security-detections-mcp
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
Chinesesecurity-detections-mcp
security-detections-mcp
Skill by ara.so — Security Skills collection
An MCP (Model Context Protocol) server providing LLM access to 8,200+ security detection rules across Sigma, Splunk ESCU, Elastic, KQL, Sublime, and CrowdStrike CQL formats, with MITRE ATT&CK mapping, coverage analysis, and autonomous detection engineering.
由ara.so提供的技能——安全技能合集
这是一款MCP(Model Context Protocol)服务器,为大语言模型(LLM)提供对8200+条跨Sigma、Splunk ESCU、Elastic、KQL、Sublime和CrowdStrike CQL格式的安全检测规则的访问权限,支持MITRE ATT&CK映射、覆盖分析以及自动化检测工程。
What It Does
功能介绍
- Unified detection search across 6 major security platforms (Sigma, Splunk, Elastic, KQL, Sublime, CrowdStrike)
- MITRE ATT&CK integration with 172 threat actors, 784 software, 4,362 actor-technique relationships
- Coverage analysis identifying gaps in detection by tactic/technique/actor
- ATT&CK Navigator layers exportable as JSON for visualization
- Autonomous detection pipeline from CTI ingestion to draft PR generation
- 81 MCP tools for detection engineering (local) or ~25 tools (hosted)
- 11 expert prompts for ransomware assessment, APT emulation, purple teaming
- 统一检测搜索:覆盖6大主流安全平台(Sigma、Splunk、Elastic、KQL、Sublime、CrowdStrike)
- MITRE ATT&CK集成:包含172个威胁 actor、784款软件、4362组 actor-技术关联关系
- 覆盖分析:按战术/技术/actor识别检测缺口
- ATT&CK Navigator图层:可导出为JSON格式用于可视化
- 自动化检测流水线:从CTI摄入到生成草稿PR的完整流程
- 81款MCP工具:用于本地检测工程,托管版本约提供25款工具
- 11个专家提示词:用于勒索软件评估、APT仿真、紫队演练
Installation
安装步骤
Local Installation (Full Power)
本地安装(全功能版)
Prerequisites:
- Node.js 18+
- Detection rule repositories cloned locally
Quick start with npx:
bash
npx -y security-detections-mcpConfigure in Claude Desktop ():
claude_desktop_config.jsonjson
{
"mcpServers": {
"security-detections": {
"command": "npx",
"args": ["-y", "security-detections-mcp"],
"env": {
"SIGMA_PATHS": "/path/to/sigma/rules,/path/to/sigma/rules-threat-hunting",
"SPLUNK_PATHS": "/path/to/security_content/detections",
"STORY_PATHS": "/path/to/security_content/stories",
"ELASTIC_PATHS": "/path/to/detection-rules/rules",
"KQL_PATHS": "/path/to/kql-rules",
"SUBLIME_PATHS": "/path/to/sublime-rules/detection-rules",
"CQL_HUB_PATHS": "/path/to/cql-hub/queries",
"ATTACK_STIX_PATH": "/path/to/enterprise-attack.json"
}
}
}
}Configure in Cursor ():
.cursor/settings.jsonjson
{
"mcp": {
"servers": {
"security-detections": {
"command": "npx",
"args": ["-y", "security-detections-mcp"],
"env": {
"SIGMA_PATHS": "/Users/you/detections/sigma/rules",
"SPLUNK_PATHS": "/Users/you/detections/security_content/detections"
}
}
}
}
}Configure in VS Code (settings.json):
json
{
"mcp.servers": {
"security-detections": {
"type": "stdio",
"command": "npx",
"args": ["-y", "security-detections-mcp"],
"env": {
"SIGMA_PATHS": "/home/you/detections/sigma/rules"
}
}
}
}前置要求:
- Node.js 18+
- 已本地克隆检测规则仓库
使用npx快速启动:
bash
npx -y security-detections-mcp在Claude Desktop中配置():
claude_desktop_config.jsonjson
{
"mcpServers": {
"security-detections": {
