security-detections-mcp 2.1.1 → 3.1.0

package/README.md

@@ -1,9 +1,105 @@
 # Security Detections MCP
 
-An MCP (Model Context Protocol) server that lets LLMs query a unified database of **Sigma**, **Splunk ESCU**, **Elastic**, and **KQL** security detection rules.
+An MCP (Model Context Protocol) server that lets LLMs query a unified database of **Sigma**, **Splunk ESCU**, **Elastic**, **KQL**, **Sublime**, and **CrowdStrike CQL** security detection rules.
+
+> **New here? Start with the [Setup Guide](./SETUP.md)** -- covers macOS, Windows (WSL & native), and Linux step by step.
+
+## What's New in 3.1 - New Detection Sources
+
+- **CrowdStrike CQL Hub** - Query and search CrowdStrike Query Language (CQL) detections from the CQL Hub community repository
+- **Sublime Rules** - Query and search Sublime Security detection rules for email-based threats
+
+## What's New in 3.0 - Autonomous Detection Platform
+
+Version 3.0 transforms this MCP into a **fully autonomous detection engineering platform**. Feed it threat intelligence, and it automatically:
+
+1. **Extracts TTPs** from threat reports, CISA alerts, or manual input
+2. **Analyzes coverage gaps** against your existing detections
+3. **Generates detections** in your SIEM's native format (SPL, KQL, EQL, or Sigma)
+4. **Runs Atomic Red Team tests** against your lab environment
+5. **Validates detections fire** by querying your SIEM
+6. **Exports attack data** for reproducibility
+7. **Stages DRAFT PRs** to your detection repo (never auto-merges)
+
+> **Multi-SIEM**: Set `SIEM_PLATFORM` to `splunk`, `sentinel`, `elastic`, or `sigma` in your `.env`. The pipeline was built on Splunk + Attack Range but adapts to any SIEM. See the **[E2E Testing Guide](./docs/E2E-TESTING-GUIDE.md)** for complete setup instructions per platform.
+
+### Architecture: LangGraph + Cursor Subagents
+
+The 3.0 architecture uses two complementary systems:
+
+| Component | Purpose | Location |
+|-----------|---------|----------|
+| **LangGraph Pipeline** | Core autonomous workflow - portable, testable, CI/CD ready | `agents/` |
+| **Cursor Subagents** | Interactive IDE agents for manual tasks | `.cursor/agents/` |
+
+### Quick Start - Autonomous Mode
+
+**Prerequisites**: Node.js 20+, an Anthropic API key. Full details in the [Setup Guide](./SETUP.md).
+
+```bash
+# Install the agents package
+cd agents && npm install --registry https://registry.npmjs.org/
+
+# Configure
+cp .env.example .env
+# Edit .env: set SIEM_PLATFORM, ANTHROPIC_API_KEY, SECURITY_CONTENT_PATH
+
+# Test with dry run first (uses mock data, no LLM calls)
+DRY_RUN=true npm run orchestrate -- --type technique --input "T1566.004 Spearphishing Voice"
+
+# Run with real LLM (creates actual detections)
+npm run orchestrate -- --type technique --input "T1566.004 Spearphishing Voice"
+
+# Or analyze a CISA alert
+npm run orchestrate -- --type cisa_alert --url https://www.cisa.gov/news-events/alerts/...
+
+# Or feed it a threat report
+npm run orchestrate -- --type threat_report --file ./report.md
+
+# Note: Use T1566.004 for testing - it has no existing coverage so will create a detection
+# T1003.001 has 100+ existing detections, so the pipeline will correctly skip it (no gap)
+```
+
+### Pipeline Stages
+
+```
+┌─────────────┐    ┌──────────────────┐    ┌────────────────────┐
+│ CTI Analyst │───>│ Coverage Analyzer│───>│ Detection Engineer │
+└─────────────┘    └──────────────────┘    └────────────────────┘
+                                                     │
+                                                     ▼
+┌───────────┐    ┌──────────────────┐    ┌──────────────────────┐
+│ PR Stager │<───│   Data Dumper    │<───│  Splunk Validator    │
+└───────────┘    └──────────────────┘    └──────────────────────┘
+                                                     ▲
+                                                     │
+                                          ┌──────────────────┐
+                                          │ Atomic Executor  │
+                                          └──────────────────┘
+```
+
+### MCP Integration
+
+The autonomous pipeline integrates with existing MCPs:
+- **security-detections** - Coverage analysis and gap identification
+- **splunk-mcp** - Detection validation (`run_detection`, `export_dump`)
+- **mitre-attack** - Technique lookups
+
+### Human-in-the-Loop
+
+**CRITICAL**: The system NEVER auto-commits or auto-merges. All PRs are created as **DRAFT** requiring human review:
+
+```
+[PR Stager] ✓ security_content DRAFT PR created: https://github.com/splunk/security_content/pull/123
+[PR Stager] ✓ attack_data DRAFT PR created: https://github.com/splunk/attack_data/pull/456
+```
+
+See the [Autonomous Platform Documentation](./docs/AUTONOMOUS.md) for full details, and the [E2E Testing Guide](./docs/E2E-TESTING-GUIDE.md) for per-SIEM setup (Splunk, Sentinel, Elastic, Sigma).
 
