How do I use wazuh-mcp?

1. Click on "Install Server". 2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state. 3. In the chat, type @ followed by the MCP server name and your instructions, e.g., "@wazuh-mcp Investigate the most recent high-severity alert for agent 001" That's it! The server will respond to your query, and you can continue using it as needed. Here is a step-by-step guide with screenshots.

wazuh-mcp

TypeScript Node.js MCP License: MIT

A Model Context Protocol (MCP) server for the Wazuh SIEM/XDR platform. Query agents, security alerts, detection rules, and decoders directly from Claude or any MCP-compatible client.

Features

11 MCP Tools - Agents, alerts, rules, decoders, and version info
3 MCP Resources - Pre-built views for agents, recent alerts, and rule summaries
3 MCP Prompts - Alert investigation, agent health checks, and security overviews
JWT Authentication - Automatic token management with refresh on expiry
Full Compliance Mapping - PCI-DSS, GDPR, HIPAA, NIST 800-53, MITRE ATT&CK
Pagination - All list endpoints support limit/offset pagination
Type-Safe - Full TypeScript with strict mode and Zod schema validation

Prerequisites

Node.js 20+
A running Wazuh manager with API access (default port 55000)
Wazuh API credentials (username/password)

Installation

git clone https://github.com/solomonneas/wazuh-mcp.git cd wazuh-mcp npm install npm run build

Configuration

Set the following environment variables:

Variable	Required	Default	Description
`WAZUH_URL`	Yes	-	Wazuh API URL (e.g., `https://10.0.0.2:55000`)
`WAZUH_USERNAME`	Yes	-	API username
`WAZUH_PASSWORD`	Yes	-	API password
`WAZUH_VERIFY_SSL`	No	`false`	Set to `true` to verify SSL certificates

Alternative variable names WAZUH_BASE_URL and WAZUH_USER are also supported.

Usage

Claude Desktop

Add to your Claude Desktop configuration (claude_desktop_config.json):

{ "mcpServers": { "wazuh": { "command": "node", "args": ["/path/to/wazuh-mcp/dist/index.js"], "env": { "WAZUH_URL": "https://your-wazuh-manager:55000", "WAZUH_USERNAME": "wazuh-wui", "WAZUH_PASSWORD": "your-password" } } } }

Standalone

export WAZUH_URL=https://your-wazuh-manager:55000 export WAZUH_USERNAME=wazuh-wui export WAZUH_PASSWORD=your-password npm start

Development

npm run dev # Watch mode with tsx npm run lint # Type checking npm test # Run tests

MCP Tools

Agent Tools

Tool	Description
`list_agents`	List all agents with optional status filtering (active, disconnected, never_connected, pending)
`get_agent`	Get detailed info for a specific agent by ID
`get_agent_stats`	Get CPU, memory, and disk statistics for an agent

Alert Tools

Tool	Description
`get_alerts`	Retrieve recent alerts with filtering by level, agent, rule, and text search
`get_alert`	Retrieve a single alert by ID
`search_alerts`	Full-text search across all alerts

Rule Tools

Tool	Description
`list_rules`	List detection rules with level and group filtering
`get_rule`	Get full rule details including compliance mappings
`search_rules`	Search rules by description text

Other Tools

Tool	Description
`list_decoders`	List log decoders with optional name filtering
`get_wazuh_version`	Get Wazuh manager version and API info

MCP Resources

Resource URI	Description
`wazuh://agents`	All registered agents and their status
`wazuh://alerts/recent`	25 most recent security alerts
`wazuh://rules/summary`	Detection rules sorted by severity

MCP Prompts

Prompt	Description
`investigate-alert`	Step-by-step alert investigation with MITRE mapping and remediation
`agent-health-check`	Comprehensive agent health assessment (status, resources, alerts)
`security-overview`	Full environment security summary with compliance coverage

Examples

List active agents

Use list_agents with status "active" to see all connected agents.

Investigate a brute force attempt

Search alerts for "brute force" and investigate the top result, including the MITRE ATT&CK technique and remediation steps.

Check agent health

Run an agent health check on agent 001 - check its connection status, resource usage, and any recent critical alerts.

Find high-severity rules

List all rules with level 12 or higher to see critical detection rules and their compliance framework mappings.

Testing

npm test # Run all tests npm run test:watch # Watch mode

Tests use mocked Wazuh API responses - no live Wazuh instance needed.

Project Structure

wazuh-mcp/ ├── src/ │ ├── index.ts # MCP server entry point │ ├── config.ts # Environment configuration │ ├── client.ts # Wazuh REST API client (JWT auth) │ ├── types.ts # TypeScript type definitions │ ├── resources.ts # MCP resource handlers │ ├── prompts.ts # MCP prompt templates │ └── tools/ │ ├── agents.ts # Agent management tools │ ├── alerts.ts # Alert query tools │ ├── rules.ts # Rule query tools │ ├── decoders.ts # Decoder listing tool │ └── version.ts # Version info tool ├── tests/ │ ├── client.test.ts # API client unit tests │ └── tools.test.ts # Tool handler unit tests ├── package.json ├── tsconfig.json ├── tsup.config.ts └── vitest.config.ts

License

MIT

wazuh-mcp

wazuh-mcp

Features

Prerequisites

Installation

Configuration

Usage

Claude Desktop

Standalone

Development

MCP Tools

Agent Tools

Alert Tools

Rule Tools

Other Tools

MCP Resources

MCP Prompts

Examples

List active agents

Investigate a brute force attempt

Check agent health

Find high-severity rules

Testing

Project Structure

License

Resources

Tools

New MCP Servers

Latest Blog Posts

MCP directory API