"command": "npx",
"args": ["-y", "security-detections-mcp"],
"env": {
"SIGMA_PATHS": "/path/to/sigma/rules,/path/to/sigma/rules-threat-hunting",
"SPLUNK_PATHS": "/path/to/security_content/detections",
"STORY_PATHS": "/path/to/security_content/stories",
"ELASTIC_PATHS": "/path/to/detection-rules/rules",
"KQL_PATHS": "/path/to/kql-rules",
"SUBLIME_PATHS": "/path/to/sublime-rules/detection-rules",
"CQL_HUB_PATHS": "/path/to/cql-hub/queries",
"ATTACK_STIX_PATH": "/path/to/enterprise-attack.json"
}
}
}
}在Cursor中配置():
.cursor/settings.jsonjson
{
"mcp": {
"servers": {
"security-detections": {
"command": "npx",
"args": ["-y", "security-detections-mcp"],
"env": {
"SIGMA_PATHS": "/Users/you/detections/sigma/rules",
"SPLUNK_PATHS": "/Users/you/detections/security_content/detections"
}
}
}
}
}在VS Code中配置(settings.json):
json
{
"mcp.servers": {
"security-detections": {
"type": "stdio",
"command": "npx",
"args": ["-y", "security-detections-mcp"],
"env": {
"SIGMA_PATHS": "/home/you/detections/sigma/rules"
}
}
}
}Hosted Installation (Zero Setup)
托管安装(零配置)
Prerequisites:
- API token from detect.michaelhaag.org/account/tokens
- Free tier: 200 calls/day, read-only tools
Claude Desktop (requires ):
mcp-remotejson
{
"mcpServers": {
"security-detections": {
"command": "npx",
"args": [
"-y",
"mcp-remote",
"https://detect.michaelhaag.org/api/mcp/mcp",
"--header",
"Authorization: Bearer ${SDMCP_TOKEN}"
]
}
}
}VS Code / Cursor:
json
{
"mcp.servers": {
"security-detections": {
"type": "http",
"url": "https://detect.michaelhaag.org/api/mcp/mcp",
"headers": {
"Authorization": "Bearer ${SDMCP_TOKEN}"
}
}
}
}前置要求:
- 从detect.michaelhaag.org/account/tokens获取API令牌
- 免费版:每日200次调用,仅支持只读工具
Claude Desktop(需安装):
mcp-remotejson
{
"mcpServers": {
"security-detections": {
"command": "npx",
"args": [
"-y",
"mcp-remote",
"https://detect.michaelhaag.org/api/mcp/mcp",
"--header",
"Authorization: Bearer ${SDMCP_TOKEN}"
]
}
}
}VS Code / Cursor:
json
{
"mcp.servers": {
"security-detections": {
"type": "http",
"url": "https://detect.michaelhaag.org/api/mcp/mcp",
"headers": {
"Authorization": "Bearer ${SDMCP_TOKEN}"
}
}
}
}Getting Detection Content
获取检测内容
Download all detection sources with sparse checkout:
bash
mkdir -p ~/detections && cd ~/detections使用稀疏检出下载所有检测源:
bash
mkdir -p ~/detections && cd ~/detectionsSigma rules
Sigma规则
git clone --depth 1 --filter=blob:none --sparse https://github.com/SigmaHQ/sigma.git
cd sigma && git sparse-checkout set rules rules-threat-hunting && cd ..
git clone --depth 1 --filter=blob:none --sparse https://github.com/SigmaHQ/sigma.git
cd sigma && git sparse-checkout set rules rules-threat-hunting && cd ..
Splunk ESCU
Splunk ESCU
git clone --depth 1 --filter=blob:none --sparse https://github.com/splunk/security_content.git
cd security_content && git sparse-checkout set detections stories && cd ..
git clone --depth 1 --filter=blob:none --sparse https://github.com/splunk/security_content.git
cd security_content && git sparse-checkout set detections stories && cd ..
Elastic
Elastic规则
git clone --depth 1 --filter=blob:none --sparse https://github.com/elastic/detection-rules.git
cd detection-rules && git sparse-checkout set rules && cd ..
git clone --depth 1 --filter=blob:none --sparse https://github.com/elastic/detection-rules.git
cd detection-rules && git sparse-checkout set rules && cd ..
KQL
KQL规则
git clone --depth 1 https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules.git kql-bertjanp
git clone --depth 1 https://github.com/jkerai1/KQL-Queries.git kql-jkerai1
git clone --depth 1 https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules.git kql-bertjanp
git clone --depth 1 https://github.com/jkerai1/KQL-Queries.git kql-jkerai1
Sublime
Sublime规则
git clone --depth 1 --filter=blob:none --sparse https://github.com/sublime-security/sublime-rules.git
cd sublime-rules && git sparse-checkout set detection-rules && cd ..
git clone --depth 1 --filter=blob:none --sparse https://github.com/sublime-security/sublime-rules.git
cd sublime-rules && git sparse-checkout set detection-rules && cd ..
CrowdStrike CQL
CrowdStrike CQL规则
git clone --depth 1 https://github.com/ByteRay-Labs/Query-Hub.git cql-hub
git clone --depth 1 https://github.com/ByteRay-Labs/Query-Hub.git cql-hub
MITRE ATT&CK STIX
MITRE ATT&CK STIX数据
curl -o enterprise-attack.json https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
Then update environment variables to point to these paths.curl -o enterprise-attack.json https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
随后更新环境变量指向这些路径。Core MCP Tools
核心MCP工具
Detection Search & Retrieval
检测搜索与检索
typescript
// Full-text search across all detections
{
"name": "search",
"arguments": {
"query": "process injection",
"limit": 10
}
}
// Get specific detection by ID
{
"name": "get_by_id",
"arguments": {
"id": "sigma_abc123"
}
}
// List all detections with pagination
{
"name": "list_all",
"arguments": {
"limit": 50,
"offset": 0
}
}
// Filter by source type
{
"name": "list_by_source",
"arguments": {
"source_type": "sigma" // sigma, splunk_escu, elastic, kql, sublime, crowdstrike_cql
}
}
// Get index statistics
{
"name": "get_stats",
"arguments": {}
}typescript
// 跨所有检测规则进行全文搜索
{
"name": "search",
"arguments": {
"query": "process injection",
"limit": 10
}
}
// 通过ID获取特定检测规则
{
"name": "get_by_id",
"arguments": {
"id": "sigma_abc123"
}
}
// 分页列出所有检测规则
{
"name": "list_all",
"arguments": {
"limit": 50,
"offset": 0
}
}
// 按源类型过滤
{
"name": "list_by_source",
"arguments": {
"source_type": "sigma" // sigma, splunk_escu, elastic, kql, sublime, crowdstrike_cql
}
}
// 获取索引统计信息
{
"name": "get_stats",
"arguments": {}
}MITRE ATT&CK Filtering
MITRE ATT&CK过滤
typescript
// Find detections for specific technique
{
"name": "list_by_mitre",
"arguments": {
"technique_id": "T1059.001" // PowerShell
}
}
// Filter by tactic
{
"name": "list_by_mitre_tactic",
"arguments": {
"tactic": "execution" // execution, persistence, privilege-escalation, etc.
