Elastic Security MCP. Audit rules and investigate alerts directly from your chat.
Works with every AI agent you already use
…and any MCP-compatible client
Just plug in your AI agents and start using Vinkius.
Elastic Security. Manage SIEM and SOC operations directly from your AI client. This server lets you search raw security signals, audit detection rules, and manage exceptions—all without leaving your chat interface.
You can list rules, create new detection logic, and check if your threat coverage is up to date, making it a full-stack auditing tool for security engineers and analysts.
What your AI agents can do
Add exception
Whitelists a hostname within an exception list, telling rules to ignore telemetry from that specific machine.
Create rule
Creates a new detection rule that tracks malicious activity and generates security signals.
Delete rule
Permanently and irreversibly deletes a custom detection rule from the SIEM.
Retrieves raw security alerts, combining hostnames, user profiles, and IP locations into one searchable record.
Lists all active detection rules and fetches their exact query language (EQL/KQL) for threat coverage mapping.
Adds or lists global exception lists, allowing you to whitelist specific hosts to silence false positive alerts.
Enables or disables existing detection rules, managing noisy alerts across large operational groups.
Creates custom log detection rules or modifies existing ones based on new threat intelligence.
Verifies if the official prepackaged rules need updates to cover the latest known threat models (Windows, Linux, Cloud).
Add exception
Whitelists a hostname within an exception list, telling rules to ignore telemetry from that specific machine.
Create rule
Creates a new detection rule that tracks malicious activity and generates security signals.
Delete rule
Permanently and irreversibly deletes a custom detection rule from the SIEM.
Find detection rules
Searches for existing detection rules using a name, tag, or MITRE tactic to check for specific threat coverage.
Get prepackaged rules status
Checks if official Elastic rules need updates to ensure the environment has the latest threat models for various OSes.
Get rule
Retrieves the full details, query logic, and run intervals for a specific, existing detection rule.
List detection rules
Lists every detection rule configured in the SIEM, providing data essential for mapping MITRE ATT&CK coverage.
List exceptions
Displays all global exception lists that manage detection bypass logic for the system.
Search signals
Searches and consolidates raw security signals (alerts), enriching them with hostnames, user profiles, and IP data.
Update rule
Enables or disables an existing detection rule to manage alerts or re-enable them after tuning.
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built in DLP, auth, and compliance on every call
- Real time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with Elastic Security, then connect any of our 4,700+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 4,700+ others, all in one place
- Add new capabilities to your AI anytime you want
- Every connection is secured and compliant automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog every week
What you can do with this MCP connector
You're running Elastic Security, so you've got a ton of rules and alerts to manage. This server lets your AI client handle your SIEM and SOC operations right from the chat. You'll search raw security signals, audit detection rules, and manage exceptions without leaving your interface.
Search Security Signals
Your agent searches and consolidates raw security signals. It enriches these alerts by pulling in hostnames, user profiles, and IP data, giving you one searchable record for every event.
Audit Detection Rules
Your agent lists every detection rule configured in the SIEM. You can also search for existing rules using a name, tag, or MITRE tactic. For any specific rule, it gets the full details, including the query logic and run interval. You can also check the status of official Elastic rules to make sure your environment runs the latest threat models for Windows, Linux, and Cloud.
Manage Rule Exceptions
Your agent displays all global exception lists. You can also whitelist a hostname, telling the rules to ignore any telemetry coming from that specific machine.
Adjust Rule Status
Your agent enables or disables existing detection rules, letting you manage noisy alerts across huge operational groups.
Deploy New Detection Logic
Your agent creates new detection rules that track malicious activity and generate security signals. It also lets you permanently delete custom detection rules from the SIEM.
Check System Updates
Your agent gets the prepackaged rules status, verifying if the official Elastic rules need updates to cover the latest known threat models.
How Elastic Security MCP Works
1. Subscribe to the Elastic Security server and provide your Kibana Host, Port, and Elastic API Key.
2. Use natural language to tell your agent what you need—for example, 'List all rules tagged Ransomware.'
3. The agent executes the necessary tool call, retrieving structured data like rule logic, alert details, or exception lists directly into the chat.
The bottom line is that you manage your SIEM operations through conversation, using the agent to execute complex, underlying API calls.
Who Is Elastic Security MCP For?
Security Analysts and Engineers who are tired of clicking through multiple dashboards at 2 a.m. This tool lets them audit complex rules, investigate live alerts, and manage exceptions without ever leaving the chat window. It's built for people who need deep, quick visibility into a threat landscape.
Uses this to search raw security signals and audit detection rules immediately. They verify threat coverage and investigate alerts without leaving the chat.
Uses this to build and update detection logic (like calling create_rule) or manage exception lists (add_exception) using natural language.
Uses this to quickly search signals and verify threat coverage during an active investigation, needing immediate answers on specific CVEs.
What Changes When You Connect
- Audit the entire rule set with `list_detection_rules`. Instead of pulling up dozens of rule dashboards, you get a single, structured list, making MITRE ATT&CK mapping fast and accurate.
- Stop investigating false positives manually. Use `add_exception` to whitelist a hostname. The system immediately ignores telemetry from that machine for bound rules, reducing noise in real time.
- When a new CVE drops, don't guess. Use `find_detection_rules` to search the entire rule base by name or MITRE tactic. This instantly verifies if your current rules cover the new threat.
- See what's actually happening in the network with `search_signals`. It consolidates raw alerts, pulling in source IP, user profiles, and process trees—data you can't usually find in one spot.
- Manage the system's alert volume instantly. Use `update_rule` to disable a noisy detection rule or re-enable it later. You control the alert flow without touching the console.
- Keep the platform current. Run `get_prepackaged_rules_status` to confirm that Elastic's official threat models for Windows, Linux, and Cloud are up to date.
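The coverage audit described above boils down to reading each rule's `threat` mapping and checking which tactics have an enabled rule behind them. The following is an added example (not code from the Elastic Security MCP server or from Elastic) of that check run over a constructed sample; it assumes rule objects shaped like Kibana's detection-engine rule JSON (`name`, `enabled`, `tags`, `threat[].tactic.id`), which is what a `list_detection_rules`-style result would carry. It also reports rules that are mapped but disabled, since a disabled rule gives no coverage however good its logic is.

```python
"""Audit MITRE ATT&CK tactic coverage from a list of detection rules.

Added example, not the MCP server's or Elastic's own code. Assumes rules are
shaped like Kibana detection-engine rule JSON; SAMPLE_RULES is constructed.
"""
from collections import defaultdict

# Constructed sample of what a list_detection_rules-style result might contain.
SAMPLE_RULES = [
    {"name": "Ransomware - Shadow Copy Deletion", "enabled": True,
     "tags": ["Windows", "Ransomware"],
     "threat": [{"framework": "MITRE ATT&CK",
                 "tactic": {"id": "TA0040", "name": "Impact"},
                 "technique": [{"id": "T1490", "name": "Inhibit System Recovery"}]}]},
    {"name": "Suspicious PowerShell Download", "enabled": True,
     "tags": ["Windows"],
     "threat": [{"framework": "MITRE ATT&CK",
                 "tactic": {"id": "TA0002", "name": "Execution"},
                 "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter"}]}]},
    {"name": "Linux Cron Persistence", "enabled": False,  # switched off during tuning
     "tags": ["Linux"],
     "threat": [{"framework": "MITRE ATT&CK",
                 "tactic": {"id": "TA0003", "name": "Persistence"},
                 "technique": [{"id": "T1053", "name": "Scheduled Task/Job"}]}]},
    {"name": "Untagged Custom Rule", "enabled": True, "tags": [], "threat": []},
]

# Tactics the team expects to have at least one enabled rule for (assumed scope).
EXPECTED_TACTICS = {"TA0002": "Execution", "TA0003": "Persistence",
                    "TA0040": "Impact", "TA0008": "Lateral Movement"}


def tactic_coverage(rules, enabled_only=True):
    """Map tactic id -> sorted names of rules mapped to that tactic."""
    coverage = defaultdict(list)
    for rule in rules:
        if enabled_only and not rule.get("enabled", False):
            continue
        for threat in rule.get("threat", []):
            if threat.get("framework") != "MITRE ATT&CK":
                continue
            tactic_id = threat.get("tactic", {}).get("id")
            if tactic_id:
                coverage[tactic_id].append(rule["name"])
    return {tid: sorted(names) for tid, names in coverage.items()}


def coverage_gaps(rules, expected=EXPECTED_TACTICS):
    """Expected tactics with no enabled rule behind them."""
    covered = tactic_coverage(rules)
    return sorted(tid for tid in expected if tid not in covered)


def disabled_only_tactics(rules):
    """Tactics whose only mapped rules are currently disabled."""
    every = tactic_coverage(rules, enabled_only=False)
    enabled = tactic_coverage(rules)
    return sorted(tid for tid in every if tid not in enabled)


def unmapped_rules(rules):
    """Rules with no ATT&CK mapping at all; they never show up in a coverage report."""
    return sorted(r["name"] for r in rules if not r.get("threat"))


def rules_with_tag(rules, tag):
    """Rules carrying a given tag, e.g. 'Ransomware'."""
    return sorted(r["name"] for r in rules if tag in r.get("tags", []))


if __name__ == "__main__":
    print("gaps:", coverage_gaps(SAMPLE_RULES))
    print("disabled-only:", disabled_only_tactics(SAMPLE_RULES))
    print("unmapped:", unmapped_rules(SAMPLE_RULES))
    print("ransomware-tagged:", rules_with_tag(SAMPLE_RULES, "Ransomware"))
```

Feeding the real rule list into these functions gives a coverage report in which a rule that was disabled with `update_rule` correctly shows up as a gap rather than as coverage.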
Real-World Use Cases
Investigating a Suspected Breach
An Incident Responder receives a vague alert. Instead of navigating five separate dashboards, they tell their agent to search_signals for the affected user. The agent returns all raw alerts, enriched with source IP and process tree, allowing the responder to quickly trace the attack path.
Tuning False Positives
A Security Engineer knows a vulnerability scanner keeps firing benign alerts. They use list_exceptions to review global lists, then use add_exception to whitelist the scanner's hostname. The alerts instantly stop, clearing the noise and letting the team focus on real threats.
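A hostname-only exception silences every rule bound to that list for the whole machine, so it is worth scoping the exception to the scanner process where possible and reviewing the item before it goes in. The block below is an added example (not the MCP server's own `add_exception` implementation) that builds an exception item in the shape of Kibana's exception-list API (`list_id`, `type: "simple"`, `entries[].field/operator/type/value`) and lints it for over-broad scope; the list id and hostnames are constructed placeholders.

```python
"""Build and lint an Elastic exception-list item before adding a host exception.

Added example, not code from the MCP server or from Elastic. Assumes the item
shape of Kibana's exception-list API; list ids and hostnames are placeholders.
"""

# Fields that, on their own, exempt an entire identity rather than one behaviour.
BROAD_FIELDS = {"host.name", "host.hostname", "host.id", "user.name"}


def build_host_exception(list_id, hostname, process_name=None, description=""):
    """Return an exception item excluding telemetry from `hostname`.

    Passing `process_name` narrows the item to one process on that host instead
    of silencing every bound rule for the whole machine.
    """
    entries = [{"field": "host.name", "operator": "included",
                "type": "match", "value": hostname}]
    if process_name:
        entries.append({"field": "process.name", "operator": "included",
                        "type": "match", "value": process_name})
    name = f"Exception for {hostname}"
    if process_name:
        name += f" / {process_name}"
    return {
        "list_id": list_id,
        "name": name,
        "description": description or "Added via chat; review before renewal",
        "type": "simple",
        "namespace_type": "single",
        "entries": entries,
    }


def lint_exception_item(item):
    """Return human-readable findings for items that silence more than intended."""
    findings = []
    entries = item.get("entries", [])
    fields = {e.get("field") for e in entries}
    if not entries:
        findings.append("no entries: item has no matching condition")
    if fields and fields <= BROAD_FIELDS:
        findings.append("host/user-only scope: every bound rule is silenced for this identity")
    for e in entries:
        value = str(e.get("value", ""))
        if e.get("type") == "wildcard" and value.startswith("*"):
            findings.append(f"leading wildcard on {e['field']}: matches far more than intended")
        if e.get("type") == "exists":
            findings.append(f"'exists' on {e['field']}: matches every event carrying the field")
        if e.get("operator") == "excluded" and e.get("field") in BROAD_FIELDS:
            findings.append(f"negated {e['field']}: exempts every value but one, likely inverted")
    if not item.get("description"):
        findings.append("missing description: nobody will know why this exception exists")
    return findings


if __name__ == "__main__":
    broad = build_host_exception("scanner_exceptions_placeholder", "scanner01")
    narrow = build_host_exception("scanner_exceptions_placeholder", "scanner01",
                                  process_name="nessusd")
    print("broad:", lint_exception_item(broad))
    print("narrow:", lint_exception_item(narrow))
```

Running the linter before the item is submitted turns "whitelist the scanner" into a reviewed change: the host-only version is flagged, the host-plus-process version passes clean.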
Compliance Audit for New Threats
A SOC Analyst needs to prove coverage for a new ransomware strain. They use find_detection_rules and specify 'Ransomware' as the tag. The agent returns all matching rules, allowing the analyst to build a compliance report instantly.
Deactivating a Noisy Rule
The team deploys a new rule that triggers thousands of alerts daily. A Security Engineer uses update_rule to temporarily disable it, allowing the team to tune the rule's logic without being overwhelmed by constant false positives.
The Tradeoffs
Manual Dashboard Hunting
The analyst opens the SIEM UI, clicks through the 'Rules' tab, then the 'Alerts' tab, and tries to cross-reference the MITRE Tactic ID manually. This takes 20 minutes and involves copying/pasting data between three different views.
→
First, run list_detection_rules to map the full coverage. Then, use find_detection_rules to filter by the specific MITRE tactic. Finally, use search_signals to see live examples of alerts related to those rules.
Assuming Rule Coverage
A manager hears about a new zero-day vulnerability and assumes the system is covered. They only check the main dashboard, missing niche rules or specific tag coverage.
→
Run get_prepackaged_rules_status to check the official model update status. If that looks good, use find_detection_rules to confirm coverage for the specific CVE ID or tag.
Over-relying on the UI for status
Trying to find out if a rule needs maintenance or if the exception list has been updated requires navigating multiple menus and checking multiple status indicators.
→
Use list_exceptions to see all active bypass lists. If you need to change one, use add_exception to whitelist the new host, or update_rule to adjust the rule's state.
When It Fits, When It Doesn't
Use this server if your primary pain point is auditing, investigating, or managing rules/alerts in a high-volume SIEM environment. You need to map threat coverage (e.g., MITRE ATT&CK) or quickly trace an alert's full context. Don't use it if you just need to run a single, simple SQL query against raw logs, because a dedicated log querying tool is better for that. If you only need to read static configuration data, a simple API client works fine. But when you need the AI agent to orchestrate multiple checks—like listing rules, checking their status, and then searching alerts—this is the tool you need.
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Elastic Security. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS INFRASTRUCTURE
Cloud Hosted
Managed infra
V8 Isolated
Sandboxed per request
Zero-Trust Proxy
No stored credentials
DLP Enforced
Policy on every call
GDPR Compliant
EU data residency
Token Compression
~60% cost reduction
Works with Claude, ChatGPT, Cursor, and more
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This server provides 10 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.
Available Capabilities
Sifting through alerts shouldn't feel like digging through a junk drawer.
Today, finding the full story behind a single security alert is a nightmare. You get an alert in the SIEM, but to understand it, you have to click into the associated user profile, then open the IP geolocation map, and maybe check a separate asset management dashboard. You spend half your time copy-pasting identifiers between tabs just to build a simple timeline.
With the Elastic Security MCP Server, you simply ask your agent to 'Search signals for user X'. The agent handles the complex plumbing, returning one consolidated view that includes the hostname, user profile, and IP geolocations right in the chat. You get the full context, instantly.
Elastic Security MCP Server: Control rules and alerts.
Before this server, managing detection rules meant logging into the Kibana interface, navigating to the rule builder, and manually toggling switches or editing complex KQL statements. Managing exceptions meant navigating a separate 'Exception List' panel to add a hostname.
Now, you tell your agent, 'Disable the rule for process Y, and whitelist host Z.' The agent executes `update_rule` and `add_exception` in sequence. You don't touch the UI; you just get confirmation that the state change is complete. It's immediate, repeatable, and auditable through chat.
Common Questions About Elastic Security MCP
How do I use the `search_signals` tool with Elastic Security?
You prompt the agent to search signals using specific criteria (e.g., 'Search signals for user X in the last hour'). The tool returns raw alerts, enriched with key data like source IP and process trees, which is critical for incident response.
Can `list_detection_rules` show me the MITRE ATT&CK coverage?
Yes, the tool lists all rules and provides the exact EQL or KQL statements. This allows you to map the rules against the MITRE ATT&CK framework directly within your audit reports.
What is the difference between `add_exception` and `list_exceptions`?
Use `list_exceptions` to view all global exception lists and see what is currently bypassed. Use `add_exception` when you need to whitelist a specific hostname to stop false positive alerts from triggering.
How do I check if my security rules are up to date?
Run `get_prepackaged_rules_status`. This tool verifies if Elastic's official prepackaged rules need updating to ensure you have the latest threat models for your environment.
How do I use `find_detection_rules` to check for specific threats like ransomware?
You search by name, tag, or MITRE tactic. This expedites SOC auditing when you need to evaluate coverage for a newly reported CVE or specific threat.
What is the purpose of the `update_rule` tool in Elastic Security?
It lets you enable or disable an existing detection rule. Use this to manage noisy triggers or re-enable logic after you've tuned an environment.
When should I use `get_rule` instead of `list_detection_rules`?
Use `get_rule` when you need specific details on one rule. It provides the run interval, severity, index scope, and explicit reference URLs for a single rule.
Can `delete_rule` permanently remove a custom detection rule?
Yes, `delete_rule` hard-deletes a custom rule completely. Remember this action is irreversible, and you can't delete pre-built Elastic rules.
Can my agent list all detection rules currently active in my SIEM?
Yes. Use the `list_detection_rules` tool. It returns both custom rules and Elastic prepackaged rules, including machine-learning rules, which is vital for mapping your MITRE ATT&CK coverage.
How do I whitelist a hostname to resolve a false positive via chat?
Use the `add_exception` mutation. Provide the Exception List ID and the hostname string. The agent will update the container, implicitly ignoring telemetry matched on this host for any bound rule.
Can I search for security alerts (Signals) using KQL through the agent?
Absolutely. The `search_signals` tool allows you to retrieve critical alert logs. You can provide an optional KQL query to filter for specific users, hostnames, or process trees within your security telemetry.
Use it with your favorite AI tools
Connect this server to Cursor, Claude, VS Code, and more.