kibana
MCP Server for Kibana SecOps
claude mcp add --transport stdio ggilligan12-kibana-mcp docker run -i --rm --network host -e KIBANA_URL -e KIBANA_API_KEY kibana-mcp \
  --env KIBANA_URL="https://your-kibana.example.com:5601" \
  --env KIBANA_API_KEY="your_base64_api_key"
How to use
This MCP server integrates Kibana Security with the Model Context Protocol to manage alerts, rules, and exception lists via AI assistants. It exposes tools such as get_alerts, tag_alert, adjust_alert_status, find_rules, get_rule_exceptions, add_rule_exception_items, create_exception_list, and associate_shared_exception_list, enabling you to fetch alerts, tag or update statuses, search and manage detection rules, and handle exception lists directly from your MCP client. To use it, configure the Kibana MCP server in your MCP client (Claude Desktop, Cursor, etc.) with the Kibana URL and an API key. The recommended setup runs the server via Docker with network access to Kibana, exporting KIBANA_URL and KIBANA_API_KEY so the MCP client can authenticate and query Kibana.
How to install
Prerequisites:
- Docker installed on the host where you run the MCP server
- Access to a Kibana instance (URL and API key)
- Optional: an existing MCP client configuration to reference the server
Installation steps:
- Build the Kibana MCP server image (assuming you have the repository checked out locally):
  git clone https://github.com/ggilligan12/kibana-mcp.git
  cd kibana-mcp
  docker build -t kibana-mcp .
- Run the server (provide Kibana URL and API key via environment variables):
  export KIBANA_URL="https://your-kibana.example.com:5601"
  export KIBANA_API_KEY="your_base64_api_key"
  docker run -it --rm --network host \
    -e KIBANA_URL \
    -e KIBANA_API_KEY \
    kibana-mcp
- Add the MCP server to your client configuration (example):
  {
    "mcpServers": {
      "kibana-mcp": {
        "command": "docker",
        "args": ["run", "-i", "--rm", "--network", "host", "-e", "KIBANA_URL", "-e", "KIBANA_API_KEY", "kibana-mcp"]
      }
    }
  }
- If you prefer using a direct environment-variable setup, you can also embed the values in the config as shown in the README examples.
Additional notes
Notes and tips:
- The recommended setup uses Docker with environment variables KIBANA_URL and KIBANA_API_KEY. If you use username/password authentication instead, you can replace KIBANA_API_KEY with KIBANA_USERNAME and KIBANA_PASSWORD in the env or config.
- Ensure your Kibana instance accepts API key authentication and that the API key has sufficient privileges to read alerts, search rules, and manage exceptions.
- When running in a shared environment, avoid printing credentials in logs. Use secure methods to pass env vars (e.g., secret management or container orchestration secrets).
- If you encounter connectivity issues, verify that the host network access and Kibana URL are correct, and that the MCP client can reach the container.
- The server exposes tools for common security operations; consult Kibana and MCP client documentation for advanced usage and parameter details.
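The notes above allow the credentials either to be passed through from the environment by name (-e KIBANA_API_KEY) or to be embedded in the client config. The following check is an added example, not code from the kibana-mcp project: it reports which server entries in an mcpServers config store a credential value in the file itself. The function name, the server names kibana-inline and kibana-envmap, and the sample config are constructed for illustration; the "env" map is assumed to be the client's per-server environment block.

```python
import json

# Credential variables named on this page.
SECRET_VARS = {"KIBANA_API_KEY", "KIBANA_PASSWORD"}

# Constructed sample config: one pass-through entry (as shown on this page)
# and two entries that embed a placeholder credential in the file.
SAMPLE = json.dumps({"mcpServers": {
    "kibana-mcp": {"command": "docker", "args": [
        "run", "-i", "--rm", "--network", "host",
        "-e", "KIBANA_URL", "-e", "KIBANA_API_KEY", "kibana-mcp"]},
    "kibana-inline": {"command": "docker", "args": [
        "run", "-i", "--rm", "-e", "KIBANA_URL=https://your-kibana.example.com:5601",
        "-e", "KIBANA_API_KEY=constructed_placeholder", "kibana-mcp"]},
    "kibana-envmap": {"command": "docker", "args": [
        "run", "-i", "--rm", "-e", "KIBANA_URL", "-e", "KIBANA_PASSWORD", "kibana-mcp"],
        "env": {"KIBANA_URL": "https://your-kibana.example.com:5601",
                "KIBANA_PASSWORD": "constructed_placeholder"}},
}})


def inline_secrets(config_text):
    """Return sorted (server, location, variable) for credentials stored in the config."""
    findings = set()
    servers = json.loads(config_text).get("mcpServers", {})
    for name, spec in servers.items():
        # Case 1: value embedded in the per-server "env" map.
        for var, value in (spec.get("env") or {}).items():
            if var in SECRET_VARS and value:
                findings.add((name, "env", var))
        # Case 2: docker "-e VAR=value", "--env VAR=value" or "--env=VAR=value".
        # A bare "-e VAR" only forwards the caller's variable and is not flagged.
        args = spec.get("args") or []
        for i, arg in enumerate(args):
            if arg in ("-e", "--env") and i + 1 < len(args):
                pair = args[i + 1]
            elif arg.startswith("--env="):
                pair = arg[len("--env="):]
            else:
                continue
            var, sep, value = pair.partition("=")
            if var in SECRET_VARS and sep and value:
                findings.add((name, "args", var))
    return sorted(findings)


if __name__ == "__main__":
    for server, location, var in inline_secrets(SAMPLE):
        print(f"{server}: {var} value stored in config ({location})")
```

Entries it reports are candidates for moving the value into a secret store or the launching environment, leaving only the variable name in the config.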