security-detections-mcp 2.1.1 → 3.1.0

package/dist/db.js

@@ -51,7 +51,10 @@ export function initDb() {
       platforms TEXT,
       kql_category TEXT,
       kql_tags TEXT,
-      kql_keywords TEXT
+      kql_keywords TEXT,
+      sublime_attack_types TEXT,
+      sublime_detection_methods TEXT,
+      sublime_tactics TEXT
     )
   `);
     // Create FTS5 virtual table for full-text search with all searchable fields
@@ -74,6 +77,9 @@ export function initDb() {
       kql_category,
       kql_tags,
       kql_keywords,
+      sublime_attack_types,
+      sublime_detection_methods,
+      sublime_tactics,
       content='detections',
       content_rowid='rowid'
     )
@@ -81,22 +87,22 @@ export function initDb() {
     // Create triggers to keep FTS in sync
     db.exec(`
     CREATE TRIGGER IF NOT EXISTS detections_ai AFTER INSERT ON detections BEGIN
-      INSERT INTO detections_fts(rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords)
-      VALUES (NEW.rowid, NEW.id, NEW.name, NEW.description, NEW.query, NEW.mitre_ids, NEW.tags, NEW.cves, NEW.analytic_stories, NEW.data_sources, NEW.process_names, NEW.file_paths, NEW.registry_paths, NEW.mitre_tactics, NEW.platforms, NEW.kql_category, NEW.kql_tags, NEW.kql_keywords);
+      INSERT INTO detections_fts(rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords, sublime_attack_types, sublime_detection_methods, sublime_tactics)
+      VALUES (NEW.rowid, NEW.id, NEW.name, NEW.description, NEW.query, NEW.mitre_ids, NEW.tags, NEW.cves, NEW.analytic_stories, NEW.data_sources, NEW.process_names, NEW.file_paths, NEW.registry_paths, NEW.mitre_tactics, NEW.platforms, NEW.kql_category, NEW.kql_tags, NEW.kql_keywords, NEW.sublime_attack_types, NEW.sublime_detection_methods, NEW.sublime_tactics);
     END
   `);
     db.exec(`
     CREATE TRIGGER IF NOT EXISTS detections_ad AFTER DELETE ON detections BEGIN
-      INSERT INTO detections_fts(detections_fts, rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords)
-      VALUES ('delete', OLD.rowid, OLD.id, OLD.name, OLD.description, OLD.query, OLD.mitre_ids, OLD.tags, OLD.cves, OLD.analytic_stories, OLD.data_sources, OLD.process_names, OLD.file_paths, OLD.registry_paths, OLD.mitre_tactics, OLD.platforms, OLD.kql_category, OLD.kql_tags, OLD.kql_keywords);
+      INSERT INTO detections_fts(detections_fts, rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords, sublime_attack_types, sublime_detection_methods, sublime_tactics)
+      VALUES ('delete', OLD.rowid, OLD.id, OLD.name, OLD.description, OLD.query, OLD.mitre_ids, OLD.tags, OLD.cves, OLD.analytic_stories, OLD.data_sources, OLD.process_names, OLD.file_paths, OLD.registry_paths, OLD.mitre_tactics, OLD.platforms, OLD.kql_category, OLD.kql_tags, OLD.kql_keywords, OLD.sublime_attack_types, OLD.sublime_detection_methods, OLD.sublime_tactics);
     END
   `);
     db.exec(`
     CREATE TRIGGER IF NOT EXISTS detections_au AFTER UPDATE ON detections BEGIN
-      INSERT INTO detections_fts(detections_fts, rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords)
-      VALUES ('delete', OLD.rowid, OLD.id, OLD.name, OLD.description, OLD.query, OLD.mitre_ids, OLD.tags, OLD.cves, OLD.analytic_stories, OLD.data_sources, OLD.process_names, OLD.file_paths, OLD.registry_paths, OLD.mitre_tactics, OLD.platforms, OLD.kql_category, OLD.kql_tags, OLD.kql_keywords);
-      INSERT INTO detections_fts(rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords)
-      VALUES (NEW.rowid, NEW.id, NEW.name, NEW.description, NEW.query, NEW.mitre_ids, NEW.tags, NEW.cves, NEW.analytic_stories, NEW.data_sources, NEW.process_names, NEW.file_paths, NEW.registry_paths, NEW.mitre_tactics, NEW.platforms, NEW.kql_category, NEW.kql_tags, NEW.kql_keywords);
+      INSERT INTO detections_fts(detections_fts, rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords, sublime_attack_types, sublime_detection_methods, sublime_tactics)
+      VALUES ('delete', OLD.rowid, OLD.id, OLD.name, OLD.description, OLD.query, OLD.mitre_ids, OLD.tags, OLD.cves, OLD.analytic_stories, OLD.data_sources, OLD.process_names, OLD.file_paths, OLD.registry_paths, OLD.mitre_tactics, OLD.platforms, OLD.kql_category, OLD.kql_tags, OLD.kql_keywords, OLD.sublime_attack_types, OLD.sublime_detection_methods, OLD.sublime_tactics);
+      INSERT INTO detections_fts(rowid, id, name, description, query, mitre_ids, tags, cves, analytic_stories, data_sources, process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords, sublime_attack_types, sublime_detection_methods, sublime_tactics)
+      VALUES (NEW.rowid, NEW.id, NEW.name, NEW.description, NEW.query, NEW.mitre_ids, NEW.tags, NEW.cves, NEW.analytic_stories, NEW.data_sources, NEW.process_names, NEW.file_paths, NEW.registry_paths, NEW.mitre_tactics, NEW.platforms, NEW.kql_category, NEW.kql_tags, NEW.kql_keywords, NEW.sublime_attack_types, NEW.sublime_detection_methods, NEW.sublime_tactics);
