Crowdsentinels AI

v0.5.6Securitystable

AI-powered threat hunting and incident response MCP server for Elasticsearch/OpenSearch

crowdsentinels-ai-mcpmcpai-integration
Share:
204
Stars
0
Downloads
0
Weekly
0/5

What is Crowdsentinels AI?

Crowdsentinels AI is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to ai-powered threat hunting and incident response mcp server for elasticsearch/opensearch

AI-powered threat hunting and incident response MCP server for Elasticsearch/OpenSearch

This server falls under the Security and Monitoring & Observability categories on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • AI-powered threat hunting and incident response MCP server f

Use Cases

Hunt threats and detect suspicious patterns in Elasticsearch/OpenSearch logs.
Automate incident response workflows with AI-powered security analysis.
Investigate security events across distributed systems.
thomasxm

Maintainer

LicenseGPL-3.0
Languagepython
Versionv0.5.6
UpdatedMay 18, 2026
Statushealthy
Maintenanceactive

Works with

ClaudeOpenAIwindowsmacoslinux

Installation

PIP

pip install crowdsentinel-mcp-server

Manual Installation

pip install crowdsentinel-mcp-server

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time< 200ms
ThroughputMedium

Resource Usage

Memory UsageLow
CPU UsageLow

How to Set Up and Use Crowdsentinels AI

CrowdSentinel MCP Server connects AI assistants to Elasticsearch and OpenSearch clusters for advanced threat hunting and incident response. It ships with 125+ tools spanning index operations, attack-pattern detection, kill-chain analysis, network forensics, and threat-intelligence enrichment from sources like VirusTotal, AbuseIPDB, and MISP. Security teams use it to automate the full investigation lifecycle — from initial triage through STIX 2.1 export — directly from their AI chat interface.

Prerequisites

  • Python 3.8 or higher installed
  • A running Elasticsearch 8.x, 7.x, 9.x, or OpenSearch cluster
  • Elasticsearch API key or username/password credentials
  • An MCP-compatible client such as Claude Desktop or Claude Code CLI
  • Optional: VirusTotal, AbuseIPDB, or ThreatFox API keys for threat intel enrichment
1

Install the package

Install the CrowdSentinel MCP server from PyPI using pip or uv. Choose the variant that matches your Elasticsearch version.

pip install crowdsentinel-mcp-server
# For Elasticsearch 7.x:
# pip install crowdsentinel-mcp-server-es7
# For OpenSearch:
# pip install opensearch-mcp-server
2

Run the setup command

Run the built-in setup command to download the 6,060 detection rules (Lucene, EQL, ES|QL), Chainsaw, and the Sigma ruleset. This is a one-time operation.

crowdsentinel setup
3

Set environment variables

Export your Elasticsearch connection details. Use ELASTICSEARCH_API_KEY for token-based auth, or ELASTICSEARCH_USERNAME and ELASTICSEARCH_PASSWORD for basic auth.

export ELASTICSEARCH_HOSTS="https://localhost:9200"
export ELASTICSEARCH_API_KEY="your_api_key_here"
# Optional threat intel keys:
export VIRUSTOTAL_API_KEY="your_vt_key"
export ABUSEIPDB_API_KEY="your_abuseipdb_key"
4

Verify connectivity

Use the built-in health command to confirm the server can reach your Elasticsearch cluster before configuring your MCP client.

crowdsentinel health
5

Add to your MCP client

Register the server with Claude Desktop by adding it to claude_desktop_config.json, or use the Claude Code CLI to add it in one command.

# Claude Code CLI:
claude mcp add crowdsentinel \
  -e ELASTICSEARCH_HOSTS="https://localhost:9200" \
  -e ELASTICSEARCH_API_KEY="your_key" \
  -- uvx crowdsentinel-mcp-server
6

Optional: disable high-risk operations

Set DISABLE_HIGH_RISK_OPERATIONS=true to block write operations and limit the server to read-only threat hunting. Recommended for production environments.

export DISABLE_HIGH_RISK_OPERATIONS="true"

Crowdsentinels AI Examples

Client configuration

Claude Desktop configuration block for CrowdSentinel with API key authentication.

{
  "mcpServers": {
    "crowdsentinel": {
      "command": "uvx",
      "args": ["crowdsentinel-mcp-server"],
      "env": {
        "ELASTICSEARCH_HOSTS": "https://localhost:9200",
        "ELASTICSEARCH_API_KEY": "your_api_key_here",
        "VERIFY_CERTS": "true",
        "DISABLE_HIGH_RISK_OPERATIONS": "true"
      }
    }
  }
}

Prompts to try

Example prompts that leverage CrowdSentinel's threat hunting and incident response tools.

- "Hunt for lateral movement activity in my Elasticsearch logs over the last 24 hours"
- "Run EQL detection rule ES-1042 against the windows-events-* index"
- "Is IP address 203.0.113.42 malicious? Check VirusTotal and AbuseIPDB"
- "Analyze the kill chain progression for the suspicious activity on host DESKTOP-XYZ"
- "Search for PowerShell execution events matching MITRE T1059.001"

Troubleshooting Crowdsentinels AI

SSL certificate verification errors when connecting to Elasticsearch

Set VERIFY_CERTS=false for self-signed certs in dev, or provide ELASTICSEARCH_CA_CERT pointing to your CA bundle for production clusters.

crowdsentinel setup fails or detection rules are missing

Ensure you have internet access and sufficient disk space (~300 MB total). Re-run 'crowdsentinel setup' after confirming connectivity. The command downloads rules from a public GitHub repository.

PCAP analysis tools return errors about tshark not found

Install Wireshark/TShark: 'apt install tshark' on Debian/Ubuntu or 'brew install wireshark' on macOS. The network forensics tools require TShark to be available in PATH.

Frequently Asked Questions about Crowdsentinels AI

What is Crowdsentinels AI?

Crowdsentinels AI is a Model Context Protocol (MCP) server that ai-powered threat hunting and incident response mcp server for elasticsearch/opensearch It connects AI assistants to external tools and data sources through a standardized interface.

How do I install Crowdsentinels AI?

Install via pip with: pip install crowdsentinel-mcp-server. Then configure your AI client to connect to this MCP server.

Which AI clients work with Crowdsentinels AI?

Crowdsentinels AI works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is Crowdsentinels AI free to use?

Yes, Crowdsentinels AI is open source and available under the GPL-3.0 license. You can use it freely in both personal and commercial projects.

Crowdsentinels AI Alternatives — Similar Security Servers

Looking for alternatives to Crowdsentinels AI? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

An Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u

Browse More Security MCP Servers

Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.

Quick Config Preview

{ "mcpServers": { "crowdsentinels-ai-mcp": { "command": "pip", "args": ["install", "crowdsentinel-mcp-server"] } } }

Add this to your claude_desktop_config.json or .cursor/mcp.json

Read the full setup guide →

Ready to use Crowdsentinels AI?

Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.

33,000+ ServersFree & Open SourceStep-by-Step Guides