Security Detections MCP

Security Detections MCP

Unifies 7,283+ detection rules from Sigma, Splunk ESCU, Elastic, and KQL into a single queryable interface via MCP, with a web dashboard and autonomous agent pipeline for detection engineering.

Category
Visit Server

README

<p align="center"> <h1 align="center">Security Detections MCP</h1> <p align="center"> <strong>Unified Detection Engineering Platform</strong><br> <em>7,283+ detections across Sigma, Splunk ESCU, Elastic & KQL — powered by MCP</em> </p> </p>

<p align="center"> <a href="#quick-start">Quick Start</a> • <a href="#detection-workbench">Workbench</a> • <a href="#mcp-tools">106 Tools</a> • <a href="#workflow-engine">22 Workflows</a> • <a href="#autonomous-pipeline">Agents</a> • <a href="#configuration">Config</a> </p>

<p align="center"> <img src="https://img.shields.io/badge/version-3.0.0-blue" alt="Version 3.0.0"> <img src="https://img.shields.io/badge/node-%3E%3D18.0.0-green" alt="Node >= 18"> <img src="https://img.shields.io/badge/detections-7%2C283%2B-cyan" alt="7,283+ detections"> <img src="https://img.shields.io/badge/tools-106-orange" alt="106 tools"> <img src="https://img.shields.io/badge/workflows-22-purple" alt="22 workflows"> <img src="https://img.shields.io/badge/license-MIT-green" alt="MIT License"> </p>

<p align="center"> Built on <a href="https://github.com/MHaggis/Security-Detections-MCP"><strong>Security Detections MCP</strong></a> by <a href="https://github.com/MHaggis">MHaggis</a>  •  Threat Intelligence by <a href="https://threadlinqs.com"><strong>Threadlinqs</strong></a> </p>

Dashboard

What is this?

Security Detections MCP is an open-source platform that unifies 7,283+ detection rules from four major sources into a single queryable interface using the Model Context Protocol (MCP). It combines:

  • An MCP Server with 74 tools for searching, analyzing, and engineering detections
  • A Threat Intelligence MCP Server (Threadlinqs Intel) with 32 tools for real-time threat feeds, C2 tracking, MITRE mapping, and DNS enrichment
  • A Web Dashboard (Detection Workbench) for visual exploration, workflow execution, and AI-powered ad-hoc analysis
  • An Autonomous Agent Pipeline (LangGraph) for end-to-end detection generation and validation

Detection Sources

Source Rules Format Description
Sigma 3,200+ YAML Community-driven, platform-agnostic detection rules
Splunk ESCU 1,800+ YAML/SPL Splunk's Enterprise Security Content Update detections
Elastic 1,400+ TOML/EQL Elastic Security detection rules
KQL 880+ KQL Microsoft Sentinel / Defender analytics rules

Quick Start

Prerequisites

  • Node.js >= 18.0.0
  • npm >= 8.0.0
  • Git (for cloning detection repos)

1. Clone and build the MCP server

git clone https://github.com/MHaggis/Security-Detections-MCP.git
cd Security-Detections-MCP
npm install
npm run build

2. Clone detection rule repositories

mkdir -p detections && cd detections

# Sigma rules
git clone https://github.com/SigmaHQ/sigma.git

# Splunk ESCU
git clone https://github.com/splunk/security_content.git

# Elastic detection rules
git clone https://github.com/elastic/detection-rules.git

# KQL rules
git clone https://github.com/bert-jan/kql.git kql-bertjanp
git clone https://github.com/jkerai1/SentinelAnalyticRules.git kql-jkerai1

cd ..

3. Start the workbench

cd workbench
npm install
npm run dev

Open http://localhost:3000 in your browser.

4. Configure API keys

Navigate to Settings in the workbench sidebar and configure:

  • LLM Provider — Choose Anthropic (Claude) or OpenAI (GPT-4) and enter your API key
  • Threadlinqs Intel API Key — Get yours at intel.threadlinqs.com for real-time threat intelligence

Without an LLM API key, ad-hoc queries and llm_prompt workflow steps won't function. Without a Threadlinqs key, threat intelligence workflows will skip intel steps but detection tools will work normally.

