SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Elastic adds Kubernetes incident workflow for AI tools

Wed, 10th Jun 2026

Elastic has launched an automated Kubernetes incident investigation workflow and new observability skills for MCP-based AI tools, aimed at site reliability engineers handling alerts in Kubernetes environments.

The workflow starts analysing logs, metrics, anomalies and cluster events as soon as an alert fires. It then presents a likely root cause and suggested next steps before an engineer begins a manual investigation.

The release expands Elastic's earlier MCP app work, which brought security and observability workflows into tools such as Claude, VS Code, Cursor and GitHub Copilot. The latest version follows the same model, delivering investigations inside AI tools and IDEs that support the MCP standard.

Engineers can review operational data and interactive views within those tools instead of switching between separate observability consoles during an outage. The app can show cluster health summaries, service dependency graphs, anomaly details with actual versus typical values, blast radius analysis for node failures and alert rule management.

How it works

The launch centres on two related products: an agentic investigation workflow that runs diagnostics automatically when an alert is triggered, and a Kubernetes MCP app with observability skills that let engineers investigate environments conversationally through AI assistants and development tools.

These tools query live data from Elasticsearch, which stores the logs and metrics used in the investigation. The Kubernetes offering also builds on existing dashboards, prebuilt alert templates and machine learning-based anomaly detection.

The goal is to reduce the delay between an alert appearing and an engineer identifying the source of a problem. In large Kubernetes deployments, that lag can lengthen outages and increase pressure on on-call teams, particularly when incidents happen outside normal working hours.

Bahaaldine Azarmi, general manager of observability at Elastic, commented on the release.

"Engineers who get paged at 3 a.m. don't want to start a new investigation from scratch, they want answers," said Bahaaldine Azarmi, general manager of observability at Elastic. "With this release, Elastic kicks off the investigation the moment an alert fires, so teams reach resolution faster and with more confidence. And because it runs inside the tools engineers already use, there's no context switch and no new interface to learn."

Market context

The move reflects a broader push across the software industry to embed operational and security workflows directly into AI assistants used by developers and infrastructure teams. Rather than requiring staff to open separate specialist platforms, vendors are increasingly placing diagnostics, recommendations and data exploration inside the same environments where engineers write code and manage systems.

For observability suppliers, Kubernetes remains a key target because of the complexity of tracing failures across clusters, nodes, services and workloads. Troubleshooting often requires teams to correlate multiple data sources quickly, including logs, system metrics and infrastructure events.

Elastic is positioning the new workflow as a way to assemble that evidence automatically. Engineers will either receive a confirmed root cause or at least a structured starting point for further investigation, reducing the need to begin with a blank screen when an incident occurs.

Availability

The wider Kubernetes integration, including dashboards, alert templates and machine learning anomaly detection, is available across Elastic Cloud Hosted, Serverless and self-managed deployments. The Kubernetes investigation workflow and the Elastic Observability MCP App are currently in technical preview.

Elastic also said Elasticsearch stores Kubernetes logs and metrics at scale with 2.5x better storage efficiency than other observability vendors.