     END
   `);
     // Create indexes for common queries
@@ -199,15 +205,16 @@ export function recreateDb() {
 export function insertDetection(detection) {
     const database = initDb();
     const stmt = database.prepare(`
-    INSERT OR REPLACE INTO detections 
-    (id, name, description, query, source_type, mitre_ids, logsource_category, 
-     logsource_product, logsource_service, severity, status, author, 
+    INSERT OR REPLACE INTO detections
+    (id, name, description, query, source_type, mitre_ids, logsource_category,
+     logsource_product, logsource_service, severity, status, author,
      date_created, date_modified, refs, falsepositives, tags, file_path, raw_yaml,
      cves, analytic_stories, data_sources, detection_type, asset_type, security_domain,
-     process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords)
-    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+     process_names, file_paths, registry_paths, mitre_tactics, platforms, kql_category, kql_tags, kql_keywords,
+     sublime_attack_types, sublime_detection_methods, sublime_tactics)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
   `);
-    stmt.run(detection.id, detection.name, detection.description, detection.query, detection.source_type, JSON.stringify(detection.mitre_ids), detection.logsource_category, detection.logsource_product, detection.logsource_service, detection.severity, detection.status, detection.author, detection.date_created, detection.date_modified, JSON.stringify(detection.references), JSON.stringify(detection.falsepositives), JSON.stringify(detection.tags), detection.file_path, detection.raw_yaml, JSON.stringify(detection.cves), JSON.stringify(detection.analytic_stories), JSON.stringify(detection.data_sources), detection.detection_type, detection.asset_type, detection.security_domain, JSON.stringify(detection.process_names), JSON.stringify(detection.file_paths), JSON.stringify(detection.registry_paths), JSON.stringify(detection.mitre_tactics), JSON.stringify(detection.platforms), detection.kql_category, JSON.stringify(detection.kql_tags), JSON.stringify(detection.kql_keywords));
+    stmt.run(detection.id, detection.name, detection.description, detection.query, detection.source_type, JSON.stringify(detection.mitre_ids), detection.logsource_category, detection.logsource_product, detection.logsource_service, detection.severity, detection.status, detection.author, detection.date_created, detection.date_modified, JSON.stringify(detection.references), JSON.stringify(detection.falsepositives), JSON.stringify(detection.tags), detection.file_path, detection.raw_yaml, JSON.stringify(detection.cves), JSON.stringify(detection.analytic_stories), JSON.stringify(detection.data_sources), detection.detection_type, detection.asset_type, detection.security_domain, JSON.stringify(detection.process_names), JSON.stringify(detection.file_paths), JSON.stringify(detection.registry_paths), JSON.stringify(detection.mitre_tactics), JSON.stringify(detection.platforms), detection.kql_category, JSON.stringify(detection.kql_tags), JSON.stringify(detection.kql_keywords), JSON.stringify(detection.sublime_attack_types), JSON.stringify(detection.sublime_detection_methods), JSON.stringify(detection.sublime_tactics));
 }
 function rowToDetection(row) {
     return {
@@ -244,6 +251,9 @@ function rowToDetection(row) {
         kql_category: row.kql_category,
         kql_tags: JSON.parse(row.kql_tags || '[]'),
         kql_keywords: JSON.parse(row.kql_keywords || '[]'),
+        sublime_attack_types: JSON.parse(row.sublime_attack_types || '[]'),
+        sublime_detection_methods: JSON.parse(row.sublime_detection_methods || '[]'),
+        sublime_tactics: JSON.parse(row.sublime_tactics || '[]'),
     };
 }
 export function searchDetections(query, limit = 50) {
@@ -419,6 +429,7 @@ export function getStats() {
     const splunk = database.prepare("SELECT COUNT(*) as count FROM detections WHERE source_type = 'splunk_escu'").get().count;
     const elastic = database.prepare("SELECT COUNT(*) as count FROM detections WHERE source_type = 'elastic'").get().count;
     const kql = database.prepare("SELECT COUNT(*) as count FROM detections WHERE source_type = 'kql'").get().count;
+    const sublime = database.prepare("SELECT COUNT(*) as count FROM detections WHERE source_type = 'sublime'").get().count;
     // Count by severity
     const severityRows = database.prepare(`
     SELECT severity, COUNT(*) as count FROM detections 
@@ -496,6 +507,7 @@ export function getStats() {
         splunk_escu: splunk,
         elastic,
         kql,
+        sublime,
         by_severity,
         by_logsource_product,
         mitre_coverage,

