How to Use the Elastic Security MCP in Cline

Q: Can I use Cline to automate searching for Elastic Security signals and generating reports?

Yes. Tell Cline what to look for. It will use searchsignals to get data from Elastic Security and then write a formatted report—in markdown, JSON, or text—directly into your VS Code workspace.

Tell Cline to build your SOC runbooks. It queries Elastic Security, writes the automation scripts, and stages the full commit for you.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect Elastic Security MCP to Cline

Create your Vinkius account to connect Elastic Security to Cline and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup Elastic Security with Cline

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Generate SOC Automation Scripts

Stop manually checking for SIEM updates. Tell Cline: 'Write a Python script that checks if my prepackaged Elastic rules are outdated.' Cline connects to this MCP Server, uses the `get_prepackaged_rules_status` tool, and writes the actual script for you. It doesn't just show you the data. It builds the tool you'll use every day, saving it right in your workspace. You get a finished script, ready to run or commit.

Build Incident Reports with Cline

A critical alert fires. Instead of copy-pasting from five different screens, just tell Cline: 'Investigate signal ID 123 and create a markdown incident report.' Cline gets to work. It calls `search_signals` to pull the alert payload, `get_rule` to fetch the rule's description and MITRE mapping, and formats everything into a clean `.md` file. The report appears in your editor, complete with hostnames, user profiles, and process trees.

Manage Detection Rules as Code

Treat your SIEM rules like any other part of your codebase. You can tell Cline, 'Draft a change to disable the old login rule and create a new one based on this spec.' It will generate the code to call `update_rule` and `create_rule`, placing it in a new script. You review the diff, approve it, and Cline can even stage the commit. This is GitOps for your security posture.

Setup guide

Set up Elastic Security MCP in Cline

Prerequisites

VS Code with Cline extension installed
Active Vinkius subscription with a valid endpoint token

1

Open Cline MCP settings

Click the Cline icon in the VS Code sidebar to open the Cline panel. Then click the MCP Servers icon (server stack) at the top-right corner of the panel.
2

Add a remote server

Click "Remote Servers" at the top, then click "Add Remote MCP". In the Name field, type elastic-security-mcp. In the URL field, paste your Vinkius endpoint: https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp. Get your token from cloud.vinkius.com.
3

Enable the server

After saving, the server appears in the Cline MCP panel. Toggle the switch to enable it. The status indicator turns green when the connection is live.
4

Start using tools

Return to the Cline chat and ask: "Check my latest Elastic Security refund status." Cline will discover the available tools and request your approval before invoking each one — giving you full control over every action.

Cline MCP Settings

{
  "mcpServers": {
    "elastic-security-mcp": {
      "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    }
  }
}

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Elastic Security. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect Elastic Security now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about Elastic Security MCP in Cline

Describe the rule you want in plain English. Cline will write the Python or TypeScript code that calls the `create_rule` tool, complete with the correct parameters, and save it as a new file.

Yes. Tell Cline what to look for. It will use `search_signals` to get data from Elastic Security and then write a formatted report—in markdown, JSON, or text—directly into your VS Code workspace.

You can have Cline script the entire whitelisting process. It will generate code that uses `add_exception` to add a value to an exception list, making the process repeatable and auditable.

Definitely. Just ask Cline to 'write a script to disable rule XYZ.' It will generate the code to call the `update_rule` tool, which you can then run to toggle the rule's state.

The server only processes the data needed for a given task, like rule logic or signal metadata. It never accesses raw logs. Every transaction happens inside a Vinkius ephemeral sandbox, ensuring no sensitive data is ever stored.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript