Security-Detections-MCP

# Security Detections MCP An MCP (Model Context Protocol) server that lets LLMs query a unified database of **Sigma**, **Splunk ESCU**, **Elastic**, **KQL**, **Sublime**, and **CrowdStrike CQL** security detection rules. > **New here? Start with the [Setup Guide](./SETUP.md)** -- covers macOS, Windows (WSL & native), and Linux step by step. > > **Want it hosted? Skip the install entirely: [Hosted MCP Setup Guide](./docs/HOSTED_MCP.md)** ## Two Ways to Run It **Local (full power)** — the npm package you're looking at. Runs on your machine, indexes your own detection repos, exposes all 81 tools. You need Node.js and ~10 minutes. **Hosted (zero setup)** — a Streamable HTTP server at [`detect.michaelhaag.org/api/mcp/mcp`](https://detect.michaelhaag.org/mcp). Sign up, generate a token, paste one URL into your MCP client. ~25 read-only tools, always in sync with the latest content, 200 calls/day free. Read on for quick-install buttons. ### Install — Local [](https://cursor.com/en/install-mcp?name=security-detections&config=eyJjb21tYW5kIjoibnB4IiwiYXJncyI6WyIteSIsInNlY3VyaXR5LWRldGVjdGlvbnMtbWNwIl0sImVudiI6eyJTSUdNQV9QQVRIUyI6Ii9wYXRoL3RvL3NpZ21hL3J1bGVzLC9wYXRoL3RvL3NpZ21hL3J1bGVzLXRocmVhdC1odW50aW5nIiwiU1BMVU5LX1BBVEhTIjoiL3BhdGgvdG8vc2VjdXJpdHlfY29udGVudC9kZXRlY3Rpb25zIiwiU1RPUllfUEFUSFMiOiIvcGF0aC90by9zZWN1cml0eV9jb250ZW50L3N0b3JpZXMiLCJFTEFTVElDX1BBVEhTIjoiL3BhdGgvdG8vZGV0ZWN0aW9uLXJ1bGVzL3J1bGVzIiwiS1FMX1BBVEhTIjoiL3BhdGgvdG8va3FsLXJ1bGVzIiwiU1VCTElNRV9QQVRIUyI6Ii9wYXRoL3RvL3N1YmxpbWUtcnVsZXMvZGV0ZWN0aW9uLXJ1bGVzIiwiQ1FMX0hVQl9QQVRIUyI6Ii9wYXRoL3RvL2NxbC1odWIvcXVlcmllcyJ9fQ==) [](https://vscode.dev/redirect?url=vscode:mcp/install?name=security-detections&config=%7B%22type%22%3A%22stdio%22%2C%22command%22%3A%22npx%22%2C%22args%22%3A%5B%22-y%22%2C%22security-detections-mcp%22%5D%7D) [](https://insiders.vscode.dev/redirect?url=vscode-insiders:mcp/install?name=security-detections&config=%7B%22type%22%3A%22stdio%22%2C%22command%22%3A%22npx%22%2C%22args%22%3A%5B%22-y%22%2C%22security-detections-mcp%22%5D%7D) **Claude Code** (CLI one-liner): ```bash claude mcp add security-detections -- npx -y security-detections-mcp ``` **Claude Desktop** — add to `claude_desktop_config.json`: ```json { "mcpServers": { "security-detections": { "command": "npx", "args": ["-y", "security-detections-mcp"] } } } ``` **OpenAI Codex** (CLI): ```bash codex mcp add security-detections -- npx -y security-detections-mcp ``` > After install, configure env vars (`SIGMA_PATHS`, `SPLUNK_PATHS`, etc.) to point at your detection repos. See the [Setup Guide](./SETUP.md) for full details. ### Install — Hosted (no setup, token required) 1. **Create a token** at [detect.michaelhaag.org/account/tokens](https://detect.michaelhaag.org/account/tokens). Free tier: 200 calls/day, all read-only tools. 2. **Click the button for your client** — replace `sdmcp_YOUR_TOKEN_HERE` in the resulting config with the token you just