Add to Claude Code
Add this MCP server to Claude Code.
Name: SIEM MCP
Merge into: ~/.claude/mcp.json under mcpServers
---
{
  "mcpServers": {
    "siem": {
      "command": "npx",
      "args": ["-y", "@anthropic-community/mcp-siem"],
      "env": {
        "SIEM_URL": "https://your-elasticsearch.example.com:9200",
        "SIEM_API_KEY": "<YOUR_API_KEY>",
        "SIEM_INDEX_PATTERN": "security-*"
      }
    }
  }
}
// ── Setup ────────────────────────────────────────────────────────────────────
// 1. Set SIEM_URL to your Elasticsearch/OpenSearch endpoint
// 2. Generate an API key with read access to security indices
// 3. Set SIEM_INDEX_PATTERN to match your security log indices
//
// ── Available tools ──────────────────────────────────────────────────────────
// search_logs          query security logs with full-text search and filters
// get_aggregations     run aggregations (top talkers, event counts, time-series)
// get_alert_rules      list active detection rules
// create_alert_rule    create a new detection rule with conditions and actions
// investigate_entity   pull all logs for a specific IP, user, or hostname
//
// Note: create_alert_rule is a write operation. A key scoped to read access
// only (step 2) cannot use it, which is the right default if you only need
// to query logs; grant rule-management permission only when you need it.
How to add
Click Add, then paste the snippet into Claude Code. Claude will connect the MCP server in your settings.
Target: .claude/mcp.json → mcpServers