Security Detections MCP
Security Detections MCP is a server based on the Model Context Protocol that allows LLMs to query a unified security detection rule database covering Sigma, Splunk ESCU, Elastic, and KQL formats. The latest version 3.0 is upgraded to an autonomous detection engineering platform that can automatically extract TTPs from threat intelligence, analyze coverage gaps, generate SIEM-native format detection rules, run tests, and verify. The project includes over 71 tools, 11 pre-built workflow prompts, and a knowledge graph system, supporting multiple SIEM platforms.
Rating: 4 points
Downloads: 6.7K
What is Security Detections MCP?
Security Detections MCP is an intelligent security detection platform that unifies detection rules from different security tools (Sigma, Splunk, Elastic, KQL) into a single database, allowing AI assistants to intelligently query, analyze, and generate security detection rules. The latest version 3.0 is an autonomous detection engineering platform that can automatically analyze threat intelligence, identify coverage gaps, generate detection rules, and verify their effectiveness.
How to use Security Detections MCP?
You can connect to the server by configuring an MCP client (such as Cursor, Claude Desktop, VS Code), and then use natural language to query detection rules, analyze security coverage, generate new detection rules, or run expert-level security assessment workflows.
Applicable Scenarios
Suitable for security analysts, detection engineers, SOC teams, threat hunters, and red/blue team members for security tasks such as quickly querying existing detection rules, identifying security coverage gaps, generating new detection rules, assessing ransomware readiness, and simulating APT attack coverage.
Main Features
Unified Detection Rule Query
Query over 7,200 detection rules from Sigma, Splunk ESCU, Elastic, and KQL from a single interface, supporting full-text search, MITRE ATT&CK technique filtering, CVE filtering, etc.
Autonomous Detection Engineering Platform (New in 3.0)
Automatically analyze threat intelligence, extract TTPs, identify coverage gaps, generate SIEM-native detection rules, run Atomic Red Team tests, and verify detection effectiveness.
11 Expert-Level Workflow Prompts
Pre-built expert workflows, including ransomware readiness assessment, APT threat simulation, purple team exercises, SOC investigation assistance, and executive security briefings.
Detection Engineering Intelligence
Learn patterns from existing detection rules, automatically generate detection templates, track commonly used fields and macro references, and suggest improvements based on patterns.
Knowledge Graph/Tribal Knowledge
Persist a knowledge graph to record the reasons and context of analysis decisions, helping future AI assistants understand the logic of historical decisions.
Multi-SIEM Platform Support
Supports Splunk, Microsoft Sentinel, Elastic, and Sigma formats, and can generate detection rules for the corresponding platforms according to the configuration.
Over 71 Tools
Provides over 71 tools covering multiple categories such as core detection queries, engineering intelligence, knowledge management, dynamic analysis, and autonomous analysis.
MCP Resource and Parameter Completion
Provides readable MCP resource context and automatic parameter completion to help AI assistants better understand available data and use tools correctly.
Advantages
Unified query of detection rules from multiple security platforms, saving time on switching tools
Automated threat analysis and detection generation, significantly improving detection engineering efficiency
Pre-built expert workflows ensure consistency and professionalism in analysis
Knowledge graph records decision-making logic, forming inheritable tribal knowledge
Supports human-in-the-loop review, with all PRs created as drafts to ensure security and controllability
Cross-platform support: runs on macOS, Windows (WSL and native), and Linux
Limitations
Requires configuring detection rule source paths, so initial setup involves some complexity
Pattern extraction may not be accurate enough for complex expressions in KQL and Elastic formats
Some advanced features (such as interactive confirmation, sampling) require client support
Coverage analysis depends on the accuracy of MITRE tags in the source data
Requires Anthropic API key and Node.js environment
How to Use
Installation and Configuration
Run directly via npx or clone the repository and build locally. Configure environment variables to point to your detection rule source paths.
Configure MCP Client
Configure the MCP server connection in Cursor, Claude Desktop, or VS Code, and set environment variables.
Download Detection Rule Content
Use the provided script to quickly download all detection rule sources, or manually clone the relevant repositories.
Start Querying and Analyzing
Use an AI assistant to query detection rules, run expert workflows, or start autonomous detection engineering using natural language.
Usage Examples
Ransomware Readiness Assessment
Comprehensively assess the organization's detection and response capabilities against the ransomware attack chain, identify key vulnerabilities, and provide a remediation roadmap.
APT Threat Simulation Analysis
Assess the detection coverage of specific advanced persistent threat (APT) groups, such as APT29, Lazarus, Volt Typhoon, etc.
Detection Engineering Sprint Planning
Generate a prioritized detection development backlog based on threat intelligence, including user stories and acceptance criteria.
CVE Response Assessment
Quickly assess the existing detection coverage of newly disclosed CVE vulnerabilities and generate immediate action suggestions.
Executive Security Briefing
Generate a professional security briefing for the board or CISO, using business risk language and investment suggestions.
Frequently Asked Questions
What prerequisites are required for this MCP server?
How to obtain the detection rule content?
Will the autonomous detection engineering platform automatically submit code?
Which SIEM platforms are supported?
How to test the coverage of a specific MITRE technique?
What should Windows users do if they encounter an EBUSY error?
How to use it in conjunction with the MITRE ATT&CK MCP?
What is Tribal Knowledge?
Related Resources
GitHub Repository
Project source code, issue tracking, and latest updates
Setup Guide
Detailed installation and configuration guide covering macOS, Windows, and Linux systems
Autonomous Platform Documentation
Detailed documentation for the v3.0 autonomous detection engineering platform
End-to-End Testing Guide
Complete testing guide by SIEM platform (Splunk, Sentinel, Elastic, Sigma)
MITRE ATT&CK MCP
Supporting MITRE ATT&CK MCP server, providing threat framework data
Sigma Rule Repository
Official repository for Sigma detection rules
Splunk Security Content
Splunk ESCU detection rules and stories
Elastic Detection Rules
Elastic detection rule repository