package/dist/index.js

@@ -27,17 +27,19 @@ const SPLUNK_PATHS = parsePaths(process.env.SPLUNK_PATHS);
 const ELASTIC_PATHS = parsePaths(process.env.ELASTIC_PATHS);
 const STORY_PATHS = parsePaths(process.env.STORY_PATHS);
 const KQL_PATHS = parsePaths(process.env.KQL_PATHS);
+const SUBLIME_PATHS = parsePaths(process.env.SUBLIME_PATHS);
+const CQL_HUB_PATHS = parsePaths(process.env.CQL_HUB_PATHS);
 // Auto-index on startup if paths are configured and DB is empty
 function autoIndex() {
-    if (SIGMA_PATHS.length === 0 && SPLUNK_PATHS.length === 0 && ELASTIC_PATHS.length === 0 && KQL_PATHS.length === 0) {
+    if (SIGMA_PATHS.length === 0 && SPLUNK_PATHS.length === 0 && ELASTIC_PATHS.length === 0 && KQL_PATHS.length === 0 && SUBLIME_PATHS.length === 0 && CQL_HUB_PATHS.length === 0) {
         return;
     }
     initDb();
     if (needsIndexing()) {
         console.error('[security-detections-mcp] Auto-indexing detections...');
-        const result = indexDetections(SIGMA_PATHS, SPLUNK_PATHS, STORY_PATHS, ELASTIC_PATHS, KQL_PATHS);
+        const result = indexDetections(SIGMA_PATHS, SPLUNK_PATHS, STORY_PATHS, ELASTIC_PATHS, KQL_PATHS, SUBLIME_PATHS, CQL_HUB_PATHS);
         let msg = `[security-detections-mcp] Indexed ${result.total} detections`;
-        msg += ` (${result.sigma_indexed} Sigma, ${result.splunk_indexed} Splunk, ${result.elastic_indexed} Elastic, ${result.kql_indexed} KQL)`;
+        msg += ` (${result.sigma_indexed} Sigma, ${result.splunk_indexed} Splunk, ${result.elastic_indexed} Elastic, ${result.kql_indexed} KQL, ${result.sublime_indexed} Sublime, ${result.cql_hub_indexed} CrowdStrike CQL)`;
         if (result.stories_indexed > 0) {
             msg += `, ${result.stories_indexed} stories`;
         }

