v1.0.0 — Elastic Security MCP App
Initial release of the Elastic Security MCP App — an MCP App that brings interactive blue-team security operations directly into Claude, Cursor, VS Code, and other MCP-compatible AI hosts.
Tools
Six interactive security operations tools, each with a rich React-based UI that renders inline in the AI conversation:
Alert Triage — Fetch, filter, and triage security alerts with AI verdict cards, process tree visualization, network investigation, and MITRE ATT&CK mapping. Claude acts as a senior analyst with intent-aware filtering and structured Malicious/Suspicious/Benign classifications.
Attack Discovery — On-demand AI-powered correlated attack chain analysis using Elastic's Attack Discovery API. Includes confidence scoring, entity risk assessment, attack flow diagrams, MITRE tactics mapping, and approve/reject triage workflows.
Case Management — Create, search, and manage SOC investigation cases via the Kibana Cases API. Features tabbed detail views, AI action buttons (summarize, suggest next steps, extract IOCs, generate timeline), auto-attach alerts, and markdown-rendered comments.
Detection Rules — Browse, tune, and manage detection rules with KQL search, severity indicators, MITRE tags, query validation, and noisy rules analysis with alert volume bar charts.
Threat Hunt — ES|QL query workbench with a D3 investigation graph. Progressive entity expansion, hover-to-trace connections, draggable nodes, and clickable entities that pull live Elasticsearch data on click.
Sample Data Generator — Generate ECS-compliant security events across four attack chain scenarios: Windows Credential Theft, AWS Privilege Escalation, Okta Identity Takeover, and Ransomware Kill Chain. All generated data is tagged so it can be removed cleanly afterwards.
Installation
Multiple installation options are available:
- Claude Desktop: One-click install via a .mcpb package
- Cursor / VS Code: Via npx, local stdio, or an HTTP connection
- Claude Code: Via the claude mcp add CLI command
- Claude.ai: Via cloudflared tunnel
See the installation guides for details.
Skills
Includes five Agent Skills that teach Claude when and how to use each tool: alert triage, attack discovery triage, case management, detection rule management, and sample data generation. Install via npx, local clone, or zip upload.
Requirements
- Node.js 22+
- Elasticsearch 8.x or 9.x with Security enabled
- Kibana 8.x or 9.x (for cases, rules, and attack discovery)
- An Elasticsearch API key (how to create one)
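A preflight script for the requirements above, added here as an example and not part of the Elastic Security MCP App itself. It checks the local Node.js major version, then reads the version reported by Elasticsearch (GET /) and Kibana (GET /api/status) using the API key; the environment variable names ELASTICSEARCH_URL, KIBANA_URL and ELASTIC_API_KEY are assumptions.

```shell
#!/bin/sh
# Preflight check for the Elastic Security MCP App requirements (added example).
# Assumed env vars: ELASTICSEARCH_URL, KIBANA_URL, ELASTIC_API_KEY.
set -eu

# Extract the major number from "v22.1.0" / "8.17.0" style strings.
version_major() {
  printf '%s' "$1" | sed -n 's/^v\{0,1\}\([0-9][0-9]*\)\..*/\1/p'
}

# Node.js 22 or newer is required.
node_ok() {
  major=$(version_major "$1")
  [ -n "$major" ] && [ "$major" -ge 22 ]
}

# Elasticsearch and Kibana must be 8.x or 9.x.
stack_ok() {
  major=$(version_major "$1")
  [ -n "$major" ] && { [ "$major" -eq 8 ] || [ "$major" -eq 9 ]; }
}

# Pull version.number out of a (possibly pretty-printed) JSON body without jq.
# A 401 body from a bad API key has no "version" object, so this yields "".
json_version() {
  printf '%s' "$1" | tr -d '\n\r' \
    | sed -n 's/.*"version"[[:space:]]*:[[:space:]]*{[[:space:]]*"number"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

preflight() {
  node_ver=$(node --version 2>/dev/null || echo none)
  node_ok "$node_ver" || { echo "FAIL: Node.js 22+ required, found $node_ver"; return 1; }

  es_body=$(curl -sS -H "Authorization: ApiKey $ELASTIC_API_KEY" "$ELASTICSEARCH_URL/")
  es_ver=$(json_version "$es_body")
  stack_ok "$es_ver" || { echo "FAIL: Elasticsearch 8.x/9.x required, got '${es_ver:-no version (check API key)}'"; return 1; }

  kb_body=$(curl -sS -H "Authorization: ApiKey $ELASTIC_API_KEY" "$KIBANA_URL/api/status")
  kb_ver=$(json_version "$kb_body")
  stack_ok "$kb_ver" || { echo "FAIL: Kibana 8.x/9.x required, got '${kb_ver:-no version (check API key)}'"; return 1; }

  echo "OK: node $node_ver, elasticsearch $es_ver, kibana $kb_ver"
}

# Only contact the cluster when the assumed variables are set.
if [ -n "${ELASTICSEARCH_URL:-}" ]; then preflight; fi
```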