security-detections-mcp
Query unified Sigma, Splunk, Elastic, KQL, Sublime, and CrowdStrike security detection rules via MCP server with MITRE ATT&CK mapping and coverage analysis
How do I install this agent skill?
npx skills add https://github.com/aradotso/security-skills --skill security-detections-mcpIs this agent skill safe to install?
- Gen Agent Trust Hubpass
This skill provides a comprehensive toolkit for security analysts to query, analyze, and manage detection rules across multiple security platforms using the Model Context Protocol (MCP). While the skill performs legitimate security functions, it contains an autonomous pipeline for ingesting external data that introduces a potential attack surface for indirect prompt injection.
- Socketwarn
1 alert: gptAnomaly
- Snykwarn
Risk: MEDIUM · 2 issues
What does this agent skill do?
security-detections-mcp
Skill by ara.so — Security Skills collection
An MCP (Model Context Protocol) server providing LLM access to 8,200+ security detection rules across Sigma, Splunk ESCU, Elastic, KQL, Sublime, and CrowdStrike CQL formats, with MITRE ATT&CK mapping, coverage analysis, and autonomous detection engineering.
What It Does
- Unified detection search across 6 major security platforms (Sigma, Splunk, Elastic, KQL, Sublime, CrowdStrike)
- MITRE ATT&CK integration with 172 threat actors, 784 software, 4,362 actor-technique relationships
- Coverage analysis identifying gaps in detection by tactic/technique/actor
- ATT&CK Navigator layers exportable as JSON for visualization
- Autonomous detection pipeline from CTI ingestion to draft PR generation
- 81 MCP tools for detection engineering (local) or ~25 tools (hosted)
- 11 expert prompts for ransomware assessment, APT emulation, purple teaming
Installation
Local Installation (Full Power)
Prerequisites:
- Node.js 18+
- Detection rule repositories cloned locally
Quick start with npx:
npx -y security-detections-mcp
Configure in Claude Desktop (claude_desktop_config.json):
{
"mcpServers": {
"security-detections": {
"command": "npx",
"args": ["-y", "security-detections-mcp"],
"env": {
"SIGMA_PATHS": "/path/to/sigma/rules,/path/to/sigma/rules-threat-hunting",
"SPLUNK_PATHS": "/path/to/security_content/detections",
"STORY_PATHS": "/path/to/security_content/stories",
"ELASTIC_PATHS": "/path/to/detection-rules/rules",
"KQL_PATHS": "/path/to/kql-rules",
"SUBLIME_PATHS": "/path/to/sublime-rules/detection-rules",
"CQL_HUB_PATHS": "/path/to/cql-hub/queries",
"ATTACK_STIX_PATH": "/path/to/enterprise-attack.json"
}
}
}
}
Configure in Cursor (.cursor/settings.json):
{
"mcp": {
"servers": {
"security-detections": {
"command": "npx",
"args": ["-y", "security-detections-mcp"],
"env": {
"SIGMA_PATHS": "/Users/you/detections/sigma/rules",
"SPLUNK_PATHS": "/Users/you/detections/security_content/detections"
}
}
}
}
}
Configure in VS Code (settings.json):
{
"mcp.servers": {
"security-detections": {
"type": "stdio",
"command": "npx",
"args": ["-y", "security-detections-mcp"],
"env": {
"SIGMA_PATHS": "/home/you/detections/sigma/rules"
}
}
}
}
Hosted Installation (Zero Setup)
Prerequisites:
- API token from detect.michaelhaag.org/account/tokens
- Free tier: 200 calls/day, read-only tools
Claude Desktop (requires mcp-remote):
{
"mcpServers": {
"security-detections": {
"command": "npx",
"args": [
"-y",
"mcp-remote",
"https://detect.michaelhaag.org/api/mcp/mcp",
"--header",
"Authorization: Bearer ${SDMCP_TOKEN}"
]
}
}
}
VS Code / Cursor:
{
"mcp.servers": {
"security-detections": {
"type": "http",
"url": "https://detect.michaelhaag.org/api/mcp/mcp",
"headers": {
"Authorization": "Bearer ${SDMCP_TOKEN}"
}
}
}
}
Getting Detection Content
Download all detection sources with sparse checkout:
mkdir -p ~/detections && cd ~/detections
# Sigma rules
git clone --depth 1 --filter=blob:none --sparse https://github.com/SigmaHQ/sigma.git
cd sigma && git sparse-checkout set rules rules-threat-hunting && cd ..