Architecture

┌─────────────────────────────────────────────────────────────────┐
│                    Detection Workbench (Next.js)                │
│  Dashboard │ Tools │ Workflows │ Ad-Hoc │ Threats │ Coverage    │
├──────────────────────┬──────────────────────────────────────────┤
│    MCP Bridge        │         LLM Client                      │
│  (StdioTransport)    │   (Anthropic / OpenAI)                  │
├──────────┬───────────┼──────────────────────────────────────────┤
│          │           │                                          │
│  ┌───────▼────────┐  │  ┌─────────────────────┐                │
│  │ security-      │  │  │ threadlinqs-intel    │                │
│  │ detections     │  │  │ MCP Server (v3.1.1)  │                │
│  │ MCP Server     │  │  │                      │                │
│  │                │  │  │ 32 tools:            │                │
│  │ 74 tools:      │  │  │ • Threat feeds       │                │
│  │ • Search       │  │  │ • C2 tracking        │                │
│  │ • MITRE map    │  │  │ • MITRE mapping      │                │
│  │ • Knowledge    │  │  │ • CVE/CWE lookup     │                │
│  │ • Engineering  │  │  │ • IOC search         │                │
│  │ • Autonomous   │  │  │ • Simulations        │                │
│  └───────┬────────┘  │  └──────────┬──────────┘                │
│          │           │             │                            │
│  ┌───────▼───────────▼─────────────▼──────────┐                │
│  │              SQLite Cache                   │                │
│  │         7,283+ indexed detections           │                │
│  └───────────────┬────────────────────────────┘                │
│                  │                                              │
│  ┌───────────────▼────────────────────────────┐                │
│  │         Detection Rule Repositories         │                │
│  │   Sigma │ Splunk ESCU │ Elastic │ KQL       │                │
│  └─────────────────────────────────────────────┘                │
└─────────────────────────────────────────────────────────────────┘

Detection Workbench

The workbench is a full-featured web dashboard built with Next.js 15, React 19, and Tailwind CSS v4. It features a terminal-inspired hacker aesthetic with JetBrains Mono font, colored status indicators, and // section headers.

Dashboard

The command center with real-time stats, quick-launch workflows, recent activity, and server status at a glance.

Dashboard

Metric Value
Total Tools 106
Indexed Detections 7,283+
Pre-built Workflows 22
MCP Servers 2

Tool Explorer

Browse, search, and execute all 106 tools across both MCP servers. Blue indicators for security-detections, purple for threadlinqs-intel.

Tool Explorer

Click any tool to inspect its schema, parameters, and test it directly from the browser.

Tool Detail

Filter by server to see the 32 Threadlinqs Intel tools — threat feeds, C2 tracking, simulations, and more.

Intel Tools

Workflow Library

22 pre-built detection engineering workflows spanning threat hunting, coverage analysis, CVE assessment, and intelligence operations.

Workflows

Visual Workflow Builder

Drag-and-drop canvas for designing custom detection pipelines. Connect tool calls, transforms, LLM analysis steps, conditionals, loops, and parallel branches.

Workflow Builder

Workflow Execution

Execute workflows against live MCP servers with real-time step-by-step progress tracking. Each step shows its type (tool_call, transform, llm_prompt), target server, and execution status.

Workflow Execution

Results include LLM-generated analysis with executive summaries, threat inventories, MITRE coverage matrices, and prioritized recommendations.

Execution Results

Ad-Hoc Terminal

Natural language interface powered by your configured LLM. Ask questions about your detections, threats, and coverage — the system automatically selects and calls the right MCP tools, then synthesizes the results.

Ad-Hoc Terminal

Example queries:

  • "What ransomware detections do we have?"
  • "Show coverage gaps for credential access"
  • "Compare Sigma vs Splunk detection counts"
  • "Pull the latest threats from Threadlinqs and contrast them against my detections"

Ad-Hoc Results

All Pages

Page Path Description
Dashboard / Stats, quick-launch, recent activity, server status
Ad-Hoc Terminal /adhoc Natural language queries with automatic tool orchestration
Tool Explorer /tools Browse and execute all 106 MCP tools
Workflow Library /workflows View and run 22 pre-built workflows
Workflow Builder /workflows/builder Visual drag-and-drop pipeline designer
Threats /threats Real-time threat intelligence feed
Coverage /coverage MITRE ATT&CK coverage analysis
History /history Execution history and past results
Settings /config LLM provider, API keys, MCP server status