}
}
// Search by CVE
{
"name": "list_by_cve",
"arguments": {
"cve_id": "CVE-2021-34527" // PrintNightmare
}
}
// Find by process name
{
"name": "list_by_process_name",
"arguments": {
"process_name": "powershell.exe"
}
}
// Filter by severity
{
"name": "list_by_severity",
"arguments": {
"level": "critical" // critical, high, medium, low
}
}
// Filter by data source
{
"name": "list_by_data_source",
"arguments": {
"data_source": "process_creation"
}
}typescript
// 查找特定技术对应的检测规则
{
"name": "list_by_mitre",
"arguments": {
"technique_id": "T1059.001" // PowerShell
}
}
// 按战术过滤
{
"name": "list_by_mitre_tactic",
"arguments": {
"tactic": "execution" // execution, persistence, privilege-escalation等
}
}
// 按CVE搜索
{
"name": "list_by_cve",
"arguments": {
"cve_id": "CVE-2021-34527" // PrintNightmare
}
}
// 按进程名称查找
{
"name": "list_by_process_name",
"arguments": {
"process_name": "powershell.exe"
}
}
// 按严重程度过滤
{
"name": "list_by_severity",
"arguments": {
"level": "critical" // critical, high, medium, low
}
}
// 按数据源过滤
{
"name": "list_by_data_source",
"arguments": {
"data_source": "process_creation"
}
}Coverage Analysis
覆盖分析
typescript
// Analyze overall coverage (~2KB response)
{
"name": "analyze_coverage",
"arguments": {
"source_type": "sigma" // optional: analyze specific source
}
}
// Identify gaps for threat profile (~500B response)
{
"name": "identify_gaps",
"arguments": {
"threat_profile": "ransomware" // ransomware, apt, persistence, lateral_movement
}
}
// Get detection suggestions for technique (~2KB)
{
"name": "suggest_detections",
"arguments": {
"technique_id": "T1003.001" // LSASS Memory
}
}
// Coverage summary by tactic (~200B)
{
"name": "get_coverage_summary",
"arguments": {
"source_type": "splunk_escu"
}
}
// Analyze coverage against threat actor
{
"name": "analyze_actor_coverage",
"arguments": {
"actor": "APT29"
}
}
// Compare coverage across multiple actors
{
"name": "compare_actor_coverage",
"arguments": {
"actors": ["APT29", "APT28", "Lazarus Group"]
}
}
// Behavioral procedure breakdown for technique
{
"name": "analyze_procedure_coverage",
"arguments": {
"technique_id": "T1055"
}
}typescript
// 分析整体覆盖情况(约2KB响应)
{
"name": "analyze_coverage",
"arguments": {
"source_type": "sigma" // 可选:分析特定源
}
}
// 识别威胁场景的检测缺口(约500B响应)
{
"name": "identify_gaps",
"arguments": {
"threat_profile": "ransomware" // ransomware, apt, persistence, lateral_movement
}
}
// 获取特定技术的检测建议(约2KB)
{
"name": "suggest_detections",
"arguments": {
"technique_id": "T1003.001" // LSASS Memory
}
}
// 按战术汇总覆盖情况(约200B)
{
"name": "get_coverage_summary",
"arguments": {
"source_type": "splunk_escu"
}
}
// 分析针对特定威胁actor的覆盖情况
{
"name": "analyze_actor_coverage",
"arguments": {
"actor": "APT29"
}
}
// 对比多个actor的覆盖情况
{
"name": "compare_actor_coverage",
"arguments": {
"actors": ["APT29", "APT28", "Lazarus Group"]
}
}
// 分析特定技术的行为流程覆盖
{
"name": "analyze_procedure_coverage",
"arguments": {
"technique_id": "T1055"
}
}ATT&CK Navigator Layer Generation
ATT&CK Navigator图层生成
typescript
// Generate Navigator layer JSON
{
"name": "generate_navigator_layer",
"arguments": {
"name": "Current Coverage",
"description": "Detection coverage as of 2024-01",
"filter": {
"source": "sigma",
"tactic": "defense-evasion",
"min_severity": "medium"
},
"color_by": "coverage" // coverage, severity, source
}
}
// Export to file (local only)
{
"name": "export_navigator_layer",
"arguments": {
