security-detections-mcp 1.2.0 → 1.3.0

package/README.md

@@ -115,14 +115,15 @@ cd security_content && git sparse-checkout set detections stories && cd ..
 git clone --depth 1 --filter=blob:none --sparse https://github.com/elastic/detection-rules.git
 cd detection-rules && git sparse-checkout set rules && cd ..
 
-# Download KQL hunting queries (~300+ queries)
-git clone --depth 1 https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules.git kql
+# Download KQL hunting queries (~400+ queries from 2 repos)
+git clone --depth 1 https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules.git kql-bertjanp
+git clone --depth 1 https://github.com/jkerai1/KQL-Queries.git kql-jkerai1
 
 echo "Done! Configure your MCP with these paths:"
 echo "  SIGMA_PATHS: $(pwd)/sigma/rules,$(pwd)/sigma/rules-threat-hunting"
 echo "  SPLUNK_PATHS: $(pwd)/security_content/detections"
 echo "  ELASTIC_PATHS: $(pwd)/detection-rules/rules"
-echo "  KQL_PATHS: $(pwd)/kql"
+echo "  KQL_PATHS: $(pwd)/kql-bertjanp,$(pwd)/kql-jkerai1"
 echo "  STORY_PATHS: $(pwd)/security_content/stories"
 ```
 
@@ -143,9 +144,10 @@ git clone https://github.com/splunk/security_content.git
 git clone https://github.com/elastic/detection-rules.git
 # Use rules/ directory
 
-# KQL Hunting Queries
+# KQL Hunting Queries (multiple sources supported)
 git clone https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules.git
-# Use entire repo
+git clone https://github.com/jkerai1/KQL-Queries.git
+# Use entire repos, combine paths with comma
 ```
 
 ## MCP Tools
@@ -377,15 +379,20 @@ From [Elastic Detection Rules](https://github.com/elastic/detection-rules):
 - Optional: `rule.description`, `rule.query`, `rule.severity`, `rule.tags`, `rule.threat` (MITRE mappings)
 - Supports EQL, KQL, Lucene, and ESQL query languages
 
-### KQL Hunting Queries (Markdown)
+### KQL Hunting Queries (Markdown & Raw .kql)
 
-From [Bert-JanP/Hunting-Queries-Detection-Rules](https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules):
-- Microsoft Defender XDR and Azure Sentinel hunting queries
-- Extracts title from markdown heading
-- Extracts KQL from fenced code blocks
+Supports multiple KQL repositories:
+
+**[Bert-JanP/Hunting-Queries-Detection-Rules](https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules)** (~290 queries)
+- Microsoft Defender XDR and Azure Sentinel hunting queries in Markdown format
+- Extracts title from markdown heading, KQL from fenced code blocks
 - Extracts MITRE technique IDs from tables
-- Derives category from folder path
-- Extracts data sources (DeviceProcessEvents, SigninLogs, etc.)
+- Categories: Defender For Endpoint, Azure AD, Threat Hunting, DFIR, etc.
+
+**[jkerai1/KQL-Queries](https://github.com/jkerai1/KQL-Queries)** (~130 queries)
+- Raw `.kql` files for Defender, Entra, Azure, Office 365
+- Title derived from filename
+- Lightweight queries for kqlsearch.com
 
 ## Development
 
@@ -414,9 +421,9 @@ When fully indexed with all sources:
 | Sigma Rules | ~3,000+ |
 | Splunk ESCU | ~2,000+ |
 | Elastic Rules | ~1,500+ |
-| KQL Queries | ~300+ |
+| KQL Queries | ~420+ |
 | Analytic Stories | ~330 |
-| **Total** | **~7,000+** |
+| **Total** | **~7,200+** |
 
 ## 🔗 Using with MITRE ATT&CK MCP
 
@@ -424,7 +431,7 @@ When fully indexed with all sources:
 
 | MCP | Purpose |
 |-----|---------|
-| **security-detections-mcp** | Query 7,000+ detection rules (Sigma, Splunk ESCU, Elastic, KQL) |
+| **security-detections-mcp** | Query 7,200+ detection rules (Sigma, Splunk ESCU, Elastic, KQL) |
 | **mitre-attack-mcp** | Analyze coverage against ATT&CK framework, generate Navigator layers |
 