MCP Tools

security-detections (74 tools)

Core Detection Tools

Tool Params Description
search query, limit, source_type Full-text search across all detection fields
get_by_id id Get detection by unique identifier
get_raw_yaml id Get original YAML/TOML source
list_all limit, offset List all detections with pagination
list_by_source source, limit, offset Filter by source (sigma, splunk_escu, elastic, kql)
list_by_mitre technique_id, limit Filter by MITRE ATT&CK technique
list_by_logsource category, product, service, limit, offset Filter by log source fields
list_by_severity severity, limit, offset Filter by severity level
list_by_cve cve_id, limit Find detections related to a CVE
list_by_analytic_story story, limit Filter by Splunk analytic story
list_by_process_name process, limit, offset Filter by process name
list_by_detection_type type, limit, offset Filter by detection type
list_by_data_source data_source, limit, offset Filter by data source
list_by_mitre_tactic tactic, limit, offset Filter by MITRE tactic
list_by_kql_category category, limit, offset Filter KQL by category
list_by_kql_tag tag, limit, offset Filter KQL by tag
list_by_kql_datasource datasource, limit, offset Filter KQL by data source
list_by_name_pattern pattern, limit, offset Wildcard search on detection name

Analytics & Coverage

Tool Description
get_stats Platform-wide detection statistics
get_technique_ids All MITRE technique IDs with detection counts
get_technique_count Count detections for a specific technique
analyze_coverage Analyze MITRE coverage with gap identification
identify_gaps Find techniques with missing or thin coverage
suggest_detections Get recommendations for new detections to build
get_detection_list Generate filterable detection inventory
compare_sources Compare coverage across Sigma, Splunk, Elastic, KQL
count_by_source Count detections per source type
smart_compare Intelligent cross-source comparison
get_coverage_summary Executive-level coverage summary
get_top_gaps Highest-priority detection gaps

Analytic Stories

Tool Description
search_stories Full-text search across analytic stories
get_story Get detailed story information
list_stories List all analytic stories
list_stories_by_category Filter stories by category

Knowledge Graph (Tribal Knowledge)

Tool Description
create_entity Create knowledge entities (threat actors, techniques, etc.)
create_relation Create relationships between entities with reasoning
add_observation Add facts with confidence scoring
delete_entity Remove entity and associated data
delete_observation Delete specific observation
search_knowledge Full-text search across all knowledge
read_graph Read entire graph or filtered subgraph
open_entity Full entity details with relations and observations
log_decision Record significant decisions with reasoning
add_learning Store reusable patterns and insights
get_relevant_decisions Find past decisions relevant to current context
get_learnings Get applicable learnings for current task

Engineering Intelligence

Tool Description
get_query_patterns Common query patterns for a MITRE technique
get_field_reference Available fields for a Splunk data model
get_macro_reference Common Splunk macros and usage patterns
find_similar_detections Find detections similar to what you want to create
suggest_detection_template Generate detection template from technique + patterns

Dynamic Tables

Tool Description
create_table Create custom runtime tables
insert_row Insert data into dynamic table
query_table Query with filtering, sorting, pagination
list_tables List all tables (including pre-built analysis tables)
drop_table Remove table and data
describe_table Get schema and statistics

Pre-built tables: gap_analyses, source_comparisons, threat_actor_profiles, detection_recommendations

Autonomous Analysis

Tool Description
auto_analyze_coverage Automatic coverage analysis across threat profiles
auto_gap_report Comprehensive gap report with prioritized recommendations
auto_compare_sources Detailed cross-source comparison with reasoning
llm_enhanced_analysis LLM-enhanced analysis via MCP sampling
check_sampling_status Check if MCP sampling is available

Cache & Templates

Tool Description
save_query Cache query results with optional TTL
get_saved_query Retrieve cached results
list_saved_queries List all saved queries
rebuild_index Force re-index all detections
save_template Save reusable query templates with {{placeholders}}
run_template Execute template with parameter substitution
list_templates List all templates with usage stats
get_template Get template details and schema
delete_template Remove a template

threadlinqs-intel (32 tools) — intelthreadlinqs-mcp@3.1.1

Threat Intelligence

Tool Description
search_threats Search threat intelligence database by keyword, CVE, MITRE technique, or actor
get_threat Get full threat report with TTPs, IOCs, detections, and attribution
get_recent_threats Get most recently published threats, ordered by creation date
list_threat_categories List all threat categories with counts
get_threat_transcripts Multi-agent intelligence analysis transcripts for a threat