 [![Install MCP Server](https://cursor.com/deeplink/mcp-install-dark.svg)](https://cursor.com/en/install-mcp?name=security-detections&config=eyJjb21tYW5kIjoibnB4IiwiYXJncyI6WyIteSIsInNlY3VyaXR5LWRldGVjdGlvbnMtbWNwIl0sImVudiI6eyJTSUdNQV9QQVRIUyI6Ii9wYXRoL3RvL3NpZ21hL3J1bGVzLC9wYXRoL3RvL3NpZ21hL3J1bGVzLXRocmVhdC1odW50aW5nIiwiU1BMVU5LX1BBVEhTIjoiL3BhdGgvdG8vc2VjdXJpdHlfY29udGVudC9kZXRlY3Rpb25zIiwiU1RPUllfUEFUSFMiOiIvcGF0aC90by9zZWN1cml0eV9jb250ZW50L3N0b3JpZXMiLCJFTEFTVElDX1BBVEhTIjoiL3BhdGgvdG8vZGV0ZWN0aW9uLXJ1bGVzL3J1bGVzIiwiS1FMX1BBVEhTIjoiL3BhdGgvdG8va3FsLXJ1bGVzIn19)
 
+> **Detailed setup**: See the **[Setup Guide](./SETUP.md)** for step-by-step install on macOS, Windows (WSL & native), and Linux with troubleshooting for common issues.
+
 ## 🐛 Version 2.1.1 (Bug Fix)
 
 - **Fixed Windows EBUSY crash** - SQLite database recreation now handles Windows file locking with retry logic. Previously, Windows users would get `EBUSY: resource busy or locked` on startup.
@@ -122,7 +218,7 @@ Claude will:
 - **🆕 Server Instructions** - Built-in usage guide with examples for better LLM understanding
 - **🆕 Structured Errors** - Helpful error messages with suggestions and similar items
 - **🆕 Interactive Tools** - Gap prioritization and sprint planning with form-based input (Cursor 0.42+)
-- **Unified Search** - Query Sigma, Splunk ESCU, Elastic, and KQL detections from a single interface
+- **Unified Search** - Query Sigma, Splunk ESCU, Elastic, KQL, Sublime, and CrowdStrike CQL detections from a single interface
 - **Full-Text Search** - SQLite FTS5 powered search across names, descriptions, queries, MITRE tactics, CVEs, process names, and more
 - **MITRE ATT&CK Mapping** - Filter detections by technique ID or tactic
 - **CVE Coverage** - Find detections for specific CVE vulnerabilities
@@ -130,7 +226,7 @@ Claude will:
 - **Analytic Stories** - Query by Splunk analytic story (optional - enhances context)
 - **KQL Categories** - Filter KQL queries by category (Defender For Endpoint, Azure AD, Threat Hunting, etc.)
 - **Auto-Indexing** - Automatically indexes detections on startup from configured paths
-- **Multi-Format Support** - YAML (Sigma, Splunk), TOML (Elastic), Markdown (KQL)
+- **Multi-Format Support** - YAML (Sigma, Splunk, Sublime, CrowdStrike CQL), TOML (Elastic), Markdown (KQL)
 - **Logsource Filtering** - Filter Sigma rules by category, product, or service
 - **Severity Filtering** - Filter by criticality level
 
