Kibana FAQs

Question 1

What is the Kibana MCP Server?

Accepted Answer

The Kibana MCP Server allows AI assistants to interact with and manage Kibana Security alerts through the Model Context Protocol (MCP). It provides tools to tag alerts, adjust their status, and fetch them based on specific criteria.

Question 2

What authentication methods are supported?

Accepted Answer

The server supports both API Key (recommended) and Username/Password authentication for connecting to your Kibana instance. API key is prioritized if both are configured.

Question 3

How do I connect an MCP client (like Cursor or Claude Desktop) to the server?

Accepted Answer

You need to configure your MCP client's settings (e.g., `mcp.json` for Cursor, `claude_desktop_config.json` for Claude Desktop) to point to the Kibana MCP Server, specifying the command to run the server and the necessary environment variables for Kibana connection.

Question 4

What can I do with the Kibana MCP Server?

Accepted Answer

You can use it to automate security alert triage, enrich alerts with AI insights, and create AI-driven workflows for incident response within your Kibana environment.

Question 5

How do I run a local testing environment?

Accepted Answer

The project includes a Docker Compose based testing environment that spins up Elasticsearch and Kibana, and automatically seeds it with a sample detection rule. Simply run the `testing/quickstart-test-env.sh` script.

Kibana

Kibana

Key Features

Use Cases

Key Features

Use Cases