An MCP (Model Context Protocol) server that lets LLMs query a unified database of Sigma, Splunk ESCU, Elastic, KQL, Sublime, and CrowdStrike CQL security detection rules.
New here? Start with the Setup Guide -- covers macOS, Windows (WSL & native), and Linux step by step.
Want it hosted? Skip the install entirely: Hosted MCP Setup Guide
Local (full power) — the npm package you're looking at. Runs on your machine, indexes your own detection repos, exposes all 81 tools. You need Node.js and ~10 minutes.
Hosted (zero setup) — a Streamable HTTP server at detect.michaelhaag.org/api/mcp/mcp. Sign up, generate a token, paste one URL into your MCP client. ~25 read-only tools, always in sync with the latest content, 200 calls/day free. Read on for quick-install buttons.
Claude Code (CLI one-liner):
```bash
claude mcp add security-detections -- npx -y security-detections-mcp
```
Claude Desktop — add to claude_desktop_config.json:
```json
{
  "mcpServers": {
    "security-detections": {
      "command": "npx",
      "args": ["-y", "security-detections-mcp"]
    }
  }
}
```
OpenAI Codex (CLI):
```bash
codex mcp add security-detections -- npx -y security-detections-mcp
```
After install, configure env vars (`SIGMA_PATHS`, `SPLUNK_PATHS`, etc.) to point at your detection repos. See the Setup Guide for full details.
- Create a token at detect.michaelhaag.org/account/tokens. Free tier: 200 calls/day, all read-only tools.
- Click the button for your client — replace `sdmcp_YOUR_TOKEN_HERE` in the resulting config with the token you just generated.
Claude Code (CLI one-liner):
```bash
claude mcp add --transport http security-detections https://detect.michaelhaag.org/api/mcp/mcp --header "Authorization: Bearer sdmcp_YOUR_TOKEN_HERE"
```
Claude Desktop (via mcp-remote — Desktop doesn't speak remote HTTP natively yet):
```json
{
  "mcpServers": {
    "security-detections": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://detect.michaelhaag.org/api/mcp/mcp",
        "--header",
        "Authorization: Bearer sdmcp_YOUR_TOKEN_HERE"
      ]
    }
  }
}
```
OpenAI Codex (CLI):
```bash
export SDMCP_TOKEN="sdmcp_YOUR_TOKEN_HERE" && codex mcp add security-detections --url https://detect.michaelhaag.org/api/mcp/mcp --bearer-token-env-var SDMCP_TOKEN
```
See the Hosted MCP Setup Guide for the full table of clients, the complete tool inventory, and troubleshooting tips.
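
A check for the hosted configs above, as an added example that is not part of the project's code: it walks an MCP client config's `mcpServers` entries and flags a bearer token left as the placeholder, a real token stored in the file in clear text, and a token sent to a non-HTTPS URL. The helper name `auditMcpConfig`, the `staging-copy` entry, its URL and its token are constructed for illustration.

```javascript
// Added example: audit an MCP client config for bearer-token mistakes.
// auditMcpConfig is a hypothetical helper; SAMPLE_CONFIG is constructed data.
const PLACEHOLDER = "sdmcp_YOUR_TOKEN_HERE";
const TOKEN_RE = /Bearer\s+(sdmcp_[A-Za-z0-9_-]+)/;

function auditMcpConfig(config) {
  const findings = [];
  for (const [name, server] of Object.entries(config.mcpServers || {})) {
    const args = Array.isArray(server.args) ? server.args : [];
    const urls = args.filter((a) => /^https?:\/\//i.test(a));
    // Header values are the arguments that directly follow a "--header" flag.
    const headers = args.filter((_, i) => args[i - 1] === "--header");
    for (const h of headers) {
      const m = TOKEN_RE.exec(h);
      if (!m) continue;
      if (m[1] === PLACEHOLDER) {
        // The client will send the literal placeholder and every call will fail auth.
        findings.push({ server: name, issue: "placeholder-token" });
      } else {
        // A real token sits in the file in clear text: report it, never echo it.
        findings.push({ server: name, issue: "plaintext-token" });
      }
      for (const u of urls) {
        if (!u.toLowerCase().startsWith("https://")) {
          findings.push({ server: name, issue: "token-over-cleartext-http" });
        }
      }
    }
  }
  return findings;
}

// Constructed sample: the page's config with the placeholder untouched,
// plus a made-up second entry that sends a made-up token over plain http.
const SAMPLE_CONFIG = {
  mcpServers: {
    "security-detections": {
      command: "npx",
      args: ["-y", "mcp-remote", "https://detect.michaelhaag.org/api/mcp/mcp",
        "--header", "Authorization: Bearer sdmcp_YOUR_TOKEN_HERE"],
    },
    "staging-copy": {
      command: "npx",
      args: ["-y", "mcp-remote", "http://mcp.example.test/api/mcp/mcp",
        "--header", "Authorization: Bearer sdmcp_CONSTRUCTED_FAKE_0001"],
    },
  },
};

console.log(auditMcpConfig(SAMPLE_CONFIG));
```

To audit a real client, parse its config file (for example claude_desktop_config.json) and pass the resulting object to the function.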
The web chat supports Free, Pro/Admin, and BYOK (Bring Your Own Key) routing. You can also see the active model at the top of the chat UI.
- Default model: `nvidia/nemotron-3-super-120b-a12b:free`
- Automatic fallback order if the first model is busy:
  1. `nvidia/nemotron-3-super-120b-a12b:free`
  2. `nousresearch/hermes-3-llama-3.1-405b:free`
  3. `meta-llama/llama-3.3-70b-instruct:free`
  4. `openai/gpt-oss-120b:free`
Uses app-managed OpenRouter routing with your Preferred Model setting in /account:
| Preferred Model | Routed model |
|---|---|
| `auto` | Free model pool (default: `nvidia/nemotron-3-super-120b-a12b:free`) |
| `claude` | `anthropic/claude-sonnet-4-6` |
| `claude-opus` | `anthropic/claude-opus-4-6` |
| `gpt` | `openai/gpt-5.4` |
| `gpt-codex` | `openai/gpt-5.3-codex` |
If you set your own API key(s), routing priority is:
- Claude key (`sk-ant-...`) -> `claude-sonnet-4-6-20250514` via Anthropic
- OpenAI key (`sk-...`) -> `gpt-5.4` via OpenAI
- OpenRouter key (`sk-or-...`) -> uses the same Preferred Model mapping table above
If multiple keys are present, the first match in that order is used.
- 8,200+ detections across 6 formats — Sigma, Splunk ESCU, Elastic, KQL, Sublime, CrowdStrike CQL
- MITRE ATT&CK STIX — 172 threat actors, 784 software, 4,362 actor-technique relationships
- Procedure-level coverage — auto-extracted behavioral clusters from every detection rule
- ATT&CK Navigator layers — export coverage/gap JSON, filterable by source/tactic/severity/actor
- Autonomous pipeline — CTI ingestion → gap analysis → detection generation → Atomic testing → DRAFT PR (see Autonomous docs)
- 81 local tools / ~25 hosted tools — unified search, MITRE mapping, coverage analysis, knowledge graph, pattern learning, sprint planning
- 11 MCP Prompts — ransomware assessment, APT emulation, purple team, executive briefing, and more
- MCP Resources & Completions — readable context, autocomplete for technique IDs, CVEs, process names
```bash
npx -y security-detections-mcp
```
Or clone and build:
```bash
git clone https://github.com/MHaggis/Security-Detections-MCP.git && cd Security-Detections-MCP && npm install && npm run build
```
Configure env vars to point at your detection repos:
| Variable | Description |
|---|---|
| `SIGMA_PATHS` | Sigma rule directories |
| `SPLUNK_PATHS` | Splunk ESCU detection directories |
| `ELASTIC_PATHS` | Elastic detection rule directories |
| `KQL_PATHS` | KQL hunting query directories |
| `SUBLIME_PATHS` | Sublime Security rule directories |
| `CQL_HUB_PATHS` | CQL Hub (CrowdStrike) query directories |
| `STORY_PATHS` | Splunk analytic story directories (optional) |
| `ATTACK_STIX_PATH` | Path to enterprise-attack.json for threat actor data (optional) |
See the Setup Guide for full per-client config examples (Cursor, VS Code, Claude Desktop, WSL).
Download all sources with sparse checkout (rules only, not full repos):
```bash
mkdir -p detections && cd detections
git clone --depth 1 --filter=blob:none --sparse https://github.com/SigmaHQ/sigma.git && cd sigma && git sparse-checkout set rules rules-threat-hunting && cd ..
git clone --depth 1 --filter=blob:none --sparse https://github.com/splunk/security_content.git && cd security_content && git sparse-checkout set detections stories && cd ..
git clone --depth 1 --filter=blob:none --sparse https://github.com/elastic/detection-rules.git && cd detection-rules && git sparse-checkout set rules && cd ..
git clone --depth 1 https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules.git kql-bertjanp
git clone --depth 1 https://github.com/jkerai1/KQL-Queries.git kql-jkerai1
git clone --depth 1 --filter=blob:none --sparse https://github.com/sublime-security/sublime-rules.git && cd sublime-rules && git sparse-checkout set detection-rules && cd ..
git clone --depth 1 https://github.com/ByteRay-Labs/Query-Hub.git cql-hub
```
| Tool | Description |
|---|---|
| `search(query, limit)` | Full-text search across all detection fields |
| `get_by_id(id)` | Get a single detection by ID |
| `list_all(limit, offset)` | Paginated list of all detections |
| `list_by_source(source_type)` | Filter by source (sigma, splunk_escu, elastic, kql, sublime, crowdstrike_cql) |
| `get_stats()` | Index statistics |
| `rebuild_index()` | Force re-index from configured paths |
| Tool | Description |
|---|---|
| `list_by_mitre(technique_id)` | Filter by technique ID (e.g., T1059.001) |
| `list_by_mitre_tactic(tactic)` | Filter by tactic (execution, persistence, etc.) |
| `list_by_cve(cve_id)` | Find detections for a CVE |
| `list_by_process_name(process_name)` | Find detections referencing a process |
| `list_by_severity(level)` | Filter by severity level |
| `list_by_data_source(data_source)` | Filter by data source |
| Tool | Description |
|---|---|
| `analyze_coverage(source_type?)` | Coverage stats by tactic, top techniques, weak spots (~2KB) |
| `identify_gaps(threat_profile)` | Find gaps for ransomware, apt, persistence, etc. (~500B) |
| `suggest_detections(technique_id)` | Detection ideas for a technique (~2KB) |
| `get_coverage_summary(source_type?)` | Tactic percentages (~200B) |
| `analyze_actor_coverage(actor)` | Coverage against a specific threat actor |
| `compare_actor_coverage(actors)` | Compare coverage across multiple actors |
| `analyze_procedure_coverage(technique_id)` | Behavioral procedure breakdown |
| `generate_navigator_layer(...)` | Export ATT&CK Navigator JSON layers |
81 tools total including pattern learning, template generation, knowledge graph, dynamic tables, and autonomous analysis. See the Tools Reference for the complete list.
11 pre-built expert workflows. Just ask by name:
| Prompt | Description |
|---|---|
| `ransomware-readiness-assessment` | Full kill-chain analysis with risk scoring |
| `apt-threat-emulation` | Coverage against specific threat actors (APT29, Lazarus, etc.) |
| `purple-team-exercise` | Complete test plans with procedures and expected detections |
| `soc-investigation-assist` | Triage guidance, hunting queries, escalation criteria |
| `detection-engineering-sprint` | Prioritized backlog with user stories |
| `executive-security-briefing` | C-level report with business risk language |
| `cve-response-assessment` | Rapid assessment for emerging CVEs |
| `data-source-gap-analysis` | Telemetry requirements analysis |
| `detection-quality-review` | Deep-dive quality analysis for a technique |
| `threat-landscape-sync` | Align priorities with current threats |
| `detection-coverage-diff` | Compare coverage against actors or baseline |
You: "Run apt-threat-emulation for APT29"
→ Technique-by-technique coverage, gaps, and purple team test plan
Pairs with mitre-attack-mcp for complete threat coverage analysis. Install both:
```json
{
  "mcpServers": {
    "security-detections": {
      "command": "npx",
      "args": ["-y", "security-detections-mcp"],
      "env": { "SIGMA_PATHS": "/path/to/sigma/rules" }
    },
    "mitre-attack": {
      "command": "npx",
      "args": ["-y", "mitre-attack-mcp"],
      "env": { "ATTACK_DOMAIN": "enterprise-attack" }
    }
  }
}
```
| Source | Count |
|---|---|
| Sigma Rules | ~3,200+ |
| Splunk ESCU | ~2,000+ |
| Elastic Rules | ~1,500+ |
| KQL Queries | ~420+ |
| Sublime Rules | ~900+ |
| CrowdStrike CQL | ~139+ |
| Total | ~8,200+ |
```bash
npm install && npm run build && npm test
```
- Setup Guide — Full install walkthrough for all platforms
- Hosted MCP Guide — Hosted setup, token management, tool inventory
- Autonomous Platform — CTI-to-detection pipeline
- E2E Testing Guide — Per-SIEM setup (Splunk, Sentinel, Elastic, Sigma)
- Architecture — System design decisions
- Knowledge Graph — Tribal knowledge and analytical memory
- Engineering Intelligence — Pattern learning and templates
- Tools Reference — Complete reference for all 81 tools
Apache 2.0