"output_path": "./coverage-layer.json",
"filter": {
"actor": "APT29"
}
}
}typescript
// 生成Navigator图层JSON
{
"name": "generate_navigator_layer",
"arguments": {
"name": "Current Coverage",
"description": "Detection coverage as of 2024-01",
"filter": {
"source": "sigma",
"tactic": "defense-evasion",
"min_severity": "medium"
},
"color_by": "coverage" // coverage, severity, source
}
}
// 导出到文件(仅本地版支持)
{
"name": "export_navigator_layer",
"arguments": {
"output_path": "./coverage-layer.json",
"filter": {
"actor": "APT29"
}
}
}Common Patterns
常见使用场景
Ransomware Readiness Assessment
勒索软件就绪评估
Use the built-in prompt:
Use the ransomware-readiness-assessment prompt to evaluate our coverageOr manually:
typescript
// 1. Identify gaps
{
"name": "identify_gaps",
"arguments": {
"threat_profile": "ransomware"
}
}
// 2. Get detections for weak areas
{
"name": "list_by_mitre",
"arguments": {
"technique_id": "T1486" // Data Encrypted for Impact
}
}
// 3. Generate coverage layer
{
"name": "generate_navigator_layer",
"arguments": {
"name": "Ransomware Coverage",
"filter": {
"threat_profile": "ransomware"
}
}
}使用内置提示词:
使用ransomware-readiness-assessment提示词评估我们的覆盖情况或手动执行:
typescript
// 1. 识别检测缺口
{
"name": "identify_gaps",
"arguments": {
"threat_profile": "ransomware"
}
}
// 2. 获取薄弱环节的检测规则
{
"name": "list_by_mitre",
"arguments": {
"technique_id": "T1486" // Data Encrypted for Impact
}
}
// 3. 生成覆盖图层
{
"name": "generate_navigator_layer",
"arguments": {
"name": "Ransomware Coverage",
"filter": {
"threat_profile": "ransomware"
}
}
}APT Threat Emulation
APT威胁仿真
typescript
// 1. Analyze actor coverage
{
"name": "analyze_actor_coverage",
"arguments": {
"actor": "APT29"
}
}
// 2. Get techniques used by actor
{
"name": "get_actor_techniques",
"arguments": {
"actor": "APT29"
}
}
// 3. Find detections for each technique
{
"name": "list_by_mitre",
"arguments": {
"technique_id": "T1059.001"
}
}
// 4. Compare with other actors
{
"name": "compare_actor_coverage",
"arguments": {
"actors": ["APT29", "APT28"]
}
}typescript
// 1. 分析actor覆盖情况
{
"name": "analyze_actor_coverage",
"arguments": {
"actor": "APT29"
}
}
// 2. 获取actor使用的技术
{
"name": "get_actor_techniques",
"arguments": {
"actor": "APT29"
}
}
// 3. 查找每个技术对应的检测规则
{
"name": "list_by_mitre",
"arguments": {
"technique_id": "T1059.001"
}
}
// 4. 与其他actor对比
{
"name": "compare_actor_coverage",
"arguments": {
"actors": ["APT29", "APT28"]
}
}Detection Gap Analysis
检测缺口分析
typescript
// 1. Get coverage summary
{
"name": "get_coverage_summary",
"arguments": {}
}
// 2. Analyze coverage by tactic
{
"name": "analyze_coverage",
"arguments": {}
}
// 3. Identify specific gaps
{
"name": "identify_gaps",
"arguments": {
"threat_profile": "apt"
}
}
// 4. Get suggestions for weak techniques
{
"name": "suggest_detections",
"arguments": {
"technique_id": "T1078" // Valid Accounts
}
}typescript
// 1. 获取覆盖汇总
{
"name": "get_coverage_summary",
"arguments": {}
}
// 2. 按战术分析覆盖情况
{
"name": "analyze_coverage",
"arguments": {}
}
// 3. 识别特定缺口
{
"name": "identify_gaps",
"arguments": {
"threat_profile": "apt"
}
}
// 4. 获取薄弱技术的检测建议
{
"name": "suggest_detections",
"arguments": {
"technique_id": "T1078" // Valid Accounts
}
}Building Detection Content
构建检测内容
typescript
// 1. Search existing detections for pattern
{
"name": "search",
"arguments": {
"query": "lateral movement SMB",
"limit": 10
}
}
// 2. Analyze procedure coverage
{
"name": "analyze_procedure_coverage",
"arguments": {
"technique_id": "T1021.002" // SMB/Windows Admin Shares
}
}
// 3. Get detection template
{
"name": "generate_detection_template",
"arguments": {
"technique_id": "T1021.002",
"format": "sigma"
}
}
// 4. Validate against existing detections
{
"name": "list_by_mitre",
"arguments": {
"technique_id": "T1021.002"
}
}typescript
// 1. 搜索现有检测规则中的模式
{
"name": "search",
"arguments": {
"query": "lateral movement SMB",
"limit": 10
}
}
// 2. 分析流程覆盖情况
{
"name": "analyze_procedure_coverage",
"arguments": {
"technique_id": "T1021.002" // SMB/Windows Admin Shares
}
}
// 3. 获取检测模板
{
"name": "generate_detection_template",
"arguments": {
"technique_id": "T1021.002",
"format": "sigma"
}
}
// 4. 与现有检测规则对比验证
{
"name": "list_by_mitre",
"arguments": {
"technique_id": "T1021.002"
}
}Cross-Platform Detection Comparison
跨平台检测对比
typescript
// Compare Sigma vs Splunk for technique
// 1. Get Sigma detections
{
"name": "list_by_mitre",
"arguments": {
"technique_id": "T1003.001"
}
}
// Filter results by source_type: "sigma"
// 2. Get Splunk detections
{
"name": "list_by_source",
"arguments": {
"source_type": "splunk_escu"
}
}
// Filter by same technique
// 3. Compare coverage
{
"name": "analyze_coverage",
"arguments": {
"source_type": "sigma"
}
}
{
"name": "analyze_coverage",
"arguments": {
"source_type": "splunk_escu"
}
}typescript
// 对比Sigma与Splunk针对某技术的检测规则
// 1. 获取Sigma检测规则
{
"name": "list_by_mitre",
"arguments": {
"technique_id": "T1003.001"
}
}
// 按source_type: "sigma"过滤结果
// 2. 获取Splunk检测规则
{
"name": "list_by_source",
"arguments": {
"source_type": "splunk_escu"
}
}
// 按同一技术过滤
// 3. 对比覆盖情况
{
"name": "analyze_coverage",
"arguments": {
"source_type": "sigma"
}
}
{
"name": "analyze_coverage",
"arguments": {
"source_type": "splunk_escu"
}
}Configuration Reference
配置参考
Environment Variables
环境变量
| Variable | Description | Example |
|---|---|---|
| Comma-separated Sigma rule directories | |
| Splunk ESCU detection directories | |
| Splunk analytic story directories (optional) | |
| Elastic detection rule directories | |
| KQL hunting query directories (comma-separated) | |
| Sublime Security rule directories | |
| CQL Hub (CrowdStrike) query directories | |
| Path to | |
| 变量名 | 描述 | 示例 |
|---|---|---|
| 逗号分隔的Sigma规则目录 | |
| Splunk ESCU检测规则目录 | |
| Splunk分析场景目录(可选) | |
| Elastic检测规则目录 | |
| 逗号分隔的KQL狩猎查询目录 | |
| Sublime Security规则目录 | |
| CQL Hub(CrowdStrike)查询目录 | |
| | |
Source Type Values
源类型取值
- - Sigma rules (YAML)
sigma - - Splunk Enterprise Security Content Update
splunk_escu - - Elastic Security detection rules
elastic - - Kusto Query Language hunting queries
kql - - Sublime Security detection rules
sublime - - CrowdStrike Query Language (CQL)
crowdstrike_cql
- - Sigma规则(YAML格式)
sigma - - Splunk Enterprise Security Content Update
splunk_escu - - Elastic Security检测规则
elastic - - Kusto Query Language狩猎查询
kql - - Sublime Security检测规则
sublime - - CrowdStrike Query Language (CQL)
crowdstrike_cql
Tactic Values (MITRE ATT&CK)
MITRE ATT&CK战术取值
reconnaissanceresource-developmentinitial-accessexecutionpersistenceprivilege-escalationdefense-evasioncredential-accessdiscoverylateral-movementcollectioncommand-and-controlexfiltrationimpact
reconnaissanceresource-developmentinitial-accessexecutionpersistenceprivilege-escalationdefense-evasioncredential-accessdiscoverylateral-movementcollectioncommand-and-controlexfiltrationimpact
