Security-Detections

Security-Detections MCP provides a unified interface to query and manage Sigma, Splunk ESCU, Elastic, and KQL security detections. It operates as an autonomous detection engineering platform that can ingest threat intel, CISA alerts, threat reports, and other inputs to assess coverage, generate detections in your SIEM’s native formats, run tests, and stage PRs for review. You can run the server in autonomous mode to have the pipeline extract techniques, analyze coverage gaps, draft detections in the appropriate format, and validate them via SIEM queries. For manual tasks, the Cursor Subagents provide an interactive IDE experience to facilitate specialization, validation, and iteration. The system is designed to work with multiple SIEM platforms by setting SIEM_PLATFORM in your environment. Typical workflows include feeding a threat report or a CISA alert, allowing the pipeline to translate that input into concrete detections, and then reviewing the generated draft PRs before merging.

Prerequisites:

• Node.js 20+ and npm
• Git
• Access to a SIEM environment (Splunk, Elastic, etc.) or a test/virtual environment for validation

Setup and install steps:

1. Install Node.js and npm from https://nodejs.org/
2. Clone the MCP server repository or install the MCP package globally:
   • gh repo clone <repository-owner>/security-detections-mcp
   • cd security-detections-mcp
3. Install dependencies (if applicable) and install the MCP package via npm/npx:
   • npm install
   • npm run build (if a build step exists in the repo)
4. Configure environment variables (see mcp_config for required vars):
   • SIEM_PLATFORM (splunk | sentinel | elastic | sigma)
   • ANTHROPIC_API_KEY (your API key for LLM interactions)
   • SECURITY_CONTENT_PATH (path to local or mounted security content)
5. Start the MCP server (as per the recommended command in the repository’s docs or using the mcp_config entry):
   • npx -y security-detections-mcp
6. Verify the server starts and is reachable via the MCP tooling and the E2E tests if provided.

Tips and considerations:

• Ensure SIEM_PLATFORM matches your environment before starting the server to avoid format mismatches (Sigma, Splunk SPL, KQL, Elastic). The autonomous pipeline can generate detections in multiple formats depending on the target SIEM.
• Set ANTHROPIC_API_KEY securely and do not commit it to version control.
• Use DRY_RUN mode to validate outputs without invoking real LLM calls or firing real detections.
• If you upgrade to a new MCP version, review any breaking changes in the Autonomous Platform documentation, especially around input types (threat_report, cisa_alert, threat intelligence) and new tool availability.
• For multi-SIEM setups, ensure your .env contains SIEM_PLATFORM accordingly and that credentials/configs for each SIEM are accessible to the pipeline.
• When using the PR stager feature, remember that the system always creates DRAFT PRs; human review is required before merging.