generated. [](https://cursor.com/en/install-mcp?name=security-detections-hosted&config=eyJ1cmwiOiJodHRwczovL2RldGVjdC5taWNoYWVsaGFhZy5vcmcvYXBpL21jcC9tY3AiLCJoZWFkZXJzIjp7IkF1dGhvcml6YXRpb24iOiJCZWFyZXIgc2RtY3BfWU9VUl9UT0tFTl9IRVJFIn19) [](https://vscode.dev/redirect?url=vscode:mcp/install?name=security-detections&config=%7B%22type%22%3A%22http%22%2C%22url%22%3A%22https%3A%2F%2Fdetect.michaelhaag.org%2Fapi%2Fmcp%2Fmcp%22%2C%22headers%22%3A%7B%22Authorization%22%3A%22Bearer%20sdmcp_YOUR_TOKEN_HERE%22%7D%7D) [](https://insiders.vscode.dev/redirect?url=vscode-insiders:mcp/install?name=security-detections&config=%7B%22type%22%3A%22http%22%2C%22url%22%3A%22https%3A%2F%2Fdetect.michaelhaag.org%2Fapi%2Fmcp%2Fmcp%22%2C%22headers%22%3A%7B%22Authorization%22%3A%22Bearer%20sdmcp_YOUR_TOKEN_HERE%22%7D%7D) **Claude Code** (CLI one-liner): ```bash claude mcp add --transport http security-detections https://detect.michaelhaag.org/api/mcp/mcp --header "Authorization: Bearer sdmcp_YOUR_TOKEN_HERE" ``` **Claude Desktop** (via [`mcp-remote`](https://github.com/geelen/mcp-remote) — Desktop doesn't speak remote HTTP natively yet): ```json { "mcpServers": { "security-detections": { "command": "npx", "args": [ "-y", "mcp-remote", "https://detect.michaelhaag.org/api/mcp/mcp", "--header", "Authorization: Bearer sdmcp_YOUR_TOKEN_HERE" ] } } } ``` **OpenAI Codex** (CLI): ```bash export SDMCP_TOKEN="sdmcp_YOUR_TOKEN_HERE" && codex mcp add security-detections --url https://detect.michaelhaag.org/api/mcp/mcp --bearer-token-env-var SDMCP_TOKEN ``` See the [Hosted MCP Setup Guide](./docs/HOSTED_MCP.md) for the full table of clients, the complete tool inventory, and troubleshooting tips. ## AI Model Routing (Web App) The web chat supports Free, Pro/Admin, and BYOK (Bring Your Own Key) routing. You can also see the active model at the top of the chat UI. ### Free Tier (default) - Default model: `nvidia/nemotron-3-super-120b-a12b:free` - Automatic fallback order if the first model is busy: 1. `nvidia/nemotron-3-super-120b-a12b:free` 2. `nousresearch/hermes-3-llama-3.1-405b:free` 3. `meta-llama/llama-3.3-70b-instruct:free` 4. `openai/gpt-oss-120b:free` ### Pro/Admin (no BYOK key set) Uses app-managed OpenRouter routing with your **Preferred Model** setting in `/account`: | Preferred Model | Routed model | |---|---| | `auto` | Free model pool (default: `nvidia/nemotron-3-super-120b-a12b:free`) | | `claude` | `anthropic/claude-sonnet-4-6` | | `claude-opus` | `anthropic/claude-opus-4-6` | | `gpt` | `openai/gpt-5.4` | | `gpt-codex` | `openai/gpt-5.3-codex` | ### BYOK behavior (takes precedence over tier routing) If you set your own API key(s), routing priority is: 1. Claude key (`sk-ant-...`) -> `claude-sonnet-4-6-20250514` via Anthropic 2. OpenAI key (`sk-...`) -> `gpt-5.4` via OpenAI 3. OpenRouter key (`sk-or-...`) -> uses the same Preferred Model mapping table above If multiple keys are present, the first match in that order is used. ## Features - **8,200+ detections** across 6 formats — Sigma, Splunk ESCU, Elastic, KQL, Sublime, CrowdStrike CQL - **MITRE ATT&CK STIX** — 172 threat actors, 784 software, 4,362 actor-technique relationships - **Procedure-level coverage** — auto-extracted behavioral clusters from every detection rule - **ATT&CK Navigator layers** — export coverage/gap JSON, filterable by source/tactic/severity/actor - **Autonomous pipeline** — CTI ingestion → gap analysis → detection generation → Atomic testing → DRAFT PR (see [Autonomous docs](./docs/AUTONOMOUS.md)) - **81 local tools / ~25 hosted tools** — unified search, MITRE mapping, coverage analysis, knowledge graph, pattern learning, sprint planning - **11 MCP Prompts** — ransomware assessment, APT emulation, purple team, executive