# Splunk ESCU
git clone --depth 1 --filter=blob:none --sparse https://github.com/splunk/security_content.git
cd security_content && git sparse-checkout set detections stories && cd ..
# Elastic
git clone --depth 1 --filter=blob:none --sparse https://github.com/elastic/detection-rules.git
cd detection-rules && git sparse-checkout set rules && cd ..
# KQL
git clone --depth 1 https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules.git kql-bertjanp
git clone --depth 1 https://github.com/jkerai1/KQL-Queries.git kql-jkerai1
# Sublime
git clone --depth 1 --filter=blob:none --sparse https://github.com/sublime-security/sublime-rules.git
cd sublime-rules && git sparse-checkout set detection-rules && cd ..
# CrowdStrike CQL
git clone --depth 1 https://github.com/ByteRay-Labs/Query-Hub.git cql-hub
# MITRE ATT&CK STIX
curl -o enterprise-attack.json https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
Then update environment variables to point to these paths.
Core MCP Tools
Detection Search & Retrieval
// Full-text search across all detections
{
"name": "search",
"arguments": {
"query": "process injection",
"limit": 10
}
}
// Get specific detection by ID
{
"name": "get_by_id",
"arguments": {
"id": "sigma_abc123"
}
}
// List all detections with pagination
{
"name": "list_all",
"arguments": {
"limit": 50,
"offset": 0
}
}
// Filter by source type
{
"name": "list_by_source",
"arguments": {
"source_type": "sigma" // sigma, splunk_escu, elastic, kql, sublime, crowdstrike_cql
}
}
// Get index statistics
{
"name": "get_stats",
"arguments": {}
}
MITRE ATT&CK Filtering
// Find detections for specific technique
{
"name": "list_by_mitre",
"arguments": {
"technique_id": "T1059.001" // PowerShell
}
}
// Filter by tactic
{
"name": "list_by_mitre_tactic",
"arguments": {
"tactic": "execution" // execution, persistence, privilege-escalation, etc.
}
}
// Search by CVE
{
"name": "list_by_cve",
"arguments": {
"cve_id": "CVE-2021-34527" // PrintNightmare
}
}
// Find by process name
{
"name": "list_by_process_name",
"arguments": {
"process_name": "powershell.exe"
}
}
// Filter by severity
{
"name": "list_by_severity",
"arguments": {
"level": "critical" // critical, high, medium, low
}
}
// Filter by data source
{
"name": "list_by_data_source",
"arguments": {
"data_source": "process_creation"
}
}
Coverage Analysis
// Analyze overall coverage (~2KB response)
{
"name": "analyze_coverage",
"arguments": {
"source_type": "sigma" // optional: analyze specific source
}
}
// Identify gaps for threat profile (~500B response)
{
"name": "identify_gaps",
"arguments": {
"threat_profile": "ransomware" // ransomware, apt, persistence, lateral_movement
}
}
// Get detection suggestions for technique (~2KB)
{
"name": "suggest_detections",
"arguments": {
"technique_id": "T1003.001" // LSASS Memory
}
}
// Coverage summary by tactic (~200B)
{
"name": "get_coverage_summary",
"arguments": {
"source_type": "splunk_escu"
}
}
// Analyze coverage against threat actor
{
"name": "analyze_actor_coverage",
"arguments": {
"actor": "APT29"
}
}
// Compare coverage across multiple actors
{
"name": "compare_actor_coverage",
"arguments": {
"actors": ["APT29", "APT28", "Lazarus Group"]
}
}
// Behavioral procedure breakdown for technique
{
"name": "analyze_procedure_coverage",
"arguments": {
"technique_id": "T1055"
}
}
ATT&CK Navigator Layer Generation
// Generate Navigator layer JSON
{
"name": "generate_navigator_layer",
"arguments": {
"name": "Current Coverage",
"description": "Detection coverage as of 2024-01",
"filter": {
"source": "sigma",
"tactic": "defense-evasion",
"min_severity": "medium"
},
"color_by": "coverage" // coverage, severity, source
}
}
// Export to file (local only)
{
"name": "export_navigator_layer",
"arguments": {
"output_path": "./coverage-layer.json",
"filter": {
"actor": "APT29"
}
}
}
Common Patterns