Markdownify MCP
Markdownify is a multi-functional file conversion service that supports converting multiple formats such as PDFs, images, audio, and web page content into Markdown format.
TypeScript
39.0K
5 points

Notion Api MCP
Certified
A Python-based MCP Server that provides advanced to-do list management and content organization functions through the Notion API, enabling seamless integration between AI models and Notion.
Python
23.7K
4.5 points

Duckduckgo MCP Server
Certified
The DuckDuckGo Search MCP Server provides web search and content scraping services for LLMs such as Claude.
Python
81.2K
4.3 points

Gitlab MCP Server
Certified
The GitLab MCP server is a project based on the Model Context Protocol that provides a comprehensive toolset for interacting with GitLab accounts, including code review, merge request management, CI/CD configuration, and other functions.
TypeScript
27.2K
4.3 points

Figma Context MCP
Framelink Figma MCP Server is a server that provides access to Figma design data for AI programming tools (such as Cursor). By simplifying the Figma API response, it helps AI more accurately achieve one-click conversion from design to code.
TypeScript
69.4K
4.5 points

Unity
Certified
UnityMCP is a Unity editor plugin that implements the Model Context Protocol (MCP), providing seamless integration between Unity and AI assistants, including real-time state monitoring, remote command execution, and log functions.
C#
37.3K
5 points

Gmail MCP Server
A Gmail automatic authentication MCP server designed for Claude Desktop, supporting Gmail management through natural language interaction, including complete functions such as sending emails, label management, and batch operations.
TypeScript
24.9K
4.5 points

Context7
Context7 MCP is a service that provides real-time, version-specific documentation and code examples for AI programming assistants. It is directly integrated into prompts through the Model Context Protocol to solve the problem of LLMs using outdated information.
TypeScript
106.6K
4.7 points
