https://github.com/elastic/example-mcp-app-security
Reference MCP App for Elastic Security — interactive SOC dashboards inside Claude, Cursor, and other MCP hosts.
https://github.com/elastic/example-mcp-app-security
ai claude cursor elastic mcp model-context-protocol security soc
Last synced: 3 months ago
JSON representation
Reference MCP App for Elastic Security — interactive SOC dashboards inside Claude, Cursor, and other MCP hosts.
- Host: GitHub
- URL: https://github.com/elastic/example-mcp-app-security
- Owner: elastic
- License: other
- Created: 2026-04-17T20:38:51.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2026-04-21T16:46:39.000Z (3 months ago)
- Last Synced: 2026-04-21T23:04:23.964Z (3 months ago)
- Topics: ai, claude, cursor, elastic, mcp, model-context-protocol, security, soc
- Language: TypeScript
- Homepage: https://modelcontextprotocol.io/extensions/apps/overview
- Size: 2.12 MB
- Stars: 1
- Watchers: 0
- Forks: 2
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE.txt
- Notice: NOTICE.txt
Awesome Lists containing this project
README
# Elastic Security MCP App
[](https://github.com/elastic/example-mcp-app-security/releases/latest)
An [MCP App](https://modelcontextprotocol.io/extensions/apps/overview) that brings interactive blue-team security operations directly into Claude, VS Code, and other MCP-compatible AI hosts. Built on the [Model Context Protocol](https://modelcontextprotocol.io/) with interactive UI extensions that render inline in the conversation.
> **What are MCP Apps?** MCP Apps extend the Model Context Protocol to let tool servers return interactive HTML interfaces — dashboards, forms, visualizations — that render inside the AI conversation. The LLM calls a tool, and instead of just returning text, an interactive UI appears alongside the response.

## What This Does
This project provides six interactive security operations tools, each with a rich React-based UI that renders inline when Claude (or another MCP host) calls the tool:
| Tool | What It Does |
|------|-------------|
| **Alert Triage** | Fetch, filter, and triage security alerts with AI verdict cards, process tree, and network investigation |
| **Attack Discovery** | AI-powered correlated attack chain analysis with confidence scoring, entity risk, and MITRE mapping |
| **Case Management** | Create, search, and manage SOC investigation cases with AI-assisted actions |
| **Detection Rules** | Browse, tune, and manage detection rules with KQL search and noisy rules analysis |
| **Threat Hunt** | ES\|QL workbench with clickable entities and a D3 investigation graph |
| **Sample Data** | Generate ECS security events for demos across 4 attack chain scenarios |
See [docs/features.md](docs/features.md) for a full breakdown of each tool's capabilities.
## Quick Start
> [!TIP]
> **Just want to try it?** Download [`elastic-security-mcp-app.mcpb`](https://github.com/elastic/example-mcp-app-security/releases/latest) and double-click it. No Node.js, no cloning, no config files.
>
> Claude Desktop handles the rest — you'll be prompted for your Elasticsearch URL and API key during install. That's it.
For other hosts (Cursor, VS Code, Claude Code) or building from source, see [Installation](#installation) below.
## How It Works

When a user asks Claude to triage alerts or run a threat hunt, Claude calls a model-facing tool on this server. The tool returns a compact text summary to Claude **and** an interactive React UI that renders inline in the conversation. The UI then calls app-only tools directly for all subsequent interactions — keeping the LLM context small while the UI has full data access.
See [docs/architecture.md](docs/architecture.md) for details on how views are built, how the UI communicates with the server, and key design decisions.
### Skills
The `skills/` directory contains [Claude Skills](https://claude.com/docs/skills/overview) — `SKILL.md` files that teach Claude *when* and *how* to use the tools. See [docs/setup-skills.md](docs/setup-skills.md) for installation instructions.
## Installation
| Guide | Description |
|-------|-------------|
| [Add to Claude Desktop](docs/setup-claude-desktop.md) | Install the MCP app via one-click `.mcpb` or manual config |
| [Add to Cursor](docs/setup-cursor.md) | Connect the MCP app via npx or a locally running server |
| [Add to VS Code](docs/setup-vscode.md) | Connect the MCP app via npx or a locally running server |
| [Add to Claude Code](docs/setup-claude-code.md) | Register the MCP app via the `claude mcp add` CLI |
| [Add to Claude.ai](docs/setup-claude-ai.md) | Expose the MCP app via a cloudflared tunnel |
| [Build and run locally](docs/setup-local.md) | Build the MCP server from source and run it on your machine |
| [Install skills](docs/setup-skills.md) | Install skills via npx, local clone, or zip upload |
## Development
```bash
npm run dev # Watch mode
npm run typecheck # Type-check only
npm run build:views # Build views only
npm run build:server # Build server only
```
## Inspired By
- [Elastic Agent Skills](https://github.com/elastic/agent-skills/tree/main/skills/security) — SOC triage methodology and tool patterns
- [MCP Apps Specification](https://modelcontextprotocol.io/extensions/apps/overview) — Interactive UI extensions for MCP
## License
Elastic-2.0