Ransomware Readiness Assessment
Use the built-in prompt:
Use the ransomware-readiness-assessment prompt to evaluate our coverage
Or manually:
// 1. Identify gaps
{
"name": "identify_gaps",
"arguments": {
"threat_profile": "ransomware"
}
}
// 2. Get detections for weak areas
{
"name": "list_by_mitre",
"arguments": {
"technique_id": "T1486" // Data Encrypted for Impact
}
}
// 3. Generate coverage layer
{
"name": "generate_navigator_layer",
"arguments": {
"name": "Ransomware Coverage",
"filter": {
"threat_profile": "ransomware"
}
}
}
APT Threat Emulation
// 1. Analyze actor coverage
{
"name": "analyze_actor_coverage",
"arguments": {
"actor": "APT29"
}
}
// 2. Get techniques used by actor
{
"name": "get_actor_techniques",
"arguments": {
"actor": "APT29"
}
}
// 3. Find detections for each technique
{
"name": "list_by_mitre",
"arguments": {
"technique_id": "T1059.001"
}
}
// 4. Compare with other actors
{
"name": "compare_actor_coverage",
"arguments": {
"actors": ["APT29", "APT28"]
}
}
Detection Gap Analysis
// 1. Get coverage summary
{
"name": "get_coverage_summary",
"arguments": {}
}
// 2. Analyze coverage by tactic
{
"name": "analyze_coverage",
"arguments": {}
}
// 3. Identify specific gaps
{
"name": "identify_gaps",
"arguments": {
"threat_profile": "apt"
}
}
// 4. Get suggestions for weak techniques
{
"name": "suggest_detections",
"arguments": {
"technique_id": "T1078" // Valid Accounts
}
}
Building Detection Content
// 1. Search existing detections for pattern
{
"name": "search",
"arguments": {
"query": "lateral movement SMB",
"limit": 10
}
}
// 2. Analyze procedure coverage
{
"name": "analyze_procedure_coverage",
"arguments": {
"technique_id": "T1021.002" // SMB/Windows Admin Shares
}
}
// 3. Get detection template
{
"name": "generate_detection_template",
"arguments": {
"technique_id": "T1021.002",
"format": "sigma"
}
}
// 4. Validate against existing detections
{
"name": "list_by_mitre",
"arguments": {
"technique_id": "T1021.002"
}
}
Cross-Platform Detection Comparison
// Compare Sigma vs Splunk for technique
// 1. Get Sigma detections
{
"name": "list_by_mitre",
"arguments": {
"technique_id": "T1003.001"
}
}
// Filter results by source_type: "sigma"
// 2. Get Splunk detections
{
"name": "list_by_source",
"arguments": {
"source_type": "splunk_escu"
}
}
// Filter by same technique
// 3. Compare coverage
{
"name": "analyze_coverage",
"arguments": {
"source_type": "sigma"
}
}
{
"name": "analyze_coverage",
"arguments": {
"source_type": "splunk_escu"
}
}
Configuration Reference
Environment Variables
| Variable | Description | Example |
|---|---|---|
SIGMA_PATHS | Comma-separated Sigma rule directories | /path/to/sigma/rules,/path/to/sigma/rules-threat-hunting |
SPLUNK_PATHS | Splunk ESCU detection directories | /path/to/security_content/detections |
STORY_PATHS | Splunk analytic story directories (optional) | /path/to/security_content/stories |
ELASTIC_PATHS | Elastic detection rule directories | /path/to/detection-rules/rules |
KQL_PATHS | KQL hunting query directories (comma-separated) | /path/to/kql-bertjanp,/path/to/kql-jkerai1 |
SUBLIME_PATHS | Sublime Security rule directories | /path/to/sublime-rules/detection-rules |
CQL_HUB_PATHS | CQL Hub (CrowdStrike) query directories | /path/to/cql-hub/queries |
ATTACK_STIX_PATH | Path to enterprise-attack.json STIX bundle | /path/to/enterprise-attack.json |
Source Type Values
sigma- Sigma rules (YAML)splunk_escu- Splunk Enterprise Security Content Updateelastic- Elastic Security detection ruleskql- Kusto Query Language hunting queriessublime- Sublime Security detection rulescrowdstrike_cql- CrowdStrike Query Language (CQL)
Tactic Values (MITRE ATT&CK)
reconnaissanceresource-developmentinitial-accessexecutionpersistenceprivilege-escalationdefense-evasioncredential-accessdiscoverylateral-movementcollectioncommand-and-controlexfiltrationimpact
