How to Use the Elastic Security MCP in Claude Code

Q: How do I use Claude Code to query Elastic Security signals from a shell script?

Use the command claude exec elastic-security-mcp searchsignals --query 'your-query'. You can pipe the JSON output to tools like jq to parse the results right in your terminal.

Q: What's the command to list all my Elastic Security rules with Claude Code and filter them?

Run claude exec elastic-security-mcp listdetectionrules grep 'my-filter'. This pipes the full list of rules to grep for quick, text-based filtering in your shell.

Q: How can I automate adding exceptions to Elastic Security from my terminal using Claude Code?

It's a single command: claude exec elastic-security-mcp addexception --listid 'my-whitelist' --value '10.0.1.5'. This is perfect for scripting bulk whitelisting operations.

Pipe Elastic Security data into your terminal. Automate SOC checks and incident response in your CI/CD pipelines with Claude Code.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect Elastic Security MCP to Claude Code

Create your Vinkius account to connect Elastic Security to Claude Code and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup Elastic Security with Claude Code

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Integrate SIEM Checks into CI/CD

Make security a part of every build. Add a step to your CI/CD pipeline that runs a quick audit. A simple command like `claude exec elastic-security-mcp find_detection_rules --tag 'production'` checks if the right rules are active before a deploy. If the command fails or returns empty, the pipeline stops. No GUI, no manual checks. Just a pass/fail status right in your build logs.

Headless Alert Triage via SSH

You get an alert at 2 AM. No need to find a laptop and log into a VPN. Just SSH into a jump box and get to work. Run `claude exec elastic-security-mcp search_signals --query 'host.name:db-prod-01'` to see what's happening on the affected server. The output is clean JSON, so you can pipe it directly to `jq` for filtering. Find the problem, get the details, and move on.

Script Bulk Rule Management with Claude Code

Your team just finished a rule tuning session and you have a list of 50 noisy rules to disable. Don't click through a web UI. Just put the rule IDs in a text file and run a one-liner: `cat noisy_rules.txt | xargs -I {} claude exec elastic-security-mcp update_rule --rule_id {} --enabled false`. This is how you manage a SIEM at scale. The MCP Server turns tedious tasks into simple shell commands.

Setup guide

Set up Elastic Security MCP in Claude Code

Prerequisites

Claude Code CLI installed (npm install -g @anthropic-ai/claude-code)
Active Vinkius subscription with a valid endpoint token

1

Run the add command

Open your terminal and run the command shown on the right. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com. Use --scope user to make it available across all projects.
2

Verify the connection

Start a Claude Code session and type /mcp to list connected servers. You should see elastic-security-mcp with a green status indicator.
3

Start using tools

Ask Claude Code something like "Check my latest Elastic Security transactions." It will automatically discover and invoke the available Elastic Security tools.

Terminal

claude mcp add --transport http elastic-security-mcp https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp

Get your connection token →

Prerequisites

Claude Code CLI installed
Active Vinkius subscription with a valid endpoint token

1

Open the config file

Create or edit .mcp.json in your project root for project-level scope, or ~/.claude.json for user-level scope.
2

Add the Elastic Security MCP

Paste the JSON snippet shown on the right into the mcpServers object. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com.
3

Restart Claude Code

Start a new Claude Code session. Type /mcp to confirm the server is connected. The tools will be automatically available in your conversation.

.mcp.json

{
  "mcpServers": {
    "elastic-security-mcp": {
      "type": "url",
      "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    }
  }
}

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Elastic Security. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect Elastic Security now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about Elastic Security MCP in Claude Code

Use the command `claude exec elastic-security-mcp search_signals --query 'your-query'`. You can pipe the JSON output to tools like `jq` to parse the results right in your terminal.

Yes. Set up a cron job to run a shell script. Inside, you can call `claude exec elastic-security-mcp get_prepackaged_rules_status` to check for updates or `update_rule` to toggle rules on a schedule.

Run `claude exec elastic-security-mcp list_detection_rules | grep 'my-filter'`. This pipes the full list of rules to `grep` for quick, text-based filtering in your shell.

It's a single command: `claude exec elastic-security-mcp add_exception --list_id 'my-whitelist' --value '10.0.1.5'`. This is perfect for scripting bulk whitelisting operations.

It strictly handles SIEM metadata: rule definitions, exception list contents, and alert data like IPs and process trees. Vinkius provides a zero-trust environment, so your command and its data disappear once the task is complete.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript