DuckIntel / Security Tools

SIEM Query Builder

Generate SIEM detection queries from IOCs. Supports Splunk SPL, Microsoft KQL (Sentinel), Elastic, YARA, Sigma, Chronicle, and SentinelOne Deep Visibility.

The SIEM Query Builder generates detection queries from lists of indicators of compromise. Paste IPs, domains, hashes, URLs, or email addresses and instantly get search queries for Splunk SPL, Microsoft Sentinel KQL, Elastic DSL, YARA rules, Sigma rules, Chronicle YARA-L, and SentinelOne Deep Visibility — all formatted and ready to copy into your SIEM.

Writing detection rules from scratch for every new IOC is tedious when you are responding to an active incident or processing a large threat intelligence report. The SIEM Query Builder handles the boilerplate — it knows the correct field names, operators, and syntax for each platform and formats multi-value queries correctly. What would take 20 minutes per platform takes 10 seconds with this tool.

The tool supports all major SIEM platforms used in enterprise environments. Splunk SPL queries use index= and sourcetype= patterns with OR-concatenated IOC lists. KQL queries target the appropriate Microsoft Sentinel and Defender tables. YARA rules are formatted with proper metadata and string sections. Sigma rules are output in YAML with correct detection and logsource fields.
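As an added illustration of the approach described above (this is example code, not DuckIntel's or the SIEM Query Builder's own implementation), the following Python script classifies a pasted list of raw indicators by type, then emits an OR-concatenated Splunk search and one Sigma YAML rule per indicator type. The Splunk field names (src_ip, dest_ip, query, dest, file_hash, url, sender, recipient) and the Sigma logsource categories and field names are assumed CIM-style and Sigma-style defaults, not values taken from the page, and the IOC list is constructed from reserved example values (an RFC 5737 address, the .example TLD, the MD5 of the empty string), so none of it is a real indicator. Values are quoted and escaped before they are placed in a query so that indicator text cannot alter the query's structure.

```python
"""Minimal IOC -> SIEM query generator (added illustration, not DuckIntel's code)."""
import ipaddress
import re
import uuid
from collections import defaultdict

# Constructed sample IOC list built from reserved/example values; none is a real indicator.
SAMPLE_IOCS = [
    "198.51.100.23",                        # RFC 5737 TEST-NET-2 address
    "malicious.example",                    # reserved .example TLD
    "d41d8cd98f00b204e9800998ecf8427e",     # MD5 of the empty string
    "http://malicious.example/payload.bin",
    "attacker@malicious.example",
    "not an ioc",                           # exercises the 'unknown' path
]

_HASH = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")  # MD5/SHA1/SHA256
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")


def classify_ioc(value: str) -> str:
    """Classify a raw indicator as ip, hash, url, email, domain or unknown."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if _HASH.match(v):
        return "hash"
    if "://" in v:  # URLs are tested before email/domain so "http://a@b" is not mis-typed
        return "url"
    if _EMAIL.match(v):
        return "email"
    if _DOMAIN.match(v):
        return "domain"
    return "unknown"


def group_iocs(iocs):
    """Bucket indicators by type, dropping unknowns and duplicates while preserving order."""
    groups = defaultdict(list)
    for raw in iocs:
        kind, v = classify_ioc(raw), raw.strip()
        if kind != "unknown" and v not in groups[kind]:
            groups[kind].append(v)
    return dict(groups)


# Assumed CIM-style Splunk field names per IOC type (not from the page; adjust to your data model).
SPL_FIELDS = {
    "ip": ["src_ip", "dest_ip"],
    "domain": ["query", "dest"],
    "hash": ["file_hash"],
    "url": ["url"],
    "email": ["sender", "recipient"],
}


def spl_quote(value: str) -> str:
    """Quote a value for SPL, escaping backslashes and double quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_spl(iocs, index: str = "*") -> str:
    """Emit one Splunk search: index=<index> ((f=v OR f=v ...) OR (...)) | stats ..."""
    groups = group_iocs(iocs)
    clauses = []
    for kind in sorted(groups):
        terms = [f"{field}={spl_quote(v)}" for field in SPL_FIELDS[kind] for v in groups[kind]]
        clauses.append("(" + " OR ".join(terms) + ")")
    if not clauses:
        raise ValueError("no recognised IOCs in input")
    return f"index={index} (" + " OR ".join(clauses) + ") | stats count by index, sourcetype"


# Assumed Sigma logsource categories and field names per IOC type (not from the page).
SIGMA_MAP = {
    "ip": ("network_connection", "DestinationIp"),
    "domain": ("dns_query", "QueryName"),
    "hash": ("process_creation", "Hashes|contains"),
}


def build_sigma(iocs, title: str = "IOC match") -> dict:
    """Emit one Sigma rule (YAML text) per IOC type that has a Sigma mapping, keyed by type."""
    rules = {}
    for kind, values in group_iocs(iocs).items():
        if kind not in SIGMA_MAP:
            continue
        category, field = SIGMA_MAP[kind]
        rule_id = uuid.uuid5(uuid.NAMESPACE_URL, f"{title}/{kind}")  # stable id per rule
        lines = [
            f"title: {title} ({kind})",
            f"id: {rule_id}",
            "status: experimental",
            "logsource:",
            f"  category: {category}",
            "detection:",
            "  selection:",
            f"    {field}:",
        ]
        lines += ["      - '" + v.replace("'", "''") + "'" for v in values]  # YAML single-quote escape
        lines += ["  condition: selection", "level: high"]
        rules[kind] = "\n".join(lines) + "\n"
    return rules


if __name__ == "__main__":
    print(build_spl(SAMPLE_IOCS, index="main"))
    for text in build_sigma(SAMPLE_IOCS).values():
        print(text)
```

Run it as-is to see the generated Splunk search and three Sigma rules for the constructed list; in practice the field mappings are the part that needs adjusting to the local data model, which is exactly the per-platform knowledge the paragraph above says the tool encodes.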

Related tools

- IOC Bulk Scanner
- Duck Decoder
- Threat Intelligence Feed
- MITRE ATT&CK Navigator

Part of DuckIntel.io — 59 free browser-based security tools for SOC analysts. No login. No tracking. 100% client-side.