 ### Combined Workflow (Efficient)

package/dist/indexer.js

@@ -4,7 +4,7 @@ import { parseSigmaFile } from './parsers/sigma.js';
 import { parseSplunkFile } from './parsers/splunk.js';
 import { parseStoryFile } from './parsers/story.js';
 import { parseElasticFile } from './parsers/elastic.js';
-import { parseKqlFile } from './parsers/kql.js';
+import { parseKqlFile, parseRawKqlFile } from './parsers/kql.js';
 import { recreateDb, insertDetection, insertStory, getDetectionCount, initDb } from './db.js';
 // Recursively find all YAML files in a directory
 function findYamlFiles(dir) {
@@ -67,9 +67,8 @@ function findTomlFiles(dir) {
     }
     return files;
 }
-// Recursively find all markdown files in a directory (for KQL queries)
-function findMarkdownFiles(dir) {
-    const files = [];
+function findKqlFiles(dir) {
+    const files = { markdown: [], raw: [] };
     try {
         const entries = readdirSync(dir);
         for (const entry of entries) {
@@ -79,18 +78,24 @@ function findMarkdownFiles(dir) {
                 if (stat.isDirectory()) {
                     // Skip common non-query directories
                     if (!['Images', 'images', '.git', 'node_modules'].includes(entry)) {
-                        files.push(...findMarkdownFiles(fullPath));
+                        const subFiles = findKqlFiles(fullPath);
+                        files.markdown.push(...subFiles.markdown);
+                        files.raw.push(...subFiles.raw);
                     }
                 }
                 else if (stat.isFile()) {
                     const ext = extname(entry).toLowerCase();
+                    const lowerName = entry.toLowerCase();
                     if (ext === '.md') {
                         // Skip README files and common non-query files
-                        const lowerName = entry.toLowerCase();
                         if (lowerName !== 'readme.md' && lowerName !== 'license' && lowerName !== 'contributing.md') {
-                            files.push(fullPath);
+                            files.markdown.push(fullPath);
                         }
                     }
+                    else if (ext === '.kql') {
+                        // Raw KQL files (jkerai1/KQL-Queries format)
+                        files.raw.push(fullPath);
+                    }
                 }
             }
             catch {
@@ -159,10 +164,11 @@ export function indexDetections(sigmaPaths, splunkPaths, storyPaths = [], elasti
             }
         }
     }
-    // Index KQL hunting queries (markdown format)
+    // Index KQL hunting queries (markdown and raw .kql formats)
     for (const basePath of kqlPaths) {
-        const files = findMarkdownFiles(basePath);
-        for (const file of files) {
+        const files = findKqlFiles(basePath);
+        // Parse markdown files (Bert-JanP format)
+        for (const file of files.markdown) {
             const detection = parseKqlFile(file, basePath);
             if (detection) {
                 insertDetection(detection);
@@ -172,6 +178,17 @@ export function indexDetections(sigmaPaths, splunkPaths, storyPaths = [], elasti
                 kql_failed++;
             }
         }
+        // Parse raw .kql files (jkerai1 format)
+        for (const file of files.raw) {
+            const detection = parseRawKqlFile(file, basePath);
+            if (detection) {
+                insertDetection(detection);
+                kql_indexed++;
+            }
+            else {
+                kql_failed++;
+            }
+        }
     }
     // Index Splunk Analytic Stories (optional)
     for (const basePath of storyPaths) {

package/dist/parsers/kql.d.ts

@@ -1,2 +1,3 @@
 import type { Detection } from '../types.js';
+export declare function parseRawKqlFile(filePath: string, basePath: string): Detection | null;
 export declare function parseKqlFile(filePath: string, basePath: string): Detection | null;

package/dist/parsers/kql.js

@@ -1,5 +1,5 @@
 import { readFileSync, statSync } from 'fs';
-import { relative } from 'path';
+import { basename, relative } from 'path';
 import { createHash } from 'crypto';
 // Generate a stable ID from file path
 function generateId(filePath, name) {
@@ -272,9 +272,85 @@ function extractPlatforms(content, dataSources) {
     }
     return Array.from(platforms);
 }
+// Parse a raw .kql file (just query content, filename is title)
+export function parseRawKqlFile(filePath, basePath) {
+    try {
+        const stat = statSync(filePath);
+        if (!stat.isFile()) {
+            return null;
+        }
+        const content = readFileSync(filePath, 'utf-8');
+        const query = content.trim();
+        if (!query || query.length < 10) {
+            return null;
+        }
+        // Title from filename (remove .kql extension)
+        const fileName = basename(filePath, '.kql');
+        const title = fileName;
+        const id = generateId(filePath, title);
+        const category = extractCategory(filePath, basePath);
+        const dataSources = extractDataSources(query);
+        const processNames = extractProcessNames(query);
+        const keywords = extractKeywords(query, query);
+        const tags = extractTags(query, category);
+        const platforms = extractPlatforms(query, dataSources);
+        // Extract CVEs from query comments or content
+        const cves = [];
+        const cveMatches = query.matchAll(/CVE-\d{4}-\d+/gi);
+        for (const match of cveMatches) {
+            cves.push(match[0].toUpperCase());
+        }
+        // Extract description from first comment line if present
+        let description = '';
+        const commentMatch = query.match(/\/\/\s*(.+)/);
+        if (commentMatch) {
+            description = commentMatch[1].trim();
+        }
+        const detection = {
+            id,
+            name: title,
+            description,
+            query,
+            source_type: 'kql',
+            mitre_ids: [],
+            logsource_category: null,
+            logsource_product: 'microsoft',
+            logsource_service: 'kql',
+            severity: null,
+            status: null,
+            author: null,
+            date_created: null,
+            date_modified: null,
+            references: [],
+            falsepositives: [],
+            tags,
+            file_path: filePath,
+            raw_yaml: content,
+            cves,
+            analytic_stories: [],
+            data_sources: dataSources,
+            detection_type: 'Hunting',
+            asset_type: dataSources.some(ds => ds.startsWith('Device')) ? 'Endpoint' : 'Cloud',
+            security_domain: dataSources.some(ds => ds.startsWith('Device')) ? 'endpoint' :
+                dataSources.some(ds => ds.includes('Email')) ? 'email' : 'identity',
+            process_names: processNames,
+            file_paths: [],
+            registry_paths: [],
+            mitre_tactics: [],
+            platforms,
+            kql_category: category,
+            kql_tags: tags,
+            kql_keywords: keywords,
+        };
+        return detection;
+    }
+    catch {
+        return null;
+    }
+}
+// Parse markdown file with KQL code blocks (Bert-JanP format)
 export function parseKqlFile(filePath, basePath) {
     try {
-        // Check if file exists and is a markdown file
         const stat = statSync(filePath);
         if (!stat.isFile()) {
             return null;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "security-detections-mcp",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "MCP server for querying Sigma, Splunk ESCU, Elastic, and KQL security detection rules",
   "type": "module",
   "main": "dist/index.js",