@@ -170,7 +266,9 @@ Add to your MCP config (`~/.cursor/mcp.json` or `.cursor/mcp.json` in your proje
         "SPLUNK_PATHS": "/path/to/security_content/detections",
         "ELASTIC_PATHS": "/path/to/detection-rules/rules",
         "STORY_PATHS": "/path/to/security_content/stories",
-        "KQL_PATHS": "/path/to/Hunting-Queries-Detection-Rules"
+        "KQL_PATHS": "/path/to/Hunting-Queries-Detection-Rules",
+        "SUBLIME_PATHS": "/path/to/sublime-rules/detection-rules",
+        "CQL_HUB_PATHS": "/path/to/cql-hub/queries"
       }
     }
   }
@@ -192,7 +290,9 @@ Add to `~/Library/Application Support/Claude/claude_desktop_config.json`:
         "SPLUNK_PATHS": "/Users/you/security_content/detections",
         "ELASTIC_PATHS": "/Users/you/detection-rules/rules",
         "STORY_PATHS": "/Users/you/security_content/stories",
-        "KQL_PATHS": "/Users/you/Hunting-Queries-Detection-Rules"
+        "KQL_PATHS": "/Users/you/Hunting-Queries-Detection-Rules",
+        "SUBLIME_PATHS": "/Users/you/sublime-rules/detection-rules",
+        "CQL_HUB_PATHS": "/Users/you/cql-hub/queries"
       }
     }
   }
@@ -214,7 +314,9 @@ Add to `~/.vscode/mcp.json`:
         "SPLUNK_PATHS": "/Users/you/security_content/detections",
         "ELASTIC_PATHS": "/Users/you/detection-rules/rules",
         "KQL_PATHS": "/Users/you/kql-bertjanp,/Users/you/kql-jkerai1",
-        "STORY_PATHS": "/Users/you/security_content/stories"
+        "STORY_PATHS": "/Users/you/security_content/stories",
+        "SUBLIME_PATHS": "/Users/you/sublime-rules/detection-rules",
+        "CQL_HUB_PATHS": "/Users/you/cql-hub/queries"
       }
     }
   }
@@ -236,7 +338,9 @@ Add to `~/.vscode/mcp.json`:
         "SPLUNK_PATHS": "/Users/you/security_content/detections",
         "ELASTIC_PATHS": "/Users/you/detection-rules/rules",
         "KQL_PATHS": "/Users/you/kql-bertjanp,/Users/you/kql-jkerai1",
-        "STORY_PATHS": "/Users/you/security_content/stories"
+        "STORY_PATHS": "/Users/you/security_content/stories",
+        "SUBLIME_PATHS": "/Users/you/sublime-rules/detection-rules",
+        "CQL_HUB_PATHS": "/Users/you/cql-hub/queries"
       }
     }
   }
@@ -250,6 +354,8 @@ Add to `~/.vscode/mcp.json`:
 | `SPLUNK_PATHS` | Comma-separated paths to Splunk ESCU detection directories | At least one source required |
 | `ELASTIC_PATHS` | Comma-separated paths to Elastic detection rule directories | At least one source required |
 | `KQL_PATHS` | Comma-separated paths to KQL hunting query directories | At least one source required |
+| `SUBLIME_PATHS` | Comma-separated paths to Sublime Security rule directories | At least one source required |
+| `CQL_HUB_PATHS` | Comma-separated paths to CQL Hub (CrowdStrike) query directories | At least one source required |
 | `STORY_PATHS` | Comma-separated paths to Splunk analytic story directories | No (enhances context) |
 
 ## Getting Detection Content
@@ -278,11 +384,20 @@ cd detection-rules && git sparse-checkout set rules && cd ..
 git clone --depth 1 https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules.git kql-bertjanp
 git clone --depth 1 https://github.com/jkerai1/KQL-Queries.git kql-jkerai1
 
+# Download Sublime Security email detection rules (~900+ rules)
+git clone --depth 1 --filter=blob:none --sparse https://github.com/sublime-security/sublime-rules.git
+cd sublime-rules && git sparse-checkout set detection-rules && cd ..
+
+# Download CQL Hub CrowdStrike queries (~139+ queries)
+git clone --depth 1 https://github.com/ByteRay-Labs/Query-Hub.git cql-hub
+
 echo "Done! Configure your MCP with these paths:"
 echo "  SIGMA_PATHS: $(pwd)/sigma/rules,$(pwd)/sigma/rules-threat-hunting"
 echo "  SPLUNK_PATHS: $(pwd)/security_content/detections"
 echo "  ELASTIC_PATHS: $(pwd)/detection-rules/rules"
 echo "  KQL_PATHS: $(pwd)/kql-bertjanp,$(pwd)/kql-jkerai1"
+echo "  SUBLIME_PATHS: $(pwd)/sublime-rules/detection-rules"
+echo "  CQL_HUB_PATHS: $(pwd)/cql-hub/queries"
 echo "  STORY_PATHS: $(pwd)/security_content/stories"
 ```
 
@@ -307,6 +422,14 @@ git clone https://github.com/elastic/detection-rules.git
 git clone https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules.git
 git clone https://github.com/jkerai1/KQL-Queries.git
 # Use entire repos, combine paths with comma
+
+# Sublime Security Rules
+git clone https://github.com/sublime-security/sublime-rules.git
+# Use detection-rules/ directory
+
+# CQL Hub (CrowdStrike Query Language)
+git clone https://github.com/ByteRay-Labs/Query-Hub.git
+# Use queries/ directory
 ```
 
 ## 🆕 MCP Resources - Readable Context
@@ -336,7 +459,7 @@ The server provides **autocomplete suggestions** as you type argument values:
 | `process_name` | Process names in your detections (powershell.exe, etc.) |
 | `tactic` | All 14 MITRE tactics |
 | `severity` | informational, low, medium, high, critical |
-| `source_type` | sigma, splunk_escu, elastic, kql |
+| `source_type` | sigma, splunk_escu, elastic, kql, sublime, crowdstrike_cql |
 | `threat_profile` | ransomware, apt, initial-access, persistence, etc. |
 
