Elasticsearch has native integrations with the industry-leading Gen AI tools and providers. Check out our webinars on going Beyond RAG Basics, or Building Prod-Ready Apps with the Elastic vector database.
To build the best search solutions for your use case, start a free cloud trial or try Elastic on your local machine now.
AI agents are only as good as the surfaces they return. A text-only tool result flattens anything that is naturally visual or interactive: a dashboard, an alert list, an investigation graph, a distributed trace. The conversation becomes a place where you ask and the agent answers, but the moment the work gets dense, you leave for a separate tab, a separate product, a separate authentication boundary.
MCP Apps change the shape of that answer. A tool can now return an interactive UI alongside its text summary, and the host (Claude Desktop, Claude.ai, VS Code Copilot, Cursor) renders it inline in the conversation. The model keeps the compact text for reasoning. The human gets a live, clickable interface right next to the chat.
Three properties make this a different kind of integration than "a webhook that returns a URL":
- Context preservation. The UI lives inside the conversation. No tab switching, no hand-offs.
- Bidirectional data flow. The UI can call tools on the MCP server for fresh data, and the host can push new results from the agent back into the UI. No separate API layer or authentication plumbing.
- Sandboxed trust boundary. MCP Apps run in a host-controlled iframe. They cannot access the parent page, read cookies, or escape their container.
Security operations run on triage, investigation graphs, and Attack Discovery, where an AI agent correlates hundreds of alerts into a handful of attack chains. Observability means distributed traces and time-series drill-downs. Building in Kibana means a dashboard grid. Flatten any of that to text and you lose the thing that makes it useful. We built MCP Apps for all three and are open-sourcing them together, so the same conversation can move from a triage queue to a dependency graph to a live dashboard without ever leaving the chat.
Each of the three reference apps is one MCP server serving many interactive views, not a bundle of separate products. The security app alone surfaces six dashboards that share the same server shell, the same tool-visibility model, and the same host bridge. The pattern is small; the surface area is where the value compounds.
Elastic Security MCP App
Why it matters for the SOC
When an agent tells a SOC analyst, "There are 47 alerts on host-314, here's a summary," it hasn't done any work. It's just pointed at where the work starts. The actual work lives in the alert list, the process tree, the investigation graph, and the case file. You can't do it from a paragraph of text.
The security MCP App returns the workflow itself. The analyst prompts the agent, and the agent returns an interactive dashboard in the chat where the analyst can drill into alerts, run threat hunts, correlate attack chains, and open cases, all without losing the thread of the conversation. And because the findings, queries, and cases all land back in Elasticsearch, the same investigation is waiting in Kibana where the analyst can pick back up after the conversation has been closed.
Six interactive dashboards
The Elastic Security MCP App ships six interactive elements, one per major SOC workflow. Each one is a React UI that renders inline when the agent calls the corresponding tool:
| Tool | What it does | Interactive UI |
|---|---|---|
| Alert triage | Fetch, filter, and classify security alerts | Severity grouping, AI verdict cards, process tree, network events |
| Attack Discovery | AI-correlated attack chain analysis with on-demand generation | Attack narrative cards with confidence scoring, entity risk, MITRE mapping |
| Case management | Create, search, and manage investigation cases | Case list with alerts, observables, comments tabs, AI actions |
| Detection rules | Browse, tune, and manage detection rules | Rule browser with KQL search, query validation, noisy-rule analysis |
| Threat hunt | ES|QL workbench with entity investigation | Query editor, clickable entities and investigation graph |
| Sample data | Generate ECS security events for common attack scenarios | Scenario picker with four pre-built attack chains |
Each tool returns a compact text summary that the model can reason over, alongside the interactive UI the analyst acts on. The UI can also fetch fresh data behind the scenes through the MCP host bridge. The full tool model and bridge API live in the repo's architecture doc.
The app also ships with Claude Desktop skills, SKILL.md files that teach the agent when and how to use each tool. Download pre-built skill zips from the latest release.
From Alert to Case
Four skills cover the core SOC loop. Each one picks up a prompt, calls a tool, and returns an interactive dashboard alongside a text summary that the model reasons over. An analyst's day usually starts with an alert queue.
Triage alerts. Ask the agent to triage by host, rule, user, or time window. Ask the agent to triage by host, rule, user, or time window. The Alert Triage skill returns a dashboard of AI verdicts above the raw alert list, with one verdict per detection rule classifying that rule's activity as benign, suspicious, or malicious, each with a confidence score and a recommended action. Click any alert to open a detailed view with a process tree, network events, related alerts, and MITRE ATT&CK tags. No need to context switch between AI conversation and your alerts dashboard inside Kibana, everything is happening in real time inside your conversation.
Hunt for threats. Ask the agent to hunt across your indices. The Threat Hunt skill returns an ES|QL workbench with the query pre-populated and auto-executed, with every entity in the results clickable for drill-down. The model writes a short read-out below the table: what's unusual, what's connected, what's worth a closer look. It then offers the next pivot: either go deeper into the threat hunt, or start a new skill within the MCP app that complements the work done so far. What marries this really well is launching an attack discovery to gather more context into the alerts you’ve gone deep with and the threats you have hunted so far. What ties this really well is launching an Attack Discovery to gather more context on the alerts you’ve gone deep with and the threats you have hunted so far.
