rsigma-mcp 0.16.0

Model Context Protocol (MCP) server exposing the rsigma Sigma toolchain as tools and resources
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71

# rsigma-mcp

A [Model Context Protocol](https://modelcontextprotocol.io) server that exposes the [rsigma](https://github.com/timescale/rsigma) Sigma detection-rule toolchain (parser, linter, evaluator, converter, field extraction, pipeline resolution) as MCP tools, so any MCP-aware agent (Cursor, Claude Code, …) can author, lint, validate, evaluate, and convert Sigma rules with structured, machine-readable results.

The server is transport-agnostic. The CLI drives it over stdio via `rsigma mcp serve`.

## Usage

The crate is consumed by `rsigma-cli`; you normally run the server through the CLI:

```bash
rsigma mcp serve --rules-dir /path/to/rules
```

To embed the handler in your own binary:

```rust,no_run
use rsigma_mcp::RsigmaMcp;
use rsigma_parser::LintConfig;

#[tokio::main]
async fn main() -> anyhow::Result<()> {
    let handler = RsigmaMcp::new(None, LintConfig::default());
    rsigma_mcp::serve_stdio(handler).await
}
```

## Tools

| Tool | Purpose |
|------|---------|
| `parse_rule` | Parse Sigma YAML (rules, correlations, filters) to AST JSON. |
| `parse_condition` | Parse a Sigma condition expression to a parse-tree. |
| `lint_rules` | Lint rules; findings carry lint rule id, severity, line, and fix availability. |
| `validate_rules` | Parse + compile + correlation checks, optional pipelines and source resolution. |
| `evaluate_events` | Evaluate JSON events against rules (detections and correlations). |
| `convert_rules` | Convert rules to backend queries (`postgres`/`lynxdb`/`fibratus`). |
| `list_backends` | List conversion targets and their formats. |
| `list_fields` | List the event fields rules reference, with provenance. |
| `resolve_pipeline` | Inspect a builtin or file pipeline; optionally resolve dynamic sources. |
| `list_builtin_pipelines` | List the builtin pipelines. |
| `fix_rules` | Apply safe auto-fixes to Sigma YAML; `write: true` (path only) persists to disk. |

Every tool accepts inline content (`yaml`/`condition`/`events`) xor a file `path`, and returns structured JSON. Stdout is reserved for the MCP transport; diagnostics go to stderr.

## Resources

Three read-only resources expose reference data: `rsigma://lint/catalogue` (the 75-rule lint catalogue), `rsigma://reference/modifiers`, and `rsigma://reference/mitre-tactics`.

## Design

- Built on [`rmcp`](https://crates.io/crates/rmcp) 1.7 (the official Rust MCP SDK).
- `RsigmaMcp` is the cloneable handler; the tool methods are thin wrappers over the underlying rsigma crates.
- The CLI owns the tokio runtime entry point (`serve_stdio`), mirroring how the daemon is wired.

## Smoke test

[`scripts/mcp-smoke.py`](../../scripts/mcp-smoke.py) drives a built binary end to end over both transports and exercises every tool and resource. The `mcp` feature is opt-in, so build with it first:

```bash
cargo build --release -p rsigma --features mcp
python3 scripts/mcp-smoke.py            # stdio
python3 scripts/mcp-smoke.py --http     # Streamable HTTP + bearer auth
```

It is a post-build sanity check; CI correctness is covered by this crate's Rust tests.

## See also

- [MCP server guide](https://timescale.github.io/rsigma/guide/mcp-server/) for client setup and the full workflow.
- [`rsigma mcp serve`](https://timescale.github.io/rsigma/cli/mcp/serve/) for the flag reference.