 This prevents typos and helps discover what values are available in your detection corpus.
@@ -395,7 +518,7 @@ Tool: prioritize_gaps(threat_profile="ransomware")
 | `search(query, limit)` | Full-text search across all detection fields (names, descriptions, queries, CVEs, process names, etc.) |
 | `get_by_id(id)` | Get a single detection by its ID |
 | `list_all(limit, offset)` | Paginated list of all detections |
-| `list_by_source(source_type)` | Filter by `sigma`, `splunk_escu`, `elastic`, or `kql` |
+| `list_by_source(source_type)` | Filter by `sigma`, `splunk_escu`, `elastic`, `kql`, `sublime`, or `crowdstrike_cql` |
 | `get_raw_yaml(id)` | Get the original YAML/TOML/Markdown content |
 | `get_stats()` | Get index statistics |
 | `rebuild_index()` | Force re-index from configured paths |
@@ -746,7 +869,7 @@ Tool: list_by_cve(cve_id="CVE-2024-27198")
 ```
 LLM: "What detections do we have for credential dumping?"
 Tool: search(query="credential dumping", limit=10)
-→ Returns results from Sigma, Splunk, Elastic, AND KQL
+→ Returns results from Sigma, Splunk, Elastic, KQL, Sublime, AND CrowdStrike CQL
 ```
 
 #### Find Web Server Attack Detections
@@ -771,6 +894,22 @@ LLM: "What KQL queries do we have for Defender For Endpoint?"
 Tool: list_by_kql_category(category="Defender For Endpoint")
 ```
 
+#### Find BEC/Phishing Email Detections
+
+```
+LLM: "What email detections do we have for BEC fraud?"
+Tool: list_by_source(source_type="sublime")
+→ Returns Sublime Security email detection rules for BEC, phishing, malware, etc.
+```
+
+#### Find CrowdStrike CQL Hunting Queries
+
+```
+LLM: "What CrowdStrike queries do we have for lateral movement?"
+Tool: list_by_source(source_type="crowdstrike_cql")
+→ Returns CQL Hub queries for CrowdStrike NextGen SIEM and Falcon LogScale
+```
+
 #### Search for BloodHound Detections
 
 ```
@@ -781,7 +920,7 @@ Tool: search(query="bloodhound", limit=10)
 
 ## Unified Schema
 
-All detection sources (Sigma, Splunk, Elastic, KQL) are normalized to a common schema:
+All detection sources (Sigma, Splunk, Elastic, KQL, Sublime, CrowdStrike CQL) are normalized to a common schema:
 
 ### Core Fields
 
@@ -790,8 +929,8 @@ All detection sources (Sigma, Splunk, Elastic, KQL) are normalized to a common s
 | `id` | Unique identifier |
 | `name` | Detection name/title |
 | `description` | What the detection looks for |
-| `query` | Detection logic (Sigma YAML, Splunk SPL, Elastic EQL, or KQL) |
-| `source_type` | `sigma`, `splunk_escu`, `elastic`, or `kql` |
+| `query` | Detection logic (Sigma YAML, Splunk SPL, Elastic EQL, KQL, Sublime MQL, or CrowdStrike CQL) |
+| `source_type` | `sigma`, `splunk_escu`, `elastic`, `kql`, `sublime`, or `crowdstrike_cql` |
 | `severity` | Detection severity level |
 | `status` | Rule status (stable, test, experimental, production, etc.) |
 | `author` | Rule author |
@@ -823,6 +962,14 @@ All detection sources (Sigma, Splunk, Elastic, KQL) are normalized to a common s
 | `kql_keywords` | Security keywords extracted for search |
 | `platforms` | Platforms (windows, azure-ad, office-365, etc.) |
 
+### Sublime-Specific Fields
+
+| Field | Description |
+|-------|-------------|
+| `sublime_attack_types` | Attack types (BEC/Fraud, Credential Phishing, Malware/Ransomware, etc.) |
+| `sublime_detection_methods` | Detection methods (Content analysis, URL analysis, Computer Vision, etc.) |
+| `sublime_tactics` | Tactics and techniques (Evasion, Impersonation: Brand, Social engineering, etc.) |
+
 ## Database
 
 The index is stored at `~/.cache/security-detections-mcp/detections.sqlite`.
@@ -860,6 +1007,22 @@ From [Elastic Detection Rules](https://github.com/elastic/detection-rules):
 - Optional: `rule.description`, `rule.query`, `rule.severity`, `rule.tags`, `rule.threat` (MITRE mappings)
 - Supports EQL, KQL, Lucene, and ESQL query languages
 
+### Sublime Security Rules (YAML)
+
+From [Sublime Security](https://github.com/sublime-security/sublime-rules):
+- Required: `name`, `type` (rule/exclusion), `source` (MQL query)
+- Optional: `description`, `severity`, `id`, `references`, `tags`, `authors`, `attack_types`, `tactics_and_techniques`, `detection_methods`, `false_positives`
+- Uses MQL (Message Query Language) for email-specific detection logic
+- Covers BEC/fraud, credential phishing, malware delivery, spam, and more
+
+### CrowdStrike CQL Queries (YAML)
+
+From [CQL Hub](https://github.com/ByteRay-Labs/Query-Hub):
+- Required: `name`, `cql` (CrowdStrike Query Language query)
+- Optional: `description`, `mitre_ids`, `author`, `log_sources`, `tags`, `cs_required_modules`, `explanation`
+- Community-driven detection and hunting queries for CrowdStrike NextGen SIEM and Falcon LogScale
+- Covers endpoint, network, cloud, and identity detection use cases
+
 ### KQL Hunting Queries (Markdown & Raw .kql)
 