Troubleshooting
MCP Server Not Indexing Rules
Problem: get_stats shows 0 detections
Solution:
- Verify paths exist:
ls -la /path/to/sigma/rules - Check environment variables are set correctly in MCP config
- Rebuild index manually:
{ "name": "rebuild_index", "arguments": {} } - Check MCP server logs in Claude Desktop:
~/Library/Logs/Claude/mcp*.log
Permission Denied Errors
Problem: Cannot read detection files
Solution:
# Fix permissions on detection directories
chmod -R 755 ~/detections
Hosted MCP 401 Unauthorized
Problem: Token authentication failing
Solution:
- Verify token starts with
sdmcp_ - Check token is not expired at detect.michaelhaag.org/account/tokens
- Ensure
Authorization: Bearerheader format is correct - Free tier rate limit: 200 calls/day
Missing MITRE ATT&CK Data
Problem: Actor/technique queries return empty
Solution:
- Download STIX bundle:
curl -o ~/detections/enterprise-attack.json \ https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json - Set
ATTACK_STIX_PATHenvironment variable - Rebuild index
Sigma Rules Not Parsing
Problem: Some Sigma rules show errors
Solution:
- Ensure you're using the official SigmaHQ repo
- Update to latest rules:
cd sigma && git pull - Some experimental rules may have schema issues - this is expected
- Check parsing errors in MCP logs
Slow Initial Index Build
Problem: First startup takes 30+ seconds
Solution:
- Expected behavior with 8,200+ detections
- Subsequent startups use cached index (~2 seconds)
- Use hosted MCP for zero startup time
- Reduce
PATHSto only needed sources
Advanced Usage
Custom Detection Repositories
Add your private detections:
{
"env": {
"SIGMA_PATHS": "/path/to/sigma/rules,/path/to/my-custom-sigma",
"SPLUNK_PATHS": "/path/to/security_content/detections,/path/to/internal-splunk"
}
}
Autonomous Detection Pipeline
Enable autonomous CTI → detection generation:
// Configure autonomous settings (local only)
{
"name": "configure_autonomous",
"arguments": {
"enabled": true,
"cti_sources": ["misp", "otx"],
"auto_pr": false // Manual review before PR
}
}
// Trigger gap analysis
{
"name": "run_autonomous_analysis",
"arguments": {
"threat_actor": "APT29"
}
}
See Autonomous docs for full pipeline details.
Exporting for SIEM
// Export detections in native format
{
"name": "export_detections",
"arguments": {
"technique_id": "T1055",
"format": "sigma", // or splunk, elastic, kql
"output_path": "./exports/process_injection.yml"
}
}
Expert Prompts
Built-in workflows accessible by name:
ransomware-readiness-assessment- Full kill-chain coverage analysisapt-threat-emulation- Actor-specific detection mappingpurple-team-exercise- Combined offensive/defensive planningexecutive-briefing- High-level coverage summarydetection-sprint-planning- Engineering backlog prioritizationinsider-threat-detection- Privilege abuse coveragecloud-security-assessment- Cloud-specific technique coveragesupply-chain-security- Third-party risk detectiondata-exfiltration-defense- Exfiltration technique coverageinitial-access-hardening- Entry point detection reviewcredential-theft-protection- Credential access coverage
Usage:
Use the ransomware-readiness-assessment prompt
Resources
- GitHub: https://github.com/MHaggis/Security-Detections-MCP
- Web App: https://detect.michaelhaag.org
- Setup Guide: https://github.com/MHaggis/Security-Detections-MCP/blob/main/SETUP.md
- Hosted MCP Guide: https://github.com/MHaggis/Security-Detections-MCP/blob/main/docs/HOSTED_MCP.md
- Tools Reference: https://github.com/MHaggis/Security-Detections-MCP/blob/main/docs/wiki/Tools-Reference.md
- API Token: https://detect.michaelhaag.org/account/tokens
How can the creator link this skill?
Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.
<a href="https://skillzs.dev/skills/aradotso/security-skills/security-detections-mcp">View security-detections-mcp on skillZs</a>