Crowdsentinels AI
AI-powered threat hunting and incident response MCP server for Elasticsearch/OpenSearch
What is Crowdsentinels AI?
Crowdsentinels AI is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to ai-powered threat hunting and incident response mcp server for elasticsearch/opensearch
AI-powered threat hunting and incident response MCP server for Elasticsearch/OpenSearch
This server falls under the Security and Monitoring & Observability categories on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Features
- AI-powered threat hunting and incident response MCP server f
Use Cases
Maintainer
Works with
Installation
PIP
pip install crowdsentinel-mcp-serverManual Installation
pip install crowdsentinel-mcp-serverConfiguration
Configuration Details
claude_desktop_config.json
Performance
Response Metrics
Resource Usage
How to Set Up and Use Crowdsentinels AI
CrowdSentinel MCP Server connects AI assistants to Elasticsearch and OpenSearch clusters for advanced threat hunting and incident response. It ships with 125+ tools spanning index operations, attack-pattern detection, kill-chain analysis, network forensics, and threat-intelligence enrichment from sources like VirusTotal, AbuseIPDB, and MISP. Security teams use it to automate the full investigation lifecycle — from initial triage through STIX 2.1 export — directly from their AI chat interface.
Prerequisites
- Python 3.8 or higher installed
- A running Elasticsearch 8.x, 7.x, 9.x, or OpenSearch cluster
- Elasticsearch API key or username/password credentials
- An MCP-compatible client such as Claude Desktop or Claude Code CLI
- Optional: VirusTotal, AbuseIPDB, or ThreatFox API keys for threat intel enrichment
Install the package
Install the CrowdSentinel MCP server from PyPI using pip or uv. Choose the variant that matches your Elasticsearch version.
pip install crowdsentinel-mcp-server
# For Elasticsearch 7.x:
# pip install crowdsentinel-mcp-server-es7
# For OpenSearch:
# pip install opensearch-mcp-serverRun the setup command
Run the built-in setup command to download the 6,060 detection rules (Lucene, EQL, ES|QL), Chainsaw, and the Sigma ruleset. This is a one-time operation.
crowdsentinel setupSet environment variables
Export your Elasticsearch connection details. Use ELASTICSEARCH_API_KEY for token-based auth, or ELASTICSEARCH_USERNAME and ELASTICSEARCH_PASSWORD for basic auth.
export ELASTICSEARCH_HOSTS="https://localhost:9200"
export ELASTICSEARCH_API_KEY="your_api_key_here"
# Optional threat intel keys:
export VIRUSTOTAL_API_KEY="your_vt_key"
export ABUSEIPDB_API_KEY="your_abuseipdb_key"Verify connectivity
Use the built-in health command to confirm the server can reach your Elasticsearch cluster before configuring your MCP client.
crowdsentinel healthAdd to your MCP client
Register the server with Claude Desktop by adding it to claude_desktop_config.json, or use the Claude Code CLI to add it in one command.
# Claude Code CLI:
claude mcp add crowdsentinel \
-e ELASTICSEARCH_HOSTS="https://localhost:9200" \
-e ELASTICSEARCH_API_KEY="your_key" \
-- uvx crowdsentinel-mcp-serverOptional: disable high-risk operations
Set DISABLE_HIGH_RISK_OPERATIONS=true to block write operations and limit the server to read-only threat hunting. Recommended for production environments.
export DISABLE_HIGH_RISK_OPERATIONS="true"Crowdsentinels AI Examples
Client configuration
Claude Desktop configuration block for CrowdSentinel with API key authentication.
{
"mcpServers": {
"crowdsentinel": {
"command": "uvx",
"args": ["crowdsentinel-mcp-server"],
"env": {
"ELASTICSEARCH_HOSTS": "https://localhost:9200",
"ELASTICSEARCH_API_KEY": "your_api_key_here",
"VERIFY_CERTS": "true",
"DISABLE_HIGH_RISK_OPERATIONS": "true"
}
}
}
}Prompts to try
Example prompts that leverage CrowdSentinel's threat hunting and incident response tools.
- "Hunt for lateral movement activity in my Elasticsearch logs over the last 24 hours"
- "Run EQL detection rule ES-1042 against the windows-events-* index"
- "Is IP address 203.0.113.42 malicious? Check VirusTotal and AbuseIPDB"
- "Analyze the kill chain progression for the suspicious activity on host DESKTOP-XYZ"
- "Search for PowerShell execution events matching MITRE T1059.001"Troubleshooting Crowdsentinels AI
SSL certificate verification errors when connecting to Elasticsearch
Set VERIFY_CERTS=false for self-signed certs in dev, or provide ELASTICSEARCH_CA_CERT pointing to your CA bundle for production clusters.
crowdsentinel setup fails or detection rules are missing
Ensure you have internet access and sufficient disk space (~300 MB total). Re-run 'crowdsentinel setup' after confirming connectivity. The command downloads rules from a public GitHub repository.
PCAP analysis tools return errors about tshark not found
Install Wireshark/TShark: 'apt install tshark' on Debian/Ubuntu or 'brew install wireshark' on macOS. The network forensics tools require TShark to be available in PATH.
Frequently Asked Questions about Crowdsentinels AI
What is Crowdsentinels AI?
Crowdsentinels AI is a Model Context Protocol (MCP) server that ai-powered threat hunting and incident response mcp server for elasticsearch/opensearch It connects AI assistants to external tools and data sources through a standardized interface.
How do I install Crowdsentinels AI?
Install via pip with: pip install crowdsentinel-mcp-server. Then configure your AI client to connect to this MCP server.
Which AI clients work with Crowdsentinels AI?
Crowdsentinels AI works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is Crowdsentinels AI free to use?
Yes, Crowdsentinels AI is open source and available under the GPL-3.0 license. You can use it freely in both personal and commercial projects.
Crowdsentinels AI Alternatives — Similar Security Servers
Looking for alternatives to Crowdsentinels AI? Here are other popular security servers you can use with Claude, Cursor, and VS Code.
Casdoor
★ 13.6kAn open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD
ghidraMCP
★ 9.0kAn Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through
HexStrike AI
★ 8.9kHexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b
IDA Pro MCP
★ 8.7kEnables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.
Anthropic Cybersecurity Skills
★ 6.6k754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform
Hooker
★ 5.1k🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u
Browse More Security MCP Servers
Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.
Set Up Crowdsentinels AI in Your Editor
Choose your AI client for step-by-step setup instructions.
Quick Config Preview
Add this to your claude_desktop_config.json or .cursor/mcp.json
Ready to use Crowdsentinels AI?
Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.