Elastic MCP server
Run ES|QL queries and triage Elastic Security alerts from your AI agents.
About
Connect Tracecat to Elastic to run ES|QL queries and triage Elastic Security alerts from agents working alongside SOC analysts and detection engineers. You can search across SIEM indices, pull entity risk profiles, and generate detection rules from natural language without an analyst writing the query by hand. From there, agents can chain Elastic Security investigations with the rest of your stack and feed findings back into a Tracecat case.
Setup
1. Create an API key
The Elastic Agent Builder MCP server authenticates with a Kibana API key. The key inherits the Kibana application privileges of the user that created it, so create it with the minimum privileges your agents need.
2. Select the Elastic tile in the Tracecat MCP catalog
Open the MCP catalog in your workspace, select the Elastic tile, and paste your API key.
3. Enable Elastic in your agent
In your ai.agent action or Agents → tools tab, select Elastic from the MCP integrations dropdown.
Tools
platform.core.search: Run full-text and analytical searches against any Elasticsearch index.
platform.core.execute_esql: Run an ES|QL query and return results in tabular format.
platform.core.generate_esql: Convert a natural-language question into an ES|QL query.
platform.core.list_indices: List accessible indices, aliases, and data streams.
platform.core.get_document_by_id: Fetch the full document by ID and index.
security.alerts: Search and analyze security alerts with full-text queries.
security.create_detection_rule: Generate an Elastic Security detection rule from a natural-language description.
security.get_entity: Retrieve an entity profile with risk score and contributing alerts.
security.search_entities: Search the entity store with risk and criticality filters.
observability.get_logs: Search logs with histograms, counts, and pattern categories.
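As an added example (not taken from the Tracecat page or from Elastic's own documentation), this is the kind of ES|QL query that platform.core.execute_esql would run for a first-pass alert triage, and that platform.core.generate_esql might produce from a question such as "which open high-severity rules are firing most, and on how many hosts?". The index pattern .alerts-security.alerts-* and the kibana.alert.* field names are assumptions about a default Elastic Security space; adjust them to your own space and index naming.

```esql
// Constructed triage query (assumed index pattern and field names for a
// default Elastic Security space). Groups open high/critical alerts by rule
// so an analyst can see which detections are noisiest and how widely they hit.
FROM .alerts-security.alerts-*
| WHERE kibana.alert.workflow_status == "open"
    AND kibana.alert.severity IN ("high", "critical")
| STATS
    alert_count = COUNT(*),
    affected_hosts = COUNT_DISTINCT(host.name)
  BY kibana.alert.rule.name, kibana.alert.severity
| SORT alert_count DESC
| LIMIT 20
```

The tabular result (rule name, severity, alert count, distinct host count) is what execute_esql hands back to the agent. A query like this only needs read access to the alert indices, which is the point of step 1 above: scope the API key to the indices and Kibana features the agent's tools actually touch rather than reusing an analyst's full-privilege key.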