Elastic Security MCP App
Brings interactive blue-team security operations into AI hosts, enabling alert triage, attack discovery, case management, detection rules, threat hunting, and sample data generation with rich inline UIs.
Quick Demo
https://github.com/user-attachments/assets/cb62a569-1ef0-4fb0-90c7-587b98fb2049
An MCP App that brings interactive blue-team security operations directly into Claude, VS Code, and other MCP-compatible AI hosts. Built on the Model Context Protocol with interactive UI extensions that render inline in the conversation.
What are MCP Apps? MCP Apps extend the Model Context Protocol to let tool servers return interactive HTML interfaces — dashboards, forms, visualizations — that render inside the AI conversation. The LLM calls a tool, and instead of just returning text, an interactive UI appears alongside the response.

What This Does
This project provides six interactive security operations tools, each with a rich React-based UI that renders inline when Claude (or another MCP host) calls the tool:
| Tool | What It Does |
|---|---|
| Alert Triage | Fetch, filter, and triage security alerts with AI verdict cards, process tree, and network investigation |
| Attack Discovery | AI-powered correlated attack chain analysis with confidence scoring, entity risk, and MITRE mapping |
| Case Management | Create, search, and manage SOC investigation cases with AI-assisted actions |
| Detection Rules | Browse, tune, and manage detection rules with KQL search and noisy rules analysis |
| Threat Hunt | ES\|QL workbench with clickable entities and a D3 investigation graph |
| Sample Data | Generate ECS security events for demos across 4 attack chain scenarios |
See docs/features.md for a full breakdown of each tool's capabilities.
Quick Start
> [!TIP] Just want to try it? Download example-mcp-app-security.mcpb and double-click it. No Node.js, no cloning, no config files. Claude Desktop handles the rest — during install, fill in your Elasticsearch URL, Kibana URL, and API key. See Creating an API key if you need to generate one first.
For the API key's permissions, see Required permissions (stateful) or Serverless permissions (Elastic Cloud Serverless Security projects). The stateful Quickstart uses Kibana's built-in editor (full-featured) or viewer (read-only) role plus a small companion role for index access — fastest unless you need a fully scripted custom role.
For other hosts (Cursor, VS Code, Claude Code) or building from source, see Installation below.
How It Works

When a user asks Claude to triage alerts or run a threat hunt, Claude calls a model-facing tool on this server. The tool returns a compact text summary to Claude and an interactive React UI that renders inline in the conversation. The UI then calls app-only tools directly for all subsequent interactions — keeping the LLM context small while the UI has full data access.
See docs/architecture.md for details on how views are built, how the UI communicates with the server, and key design decisions.
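The split described above (a compact summary for the model, full data reachable only by the UI) is the part of this design that keeps sensitive alert payloads out of the LLM context. The following is an added illustration of that pattern and is not code from this project: the alert shape, the sample alerts and the handle-based result store are all constructed for the example, and no MCP SDK API is used.

```typescript
// Added example, not the project's own code: one tool call produces a short
// model-facing summary plus a handle; the UI resolves the handle to the full
// alert list through an app-only lookup. Alert shape and data are constructed.
type Severity = "low" | "medium" | "high" | "critical";

interface Alert {
  id: string;
  ruleName: string;
  severity: Severity;
  hostName: string;
  timestamp: string;
}

// Constructed sample alerts (not real data).
const SAMPLE_ALERTS: Alert[] = [
  { id: "a1", ruleName: "Suspicious PowerShell", severity: "high", hostName: "ws-01", timestamp: "2024-01-01T10:00:00Z" },
  { id: "a2", ruleName: "Suspicious PowerShell", severity: "high", hostName: "ws-02", timestamp: "2024-01-01T10:02:00Z" },
  { id: "a3", ruleName: "New Admin User", severity: "critical", hostName: "dc-01", timestamp: "2024-01-01T10:05:00Z" },
  { id: "a4", ruleName: "Port Scan", severity: "low", hostName: "ws-01", timestamp: "2024-01-01T10:07:00Z" },
];

// Server-side store of full result sets keyed by an opaque handle. Only the
// handle and the aggregate counts are returned to the model.
const resultStore = new Map<string, Alert[]>();
let nextHandle = 1;

interface ModelSummary {
  handle: string;
  total: number;
  bySeverity: Record<Severity, number>;
  topRules: Array<{ ruleName: string; count: number }>;
  text: string;
}

// Model-facing side: aggregate, store the raw alerts, and return a compact
// text summary the LLM can reason about without seeing every event.
function summarizeForModel(alerts: Alert[], topN = 3): ModelSummary {
  const handle = `alerts-${nextHandle++}`;
  resultStore.set(handle, alerts);

  const bySeverity: Record<Severity, number> = { low: 0, medium: 0, high: 0, critical: 0 };
  const ruleCounts = new Map<string, number>();
  for (const a of alerts) {
    bySeverity[a.severity] += 1;
    ruleCounts.set(a.ruleName, (ruleCounts.get(a.ruleName) ?? 0) + 1);
  }
  const topRules = [...ruleCounts.entries()]
    .map(([ruleName, count]) => ({ ruleName, count }))
    .sort((x, y) => y.count - x.count || x.ruleName.localeCompare(y.ruleName))
    .slice(0, topN);

  const text =
    `${alerts.length} alerts (critical ${bySeverity.critical}, high ${bySeverity.high}, ` +
    `medium ${bySeverity.medium}, low ${bySeverity.low}). Top rules: ` +
    topRules.map((r) => `${r.ruleName} (${r.count})`).join(", ") +
    `. Full results are available to the UI under handle ${handle}.`;

  return { handle, total: alerts.length, bySeverity, topRules, text };
}

// App-only side: the UI resolves the handle to the full alert list. Unknown
// handles yield undefined rather than an error that leaks store contents.
function fetchForUi(handle: string): Alert[] | undefined {
  return resultStore.get(handle);
}
```

Calling `summarizeForModel(SAMPLE_ALERTS)` yields a one-line text summary plus the handle; `fetchForUi(handle)` returns all four alerts for the inline UI. The point of the handle is that host names, rule names per event and timestamps never enter the conversation unless the model is explicitly given them.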
Telemetry
The MCP App emits anonymised usage events via @elastic/ebt. Shipping is mirrored to the user's Kibana telemetry opt-in — nothing leaves the process unless Kibana reports optIn === true. See docs/telemetry.md for the event catalog, what's collected, and how to opt out.
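The opt-in mirror above is a fail-closed check: only a Kibana answer of exactly `optIn === true` permits shipping. The following added example (not the project's telemetry code, and not using @elastic/ebt) shows that gate with a small in-process shipper; the shape of the opt-in lookup result and the event type are assumptions for illustration.

```typescript
// Added example, not the project's own code: a telemetry shipper that mirrors
// an opt-in status and fails closed. The lookup result shape (an object with an
// optIn field) is assumed for illustration.
interface TelemetryEvent {
  name: string;
  properties: Record<string, string | number | boolean>;
}

// Whatever returns the opt-in status; it may throw if Kibana is unreachable.
type OptInLookup = () => unknown;

class TelemetryShipper {
  private queue: TelemetryEvent[] = [];
  readonly shipped: TelemetryEvent[] = [];   // stands in for "sent out of process"
  readonly dropped: TelemetryEvent[] = [];   // discarded because not opted in

  constructor(private readonly lookupOptIn: OptInLookup) {}

  record(event: TelemetryEvent): void {
    this.queue.push(event);
  }

  // Strict decision: only the literal boolean true allows shipping. Strings
  // such as "true", a missing field, null, or a failed lookup all mean "off".
  static isOptedIn(status: unknown): boolean {
    return typeof status === "object" && status !== null &&
      (status as { optIn?: unknown }).optIn === true;
  }

  // Flush the queue; returns how many events left the process.
  flush(): number {
    let status: unknown;
    try {
      status = this.lookupOptIn();
    } catch {
      status = undefined; // lookup failure is treated as opted out
    }
    const allowed = TelemetryShipper.isOptedIn(status);
    const batch = this.queue.splice(0);
    for (const ev of batch) {
      (allowed ? this.shipped : this.dropped).push(ev);
    }
    return allowed ? batch.length : 0;
  }
}
```

The design choice worth copying is that every ambiguous state (unreachable Kibana, an unexpected response shape, a string `"true"`) resolves to not shipping, so a misconfiguration can only ever under-report, never leak.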
Skills
The skills/ directory contains Claude Skills — SKILL.md files that teach Claude when and how to use the tools. See docs/setup-skills.md for installation instructions.
Installation
| Guide | Description |
|---|---|
| Add to Claude Desktop | Install the MCP app via one-click .mcpb or manual config |
| Add to Cursor | Connect the MCP app via npx or a locally running server |
| Add to VS Code | Connect the MCP app via npx or a locally running server |
| Add to Claude Code | Register the MCP app via the claude mcp add CLI |
| Add to Claude.ai | Expose the MCP app via a cloudflared tunnel |
| Build and run locally | Build the MCP server from source and run it on your machine |
| Install skills | Install skills via npx, local clone, or zip upload |
| Updating | How to update to a newer release |
Development
```bash
npm run dev           # Watch mode
npm run typecheck     # Type-check only
npm run build:views   # Build views only
npm run build:server  # Build server only
```
Inspired By
- Elastic Agent Skills — SOC triage methodology and tool patterns
- MCP Apps Specification — Interactive UI extensions for MCP
License
Elastic-2.0