 Supports multiple KQL repositories:
@@ -944,6 +1107,8 @@ SIGMA_PATHS="./detections/sigma/rules" \
 SPLUNK_PATHS="./detections/splunk/detections" \
 ELASTIC_PATHS="./detections/elastic/rules" \
 KQL_PATHS="./detections/kql" \
+SUBLIME_PATHS="./detections/sublime-rules/detection-rules" \
+CQL_HUB_PATHS="./detections/cql-hub/queries" \
 STORY_PATHS="./detections/splunk/stories" \
 npm start
 ```
@@ -958,11 +1123,13 @@ When fully indexed with all sources:
 | Splunk ESCU | ~2,000+ |
 | Elastic Rules | ~1,500+ |
 | KQL Queries | ~420+ |
+| Sublime Rules | ~900+ |
+| CrowdStrike CQL | ~139+ |
 | Analytic Stories | ~330 |
-| **Total Detections** | **~7,200+** |
+| **Total Detections** | **~8,200+** |
 | **Indexed Patterns** | **10,235+** |
 | **Techniques with Patterns** | **528+** |
-| **Detection Formats** | **4** (Sigma, Splunk, Elastic, KQL) |
+| **Detection Formats** | **6** (Sigma, Splunk, Elastic, KQL, Sublime, CrowdStrike CQL) |
 | **Total Tools** | **71+** |
 | **MCP Prompts** | **11** |
 | **MCP Resources** | **9 static + 5 templates** |
@@ -1067,7 +1234,7 @@ For detailed information on v2.1 features:
 
 | MCP | Purpose |
 |-----|---------|
-| **security-detections-mcp** | Query 7,200+ detection rules + 11 expert workflow prompts |
+| **security-detections-mcp** | Query 8,100+ detection rules + 11 expert workflow prompts |
 | **mitre-attack-mcp** | ATT&CK framework data, threat groups, Navigator layers |
 
 ### With MCP Prompts (Easiest)
@@ -1133,7 +1300,9 @@ LLM workflow:
         "SIGMA_PATHS": "/path/to/sigma/rules",
         "SPLUNK_PATHS": "/path/to/security_content/detections",
         "ELASTIC_PATHS": "/path/to/detection-rules/rules",
-        "KQL_PATHS": "/path/to/kql-hunting-queries"
+        "KQL_PATHS": "/path/to/kql-hunting-queries",
+        "SUBLIME_PATHS": "/path/to/sublime-rules/detection-rules",
+        "CQL_HUB_PATHS": "/path/to/cql-hub/queries"
       }
     },
     "mitre-attack": {

package/dist/db/detections.d.ts

@@ -12,7 +12,7 @@ export interface ValidationResult {
     similar?: string[];
 }
 export interface TechniqueIdFilters {
-    source_type?: 'sigma' | 'splunk_escu' | 'elastic' | 'kql';
+    source_type?: 'sigma' | 'splunk_escu' | 'elastic' | 'kql' | 'sublime' | 'crowdstrike_cql';
     tactic?: string;
     severity?: string;
 }
@@ -59,7 +59,7 @@ export interface DetectionSuggestion {
 export interface NavigatorLayerOptions {
     name: string;
     description?: string;
-    source_type?: 'sigma' | 'splunk_escu' | 'elastic' | 'kql';
+    source_type?: 'sigma' | 'splunk_escu' | 'elastic' | 'kql' | 'sublime' | 'crowdstrike_cql';
     tactic?: string;
     severity?: string;
 }
@@ -107,7 +107,7 @@ export declare function listDetections(limit?: number, offset?: number): Detecti
 /**
  * List detections filtered by source type.
  */
-export declare function listBySource(sourceType: 'sigma' | 'splunk_escu' | 'elastic' | 'kql', limit?: number, offset?: number): Detection[];
+export declare function listBySource(sourceType: 'sigma' | 'splunk_escu' | 'elastic' | 'kql' | 'sublime' | 'crowdstrike_cql', limit?: number, offset?: number): Detection[];
 /**
  * List detections by MITRE technique ID.
  */
@@ -183,15 +183,15 @@ export declare function getTechniqueIds(filters?: TechniqueIdFilters): string[];
 /**
  * Analyze coverage by tactic and identify strengths/weaknesses.
  */
-export declare function analyzeCoverage(sourceType?: 'sigma' | 'splunk_escu' | 'elastic' | 'kql'): CoverageReport;
+export declare function analyzeCoverage(sourceType?: 'sigma' | 'splunk_escu' | 'elastic' | 'kql' | 'sublime' | 'crowdstrike_cql'): CoverageReport;
 /**
  * Identify gaps based on a threat profile.
  */
-export declare function identifyGaps(threatProfile: string, sourceType?: 'sigma' | 'splunk_escu' | 'elastic' | 'kql'): GapAnalysis;
+export declare function identifyGaps(threatProfile: string, sourceType?: 'sigma' | 'splunk_escu' | 'elastic' | 'kql' | 'sublime' | 'crowdstrike_cql'): GapAnalysis;
 /**
  * Suggest detections for a technique.
  */
-export declare function suggestDetections(techniqueId: string, sourceType?: 'sigma' | 'splunk_escu' | 'elastic' | 'kql'): DetectionSuggestion;
+export declare function suggestDetections(techniqueId: string, sourceType?: 'sigma' | 'splunk_escu' | 'elastic' | 'kql' | 'sublime' | 'crowdstrike_cql'): DetectionSuggestion;
 /**
  * Generate an ATT&CK Navigator layer from detection coverage.
