Labsco
TocharianOU logo

Elasticsearch Security Solution

โ˜… 7

from TocharianOU

An Elasticsearch server focused on security and threat analysis. Requires a valid Elasticsearch license (trial, platinum, or enterprise) for connection.

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedAccount requiredAdvanced setup

Elasticsearch MCP Server

npm version Downloads Ask DeepWiki

Enhanced Elasticsearch MCP Server Solution - Security & Threat Analysis Focused

This is a professional security-focused solution maintained by TocharianOU. It enables comprehensive interaction with all Elasticsearch APIs, specifically optimized for security analysis, threat detection, and incident investigation. Features include advanced security monitoring, anomaly detection, threat hunting, root cause analysis, and comprehensive audit capabilities.

Key Security Features:

  • Real-time threat detection and security monitoring
  • Advanced machine learning for anomaly detection
  • Root cause analysis and attack chain tracking
  • Security incident investigation and forensics
  • Compliance monitoring and audit reporting

Note: This solution requires a valid Elasticsearch license (trial, platinum, or enterprise) and is designed for security professionals, SOC teams, and threat analysts.

Connect to your Elasticsearch data directly from any MCP Client (such as Claude Desktop) using the Model Context Protocol (MCP). Interact with your Elasticsearch security data through natural language queries for advanced threat analysis and incident response.

Multi-Version Elasticsearch Support

Automatically supports Elasticsearch 5.x - 9.x with intelligent version detection:

VersionStatusClientNotes
ES 5.xโœ…5.6.22EOL - Basic tools only
ES 6.xโœ…6.8.8EOL - ILM available (6.6+)
ES 7.xโœ…7.17.14LTS - Full features
ES 8.xโœ…8.19.1Recommended - Latest features, ES|QL (8.11+)
ES 9.x+โœ…Auto-fallbackFuture-ready

Key Features:

  • Automatic version detection - No manual configuration needed
  • Smart client selection - Loads the right client for your ES version
  • Adaptive features - Disables unsupported tools (e.g., Data Streams on ES < 7.9, ES|QL on ES < 8.11)
  • Version-specific optimizations - Handles API differences transparently

What happens:

Connect โ†’ Detect ES version โ†’ Load matching client โ†’ Register compatible tools

SSL/TLS Connection

To connect to Elasticsearch with a self-signed certificate or in a test environment, you can set the following environment variable:

NODE_TLS_REJECT_UNAUTHORIZED=0

โš ๏ธ This disables Node.js SSL certificate validation. Use only in development or testing environments. For production, always use a trusted CA certificate.

Available Tools

ToolDescriptionMin Version
list_indicesList indices with pattern filter, health filter, sorting and token-aware summaryES 5.x+
get_mappingsGet field mappings with flat/tree/raw modes, field filtering and multi-index compareES 5.x+
es_searchFull Query DSL search with auto-highlight on text/vector fieldsES 5.x+
execute_es_apiExecute any ES REST endpoint directly (GET/POST/PUT/DELETE/HEAD)ES 5.x+
get_shardsShard info with health analysis, problem detection and recommendationsES 5.x+
list_data_streamsList and analyze Data Streams with ILM info and backing index detailsES 7.9+
esql_queryExecute ES|QL pipe-based queries with tabular output and parameterised supportES 8.11+

Tools not supported by your cluster version are automatically skipped at startup.

ES|QL Query Tool (esql_query)

ES|QL is Elasticsearch's modern pipe-based query language, ideal for analytics and data exploration without complex JSON DSL.

Example queries:

FROM logs-* | WHERE level == "error" | STATS count = COUNT(*) BY service | SORT count DESC | LIMIT 20
FROM metrics-* | WHERE @timestamp > NOW() - 1 hour | STATS avg_cpu = AVG(cpu.usage) BY host.name
FROM auditbeat-* | WHERE event.action == "user_login" AND event.outcome == "failure" | LIMIT 50

Parameters:

  • query โ€” the ES|QL string (required)
  • params โ€” positional parameters replacing ? placeholders (optional)
  • include_types โ€” include column type info in output (optional, default false)
  • break_token_rule โ€” bypass token limit for large results (optional, default false)

Automatically registered only on ES 8.11+ clusters.

Contributing

We welcome contributions from the community! For details on how to contribute, please see Contributing Guidelines.

How It Works

  1. The MCP Client analyzes your request and determines which Elasticsearch operations are needed.
  2. The MCP server comunicate with ES.
  3. The MCP Client processes the results and presents them in a user-friendly format, including highlights, aggregation summaries, and anomaly insights.

Security Analysis Examples

[!TIP] Here are security-focused queries you can try with your MCP Client.

Threat Detection:

  • "Analyze brute force attack attempts in the past 24 hours"
  • "Detect abnormal login behavior and suspicious IP addresses in the system"
  • "Identify potential SQL injection attack patterns and malicious requests"
  • "Discover DDoS attack signatures and traffic anomalies in network flows"

Root Cause Analysis:

  • "Trace the complete attack chain and impact scope for specific security incidents"
  • "Analyze root causes and propagation paths of system failures"
  • "Identify data breach sources and involved sensitive information"
  • "Investigate user privilege abuse incidents with timeline and operation records"

Threat Intelligence:

  • "Create machine learning models to detect zero-day attacks and unknown threats"
  • "Establish behavioral baselines and identify activities deviating from normal patterns"
  • "Analyze threat levels and attack history of malicious domains and IP addresses"
  • "Detect behavioral characteristics and attack patterns of Advanced Persistent Threats (APT)"

Real-time Monitoring:

  • "Monitor active threats and ongoing attacks in the current system"
  • "Detect abnormal data access patterns and privilege escalation behaviors"
  • "Discover suspicious network communications and data exfiltration activities"
  • "Identify security causes of abnormal system resource consumption and performance degradation"

Security Best Practices

[!WARNING] Avoid using cluster-admin privileges. Create dedicated API keys with limited scope and apply fine-grained access control at the index level to prevent unauthorized data access.

Package Integrity Verification

When downloading release packages, always verify checksums to ensure integrity:

# Verify SHA256 checksum
shasum -a 256 -c elasticsearch-mcp-vX.Y.Z.tar.gz.sha256

# Verify SHA512 checksum
shasum -a 512 -c elasticsearch-mcp-vX.Y.Z.tar.gz.sha512

This protects against:

  • Corrupted downloads
  • Tampered packages
  • Man-in-the-middle attacks

Elasticsearch Access Control

You can create a dedicated Elasticsearch API key with minimal permissions to control access to your data:

{
  "name": "es-mcp-server-access",
  "role_descriptors": {
    "mcp_server_role": {
      "cluster": [
        "monitor"
      ],
      "indices": [
        {
          "names": [
            "index-1",
            "index-2",
            "index-pattern-*"
          ],
          "privileges": [
            "read",
            "view_index_metadata"
          ]
        }
      ]
    }
  }
}

License

This project is licensed under the Apache License 2.0.