Run Attack Discovery. The Attack Discovery skill triggers the Attack Discovery API and returns a ranked list of findings. Each finding is a set of related alerts stitched into one attack chain, with MITRE tactics, a risk score, a confidence label, and the impacted hosts and users surfaced up front. The agent's summary lands below the findings in the same rank order, and the conversation now holds everything needed to act: hunt queries, triage decisions, correlated chains, all staged for the next step.
Open cases without leaving the chat. Approve findings in bulk or ask the agent to open cases for specific alerts. The Case Management skill creates one case per approved finding (source alerts attached, MITRE tactics inherited from the attack chain) and renders the live case list inline. Click a case for its detail view, which includes a row of AI action buttons: Summarize case, Suggest next steps, Extract IOCs, and Generate timeline. Each one drops a structured prompt back into the chat, so the agent picks up the case context without needing a reintroduction. The agent's summary sits below the case list and covers the full IR queue, including the cases just opened and earlier findings that still need one.
Every step in this walkthrough runs the same loop: a prompt comes in, the skill picks it up, the tool returns a compact text summary for the model to reason over, alongside an interactive UI that the analyst acts on. Chain the skills together, and they compose into an end-to-end SOC flow — hunt, triage, correlate, open cases, and drive the next pivot, all with the model carrying the session context across every step. Invoke any one on its own and it's still the full dashboard, pointed at whatever slice of your data you name. Either way, the work accumulates inside the conversation; no tab switching, no copy-paste, no hand-offs.
Two more skills round out the app: a detection-rule browser for tuning noisy rules, and a sample-data generator for spinning up realistic ECS events against a fresh cluster. A follow-up post will go deep on all six: investigation graph, attack-flow canvas, and end-to-end walkthrough.
"The MCP App for Elastic Security bridges the gap between automated detection and manual hunting. By bringing our security data directly into a single interface within Claude Desktop, we surfaced 'silent' threats in under an hour, risks that didn't trigger standard alerts but required immediate action. It's a force multiplier for our analysts." Mandy Andress: Chief Information Security Officer (CISO), Elastic.
How it works
Each MCP App is a small Node.js server whose tools return both a compact text summary for the model and a React UI that the host renders inline. Because it's built on the open MCP App spec, the same server runs on any compatible host - see the repo's architecture doc for the full design.
Try it
Requires Elasticsearch 9.x with Security enabled, plus Kibana for cases, rules, and Attack Discovery. The fastest path is the one-click .mcpb bundle from the latest release - double-click it in Claude Desktop, and you'll be prompted for your Elasticsearch URL and API key. Setup guides for Cursor, VS Code, Claude Code, Claude.ai, and building from source are in the repo.
Elastic Search MCP App: Dashboards built from conversation
Every Kibana user knows the dashboard detour: leave what you're working on, open Kibana, pick an index, pick fields, pick a visualization, tweak, and save. That's five context switches before a single chart is on screen.
The new example-mcp-dashbuilder reference app collapses that into a prompt. Ask the agent to "build me a dashboard with revenue metrics, order trends, and category breakdowns" and the dashboard comes back inside the conversation without any tab-switching required.
Behind that prompt, the agent explores your Elasticsearch data via ES|QL and selects chart types to match the data: bars for comparisons, lines for trends, metric cards for KPIs, and heatmaps for two-dimensional patterns. It lays panels out on Kibana's 48-column grid using the Elastic UI Borealis theme, and the result is fully interactive: you can drag, resize, and group panels into collapsible sections right in the chat. When the dashboard looks right, a single tool call exports it to Kibana, preserving ES|QL queries and custom colors. You can also import existing Kibana dashboards back into the chat for AI-assisted editing.
The principle is the same one behind the Security app: when the artifact is the product, returning it inside the conversation closes the loop between describing what you want and seeing it.
Under the hood, it follows the same MCP App pattern. A Node.js server registers a view_dashboard model-facing tool alongside a set of app-only tools the UI calls directly (data fetching, layout persistence, time-field detection, export/import). The dashboard view itself is a single self-contained HTML file bundled with vite-plugin-singlefile and served as an MCP App resource. Builders forking the repo get the same server shell and host bridge they see in the Security app, pointed at a different job. The example-mcp-dashbuilder README has the full architecture and chart-type reference.
Elastic Observability MCP App
The third reference app, Elastic Observability MCP App, tackles the SRE version of the same shape problem. When something breaks in production, the answer the on-call engineer needs is not a chart, it is a diagnosis stitched together from K8s metrics, APM topology, ML anomalies, and risk assessment. The shape of the answer is a causal story: what failed, why, what depends on it, and what to do next.
