Elastic MCP server
Run ES|QL queries and triage Elastic Security alerts from your AI agents.
About
Connect Tracecat to Elastic to run ES|QL queries and triage Elastic Security alerts from agents working alongside SOC analysts and detection engineers. You can search across SIEM indices, pull entity risk profiles, and generate detection rules from natural language without an analyst writing the query by hand. From there, agents can chain Elastic Security investigations with the rest of your stack and feed findings back into a Tracecat case.
Setup
1. Create an API key
   The Elastic Agent Builder MCP server authenticates with a Kibana API key. A key created without role descriptors inherits all privileges of the user that created it, including its Kibana application privileges, so create it from a dedicated low-privilege user or restrict it with role descriptors, set an expiration, and grant only what your agents' tools actually need.
2. Select the Elastic tile in the Tracecat MCP catalog
   Open the MCP catalog in your workspace, select the Elastic tile, and paste your API key.
3. Enable Elastic in your agent
   In your ai.agent action or the Agents → tools tab, select Elastic from the MCP integrations dropdown.
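The following is an added example for step 1; it is not Tracecat or Elastic code. It builds the request body for the real Elasticsearch Create API key endpoint (POST /_security/api_key), audits the role descriptors before the key is created, and shows the over-broad shape beside the restricted one. The index patterns, role and key names, and the Kibana feature privilege strings are assumptions for illustration: verify the feature privilege names against your Kibana version, and if an agent is meant to write rules (security.create_detection_rule), grant that deliberately rather than starting from the creator's full rights.

```python
"""Least-privilege API key for the Elastic MCP integration (added example)."""
import base64
import json
import urllib.request

# Index privileges that only read data; anything else is flagged by the audit.
READ_ONLY_INDEX_PRIVS = {"read", "view_index_metadata", "monitor"}
# Cluster privileges tolerated on an agent key. ES|QL reads need none.
READ_ONLY_CLUSTER_PRIVS = {"monitor"}
# Prefixes of system index patterns an agent key should never cover.
SYSTEM_PATTERN_PREFIXES = (".security", ".kibana", ".fleet", ".async-search")

# Weak shape: cluster "all", "all" on every index, no expiration. A body with no
# role_descriptors at all is just as broad: the key gets every privilege its creator has.
OVERLY_BROAD_KEY = {
    "name": "tracecat-agent",
    "role_descriptors": {
        "agent": {"cluster": ["all"], "indices": [{"names": ["*"], "privileges": ["all"]}]}
    },
}

# Restricted shape: read-only on the log data streams and Security alert indices
# (assumed patterns), no cluster privileges, a 30-day expiry, and read-level Kibana
# feature privileges in the default space.
LEAST_PRIVILEGE_KEY = {
    "name": "tracecat-elastic-agent",
    "expiration": "30d",
    "role_descriptors": {
        "tracecat_agent_read": {
            "cluster": [],
            "indices": [
                {
                    "names": ["logs-*", ".alerts-security.alerts-*"],
                    "privileges": ["read", "view_index_metadata"],
                }
            ],
            "applications": [
                {
                    "application": "kibana-.kibana",
                    # Assumed names; confirm against your Kibana version's privilege list.
                    "privileges": ["feature_discover.read", "feature_siem.read"],
                    "resources": ["space:default"],
                }
            ],
        }
    },
    "metadata": {"owner": "tracecat", "purpose": "mcp-agent"},
}


def audit_role_descriptors(body):
    """Return a list of findings; an empty list means the body is acceptably scoped."""
    findings = []
    if "expiration" not in body:
        findings.append('key never expires; set "expiration" (for example "30d")')
    descriptors = body.get("role_descriptors") or {}
    if not descriptors:
        findings.append("no role_descriptors: the key inherits all privileges of its creator")
    for role, desc in descriptors.items():
        for priv in desc.get("cluster", []):
            if priv not in READ_ONLY_CLUSTER_PRIVS:
                findings.append(f"{role}: cluster privilege {priv!r} is not read-only")
        for entry in desc.get("indices", []):
            names = entry.get("names", [])
            for name in names:
                if name == "*" or name.startswith(SYSTEM_PATTERN_PREFIXES):
                    findings.append(f"{role}: index pattern {name!r} is too broad or covers system indices")
            for priv in entry.get("privileges", []):
                if priv not in READ_ONLY_INDEX_PRIVS:
                    findings.append(f"{role}: index privilege {priv!r} on {names} can modify data")
    return findings


def encode_api_key(key_id, api_key):
    """The 'encoded' form Elasticsearch returns: base64 of "id:api_key"."""
    return base64.b64encode(f"{key_id}:{api_key}".encode()).decode()


def authorization_header(encoded):
    """Header the MCP client sends with every request."""
    return {"Authorization": f"ApiKey {encoded}"}


def create_api_key(es_url, username, password, body, timeout=10):
    """POST the body to the Create API key endpoint once the audit passes and return
    the encoded credential. Needs network access to your cluster; not run offline."""
    findings = audit_role_descriptors(body)
    if findings:
        raise ValueError("refusing to create an over-privileged key: " + "; ".join(findings))
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{es_url.rstrip('/')}/_security/api_key",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {basic}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["encoded"]


if __name__ == "__main__":
    print("broad key findings:", *audit_role_descriptors(OVERLY_BROAD_KEY), sep="\n  ")
    print("restricted key findings:", audit_role_descriptors(LEAST_PRIVILEGE_KEY))
    # create_api_key("https://es.example.internal:9200", "elastic", "...", LEAST_PRIVILEGE_KEY)
```

Run the audit against whatever body you intend to submit; the value returned as `encoded` is what you paste into the Elastic tile, and the key is checked as a whole, so a descriptor that silently includes `all` or a bare `*` pattern is rejected before anything touches the cluster.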
Tools
| Tool | Description |
| --- | --- |
| platform.core.search | Run full-text and analytical searches against any Elasticsearch index. |
| platform.core.execute_esql | Run an ES|QL query and return results in tabular format. |
| platform.core.generate_esql | Convert a natural-language question into an ES|QL query. |
| platform.core.list_indices | List accessible indices, aliases, and data streams. |
| platform.core.get_document_by_id | Fetch the full document by ID and index. |
| security.alerts | Search and analyze security alerts with full-text queries. |
| security.create_detection_rule | Generate an Elastic Security detection rule from a natural-language description. |
| security.get_entity | Retrieve an entity profile with risk score and contributing alerts. |
| security.search_entities | Search the entity store with risk and criticality filters. |
| observability.get_logs | Search logs with histograms, counts, and pattern categories. |