security-detections-mcp 3.0.0 → 3.1.1

package/dist/indexer.d.ts

@@ -7,9 +7,13 @@ export interface IndexResult {
     elastic_failed: number;
     kql_indexed: number;
     kql_failed: number;
+    sublime_indexed: number;
+    sublime_failed: number;
+    cql_hub_indexed: number;
+    cql_hub_failed: number;
     stories_indexed: number;
     stories_failed: number;
     total: number;
 }
-export declare function indexDetections(sigmaPaths: string[], splunkPaths: string[], storyPaths?: string[], elasticPaths?: string[], kqlPaths?: string[]): IndexResult;
+export declare function indexDetections(sigmaPaths: string[], splunkPaths: string[], storyPaths?: string[], elasticPaths?: string[], kqlPaths?: string[], sublimePaths?: string[], cqlHubPaths?: string[]): IndexResult;
 export declare function needsIndexing(): boolean;

package/dist/indexer.js

@@ -5,6 +5,8 @@ import { parseSplunkFile } from './parsers/splunk.js';
 import { parseStoryFile } from './parsers/story.js';
 import { parseElasticFile } from './parsers/elastic.js';
 import { parseKqlFile, parseRawKqlFile } from './parsers/kql.js';
+import { parseSublimeFile } from './parsers/sublime.js';
+import { parseCqlHubFile } from './parsers/crowdstrike_cql.js';
 import { recreateDb, insertDetection, insertStory, getDetectionCount, initDb } from './db.js';
 // Recursively find all YAML files in a directory
 function findYamlFiles(dir) {
@@ -108,7 +110,7 @@ function findKqlFiles(dir) {
     }
     return files;
 }
-export function indexDetections(sigmaPaths, splunkPaths, storyPaths = [], elasticPaths = [], kqlPaths = []) {
+export function indexDetections(sigmaPaths, splunkPaths, storyPaths = [], elasticPaths = [], kqlPaths = [], sublimePaths = [], cqlHubPaths = []) {
     // Recreate DB to ensure schema is up to date
     recreateDb();
     initDb();
@@ -120,6 +122,10 @@ export function indexDetections(sigmaPaths, splunkPaths, storyPaths = [], elasti
     let elastic_failed = 0;
     let kql_indexed = 0;
     let kql_failed = 0;
+    let sublime_indexed = 0;
+    let sublime_failed = 0;
+    let cql_hub_indexed = 0;
+    let cql_hub_failed = 0;
     let stories_indexed = 0;
     let stories_failed = 0;
     // Index Sigma rules
@@ -190,6 +196,34 @@ export function indexDetections(sigmaPaths, splunkPaths, storyPaths = [], elasti
             }
         }
     }
+    // Index Sublime Security rules (YAML with MQL source)
+    for (const basePath of sublimePaths) {
+        const files = findYamlFiles(basePath);
+        for (const file of files) {
+            const detection = parseSublimeFile(file);
+            if (detection) {
+                insertDetection(detection);
+                sublime_indexed++;
+            }
+            else {
+                sublime_failed++;
+            }
+        }
+    }
+    // Index CQL Hub queries (CrowdStrike Query Language)
+    for (const basePath of cqlHubPaths) {
+        const files = findYamlFiles(basePath);
+        for (const file of files) {
+            const detection = parseCqlHubFile(file);
+            if (detection) {
+                insertDetection(detection);
+                cql_hub_indexed++;
+            }
+            else {
+                cql_hub_failed++;
+            }
+        }
+    }
     // Index Splunk Analytic Stories (optional)
     for (const basePath of storyPaths) {
         const files = findYamlFiles(basePath);
@@ -213,9 +247,13 @@ export function indexDetections(sigmaPaths, splunkPaths, storyPaths = [], elasti
         elastic_failed,
         kql_indexed,
         kql_failed,
+        sublime_indexed,
+        sublime_failed,
+        cql_hub_indexed,
+        cql_hub_failed,
         stories_indexed,
         stories_failed,
-        total: sigma_indexed + splunk_indexed + elastic_indexed + kql_indexed,
+        total: sigma_indexed + splunk_indexed + elastic_indexed + kql_indexed + sublime_indexed + cql_hub_indexed,
     };
 }
 export function needsIndexing() {