package/dist/indexer.d.ts

@@ -7,9 +7,13 @@ export interface IndexResult {
     elastic_failed: number;
     kql_indexed: number;
     kql_failed: number;
+    sublime_indexed: number;
+    sublime_failed: number;
+    cql_hub_indexed: number;
+    cql_hub_failed: number;
     stories_indexed: number;
     stories_failed: number;
     total: number;
 }
-export declare function indexDetections(sigmaPaths: string[], splunkPaths: string[], storyPaths?: string[], elasticPaths?: string[], kqlPaths?: string[]): IndexResult;
+export declare function indexDetections(sigmaPaths: string[], splunkPaths: string[], storyPaths?: string[], elasticPaths?: string[], kqlPaths?: string[], sublimePaths?: string[], cqlHubPaths?: string[]): IndexResult;
 export declare function needsIndexing(): boolean;

package/dist/indexer.js

@@ -5,6 +5,8 @@ import { parseSplunkFile } from './parsers/splunk.js';
 import { parseStoryFile } from './parsers/story.js';
 import { parseElasticFile } from './parsers/elastic.js';
 import { parseKqlFile, parseRawKqlFile } from './parsers/kql.js';
+import { parseSublimeFile } from './parsers/sublime.js';
+import { parseCqlHubFile } from './parsers/crowdstrike_cql.js';
 import { recreateDb, insertDetection, insertStory, getDetectionCount, initDb } from './db.js';
 // Recursively find all YAML files in a directory
 function findYamlFiles(dir) {
@@ -108,7 +110,7 @@ function findKqlFiles(dir) {
     }
     return files;
 }
-export function indexDetections(sigmaPaths, splunkPaths, storyPaths = [], elasticPaths = [], kqlPaths = []) {
+export function indexDetections(sigmaPaths, splunkPaths, storyPaths = [], elasticPaths = [], kqlPaths = [], sublimePaths = [], cqlHubPaths = []) {
     // Recreate DB to ensure schema is up to date
     recreateDb();
     initDb();
@@ -120,6 +122,10 @@ export function indexDetections(sigmaPaths, splunkPaths, storyPaths = [], elasti
     let elastic_failed = 0;
     let kql_indexed = 0;
     let kql_failed = 0;
+    let sublime_indexed = 0;
+    let sublime_failed = 0;
+    let cql_hub_indexed = 0;
+    let cql_hub_failed = 0;
     let stories_indexed = 0;
     let stories_failed = 0;
     // Index Sigma rules
@@ -190,6 +196,34 @@ export function indexDetections(sigmaPaths, splunkPaths, storyPaths = [], elasti
             }
         }
     }
+    // Index Sublime Security rules (YAML with MQL source)
+    for (const basePath of sublimePaths) {
+        const files = findYamlFiles(basePath);
+        for (const file of files) {
+            const detection = parseSublimeFile(file);
+            if (detection) {
+                insertDetection(detection);
+                sublime_indexed++;
+            }
+            else {
+                sublime_failed++;
+            }
+        }
+    }
+    // Index CQL Hub queries (CrowdStrike Query Language)
+    for (const basePath of cqlHubPaths) {
+        const files = findYamlFiles(basePath);
+        for (const file of files) {
+            const detection = parseCqlHubFile(file);
+            if (detection) {
+                insertDetection(detection);
+                cql_hub_indexed++;
+            }
+            else {
+                cql_hub_failed++;
+            }
+        }
+    }
     // Index Splunk Analytic Stories (optional)
     for (const basePath of storyPaths) {
         const files = findYamlFiles(basePath);
@@ -213,9 +247,13 @@ export function indexDetections(sigmaPaths, splunkPaths, storyPaths = [], elasti
         elastic_failed,
         kql_indexed,
         kql_failed,
+        sublime_indexed,
+        sublime_failed,
+        cql_hub_indexed,
+        cql_hub_failed,
         stories_indexed,
         stories_failed,
-        total: sigma_indexed + splunk_indexed + elastic_indexed + kql_indexed,
+        total: sigma_indexed + splunk_indexed + elastic_indexed + kql_indexed + sublime_indexed + cql_hub_indexed,
     };
 }
 export function needsIndexing() {

package/dist/parsers/crowdstrike_cql.d.ts

@@ -0,0 +1,2 @@
+import type { Detection } from '../types.js';
+export declare function parseCqlHubFile(filePath: string): Detection | null;