  */
@@ -203,7 +203,7 @@ export declare function searchDetectionList(query: string, limit?: number): Dete
 /**
  * List detections by source with optional name filter, returning lightweight results.
  */
-export declare function listDetectionsBySourceLight(sourceType: 'sigma' | 'splunk_escu' | 'elastic' | 'kql', nameFilter?: string, limit?: number): DetectionListItem[];
+export declare function listDetectionsBySourceLight(sourceType: 'sigma' | 'splunk_escu' | 'elastic' | 'kql' | 'sublime' | 'crowdstrike_cql', nameFilter?: string, limit?: number): DetectionListItem[];
 /**
  * Compare detections across sources for a topic.
  */
@@ -211,7 +211,7 @@ export declare function compareDetectionsBySource(topic: string, limit?: number)
 /**
  * Get detection names and IDs matching a pattern, grouped by source.
  */
-export declare function getDetectionNamesByPattern(pattern: string, sourceType?: 'sigma' | 'splunk_escu' | 'elastic' | 'kql'): {
+export declare function getDetectionNamesByPattern(pattern: string, sourceType?: 'sigma' | 'splunk_escu' | 'elastic' | 'kql' | 'sublime' | 'crowdstrike_cql'): {
     source: string;
     detections: Array<{
         name: string;

package/dist/db/detections.js

@@ -75,6 +75,9 @@ function rowToDetection(row) {
         kql_category: row.kql_category,
         kql_tags: safeJsonParse(row.kql_tags, []),
         kql_keywords: safeJsonParse(row.kql_keywords, []),
+        sublime_attack_types: safeJsonParse(row.sublime_attack_types, []),
+        sublime_detection_methods: safeJsonParse(row.sublime_detection_methods, []),
+        sublime_tactics: safeJsonParse(row.sublime_tactics, []),
     };
 }
 function rowToListItem(row) {
@@ -95,15 +98,16 @@ function rowToListItem(row) {
 export function insertDetection(detection) {
     const database = getDb();
     const stmt = database.prepare(`
-    INSERT OR REPLACE INTO detections 
-    (id, name, description, query, source_type, mitre_ids, logsource_category, 
-     logsource_product, logsource_service, severity, status, author, 
+    INSERT OR REPLACE INTO detections
+    (id, name, description, query, source_type, mitre_ids, logsource_category,
+     logsource_product, logsource_service, severity, status, author,
      date_created, date_modified, refs, falsepositives, tags, file_path, raw_yaml,
      cves, analytic_stories, data_sources, detection_type, asset_type, security_domain,
-     process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords)
-    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+     process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords,
+     sublime_attack_types, sublime_detection_methods, sublime_tactics)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
   `);
-    stmt.run(detection.id, detection.name, detection.description, detection.query, detection.source_type, JSON.stringify(detection.mitre_ids), detection.logsource_category, detection.logsource_product, detection.logsource_service, detection.severity, detection.status, detection.author, detection.date_created, detection.date_modified, JSON.stringify(detection.references), JSON.stringify(detection.falsepositives), JSON.stringify(detection.tags), detection.file_path, detection.raw_yaml, JSON.stringify(detection.cves), JSON.stringify(detection.analytic_stories), JSON.stringify(detection.data_sources), detection.detection_type, detection.asset_type, detection.security_domain, JSON.stringify(detection.process_names), JSON.stringify(detection.file_paths), JSON.stringify(detection.registry_paths), JSON.stringify(detection.mitre_tactics), JSON.stringify(detection.platforms), detection.kql_category, JSON.stringify(detection.kql_tags), JSON.stringify(detection.kql_keywords));
+    stmt.run(detection.id, detection.name, detection.description, detection.query, detection.source_type, JSON.stringify(detection.mitre_ids), detection.logsource_category, detection.logsource_product, detection.logsource_service, detection.severity, detection.status, detection.author, detection.date_created, detection.date_modified, JSON.stringify(detection.references), JSON.stringify(detection.falsepositives), JSON.stringify(detection.tags), detection.file_path, detection.raw_yaml, JSON.stringify(detection.cves), JSON.stringify(detection.analytic_stories), JSON.stringify(detection.data_sources), detection.detection_type, detection.asset_type, detection.security_domain, JSON.stringify(detection.process_names), JSON.stringify(detection.file_paths), JSON.stringify(detection.registry_paths), JSON.stringify(detection.mitre_tactics), JSON.stringify(detection.platforms), detection.kql_category, JSON.stringify(detection.kql_tags), JSON.stringify(detection.kql_keywords), JSON.stringify(detection.sublime_attack_types), JSON.stringify(detection.sublime_detection_methods), JSON.stringify(detection.sublime_tactics));
