How to Use the Elastic Security MCP in OpenAI Agents SDK

Q: Can I use OpenAI Agents SDK to automatically write new Elastic Security rules?

Yes, your agent can call createrule to build custom log detection rules based on threat intel reports. You should use the SDK's guardrail features to validate the query syntax before the rule goes live in your SIEM.

Q: Does the OpenAI Agents SDK support real-time alert triage with Elastic Security?

It does, by using an async loop to query searchsignals over the MCP connection at set intervals. When a new threat signal matches, the agent can immediately trigger a Slack notification or hand off the task to a human analyst.

Q: How do I handle rule tuning without breaking my existing configurations?

Your agent can call getrule to inspect the exact query logic and run intervals before making changes. If a rule is too noisy, the agent uses updaterule to temporarily disable it or adjust the index scopes.

Deploy production-grade security agents using the OpenAI Agents SDK to manage Elastic Security rules and triage alerts.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect Elastic Security MCP to OpenAI Agents SDK

Create your Vinkius account to connect Elastic Security to OpenAI Agents SDK and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup Elastic Security with OpenAI Agents SDK

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Automate SIEM Triage with OpenAI Agents SDK

The `search_signals` tool lets your OpenAI security agent query raw generated Elastic Security alerts directly from your Python runtime. When an alert fires, the agent inspects the payload structure, analyzing hostnames, process trees, and IP geolocations to determine if an active threat requires manual intervention or if it's just a false positive. By feeding these telemetry details into specialized agent handoffs, you can route high-risk alerts to your incident response team while letting background agents resolve known administrative noise. This integration runs inside the Vinkius sandbox, keeping your API keys protected while your models run through the OpenAI tracing dashboard.

Deploy Safe Exception Logic via the MCP Server

The `add_exception` tool writes exception values directly to your Elastic exception containers to ignore telemetry from verified safe sources. If a vulnerability scanner triggers a sudden wave of alerts, your agent can catch the noise and immediately whitelist the hostname to stop the spam. Using the built-in guardrails in the OpenAI Agents SDK, you can force the agent to run verification checks before running `list_exceptions` or modifying any bypass logic. This prevents your agent from accidentally blinding your SOC by whitelisting an unverified external IP or a suspicious process.

Audit and Update Rule Coverage Dynamically

The `get_prepackaged_rules_status` tool checks if your deployment is missing the latest threat models for Windows, Linux, or Cloud environments. Your agent runs this check to verify your security posture against fresh CVEs without requiring you to manually click through the Kibana UI. When gaps are found, the agent uses `update_rule` to activate dormant protections or adjust severity scores based on actual asset valuations. This MCP Server keeps your threat detection active and current while you monitor every single rule modification live on your OpenAI developer dashboard.

Setup guide

Set up Elastic Security MCP in OpenAI Agents SDK

Prerequisites

Python 3.10+ installed
openai-agents package (pip install openai-agents)
Active Vinkius subscription with a valid endpoint token

1

Install the SDK

Run pip install openai-agents to install the OpenAI Agents SDK. The MCP integration is built-in — no extra dependencies needed.
2

Connect via SSE transport

Use MCPServerSse with your Vinkius endpoint URL. Replace [YOUR_TOKEN_HERE] with your token from cloud.vinkius.com. The SDK auto-discovers all Elastic Security tools at runtime.
3

Create your Agent

Pass the MCP to Agent(mcp_servers=[server]). The agent receives Elastic Security tools as native definitions — JSON schemas resolve automatically.
4

Run the agent

Call Runner.run(agent, prompt) to execute. The agent invokes the appropriate Elastic Security tools and returns structured results. Copy the full example on the right to get started.

agent.py

import asyncio
from agents import Agent, Runner
from agents.mcp import MCPServerSse

async def main():
    async with MCPServerSse(
        url="https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    ) as server:
        agent = Agent(
            name="Elastic Security Agent",
            instructions="You have access to Elastic Security tools.",
            mcp_servers=[server],
        )
        result = await Runner.run(agent, "List recent transactions")
        print(result.final_output)

asyncio.run(main())

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Elastic Security. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect Elastic Security now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about Elastic Security MCP in OpenAI Agents SDK

You do not store raw Elastic credentials inside your Python code. Vinkius manages the authentication layer for this MCP Server, exposing a single secure endpoint token that your OpenAI Agents SDK uses to connect and run tools like `list_detection_rules`.

Yes, your agent can call `create_rule` to build custom log detection rules based on threat intel reports. You should use the SDK's guardrail features to validate the query syntax before the rule goes live in your SIEM.

It does, by using an async loop to query `search_signals` over the MCP connection at set intervals. When a new threat signal matches, the agent can immediately trigger a Slack notification or hand off the task to a human analyst.

Your agent can call `get_rule` to inspect the exact query logic and run intervals before making changes. If a rule is too noisy, the agent uses `update_rule` to temporarily disable it or adjust the index scopes.

All raw alerts, exception lists, and rule configurations remain within your Elastic deployment and the secure Vinkius sandbox. The OpenAI Agents SDK only receives the specific text payloads returned by tools like `list_exceptions` to process the reasoning steps.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript