security-detections-mcp 3.0.0 → 3.1.0

@@ -1,16 +1,16 @@
1
1
  /**
2
2
  * Detection Types
3
- * Core detection interfaces for Sigma, Splunk ESCU, Elastic, and KQL rules
3
+ * Core detection interfaces for Sigma, Splunk ESCU, Elastic, KQL, Sublime, and CrowdStrike CQL rules
4
4
  */
5
5
  /**
6
- * Unified detection schema - normalized from Sigma, Splunk ESCU, Elastic, and KQL sources
6
+ * Unified detection schema - normalized from Sigma, Splunk ESCU, Elastic, KQL, Sublime, and CrowdStrike CQL sources
7
7
  */
8
8
  export interface Detection {
9
9
  id: string;
10
10
  name: string;
11
11
  description: string;
12
12
  query: string;
13
- source_type: 'sigma' | 'splunk_escu' | 'elastic' | 'kql';
13
+ source_type: 'sigma' | 'splunk_escu' | 'elastic' | 'kql' | 'sublime' | 'crowdstrike_cql';
14
14
  mitre_ids: string[];
15
15
  logsource_category: string | null;
16
16
  logsource_product: string | null;
@@ -39,6 +39,9 @@ export interface Detection {
39
39
  kql_category: string | null;
40
40
  kql_tags: string[];
41
41
  kql_keywords: string[];
42
+ sublime_attack_types: string[];
43
+ sublime_detection_methods: string[];
44
+ sublime_tactics: string[];
42
45
  }
43
46
  /**
44
47
  * Lightweight detection summary - for fast retrieval without full query/yaml bloat
@@ -46,11 +49,35 @@ export interface Detection {
46
49
  export interface DetectionSummary {
47
50
  id: string;
48
51
  name: string;
49
- source_type: 'sigma' | 'splunk_escu' | 'elastic' | 'kql';
52
+ source_type: 'sigma' | 'splunk_escu' | 'elastic' | 'kql' | 'sublime' | 'crowdstrike_cql';
50
53
  mitre_ids: string[];
51
54
  severity: string | null;
52
55
  mitre_tactics: string[];
53
56
  }
57
+ /**
58
+ * Sublime Security rule structure (YAML format with MQL source)
59
+ * @see https://github.com/sublime-security/sublime-rules
60
+ */
61
+ export interface SublimeRule {
62
+ name: string;
63
+ description: string;
64
+ type: 'rule' | 'exclusion';
65
+ source: string;
66
+ id?: string;
67
+ severity?: 'low' | 'medium' | 'high' | 'critical';
68
+ references?: string[];
69
+ tags?: string[];
70
+ authors?: Array<{
71
+ name?: string;
72
+ twitter?: string;
73
+ github?: string;
74
+ email?: string;
75
+ }>;
76
+ attack_types?: string[];
77
+ tactics_and_techniques?: string[];
78
+ detection_methods?: string[];
79
+ false_positives?: string[];
80
+ }
54
81
  /**
55
82
  * Sigma rule structure based on official Sigma specification
56
83
  * @see https://github.com/SigmaHQ/sigma-specification
@@ -163,3 +190,18 @@ export interface ElasticTechnique {
163
190
  reference?: string;
164
191
  subtechnique?: ElasticTechnique[];
165
192
  }
193
+ /**
194
+ * CQL Hub rule structure (CrowdStrike Query Language)
195
+ * @see https://github.com/ByteRay-Labs/Query-Hub
196
+ */
197
+ export interface CqlHubRule {
198
+ name: string;
199
+ cql: string;
200
+ mitre_ids?: string[];
201
+ description?: string;
202
+ author?: string;
203
+ log_sources?: string[];
204
+ tags?: string[];
205
+ cs_required_modules?: string[];
206
+ explanation?: string;
207
+ }
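Review bot: The six-member source_type union is now written out twice, on the `Detection.source_type` line and again on the `DetectionSummary.source_type` line in the third hunk, so the next source added (this release added two) has to be edited in both places or the two interfaces silently diverge; declare it once, `export type DetectionSourceType = 'sigma' | 'splunk_escu' | 'elastic' | 'kql' | 'sublime' | 'crowdstrike_cql';`, and use `source_type: DetectionSourceType;` in both interfaces. The `SublimeRule.source` and `CqlHubRule.cql` fields carry rule query text as ingested from the referenced upstream GitHub repositories, and nothing in these types validates it; a short TSDoc note on each, e.g. `/** MQL query text taken verbatim from the upstream rule; not validated here */`, would make that explicit for consumers that pass the string on to a query engine. The `Detection` interface starts in the first hunk and continues outside it, so whether the CrowdStrike source gets per-source fields like the three new `sublime_*` ones cannot be checked from here.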
@@ -1,5 +1,5 @@
1
1
  /**
2
2
  * Detection Types
3
- * Core detection interfaces for Sigma, Splunk ESCU, Elastic, and KQL rules
3
+ * Core detection interfaces for Sigma, Splunk ESCU, Elastic, KQL, Sublime, and CrowdStrike CQL rules
4
4
  */
5
5
  export {};
@@ -4,14 +4,14 @@
4
4
  * This module exports all type definitions used throughout the MCP server.
5
5
  * Types are organized into logical modules:
6
6
  *
7
- * - detection: Core detection types (Sigma, Splunk, Elastic, KQL)
7
+ * - detection: Core detection types (Sigma, Splunk, Elastic, KQL, CrowdStrike CQL)
8
8
  * - story: Analytic story and campaign grouping types
9
9
  * - stats: Statistics, comparisons, and cached query types
10
10
  * - knowledge: Knowledge graph types for agent memory
11
11
  * - dynamic: Dynamic table types for runtime schema extension
12
12
  * - meta: Meta-tool types for custom tools and workflows
13
13
  */
14
- export type { Detection, DetectionSummary, SigmaRule, SplunkDetection, ElasticRule, ElasticThreat, ElasticTechnique, } from './detection.js';
14
+ export type { Detection, DetectionSummary, SigmaRule, SplunkDetection, ElasticRule, ElasticThreat, ElasticTechnique, SublimeRule, CqlHubRule, } from './detection.js';
15
15
  export type { AnalyticStory, SplunkStoryYaml, } from './story.js';
16
16
  export type { IndexStats, SourceComparison, SavedQuery, } from './stats.js';
17
17
  export type { KnowledgeEntity, KnowledgeRelation, KnowledgeObservation, KnowledgeDecision, KnowledgeLearning, KnowledgeQueryOptions, } from './knowledge.js';
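Review bot: The updated module header line `* - detection: Core detection types (Sigma, Splunk, Elastic, KQL, CrowdStrike CQL)` omits Sublime even though the export list on the next changed line now re-exports `SublimeRule` from './detection.js'; the same header appears a second time in the following hunk of the compiled index module with the same omission. Suggest ` * - detection: Core detection types (Sigma, Splunk, Elastic, KQL, Sublime, CrowdStrike CQL)` in both places so the listing matches what the module actually exports.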
@@ -4,7 +4,7 @@
4
4
  * This module exports all type definitions used throughout the MCP server.
5
5
  * Types are organized into logical modules:
6
6
  *
7
- * - detection: Core detection types (Sigma, Splunk, Elastic, KQL)
7
+ * - detection: Core detection types (Sigma, Splunk, Elastic, KQL, CrowdStrike CQL)
8
8
  * - story: Analytic story and campaign grouping types
9
9
  * - stats: Statistics, comparisons, and cached query types
10
10
  * - knowledge: Knowledge graph types for agent memory
@@ -11,6 +11,7 @@ export interface IndexStats {
11
11
  splunk_escu: number;
12
12
  elastic: number;
13
13
  kql: number;
14
+ sublime: number;
14
15
  by_severity: Record<string, number>;
15
16
  by_logsource_product: Record<string, number>;
16
17
  mitre_coverage: number;
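Review bot: The added `sublime: number;` field gives IndexStats a per-source count for the new Sublime source, but there is no corresponding `crowdstrike_cql: number;` even though this release extends `Detection.source_type` with both `'sublime'` and `'crowdstrike_cql'`; unless CQL Hub rules are counted under another bucket, which cannot be confirmed from this hunk, detections of that source will not be reflected in the per-source statistics. Suggest adding `crowdstrike_cql: number;` next to `sublime`. The `IndexStats` interface starts outside the hunk, so any other fields that enumerate sources could not be checked here.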
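--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "security-detections-mcp",
- "version": "3.0.0",
+ "version": "3.1.0",
  "description": "Advanced MCP server for security detections with Detection Engineering Intelligence, Knowledge Graph (Tribal Knowledge), Elicitation, and Resource Subscriptions",
  "sigmaSpecVersion": "2.0.0",
  "type": "module",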