How do I use wazuh-mcp?

1. Click on "Install Server". 2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state. 3. In the chat, type @ followed by the MCP server name and your instructions, e.g., "@wazuh-mcp Investigate the most recent high-severity alert for agent 001" That's it! The server will respond to your query, and you can continue using it as needed. Here is a step-by-step guide with screenshots.

wazuh-mcp

TypeScript Node.js MCP License: MIT

A Model Context Protocol (MCP) server for the Wazuh SIEM/XDR platform. Query agents, security alerts, detection rules, and decoders directly from Claude or any MCP-compatible client.

Features

11 MCP Tools - Agents, alerts, rules, decoders, and version info
3 MCP Resources - Pre-built views for agents, recent alerts, and rule summaries
3 MCP Prompts - Alert investigation, agent health checks, and security overviews
JWT Authentication - Automatic token management with refresh on expiry
Full Compliance Mapping - PCI-DSS, GDPR, HIPAA, NIST 800-53, MITRE ATT&CK
Pagination - All list endpoints support limit/offset pagination
Type-Safe - Full TypeScript with strict mode and Zod schema validation

Prerequisites

Node.js 20+
A running Wazuh manager with API access (default port 55000)
Wazuh API credentials (username/password)

Installation

git clone https://github.com/solomonneas/wazuh-mcp.git
cd wazuh-mcp
npm install
npm run build

Configuration

Set the following environment variables:

Variable	Required	Default	Description
`WAZUH_URL`	Yes	-	Wazuh API URL (e.g., `https://10.0.0.2:55000`)
`WAZUH_USERNAME`	Yes	-	API username
`WAZUH_PASSWORD`	Yes	-	API password
`WAZUH_VERIFY_SSL`	No	`false`	Set to `true` to verify SSL certificates

Alternative variable names WAZUH_BASE_URL and WAZUH_USER are also supported.

Usage

Claude Desktop

Add to your Claude Desktop configuration (claude_desktop_config.json):

{
  "mcpServers": {
    "wazuh": {
      "command": "node",
      "args": ["/path/to/wazuh-mcp/dist/index.js"],
      "env": {
        "WAZUH_URL": "https://your-wazuh-manager:55000",
        "WAZUH_USERNAME": "wazuh-wui",
        "WAZUH_PASSWORD": "your-password"
      }
    }
  }
}

Standalone

export WAZUH_URL=https://your-wazuh-manager:55000
export WAZUH_USERNAME=wazuh-wui
export WAZUH_PASSWORD=your-password
npm start

Development

npm run dev    # Watch mode with tsx
npm run lint   # Type checking
npm test       # Run tests

MCP Tools

Agent Tools

Tool	Description
`list_agents`	List all agents with optional status filtering (active, disconnected, never_connected, pending)
`get_agent`	Get detailed info for a specific agent by ID
`get_agent_stats`	Get CPU, memory, and disk statistics for an agent

Alert Tools

Tool	Description
`get_alerts`	Retrieve recent alerts with filtering by level, agent, rule, and text search
`get_alert`	Retrieve a single alert by ID
`search_alerts`	Full-text search across all alerts

Rule Tools

Tool	Description
`list_rules`	List detection rules with level and group filtering
`get_rule`	Get full rule details including compliance mappings
`search_rules`	Search rules by description text

Other Tools

Tool	Description
`list_decoders`	List log decoders with optional name filtering
`get_wazuh_version`	Get Wazuh manager version and API info

MCP Resources

Resource URI	Description
`wazuh://agents`	All registered agents and their status
`wazuh://alerts/recent`	25 most recent security alerts
`wazuh://rules/summary`	Detection rules sorted by severity

MCP Prompts

Prompt	Description
`investigate-alert`	Step-by-step alert investigation with MITRE mapping and remediation
`agent-health-check`	Comprehensive agent health assessment (status, resources, alerts)
`security-overview`	Full environment security summary with compliance coverage

Examples

List active agents

Use list_agents with status "active" to see all connected agents.

Investigate a brute force attempt

Search alerts for "brute force" and investigate the top result,
including the MITRE ATT&CK technique and remediation steps.

Check agent health

Run an agent health check on agent 001 - check its connection status,
resource usage, and any recent critical alerts.

Find high-severity rules

List all rules with level 12 or higher to see critical detection rules
and their compliance framework mappings.

Testing

npm test              # Run all tests
npm run test:watch    # Watch mode

Tests use mocked Wazuh API responses - no live Wazuh instance needed.

Project Structure

wazuh-mcp/
├── src/
│   ├── index.ts           # MCP server entry point
│   ├── config.ts          # Environment configuration
│   ├── client.ts          # Wazuh REST API client (JWT auth)
│   ├── types.ts           # TypeScript type definitions
│   ├── resources.ts       # MCP resource handlers
│   ├── prompts.ts         # MCP prompt templates
│   └── tools/
│       ├── agents.ts      # Agent management tools
│       ├── alerts.ts      # Alert query tools
│       ├── rules.ts       # Rule query tools
│       ├── decoders.ts    # Decoder listing tool
│       └── version.ts     # Version info tool
├── tests/
│   ├── client.test.ts     # API client unit tests
│   └── tools.test.ts      # Tool handler unit tests
├── package.json
├── tsconfig.json
├── tsup.config.ts
└── vitest.config.ts

License

MIT

wazuh-mcp

wazuh-mcp

Features

Prerequisites

Installation

Configuration

Usage

Claude Desktop

Standalone

Development

MCP Tools

Agent Tools

Alert Tools

Rule Tools

Other Tools

MCP Resources

MCP Prompts

Examples

List active agents

Investigate a brute force attempt

Check agent health

Find high-severity rules

Testing

Project Structure

License

Resources

Tools

Latest Blog Posts

MCP directory API