Clankerusecase A threat-led detection library — pre-validated queries for SOC, threat hunters, and CTI teams. Test before production.
1444
Articles
3978
Detections Mapped
170
ATT&CK
812
CVEs
872
Critical
Search articles, techniques, CVEs CtrlK
SOC Cheat Sheet GitHub

Threat-led detection platform

Threat-led detections and hunts
built for modern SOC teams.

Continuously updated operational detections mapped to real attacker behaviour across Splunk, Sentinel, Defender, Sigma, Datadog, and CrowdStrike Falcon LogScale.

Try
3,978
Detections mapped
170
ATT&CK techniques
7
Query languages
1,444
Threat-intel articles
Continuously updatedMapped to MITRE ATT&CKMulti-platform queriesAutomated detection pipeline
Updated just now

What Clankerusecase gives your SOC

Six things every detection on the site has, by default — built for analysts who run real queues, not to fill a compliance checklist.

Threat-led, not template-led

Detections are written against active campaigns, malware families, and CVEs — pulled from 11+ vendor and CTI feeds every two hours.

SOC-ready hunting logic

Each detection ships with a starting query, the IOCs it pivots on, and the kill-chain phase it covers.

Multi-platform queries

Splunk SPL (CIM), Microsoft Defender KQL, Microsoft Sentinel KQL, Sigma, and Datadog Cloud SIEM — generated side-by-side.

Mapped to MITRE ATT&CK

Every use case is tied to its technique and sub-technique — search the matrix, pivot to detections, see the gaps.

Analyst-focused context

Not generic compliance rules: each detection carries the article it came from, the actor, the IOCs, and a kill-chain trail.

Automated detection pipeline

Threat intel in, detections out — continuously, with caching and circuit breakers so nothing stalls when an upstream flaps.

Built for the whole SOC

Useful at every level of a security operation — from first-hour triage to coverage reporting at the board level.

SOC Analyst

Triage faster with detection logic tied to today's threat landscape, not last year's templates.

Detection Engineer

Multi-platform queries — Splunk SPL, Defender KQL, Sentinel KQL, Sigma, Datadog — ready to lift, tune, deploy.

Threat Hunter

Pivot from a fresh CTI article to a working hunt query in the same minute.

SOC Manager

See coverage across MITRE ATT&CK, by platform, and against the campaigns hitting the wire this week.

Security Leadership

An open, inspectable record of what the SOC is detecting and where the gaps still are.

Browse the library

Find detections by the way your SOC works — the query language you run, the surface you defend, or the tactic you care about today.

By query language

By environment

CloudAWS · Azure · GCP · Kubernetes EndpointWindows · macOS · Linux IdentityM365 · Entra ID · Okta WebWeb apps · CDN · WAF

By MITRE ATT&CK tactic

Browse by threat actor →  ·   Open the Detection Library →  ·   Browse IOCs →

Why this is a serious detection platform

Three signals that separate an operational detection library from a marketing page.

Continuously updated

Updated just now — the detection pipeline runs every two hours, pulls fresh threat intelligence from 11+ feeds, and regenerates the library end-to-end.

This run analysed 1,444 articles, mapped each to MITRE ATT&CK, and produced queries across six platforms.

Threat-intelligence-driven

Every detection traces back to a public, citable source. No anonymous vendor templates, no generic compliance rules.

The Hacker NewsBleepingComputerMicrosoft Security BlogCISA KEVCisco TalosSecurelist (Kaspersky)SentinelLabsUnit 42ESET WeLiveSecurityLab52Cyber Security News
ℹ︎ What's an AI-badged use case? click to expand

Most use cases on this site come from generic rule files (use_cases/*.yml) — they fire whenever an article mentions a known trigger (e.g. psexecUC_LATERAL_PSEXEC). Useful, but not tailored to the specific attack.

Use cases carrying the AI badge are different. The pipeline asks Claude to read the actual article and write a detection that hunts exactly that campaign / actor / malware — Defender KQL or Splunk SPL pinned to the IOCs and TTPs the article describes. Cross-checked via WebSearch against vendor advisories (Microsoft Threat Intel, Mandiant, CrowdStrike, MITRE, abuse.ch) and linked back as "Cross-checked against:".

They sort to the top of every article card and the matrix drawer because they're the highest-fidelity content here. Use the AI use cases filter below to see only articles where Claude generated bespoke detection logic.

