# wazuh-mcp
[](https://www.typescriptlang.org/)
[](https://nodejs.org/)
[](https://modelcontextprotocol.io/)
[](https://opensource.org/licenses/MIT)
A [Model Context Protocol](https://modelcontextprotocol.io/) (MCP) server for the [Wazuh](https://wazuh.com/) SIEM/XDR platform. Query agents, security alerts, detection rules, and decoders directly from Claude or any MCP-compatible client.
## Features
- **11 MCP Tools** - Agents, alerts, rules, decoders, and version info
- **3 MCP Resources** - Pre-built views for agents, recent alerts, and rule summaries
- **3 MCP Prompts** - Alert investigation, agent health checks, and security overviews
- **JWT Authentication** - Automatic token management with refresh on expiry
- **Full Compliance Mapping** - PCI-DSS, GDPR, HIPAA, NIST 800-53, MITRE ATT&CK
- **Pagination** - All list endpoints support limit/offset pagination
- **Type-Safe** - Full TypeScript with strict mode and Zod schema validation
## Prerequisites
- Node.js 20+
- A running Wazuh manager with API access (default port 55000)
- Wazuh API credentials (username/password)
## Installation
```bash
git clone https://github.com/solomonneas/wazuh-mcp.git
cd wazuh-mcp
npm install
npm run build
```
## Configuration
Set the following environment variables:
| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| `WAZUH_URL` | Yes | - | Wazuh API URL (e.g., `https://10.0.0.2:55000`) |
| `WAZUH_USERNAME` | Yes | - | API username |
| `WAZUH_PASSWORD` | Yes | - | API password |
| `WAZUH_VERIFY_SSL` | No | `false` | Set to `true` to verify SSL certificates |
Alternative variable names `WAZUH_BASE_URL` and `WAZUH_USER` are also supported.
## Usage
### Claude Desktop
Add to your Claude Desktop configuration (`claude_desktop_config.json`):
```json
{
"mcpServers": {
"wazuh": {
"command": "node",
"args": ["/path/to/wazuh-mcp/dist/index.js"],
"env": {
"WAZUH_URL": "https://your-wazuh-manager:55000",
"WAZUH_USERNAME": "wazuh-wui",
"WAZUH_PASSWORD": "your-password"
}
}
}
}
```
### Standalone
```bash
export WAZUH_URL=https://your-wazuh-manager:55000
export WAZUH_USERNAME=wazuh-wui
export WAZUH_PASSWORD=your-password
npm start
```
### Development
```bash
npm run dev # Watch mode with tsx
npm run lint # Type checking
npm test # Run tests
```
## MCP Tools
### Agent Tools
| Tool | Description |
|------|-------------|
| `list_agents` | List all agents with optional status filtering (active, disconnected, never_connected, pending) |
| `get_agent` | Get detailed info for a specific agent by ID |
| `get_agent_stats` | Get CPU, memory, and disk statistics for an agent |
### Alert Tools
| Tool | Description |
|------|-------------|
| `get_alerts` | Retrieve recent alerts with filtering by level, agent, rule, and text search |
| `get_alert` | Retrieve a single alert by ID |
| `search_alerts` | Full-text search across all alerts |
### Rule Tools
| Tool | Description |
|------|-------------|
| `list_rules` | List detection rules with level and group filtering |
| `get_rule` | Get full rule details including compliance mappings |
| `search_rules` | Search rules by description text |
### Other Tools
| Tool | Description |
|------|-------------|
| `list_decoders` | List log decoders with optional name filtering |
| `get_wazuh_version` | Get Wazuh manager version and API info |
## MCP Resources
| Resource URI | Description |
|-------------|-------------|
| `wazuh://agents` | All registered agents and their status |
| `wazuh://alerts/recent` | 25 most recent security alerts |
| `wazuh://rules/summary` | Detection rules sorted by severity |
## MCP Prompts
| Prompt | Description |
|--------|-------------|
| `investigate-alert` | Step-by-step alert investigation with MITRE mapping and remediation |
| `agent-health-check` | Comprehensive agent health assessment (status, resources, alerts) |
| `security-overview` | Full environment security summary with compliance coverage |
## Examples
### List active agents
```
Use list_agents with status "active" to see all connected agents.
```
### Investigate a brute force attempt
```
Search alerts for "brute force" and investigate the top result,
including the MITRE ATT&CK technique and remediation steps.
```
### Check agent health
```
Run an agent health check on agent 001 - check its connection status,
resource usage, and any recent critical alerts.
```
### Find high-severity rules
```
List all rules with level 12 or higher to see critical detection rules
and their compliance framework mappings.
```
## Testing
```bash
npm test # Run all tests
npm run test:watch # Watch mode
```
Tests use mocked Wazuh API responses - no live Wazuh instance needed.
## Project Structure
```
wazuh-mcp/
├── src/
│ ├── index.ts # MCP server entry point
│ ├── config.ts # Environment configuration
│ ├── client.ts # Wazuh REST API client (JWT auth)
│ ├── types.ts # TypeScript type definitions
│ ├── resources.ts # MCP resource handlers
│ ├── prompts.ts # MCP prompt templates
│ └── tools/
│ ├── agents.ts # Agent management tools
│ ├── alerts.ts # Alert query tools
│ ├── rules.ts # Rule query tools
│ ├── decoders.ts # Decoder listing tool
│ └── version.ts # Version info tool
├── tests/
│ ├── client.test.ts # API client unit tests
│ └── tools.test.ts # Tool handler unit tests
├── package.json
├── tsconfig.json
├── tsup.config.ts
└── vitest.config.ts
```
## License
MIT
