About & methodology

What this is

Clankerusecase is a free, continuously-updated detection engineering resource. A pipeline watches 11+ threat-intelligence sources (The Hacker News, BleepingComputer, Microsoft Security Blog, Cisco Talos, Securelist, SentinelLabs, Unit 42, ESET, Lab52, CISA KEV, GitHub Security Advisories) and, within ~2 hours of an article publishing, turns it into MITRE ATT&CK-mapped detection use cases with queries for Microsoft Defender (KQL), Microsoft Sentinel (KQL), Splunk (SPL/CIM), Sigma, Datadog Cloud SIEM, and CrowdStrike Falcon LogScale — plus extracted, defanged IOCs and kill-chain context.

Who runs it

This is a solo project by Virtualhaggis — a security practitioner building the tool they wanted on shift: a way to go from "I just read about this campaign" to "here is the query I run" in one click. It runs in spare time, with no company behind it, no SLA, and no warranty. The generator code, the detection content, and the full pipeline are open source: github.com/Virtualhaggis/usecaseintel.

How detections are generated

Two paths feed the library:

• Curated catalogue — hand-built use cases (YAML in the repo) that fire when an article matches known behavioural triggers. Written and reviewed by a human.
• AI-generated use cases (badged AI on the site) — for each new article, Claude reads the full article text, code blocks, IOC tables and screenshots, cross-checks claims against vendor advisories via web search, and drafts detections specific to that campaign. These then go through the validation gauntlet below, with failed queries re-prompted and unsafe or malformed ones dropped.

Every detection links back to its source article, so you can verify the logic against the original reporting in under a minute.

What we validate — and what we don't

Every published query is checked for:

• Defender / Sentinel KQL: real grammar parse (Microsoft Kusto.Language) + table and column names validated against a 58-table, 1,600+-column schema, with automatic near-miss correction.
• Splunk SPL: structural validation (balanced quotes/parentheses/macros, CIM datamodel allowlist).
• Sigma: parses via pySigma with required-field checks.
• CloudWatch Logs Insights: keyword/field heuristics against the CloudTrail schema.
• All platforms: a safety denylist — queries containing side-effectful commands (e.g. outputlookup, sendemail, externaldata()) are never published.
• MITRE technique IDs validated against the current ATT&CK release.

What we do NOT do (yet):

• Execute queries against live telemetry or replayed attack data — schema-valid is not the same as field-tested.
• Measure real-world false-positive rates. The per-UC confidence and FP guidance are model-assessed estimates, not measurements.
• Guarantee performance — some hunting queries are expensive on large tenants.

Bottom line: treat everything here as a strong, context-rich starting point. Test in staging, tune the allowlists to your environment, then promote to production.

What the labels mean

• Alerting tier — specific enough (named binaries, hashes, thresholds, temporal correlation) that it is a candidate for alerting after tuning. Hunting tier — needs analyst review; expect noise.
• Confidence (High/Medium/Low) — the generator's assessment of how tightly the query matches the attack described in the source article. It is not a measured precision figure.
• AI badge — generated by the pipeline for a specific article, cross-checked against vendor advisories. Weekly — synthesised across the fortnight's articles.
• SVS (SOC Value Score) — a 0-100 composite of probability, impact, detectability, and effort, for ranking the library. Heuristic, not gospel.

Using the content

Everything is MIT-licensed — code and detection content. Deploy the queries in your SOC, adapt them, ship them in internal detection libraries, use them commercially. Attribution is appreciated but not required. Machine-readable exports, refreshed every run:

• IOC feed — CSV · JSON · STIX 2.1 · RSS · Splunk lookup
• Use-case catalogue (JSON) and rule packs — Splunk savedsearches.conf and Sentinel ARM templates
• Sigma rules (compile to KQL/SPL/Lucene via pySigma)
• The full repo — clone it, the briefings and use-case YAML are all in there

Found a bad detection?

Tell us — that is how an AI-assisted library earns trust. Open a GitHub issue with the UC title and what is wrong (false positives, broken syntax, wrong field, missed coverage). Reports get triaged and fixes ship through the normal pipeline runs.