
Purpose-Built for Detection Engineers

3,553 production-ready detection rules in SPL, KQL, and Sigma — mapped to MITRE ATT&CK and ready for deployment to your SIEM.

3,553 detection rules
3 SIEM languages
465 MITRE techniques
160+ threat campaigns
rule library

Three languages, one library

Every threat in Threadlinqs ships with detection rules in all three major SIEM query languages. No translation required.

SPL (1,184 rules): Splunk Processing Language queries optimized for Enterprise Security and ES correlation searches.

KQL (1,184 rules): Kusto Query Language rules built for Microsoft Sentinel analytics rules and hunting queries.

Sigma (1,185 rules): SIEM-agnostic Sigma rules compatible with any platform through sigconverter or pySigma backends.
the problem

Detection engineering shouldn't be this painful

You're the person standing between a threat advisory and a working detection. The bottleneck isn't skill — it's tooling.


Writing Rules from Scratch

Every new threat advisory lands on your desk as prose — actor name, some IOCs, maybe a MITRE mapping. You translate that into SPL, test it, tune the false positive rate, then repeat the entire process for KQL and Sigma. A single threat can consume an entire afternoon of engineering time.


Maintaining Three SIEM Languages

Your organization runs Splunk for the SOC and Sentinel for the cloud team. The MSSP wants Sigma. Every detection now requires three versions, three testing cycles, and three maintenance workflows. The cognitive overhead of context-switching between query syntaxes is real and measurable.


Tracking MITRE Coverage Gaps

You know you have detections for credential dumping and lateral movement. But what about resource development? Collection? You maintain a spreadsheet that's perpetually three weeks behind reality. Without a live coverage map, you're guessing at where the gaps are.


Translating Intel into Detections

The threat intel team sends a PDF. The SOC sends a Slack message. The CISO sends an email asking if you're covered. Each source uses different terminology, different IOC formats, different levels of specificity. The translation layer from intelligence to detection is entirely manual — and it's where coverage gaps are born.

the solution

How Threadlinqs eliminates the bottleneck

Intelligence pre-packaged as deployable detection logic. The translation layer is already built.

01

Every Threat Ships with 9 Detection Rules

Each threat in the Threadlinqs intelligence feed comes with three SPL rules, three KQL rules, and three Sigma rules — all written, tested, and mapped to specific MITRE ATT&CK techniques. The rules target different stages of the attack chain: initial access indicators, execution patterns, and persistence mechanisms.

02

One-Click Copy to Clipboard

Every rule in the detection library has a copy button. Click it, paste it into your SIEM, and you have a working detection. No reformatting, no syntax debugging, no manual escaping of special characters. The rules are formatted for direct consumption by Splunk, Sentinel, and Sigma-compatible platforms.

03

MITRE Technique Mapping Per Rule

Every detection rule is tagged with its corresponding MITRE ATT&CK technique ID, tactic, and sub-technique where applicable. When you deploy a rule, you know exactly which gap in your coverage matrix it fills. No more guessing whether T1059.001 is covered — the mapping is explicit and queryable.

04

Detection Debt Scoring

The advanced correlation engine calculates a detection debt score for every uncovered technique based on threat prevalence, actor activity, and technique popularity. High-severity threats targeting your sector with no corresponding detection get flagged first. You prioritize rule development by risk, not by recency.

SPL: Detect LSASS Memory Access via Suspicious Process
severity: critical | technique: T1003.001 | confidence: high | tactic: Credential Access

index=sysmon EventCode=10 TargetImage="*\\lsass.exe" NOT SourceImage IN ("*\\csrss.exe","*\\lsm.exe","*\\wmiprvse.exe")
| where GrantedAccess IN ("0x1010","0x1410","0x1438","0x143a")
| stats count min(_time) as first max(_time) as last by SourceImage TargetImage Computer
| where count > 0
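The same filter and aggregation as the SPL rule above, re-expressed in Python over constructed Sysmon Event ID 10 records. This is an added example, not a rule from the Threadlinqs library; the function names and the sample events are assumptions made here so the logic can be unit-tested offline before the rule is deployed.

```python
from fnmatch import fnmatch
from collections import defaultdict

# Same exclusion list and GrantedAccess watch list as the SPL rule.
EXCLUDED_SOURCES = ("*\\csrss.exe", "*\\lsm.exe", "*\\wmiprvse.exe")
SUSPICIOUS_ACCESS = {"0x1010", "0x1410", "0x1438", "0x143a"}

def matches(value, pattern):
    # Splunk search-time wildcard matching is case-insensitive, so lower both sides.
    return fnmatch(value.lower(), pattern.lower())

def is_suspicious_lsass_access(event):
    """Mirror the SPL filters: EventCode 10, target is lsass.exe, source is not
    an excluded system process, and GrantedAccess is on the watch list."""
    if event.get("EventCode") != 10:
        return False
    if not matches(event.get("TargetImage", ""), "*\\lsass.exe"):
        return False
    if any(matches(event.get("SourceImage", ""), p) for p in EXCLUDED_SOURCES):
        return False
    return event.get("GrantedAccess", "").lower() in SUSPICIOUS_ACCESS

def summarize(events):
    """Equivalent of `stats count min(_time) as first max(_time) as last by
    SourceImage TargetImage Computer`; returns {(src, tgt, host): (count, first, last)}."""
    groups = defaultdict(list)
    for e in events:
        if is_suspicious_lsass_access(e):
            groups[(e["SourceImage"], e["TargetImage"], e["Computer"])].append(e["_time"])
    return {k: (len(v), min(v), max(v)) for k, v in groups.items()}

# Constructed sample events (hypothetical hosts and paths, not real telemetry).
LSASS = "C:\\Windows\\System32\\lsass.exe"
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 10, "Computer": "WS01",
     "SourceImage": "C:\\Users\\a\\tool.exe", "TargetImage": LSASS, "GrantedAccess": "0x1410"},
    {"_time": 1700000060, "EventCode": 10, "Computer": "WS01",
     "SourceImage": "C:\\Users\\a\\tool.exe", "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"_time": 1700000120, "EventCode": 10, "Computer": "WS01",  # excluded source process
     "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": LSASS, "GrantedAccess": "0x1410"},
    {"_time": 1700000180, "EventCode": 10, "Computer": "WS01",  # mask not on the watch list
     "SourceImage": "C:\\Program Files\\AV\\scan.exe", "TargetImage": LSASS, "GrantedAccess": "0x1000"},
    {"_time": 1700000240, "EventCode": 1, "Computer": "WS01",   # not a ProcessAccess event
     "SourceImage": "C:\\Users\\a\\tool.exe", "TargetImage": LSASS, "GrantedAccess": "0x1410"},
]

if __name__ == "__main__":
    for key, (count, first, last) in summarize(SAMPLE_EVENTS).items():
        print(key, count, first, last)
```

Running it yields a single group for tool.exe with count 2; the other three events fall out at the exclusion, access-mask and EventCode checks respectively. The SPL's trailing `where count > 0` is a no-op, since `stats` only emits groups that have at least one event.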
workflow

From library to SIEM in five steps

The detection engineering workflow Threadlinqs was designed around.

01

Browse Library

Open the detection library. 3,553 rules across SPL, KQL, and Sigma, searchable by keyword or technique ID.

02

Filter

Use the multi-select sidebar to narrow by type, severity, confidence, MITRE tactic, index, sourcetype, or author.

03

Copy Rule

Click the copy button. The rule is formatted and ready for your SIEM — no syntax adjustments needed.

04

Deploy to SIEM

Paste it into a Splunk saved search, a Sentinel analytics rule, or a Sigma conversion pipeline. Activate and monitor.

05

Validate

Use the attack simulation view to confirm the detection fires against known TTPs for the associated threat.

capabilities

Key features for detection engineers

Detection Library

Multi-select filter sidebar with checkboxes for type, severity, confidence, tactic, index, sourcetype, table, author, and actor. Real-time count badges.

Coverage Map

MITRE ATT&CK heatmap showing detection density per technique. Color-coded by threat count. Click any cell to see associated rules.

Detection Debt Analysis

Uncovered techniques ranked by debt score. Prioritize rule development based on threat prevalence and actor targeting patterns.

Attack Simulations

Simulation scenarios mapped to each threat for detection validation. Confirm your rules fire before an attacker tests them for you.

Syntax Highlighting

SPL, KQL, and Sigma rules rendered with language-aware syntax highlighting. Keywords, operators, field names, and strings are visually distinct.

related solutions

Solutions for your entire security team

// soc_teams

For SOC Teams

Real-time threat feeds, daily debriefs, and IOC context that accelerates alert triage and threat response across every shift.

// threat_hunters

For Threat Hunters

10,168 IOCs, 214 threat actors, and 10 correlation types. Actor dossiers, infrastructure mapping, and intelligence-driven hunt workflows.

Stop writing rules from scratch

3,553 production-ready detection rules are waiting. Browse, filter, copy, deploy — and get back to the engineering work that matters.