 }
 /**
  * Get a detection by its ID.
@@ -348,6 +352,7 @@ export function getStats() {
     const splunk = database.prepare("SELECT COUNT(*) as count FROM detections WHERE source_type = 'splunk_escu'").get().count;
     const elastic = database.prepare("SELECT COUNT(*) as count FROM detections WHERE source_type = 'elastic'").get().count;
     const kql = database.prepare("SELECT COUNT(*) as count FROM detections WHERE source_type = 'kql'").get().count;
+    const sublime = database.prepare("SELECT COUNT(*) as count FROM detections WHERE source_type = 'sublime'").get().count;
     // Count by severity
     const severityRows = database.prepare(`
     SELECT severity, COUNT(*) as count FROM detections 
@@ -425,6 +430,7 @@ export function getStats() {
         splunk_escu: splunk,
         elastic,
         kql,
+        sublime,
         by_severity,
         by_logsource_product,
         mitre_coverage,
@@ -863,6 +869,7 @@ export function compareDetectionsBySource(topic, limit = 100) {
         splunk_escu: [],
         elastic: [],
         kql: [],
+        sublime: [],
     };
     const byTactic = {};
     for (const row of rows) {
@@ -936,7 +943,7 @@ export function countDetectionsBySource(topic) {
     GROUP BY d.source_type
   `);
     const rows = stmt.all(topic);
-    const result = { sigma: 0, splunk_escu: 0, elastic: 0, kql: 0 };
+    const result = { sigma: 0, splunk_escu: 0, elastic: 0, kql: 0, sublime: 0, crowdstrike_cql: 0 };
     for (const row of rows) {
         result[row.source_type] = row.count;
     }

package/dist/db/schema.js

@@ -56,7 +56,10 @@ function createDetectionsTable(db) {
       platforms TEXT,
       kql_category TEXT,
       kql_tags TEXT,
-      kql_keywords TEXT
+      kql_keywords TEXT,
+      sublime_attack_types TEXT,
+      sublime_detection_methods TEXT,
+      sublime_tactics TEXT
     )
   `);
 }
@@ -83,6 +86,9 @@ function createDetectionsFts(db) {
       kql_category,
       kql_tags,
       kql_keywords,
+      sublime_attack_types,
+      sublime_detection_methods,
+      sublime_tactics,
       content='detections',
       content_rowid='rowid'
     )
@@ -95,24 +101,24 @@ function createDetectionsTriggers(db) {
     // After INSERT trigger
     db.exec(`
     CREATE TRIGGER IF NOT EXISTS detections_ai AFTER INSERT ON detections BEGIN
-      INSERT INTO detections_fts(rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords)
-      VALUES (NEW.rowid, NEW.id, NEW.name, NEW.description, NEW.query, NEW.mitre_ids, NEW.tags, NEW.cves, NEW.analytic_stories, NEW.data_sources, NEW.process_names, NEW.file_paths, NEW.registry_paths, NEW.mitre_tactics, NEW.platforms, NEW.kql_category, NEW.kql_tags, NEW.kql_keywords);
+      INSERT INTO detections_fts(rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords, sublime_attack_types, sublime_detection_methods, sublime_tactics)
+      VALUES (NEW.rowid, NEW.id, NEW.name, NEW.description, NEW.query, NEW.mitre_ids, NEW.tags, NEW.cves, NEW.analytic_stories, NEW.data_sources, NEW.process_names, NEW.file_paths, NEW.registry_paths, NEW.mitre_tactics, NEW.platforms, NEW.kql_category, NEW.kql_tags, NEW.kql_keywords, NEW.sublime_attack_types, NEW.sublime_detection_methods, NEW.sublime_tactics);
     END
   `);
     // After DELETE trigger
     db.exec(`
     CREATE TRIGGER IF NOT EXISTS detections_ad AFTER DELETE ON detections BEGIN
-      INSERT INTO detections_fts(detections_fts, rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords)
-      VALUES ('delete', OLD.rowid, OLD.id, OLD.name, OLD.description, OLD.query, OLD.mitre_ids, OLD.tags, OLD.cves, OLD.analytic_stories, OLD.data_sources, OLD.process_names, OLD.file_paths, OLD.registry_paths, OLD.mitre_tactics, OLD.platforms, OLD.kql_category, OLD.kql_tags, OLD.kql_keywords);
+      INSERT INTO detections_fts(detections_fts, rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords, sublime_attack_types, sublime_detection_methods, sublime_tactics)