package/dist/parsers/crowdstrike_cql.d.ts

@@ -0,0 +1,2 @@
+import type { Detection } from '../types.js';
+export declare function parseCqlHubFile(filePath: string): Detection | null;

package/dist/parsers/crowdstrike_cql.js

@@ -0,0 +1,302 @@
+import { readFileSync } from 'fs';
+import { parse as parseYaml } from 'yaml';
+import { createHash } from 'crypto';
+// MITRE technique ID to tactic(s) mapping (top-level techniques only)
+// Some techniques belong to multiple tactics (e.g., T1078 -> initial-access & persistence)
+const TECHNIQUE_TO_TACTICS = {
+    'T1595': ['reconnaissance'], 'T1592': ['reconnaissance'], 'T1589': ['reconnaissance'],
+    'T1590': ['reconnaissance'], 'T1591': ['reconnaissance'], 'T1598': ['reconnaissance'],
+    'T1597': ['reconnaissance'], 'T1596': ['reconnaissance'], 'T1593': ['reconnaissance'],
+    'T1594': ['reconnaissance'],
+    'T1583': ['resource-development'], 'T1586': ['resource-development'], 'T1584': ['resource-development'],
+    'T1587': ['resource-development'], 'T1585': ['resource-development'], 'T1588': ['resource-development'],
+    'T1608': ['resource-development'],
+    'T1189': ['initial-access'], 'T1190': ['initial-access'],
+    'T1200': ['initial-access'], 'T1566': ['initial-access'],
+    'T1195': ['initial-access'], 'T1199': ['initial-access'],
+    'T1133': ['initial-access', 'persistence'],
+    'T1078': ['initial-access', 'persistence', 'privilege-escalation', 'defense-evasion'],
+    'T1091': ['initial-access', 'lateral-movement'],
+    'T1059': ['execution'], 'T1203': ['execution'], 'T1559': ['execution'],
+    'T1106': ['execution'], 'T1129': ['execution'],
+    'T1204': ['execution'], 'T1047': ['execution'], 'T1569': ['execution'],
+    'T1053': ['execution', 'persistence', 'privilege-escalation'],
+    'T1098': ['persistence'], 'T1197': ['persistence'], 'T1547': ['persistence', 'privilege-escalation'],
+    'T1037': ['persistence'], 'T1136': ['persistence'], 'T1543': ['persistence', 'privilege-escalation'],
+    'T1546': ['persistence', 'privilege-escalation'], 'T1574': ['persistence', 'privilege-escalation'],
+    'T1525': ['persistence'], 'T1556': ['persistence', 'credential-access', 'defense-evasion'],
+    'T1137': ['persistence'], 'T1542': ['persistence', 'defense-evasion'],
+    'T1505': ['persistence'], 'T1205': ['persistence', 'defense-evasion'],
+    'T1548': ['privilege-escalation', 'defense-evasion'], 'T1134': ['privilege-escalation', 'defense-evasion'],
+    'T1068': ['privilege-escalation'], 'T1484': ['privilege-escalation', 'defense-evasion'],
+    'T1611': ['privilege-escalation'],
+    'T1562': ['defense-evasion'], 'T1070': ['defense-evasion'], 'T1202': ['defense-evasion'],
+    'T1036': ['defense-evasion'], 'T1055': ['defense-evasion', 'privilege-escalation'],
+    'T1027': ['defense-evasion'], 'T1218': ['defense-evasion'], 'T1216': ['defense-evasion'],
+    'T1220': ['defense-evasion'], 'T1140': ['defense-evasion'], 'T1112': ['defense-evasion'],
+    'T1564': ['defense-evasion'],
+    'T1003': ['credential-access'], 'T1110': ['credential-access'], 'T1555': ['credential-access'],
+    'T1212': ['credential-access'], 'T1187': ['credential-access'], 'T1606': ['credential-access'],
+    'T1056': ['credential-access', 'collection'], 'T1557': ['credential-access', 'collection'],
+    'T1111': ['credential-access'], 'T1552': ['credential-access'], 'T1558': ['credential-access'],
+    'T1539': ['credential-access'], 'T1528': ['credential-access'], 'T1649': ['credential-access'],
+    'T1087': ['discovery'], 'T1010': ['discovery'], 'T1217': ['discovery'],
+    'T1580': ['discovery'], 'T1538': ['discovery'], 'T1526': ['discovery'],
+    'T1482': ['discovery'], 'T1083': ['discovery'], 'T1046': ['discovery'],
+    'T1135': ['discovery'], 'T1040': ['discovery', 'credential-access'],
+    'T1201': ['discovery'], 'T1120': ['discovery'], 'T1069': ['discovery'],
+    'T1057': ['discovery'], 'T1012': ['discovery'], 'T1018': ['discovery'],
+    'T1518': ['discovery'], 'T1082': ['discovery'], 'T1016': ['discovery'],
+    'T1049': ['discovery'], 'T1033': ['discovery'], 'T1007': ['discovery'],
+    'T1124': ['discovery'],
+    'T1021': ['lateral-movement'], 'T1072': ['lateral-movement'],
+    'T1080': ['lateral-movement'], 'T1550': ['lateral-movement', 'defense-evasion'],
+    'T1563': ['lateral-movement'], 'T1570': ['lateral-movement'],
+    'T1560': ['collection'], 'T1123': ['collection'], 'T1119': ['collection'],
+    'T1115': ['collection'], 'T1530': ['collection'], 'T1602': ['collection'],
+    'T1213': ['collection'], 'T1005': ['collection'], 'T1039': ['collection'],
+    'T1025': ['collection'], 'T1074': ['collection'], 'T1114': ['collection'],
+    'T1113': ['collection'], 'T1125': ['collection'],
+    'T1071': ['command-and-control'], 'T1132': ['command-and-control'],
+    'T1001': ['command-and-control'], 'T1568': ['command-and-control'],
+    'T1573': ['command-and-control'], 'T1008': ['command-and-control'],
+    'T1105': ['command-and-control'], 'T1104': ['command-and-control'],
+    'T1095': ['command-and-control'], 'T1571': ['command-and-control'],
+    'T1572': ['command-and-control'], 'T1090': ['command-and-control'],
+    'T1219': ['command-and-control'], 'T1102': ['command-and-control'],
+    'T1048': ['exfiltration'], 'T1041': ['exfiltration'], 'T1011': ['exfiltration'],
+    'T1052': ['exfiltration'], 'T1567': ['exfiltration'], 'T1029': ['exfiltration'],
+    'T1537': ['exfiltration'],
+    'T1531': ['impact'], 'T1485': ['impact'], 'T1486': ['impact'],
+    'T1565': ['impact'], 'T1491': ['impact'], 'T1561': ['impact'],
+    'T1499': ['impact'], 'T1495': ['impact'], 'T1489': ['impact'],
+    'T1490': ['impact'], 'T1498': ['impact'], 'T1496': ['impact'],
+};
+// Generate a stable ID from file path and rule name
+function generateId(filePath, name) {
+    const hash = createHash('sha256')
+        .update(`${filePath}:${name}`)
+        .digest('hex')
+        .substring(0, 32);
+    return `crowdstrike-cql-${hash}`;
+}
+// Extract MITRE tactics from technique IDs
+function extractMitreTactics(mitreIds) {
+    const tactics = new Set();
+    for (const id of mitreIds) {
+        // Get the parent technique ID (T1003.001 -> T1003)
+        const parentId = id.split('.')[0];
+        const mapped = TECHNIQUE_TO_TACTICS[parentId];
+        if (mapped) {
+            for (const tactic of mapped) {
+                tactics.add(tactic);
+            }
+        }
+    }
+    return [...tactics];
+}
+// Extract process names from CQL query text
+function extractProcessNames(cql) {
+    const processNames = new Set();
+    // Match .exe references in CQL patterns like FileName=/cmd.exe/, ImageFileName=/\\mimikatz\.exe$/
+    const exeMatches = cql.match(/[\w.-]+\.exe/gi);
+    if (exeMatches) {
+        for (const match of exeMatches) {
+            const name = match.toLowerCase();
+            if (name.length > 4 && !name.includes('*')) {
+                processNames.add(name);
+            }
+        }
+    }
+    return [...processNames];
+}
+// Extract file paths from CQL query text
+function extractFilePaths(cql) {
+    const filePaths = new Set();
+    const interestingPaths = [
+        'C:\\Windows\\Temp', 'C:\\Windows\\System32', 'C:\\Windows\\SysWOW64',
+        'C:\\ProgramData', 'C:\\Users\\Public', '\\AppData\\Local\\Temp',
+        '\\AppData\\Roaming',
+    ];
+    const cqlLower = cql.toLowerCase();
+    for (const path of interestingPaths) {
+        if (cqlLower.includes(path.toLowerCase())) {
+            filePaths.add(path);
+        }
+    }
+    if (cqlLower.includes('\\temp\\') || cqlLower.includes('\\tmp\\')) {
+        filePaths.add('Temp directory');
+    }
+    return [...filePaths];
+}
+// Extract registry paths from CQL query text
+function extractRegistryPaths(cql) {
+    const registryPaths = new Set();
+    const cqlLower = cql.toLowerCase();
+    if (cqlLower.includes('hklm') || cqlLower.includes('hkey_local_machine')) {
+        registryPaths.add('HKLM registry');
+    }
+    if (cqlLower.includes('hkcu') || cqlLower.includes('hkey_current_user')) {
+        registryPaths.add('HKCU registry');
+    }
+    if (cqlLower.includes('\\run\\') || cqlLower.includes('\\runonce\\')) {
+        registryPaths.add('Run/RunOnce keys');
+    }
+    if (cqlLower.includes('\\services\\')) {
+        registryPaths.add('Services registry');
+    }
+    return [...registryPaths];
+}
+// Extract CVE IDs from name and description
+function extractCves(text) {
+    const matches = text.match(/CVE-\d{4}-\d+/gi);
+    if (!matches)
+        return [];
+    return [...new Set(matches.map(m => m.toUpperCase()))];
+}
+// Infer platforms from CQL query and log_sources
+function extractPlatforms(cql, logSources) {
+    const platforms = new Set();
+    // Check event_platform in CQL
+    if (/event_platform\s*=\s*"?Win/i.test(cql))
+        platforms.add('windows');
+    if (/event_platform\s*=\s*"?Mac/i.test(cql))
+        platforms.add('macos');
+    if (/event_platform\s*=\s*"?Lin/i.test(cql))
+        platforms.add('linux');
+    // Infer from log_sources
+    for (const src of logSources) {
+        const lower = src.toLowerCase();
+        if (lower === 'endpoint') {
+            // Endpoint could be any OS; only add if no specific platform found
+            if (platforms.size === 0) {
+                platforms.add('windows');
+                platforms.add('linux');
+            }
+        }
+        else if (lower === 'network') {
+            platforms.add('network');
+        }
+        else if (lower === 'cloud' || lower.includes('aws') || lower.includes('azure') || lower.includes('gcp')) {
+            platforms.add('cloud');
+        }
+    }
+    return [...platforms];
+}
+// Map log_sources to asset type
+function deriveAssetType(logSources) {
+    if (!logSources || logSources.length === 0)
+        return null;
+    const first = logSources[0].toLowerCase();
+    if (first === 'endpoint')
+        return 'Endpoint';
+    if (first === 'network')
+        return 'Network';
+    if (first === 'cloud' || first.includes('aws') || first.includes('azure') || first.includes('gcp'))
+        return 'Cloud';
+    if (first === 'identity' || first === 'idp')
+        return 'Endpoint';
+    return null;
+}
+// Map log_sources to security domain
+function deriveSecurityDomain(logSources) {
+    if (!logSources || logSources.length === 0)
+        return null;
+    const first = logSources[0].toLowerCase();
+    if (first === 'endpoint')
+        return 'endpoint';
+    if (first === 'network')
+        return 'network';
+    if (first === 'cloud' || first.includes('aws') || first.includes('azure') || first.includes('gcp'))
+        return 'cloud';
+    if (first === 'identity' || first === 'idp')
+        return 'access';
+    return null;
+}
+// Map tags to detection type
+function deriveDetectionType(tags) {
+    for (const tag of tags) {
+        const lower = tag.toLowerCase();
+        if (lower === 'hunting')
+            return 'Hunting';
+        if (lower === 'detection')
+            return 'TTP';
+        if (lower === 'anomaly')
+            return 'Anomaly';
+        if (lower === 'correlation')
+            return 'Correlation';
+    }
+    return null;
+}
+export function parseCqlHubFile(filePath) {
+    try {
+        const content = readFileSync(filePath, 'utf-8');
+        const rule = parseYaml(content);
+        // name and cql are required
+        if (!rule.name || !rule.cql) {
+            return null;
+        }
+        const id = generateId(filePath, rule.name);
+        const mitreIds = rule.mitre_ids || [];
+        const logSources = rule.log_sources || [];
+        const tags = rule.tags || [];
+        const csModules = rule.cs_required_modules || [];
+        // Build description: include explanation if present
+        let description = rule.description || '';
+        if (rule.explanation) {
+            description = description
+                ? `${description}\n\n${rule.explanation}`
+                : rule.explanation;
+        }
+        // Combine text fields for CVE extraction
+        const combinedText = `${rule.name} ${rule.description || ''}`;
+        // Build enriched tags: include cs_required_modules as prefixed tags
+        const enrichedTags = [
+            ...tags,
+            ...csModules.map(m => `cs_module:${m}`),
+        ];
+        const detection = {
+            id,
+            name: rule.name,
+            description,
+            query: rule.cql,
+            source_type: 'crowdstrike_cql',
+            mitre_ids: mitreIds,
+            logsource_category: logSources.length > 0 ? logSources[0].toLowerCase() : null,
+            logsource_product: 'crowdstrike',
+            logsource_service: 'falcon_logscale',
+            severity: null,
+            status: null,
+            author: rule.author || null,
+            date_created: null,
+            date_modified: null,
+            references: [],
+            falsepositives: [],
+            tags: enrichedTags,
+            file_path: filePath,
+            raw_yaml: content,
+            cves: extractCves(combinedText),
+            analytic_stories: [],
+            data_sources: logSources,
+            detection_type: deriveDetectionType(tags),
+            asset_type: deriveAssetType(logSources),
+            security_domain: deriveSecurityDomain(logSources),
+            process_names: extractProcessNames(rule.cql),
+            file_paths: extractFilePaths(rule.cql),
+            registry_paths: extractRegistryPaths(rule.cql),
+            mitre_tactics: extractMitreTactics(mitreIds),
+            platforms: extractPlatforms(rule.cql, logSources),
+            kql_category: null,
+            kql_tags: [],
+            kql_keywords: [],
+            sublime_attack_types: [],
+            sublime_detection_methods: [],
+            sublime_tactics: [],
+        };
+        return detection;
+    }
+    catch {
+        // Skip files that can't be parsed
+        return null;
+    }
+}

package/dist/parsers/elastic.js

@@ -235,6 +235,9 @@ export function parseElasticFile(filePath) {
             kql_category: null,
             kql_tags: [],
             kql_keywords: [],
+            sublime_attack_types: [],
+            sublime_detection_methods: [],
+            sublime_tactics: [],
         };
         return detection;
     }

package/dist/parsers/kql.js

@@ -341,6 +341,9 @@ export function parseRawKqlFile(filePath, basePath) {
             kql_category: category,
             kql_tags: tags,
             kql_keywords: keywords,
+            sublime_attack_types: [],
+            sublime_detection_methods: [],
+            sublime_tactics: [],
         };
         return detection;
     }
@@ -415,6 +418,9 @@ export function parseKqlFile(filePath, basePath) {
             kql_category: category,
             kql_tags: tags,
             kql_keywords: keywords,
+            sublime_attack_types: [],
+            sublime_detection_methods: [],
+            sublime_tactics: [],
         };
         return detection;
     }

package/dist/parsers/sigma.js

@@ -388,6 +388,9 @@ export function parseSigmaFile(filePath) {
             kql_category: null,
             kql_tags: [],
             kql_keywords: [],
+            sublime_attack_types: [],
+            sublime_detection_methods: [],
+            sublime_tactics: [],
         };
         return detection;
     }

package/dist/parsers/splunk.js

@@ -182,6 +182,9 @@ export function parseSplunkFile(filePath) {
             kql_category: null,
             kql_tags: [],
             kql_keywords: [],
+            sublime_attack_types: [],
+            sublime_detection_methods: [],
+            sublime_tactics: [],
         };
         return detection;
     }

package/dist/parsers/sublime.d.ts

@@ -0,0 +1,2 @@
+import type { Detection } from '../types.js';
+export declare function parseSublimeFile(filePath: string): Detection | null;

package/dist/parsers/sublime.js

@@ -0,0 +1,106 @@
+import { readFileSync } from 'fs';
+import { parse as parseYaml } from 'yaml';
+import { createHash } from 'crypto';
+// Best-effort mapping from Sublime tactics_and_techniques to MITRE ATT&CK tactics
+const TACTICS_MAP = {
+    'evasion': 'defense-evasion',
+    'exploit': 'execution',
+    'social engineering': 'initial-access',
+    'impersonation: brand': 'initial-access',
+    'impersonation: employee': 'initial-access',
+    'impersonation: vip': 'initial-access',
+    'lookalike domain': 'initial-access',
+    'spoofing': 'initial-access',
+    'scripting': 'execution',
+    'macros': 'execution',
+    'encryption': 'defense-evasion',
+};
+// Generate a stable ID from file path and rule name
+function generateId(filePath, name) {
+    const hash = createHash('sha256')
+        .update(`${filePath}:${name}`)
+        .digest('hex')
+        .substring(0, 32);
+    return `sublime-${hash}`;
+}
+// Extract author names from the authors array
+function extractAuthorNames(authors) {
+    if (!authors || authors.length === 0)
+        return null;
+    const names = authors
+        .map(a => a.name || a.twitter || a.github || 'Unknown')
+        .filter(Boolean);
+    return names.length > 0 ? names.join(', ') : null;
+}
+// Map Sublime tactics to MITRE ATT&CK tactics (best-effort)
+function mapToMitreTactics(tactics) {
+    if (!tactics)
+        return [];
+    const mitreTactics = new Set();
+    for (const tactic of tactics) {
+        const mapped = TACTICS_MAP[tactic.toLowerCase()];
+        if (mapped) {
+            mitreTactics.add(mapped);
+        }
+    }
+    return [...mitreTactics];
+}
+export function parseSublimeFile(filePath) {
+    try {
+        const content = readFileSync(filePath, 'utf-8');
+        const rule = parseYaml(content);
+        // name and source are required
+        if (!rule.name || !rule.source) {
+            return null;
+        }
+        // type must be 'rule' or 'exclusion'
+        if (rule.type !== 'rule' && rule.type !== 'exclusion') {
+            return null;
+        }
+        const id = rule.id || generateId(filePath, rule.name);
+        const detection = {
+            id,
+            name: rule.name,
+            description: rule.description || '',
+            query: rule.source,
+            source_type: 'sublime',
+            mitre_ids: [],
+            logsource_category: 'email',
+            logsource_product: 'email',
+            logsource_service: null,
+            severity: rule.severity || null,
+            status: null,
+            author: extractAuthorNames(rule.authors),
+            date_created: null,
+            date_modified: null,
+            references: rule.references || [],
+            falsepositives: rule.false_positives || [],
+            tags: rule.tags || [],
+            file_path: filePath,
+            raw_yaml: content,
+            cves: [],
+            analytic_stories: [],
+            data_sources: ['Email Messages', 'Email Headers', 'Email Attachments'],
+            detection_type: rule.type === 'exclusion' ? 'Exclusion' : 'Rule',
+            asset_type: 'Email',
+            security_domain: 'access',
+            process_names: [],
+            file_paths: [],
+            registry_paths: [],
+            mitre_tactics: mapToMitreTactics(rule.tactics_and_techniques),
+            platforms: ['email'],
+            kql_category: null,
+            kql_tags: [],
+            kql_keywords: [],
+            // Sublime-specific fields
+            sublime_attack_types: rule.attack_types || [],
+            sublime_detection_methods: rule.detection_methods || [],
+            sublime_tactics: rule.tactics_and_techniques || [],
+        };
+        return detection;
+    }
+    catch {
+        // Skip files that can't be parsed
+        return null;
+    }
+}

package/dist/resources/index.js

@@ -182,7 +182,7 @@ function getTacticResource(tactic) {
  * Get statistics and sample detections for a source type
  */
 function getSourceResource(sourceType) {
-    const validSources = ['sigma', 'splunk_escu', 'elastic', 'kql'];
+    const validSources = ['sigma', 'splunk_escu', 'elastic', 'kql', 'sublime', 'crowdstrike_cql'];
     const normalizedSource = sourceType.toLowerCase();
     if (!validSources.includes(normalizedSource)) {
         return {

package/dist/tools/detections/analysis.js

@@ -23,7 +23,7 @@ export const analysisTools = [
             properties: {
                 source_type: {
                     type: 'string',
-                    enum: ['sigma', 'splunk_escu', 'elastic', 'kql'],
+                    enum: ['sigma', 'splunk_escu', 'elastic', 'kql', 'sublime', 'crowdstrike_cql'],
                     description: 'Filter by source type',
                 },
                 tactic: {
@@ -66,7 +66,7 @@ export const analysisTools = [
             properties: {
                 source_type: {
                     type: 'string',
-                    enum: ['sigma', 'splunk_escu', 'elastic', 'kql'],
+                    enum: ['sigma', 'splunk_escu', 'elastic', 'kql', 'sublime', 'crowdstrike_cql'],
                     description: 'Filter by source type (optional - analyzes all if not specified)',
                 },
             },
@@ -90,7 +90,7 @@ export const analysisTools = [
                 },
                 source_type: {
                     type: 'string',
-                    enum: ['sigma', 'splunk_escu', 'elastic', 'kql'],
+                    enum: ['sigma', 'splunk_escu', 'elastic', 'kql', 'sublime', 'crowdstrike_cql'],
                     description: 'Filter by source type (optional)',
                 },
             },
@@ -124,7 +124,7 @@ export const analysisTools = [
                 },
                 source_type: {
                     type: 'string',
-                    enum: ['sigma', 'splunk_escu', 'elastic', 'kql'],
+                    enum: ['sigma', 'splunk_escu', 'elastic', 'kql', 'sublime', 'crowdstrike_cql'],
                     description: 'Filter by source type (optional)',
                 },
             },

package/dist/tools/detections/comparison.js

@@ -15,7 +15,7 @@ export const comparisonTools = [
                 },
                 source_type: {
                     type: 'string',
-                    enum: ['sigma', 'splunk_escu', 'elastic', 'kql'],
+                    enum: ['sigma', 'splunk_escu', 'elastic', 'kql', 'sublime', 'crowdstrike_cql'],
                     description: 'Optional: filter by source type',
                 },
                 limit: {
@@ -147,7 +147,7 @@ export const comparisonTools = [
                 },
                 source_type: {
                     type: 'string',
-                    enum: ['sigma', 'splunk_escu', 'elastic', 'kql'],
+                    enum: ['sigma', 'splunk_escu', 'elastic', 'kql', 'sublime', 'crowdstrike_cql'],
                     description: 'Optional: filter to specific source',
                 },
             },
@@ -235,7 +235,7 @@ export const comparisonTools = [
             properties: {
                 source_type: {
                     type: 'string',
-                    enum: ['sigma', 'splunk_escu', 'elastic', 'kql'],
+                    enum: ['sigma', 'splunk_escu', 'elastic', 'kql', 'sublime', 'crowdstrike_cql'],
                     description: 'Filter by source type (optional)',
                 },
             },

package/dist/tools/detections/filters.js

@@ -10,7 +10,7 @@ export const filterTools = [
             properties: {
                 source_type: {
                     type: 'string',
-                    enum: ['sigma', 'splunk_escu', 'elastic', 'kql'],
+                    enum: ['sigma', 'splunk_escu', 'elastic', 'kql', 'sublime', 'crowdstrike_cql'],
                     description: 'Source type to filter by',
                 },
                 limit: {

package/dist/tools/detections/search.js

@@ -22,7 +22,7 @@ export const searchTools = [
                 },
                 source_type: {
                     type: 'string',
-                    enum: ['sigma', 'splunk_escu', 'elastic', 'kql'],
+                    enum: ['sigma', 'splunk_escu', 'elastic', 'kql', 'sublime', 'crowdstrike_cql'],
                     description: 'Filter results by detection source type',
                 },
             },