How to Use the Elastic Security MCP in Windsurf

Q: How does Windsurf use the Elastic Security MCP Server to create and verify a new rule?

You tell Windsurf your goal. It uses createrule to build the detection in Elastic Security, then immediately follows up with searchsignals to check for any fresh alerts that match the new rule.

Q: Can Windsurf audit my Elastic Security rule coverage for a new threat?

Yes. Give it a threat name or CVE. It will use finddetectionrules to search your custom and prepackaged rules, giving you a quick coverage report.

Let Windsurf's Cascade agent manage your Elastic SIEM. It chains security tasks autonomously, from rule creation to threat investigation.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect Elastic Security MCP to Windsurf

Create your Vinkius account to connect Elastic Security to Windsurf and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup Elastic Security with Windsurf

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Autonomous Rule Deployment

Tell Windsurf to deploy a new detection for credential dumping. Cascade gets to work, chaining tools without asking you at each step. It uses `create_rule` to define the new logic, then immediately runs `search_signals` to see if the rule triggered on any recent activity. You get the result, not a list of questions. This MCP Server connects your agent directly to your SIEM. It's the difference between asking for directions and just arriving at the destination.

Audit Your SIEM with Windsurf

Ask Windsurf: 'Are we covered for the latest Log4j variant?' Cascade plans and executes a full audit. It starts with `get_prepackaged_rules_status` to see if your official rules are current. Then, it uses `find_detection_rules` to look for anything tagged with the specific CVE. You get a clear answer, fast. It’s a full security posture check from a single prompt, not a dozen manual queries.

Triage False Positives Instantly

A developer complains about a noisy alert flooding their logs. Just tell Windsurf to handle it. Cascade uses `search_signals` to pinpoint the exact alert, then `get_rule` to pull the underlying logic and see what's firing. It then uses `add_exception` to whitelist the known-good activity, silencing the noise. The whole process is done before you could even open the SIEM dashboard.

Setup guide

Set up Elastic Security MCP in Windsurf

Prerequisites

Windsurf IDE installed (macOS, Windows, or Linux)
Active Vinkius subscription with a valid endpoint token

1

Open MCP configuration

Click the Cascade assistant icon in the sidebar, then click the hammer icon (🔨) at the top of the panel. Select "Configure" to open ~/.codeium/windsurf/mcp_config.json.
2

Add the Elastic Security MCP

Paste the JSON snippet shown on the right into the mcpServers object. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com.
3

Refresh MCPs

Go back to the hammer icon (🔨) in Cascade and click "Refresh". Windsurf will detect the new server. No full restart is needed — the connection is hot-reloaded.
4

Verify in Cascade

Start a new Cascade conversation and ask something like "Show my Elastic Security payment history." If connected, Cascade will call the Elastic Security tools directly. You will see a green dot next to the server name in the MCP panel.

mcp_config.json

{
  "mcpServers": {
    "elastic-security-mcp": {
      "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    }
  }
}

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Elastic Security. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect Elastic Security now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about Elastic Security MCP in Windsurf

You tell Windsurf your goal. It uses `create_rule` to build the detection in Elastic Security, then immediately follows up with `search_signals` to check for any fresh alerts that match the new rule.

Yes. Give it a threat name or CVE. It will use `find_detection_rules` to search your custom and prepackaged rules, giving you a quick coverage report.

Just describe the noisy behavior. Windsurf will find the offending rule with `get_rule` and then use `add_exception` to whitelist the specific hostname or user, stopping the false alerts.

Absolutely. If a rule is causing problems, tell Windsurf to disable it. It will use the `update_rule` tool to switch it off immediately.

It only interacts with rule definitions, exception lists, and signal metadata like hostnames and IP addresses. Your raw logs are never touched. All actions run in a dedicated Vinkius sandbox that's wiped after each operation.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript