DETECT
SIEM query builder
Pick a reviewed detection and get the exact query for Splunk, Sentinel, Defender XDR, Elastic,
OpenSearch and QRadar - compiled deterministically, so field names and operators are correct by construction,
not guessed. Deterministic: same input, same query, every time.
● No AI in the loop · deterministic and correct by construction
Pick a detection
Build conditions
Exclude (optional) - drop a match if any are true
Fields are the generic Sigma taxonomy for the event type; the compiler maps each to the right field per SIEM. Unsupported combos show inline on that SIEM's tab.
Pseudocode
Grammar:
event ∈ process, network, dns, file, registry, ps, auth
<event> where <cond> [and|or <cond>]…
cond := field op value | field in (v1,v2,…)
op := == | contains | startswith | endswith | matches | > | >= | < | <= | cidr
Examples: mimikatz · office powershell · beacon to 443 · long DNS query · in(...) list
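As an added example (not the builder's own code), the grammar above implemented as a small compiler: it tokenizes and parses `<event> where <cond> [and|or <cond>]…`, maps each generic field through a per-backend field table, emits a Splunk search and a KQL query, and reports a combination the backend cannot express inline instead of guessing a field or operator. `FIELD_MAP` and `SOURCE` are assumptions standing in for the tool's real per-SIEM tables, and only Splunk and KQL (Sentinel / Defender XDR) backends are shown.

```python
# Added example (not the tool's code): a tiny deterministic compiler for the builder's pseudocode
# grammar, emitting Splunk SPL and KQL. FIELD_MAP and SOURCE are stand-in assumptions, not the
# tool's real per-SIEM field tables.
import re

EVENTS = ("process", "network", "dns", "file", "registry", "ps", "auth")
OPS = ("==", "contains", "startswith", "endswith", "matches", ">", ">=", "<", "<=", "cidr", "in")
FIELD_MAP = {  # assumed: generic Sigma field -> backend field, per event type
    "splunk": {"process": {"Image": "Image", "CommandLine": "CommandLine"},
               "network": {"DestinationIp": "dest_ip", "DestinationPort": "dest_port"}},
    "kql": {"process": {"Image": "FolderPath", "CommandLine": "ProcessCommandLine"},
            "network": {"DestinationIp": "RemoteIP", "DestinationPort": "RemotePort"}}}
SOURCE = {  # assumed: log source each event type is scoped to
    "splunk": {"process": "index=sysmon EventCode=1", "network": "index=sysmon EventCode=3"},
    "kql": {"process": "DeviceProcessEvents", "network": "DeviceNetworkEvents"}}
TOKEN = r'\s*(?:"([^"]*)"|(==|>=|<=|[<>(),])|([\w.]+))'  # quoted value | symbol | word or number

def tokenize(text):  # validate the whole string first so nothing is silently skipped
    if not re.fullmatch(rf"(?:{TOKEN})*\s*", text):
        raise ValueError("query contains text outside the grammar's token shapes")
    return [("str", s) if s is not None else ("sym", sym) if sym is not None else
            ("int", int(word)) if word.isdigit() else ("word", word)
            for s, sym, word in (m.groups() for m in re.finditer(TOKEN, text))]

def parse(text):
    """Return (event, conds, joins): conds are (field, op, values) tuples, joins are "and"/"or"."""
    toks, i = tokenize(text), 0

    def take(kinds, *allowed):  # consume one token of an allowed kind (and allowed value, if any)
        nonlocal i
        kind, val = toks[i] if i < len(toks) else ("end", None)
        if kind not in kinds or (allowed and val not in allowed):
            raise ValueError(f"expected {allowed or kinds}, got {val!r}")
        i += 1
        return val

    event = take(("word",), *EVENTS)
    take(("word",), "where")
    conds, joins = [], []
    while True:
        field, op = take(("word",)), take(("word", "sym"), *OPS)
        if op == "in":  # field in (v1, v2, ...)
            take(("sym",), "(")
            values = [take(("str", "int"))]
            while take(("sym",), ",", ")") == ",":
                values.append(take(("str", "int")))
        else:
            values = [take(("str", "int"))]
        conds.append((field, op, tuple(values)))
        if i == len(toks):
            return event, tuple(conds), tuple(joins)
        joins.append(take(("word",), "and", "or"))

def lit(backend, v):  # backend string literal; numbers stay bare
    if isinstance(v, int):
        return str(v)
    if backend == "splunk":  # backslash and quote are backslash-escaped
        return '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return '@"' + v.replace('"', '""') + '"'  # KQL verbatim string: only the quote is doubled

def cond(backend, f, op, vals):  # one condition, or None if the backend cannot express it inline
    v = vals[0]
    if op == "in":
        items = ", ".join(lit(backend, x) for x in vals)
        return f"{f} {'IN' if backend == 'splunk' else 'in'} ({items})"
    if backend == "kql":
        if op == "==":  # =~ keeps Sigma's case-insensitive string match; numbers compare exactly
            return f"{f} == {v}" if isinstance(v, int) else f"{f} =~ {lit('kql', v)}"
        if op == "matches":
            return f"{f} matches regex {lit('kql', v)}"
        if op == "cidr":
            return f"ipv4_is_in_range({f}, {lit('kql', v)})"
        return f"{f} {op} {lit('kql', v)}"  # contains / startswith / endswith / comparisons
    if op in ("contains", "startswith", "endswith"):  # Splunk: wildcards go inside the search literal
        pattern = {"contains": f"*{v}*", "startswith": f"{v}*", "endswith": f"*{v}"}[op]
        return f"{f}={lit('splunk', pattern)}"
    if op in ("==", ">", ">=", "<", "<="):
        return f"{f}{'=' if op == '==' else op}{lit('splunk', v)}"
    return None  # matches / cidr need a `| regex` or `| where cidrmatch()` stage: unsupported here

def compile_all(text):
    """{"splunk": ..., "kql": ...}: a query, or an inline unsupported note. Same text, same output."""
    event, conds, joins = parse(text)
    out = {}
    for backend, kw in (("splunk", {"and": "AND", "or": "OR"}), ("kql", {"and": "and", "or": "or"})):
        fmap, parts = FIELD_MAP[backend].get(event, {}), []
        for field, op, values in conds:
            piece = cond(backend, fmap[field], op, values) if field in fmap else None
            if piece is None:  # report inline rather than guess a field name or operator
                out[backend] = f"unsupported on {backend}: {field} {op} ({event} event)"
                break
            parts.append(piece)
        else:
            expr = parts[0]  # fold left to right with explicit parentheses: same nesting everywhere
            for j, p in zip(joins, parts[1:]):
                expr = f"({expr} {kw[j]} {p})"
            src = SOURCE[backend][event]
            out[backend] = f"{src} {expr}" if backend == "splunk" else f"{src}\n| where {expr}"
    return out
```

`compile_all('process where Image endswith "\\mimikatz.exe" or CommandLine contains "sekurlsa"')` returns one Splunk search and one KQL query for the same condition tree. Two design choices carry the page's "correct by construction" point: the tokenizer rejects the whole input if any character falls outside the grammar rather than skipping it, and `and`/`or` are folded left to right with explicit parentheses so the nesting does not depend on each backend's operator precedence. `matches` and `cidr` on Splunk come back as an unsupported note because this simplified emitter only produces a single search stage.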
Hunt indicators
Pasted indicators become a Sigma rule (DestinationIp / QueryName / Hashes / c-uri); the compiler maps the field per backend - no invented names. Auto-detect reads each line's type; because one rule targets one log source, a mixed list builds the dominant type and tells you what to build separately. Paste straight from the IOC triage page or from your own findings.
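An added example (not the tool's code) of the indicator-to-rule step described above: each pasted line is auto-detected as an IP, domain, hash or URI path, the dominant type becomes one Sigma rule using that type's taxonomy field and logsource, and every other line comes back in a "build separately" list. The field names and logsource categories are Sigma taxonomy; the tie-break order, the defang handling, the `unknown` bucket and the sample values are this example's own.

```python
# Added example (not the tool's code): one Sigma rule from a pasted indicator list, following the
# page's rule that a rule targets one log source. Field names and logsource categories are Sigma
# taxonomy; the tie-break order, defang handling and the 'unknown' bucket are this example's own.
import ipaddress
import re
from collections import Counter

TYPES = {  # Sigma field -> logsource category that carries it; dict order is the tie-break
    "DestinationIp": "network_connection",
    "QueryName": "dns_query",
    "Hashes": "process_creation",
    "c-uri": "webserver",
}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
HASH_ALGO = {32: "MD5", 40: "SHA1", 64: "SHA256"}  # by hex length


def classify(line):
    """Auto-detect one pasted line: (Sigma field, normalized value), ("unknown", line), or None."""
    s = line.strip(" \t\r,;").replace("[.]", ".").replace("(.)", ".")  # undo common defanging
    if not s or s.startswith("#"):
        return None  # blank line or comment
    try:
        return "DestinationIp", str(ipaddress.ip_address(s))
    except ValueError:
        pass
    if len(s) in HASH_ALGO and re.fullmatch(r"[0-9a-fA-F]+", s):
        return "Hashes", f"{HASH_ALGO[len(s)]}={s.upper()}"  # Sysmon Hashes field is "ALGO=hex,..."
    if s.startswith("/"):
        return "c-uri", s
    if DOMAIN_RE.match(s):
        return "QueryName", s.lower()
    return "unknown", s


def build_rule(text, title="Pasted indicators hunt"):
    """One Sigma rule for the dominant indicator type; everything else comes back under 'skipped'."""
    classified = [c for c in map(classify, text.splitlines()) if c]
    counts = Counter(field for field, _ in classified if field in TYPES)
    if not counts:
        raise ValueError("no recognizable indicators")
    field = max(TYPES, key=lambda t: counts[t])  # max returns the first of equal counts
    values = sorted({v for f, v in classified if f == field})  # dedupe, stable order
    others = [f for f in dict.fromkeys(g for g, _ in classified) if f != field]
    skipped = {f: [v for g, v in classified if g == f] for f in others}
    modifier = "|contains" if field == "Hashes" else ""  # match one algorithm inside the Hashes list
    lines = [f"title: '{title.replace(chr(39), chr(39) * 2)}'", "status: experimental",
             "logsource:", f"  category: {TYPES[field]}",
             "detection:", "  selection:", f"    {field}{modifier}:"]
    lines += [f"      - '{v.replace(chr(39), chr(39) * 2)}'" for v in values]  # YAML single-quoted
    lines += ["  condition: selection", "level: medium"]
    return {"field": field, "rule": "\n".join(lines) + "\n", "skipped": skipped}


SAMPLE = """\
# constructed sample paste: mostly IPs (documentation ranges), plus a domain and a placeholder hash
198.51.100.23
203.0.113[.]7
bad.example
198.51.100.23
0123456789abcdef0123456789abcdef
"""
```

`build_rule(SAMPLE)` builds a `network_connection` rule on `DestinationIp` with the two distinct addresses and returns the domain and the hash under `skipped`, which is what the page means by telling you what to build separately. Hashes are normalized to the `ALGO=hex` form and matched with `|contains`, since the Sysmon `Hashes` field carries several algorithms in one string.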
Sigma source
Analysts trust seeing the source - the YAML is editable.
Compiled query
Select a detection, then compile.