agentic-detection-lookups

Machine-readable detection lookups for SIEM enrichment and AI agents. Query 800+ LOLBAS and GTFOBins binaries plus process parent-child baselines — get risk levels, abuse categories, and MITRE ATT&CK mappings without embedding data in prompts.

Agentic Detection Lookups

Machine-readable detection lookups for SIEM enrichment and AI agents. MCP-native.

Stop regex-matching 200+ binaries. Enrich in one match() call.
Feed it to your SIEM, your SOAR, your agent, or your LLM.

What is this?

A collection of structured CSV lookup files purpose-built for:

  • SIEM enrichment — one match()/lookup/join replaces entire rule categories
  • AI agent tooling — MCP server included, agents query detection context in real-time
  • Detection automation — consistent schema, CI-updated, deploy-ready

Lookup Files

File                       | Entries | OS      | Description
lolbas_binaries.csv        | 232     | Windows | Living Off The Land Binaries and Scripts — risk-scored, categorized, MITRE-mapped
gtfobins.csv               | 477     | Linux   | GTFOBins Unix binaries — shell escape, priv-esc, file ops, MITRE-mapped
parent_child_baselines.csv | 97      | Both    | Expected/suspicious process parent→child relationships for Windows and Linux

Schema Contract

Every lookup file follows:

  1. First column = match key (the field you join on)
  2. Always includes risk or risk_if_unexpected column
  3. Always includes MITRE ATT&CK technique mapping
  4. No nested data — flat columns, pipe-delimited for multi-value
  5. UTF-8, no BOM, Unix line endings, header row always present
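The contract above is what lets a consumer treat every file the same way. The following added example (not part of the project's code) checks a CSV against the contract and then performs the same first-column lookup with pipe-splitting that a SIEM match() or the MCP lookup tool would do; the sample rows are constructed and the check for a MITRE column assumes the column name starts with "mitre".

```python
import csv
import io
from typing import Optional

# Constructed sample in the README's schema: match key first, a risk column,
# a MITRE column, pipe-delimited multi-values. Not the project's real data.
SAMPLE_LOLBAS_CSV = """filename,risk,categories,mitre_ids
certutil.exe,medium,Download|ADS,T1105|T1564.004
msbuild.exe,high,Execute|AWL Bypass,T1127.001
"""

RISK_COLUMNS = ("risk", "risk_if_unexpected")
MULTI_VALUE_SEP = "|"


def validate_contract(raw: bytes) -> list:
    """Return the list of contract violations; an empty list means compliant."""
    problems = []
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 BOM present")
    if b"\r\n" in raw:
        problems.append("Windows line endings")
    header = next(csv.reader(io.StringIO(raw.decode("utf-8"))), None)
    if not header:
        return problems + ["missing header row"]
    if not any(col in header for col in RISK_COLUMNS):
        problems.append("no risk/risk_if_unexpected column")
    if not any(col.startswith("mitre") for col in header):  # assumed naming
        problems.append("no MITRE column")
    return problems


def load_lookup(raw: bytes) -> dict:
    """Index rows by the first column (the match key), lower-cased like the SIEM queries."""
    rows = csv.DictReader(io.StringIO(raw.decode("utf-8")))
    key = rows.fieldnames[0]
    return {row[key].lower(): row for row in rows}


def lookup_binary(table: dict, filename: str) -> Optional[dict]:
    """Enrich one process name; split pipe-delimited columns into lists."""
    row = table.get(filename.lower())
    if row is None:
        return None
    split = lambda s: [v for v in s.split(MULTI_VALUE_SEP) if v]
    return {
        "risk": row["risk"],
        "categories": split(row["categories"]),
        "mitre_ids": split(row["mitre_ids"]),
    }
```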

Quick Start

SIEM (copy-paste)

CrowdStrike NG-SIEM:

#event_simpleName=ProcessRollup2
| binary := lower(FileName)
| match(file="lolbas_binaries.csv", field=binary, column=filename, include=[categories, mitre_ids, risk])
| risk="high"

Splunk:

index=crowdstrike event_simpleName=ProcessRollup2
| rex field=FileName "(?<binary>[^\\\\]+)$"
| lookup lolbas_binaries.csv filename AS binary OUTPUT categories mitre_ids risk
| where risk="high"

Elastic (ES|QL):

FROM logs-endpoint.events.process-*
| WHERE event.action == "start"
| ENRICH lolbas-policy ON process.name WITH categories, risk
| WHERE risk == "high"

Microsoft Sentinel:

DeviceProcessEvents
| extend binary = tolower(FileName)
| join kind=inner (_GetWatchlist('lolbas_binaries')) on $left.binary == $right.filename
| where risk == "high"

See queries/ for full query libraries per platform.

MCP Server (AI agents)

{
  "servers": {
    "detection-lookups": {
      "type": "stdio",
      "command": "python",
      "args": ["-m", "mcp_server"],
      "cwd": "/path/to/agentic-detection-lookups"
    }
  }
}

Then your agent can:

→ detection_lookup_binary("certutil.exe")
← {source: "lolbas", risk: "medium", categories: ["Download"], mitre_ids: ["T1105"]}

→ detection_lookup_binary("python")
← {source: "gtfobins", risk: "high", categories: ["shell", "reverse-shell", ...], mitre_ids: ["T1059"]}

→ detection_check_parent_child("winword.exe", "cmd.exe")
← {expected: false, risk_if_unexpected: "critical", mitre_id: "T1204.002"}

MCP Tools

Tool                        | Input                       | Output
detection_lookup_binary     | filename                    | Risk, categories, MITRE IDs, source (lolbas/gtfobins)
detection_check_parent_child| parent, child, os_filter    | Expected/suspicious, risk level, triage guidance
detection_list_by_category  | category, limit, offset     | Paginated binaries in that abuse category (cross-platform)
detection_list_by_mitre     | technique_id, limit, offset | Paginated binaries mapped to that technique (cross-platform)
detection_search            | query, limit                | Matches across all lookup data with total/has_more
detection_list_lookups      | (none)                      | All files with row counts and columns

Data Sources

Lookup          | Source         | Update Frequency
LOLBAS binaries | LOLBAS Project | Weekly (automated)

Installation

Prerequisites

  • Python 3.10+
  • VS Code with GitHub Copilot (for MCP integration)

Install

git clone https://github.com/detection-forge/agentic-detection-lookups.git
cd agentic-detection-lookups
python -m venv .venv
# Windows:
.venv\Scripts\activate
# Linux/macOS:
source .venv/bin/activate
pip install -e .

Configure MCP Client (VS Code)

Add to your VS Code User settings (Ctrl+Shift+P → "Preferences: Open User Settings (JSON)") or ~/.vscode/mcp.json:

{
  "servers": {
    "detection-lookups": {
      "type": "stdio",
      "command": "/absolute/path/to/.venv/bin/python",
      "args": ["-m", "mcp_server"],
      "cwd": "/absolute/path/to/agentic-detection-lookups"
    }
  }
}

Windows example:

{
  "servers": {
    "detection-lookups": {
      "type": "stdio",
      "command": "C:\\Code\\.venv\\Scripts\\python.exe",
      "args": ["-m", "mcp_server"],
      "cwd": "C:\\Code\\agentic-detection-lookups"
    }
  }
}

Reload VS Code: Ctrl+Shift+P → "Reload Window"

Verify

In Copilot Chat (Agent mode):

Is certutil.exe a LOLBAS binary?

✅ Returns risk, categories, and MITRE mappings = working!

Run standalone (CLI)

detection-lookups

This starts the MCP server on stdio transport (useful for piping JSON-RPC or connecting other MCP clients).

Upload to your SIEM

  • CrowdStrike NG-SIEM: Upload via API or UI (Settings → Lookup Files)
  • Splunk: Settings → Lookups → Lookup table files → Add new
  • Elastic: Create enrich index + ingest pipeline
  • Sentinel: Configuration → Watchlist → Add new

Project Structure

agentic-detection-lookups/
├── lookups/                    # The data (CSV files)
│   ├── lolbas_binaries.csv
│   ├── gtfobins.csv
│   └── parent_child_baselines.csv
├── queries/                    # Copy-paste detection queries
│   ├── crowdstrike_ngsiem.md
│   ├── splunk.md
│   ├── elastic.md
│   └── microsoft_sentinel.md
├── mcp_server/                 # MCP server for AI agents
│   ├── server.py
│   └── __init__.py
├── scripts/                    # Update/maintenance scripts
├── LICENSE                     # Apache 2.0
├── NOTICE
└── pyproject.toml

Contributing

PRs welcome. See CONTRIBUTING.md for guidelines.

To add a new lookup file:

  1. Follow the schema contract (match key first, include risk + MITRE columns)
  2. Include at least one query example per SIEM platform
  3. Add a tool to the MCP server

License

Apache 2.0 — See LICENSE and NOTICE.


Built by Gene Kazimiarovich | Part of Detection Forge
