wazuh-mcp-server

by Sbharadwaj05

Server Configuration

Describes the environment variables required to run the server.

Name               Required  Description                                                     Default
WAZUH_API_URL      Yes       Wazuh API URL (e.g., https://your-wazuh-manager:55000)
WAZUH_INSECURE     No        Disable TLS verification (set to true for self-signed certs)    false
WAZUH_PASSWORD     Yes       Wazuh API password
WAZUH_USERNAME     Yes       Wazuh API username
WAZUH_RBAC_ROLE    No        RBAC role: viewer, analyst, admin, socadmin
WAZUH_RBAC_POLICY  No        Path to custom RBAC policy JSON file

Note that WAZUH_INSECURE=true turns off certificate validation for every request the server makes to the manager, so the API username and password are sent over a connection the server cannot authenticate. For a self-signed manager certificate, adding that certificate (or its CA) to the trust store the server uses is the safer fix; leave the flag at its default of false wherever possible.
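The page lists WAZUH_RBAC_ROLE and WAZUH_RBAC_POLICY but does not say which tools each role may call or what the policy file contains. The following is an added example, not the server's own code, showing one way such a gate can be implemented: a built-in per-role allow/deny policy keyed by the tool names above, overridable by a JSON file at WAZUH_RBAC_POLICY, with deny taking precedence over allow and an unknown role refused rather than silently widened. The role-to-tool assignments, the "viewer" default, and the allow/deny file shape are all assumptions made for this example.

```python
"""Role-based gating of MCP tool calls (added example; not the wazuh-mcp-server code)."""
import fnmatch
import json
import os
from pathlib import Path

# Tool names come from the server's tool list; which role may call which tool is an
# assumption made for this example.
DESTRUCTIVE_TOOLS = ["wazuh_run_active_response", "wazuh_agent_command"]

DEFAULT_POLICY = {
    # viewer: a small read-only subset, explicitly enumerated (no wildcard).
    "viewer": {
        "allow": [
            "wazuh_list_alerts", "wazuh_get_alert", "wazuh_alert_summary",
            "wazuh_list_agents", "wazuh_get_agent", "wazuh_agent_health",
        ],
        "deny": [],
    },
    # analyst: every query tool, but nothing that changes state on an agent.
    "analyst": {"allow": ["wazuh_*"], "deny": DESTRUCTIVE_TOOLS},
    # admin: may trigger active responses, but not run arbitrary commands.
    "admin": {"allow": ["wazuh_*"], "deny": ["wazuh_agent_command"]},
    # socadmin: unrestricted.
    "socadmin": {"allow": ["wazuh_*"], "deny": []},
}


def load_policy(env=None):
    """Return (role, role_policy) from the environment.

    `env` defaults to os.environ; passing a dict makes the function testable offline.
    A custom policy file replaces the whole default table, so an operator cannot
    accidentally inherit a permissive default role they did not define.
    """
    env = os.environ if env is None else env
    role = env.get("WAZUH_RBAC_ROLE", "viewer")  # assumed safe default
    policy = DEFAULT_POLICY
    custom_path = env.get("WAZUH_RBAC_POLICY")
    if custom_path:
        policy = json.loads(Path(custom_path).read_text(encoding="utf-8"))
    if role not in policy:
        raise ValueError(f"unknown RBAC role {role!r}; known roles: {sorted(policy)}")
    role_policy = policy[role]
    if not isinstance(role_policy.get("allow"), list):
        raise ValueError(f"role {role!r} has no 'allow' list")
    return role, role_policy


def is_tool_allowed(tool, role_policy):
    """Deny wins over allow, so a wildcard allow can still carve out exceptions."""
    if any(fnmatch.fnmatchcase(tool, p) for p in role_policy.get("deny", [])):
        return False
    return any(fnmatch.fnmatchcase(tool, p) for p in role_policy["allow"])


def filter_tools(tool_names, role_policy):
    """The tool list advertised to the LLM client should already exclude denied tools,
    so the model never sees (and never tries) a call the policy would reject."""
    return [t for t in tool_names if is_tool_allowed(t, role_policy)]


if __name__ == "__main__":
    role, pol = load_policy({"WAZUH_RBAC_ROLE": "analyst"})
    print(role, filter_tools(["wazuh_list_alerts", "wazuh_agent_command"], pol))
```

Filtering the advertised tool list and checking again at call time are both needed: the first keeps the model from planning around tools it cannot use, the second is the actual control, since a client can call any tool name regardless of what was advertised.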

Capabilities

Features and capabilities supported by this server

Capability and details
tools
{
  "listChanged": false
}
prompts
{
  "listChanged": false
}
resources
{
  "subscribe": false,
  "listChanged": false
}
experimental
{}

Tools

Functions exposed to the LLM to take actions

Name and description

wazuh_list_alerts

Query Wazuh security alerts with powerful filters. Use this to triage incidents, hunt for specific threat patterns, or get an overview of recent security events.

wazuh_get_alert

Fetch a single Wazuh alert by its ID with full contextual detail. Use this when investigating a specific alert from wazuh_list_alerts results.

wazuh_alert_summary

Get a high-level summary of recent alerts: severity distribution, top attacking IPs, most triggered rules, and MITRE technique coverage. Use this as the first step in a security posture assessment or shift handoff.

wazuh_list_agents

List all Wazuh agents with their status, OS, version, and last connection. Filter by status ('active', 'disconnected', 'never_connected'), search by name or IP, and control pagination.

wazuh_get_agent

Get detailed information about a specific agent: configuration, enabled modules, OS details, group membership, and connection history.

wazuh_agent_health

Get a fleet-wide health overview: counts by connection status, agents by OS/platform, version distribution, and stale agents. Use this for a daily ops check or before an investigation.

wazuh_sca_status

Get the Security Configuration Assessment (SCA) compliance status for an agent. Shows which policies are applied, pass/fail counts, and overall compliance scores.

wazuh_sca_checks

Get detailed SCA check results: see exactly which compliance checks passed or failed on an agent. Filter by policy, search, or result status.

wazuh_compliance_report

Generate a compliance summary report across agents. Shows which agents have SCA enabled, their compliance scores, and failed-check counts grouped by policy. Ideal for audit prep.

wazuh_search_events

Search raw security events across all Wazuh agents. Use this for deep threat hunting: search for IOCs like IPs, file hashes, commands, or process names in the raw event stream.

wazuh_query_fim

Query File Integrity Monitoring (FIM) records. See what files were added, modified, or deleted on an agent. Essential for breach impact analysis and configuration drift detection.

wazuh_query_vulnerabilities

Query the Wazuh vulnerability-detector inventory. Find CVEs affecting your fleet, filtered by severity, agent, or specific CVE ID.

wazuh_search_mitre

Search the MITRE ATT&CK framework as integrated with Wazuh. Look up techniques, find which Wazuh rules map to a technique, or discover what techniques are covered by your detection ruleset.

wazuh_manager_stats

Retrieve Wazuh manager daemon statistics: events per second (EPS), queue sizes, processed events, and daemon health. Essential for capacity planning and troubleshooting performance issues.

wazuh_cluster_status

Get the Wazuh cluster health status: node list, sync status, and connectivity between manager nodes. Use this when checking whether the cluster is healthy or diagnosing replication failures.

wazuh_rules_info

Search and list Wazuh detection rules. Filter by rule level, compliance framework (PCI DSS, GDPR, HIPAA, NIST 800-53), or MITRE ATT&CK technique. Essential for understanding your detection coverage and tuning rules.

wazuh_manager_logs

Retrieve Wazuh manager logs for troubleshooting. Filter by category ('ossec', 'api', 'all'), search for specific errors or warnings, and paginate through results.

wazuh_cluster_node_stats

Get detailed statistics for a specific Wazuh cluster node. Shows per-node EPS, queue sizes, daemon status, and resource utilization. Essential for diagnosing cluster imbalances.

wazuh_run_active_response

⚠️ DESTRUCTIVE: Trigger an active-response command on a Wazuh agent. Can block IPs via the firewall, quarantine hosts, run custom scripts, etc.

🔒 SAFETY: By default, this tool DOES NOT execute anything. It returns a confirmation prompt showing exactly what will happen. You MUST call it again with confirm=True and the correct confirmation_token to execute.

wazuh_agent_command

⚠️ DESTRUCTIVE: Execute an arbitrary command on a remote Wazuh agent via the active-response infrastructure.

🔒 SAFETY: Same confirmation flow as wazuh_run_active_response. You MUST confirm explicitly before the command runs.

wazuh_list_groups

List all Wazuh agent groups. Groups are used to organize agents by function (e.g., 'web-servers', 'database', 'production'). Useful for scoping queries and active responses to specific agent sets.

wazuh_get_group

Get detailed information about a specific agent group, including its configuration and member agents.

wazuh_group_agents

List all agents belonging to a specific agent group.

wazuh_list_cdb_lists

List all CDB (Constant Database) lists configured in Wazuh. CDB lists store key-value data used by rules: IP blocklists, user whitelists, IOC databases, etc. Essential for understanding which threat intelligence feeds are active.

wazuh_get_cdb_list

Read the contents of a specific CDB list. CDB lists are used for IP reputation, user whitelists, IOC matching, and more. Returns the key-value entries in the list.

wazuh_rules_coverage_map

Generate a coverage map showing which Wazuh rules map to which MITRE ATT&CK techniques, NIST 800-53 controls, PCI DSS requirements, GDPR articles, and HIPAA controls. Essential for compliance gap analysis and detection engineering.

wazuh_vulnerability_heatmap

Generate a vulnerability heatmap showing CVE severity distribution across agents. Identifies which systems have the most critical unpatched vulnerabilities. Essential for patch prioritization.

wazuh_incident_timeline

After identifying a security incident, reconstruct a timeline of all related events leading to it. Takes an alert ID, traces back through related events on the same agent, and builds a chronological timeline of what happened.
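The two destructive tools above, wazuh_run_active_response and wazuh_agent_command, describe a two-call flow: the first call returns a preview and a confirmation_token, and the action only runs when the tool is called again with confirm=True and that token. The page does not say how the token is built or checked. The following added example, which is not the server's code, shows one way to make that flow meaningful as a control rather than a formality: the token is an HMAC over the exact agent, command and arguments, so it cannot be reused for a different target; it expires; and it is single-use, so a replayed confirmation is refused. The secret, the 300-second lifetime, the token format and the `now` parameter are assumptions made for this example; the real call to the Wazuh API is replaced by a stub that records what would have run.

```python
"""Two-phase confirmation for destructive tools (added example; not the wazuh-mcp-server code)."""
import hashlib
import hmac
import json
import time

# Constructed secret for this example. A real server would generate a random
# secret at startup and keep it in memory only, so tokens cannot be forged
# or minted by anything outside the server process.
SERVER_SECRET = b"example-only-secret-do-not-use-in-production"
TOKEN_TTL_SECONDS = 300  # assumed lifetime of a confirmation

_used_tokens = set()  # confirmations already spent; each token executes at most once


def _canonical(agent_id, command, args, issued_at):
    # Sorted keys and no whitespace: the same request always serialises identically,
    # so the HMAC binds the token to exactly these parameters.
    return json.dumps(
        {"agent_id": agent_id, "command": command, "args": list(args), "issued_at": issued_at},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def _sign(payload):
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def run_active_response(agent_id, command, args=(), confirm=False, confirmation_token=None, now=None):
    """First call (confirm=False): return a preview plus a token. Second call
    (confirm=True + token): verify the token is bound to this exact request,
    unexpired and unused, then execute."""
    args = list(args)
    now = int(time.time()) if now is None else int(now)

    if not confirm:
        token = f"{now}.{_sign(_canonical(agent_id, command, args, now))}"
        return {
            "status": "confirmation_required",
            "preview": f"Would run '{command} {' '.join(args)}' on agent {agent_id}",
            "confirmation_token": token,
            "expires_in": TOKEN_TTL_SECONDS,
        }

    # Parse "<issued_at>.<hex signature>"; reject anything else before doing crypto.
    if not confirmation_token or "." not in confirmation_token:
        return {"status": "rejected", "reason": "missing or malformed token"}
    issued_str, sig = confirmation_token.split(".", 1)
    if not issued_str.isdigit():
        return {"status": "rejected", "reason": "malformed token"}
    issued_at = int(issued_str)
    if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
        return {"status": "rejected", "reason": "token expired"}

    # Recompute the signature over the parameters of *this* call. A token issued for
    # agent 001 will not verify for agent 002, or for a different command or args.
    expected = _sign(_canonical(agent_id, command, args, issued_at))
    if not hmac.compare_digest(expected, sig):
        return {"status": "rejected", "reason": "token does not match this request"}
    if confirmation_token in _used_tokens:
        return {"status": "rejected", "reason": "token already used"}
    _used_tokens.add(confirmation_token)

    # Execution stub: the real server would call the Wazuh manager's active-response
    # API here. This example only records what would have run.
    return {"status": "executed", "agent_id": agent_id, "command": command, "args": args}


if __name__ == "__main__":
    first = run_active_response("001", "firewall-drop", ["10.0.0.5"])
    print(first["preview"])
    second = run_active_response("001", "firewall-drop", ["10.0.0.5"],
                                 confirm=True, confirmation_token=first["confirmation_token"])
    print(second["status"])
```

The point of the design is that the confirmation is bound to the request, not just to the session: an LLM client that obtains a token for blocking one IP cannot replay it to run a different command, against a different agent, or a second time. The `_used_tokens` set is per-process here; a server with several workers would need shared state for the same guarantee.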

Prompts

Interactive templates invoked by user choice

Name and description

No prompts

Resources

Contextual data attached and managed by the client

Name and description

No resources