Filters
Source
Source
Content
Platform
Target
Splunk category
Layout

Detection Library

Every use case, structured. Click any card for the full detection page.
Coverage mode none 1 UC 2 UCs 3 UCs 4+ UCs how many of our use cases map to that technique
Heat mode none 1 article 2 articles 3+ articles how many current articles cite that technique
Cell badges ▾4 = 4 sub-techniques 3 UC = 3 use cases mapped 8 art = 8 articles cite it click any cell for the full drawer
Platform coverage D Defender Advanced Hunting KQL S Sentinel KQL Σ Sigma rule P Splunk SPL DD Datadog Cloud SIEM CS CrowdStrike Falcon LogScale CW CloudWatch Logs Insights use the toolbar's platform pills to filter the matrix
📡 About the Intel Feed Real intel from the best threat articles · click to expand

Mission: Provide actionable, contextualised threat intelligence drawn from the day's best security reporting — not a generic IOC firehose. Every indicator below has a story attached: who reported it, when, and which malware/actor/campaign it relates to.

Sources

The Hacker News BleepingComputer Microsoft Security Blog CISA KEV refreshed daily · deduplicated across publications

Pull the feed (always current)

intel/iocs.csv intel/iocs.json intel/iocs.stix.json splunk_lookup_iocs.csv 📡 iocs.rss.xml (RSS 2.0)

Drop the RSS URL into Feedly, Inoreader, Slack RSS, or your TIP's RSS connector to get notified the moment a new high-fidelity IOC lands. The feed shows the latest 100 items, newest first, with severity, source attribution and a click-through to the source article.

What each column tells you

ColumnWhat it meansWhat to do with it
valueThe actual indicator (CVE-ID, IP, domain, hash)Search your telemetry for matches
typecve · ipv4 · domain · sha256 · sha1 · md5Routes you to the right SIEM data model / Defender table
severitycrit / high / med / low — inherited from the articleTriage priority. crit+high get hunted today
sourcesPublication(s) that reported the IOC2+ sources = stronger consensus
first_seenEarliest article publication dateBounds your hunt window
article linkDirect URL to the source articleClick for full context — TTPs, additional IOCs

What you're looking at — by IOC type

  • CVE — a vulnerability identifier; match against your scanner output. Splunk: Vulnerabilities.signature · Defender: DeviceTvmSoftwareVulnerabilities.CveId
  • IPv4 — attacker-controlled C2/scanner IP. Splunk: Network_Traffic.All_Traffic.dest · Defender: DeviceNetworkEvents.RemoteIP
  • Domain — attacker hostname (C2/phishing/download). Splunk: Network_Resolution.DNS.query · Defender: DeviceNetworkEvents.RemoteUrl
  • SHA256 / SHA1 / MD5 — malicious file hashes. Splunk: Endpoint.Filesystem.file_hash · Defender: DeviceFileEvents.SHA256

How we earn the SOC's trust — high-fidelity extraction

A bad IOC feed makes an analyst block legitimate Outlook / GitHub / vendor traffic. So this pipeline is deliberately conservative:

  • CVEs and hashes are extracted by regex — unambiguous format, low false-positive rate.
  • Domains and IPs are accepted only when defanged by the source author (e.g. evil[.]com, 1[.]2[.]3[.]4, hxxps://...). That's the universal "I'm flagging this as malicious" convention.
  • Plain-text domain/IP mentions are rejected. In an RSS summary, a phrase like "Outlook users were affected" or "ASP.NET vulnerability" is the legitimate victim or platform — never an IOC. We don't ship false positives just to look busy.

If today's feed shows mostly CVEs, that reflects an honest reality: KEV publishes structured exploited-CVE data daily; defanged IPs/hashes typically live in technical write-ups whose bodies we cannot scrape. Every IOC you see has earned its place.

Severity meaning

  • CRIT — multiple sources + zero-day + active exploitation → page on-call
  • HIGH — confirmed exploitation, named threat actor, or CISA KEV → hunt this shift
  • MED — reported activity, malware family identified → weekly hunt queue
  • LOW — background reporting → context only

Integration patterns covered: Splunk lookup, Defender Advanced Hunting, MISP, OpenCTI, Sentinel TAXII. Drop the CSV / JSON / STIX feed into your TIP and the schema is documented in each file's header.

Export 📡 Subscribe via RSS Exports reflect current filters · RSS feed auto-refreshes daily
ValueTypeSev SourcesArticleFirst seenArticles
↑↓navigate open escclose

Threat actor coverage by country

Drag to spin · click a pin to filter the grid below. Pin height = actor count, colour = indigo (state) / red (criminal) / purple (mixed).

state criminal mixed
Country
Motivation

Threat actor names + country attribution are extracted from every article body via a curated alias lookup (MITRE ATT&CK Groups, Mandiant, CrowdStrike Bears/Pandas/Cobras, Microsoft Threat Intel Typhoon naming, Unit 42 Sandstorm naming). Click any actor to drill into linked articles, use cases (with SPL/KQL you can run), ATT&CK techniques, and IOCs. Click any technique pill in the drawer to pivot to the Matrix tab and see all UCs covering it.