agentic-detection-lookups
Machine-readable detection lookups for SIEM enrichment and AI agents. Query 800+ LOLBAS and GTFOBins binaries plus process parent-child baselines — get risk levels, abuse categories, and MITRE ATT&CK mappings without embedding data in prompts.
Agentic Detection Lookups
Machine-readable detection lookups for SIEM enrichment and AI agents. MCP-native.
Stop regex-matching 200+ binaries. Enrich in one `match()` call.
Feed it to your SIEM, your SOAR, your agent, or your LLM.
What is this?
A collection of structured CSV lookup files purpose-built for:
- SIEM enrichment — one `match()`/`lookup`/`join` replaces entire rule categories
- AI agent tooling — MCP server included, agents query detection context in real-time
- Detection automation — consistent schema, CI-updated, deploy-ready
Lookup Files
| File | Entries | OS | Description |
|---|---|---|---|
| lolbas_binaries.csv | 232 | Windows | Living Off The Land Binaries and Scripts — risk-scored, categorized, MITRE-mapped |
| gtfobins.csv | 477 | Linux | GTFOBins Unix binaries — shell escape, priv-esc, file ops, MITRE-mapped |
| parent_child_baselines.csv | 97 | Both | Expected/suspicious process parent→child relationships for Windows and Linux |
Schema Contract
Every lookup file follows:
- First column = match key (the field you join on)
- Always includes a `risk` or `risk_if_unexpected` column
- Always includes MITRE ATT&CK technique mapping
- No nested data — flat columns, pipe-delimited for multi-value
- UTF-8, no BOM, Unix line endings, header row always present
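The contract above is mechanical enough to check in CI. The validator below is an added example (not the project's own scripts); it assumes only the column names the contract names (`risk`, `risk_if_unexpected`, a column starting with `mitre`) and a `T1234`/`T1234.001` technique ID format, and the two sample files are constructed.

```python
import csv
import io
import re

# Column names follow the schema contract above; the MITRE ID format is an assumption.
RISK_COLUMNS = {"risk", "risk_if_unexpected"}
MITRE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")

def validate_lookup(raw: bytes) -> list[str]:
    """Return schema-contract violations for one lookup file (empty list = compliant)."""
    issues = []
    if raw.startswith(b"\xef\xbb\xbf"):
        issues.append("UTF-8 BOM present")
        raw = raw[3:]
    if b"\r\n" in raw:
        issues.append("CRLF line endings found; contract requires LF")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return issues + ["file is not valid UTF-8"]
    rows = list(csv.reader(io.StringIO(text.replace("\r\n", "\n"))))
    if not rows or not rows[0]:
        return issues + ["header row missing"]
    header = rows[0]
    if not header[0].strip():
        issues.append("first column (match key) has no name")
    if not RISK_COLUMNS & set(header):
        issues.append("no risk or risk_if_unexpected column")
    mitre_cols = [i for i, h in enumerate(header) if h.startswith("mitre")]
    if not mitre_cols:
        issues.append("no MITRE ATT&CK mapping column")
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            issues.append(f"line {n}: {len(row)} fields, header has {len(header)}")
            continue
        if not row[0].strip():
            issues.append(f"line {n}: empty match key")
        for i in mitre_cols:
            # Multi-value fields are pipe-delimited; every token must be a technique ID.
            for tech in filter(None, row[i].split("|")):
                if not MITRE_RE.match(tech):
                    issues.append(f"line {n}: malformed MITRE id {tech!r}")
    return issues

# Constructed samples: one compliant file and one that breaks four rules at once.
GOOD = b"filename,risk,categories,mitre_ids\ncertutil.exe,medium,Download|Encode,T1105|T1140\n"
BAD = b"\xef\xbb\xbfbinary,categories\r\ncertutil.exe,Download\r\n"
```

Run it over every file in `lookups/` before publishing; a non-empty list fails the build.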
Quick Start
SIEM (copy-paste)
CrowdStrike NG-SIEM:
#event_simpleName=ProcessRollup2
| binary := lower(FileName)
| match(file="lolbas_binaries.csv", field=binary, column=filename, include=[categories, mitre_ids, risk])
| risk="high"
Splunk:
index=crowdstrike event_simpleName=ProcessRollup2
| rex field=FileName "(?<binary>[^\\\\]+)$"
| lookup lolbas_binaries.csv filename AS binary OUTPUT categories mitre_ids risk
| where risk="high"
Elastic (ES|QL):
FROM logs-endpoint.events.process-*
| WHERE event.action == "start"
| ENRICH lolbas-policy ON process.name = filename WITH categories, risk
| WHERE risk == "high"
Microsoft Sentinel:
DeviceProcessEvents
| extend binary = tolower(FileName)
| join kind=inner (_GetWatchlist('lolbas_binaries')) on $left.binary == $right.filename
| where risk == "high"
See queries/ for full query libraries per platform.
MCP Server (AI agents)
{
  "servers": {
    "detection-lookups": {
      "type": "stdio",
      "command": "python",
      "args": ["-m", "mcp_server"],
      "cwd": "/path/to/agentic-detection-lookups"
    }
  }
}
Then your agent can:
→ detection_lookup_binary("certutil.exe")
← {source: "lolbas", risk: "medium", categories: ["Download"], mitre_ids: ["T1105"]}
→ detection_lookup_binary("python")
← {source: "gtfobins", risk: "high", categories: ["shell", "reverse-shell", ...], mitre_ids: ["T1059"]}
→ detection_check_parent_child("winword.exe", "cmd.exe")
← {expected: false, risk_if_unexpected: "critical", mitre_id: "T1204.002"}
MCP Tools
| Tool | Input | Output |
|---|---|---|
| detection_lookup_binary | filename | Risk, categories, MITRE IDs, source (lolbas/gtfobins) |
| detection_check_parent_child | parent, child, os_filter | Expected/suspicious, risk level, triage guidance |
| detection_list_by_category | category, limit, offset | Paginated binaries in that abuse category (cross-platform) |
| detection_list_by_mitre | technique_id, limit, offset | Paginated binaries mapped to that technique (cross-platform) |
| detection_search | query, limit | Matches across all lookup data with total/has_more |
| detection_list_lookups | — | All files with row counts and columns |
Data Sources
| Lookup | Source | Update Frequency |
|---|---|---|
| LOLBAS binaries | LOLBAS Project | Weekly (automated) |
Installation
Prerequisites
- Python 3.10+
- VS Code with GitHub Copilot (for MCP integration)
Install
git clone https://github.com/detection-forge/agentic-detection-lookups.git
cd agentic-detection-lookups
python -m venv .venv
# Windows:
.venv\Scripts\activate
# Linux/macOS:
source .venv/bin/activate
pip install -e .
Configure MCP Client (VS Code)
Add to your VS Code User settings (Ctrl+Shift+P → "Preferences: Open User Settings (JSON)") or ~/.vscode/mcp.json:
{
  "servers": {
    "detection-lookups": {
      "type": "stdio",
      "command": "/absolute/path/to/.venv/bin/python",
      "args": ["-m", "mcp_server"],
      "cwd": "/absolute/path/to/agentic-detection-lookups"
    }
  }
}
Windows example:
{
  "servers": {
    "detection-lookups": {
      "type": "stdio",
      "command": "C:\\Code\\.venv\\Scripts\\python.exe",
      "args": ["-m", "mcp_server"],
      "cwd": "C:\\Code\\agentic-detection-lookups"
    }
  }
}
Reload VS Code: Ctrl+Shift+P → "Reload Window"
Verify
In Copilot Chat (Agent mode):
Is certutil.exe a LOLBAS binary?
✅ If the answer includes risk, categories, and MITRE mappings, the server is working.
Run standalone (CLI)
detection-lookups
This starts the MCP server on stdio transport (useful for piping JSON-RPC or connecting other MCP clients).
Upload to your SIEM
- CrowdStrike NG-SIEM: Upload via API or UI (Settings → Lookup Files)
- Splunk: Settings → Lookups → Lookup table files → Add new
- Elastic: Create enrich index + ingest pipeline
- Sentinel: Configuration → Watchlist → Add new
Project Structure
agentic-detection-lookups/
├── lookups/ # The data (CSV files)
│ ├── lolbas_binaries.csv
│ ├── gtfobins.csv
│ └── parent_child_baselines.csv
├── queries/ # Copy-paste detection queries
│ ├── crowdstrike_ngsiem.md
│ ├── splunk.md
│ ├── elastic.md
│ └── microsoft_sentinel.md
├── mcp_server/ # MCP server for AI agents
│ ├── server.py
│ └── __init__.py
├── scripts/ # Update/maintenance scripts
├── LICENSE # Apache 2.0
├── NOTICE
└── pyproject.toml
Contributing
PRs welcome. See CONTRIBUTING.md for guidelines.
To add a new lookup file:
- Follow the schema contract (match key first, include risk + MITRE columns)
- Include at least one query example per SIEM platform
- Add a tool to the MCP server
License
Apache 2.0 — See LICENSE and NOTICE.
Built by Gene Kazimiarovich | Part of Detection Forge