package/dist/parsers/crowdstrike_cql.js

@@ -0,0 +1,302 @@
+import { readFileSync } from 'fs';
+import { parse as parseYaml } from 'yaml';
+import { createHash } from 'crypto';
+// MITRE technique ID to tactic(s) mapping (top-level techniques only)
+// Some techniques belong to multiple tactics (e.g., T1078 -> initial-access & persistence)
+const TECHNIQUE_TO_TACTICS = {
+    'T1595': ['reconnaissance'], 'T1592': ['reconnaissance'], 'T1589': ['reconnaissance'],
+    'T1590': ['reconnaissance'], 'T1591': ['reconnaissance'], 'T1598': ['reconnaissance'],
+    'T1597': ['reconnaissance'], 'T1596': ['reconnaissance'], 'T1593': ['reconnaissance'],
+    'T1594': ['reconnaissance'],
+    'T1583': ['resource-development'], 'T1586': ['resource-development'], 'T1584': ['resource-development'],
+    'T1587': ['resource-development'], 'T1585': ['resource-development'], 'T1588': ['resource-development'],
+    'T1608': ['resource-development'],
+    'T1189': ['initial-access'], 'T1190': ['initial-access'],
+    'T1200': ['initial-access'], 'T1566': ['initial-access'],
+    'T1195': ['initial-access'], 'T1199': ['initial-access'],
+    'T1133': ['initial-access', 'persistence'],
+    'T1078': ['initial-access', 'persistence', 'privilege-escalation', 'defense-evasion'],
+    'T1091': ['initial-access', 'lateral-movement'],
+    'T1059': ['execution'], 'T1203': ['execution'], 'T1559': ['execution'],
+    'T1106': ['execution'], 'T1129': ['execution'],
+    'T1204': ['execution'], 'T1047': ['execution'], 'T1569': ['execution'],
+    'T1053': ['execution', 'persistence', 'privilege-escalation'],
+    'T1098': ['persistence'], 'T1197': ['persistence'], 'T1547': ['persistence', 'privilege-escalation'],
+    'T1037': ['persistence'], 'T1136': ['persistence'], 'T1543': ['persistence', 'privilege-escalation'],
+    'T1546': ['persistence', 'privilege-escalation'], 'T1574': ['persistence', 'privilege-escalation'],
+    'T1525': ['persistence'], 'T1556': ['persistence', 'credential-access', 'defense-evasion'],
+    'T1137': ['persistence'], 'T1542': ['persistence', 'defense-evasion'],
+    'T1505': ['persistence'], 'T1205': ['persistence', 'defense-evasion'],
+    'T1548': ['privilege-escalation', 'defense-evasion'], 'T1134': ['privilege-escalation', 'defense-evasion'],
+    'T1068': ['privilege-escalation'], 'T1484': ['privilege-escalation', 'defense-evasion'],
+    'T1611': ['privilege-escalation'],
+    'T1562': ['defense-evasion'], 'T1070': ['defense-evasion'], 'T1202': ['defense-evasion'],
+    'T1036': ['defense-evasion'], 'T1055': ['defense-evasion', 'privilege-escalation'],
+    'T1027': ['defense-evasion'], 'T1218': ['defense-evasion'], 'T1216': ['defense-evasion'],
+    'T1220': ['defense-evasion'], 'T1140': ['defense-evasion'], 'T1112': ['defense-evasion'],
+    'T1564': ['defense-evasion'],
+    'T1003': ['credential-access'], 'T1110': ['credential-access'], 'T1555': ['credential-access'],
+    'T1212': ['credential-access'], 'T1187': ['credential-access'], 'T1606': ['credential-access'],
+    'T1056': ['credential-access', 'collection'], 'T1557': ['credential-access', 'collection'],
+    'T1111': ['credential-access'], 'T1552': ['credential-access'], 'T1558': ['credential-access'],
+    'T1539': ['credential-access'], 'T1528': ['credential-access'], 'T1649': ['credential-access'],
+    'T1087': ['discovery'], 'T1010': ['discovery'], 'T1217': ['discovery'],
+    'T1580': ['discovery'], 'T1538': ['discovery'], 'T1526': ['discovery'],
+    'T1482': ['discovery'], 'T1083': ['discovery'], 'T1046': ['discovery'],
+    'T1135': ['discovery'], 'T1040': ['discovery', 'credential-access'],
+    'T1201': ['discovery'], 'T1120': ['discovery'], 'T1069': ['discovery'],
+    'T1057': ['discovery'], 'T1012': ['discovery'], 'T1018': ['discovery'],
+    'T1518': ['discovery'], 'T1082': ['discovery'], 'T1016': ['discovery'],
+    'T1049': ['discovery'], 'T1033': ['discovery'], 'T1007': ['discovery'],
+    'T1124': ['discovery'],
+    'T1021': ['lateral-movement'], 'T1072': ['lateral-movement'],
+    'T1080': ['lateral-movement'], 'T1550': ['lateral-movement', 'defense-evasion'],
+    'T1563': ['lateral-movement'], 'T1570': ['lateral-movement'],
+    'T1560': ['collection'], 'T1123': ['collection'], 'T1119': ['collection'],
+    'T1115': ['collection'], 'T1530': ['collection'], 'T1602': ['collection'],
+    'T1213': ['collection'], 'T1005': ['collection'], 'T1039': ['collection'],
+    'T1025': ['collection'], 'T1074': ['collection'], 'T1114': ['collection'],
+    'T1113': ['collection'], 'T1125': ['collection'],
+    'T1071': ['command-and-control'], 'T1132': ['command-and-control'],