Detections & Coverage

Tool Description
get_detections Get detection rules, filter by threat ID or type (SPL, KQL, Sigma)
export_detection Export detection in raw SIEM format
get_mitre_coverage Full MITRE ATT&CK framework coverage map
get_mitre_technique Detailed info for a specific MITRE ATT&CK technique

IOC Intelligence & DNS Enrichment

Tool Description
search_iocs Search IOCs — IPs, domains, hashes, URLs, behavioral indicators
enrich_iocs Trigger DNS enrichment for IOCs (single, per-threat, or bulk)
get_ioc_dns Get passive DNS enrichment data for a specific IOC (IP or domain)
get_enrichment_graph DNS enrichment infrastructure graph — nodes and edges
get_enrichment_overview DNS enrichment overview — totals, discovered domains, cross-threat links

C2 Tracking

Tool Description
list_c2_beacons Wild C2 beacons — command-and-control infrastructure intel
get_c2_stats C2 framework distribution, geographic spread, watermarks
get_c2_operators C2 operator cluster analysis — behavioral fingerprints
get_c2_cross_correlations Cross-intelligence correlations — IP, tag, MITRE matches
get_c2_watermarks Cobalt Strike watermark clusters
get_c2_timeline Monthly C2 framework version distribution
get_c2_configs Full C2 beacon configurations — sleep, jitter, user agents

Correlations & Lookups

Tool Description
get_correlations_overview Aggregated intelligence from 7 correlation engines
get_correlation_engine Detailed data from a specific correlation engine
get_cve_details CVE lookup with severity, CVSS, and description
get_cwe_details CWE weakness lookup with description and mitigations

Simulations & Debriefs

Tool Description
list_simulations List attack simulation scenarios
get_threat_simulations Get simulation commands for a specific threat
list_debriefs List daily intelligence debriefs
get_debrief Get specific daily debrief by date

Platform

Tool Description
get_platform_stats Platform statistics — threats, detections, IOCs, coverage
get_roadmap Platform roadmap — planned features and ideas
get_changelog Recent updates, features, and fixes

Workflow Engine

The workflow engine supports 6 step types that can be chained into multi-step detection engineering pipelines:

Step Type Description Example
tool_call Execute an MCP tool on a specified server search on security-detections
transform Extract or reshape data between steps $steps.threats[0].id
llm_prompt Send a prompt to the configured LLM for analysis Coverage gap analysis
conditional Branch execution based on a condition $steps.count > 0
loop Iterate over an array, executing steps per item Loop over techniques
parallel Execute multiple steps concurrently Query multiple sources

Binding System

Steps can reference outputs from previous steps using $-expressions:

$input.cve_id              # Workflow input parameter
$steps.threats             # Output from step with id "threats"
$steps.threats[0].id       # First item's id field
$steps.detail.mitre_attack # Nested field access

Pre-built Workflows (22)

Threat Intelligence

Workflow Tags Description
Threat Coverage Check threats, coverage, gaps Get recent threats, extract MITRE techniques, identify detection gaps
CVE Impact Assessment cve, threats, assessment Assess CVE impact by finding related threats and detections
Daily Threat Debrief daily, debrief, threats Generate daily threat intelligence summary with coverage report
New Threat Triage triage, threat, detections Triage specific threat with detection check and recommendations
Threat Actor Profile threat-actor, profile, techniques Build complete threat actor profile with TTPs and coverage
IOC Enrichment ioc, enrichment, threats Enrich IOCs with threat context, technique mapping, coverage check
Weekly Security Report weekly, report, summary Comprehensive weekly report with stats and correlations

Coverage Analysis

Workflow Tags Description
Detection Gap Analysis gaps, coverage, mitre Compare MITRE coverage between threat intel and detections
Coverage Sync sync, coverage, mitre Parallel sync of MITRE coverage across intel and detections
Detection Source Comparison comparison, sources Compare counts and coverage across Sigma, Splunk, Elastic, KQL
Detection Quality Report quality, optimization Find thin coverage, over-covered areas, rebalancing suggestions