Troubleshooting
故障排除
MCP Server Not Indexing Rules
MCP服务器未索引规则
Problem: shows 0 detections
get_statsSolution:
- Verify paths exist:
ls -la /path/to/sigma/rules - Check environment variables are set correctly in MCP config
- Rebuild index manually:
typescript
{ "name": "rebuild_index", "arguments": {} } - Check MCP server logs in Claude Desktop:
~/Library/Logs/Claude/mcp*.log
问题: 显示0条检测规则
get_stats解决方案:
- 验证路径存在:
ls -la /path/to/sigma/rules - 检查MCP配置中的环境变量是否设置正确
- 手动重建索引:
typescript
{ "name": "rebuild_index", "arguments": {} } - 查看Claude Desktop中的MCP服务器日志:
~/Library/Logs/Claude/mcp*.log
Permission Denied Errors
权限拒绝错误
Problem: Cannot read detection files
Solution:
bash
undefined问题: 无法读取检测文件
解决方案:
bash
undefinedFix permissions on detection directories
修复检测目录权限
chmod -R 755 ~/detections
undefinedchmod -R 755 ~/detections
undefinedHosted MCP 401 Unauthorized
托管MCP返回401未授权
Problem: Token authentication failing
Solution:
- Verify token starts with
sdmcp_ - Check token is not expired at detect.michaelhaag.org/account/tokens
- Ensure header format is correct
Authorization: Bearer - Free tier rate limit: 200 calls/day
问题: 令牌认证失败
解决方案:
- 验证令牌以开头
sdmcp_ - 在detect.michaelhaag.org/account/tokens检查令牌是否过期
- 确保头格式正确
Authorization: Bearer - 免费版限制:每日200次调用
Missing MITRE ATT&CK Data
缺少MITRE ATT&CK数据
Problem: Actor/technique queries return empty
Solution:
- Download STIX bundle:
bash
curl -o ~/detections/enterprise-attack.json \ https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json - Set environment variable
ATTACK_STIX_PATH - Rebuild index
问题: Actor/技术查询返回空结果
解决方案:
- 下载STIX数据包:
bash
curl -o ~/detections/enterprise-attack.json \ https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json - 设置环境变量
ATTACK_STIX_PATH - 重建索引
Sigma Rules Not Parsing
Sigma规则解析失败
Problem: Some Sigma rules show errors
Solution:
- Ensure you're using the official SigmaHQ repo
- Update to latest rules:
cd sigma && git pull - Some experimental rules may have schema issues - this is expected
- Check parsing errors in MCP logs
问题: 部分Sigma规则显示错误
解决方案:
- 确保使用官方SigmaHQ仓库
- 更新到最新规则:
cd sigma && git pull - 部分实验性规则可能存在 schema 问题,属于正常现象
- 在MCP日志中查看解析错误
Slow Initial Index Build
初始索引构建缓慢
Problem: First startup takes 30+ seconds
Solution:
- Expected behavior with 8,200+ detections
- Subsequent startups use cached index (~2 seconds)
- Use hosted MCP for zero startup time
- Reduce to only needed sources
PATHS
问题: 首次启动耗时30秒以上
解决方案:
- 8200+条检测规则的正常现象
- 后续启动将使用缓存索引(约2秒)
- 使用托管MCP实现零启动时间
- 仅保留需要的源以减少数量
PATHS
Advanced Usage
高级用法
Custom Detection Repositories
自定义检测仓库
Add your private detections:
json
{
"env": {
"SIGMA_PATHS": "/path/to/sigma/rules,/path/to/my-custom-sigma",
"SPLUNK_PATHS": "/path/to/security_content/detections,/path/to/internal-splunk"
}
}添加私有检测规则:
json
{
"env": {
"SIGMA_PATHS": "/path/to/sigma/rules,/path/to/my-custom-sigma",
"SPLUNK_PATHS": "/path/to/security_content/detections,/path/to/internal-splunk"
}
}Autonomous Detection Pipeline
自动化检测流水线
Enable autonomous CTI → detection generation:
typescript
// Configure autonomous settings (local only)
{
"name": "configure_autonomous",
"arguments": {
"enabled": true,
"cti_sources": ["misp", "otx"],
"auto_pr": false // Manual review before PR
}
}
// Trigger gap analysis
{
"name": "run_autonomous_analysis",
"arguments": {
"threat_actor": "APT29"
}
}See Autonomous docs for full pipeline details.