+    'T1001': ['command-and-control'], 'T1568': ['command-and-control'],
+    'T1573': ['command-and-control'], 'T1008': ['command-and-control'],
+    'T1105': ['command-and-control'], 'T1104': ['command-and-control'],
+    'T1095': ['command-and-control'], 'T1571': ['command-and-control'],
+    'T1572': ['command-and-control'], 'T1090': ['command-and-control'],
+    'T1219': ['command-and-control'], 'T1102': ['command-and-control'],
+    'T1048': ['exfiltration'], 'T1041': ['exfiltration'], 'T1011': ['exfiltration'],
+    'T1052': ['exfiltration'], 'T1567': ['exfiltration'], 'T1029': ['exfiltration'],
+    'T1537': ['exfiltration'],
+    'T1531': ['impact'], 'T1485': ['impact'], 'T1486': ['impact'],
+    'T1565': ['impact'], 'T1491': ['impact'], 'T1561': ['impact'],
+    'T1499': ['impact'], 'T1495': ['impact'], 'T1489': ['impact'],
+    'T1490': ['impact'], 'T1498': ['impact'], 'T1496': ['impact'],
+};
+// Generate a stable ID from file path and rule name
+function generateId(filePath, name) {
+    const hash = createHash('sha256')
+        .update(`${filePath}:${name}`)
+        .digest('hex')
+        .substring(0, 32);
+    return `crowdstrike-cql-${hash}`;
+}
+// Extract MITRE tactics from technique IDs
+function extractMitreTactics(mitreIds) {
+    const tactics = new Set();
+    for (const id of mitreIds) {
+        // Get the parent technique ID (T1003.001 -> T1003)
+        const parentId = id.split('.')[0];
+        const mapped = TECHNIQUE_TO_TACTICS[parentId];
+        if (mapped) {
+            for (const tactic of mapped) {
+                tactics.add(tactic);
+            }
+        }
+    }
+    return [...tactics];
+}
+// Extract process names from CQL query text
+function extractProcessNames(cql) {
+    const processNames = new Set();
+    // Match .exe references in CQL patterns like FileName=/cmd.exe/, ImageFileName=/\\mimikatz\.exe$/
+    const exeMatches = cql.match(/[\w.-]+\.exe/gi);
+    if (exeMatches) {
+        for (const match of exeMatches) {
+            const name = match.toLowerCase();
+            if (name.length > 4 && !name.includes('*')) {
+                processNames.add(name);
+            }
+        }
+    }
+    return [...processNames];
+}
+// Extract file paths from CQL query text
+function extractFilePaths(cql) {
+    const filePaths = new Set();
+    const interestingPaths = [
+        'C:\\Windows\\Temp', 'C:\\Windows\\System32', 'C:\\Windows\\SysWOW64',
+        'C:\\ProgramData', 'C:\\Users\\Public', '\\AppData\\Local\\Temp',
+        '\\AppData\\Roaming',
+    ];
+    const cqlLower = cql.toLowerCase();
+    for (const path of interestingPaths) {
+        if (cqlLower.includes(path.toLowerCase())) {
+            filePaths.add(path);
+        }
+    }
+    if (cqlLower.includes('\\temp\\') || cqlLower.includes('\\tmp\\')) {
+        filePaths.add('Temp directory');
+    }
+    return [...filePaths];
+}
+// Extract registry paths from CQL query text
+function extractRegistryPaths(cql) {
+    const registryPaths = new Set();
+    const cqlLower = cql.toLowerCase();
+    if (cqlLower.includes('hklm') || cqlLower.includes('hkey_local_machine')) {
+        registryPaths.add('HKLM registry');
+    }
+    if (cqlLower.includes('hkcu') || cqlLower.includes('hkey_current_user')) {
+        registryPaths.add('HKCU registry');
+    }
+    if (cqlLower.includes('\\run\\') || cqlLower.includes('\\runonce\\')) {
+        registryPaths.add('Run/RunOnce keys');
+    }
+    if (cqlLower.includes('\\services\\')) {
+        registryPaths.add('Services registry');
+    }
+    return [...registryPaths];
+}
+// Extract CVE IDs from name and description
+function extractCves(text) {
+    const matches = text.match(/CVE-\d{4}-\d+/gi);
+    if (!matches)
+        return [];
+    return [...new Set(matches.map(m => m.toUpperCase()))];
+}
+// Infer platforms from CQL query and log_sources
+function extractPlatforms(cql, logSources) {
+    const platforms = new Set();
+    // Check event_platform in CQL
+    if (/event_platform\s*=\s*"?Win/i.test(cql))
+        platforms.add('windows');
+    if (/event_platform\s*=\s*"?Mac/i.test(cql))
+        platforms.add('macos');
+    if (/event_platform\s*=\s*"?Lin/i.test(cql))
+        platforms.add('linux');
+    // Infer from log_sources
+    for (const src of logSources) {
+        const lower = src.toLowerCase();
+        if (lower === 'endpoint') {
+            // Endpoint could be any OS; only add if no specific platform found
+            if (platforms.size === 0) {
+                platforms.add('windows');
+                platforms.add('linux');
+            }
