The wazuh-mcp server integrates with Wazuh SIEM/XDR to provide AI agents with tools, resources, and prompts for querying and managing security data.
Agent Management
list_agents – List agents with optional status filtering (active, disconnected, never_connected, pending), sorting, and pagination
get_agent – Retrieve detailed information for a specific agent by ID
get_agent_stats – Get system statistics (CPU, memory, disk) for a specific agent
Security Alerts (requires a configured Wazuh Indexer/OpenSearch)
get_alerts – Retrieve recent alerts with filters for severity, agent ID, rule ID, and text search
get_alert – Fetch a single alert by ID
search_alerts – Full-text search across all alerts with optional severity and agent filters
Detection Rules
list_rules – List rules with optional filtering by severity level and group
get_rule – Get full rule details including compliance mappings (MITRE ATT&CK, PCI-DSS, GDPR, HIPAA, NIST 800-53)
search_rules – Search rules by description text
Decoders & System Info
list_decoders – List available log decoders with optional name filtering
get_wazuh_version – Retrieve Wazuh manager version and API information
Pre-built Resources
Aggregated views of all registered agents, the 25 most recent security alerts, and detection rules sorted by severity
Prompt Templates
Guided workflows for alert investigation (with MITRE mapping and remediation), agent health checks, and a full security overview with compliance coverage
Additional Features
Pagination support (limit/offset) on all list endpoints (1–100 items per request)
Automatic JWT token management with refresh on expiry
Full compliance mapping for PCI-DSS, GDPR, HIPAA, NIST 800-53, and MITRE ATT&CK
Integrates with the Wazuh Indexer (OpenSearch) to provide tools for retrieving, searching, and filtering security alerts across the platform.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type @ followed by the MCP server name and your instructions, e.g., "@wazuh-mcp Investigate the most recent high-severity alert for agent 001"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
wazuh-mcp
A Model Context Protocol (MCP) server for the Wazuh SIEM/XDR platform. Query agents, security alerts, detection rules, and decoders directly from Claude or any MCP-compatible client.
Features
11 MCP Tools - Agents, alerts, rules, decoders, and version info
3 MCP Resources - Pre-built views for agents, recent alerts, and rule summaries
3 MCP Prompts - Alert investigation, agent health checks, and security overviews
JWT Authentication - Automatic token management with refresh on expiry
Full Compliance Mapping - PCI-DSS, GDPR, HIPAA, NIST 800-53, MITRE ATT&CK
Pagination - All list endpoints support limit/offset pagination
Type-Safe - Full TypeScript with strict mode and Zod schema validation
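The "JWT Authentication" feature above is the kind of logic shown here as an added example; this is not code from the wazuh-mcp project. It caches a token, reads its exp claim, re-authenticates a little before expiry and coalesces concurrent callers into one login. The authenticate function is injected so it runs offline; in a real client it would call the Wazuh API's POST /security/user/authenticate with basic auth and return data.token (that endpoint is assumed here, not taken from the README).

```typescript
// Added example (not the wazuh-mcp project's own code): cache a Wazuh API JWT
// and refresh it shortly before the `exp` claim says it expires. `authenticate`
// and `now` are injected so the logic runs offline; in a real client
// `authenticate` would POST to /security/user/authenticate with basic auth
// and return data.token (assumed endpoint, not taken from the README).

type Authenticate = () => Promise<string>;

// Read the `exp` claim (seconds since epoch) from a JWT without verifying it.
// Signature verification is the server's job; the client only needs the expiry.
function jwtExpiry(token: string): number {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  if (typeof payload.exp !== 'number') throw new Error('JWT has no exp claim');
  return payload.exp;
}

class TokenManager {
  private token: string | null = null;
  private exp = 0;
  private pending: Promise<string> | null = null;

  constructor(
    private readonly authenticate: Authenticate,
    private readonly now: () => number = () => Date.now() / 1000,
    private readonly skewSeconds = 30, // refresh this many seconds before exp
  ) {}

  async getToken(): Promise<string> {
    if (this.token && this.now() < this.exp - this.skewSeconds) return this.token;
    // Coalesce concurrent callers so only one login request is in flight.
    if (!this.pending) this.pending = this.login();
    return this.pending;
  }

  private async login(): Promise<string> {
    try {
      const t = await this.authenticate();
      this.exp = jwtExpiry(t); // throws on a malformed token, token stays unset
      this.token = t;
      return t;
    } finally {
      this.pending = null;
    }
  }
}

// Constructed helper for the demo: an unsigned JWT carrying the given exp claim.
function fakeJwt(exp: number): string {
  const enc = (o: object) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc({ exp })}.`;
}
```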
Prerequisites
Node.js 20+
A running Wazuh manager with API access (default port 55000)
Wazuh API credentials (username/password)
(Optional) Wazuh Indexer (OpenSearch) access for alert queries
Installation
git clone https://github.com/solomonneas/wazuh-mcp.git
cd wazuh-mcp
npm install
npm run build
Configuration
Set the following environment variables:
| Variable | Required | Default | Description |
|---|---|---|---|
| WAZUH_URL | Yes | - | Wazuh API URL (e.g., https://your-wazuh-manager:55000) |
| WAZUH_USERNAME | Yes | - | API username |
| WAZUH_PASSWORD | Yes | - | API password |
|  | No |  | Set to |
Alternative variable names WAZUH_BASE_URL and WAZUH_USER are also supported.
Wazuh Indexer (OpenSearch) - Required for Alerts
Wazuh 4.x stores alerts in the Wazuh Indexer (OpenSearch), not the REST API. To enable alert tools (get_alerts, get_alert, search_alerts) and the wazuh://alerts/recent resource, configure the indexer connection:
| Variable | Required | Default | Description |
|---|---|---|---|
| WAZUH_INDEXER_URL | No | - | Wazuh Indexer URL (e.g., https://your-wazuh-indexer:9200) |
| WAZUH_INDEXER_USERNAME | No |  | Indexer username |
| WAZUH_INDEXER_PASSWORD | No | - | Indexer password |
|  | No |  | Set to |
If WAZUH_INDEXER_URL is not set, alert tools will return a helpful configuration message. All other tools (agents, rules, decoders, version) work without the indexer.
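An added example of how the two configuration sections above fit together; it is not the project's config.ts. It reads the documented variables from an env-like record, honours the WAZUH_BASE_URL and WAZUH_USER aliases, reports whether the alert tools are enabled, and clamps limit/offset to the documented 1–100 range. The https requirement, the default limit of 100 and the field names are this example's own choices.

```typescript
// Added example (not the project's config.ts): read the variables documented
// above from an env-like record, honour the WAZUH_BASE_URL / WAZUH_USER aliases,
// and decide whether the alert tools are enabled. The https check, the default
// limit of 100 and the field names are this example's own choices.

type Env = Record<string, string | undefined>;

interface WazuhConfig {
  url: string;
  username: string;
  password: string;
  indexer: { url: string; username?: string; password?: string } | null;
}

// First non-empty value among alternative variable names.
const first = (env: Env, ...names: string[]): string | undefined =>
  names.map((n) => env[n]?.trim()).find((v) => !!v);

function loadConfig(env: Env): WazuhConfig {
  const url = first(env, 'WAZUH_URL', 'WAZUH_BASE_URL');
  const username = first(env, 'WAZUH_USERNAME', 'WAZUH_USER');
  const password = first(env, 'WAZUH_PASSWORD');
  const missing = [['WAZUH_URL', url], ['WAZUH_USERNAME', username], ['WAZUH_PASSWORD', password]]
    .filter(([, v]) => !v).map(([n]) => n);
  if (missing.length) throw new Error(`missing required env: ${missing.join(', ')}`);
  const indexerUrl = first(env, 'WAZUH_INDEXER_URL');
  // Refuse plain http so the password and the JWT never cross the network in clear.
  for (const u of [url, indexerUrl]) {
    if (u && !/^https:\/\/\S+$/i.test(u)) throw new Error(`expected an https URL: ${u}`);
  }
  return {
    url: url!, username: username!, password: password!,
    indexer: indexerUrl
      ? { url: indexerUrl, username: env.WAZUH_INDEXER_USERNAME, password: env.WAZUH_INDEXER_PASSWORD }
      : null,
  };
}

// Alert tools return a configuration hint instead of failing when no indexer is set.
function alertToolsStatus(cfg: WazuhConfig): { enabled: boolean; message?: string } {
  if (cfg.indexer) return { enabled: true };
  return { enabled: false, message: 'Set WAZUH_INDEXER_URL (and the indexer credentials) to enable alert tools.' };
}

// Clamp limit/offset to the documented 1–100 items per request.
function paginate(limit?: number, offset?: number): { limit: number; offset: number } {
  const l = limit === undefined || !Number.isFinite(limit) ? 100 : Math.trunc(limit);
  const o = offset === undefined || !Number.isFinite(offset) ? 0 : Math.trunc(offset);
  return { limit: Math.min(100, Math.max(1, l)), offset: Math.max(0, o) };
}
```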
Usage
Claude Desktop
Add to your Claude Desktop configuration (claude_desktop_config.json):
{
  "mcpServers": {
    "wazuh": {
      "command": "node",
      "args": ["/path/to/wazuh-mcp/dist/index.js"],
      "env": {
        "WAZUH_URL": "https://your-wazuh-manager:55000",
        "WAZUH_USERNAME": "wazuh-wui",
        "WAZUH_PASSWORD": "your-password",
        "WAZUH_INDEXER_URL": "https://your-wazuh-indexer:9200",
        "WAZUH_INDEXER_USERNAME": "admin",
        "WAZUH_INDEXER_PASSWORD": "your-indexer-password"
      }
    }
  }
}
Standalone
export WAZUH_URL=https://your-wazuh-manager:55000
export WAZUH_USERNAME=wazuh-wui
export WAZUH_PASSWORD=your-password
npm start
Development
npm run dev # Watch mode with tsx
npm run lint # Type checking
npm test # Run tests
MCP Tools
Agent Tools
| Tool | Description |
|---|---|
| list_agents | List all agents with optional status filtering (active, disconnected, never_connected, pending) |
| get_agent | Get detailed info for a specific agent by ID |
| get_agent_stats | Get CPU, memory, and disk statistics for an agent |
Alert Tools
| Tool | Description |
|---|---|
| get_alerts | Retrieve recent alerts with filtering by level, agent, rule, and text search |
| get_alert | Retrieve a single alert by ID |
| search_alerts | Full-text search across all alerts |
Rule Tools
| Tool | Description |
|---|---|
| list_rules | List detection rules with level and group filtering |
| get_rule | Get full rule details including compliance mappings |
| search_rules | Search rules by description text |
Other Tools
| Tool | Description |
|---|---|
| list_decoders | List log decoders with optional name filtering |
| get_wazuh_version | Get Wazuh manager version and API info |
MCP Resources
| Resource URI | Description |
|---|---|
|  | All registered agents and their status |
| wazuh://alerts/recent | 25 most recent security alerts |
|  | Detection rules sorted by severity |
MCP Prompts
| Prompt | Description |
|---|---|
|  | Step-by-step alert investigation with MITRE mapping and remediation |
|  | Comprehensive agent health assessment (status, resources, alerts) |
|  | Full environment security summary with compliance coverage |
Examples
List active agents
Use list_agents with status "active" to see all connected agents.
Investigate a brute force attempt
Search alerts for "brute force" and investigate the top result,
including the MITRE ATT&CK technique and remediation steps.
Check agent health
Run an agent health check on agent 001 - check its connection status,
resource usage, and any recent critical alerts.
Find high-severity rules
List all rules with level 12 or higher to see critical detection rules
and their compliance framework mappings.
Testing
npm test # Run all tests
npm run test:watch # Watch mode
Tests use mocked Wazuh API responses - no live Wazuh instance needed.
Project Structure
wazuh-mcp/
├── src/
│ ├── index.ts # MCP server entry point
│ ├── config.ts # Environment configuration
│ ├── client.ts # Wazuh REST API client (JWT auth)
│ ├── indexer-client.ts # Wazuh Indexer (OpenSearch) client
│ ├── types.ts # TypeScript type definitions
│ ├── resources.ts # MCP resource handlers
│ ├── prompts.ts # MCP prompt templates
│ └── tools/
│ ├── agents.ts # Agent management tools
│ ├── alerts.ts # Alert query tools
│ ├── rules.ts # Rule query tools
│ ├── decoders.ts # Decoder listing tool
│ └── version.ts # Version info tool
├── tests/
│ ├── client.test.ts # API client unit tests
│ └── tools.test.ts # Tool handler unit tests
├── package.json
├── tsconfig.json
├── tsup.config.ts
└── vitest.config.ts
License
MIT