SIEM or detection platform you run.

Splunk SPL (Splunk Enterprise / Cloud / ES): Search Processing Language queries optimized for Splunk Enterprise and Splunk Cloud. Includes index, sourcetype, and field references tuned for CIM-compliant data models.
Microsoft KQL (Sentinel / Defender / Azure): Kusto Query Language rules for Microsoft Sentinel, Defender for Endpoint, and Defender XDR. Optimized for the SecurityEvent, DeviceProcessEvents, and CommonSecurityLog tables.
Sigma (any SIEM via Sigma CLI / pySigma): Universal, vendor-agnostic YAML rules that convert to any SIEM backend. Includes logsource definitions, detection logic, and severity levels following the Sigma specification.

Sample Detection Rule

Below is a real detection from the platform for identifying suspicious LOLBIN abuse via CSVDE.exe for Active Directory reconnaissance, mapped to MITRE ATT&CK T1087 (Account Discovery).

SPL

index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
  EventCode=1
  (OriginalFileName="csvde.exe" OR process_name="csvde.exe")
  (CommandLine="*-f *" OR CommandLine="*-r *" OR CommandLine="*-l *")
| eval risk_score=case(
    like(CommandLine, "%objectCategory=person%"), 80,
    like(CommandLine, "%objectCategory=computer%"), 75,
    like(CommandLine, "%objectCategory=group%"), 85,
    1=1, 60
  )
| where risk_score >= 60
| stats count min(_time) as first_seen max(_time) as last_seen
    values(CommandLine) as commands
    max(risk_score) as risk_score
    by src_ip, user, dest
| where count >= 1
| sort -risk_score

This rule detects CSVDE.exe execution with flags commonly used for bulk AD exports, a technique observed in FIN7 and APT10 campaigns. The risk scoring prioritizes group enumeration (most dangerous for lateral movement) over computer discovery.
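To make the scoring and aggregation above inspectable offline, here is the same logic re-implemented in Python. This is an added example, not code from the Threadlinqs platform: it replays the rule's match clause, the case()-style risk scoring and the per-user/host aggregation over a handful of constructed Sysmon Event ID 1 records. Field names (process_name, CommandLine, user, dest) follow the rule; src_ip is omitted because the constructed records do not carry it, and the records themselves are invented, not real telemetry.

```python
"""Python replay of the CSVDE reconnaissance rule (added example, not platform code)."""
from fnmatch import fnmatchcase

# Constructed Sysmon EventCode=1 records (epoch-second timestamps); not real logs.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 1, "process_name": "csvde.exe",
     "CommandLine": 'csvde.exe -f users.csv -r "(objectCategory=person)"',
     "user": "CORP\\jdoe", "dest": "WS01"},
    {"_time": 1700000060, "EventCode": 1, "process_name": "csvde.exe",
     "CommandLine": 'csvde.exe -f groups.csv -r "(objectCategory=group)" -l member',
     "user": "CORP\\jdoe", "dest": "WS01"},
    {"_time": 1700000120, "EventCode": 1, "process_name": "csvde.exe",
     "CommandLine": "csvde.exe -f hosts.csv -r (objectCategory=computer)",
     "user": "CORP\\svc_backup", "dest": "SRV02"},
    {"_time": 1700000180, "EventCode": 1, "process_name": "csvde.exe",
     "CommandLine": "csvde.exe -f export.csv",
     "user": "CORP\\admin", "dest": "DC01"},
    {"_time": 1700000240, "EventCode": 1, "process_name": "csvde.exe",
     "CommandLine": "csvde.exe /?",             # help text only: no export flag
     "user": "CORP\\jdoe", "dest": "WS01"},
    {"_time": 1700000300, "EventCode": 1, "process_name": "notepad.exe",
     "CommandLine": "notepad.exe -f notes.txt",  # wrong binary: must not match
     "user": "CORP\\jdoe", "dest": "WS01"},
]

# The CommandLine wildcards from the SPL search clause.
EXPORT_FLAGS = ("*-f *", "*-r *", "*-l *")


def matches(ev):
    """Mirror the search clause: Sysmon process creation of csvde.exe with an export flag.

    Splunk field searches are case-insensitive, so names and command lines are lowercased.
    """
    if ev.get("EventCode") != 1:
        return False
    name_ok = (ev.get("OriginalFileName", "").lower() == "csvde.exe"
               or ev.get("process_name", "").lower() == "csvde.exe")
    cmd = ev.get("CommandLine", "").lower()
    return name_ok and any(fnmatchcase(cmd, pat) for pat in EXPORT_FLAGS)


def risk_score(cmd):
    """Mirror eval case(): first matching branch wins, default 60.

    like() in SPL is case-sensitive, so the substring checks are too.
    """
    if "objectCategory=person" in cmd:
        return 80
    if "objectCategory=computer" in cmd:
        return 75
    if "objectCategory=group" in cmd:
        return 85
    return 60


def aggregate(events, threshold=60):
    """Mirror the stats clause: one row per (user, dest) with count, first/last seen,
    the distinct command lines and the highest risk score, ordered by score descending."""
    rows = {}
    for ev in events:
        if not matches(ev):
            continue
        score = risk_score(ev["CommandLine"])
        if score < threshold:          # the `where risk_score >= 60` filter
            continue
        key = (ev["user"], ev["dest"])
        row = rows.setdefault(key, {
            "user": ev["user"], "dest": ev["dest"], "count": 0,
            "first_seen": ev["_time"], "last_seen": ev["_time"],
            "commands": set(), "risk_score": 0,
        })
        row["count"] += 1
        row["first_seen"] = min(row["first_seen"], ev["_time"])
        row["last_seen"] = max(row["last_seen"], ev["_time"])
        row["commands"].add(ev["CommandLine"])
        row["risk_score"] = max(row["risk_score"], score)   # carried forward for the sort
    return sorted(rows.values(), key=lambda r: r["risk_score"], reverse=True)


if __name__ == "__main__":
    for row in aggregate(SAMPLE_EVENTS):
        print(row["risk_score"], row["user"], row["dest"], row["count"], sorted(row["commands"]))
```

Running it yields three rows: jdoe on WS01 at score 85 (two exports, the group enumeration setting the score), svc_backup on SRV02 at 75, and admin on DC01 at the default 60; the help-only and notepad records never reach scoring. The aggregation keeps the maximum risk score per row so the final ordering has something to sort on; a stats clause in SPL needs the same field carried through (max(risk_score) as risk_score) or the trailing sort is a no-op.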

MITRE ATT&CK Coverage

Detection rules are mapped to 465 MITRE ATT&CK techniques across all 14 tactics, from Initial Access through Impact. The MITRE Coverage Map visualizes which techniques have active detections, where gaps exist, and the detection depth per technique.

Detection Library Features

The detection library is a full-featured search and filter interface built for detection engineers and SOC analysts who need to find the right rule fast.

Multi-Select Filters
Filter by rule format (SPL/KQL/Sigma), severity, MITRE tactic, confidence level, data source, and threat actor simultaneously.
Full-Text Search
Search across rule names, descriptions, query content, and MITRE technique IDs with instant results.
One-Click Export
Copy any rule to clipboard in its native format. Export entire rule sets for bulk import into your SIEM.
Correlation Analysis
See which threats share detection patterns, identify overlapping techniques, and analyze detection debt across your coverage.
// author
Threadlinqs Intel Team
Security Engineer at Threadlinqs Intelligence. Researching active threats, building detection rules, and mapping adversary tradecraft across SPL, KQL, and Sigma.
medium.com/@hatim.bakkali10

Access 2,700+ production-ready detection rules across SPL, KQL, and Sigma formats.