+        }
+        else if (lower === 'network') {
+            platforms.add('network');
+        }
+        else if (lower === 'cloud' || lower.includes('aws') || lower.includes('azure') || lower.includes('gcp')) {
+            platforms.add('cloud');
+        }
+    }
+    return [...platforms];
+}
+// Map log_sources to asset type
+function deriveAssetType(logSources) {
+    if (!logSources || logSources.length === 0)
+        return null;
+    const first = logSources[0].toLowerCase();
+    if (first === 'endpoint')
+        return 'Endpoint';
+    if (first === 'network')
+        return 'Network';
+    if (first === 'cloud' || first.includes('aws') || first.includes('azure') || first.includes('gcp'))
+        return 'Cloud';
+    if (first === 'identity' || first === 'idp')
+        return 'Endpoint';
+    return null;
+}
+// Map log_sources to security domain
+function deriveSecurityDomain(logSources) {
+    if (!logSources || logSources.length === 0)
+        return null;
+    const first = logSources[0].toLowerCase();
+    if (first === 'endpoint')
+        return 'endpoint';
+    if (first === 'network')
+        return 'network';
+    if (first === 'cloud' || first.includes('aws') || first.includes('azure') || first.includes('gcp'))
+        return 'cloud';
+    if (first === 'identity' || first === 'idp')
+        return 'access';
+    return null;
+}
+// Map tags to detection type
+function deriveDetectionType(tags) {
+    for (const tag of tags) {
+        const lower = tag.toLowerCase();
+        if (lower === 'hunting')
+            return 'Hunting';
+        if (lower === 'detection')
+            return 'TTP';
+        if (lower === 'anomaly')
+            return 'Anomaly';
+        if (lower === 'correlation')
+            return 'Correlation';
+    }
+    return null;
+}
+export function parseCqlHubFile(filePath) {
+    try {
+        const content = readFileSync(filePath, 'utf-8');
+        const rule = parseYaml(content);
+        // name and cql are required
+        if (!rule.name || !rule.cql) {
+            return null;
+        }
+        const id = generateId(filePath, rule.name);
+        const mitreIds = rule.mitre_ids || [];
+        const logSources = rule.log_sources || [];
+        const tags = rule.tags || [];
+        const csModules = rule.cs_required_modules || [];
+        // Build description: include explanation if present
+        let description = rule.description || '';
+        if (rule.explanation) {
+            description = description
+                ? `${description}\n\n${rule.explanation}`
+                : rule.explanation;
+        }
+        // Combine text fields for CVE extraction
+        const combinedText = `${rule.name} ${rule.description || ''}`;
+        // Build enriched tags: include cs_required_modules as prefixed tags
+        const enrichedTags = [
+            ...tags,
+            ...csModules.map(m => `cs_module:${m}`),
+        ];
+        const detection = {
+            id,
+            name: rule.name,
+            description,
+            query: rule.cql,
+            source_type: 'crowdstrike_cql',
+            mitre_ids: mitreIds,
+            logsource_category: logSources.length > 0 ? logSources[0].toLowerCase() : null,
+            logsource_product: 'crowdstrike',
+            logsource_service: 'falcon_logscale',
+            severity: null,
+            status: null,
+            author: rule.author || null,
+            date_created: null,
+            date_modified: null,
+            references: [],
+            falsepositives: [],
+            tags: enrichedTags,
+            file_path: filePath,
+            raw_yaml: content,
+            cves: extractCves(combinedText),
+            analytic_stories: [],
+            data_sources: logSources,
+            detection_type: deriveDetectionType(tags),
+            asset_type: deriveAssetType(logSources),
+            security_domain: deriveSecurityDomain(logSources),
+            process_names: extractProcessNames(rule.cql),
+            file_paths: extractFilePaths(rule.cql),
+            registry_paths: extractRegistryPaths(rule.cql),
+            mitre_tactics: extractMitreTactics(mitreIds),
+            platforms: extractPlatforms(rule.cql, logSources),
+            kql_category: null,
+            kql_tags: [],
+            kql_keywords: [],
+            sublime_attack_types: [],
+            sublime_detection_methods: [],
+            sublime_tactics: [],
+        };
+        return detection;
+    }
+    catch {
+        // Skip files that can't be parsed
+        return null;
+    }
+}