Threat Hunting

Workflow Tags Description
C2 Framework Hunting c2, hunting Identify C2 frameworks and check detection coverage
Lateral Movement Hunt lateral-movement, hunting Map lateral movement techniques, build hunting plan
Credential Theft Audit credentials, audit Audit credential dumping, brute force, kerberoasting detections
Exfiltration Watchlist exfiltration, dlp Map exfiltration techniques, C2 channels, DLP blind spots

Posture Assessment

Workflow Tags Description
Ransomware Readiness ransomware, readiness Evaluate detection posture against ransomware TTPs
Initial Access Posture initial-access, phishing Assess phishing, drive-by, supply chain, valid account coverage
Privilege Escalation Review privesc, escalation Deep dive into UAC bypass, token manipulation, process injection
PowerShell Threat Matrix powershell, lolbas PowerShell attack analysis: obfuscation, AMSI bypass, LOLBins
Cloud Security Coverage cloud, aws, azure, gcp Cloud-specific attack coverage across AWS, Azure, GCP
Defense Evasion Deep Dive evasion, defense Exhaustive analysis of the largest MITRE tactic
Threat Simulation Readiness simulation, purple-team Check if detection stack catches simulated TTPs

Autonomous Pipeline

The agents/ directory contains a LangGraph-based autonomous pipeline for end-to-end detection generation and validation:

CTI Analyst ──► Coverage Analyzer ──► Detection Engineer ──► Atomic Executor
                                                                    │
                                                            Splunk Validator
                                                                    │
                                                              Data Dumper
                                                                    │
                                                              PR Stager

Agent Nodes

Agent Role
CTI Analyst Analyzes threat intelligence and extracts TTPs
Coverage Analyzer Maps existing detection coverage against threats
Detection Engineer Generates new detection rules for gaps
Atomic Executor Creates Atomic Red Team test cases
Splunk Validator Validates SPL syntax and logic
SIEM Validator Cross-platform SIEM validation
FP Analyst Assesses false positive risk
QA Reviewer Quality assurance review
Verifier End-to-end verification
Data Dumper Exports results to structured formats
PR Stager Stages detection PRs for review
Attack Range Builder Provisions test environments

Setup

cd agents
cp .env.example .env
# Edit .env with your ANTHROPIC_API_KEY and SIEM_PLATFORM
npm install
npm run build

Configuration

MCP Server Configuration

The MCP servers are configured in .cursor/mcp.json:

{
  "mcpServers": {
    "security-detections": {
      "command": "node",
      "args": ["./dist/index.js"],
      "env": {
        "SIGMA_PATHS": "./detections/sigma/rules,./detections/sigma/rules-threat-hunting",
        "SPLUNK_PATHS": "./detections/security_content/detections",
        "ELASTIC_PATHS": "./detections/detection-rules/rules",
        "KQL_PATHS": "./detections/kql-bertjanp,./detections/kql-jkerai1",
        "STORY_PATHS": "./detections/security_content/stories"
      }
    },
    "threadlinqs-intel": {
      "command": "npx",
      "args": ["-y", "intelthreadlinqs-mcp@3.1.1"],
      "env": {
        "THREADLINQS_API_KEY": ""
      }
    }
  }
}

LLM Configuration

The workbench supports two LLM providers configured in the Settings page:

Provider Models API Key Env Var
Anthropic claude-sonnet-4-20250514, claude-haiku-4-20250414, claude-opus-4-20250514 ANTHROPIC_API_KEY
OpenAI gpt-4o, gpt-4o-mini, gpt-4-turbo OPENAI_API_KEY

API keys can be set in three ways (in priority order):

  1. Settings page in the workbench UI
  2. Environment variables (ANTHROPIC_API_KEY, OPENAI_API_KEY, THREADLINQS_API_KEY)
  3. .env.local file in the workbench/ directory

Workbench Engine Settings

Setting Default Description
max_prompt_size 12,000 chars Maximum prompt length sent to LLM
per_binding_limit 3,000 chars Max chars per step binding in prompts
llm_timeout 180s LLM request timeout
error_policy continue continue or stop on step failure
max_tokens 4,096 Maximum LLM response tokens

Using with AI Assistants

Claude Code (CLI)

Add the MCP servers to your Claude Code configuration:

