Active 2025-01-10

Security Detections MCP

MCP server that lets AI assistants query 6,500+ security detection rules from Sigma, Splunk ESCU, and Elastic. Detection-engineer harder and smarter with AI.

mcp detection-engineering sigma splunk elastic ai
Quickstart
Get started instantly
npx -y security-detections-mcp

The Problem

Detection engineers work with thousands of detection rules across multiple formats (Sigma, Splunk, Elastic). Finding relevant detections, checking coverage for specific techniques or CVEs, and understanding detection gaps requires manual searching across different repositories and formats.

The Solution

Security Detections MCP provides a unified interface for AI assistants to query 6,500+ detection rules from Sigma, Splunk ESCU, and Elastic. Using the Model Context Protocol, it enables natural language queries like 'Find PowerShell detections for credential dumping' or 'Do we have coverage for CVE-2024-27198?'

Impact

Transforms detection engineering workflows by letting AI assistants instantly search across all major detection repositories. No more context switching between repos or manual searches - just ask your AI assistant.

What is MCP?

The Model Context Protocol (MCP) lets AI assistants like Claude connect to external data sources and tools. Security Detections MCP makes 6,500+ detection rules queryable through natural language.

Unified Detection Database

Sources Indexed

  • Sigma Rules (~3,000+) - Universal signature format
  • Splunk ESCU (~2,000+) - Splunk Enterprise Security Content
  • Elastic Rules (~1,500+) - Elastic Security detection rules
  • Analytic Stories (~330) - Splunk threat narratives

Normalized Schema

All detections unified with:

  • MITRE ATT&CK mappings
  • CVE references
  • Process names
  • Severity levels
  • Data sources

Key Features

Search across:

  • Detection names and descriptions
  • Query logic
  • MITRE technique IDs
  • CVE identifiers
  • Process names
  • File paths
  • Registry keys

🎯 MITRE ATT&CK Filtering

  • Query by technique ID (T1059.001)
  • Filter by tactic (execution, persistence, etc.)
  • Coverage analysis
  • Gap identification

🛡️ CVE Coverage

Instantly find detections for specific vulnerabilities:

"Do we have detections for CVE-2024-27198?"

Find all detections monitoring specific processes:

"Show me detections for powershell.exe"

📚 Analytic Stories

Query by threat campaign or story:

"What detections cover ransomware?"

Usage Examples

With Cursor/Claude

Once configured, just ask:

“Find me Sigma detections for LSASS credential dumping”

“Do we have Splunk detections covering PrintNightmare?”

“What Elastic rules detect web shell activity?”

“Show me all detections for the execution tactic”

Installation

NPX (No Install)

npx -y security-detections-mcp

Global Install

npm install -g security-detections-mcp

From Source

git clone https://github.com/MHaggis/Security-Detections-MCP.git
cd Security-Detections-MCP
npm install && npm run build

Configuration

Add to your MCP config with paths to detection repos:

{
  "mcpServers": {
    "security-detections": {
      "command": "npx",
      "args": ["-y", "security-detections-mcp"],
      "env": {
        "SIGMA_PATHS": "/path/to/sigma/rules",
        "SPLUNK_PATHS": "/path/to/security_content/detections",
        "ELASTIC_PATHS": "/path/to/detection-rules/rules"
      }
    }
  }
}

Detection Repos

Clone these to get started:

Use Cases

Detection Engineering

  • Find similar detections across platforms
  • Check coverage for new techniques
  • Identify detection gaps
  • Cross-reference detection logic

Threat Research

  • Query detections for specific threats
  • Understand detection approaches
  • Compare platform coverage
  • Research detection strategies

Incident Response

  • Quickly find relevant detections
  • Validate detection coverage
  • Adapt detections for your environment
  • Speed up detection deployment

AI-Assisted Workflows

  • Natural language detection queries
  • Automated coverage analysis
  • Detection recommendation
  • Gap identification

Technical Details

  • Database: SQLite with FTS5 full-text search
  • Indexing: Automatic on startup, manual rebuild available
  • Performance: Sub-second queries across 6,500+ rules
  • Storage: ~/.cache/security-detections-mcp/
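As an added illustration of the normalized schema and FTS5 search described under Normalized Schema, Key Features and Technical Details (example code written for this page, not the project's own implementation; the column layout and the four sample rules are assumptions constructed for the demo):

```python
import sqlite3

# Assumed normalized columns, mirroring the fields the page lists
# (ATT&CK mappings, CVE references, process names, severity, data sources).
COLUMNS = ("source", "name", "description", "techniques", "cves",
           "processes", "severity", "data_sources")

# Constructed sample rules, one row per source; not real Sigma/ESCU/Elastic content.
SAMPLE_RULES = [
    ("sigma", "Suspicious LSASS Process Access",
     "Detects a handle to lsass.exe opened with memory read access",
     "T1003.001", "", "lsass.exe", "high", "process_access"),
    ("splunk_escu", "PowerShell Credential Dumping Script Block",
     "PowerShell script block text that references credential dumping functions",
     "T1003.001 T1059.001", "", "powershell.exe", "critical", "powershell_script_block"),
    ("elastic", "Authentication Bypass Exploitation Attempt",
     "Web requests consistent with exploitation of CVE-2024-27198",
     "T1190", "CVE-2024-27198", "", "high", "web_proxy"),
    ("sigma", "Encoded PowerShell Command Line",
     "Detects powershell.exe launched with an encoded command",
     "T1059.001 T1027", "", "powershell.exe", "medium", "process_creation"),
]

def build_index(rules):
    """Build an in-memory SQLite FTS5 index over already-normalized rules."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE VIRTUAL TABLE detections USING fts5({', '.join(COLUMNS)})")
    db.executemany(
        f"INSERT INTO detections VALUES ({', '.join('?' * len(COLUMNS))})", rules)
    return db

def fts_phrase(value):
    """Quote a value as an FTS5 phrase. The default unicode61 tokenizer splits
    T1059.001 and CVE-2024-27198 on '.' and '-', and an unquoted '.' or '-' is
    a query syntax error, so identifiers are matched as adjacent tokens.
    Side effect worth knowing: searching "T1003" also hits "T1003.001"."""
    return '"' + value.replace('"', '""') + '"'

def search(db, text=None, technique=None, cve=None, process=None, source=None):
    """Combine free text (any column) with column-scoped filters; returns rule names."""
    clauses = [fts_phrase(w) for w in (text or "").split()]  # implicit AND
    for column, value in (("techniques", technique), ("cves", cve),
                          ("processes", process), ("source", source)):
        if value:
            clauses.append(f"{column}: {fts_phrase(value)}")
    rows = db.execute("SELECT name FROM detections WHERE detections MATCH ? ORDER BY rank",
                      (" AND ".join(clauses),))
    return [r[0] for r in rows]
```

Searching technique="T1003" returns both T1003.001 rows, which is convenient for parent-technique coverage checks but means exact sub-technique matching needs the full identifier.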

NPM Package

Available on npm: security-detections-mcp


Get started: GitHub | npm

Query detections with AI
