# Elastic Security MCP for AI Agents

> Elastic Security connects your AI client directly to your SIEM environment, giving you conversational control over threat detection and SOC auditing. You can search raw security alerts, manage complex custom rulesets, audit MITRE ATT&CK coverage, and handle exceptions—all without leaving the chat window.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** siem, threat-detection, soc-operations, cybersecurity, alert-management, mitre-att-ck

## Description

Managing a modern security stack is complicated. Usually, checking rule logic or searching for specific threats means jumping through three dashboards, running CLI commands, and cross-referencing spreadsheets. This MCP lets you skip all that overhead. Instead of navigating complex consoles, you talk to your AI client and tell it exactly what you need done with your threat detection environment.

It's like having a security expert sitting next to you who has instant access to every rule, alert, and log entry in the system. Need to check if a new ransomware variant is covered? Just ask. Found a false positive from a scanner? Whitelist it instantly. This MCP brings that level of detailed control straight into your conversation flow. Vinkius hosts this connection, so you can plug directly into your favorite AI client and start managing your SIEM operations immediately.

## Tools

### add_exception
Adds a hostname to an exception list, telling the SIEM engine to ignore telemetry from that specific host for certain rules.

### create_rule
Defines and activates a new log detection rule that tracks malicious activity patterns across your environment.

### delete_rule
Permanently removes custom-written detection rules from the system, which is an irreversible action.

### list_exceptions
Retrieves the global exception lists that are attached to specific rules and suppress alerts when known administrative behavior is matched.

### find_detection_rules
Searches for existing detection rules using criteria like name, tag, or MITRE tactic to quickly evaluate coverage against new threats.

### get_rule
Retrieves exact details, including run intervals and query logic, for a single specified detection rule.

### get_prepackaged_rules_status
Checks if your environment's official prepackaged rules are up to date against the latest threat models (Windows, Linux, Cloud).

### list_detection_rules
Displays a comprehensive list of every configured detection rule within the SIEM system for full inventory.

### search_signals
Searches raw, generated security alerts (Signals), enriching them with user profiles and IP geolocation data in one view.

### update_rule
Enables or disables an existing detection rule to manage noisy triggers or re-activate rules after tuning.

## Prompt Examples

**Prompt:** 
```
Show me all active rules related to suspicious process execution.
```

**Response:** 
```
**Active Rules Found:**
*   **Volume Shadow Copy Deletion via WMIC:** Severity: High | MITRE Tactic: Defense Evasion
*   **Suspicious PowerShell Call:** Severity: Medium | MITRE Tactic: Execution
*   **Ransomware-linked Process Execution:** Severity: Critical | MITRE Tactic: Impact

You can use the full logic for any of these, or disable 'Suspicious PowerShell Call' if it generates too much noise.
```

**Prompt:** 
```
What happened with the user admin_root yesterday?
```

**Response:** 
```
**Security Signals for admin_root (Yesterday):**
*   **10:15 AM:** Suspicious LDAP Query detected from 192.168.1.5.
    *Source IP:* 192.168.1.5 | *Process Tree:* winlogbeat -> powershell.exe
*   **10:45 AM:** Brute Force Attempt recorded on the Domain Controller.
    *Details:* Failed logins from multiple IPs within a five-minute window.
```

**Prompt:** 
```
Check if my current detection rules are up to date.
```

**Response:** 
```
**System Health Check Results:**
*   **Windows Environment:** Status - Needs Update. The latest official threat model for credential dumping was released two days ago.
*   **Linux/Cloud:** Status - Current. All required models are within the last 48 hours.

**Action Recommended:** Run an update on the Windows prepackaged rules immediately to close this gap.
```

## Capabilities

### Search and correlate raw security alerts
Retrieve comprehensive security signals by searching across hostnames, user profiles, IP geolocations, and full process trees.

### Create and modify detection logic
Build new custom log detection rules or update existing ones to track malicious activity patterns (TTPs) in real time.

### Audit threat coverage and rule status
Search for specific rules by MITRE tactic, check if official prepackaged rules need updates, or list all configured detection rules for gap analysis.

### Manage false positive exceptions
Whitelist hostnames in exception lists or add global exception records to prevent known-good administrative behavior from triggering alerts.

### Control rule lifecycles and state
Irreversibly delete custom rules or enable/disable specific detection rules across large organizational units as needed for tuning.

## Use Cases

### Investigating a new ransomware pattern
The team notices unusual activity. They ask their agent to search for security signals from the last hour, focusing on user 'admin_root' and looking for process trees related to volume shadow copy deletion. The system returns specific alerts with source IPs.

### Tuning false positive alert noise
The Security Engineer knows a vulnerability scanner runs weekly but triggers dozens of alerts. They tell the agent to check global exception lists and then use `add_exception` to whitelist the scanning host, clearing up the dashboard.

### Auditing threat gaps for compliance
During a compliance review, the CISO needs proof of coverage for 'Lateral Movement'. They ask the agent to search detection rules specifically by the MITRE tactic tag. The system returns all relevant rule names and their current status.

### Responding to zero-day reports
A new CVE is reported overnight. An Incident Responder asks for a list of all configured detection rules, filtered by 'CVE' or the affected asset type, allowing them to quickly verify if existing logic tracks the threat.

## Benefits

- Stop manually cross-referencing rule logic. Use the `find_detection_rules` tool to search by MITRE tactic or name, instantly showing if your coverage is adequate for new threats.
- Reduce alert fatigue immediately. If you have false positives from scanners, use `add_exception` or `list_exceptions` to whitelist hosts and keep the noise down without disabling vital rules.
- Gain full visibility into incidents with `search_signals`. Instead of piecing together data, you get a single view that consolidates hostnames, user profiles, and IP geolocations for every alert.
- Maintain system health effortlessly. Run `get_prepackaged_rules_status` to verify if the official rules need updating, ensuring you're covered by the latest threat models.
- Tweak your environment with precision. Use `update_rule` or `delete_rule` to manage detection rule state—disabling noisy triggers without deleting necessary logic.

## How It Works

The bottom line is that you manage threat hunting and SOC operations entirely through conversation.

1. Subscribe to this MCP and provide your Kibana Host, Port, and Elastic API Key.
2. Your AI client connects to the service, authenticating your access rights across the security stack.
3. You interact with the system using natural language prompts to execute complex tasks like searching signals or updating detection rules.

## Frequently Asked Questions

**How does the Elastic Security MCP improve my SOC alert management?**
The MCP lets you manage complex SIEM operations entirely through natural conversation. Instead of clicking between dashboards to find threat coverage, you can ask the agent directly if a specific vulnerability is tracked by existing rules.

**Can I use the Elastic Security MCP to handle false positive alerts?**
Yes. You can whitelist hostnames or add global exception lists using this MCP. This prevents known-good administrative activity, like scanner checks, from generating unnecessary alerts and cleans up your dashboard.

**What kind of security events can I search for with the Elastic Security MCP?**
You can search raw generated security signals (alerts). The system consolidates all necessary metadata—hostnames, user profiles, and IP geolocations—into one view, making investigations much faster.

**Is this MCP good for auditing compliance against MITRE ATT&CK?**
Absolutely. You can find detection rules by specific tags or the MITRE tactic they cover. This lets you prove your coverage status quickly and easily, which is essential during audits.

**How do I update or modify an existing security rule using Elastic Security MCP?**
You can enable or disable rules using this MCP via natural language commands. This allows you to manage noisy triggers across large units without manually editing the rule logic in the console.