| name | fleetpkg |
|---|---|
| description | Query and analyze Elastic Fleet integration packages using the fleetpkg MCP server. Use when answering questions about Elastic Integrations: package metadata, field definitions, ingest pipelines, security detection rules, ECS schema, changelogs, documentation, transforms, data streams, and Kibana saved objects. Useful for analysis, finding bugs, discovering prior art, and researching the integrations ecosystem. |
| compatibility | Requires the fleetpkg MCP server. |
| allowed-tools | mcp__fleetpkg__fleetpkg_get_sql_tables mcp__fleetpkg__fleetpkg_execute_sql_query mcp__fleetpkg__fleetpkg_search_docs mcp__fleetpkg__fleetpkg_search_changelogs mcp__fleetpkg__fleetpkg_search_security_rules mcp__fleetpkg__fleetpkg_search_ecs_fields mcp__fleetpkg__fleetpkg_match_ecs_fields |
You have access to a set of MCP tools prefixed with fleetpkg_ that let you query a SQLite database
containing the complete metadata of every Elastic Fleet integration package. Use these tools to
answer questions about the Elastic Integrations ecosystem.
The MCP server manages its own connection to the elastic/integrations repository — you do not need local access to use these tools. All queries run against the server's database. However, if you do have a local checkout of elastic/integrations, you can use query results (file paths and line numbers returned by SQL) to read the full source files directly for deeper inspection.
Use the fleetpkg tools whenever the user asks about:
- Package metadata — versions, owners, categories, descriptions, release dates
- Field definitions — data types, mappings, ECS references for any integration field
- Ingest pipelines — processor types, processor attributes, pipeline structure and analysis
- Security detection rules — rule queries, severity, MITRE ATT&CK mappings, required fields, index patterns
- ECS (Elastic Common Schema) — field lookups, discovering ECS fields by concept, checking if fields exist in ECS
- Changelogs — release history, what changed in a version, when a feature was added or a bug was fixed
- Documentation — searching across READMEs, guides, and knowledge base articles
- Transforms — pivot/latest configurations, source/destination settings
- Data streams — types, Elasticsearch settings, agent configuration
- Kibana saved objects — dashboards, visualizations, and their cross-references
- Prior art — how other integrations handle a specific field, processor pattern, or data source
- Impact analysis — which integrations or security rules use a field you plan to change
Returns the complete database schema (all tables and columns with descriptions). Call this first if you need to understand the schema before writing a query.
Execute arbitrary read-only SQL against the database. This is the most powerful and flexible tool. Use it for precise, structured queries that the specialized search tools cannot answer.
Tips for writing queries:
- Join through the relationship tables to connect entities (e.g.,
data_stream_fieldslinksfieldstodata_streams). - Use
packages.nameanddata_streams.dir_nametogether as the human-readable identifier for a data stream. - The
ingest_processorstable has atypecolumn (e.g.,set,grok,rename) and anattributesJSON column with the processor's full configuration. - Use
json_extract()to query into JSON columns likeingest_processors.attributes. - Limit result sets when exploring (
LIMIT 20) to avoid overwhelming output.
Full-text search over package documentation (READMEs, guides, knowledge base articles).
Uses FTS5 with porter stemming. Supports phrases ("log rotation"), prefix (authent*),
and boolean operators (SSL AND certificate).
Use this to find integrations related to a topic, discover documentation about a feature, or locate setup guides.
Full-text search over changelog entries. Same FTS5 syntax.
Use this to find when a feature was added, a bug was fixed, or a breaking change was introduced.
Full-text search over security detection rules (title, description, query, setup guide, investigation notes).
Use this to find which security rules reference a particular field, technique, or data source. Critical for impact analysis when refactoring fields that security rules might depend on.
Full-text search over ECS field definitions (~1990 fields). Accepts plain keywords, dotted field names, or camelCase identifiers — automatically normalized for broad discovery.
Use this when looking for ECS fields related to a concept (e.g., searching "network bytes" to find
source.bytes, destination.bytes, network.bytes).
Check whether specific field names exist in ECS. Returns each field annotated with is_ecs,
ecs_data_type, and ecs_description.
Use this to determine if a field should use external: ecs in its definition.
- Understand the question. Determine which tables or search indexes are relevant.
- Use full-text search tools for broad discovery (docs, changelogs, security rules, ECS fields).
- Use SQL queries for precise, structured analysis (counts, joins, filtering by attributes).
- Combine tools when needed — e.g., search ECS fields by concept, then use SQL to find which integrations define those fields.
-- When was the last release of the Okta integration?
SELECT c.version, c.date
FROM changelogs c
JOIN packages p ON p.id = c.packages_id
WHERE p.name = 'okta'
ORDER BY c.id DESC
LIMIT 1;-- Which integration pipelines do NOT have an append processor that sets event.kind to pipeline_error?
SELECT DISTINCT p.name, ds.dir_name
FROM packages p
JOIN data_streams ds ON ds.packages_id = p.id
JOIN ingest_pipelines ip ON ip.data_streams_id = ds.id
WHERE NOT EXISTS (
SELECT 1 FROM ingest_processors proc
WHERE proc.ingest_pipelines_id = ip.id
AND proc.type = 'append'
AND json_extract(proc.attributes, '$.field') = 'error.message'
);-- Which pipelines use a set processor with copy_from vs a Mustache template value?
SELECT
SUM(CASE WHEN json_extract(attributes, '$.copy_from') IS NOT NULL THEN 1 ELSE 0 END) AS copy_from_count,
SUM(CASE WHEN json_extract(attributes, '$.value') LIKE '%{{%}}%' THEN 1 ELSE 0 END) AS mustache_count
FROM ingest_processors
WHERE type = 'set';-- What is the data type of a specific field across all integrations?
SELECT p.name, ds.dir_name, f.name, f.type
FROM fields f
JOIN data_stream_fields dsf ON dsf.field_id = f.id
JOIN data_streams ds ON ds.id = dsf.data_stream_id
JOIN packages p ON p.id = ds.packages_id
WHERE f.name = 'source.mac'
ORDER BY p.name, ds.dir_name;-- How do integration pipelines handle source.mac? Find processors that reference it.
SELECT p.name, ds.dir_name, proc.type, proc.attributes
FROM ingest_processors proc
JOIN ingest_pipelines ip ON ip.id = proc.ingest_pipelines_id
JOIN data_streams ds ON ds.id = ip.data_streams_id
JOIN packages p ON p.id = ds.packages_id
WHERE proc.attributes LIKE '%source.mac%'
ORDER BY p.name;Use fleetpkg_search_security_rules to find rules mentioning a field:
query: "process.name"
Or use SQL for structured analysis:
-- Which security rules require a specific field?
SELECT kso.title, sr.severity, sr.risk_score, sr.type
FROM security_rule_required_fields rf
JOIN security_rules sr ON sr.id = rf.security_rules_id
JOIN kibana_saved_objects kso ON kso.id = sr.kibana_saved_objects_id
WHERE rf.name = 'process.name'
ORDER BY sr.risk_score DESC;Use fleetpkg_search_ecs_fields to discover fields by concept:
query: "network IP address source destination"
Use fleetpkg_match_ecs_fields to check if fields are in ECS:
["source.ip", "destination.ip", "custom.my_field"]-- Which integrations configure a pivot transform and who owns them?
SELECT p.name, p.owner_github
FROM transforms t
JOIN packages p ON p.id = t.packages_id
WHERE t.pivot IS NOT NULL;Use fleetpkg_search_docs to find integrations by topic:
query: "firewall"
query: "authentication AND SAML"
Relates to andrewkroh/fleetpkg-mcp#53