wazuh-mcp
An MCP server for the Wazuh SIEM/XDR platform that enables users to query agents, security alerts, detection rules, and decoders through Claude or other MCP clients. It provides specialized tools and prompts for investigating security alerts, performing agent health checks, and generating environmental security overviews.
README
wazuh-mcp
A Model Context Protocol (MCP) server for the Wazuh SIEM/XDR platform. Query agents, security alerts, detection rules, and decoders directly from Claude or any MCP-compatible client.
Features
- 11 MCP Tools - Agents, alerts, rules, decoders, and version info
- 3 MCP Resources - Pre-built views for agents, recent alerts, and rule summaries
- 3 MCP Prompts - Alert investigation, agent health checks, and security overviews
- JWT Authentication - Automatic token management with refresh on expiry
- Full Compliance Mapping - PCI-DSS, GDPR, HIPAA, NIST 800-53, MITRE ATT&CK
- Pagination - All list endpoints support limit/offset pagination
- Type-Safe - Full TypeScript with strict mode and Zod schema validation
Prerequisites
- Node.js 20+
- A running Wazuh manager with API access (default port 55000)
- Wazuh API credentials (username/password)
Installation
git clone https://github.com/solomonneas/wazuh-mcp.git
cd wazuh-mcp
npm install
npm run build
Configuration
Set the following environment variables:
| Variable | Required | Default | Description |
|---|---|---|---|
WAZUH_URL |
Yes | - | Wazuh API URL (e.g., https://10.0.0.2:55000) |
WAZUH_USERNAME |
Yes | - | API username |
WAZUH_PASSWORD |
Yes | - | API password |
WAZUH_VERIFY_SSL |
No | false |
Set to true to verify SSL certificates |
Alternative variable names WAZUH_BASE_URL and WAZUH_USER are also supported.
Usage
Claude Desktop
Add to your Claude Desktop configuration (claude_desktop_config.json):
{
"mcpServers": {
"wazuh": {
"command": "node",
"args": ["/path/to/wazuh-mcp/dist/index.js"],
"env": {
"WAZUH_URL": "https://your-wazuh-manager:55000",
"WAZUH_USERNAME": "wazuh-wui",
"WAZUH_PASSWORD": "your-password"
}
}
}
}
Standalone
export WAZUH_URL=https://your-wazuh-manager:55000
export WAZUH_USERNAME=wazuh-wui
export WAZUH_PASSWORD=your-password
npm start
Development
npm run dev # Watch mode with tsx
npm run lint # Type checking
npm test # Run tests
MCP Tools
Agent Tools
| Tool | Description |
|---|---|
list_agents |
List all agents with optional status filtering (active, disconnected, never_connected, pending) |
get_agent |
Get detailed info for a specific agent by ID |
get_agent_stats |
Get CPU, memory, and disk statistics for an agent |
Alert Tools
| Tool | Description |
|---|---|
get_alerts |
Retrieve recent alerts with filtering by level, agent, rule, and text search |
get_alert |
Retrieve a single alert by ID |
search_alerts |
Full-text search across all alerts |
Rule Tools
| Tool | Description |
|---|---|
list_rules |
List detection rules with level and group filtering |
get_rule |
Get full rule details including compliance mappings |
search_rules |
Search rules by description text |
Other Tools
| Tool | Description |
|---|---|
list_decoders |
List log decoders with optional name filtering |
get_wazuh_version |
Get Wazuh manager version and API info |
MCP Resources
| Resource URI | Description |
|---|---|
wazuh://agents |
All registered agents and their status |
wazuh://alerts/recent |
25 most recent security alerts |
wazuh://rules/summary |
Detection rules sorted by severity |
MCP Prompts
| Prompt | Description |
|---|---|
investigate-alert |
Step-by-step alert investigation with MITRE mapping and remediation |
agent-health-check |
Comprehensive agent health assessment (status, resources, alerts) |
security-overview |
Full environment security summary with compliance coverage |
Examples
List active agents
Use list_agents with status "active" to see all connected agents.
Investigate a brute force attempt
Search alerts for "brute force" and investigate the top result,
including the MITRE ATT&CK technique and remediation steps.
Check agent health
Run an agent health check on agent 001 - check its connection status,
resource usage, and any recent critical alerts.
Find high-severity rules
List all rules with level 12 or higher to see critical detection rules
and their compliance framework mappings.
Testing
npm test # Run all tests
npm run test:watch # Watch mode
Tests use mocked Wazuh API responses - no live Wazuh instance needed.
Project Structure
wazuh-mcp/
├── src/
│ ├── index.ts # MCP server entry point
│ ├── config.ts # Environment configuration
│ ├── client.ts # Wazuh REST API client (JWT auth)
│ ├── types.ts # TypeScript type definitions
│ ├── resources.ts # MCP resource handlers
│ ├── prompts.ts # MCP prompt templates
│ └── tools/
│ ├── agents.ts # Agent management tools
│ ├── alerts.ts # Alert query tools
│ ├── rules.ts # Rule query tools
│ ├── decoders.ts # Decoder listing tool
│ └── version.ts # Version info tool
├── tests/
│ ├── client.test.ts # API client unit tests
│ └── tools.test.ts # Tool handler unit tests
├── package.json
├── tsconfig.json
├── tsup.config.ts
└── vitest.config.ts
License
MIT
推荐服务器
Baidu Map
百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。
Playwright MCP Server
一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。
Magic Component Platform (MCP)
一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。
Audiense Insights MCP Server
通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。
VeyraX
一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。
graphlit-mcp-server
模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。
Kagi MCP Server
一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。
e2b-mcp-server
使用 MCP 通过 e2b 运行代码。
Neon MCP Server
用于与 Neon 管理 API 和数据库交互的 MCP 服务器
Exa MCP Server
模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。