briefing, and more - **MCP Resources & Completions** — readable context, autocomplete for technique IDs, CVEs, process names ## Quick Start ```bash npx -y security-detections-mcp ``` Or clone and build: `git clone https://github.com/MHaggis/Security-Detections-MCP.git && cd Security-Detections-MCP && npm install && npm run build` Configure env vars to point at your detection repos: | Variable | Description | |----------|-------------| | `SIGMA_PATHS` | Sigma rule directories | | `SPLUNK_PATHS` | Splunk ESCU detection directories | | `ELASTIC_PATHS` | Elastic detection rule directories | | `KQL_PATHS` | KQL hunting query directories | | `SUBLIME_PATHS` | Sublime Security rule directories | | `CQL_HUB_PATHS` | CQL Hub (CrowdStrike) query directories | | `STORY_PATHS` | Splunk analytic story directories (optional) | | `ATTACK_STIX_PATH` | Path to `enterprise-attack.json` for threat actor data (optional) | See the [Setup Guide](./SETUP.md) for full per-client config examples (Cursor, VS Code, Claude Desktop, WSL). ## Getting Detection Content Download all sources with sparse checkout (rules only, not full repos): ```bash mkdir -p detections && cd detections git clone --depth 1 --filter=blob:none --sparse https://github.com/SigmaHQ/sigma.git && cd sigma && git sparse-checkout set rules rules-threat-hunting && cd .. git clone --depth 1 --filter=blob:none --sparse https://github.com/splunk/security_content.git && cd security_content && git sparse-checkout set detections stories && cd .. git clone --depth 1 --filter=blob:none --sparse https://github.com/elastic/detection-rules.git && cd detection-rules && git sparse-checkout set rules && cd .. git clone --depth 1 https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules.git kql-bertjanp git clone --depth 1 https://github.com/jkerai1/KQL-Queries.git kql-jkerai1 git clone --depth 1 --filter=blob:none --sparse https://github.com/sublime-security/sublime-rules.git && cd sublime-rules && git sparse-checkout set detection-rules && cd .. git clone --depth 1 https://github.com/ByteRay-Labs/Query-Hub.git cql-hub ``` ## MCP Tools ### Core Detection Tools | Tool | Description | |------|-------------| | `search(query, limit)` | Full-text search across all detection fields | | `get_by_id(id)` | Get a single detection by ID | | `list_all(limit, offset)` | Paginated list of all detections | | `list_by_source(source_type)` | Filter by source (`sigma`, `splunk_escu`, `elastic`, `kql`, `sublime`, `crowdstrike_cql`) | | `get_stats()` | Index statistics | | `rebuild_index()` | Force re-index from configured paths | ### MITRE ATT&CK & Filtering | Tool | Description | |------|-------------| | `list_by_mitre(technique_id)` | Filter by technique ID (e.g., T1059.001) | | `list_by_mitre_tactic(tactic)` | Filter by tactic (execution, persistence, etc.) | | `list_by_cve(cve_id)` | Find detections for a CVE | | `list_by_process_name(process_name)` | Find detections referencing a process | | `list_by_severity(level)` | Filter by severity level | | `list_by_data_source(data_source)` | Filter by data source | ### Coverage & Analysis (Token-Optimized) | Tool | Description | |------|-------------| | `analyze_coverage(source_type?)