+      VALUES ('delete', OLD.rowid, OLD.id, OLD.name, OLD.description, OLD.query, OLD.mitre_ids, OLD.tags, OLD.cves, OLD.analytic_stories, OLD.data_sources, OLD.process_names, OLD.file_paths, OLD.registry_paths, OLD.mitre_tactics, OLD.platforms, OLD.kql_category, OLD.kql_tags, OLD.kql_keywords, OLD.sublime_attack_types, OLD.sublime_detection_methods, OLD.sublime_tactics);
     END
   `);
     // After UPDATE trigger
     db.exec(`
     CREATE TRIGGER IF NOT EXISTS detections_au AFTER UPDATE ON detections BEGIN
-      INSERT INTO detections_fts(detections_fts, rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords)
-      VALUES ('delete', OLD.rowid, OLD.id, OLD.name, OLD.description, OLD.query, OLD.mitre_ids, OLD.tags, OLD.cves, OLD.analytic_stories, OLD.data_sources, OLD.process_names, OLD.file_paths, OLD.registry_paths, OLD.mitre_tactics, OLD.platforms, OLD.kql_category, OLD.kql_tags, OLD.kql_keywords);
-      INSERT INTO detections_fts(rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords)
-      VALUES (NEW.rowid, NEW.id, NEW.name, NEW.description, NEW.query, NEW.mitre_ids, NEW.tags, NEW.cves, NEW.analytic_stories, NEW.data_sources, NEW.process_names, NEW.file_paths, NEW.registry_paths, NEW.mitre_tactics, NEW.platforms, NEW.kql_category, NEW.kql_tags, NEW.kql_keywords);
+      INSERT INTO detections_fts(detections_fts, rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords, sublime_attack_types, sublime_detection_methods, sublime_tactics)
+      VALUES ('delete', OLD.rowid, OLD.id, OLD.name, OLD.description, OLD.query, OLD.mitre_ids, OLD.tags, OLD.cves, OLD.analytic_stories, OLD.data_sources, OLD.process_names, OLD.file_paths, OLD.registry_paths, OLD.mitre_tactics, OLD.platforms, OLD.kql_category, OLD.kql_tags, OLD.kql_keywords, OLD.sublime_attack_types, OLD.sublime_detection_methods, OLD.sublime_tactics);
+      INSERT INTO detections_fts(rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords, sublime_attack_types, sublime_detection_methods, sublime_tactics)
+      VALUES (NEW.rowid, NEW.id, NEW.name, NEW.description, NEW.query, NEW.mitre_ids, NEW.tags, NEW.cves, NEW.analytic_stories, NEW.data_sources, NEW.process_names, NEW.file_paths, NEW.registry_paths, NEW.mitre_tactics, NEW.platforms, NEW.kql_category, NEW.kql_tags, NEW.kql_keywords, NEW.sublime_attack_types, NEW.sublime_detection_methods, NEW.sublime_tactics);
     END
   `);
 }

package/dist/db.d.ts

@@ -8,7 +8,7 @@ export declare function insertDetection(detection: Detection): void;
 export declare function searchDetections(query: string, limit?: number): Detection[];
 export declare function getDetectionById(id: string): Detection | null;
 export declare function listDetections(limit?: number, offset?: number): Detection[];
-export declare function listBySource(sourceType: 'sigma' | 'splunk_escu' | 'elastic' | 'kql', limit?: number, offset?: number): Detection[];
+export declare function listBySource(sourceType: 'sigma' | 'splunk_escu' | 'elastic' | 'kql' | 'sublime' | 'crowdstrike_cql', limit?: number, offset?: number): Detection[];
 export declare function listByMitre(techniqueId: string, limit?: number, offset?: number): Detection[];
 export declare function listByLogsource(category?: string, product?: string, service?: string, limit?: number, offset?: number): Detection[];
 export declare function listBySeverity(level: string, limit?: number, offset?: number): Detection[];
@@ -117,9 +117,9 @@ export interface SourceComparisonResult {
     };
 }
 export declare function searchDetectionList(query: string, limit?: number): DetectionListItem[];
-export declare function listDetectionsBySourceLight(sourceType: 'sigma' | 'splunk_escu' | 'elastic' | 'kql', nameFilter?: string, limit?: number): DetectionListItem[];
+export declare function listDetectionsBySourceLight(sourceType: 'sigma' | 'splunk_escu' | 'elastic' | 'kql' | 'sublime' | 'crowdstrike_cql', nameFilter?: string, limit?: number): DetectionListItem[];
 export declare function compareDetectionsBySource(topic: string, limit?: number): SourceComparisonResult;
-export declare function getDetectionNamesByPattern(pattern: string, sourceType?: 'sigma' | 'splunk_escu' | 'elastic' | 'kql'): {
+export declare function getDetectionNamesByPattern(pattern: string, sourceType?: 'sigma' | 'splunk_escu' | 'elastic' | 'kql' | 'sublime' | 'crowdstrike_cql'): {
     source: string;
     detections: Array<{
         name: string;