package/dist/parsers/elastic.js

@@ -235,6 +235,9 @@ export function parseElasticFile(filePath) {
             kql_category: null,
             kql_tags: [],
             kql_keywords: [],
+            sublime_attack_types: [],
+            sublime_detection_methods: [],
+            sublime_tactics: [],
         };
         return detection;
     }

package/dist/parsers/kql.js

@@ -341,6 +341,9 @@ export function parseRawKqlFile(filePath, basePath) {
             kql_category: category,
             kql_tags: tags,
             kql_keywords: keywords,
+            sublime_attack_types: [],
+            sublime_detection_methods: [],
+            sublime_tactics: [],
         };
         return detection;
     }
@@ -415,6 +418,9 @@ export function parseKqlFile(filePath, basePath) {
             kql_category: category,
             kql_tags: tags,
             kql_keywords: keywords,
+            sublime_attack_types: [],
+            sublime_detection_methods: [],
+            sublime_tactics: [],
         };
         return detection;
     }

package/dist/parsers/sigma.js

@@ -388,6 +388,9 @@ export function parseSigmaFile(filePath) {
             kql_category: null,
             kql_tags: [],
             kql_keywords: [],
+            sublime_attack_types: [],
+            sublime_detection_methods: [],
+            sublime_tactics: [],
         };
         return detection;
     }

package/dist/parsers/splunk.js

@@ -182,6 +182,9 @@ export function parseSplunkFile(filePath) {
             kql_category: null,
             kql_tags: [],
             kql_keywords: [],
+            sublime_attack_types: [],
+            sublime_detection_methods: [],
+            sublime_tactics: [],
         };
         return detection;
     }

package/dist/parsers/sublime.d.ts

@@ -0,0 +1,2 @@
+import type { Detection } from '../types.js';
+export declare function parseSublimeFile(filePath: string): Detection | null;