启用从CTI到检测规则生成的自动化流程:
typescript
// 配置自动化设置(仅本地版支持)
{
"name": "configure_autonomous",
"arguments": {
"enabled": true,
"cti_sources": ["misp", "otx"],
"auto_pr": false // PR生成前需人工审核
}
}
// 触发缺口分析
{
"name": "run_autonomous_analysis",
"arguments": {
"threat_actor": "APT29"
}
}完整流水线详情请查看自动化文档。
Exporting for SIEM
导出到SIEM
typescript
// Export detections in native format
{
"name": "export_detections",
"arguments": {
"technique_id": "T1055",
"format": "sigma", // or splunk, elastic, kql
"output_path": "./exports/process_injection.yml"
}
}typescript
// 以原生格式导出检测规则
{
"name": "export_detections",
"arguments": {
"technique_id": "T1055",
"format": "sigma", // 或splunk, elastic, kql
"output_path": "./exports/process_injection.yml"
}
}Expert Prompts
专家提示词
Built-in workflows accessible by name:
- - Full kill-chain coverage analysis
ransomware-readiness-assessment - - Actor-specific detection mapping
apt-threat-emulation - - Combined offensive/defensive planning
purple-team-exercise - - High-level coverage summary
executive-briefing - - Engineering backlog prioritization
detection-sprint-planning - - Privilege abuse coverage
insider-threat-detection - - Cloud-specific technique coverage
cloud-security-assessment - - Third-party risk detection
supply-chain-security - - Exfiltration technique coverage
data-exfiltration-defense - - Entry point detection review
initial-access-hardening - - Credential access coverage
credential-theft-protection
Usage:
Use the ransomware-readiness-assessment prompt可通过名称调用内置工作流:
- - 完整杀伤链覆盖分析
ransomware-readiness-assessment - - 特定Actor检测映射
apt-threat-emulation - - 攻防结合规划
purple-team-exercise - - 高层覆盖汇总
executive-briefing - - 工程待办事项优先级排序
detection-sprint-planning - - 权限滥用覆盖分析
insider-threat-detection - - 云特定技术覆盖分析
cloud-security-assessment - - 第三方风险检测
supply-chain-security - - 数据泄露技术覆盖分析
data-exfiltration-defense - - 入口点检测审查
initial-access-hardening - - 凭证窃取覆盖分析
credential-theft-protection
用法示例:
使用ransomware-readiness-assessment提示词Resources
相关资源
- GitHub: https://github.com/MHaggis/Security-Detections-MCP
- Web App: https://detect.michaelhaag.org
- Setup Guide: https://github.com/MHaggis/Security-Detections-MCP/blob/main/SETUP.md
- Hosted MCP Guide: https://github.com/MHaggis/Security-Detections-MCP/blob/main/docs/HOSTED_MCP.md
- Tools Reference: https://github.com/MHaggis/Security-Detections-MCP/blob/main/docs/wiki/Tools-Reference.md
- API Token: https://detect.michaelhaag.org/account/tokens
- GitHub仓库: https://github.com/MHaggis/Security-Detections-MCP
- Web应用: https://detect.michaelhaag.org
- 安装指南: https://github.com/MHaggis/Security-Detections-MCP/blob/main/SETUP.md
- 托管MCP指南: https://github.com/MHaggis/Security-Detections-MCP/blob/main/docs/HOSTED_MCP.md
- 工具参考: https://github.com/MHaggis/Security-Detections-MCP/blob/main/docs/wiki/Tools-Reference.md
- API令牌: https://detect.michaelhaag.org/account/tokens