MCP Hub
Back to servers

wazuh-mcp

An MCP server for the Wazuh SIEM/XDR platform that enables users to query agents, security alerts, detection rules, and decoders through Claude or other MCP clients. It provides specialized tools and prompts for investigating security alerts, performing agent health checks, and generating environmental security overviews.

glama
AI & MLDevelopment Tools
Updated
Feb 7, 2026
View Source
Claim this server

wazuh-mcp

TypeScript Node.js MCP License: MIT

A Model Context Protocol (MCP) server for the Wazuh SIEM/XDR platform. Query agents, security alerts, detection rules, and decoders directly from Claude or any MCP-compatible client.

Features

  • 11 MCP Tools - Agents, alerts, rules, decoders, and version info
  • 3 MCP Resources - Pre-built views for agents, recent alerts, and rule summaries
  • 3 MCP Prompts - Alert investigation, agent health checks, and security overviews
  • JWT Authentication - Automatic token management with refresh on expiry
  • Full Compliance Mapping - PCI-DSS, GDPR, HIPAA, NIST 800-53, MITRE ATT&CK
  • Pagination - All list endpoints support limit/offset pagination
  • Type-Safe - Full TypeScript with strict mode and Zod schema validation

Prerequisites

  • Node.js 20+
  • A running Wazuh manager with API access (default port 55000)
  • Wazuh API credentials (username/password)

Installation

git clone https://github.com/solomonneas/wazuh-mcp.git
cd wazuh-mcp
npm install
npm run build

Configuration

Set the following environment variables:

VariableRequiredDefaultDescription
WAZUH_URLYes-Wazuh API URL (e.g., https://10.0.0.2:55000)
WAZUH_USERNAMEYes-API username
WAZUH_PASSWORDYes-API password
WAZUH_VERIFY_SSLNofalseSet to true to verify SSL certificates

Alternative variable names WAZUH_BASE_URL and WAZUH_USER are also supported.

Usage

Claude Desktop

Add to your Claude Desktop configuration (claude_desktop_config.json):

{
  "mcpServers": {
    "wazuh": {
      "command": "node",
      "args": ["/path/to/wazuh-mcp/dist/index.js"],
      "env": {
        "WAZUH_URL": "https://your-wazuh-manager:55000",
        "WAZUH_USERNAME": "wazuh-wui",
        "WAZUH_PASSWORD": "your-password"
      }
    }
  }
}

Standalone

export WAZUH_URL=https://your-wazuh-manager:55000
export WAZUH_USERNAME=wazuh-wui
export WAZUH_PASSWORD=your-password
npm start

Development

npm run dev    # Watch mode with tsx
npm run lint   # Type checking
npm test       # Run tests

MCP Tools

Agent Tools

ToolDescription
list_agentsList all agents with optional status filtering (active, disconnected, never_connected, pending)
get_agentGet detailed info for a specific agent by ID
get_agent_statsGet CPU, memory, and disk statistics for an agent

Alert Tools

ToolDescription
get_alertsRetrieve recent alerts with filtering by level, agent, rule, and text search
get_alertRetrieve a single alert by ID
search_alertsFull-text search across all alerts

Rule Tools

ToolDescription
list_rulesList detection rules with level and group filtering
get_ruleGet full rule details including compliance mappings
search_rulesSearch rules by description text

Other Tools

ToolDescription
list_decodersList log decoders with optional name filtering
get_wazuh_versionGet Wazuh manager version and API info

MCP Resources

Resource URIDescription
wazuh://agentsAll registered agents and their status
wazuh://alerts/recent25 most recent security alerts
wazuh://rules/summaryDetection rules sorted by severity

MCP Prompts

PromptDescription
investigate-alertStep-by-step alert investigation with MITRE mapping and remediation
agent-health-checkComprehensive agent health assessment (status, resources, alerts)
security-overviewFull environment security summary with compliance coverage

Examples

List active agents

Use list_agents with status "active" to see all connected agents.

Investigate a brute force attempt

Search alerts for "brute force" and investigate the top result,
including the MITRE ATT&CK technique and remediation steps.

Check agent health

Run an agent health check on agent 001 - check its connection status,
resource usage, and any recent critical alerts.

Find high-severity rules

List all rules with level 12 or higher to see critical detection rules
and their compliance framework mappings.

Testing

npm test              # Run all tests
npm run test:watch    # Watch mode

Tests use mocked Wazuh API responses - no live Wazuh instance needed.

Project Structure

wazuh-mcp/
├── src/
│   ├── index.ts           # MCP server entry point
│   ├── config.ts          # Environment configuration
│   ├── client.ts          # Wazuh REST API client (JWT auth)
│   ├── types.ts           # TypeScript type definitions
│   ├── resources.ts       # MCP resource handlers
│   ├── prompts.ts         # MCP prompt templates
│   └── tools/
│       ├── agents.ts      # Agent management tools
│       ├── alerts.ts      # Alert query tools
│       ├── rules.ts       # Rule query tools
│       ├── decoders.ts    # Decoder listing tool
│       └── version.ts     # Version info tool
├── tests/
│   ├── client.test.ts     # API client unit tests
│   └── tools.test.ts      # Tool handler unit tests
├── package.json
├── tsconfig.json
├── tsup.config.ts
└── vitest.config.ts

License

MIT

Reviews

No reviews yet

Sign in to write a review