` | Coverage stats by tactic, top techniques, weak spots (~2KB) | | `identify_gaps(threat_profile)` | Find gaps for ransomware, apt, persistence, etc. (~500B) | | `suggest_detections(technique_id)` | Detection ideas for a technique (~2KB) | | `get_coverage_summary(source_type?)` | Tactic percentages (~200B) | | `analyze_actor_coverage(actor)` | Coverage against a specific threat actor | | `compare_actor_coverage(actors)` | Compare coverage across multiple actors | | `analyze_procedure_coverage(technique_id)` | Behavioral procedure breakdown | | `generate_navigator_layer(...)` | Export ATT&CK Navigator JSON layers | ### Engineering, Knowledge Graph & More 81 tools total including pattern learning, template generation, knowledge graph, dynamic tables, and autonomous analysis. See the [Tools Reference](docs/wiki/Tools-Reference.md) for the complete list. ## MCP Prompts 11 pre-built expert workflows. Just ask by name: | Prompt | Description | |--------|-------------| | `ransomware-readiness-assessment` | Full kill-chain analysis with risk scoring | | `apt-threat-emulation` | Coverage against specific threat actors (APT29, Lazarus, etc.) | | `purple-team-exercise` | Complete test plans with procedures and expected detections | | `soc-investigation-assist` | Triage guidance, hunting queries, escalation criteria | | `detection-engineering-sprint` | Prioritized backlog with user stories | | `executive-security-briefing` | C-level report with business risk language | | `cve-response-assessment` | Rapid assessment for emerging CVEs | | `data-source-gap-analysis` | Telemetry requirements analysis | | `detection-quality-review` | Deep-dive quality analysis for a technique | | `threat-landscape-sync` | Align priorities with current threats | | `detection-coverage-diff` | Compare coverage against actors or baseline | ``` You: "Run apt-threat-emulation for APT29" → Technique-by-technique coverage, gaps, and purple team test plan ``` ## Using with MITRE ATT&CK MCP Pairs with [mitre-attack-mcp](https://github.com/MHaggis/mitre-attack-mcp) for complete threat coverage analysis. Install both: ```json { "mcpServers": { "security-detections": { "command": "npx", "args": ["-y", "security-detections-mcp"], "env": { "SIGMA_PATHS": "/path/to/sigma/rules" } }, "mitre-attack": { "command": "npx", "args": ["-y", "mitre-attack-mcp"], "env": { "ATTACK_DOMAIN": "enterprise-attack" } } } } ``` ## Stats | Source | Count | |--------|-------| | Sigma Rules | ~3,200+ | | Splunk ESCU | ~2,000+ | | Elastic Rules | ~1,500+ | | KQL Queries | ~420+ | | Sublime Rules | ~900+ | | CrowdStrike CQL | ~139+ | | **Total** | **~8,200+** | ## Development ```bash npm install && npm run build && npm test ``` ## Documentation - **[Setup Guide](./SETUP.md)** — Full install walkthrough for all platforms - **[Hosted MCP Guide](./docs/HOSTED_MCP.md)** — Hosted setup, token management, tool inventory - **[Autonomous Platform](./docs/AUTONOMOUS.md)** — CTI-to-detection pipeline - **[E2E Testing Guide](./docs/E2E-TESTING-GUIDE.md)** — Per-SIEM setup (Splunk, Sentinel, Elastic, Sigma) - **[Architecture](docs/wiki/Architecture.md)** — System design decisions - **[Knowledge Graph](docs/wiki/Knowledge-Graph.md)** — Tribal knowledge and analytical memory - **[Engineering Intelligence](docs/wiki/Engineering-Intelligence.md)** — Pattern learning and templates - **[Tools Reference](docs/wiki/Tools-Reference.md)** — Complete reference for all 81 tools ## License Apache 2.0