Six tools supporting the observability investigation workflow
| Tool | Dependency | What It Does |
|---|---|---|
| observe | Universal | Transient ES|QL + ML-anomaly access primitive — run a query once, live-sample a metric, or block until a threshold or anomaly fires. |
| manage-alerts | Universal | Create, list, get, and delete Kibana custom-threshold alerting rules. Omit the Kibana URL to run read-only. |
| ml-anomalies | ML jobs | Query ML anomaly records and open an inline anomaly-explainer view. |
| apm-health-summary | Elastic APM | Cluster-level health rollup from APM telemetry; layers in K8s and ML context when available. |
| apm-service-dependencies | Elastic APM | Service dependency graph — upstream/downstream, protocols, call volume. |
| k8s-blast-radius | Kubernetes metrics | Node-outage impact — full outage, degraded, unaffected, reschedule feasibility. |
Cluster health rollup
Ask "what's broken?" or "give me a status report" and get a one-shot orientation: overall health badge, degraded services with reasons, top pod memory consumers, anomaly severity breakdown, and service throughput — all in one inline view. This is the starting point when something feels off, but you don't know where to look. The view adapts based on what your deployment supports. APM gives you service health. Kubernetes metrics add pod and node context. ML jobs layer in anomalies.
Service dependency graph
Ask "what calls checkout?" or "show me the topology" and get a layered dependency graph — upstream callers, downstream dependencies, protocols, call volume, and latency per edge. Let’s ask Claude to “Show me the service dependencies of the frontend”:
Zoom, pan, and hover to get all the details you need to understand the complex service relationships:
Assess risk with a blast radius
Ask "what happens if my k8s node goes down?" and get a radial impact diagram: the target node at center, full-outage deployments in red, degraded in amber, unaffected in gray. A floating summary card shows pods at risk and rescheduling feasibility. Single-replica deployments are flagged as single points of failure.
Observe
The agent's primary access primitive for Elastic — one tool, three modes for three different needs. Say "what's CPU doing right now?" and it runs an ES|QL query once and returns a table. Say "show me frontend latency for the next 60 seconds" and it live-samples the metric, updating the chart in-place. Say "tell me when memory drops below 80MB" or "watch for anything unusual for the next 10 minutes" and it blocks until the condition fires or the window expires. The view adapts to the mode: a results table for one-shot queries, a live trend chart with current/peak/baseline stats for sampling and threshold conditions, and a severity-scored trigger card for anomaly mode.
How it works
Same MCP App pattern as the Security and Search apps: a Node.js server, six model-facing tools wired to six single-file view resources. Tools are grouped by deployment backend (Universal, APM-dependent, K8s-dependent, ML-dependent), so the agent and the user both know up front which tools apply to a given deployment instead of discovering capability gaps at call time. The MCP App also includes an example Agent Builder workflow: k8s-crashloop-investigation-otel that can trigger on a Kubernetes alert and return a structured root cause summary before you've opened a single dashboard.
The Agentic Stack, Interactive
Three properties about this pattern are worth stating directly. First, the tool result is no longer the end of the work, it is the start of it: the conversation returns an interface you can act on, not a summary you have to act from. Second, the same agent, the same model context, and the same conversation thread can now move across Security, Search, and Observability surfaces without leaving the conversation. Third, this only works because Elasticsearch and Kibana already expose the APIs. The MCP App is a thin interactive layer over the product capabilities we already ship.
Attack Discovery already powers the correlated findings view inside this app. Inside the stack, the same agentic pattern goes further: Elastic Workflows automate the deterministic steps (enrich entities, create cases, isolate hosts), while Agent Builder reasons over the data and invokes those workflows as tools. The MCP App brings that same security surface into the external conversation; Workflows and Agent Builder deepen it inside the stack. Different entry points, same Elastic APIs underneath.
Try it:
- Security: example-mcp-app-security
- Search and dashboards: example-mcp-dashbuilder
- Observability: example-mcp-observability
Don't have an Elasticsearch cluster yet? Start a free Elastic Cloud trial. For more on the building blocks behind the security app, see the related Security Labs posts on Elastic Workflows and Agent Builder, Agent Skills, and Attack Discovery.
Zugehörige Inhalte
16. März 2026
Agent Skills for Elastic: Turn your AI agent into an Elastic expert
Give your AI coding agent the knowledge to query, visualize, secure, and automate with Elastic Agent Skills.
22. Januar 2026
Agent Builder, beyond the chatbox: Introducing Augmented Infrastructure
Learn about Elastic Agent Builder with Augmented Infrastructure, an AI agent that enables augmented operations, augmented development, and augmented synthetics.
7. Januar 2026
Implementing an agentic reference architecture with Elastic Agent Builder and MCP
Explore an agentic reference architecture with Elastic Agent Builder, MCP, and semantic search to build a security agent for automated threat analysis.
20. Oktober 2025
Elastic MCP server: Expose Agent Builder tools to any AI agent
Discover how to use the built-in Elastic MCP server in Agent Builder to securely extend any AI agent with access to your private data and custom tools.
20. April 2026
Introducing unified API keys for Elastic Cloud Serverless and Elasticsearch
Learn how Elastic unified control plane and data plane authentication in Serverless with a globally distributed IAM architecture. Use one API key for Cloud and Elasticsearch APIs.