# Add the security-detections MCP server
claude mcp add security-detections \
  -e SIGMA_PATHS="/path/to/detections/sigma/rules,/path/to/detections/sigma/rules-threat-hunting" \
  -e SPLUNK_PATHS="/path/to/detections/security_content/detections" \
  -e ELASTIC_PATHS="/path/to/detections/detection-rules/rules" \
  -e KQL_PATHS="/path/to/detections/kql-bertjanp,/path/to/detections/kql-jkerai1" \
  -e STORY_PATHS="/path/to/detections/security_content/stories" \
  -- node /path/to/Security-Detections-MCP/dist/index.js

# Add the threadlinqs-intel MCP server
claude mcp add threadlinqs-intel \
  -e THREADLINQS_API_KEY="your-threadlinqs-api-key" \
  -- npx -y intelthreadlinqs-mcp@3.1.1

Or add them directly to ~/.claude.json (global) or .claude/settings.json (project-level):

{
  "mcpServers": {
    "security-detections": {
      "command": "node",
      "args": ["/path/to/Security-Detections-MCP/dist/index.js"],
      "env": {
        "SIGMA_PATHS": "/path/to/detections/sigma/rules,/path/to/detections/sigma/rules-threat-hunting",
        "SPLUNK_PATHS": "/path/to/detections/security_content/detections",
        "ELASTIC_PATHS": "/path/to/detections/detection-rules/rules",
        "KQL_PATHS": "/path/to/detections/kql-bertjanp,/path/to/detections/kql-jkerai1",
        "STORY_PATHS": "/path/to/detections/security_content/stories"
      }
    },
    "threadlinqs-intel": {
      "command": "npx",
      "args": ["-y", "intelthreadlinqs-mcp@3.1.1"],
      "env": {
        "THREADLINQS_API_KEY": "your-threadlinqs-api-key"
      }
    }
  }
}

Claude Desktop / Cursor / Windsurf

Add the servers to your MCP configuration file (.cursor/mcp.json, claude_desktop_config.json, etc.):

{
  "mcpServers": {
    "security-detections": {
      "command": "node",
      "args": ["/path/to/Security-Detections-MCP/dist/index.js"],
      "env": {
        "SIGMA_PATHS": "/path/to/detections/sigma/rules",
        "SPLUNK_PATHS": "/path/to/detections/security_content/detections",
        "ELASTIC_PATHS": "/path/to/detections/detection-rules/rules",
        "KQL_PATHS": "/path/to/detections/kql-bertjanp,/path/to/detections/kql-jkerai1"
      }
    },
    "threadlinqs-intel": {
      "command": "npx",
      "args": ["-y", "intelthreadlinqs-mcp@3.1.1"],
      "env": {
        "THREADLINQS_API_KEY": "your-threadlinqs-api-key"
      }
    }
  }
}

Example Prompts

"Search for all detections related to T1059.001 (PowerShell)"

"Compare Sigma vs Splunk ESCU coverage for credential access techniques"

"Find detection gaps in our lateral movement coverage"

"What detections do we have for ransomware encryption behaviors?"

"Create a knowledge entity for APT29 with all known techniques"

"Generate a gap report for the top 10 most critical MITRE techniques"

API Reference

The workbench exposes a REST API for programmatic access:

Method Endpoint Description
GET /api/mcp/servers List MCP servers and status (auto-connects on first call)
POST /api/mcp/servers Reconnect a server ({action: "reconnect", server: "name"})
GET /api/mcp/tools List all available tools
POST /api/mcp/{server}/{tool} Execute a tool
GET /api/workflows List all workflows
POST /api/workflows Create a workflow
GET /api/workflows/{id} Get workflow details
PUT /api/workflows/{id} Update a workflow
POST /api/workflows/{id}/execute Execute a workflow
GET /api/workflows/{id}/stream Stream execution events (SSE)
GET /api/executions List execution history
DELETE /api/executions Clear execution history
POST /api/adhoc Execute ad-hoc query (SSE stream)
GET /api/settings Get settings (keys masked)
POST /api/settings Update settings
GET /api/settings?test=true Test LLM connection

Project Structure

Security-Detections-MCP/
├── src/                          # MCP server source
│   ├── index.ts                  # Server entry point
│   ├── db/                       # SQLite database layer
│   ├── handlers/                 # MCP protocol handlers
│   ├── resources/                # MCP resources
│   ├── tools/                    # 74 MCP tools
│   │   ├── detections/           # Core detection query tools
│   │   ├── stories/              # Analytic story tools
│   │   ├── knowledge/            # Knowledge graph (12 tools)
│   │   ├── engineering/          # Detection engineering intelligence
│   │   ├── autonomous/           # Autonomous analysis tools
│   │   ├── dynamic/              # Dynamic table tools
│   │   ├── cache/                # Query caching tools
│   │   ├── meta/                 # Template tools
│   │   └── registry.ts           # Plugin-style tool registry
│   ├── types/                    # TypeScript type definitions
│   └── utils/                    # Shared utilities
│
├── workbench/                    # Detection Workbench (Next.js 15)
│   ├── app/                      # App Router pages & API routes
│   │   ├── api/                  # REST API endpoints
│   │   ├── adhoc/                # Ad-hoc terminal page
│   │   ├── tools/                # Tool explorer page
│   │   ├── workflows/            # Workflow library + builder
│   │   ├── threats/              # Threat intelligence page
│   │   ├── coverage/             # Coverage analysis page
│   │   ├── history/              # Execution history page
│   │   └── config/               # Settings page
│   ├── components/               # React components
│   │   ├── layout/               # Sidebar, header
│   │   ├── tools/                # Tool list, tool form
│   │   ├── shared/               # Loading, markdown renderer
│   │   └── workflow-builder/     # Visual workflow builder
│   ├── lib/                      # Core libraries
│   │   ├── mcp-pool.ts           # MCP server process pool
│   │   ├── mcp-config.ts         # MCP configuration loader
│   │   ├── llm-client.ts         # LLM abstraction (Anthropic/OpenAI)
│   │   ├── workflow-engine.ts    # Workflow execution engine
│   │   ├── workflow-presets.ts   # 22 pre-built workflows
│   │   └── transforms.ts        # $-binding expression resolver
│   └── types/                    # Workbench type definitions
│
├── agents/                       # Autonomous LangGraph pipeline
│   ├── nodes/                    # 12 agent node implementations
│   ├── graphs/                   # Orchestration graph definitions
│   ├── state/                    # LangGraph state management
│   ├── tools/                    # Specialized agent tools
│   └── tests/                    # Agent test suite
│
├── detections/                   # Detection rule repositories (git cloned)
│   ├── sigma/                    # SigmaHQ rules
│   ├── security_content/         # Splunk ESCU
│   ├── detection-rules/          # Elastic rules
│   ├── kql-bertjanp/             # KQL rules (bert-jan)
│   └── kql-jkerai1/              # KQL rules (jkerai1)
│
├── .cursor/
│   ├── mcp.json                  # MCP server configuration
│   ├── rules/                    # 6 Cursor AI rules
│   └── agents/                   # 15 Cursor agent definitions
│
├── docs/                         # Documentation & screenshots
└── package.json                  # Root package (v3.0.0)

Tech Stack

Layer Technology
MCP Server Node.js, TypeScript, @modelcontextprotocol/sdk, better-sqlite3
Workbench Next.js 15, React 19, Tailwind CSS v4, Zustand, React Flow
LLM Integration Anthropic Claude API, OpenAI API (configurable)
Threat Intel Threadlinqs Intel MCP (intelthreadlinqs-mcp@3.1.1)
Agent Pipeline LangGraph, TypeScript
Database SQLite with FTS5 full-text search
Detection Formats Sigma YAML, Splunk YAML/SPL, Elastic TOML/EQL, KQL

Development

Build the MCP server

npm run build          # Compile TypeScript
npm run dev            # Watch mode
npm run lint           # Type check (strict)

Run the workbench

cd workbench
npm run dev            # Development server (hot reload)
npm run build          # Production build
npm run start          # Production server

Run tests

npm test               # Full test suite
npm run test:platform  # Cross-platform tests
npm run test:ci        # CI integration tests
npm run test:engineering  # Engineering tools tests

Contributing

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/amazing-detection)
  3. Commit your changes (git commit -m 'Add amazing detection workflow')
  4. Push to the branch (git push origin feature/amazing-detection)
  5. Open a Pull Request

Acknowledgments

<p align="center"> <strong>Built with MCP</strong> • <strong>Open Source</strong> • <strong>Detection Engineering</strong> </p>

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured