Executive Summary
Designed and implemented an MCP server that indexes internal detections as code and enriches them with 7,000+ public rules for context — enabling automated MITRE coverage analysis, detection gap identification, and production-ready SPL/KQL generation to support our detection engineering lifecycle.
Public detections provide benchmarking and contextual intelligence. Internal detections remain authoritative and prioritized in all coverage analysis and recommendations.
Key Achievement: Validated end-to-end workflow by generating a production-ready SIEM detection query through natural language interaction with Claude Desktop. Additionally, submitted a full vendor-style threat intelligence report and successfully received actionable detection recommendations generated through the MCP platform.
The Problem
Detection engineering requires constant cross-referencing across multiple rule libraries, MITRE ATT&CK mapping, and time-consuming gap analysis. The knowledge landscape is fragmented:
- Internal detections live inside the SIEM in a proprietary format
- Sigma rules are maintained in one repository with one schema
- Splunk ESCU detections use different metadata structures
- Elastic Security and Sentinel have their own formats
- No unified way to query "show me all T1550 detections across platforms"
- MITRE coverage analysis requires manual spreadsheet tracking
- LLMs cannot effectively reason about thousands of detection rules without structured access
Traditional approaches involve manually browsing GitHub repositories, searching documentation, and cobbling together analysis in spreadsheets—a workflow that doesn't scale.
Technical Solution
Architecture Overview
Data Ingestion & Normalization
Built parsers for each detection source that extract and normalize:
- Core Metadata: Name, description, severity, detection type
- MITRE Mapping: Technique IDs, tactics, sub-techniques
- Platform Context: Data sources, log types, query language
- Vulnerability Links: CVE mappings where applicable
- Query Logic: Detection queries in native platform languages
All detections are stored in SQLite with FTS5 (full-text search) indexing, enabling:
- Fast text search across names, descriptions, and queries
- Efficient filtering by MITRE technique, tactic, severity
- Cross-platform comparison queries
- Pattern extraction for similar detection logic
MCP Tool Design
Exposed 80+ specialized tools through the MCP interface, organized by capability:
- Search & Discovery: Full-text search, filtering by metadata, source-specific queries
- MITRE Analysis: Coverage mapping, gap identification, technique-level aggregation
- Cross-Platform Comparison: Compare detection coverage between Sigma/Splunk/Elastic/Sentinel
- Pattern Extraction: Identify common query structures, field usage, detection approaches
- Template Generation: Generate detection scaffolding based on learned patterns
- Knowledge Graph: Store analytical decisions, learnings, and reasoning for context retention
Key Architectural Decisions
- Separation of Concerns: Strict boundaries between persistence (SQLite), business logic (analysis tools), and orchestration (LLM workflows)
- Incremental Indexing: Idempotent indexing on startup allows safe re-runs and updates
- Tool Granularity: Balanced lightweight search tools vs. heavy aggregation to optimize LLM context consumption
- FTS5 for Performance: Full-text search enables sub-second queries across 7,000+ rules
- Knowledge Persistence: Built-in graph layer stores past analyses and decisions for improved reasoning
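A compact illustration of the ingestion, FTS5 search, idempotent re-indexing and internal-first coverage analysis described in the "Data Ingestion & Normalization" and "Key Architectural Decisions" sections. This is an added example, not the project's own code; the rule records, keys and queries are constructed, the schema is a simplification of what a real index would need, and it assumes a SQLite build with FTS5 enabled.

```python
import sqlite3

# Constructed sample rules, already normalized by (hypothetical) per-source parsers; not real rule content.
SAMPLE_RULES = [
    {"key": "internal:DE-001", "source": "internal",
     "name": "Pass-the-Hash logon via NTLM", "techniques": ["T1550.002"],
     "description": "Network logon using NTLM with an NT hash instead of a password",
     "query": "index=wineventlog EventCode=4624 Logon_Type=9 Authentication_Package=NTLM"},
    {"key": "sigma:0001", "source": "sigma",
     "name": "Pass-the-Ticket Kerberos Activity", "techniques": ["T1550.003"],
     "description": "Kerberos ticket reuse from an unexpected host", "query": "EventID: 4769"},
    {"key": "escu:0002", "source": "splunk_escu",
     "name": "LSASS Memory Access", "techniques": ["T1003.001"],
     "description": "Process opening a handle to lsass.exe", "query": "Image=*lsass.exe"},
]

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript("""
        CREATE TABLE IF NOT EXISTS detections(key TEXT PRIMARY KEY, source TEXT, name TEXT);
        CREATE TABLE IF NOT EXISTS mitre_map(key TEXT, technique TEXT, PRIMARY KEY(key, technique));
        CREATE VIRTUAL TABLE IF NOT EXISTS detections_fts USING fts5(key UNINDEXED, name, description, query);
    """)
    return db

def index_rules(db, rules):
    """Idempotent indexing: re-running with the same rules replaces rows instead of duplicating them."""
    for r in rules:
        db.execute("DELETE FROM detections_fts WHERE key = ?", (r["key"],))
        db.execute("DELETE FROM mitre_map WHERE key = ?", (r["key"],))
        db.execute("INSERT OR REPLACE INTO detections VALUES (?, ?, ?)", (r["key"], r["source"], r["name"]))
        db.execute("INSERT INTO detections_fts VALUES (?, ?, ?, ?)", (r["key"], r["name"], r["description"], r["query"]))
        db.executemany("INSERT INTO mitre_map VALUES (?, ?)", [(r["key"], t) for t in r["techniques"]])
    db.commit()

def search(db, fts_query):
    """Full-text search over name, description and query text, best match first (FTS5 rank)."""
    return [k for (k,) in db.execute(
        "SELECT key FROM detections_fts WHERE detections_fts MATCH ? ORDER BY rank", (fts_query,))]

def coverage(db, technique_prefix):
    """Per technique: internal rules are authoritative; a technique with no internal rule is a gap
    regardless of how many public rules map to it (public rules only add context)."""
    rows = db.execute("""
        SELECT m.technique, SUM(d.source = 'internal'), SUM(d.source <> 'internal')
        FROM mitre_map m JOIN detections d ON d.key = m.key
        WHERE m.technique LIKE ? GROUP BY m.technique ORDER BY m.technique""", (technique_prefix + "%",))
    return {t: {"internal": i, "public": p, "gap": i == 0} for t, i, p in rows}
```

Calling `coverage(db, "T1550")` after indexing the sample set reports T1550.003 as a gap even though a public Sigma rule covers it, which is exactly the internal-first prioritization the summary describes.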
Real-World Validation
Tested the system end-to-end to validate production viability:
- Connected MCP server to Claude Desktop on macOS
- Requested MITRE coverage gap analysis on indexed detections
- Asked assistant to identify missing coverage for technique T1550 (Use Alternate Authentication Material)
- Requested generation of a Splunk SPL detection query for the gap
- Received production-ready query with proper data model usage and field references
- Submitted vendor-style detection report and received actionable recommendations
- Query executed successfully in production SIEM, returning expected results
This validation proved:
- The indexing model is usable by LLMs for complex reasoning
- Detection pattern extraction works accurately across platforms
- MITRE mapping is reliable and queryable
- Query generation produces near-production-ready output
- The entire workflow—from gap analysis to working detection—can be LLM-assisted
Why This Matters
This project demonstrates a fundamentally different approach to detection engineering—one that treats detections as queryable intelligence rather than scattered files. By making this knowledge LLM-accessible through MCP, complex analytical workflows become natural language interactions.
Strategic Value: This isn't just "I wrote some SPL rules." This is systems thinking applied to detection engineering—data modeling, AI integration, platform design, and production-oriented architecture. It positions detection engineering as a measurable, AI-assisted discipline rather than artisanal craftsmanship.