Security-Detections-MCP by MHaggis

Unified security detection rule server with LLM-powered analysis

Created 1 month ago
293 stars

Top 90.3% on SourcePulse

1 Expert Loves This Project
Project Summary

This project is a Model Context Protocol (MCP) server that indexes security detection rules written in several formats (Sigma, Splunk ESCU, Elastic, KQL) into one queryable database. Through MCP, a Large Language Model (LLM) client can search those rules, analyze them, emulate threats against them, and draft new detections. It is aimed at security analysts and detection engineers who have to manage and reuse detection content across formats.

How It Works

The server indexes detection rules from multiple sources into a single SQLite database and exposes the rules, together with a set of tools, over MCP so that an LLM can query, analyze, and generate detections. Key features are dynamic extraction of patterns from rule logic, a knowledge graph that gives the LLM persistent analytical memory, and token-optimized tool outputs. Together these support multi-step workflows such as automated threat emulation and coverage gap analysis.

Quick Start & Requirements

  • Installation: Recommended: npx -y security-detections-mcp. Alternative: clone the repository, then npm install and npm run build.
  • Configuration: Environment variables SIGMA_PATHS, SPLUNK_PATHS, ELASTIC_PATHS, KQL_PATHS, and STORY_PATHS point the server at the directories holding each rule set.
  • Prerequisites: Node.js, npm.
  • Resource Footprint: Indexes 7,200+ detections; disk space is needed for the rule repositories and the SQLite database, and initial indexing time scales with the size of those repositories.
  • Integration: Examples provided for Cursor IDE, Claude Desktop, VS Code.
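An MCP client configuration wired up as the list above describes, given here as an added example rather than one of the project's own integration examples. The mcpServers block is the shape Claude Desktop and Cursor read; the server key name and the rule paths are assumptions, and each variable is given a single directory because the page does not say how multiple paths are separated.

```json
{
  "mcpServers": {
    "security-detections": {
      "command": "npx",
      "args": ["-y", "security-detections-mcp"],
      "env": {
        "SIGMA_PATHS": "/home/analyst/rules/sigma/rules",
        "SPLUNK_PATHS": "/home/analyst/rules/security_content/detections",
        "ELASTIC_PATHS": "/home/analyst/rules/detection-rules/rules",
        "KQL_PATHS": "/home/analyst/rules/Azure-Sentinel/Detections",
        "STORY_PATHS": "/home/analyst/rules/security_content/stories"
      }
    }
  }
}
```

Whatever sits under those directories is what the server indexes and hands to the LLM client on request, so point them at read-only clones of the public rule repositories rather than at a tree that also holds internal content you do not want surfaced.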

Highlighted Details

  • MCP Prompts: 11 expert workflows for ransomware assessment, APT emulation, executive briefings, etc.
  • Unified Search: Single interface for Sigma, Splunk, Elastic, KQL detections with full-text search.
  • Detection Engineering Intelligence: Tools for pattern learning, template generation, and field analysis across formats.
  • Knowledge Graph: Persistent analytical memory for reasoning and decision logging.
  • Token-Optimized Tools: Tool outputs are kept compact so that queries cost the LLM as few tokens as possible.
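The indexing, unified search, field extraction, and gap analysis described under How It Works and in the Detection Engineering Intelligence bullet, as an added example in Python (standard library only). This is not the project's code, which is a Node.js server; the schema, the per-format regexes, and the function names are this example's own choices, and the four sample rules are constructed for illustration rather than taken from any real rule set.

```python
import json
import re
import sqlite3

# Constructed sample rules, one per format, already parsed into dicts (real Sigma/ESCU
# rules are YAML and Elastic rules TOML/JSON; loading those files is the caller's job).
SAMPLE_RULES = [
    {"source": "sigma", "id": "sigma-001", "title": "Suspicious certutil download",
     "tags": ["attack.command_and_control", "attack.t1105"],
     "detection": {"selection": {"Image|endswith": "\\certutil.exe",
                                 "CommandLine|contains": "urlcache"},
                   "condition": "selection"}},
    {"source": "splunk", "id": "escu-001", "title": "Certutil Download With URLCache",
     "mitre_attack_id": ["T1105"],
     "search": "| tstats count from datamodel=Endpoint.Processes where "
               'Processes.process_name=certutil.exe Processes.process="*urlcache*"'},
    {"source": "elastic", "id": "elastic-001", "title": "Certutil Network Download",
     "threat": [{"technique": [{"id": "T1105"}]}],
     "query": 'process.name : "certutil.exe" and process.args : "urlcache"'},
    {"source": "kql", "id": "kql-001", "title": "Certutil urlcache usage",
     "relevantTechniques": ["T1105"],
     "query": 'DeviceProcessEvents | where FileName =~ "certutil.exe" and ProcessCommandLine contains "urlcache"'},
]
SPL_NOISE = {"datamodel"}  # SPL keyword that looks like field=value but is not a log field


def technique_ids(rule):
    """Normalize each format's ATT&CK tagging to sorted Txxxx ids; untagged rules give []."""
    raw = [m.group(1) for t in rule.get("tags", [])
           if (m := re.fullmatch(r"attack\.(t\d{4}(?:\.\d{3})?)", t, re.I))]
    raw += rule.get("mitre_attack_id", [])
    raw += [t["id"] for th in rule.get("threat", []) for t in th.get("technique", [])]
    raw += rule.get("relevantTechniques", [])
    return sorted({t.upper() for t in raw})


def extract_fields(rule):
    """Best-effort list of the log fields a rule keys on. Sigma is structured, so it is
    exact; the query languages are regex-matched and can miss nested or odd expressions."""
    src = rule["source"]
    if src == "sigma":
        found = set()
        for name, block in rule["detection"].items():
            if name != "condition" and isinstance(block, dict):
                found.update(k.split("|")[0] for k in block)  # drop |contains, |endswith ...
        return sorted(found)
    if src == "splunk":
        return sorted(set(re.findall(r"([A-Za-z_][\w.]*)\s*=", rule["search"])) - SPL_NOISE)
    if src == "elastic":
        return sorted(set(re.findall(r"([A-Za-z_][\w.]*)\s*:", rule["query"])))
    if src == "kql":
        ops = r"(?:[=!][=~]|\b(?:contains|has|startswith|endswith)\b)"
        return sorted(set(re.findall(rf"\b([A-Za-z_]\w*)\s*{ops}", rule["query"])))
    return []


def build_index(rules):
    """Create the unified schema in memory and index the rules (FTS5 when available)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rules(id TEXT PRIMARY KEY, source TEXT, title TEXT, "
                 "logic TEXT, techniques TEXT, fields TEXT)")
    try:
        conn.execute("CREATE VIRTUAL TABLE rules_fts USING fts5(id UNINDEXED, title, logic, fields)")
        has_fts = True
    except sqlite3.OperationalError:
        has_fts = False  # this SQLite build lacks FTS5; search() falls back to LIKE
    for r in rules:
        logic = r.get("search") or r.get("query") or json.dumps(r["detection"])
        row = (r["id"], r["source"], r["title"], logic,
               " ".join(technique_ids(r)), " ".join(extract_fields(r)))
        conn.execute("INSERT INTO rules VALUES (?,?,?,?,?,?)", row)
        if has_fts:
            conn.execute("INSERT INTO rules_fts(id, title, logic, fields) VALUES (?,?,?,?)",
                         (row[0], row[2], row[3], row[5]))
    conn.commit()
    return conn


def search(conn, term):
    """Single search interface over title, rule logic and extracted fields; returns rule ids."""
    try:  # the term is quoted so FTS5 query-syntax characters in it are taken literally
        rows = conn.execute("SELECT id FROM rules_fts WHERE rules_fts MATCH ?",
                            ('"' + term.replace('"', '""') + '"',)).fetchall()
    except sqlite3.OperationalError:  # no rules_fts table: scan the plain table with LIKE
        like = f"%{term}%"
        rows = conn.execute("SELECT id FROM rules WHERE title LIKE ? OR logic LIKE ? "
                            "OR fields LIKE ?", (like, like, like)).fetchall()
    return sorted(r[0] for r in rows)


def fields_by_source(conn):
    """Fields each rule source keys on: the raw material for cross-format field analysis."""
    out = {}
    for src, fields in conn.execute("SELECT source, fields FROM rules"):
        out.setdefault(src, set()).update(fields.split())
    return out


def gap_analysis(conn, threat_profile):
    """Profile techniques with no indexed rule. Relative to the profile: a technique you
    leave out is never reported, and a rule counts only if its source carried the tag."""
    covered = {t for (techs,) in conn.execute("SELECT techniques FROM rules") for t in techs.split()}
    return sorted(t for t in threat_profile if t.upper() not in covered)
```

On the constructed rules, search(build_index(SAMPLE_RULES), "urlcache") returns all four ids and gap_analysis(..., ["T1105", "T1059.001"]) reports only T1059.001. The regex extractors are deliberately simple to make the documented limitation concrete: a KQL rule that wraps its field in a function call, or a Splunk search that keys on a field via eval rather than field=value, yields no fields here, which is the kind of miss a detection engineer should check for before trusting cross-format field statistics.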

Maintenance & Community

No specific details on contributors, sponsorships, or community channels are provided.

Licensing & Compatibility

  • License: Apache 2.0.
  • Compatibility: Permissive, suitable for commercial use.

Limitations & Caveats

  • Pattern Extraction: Extraction from KQL and Elastic rules may miss complex expressions or unusually named fields, so field statistics for those formats can undercount.
  • Client Features: Elicitation, Sampling, and Resource Subscriptions depend on the MCP client supporting them; fallbacks exist when it does not. Cursor IDE's support was noted as potentially incomplete (Jan 2025).
  • MITRE Mapping: Relies on the MITRE ATT&CK tags present in the source rules, so a rule without tags contributes nothing to technique-based queries.
  • Gap Analysis: Gaps are reported relative to the threat profile you define; a technique left out of the profile is never reported as a gap.

Health Check

  • Last Commit: 2 days ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 1
  • Issues (30d): 1
  • Star History: 78 stars in the last 30 days
