Wazuh MCP Server

What it does

Connects AI assistants like Claude to a Wazuh Security Information and Event Management (SIEM) system, enabling natural language queries for security operations, compliance auditing, and threat hunting.

Tools

• get_wazuh_alert_summary: Retrieves and summarizes security alerts from the Wazuh Indexer.
• get_wazuh_vulnerability_summary: Assesses the security posture of agents via vulnerability data.
• get_wazuh_agent_processes: Investigates running processes on specific agents for threat hunting.
• get_wazuh_agent_ports: Monitors open ports and network services to identify attack vectors.
• get_wazuh_running_agents: Tracks agent health and connectivity status.
• get_wazuh_rules_summary: Reviews security detection rules for optimization.
• search_wazuh_manager_logs: Searches manager logs for incident investigation.
• get_wazuh_cluster_health: Monitors Wazuh cluster status and reliability.

Installation

Add the following to your claude_desktop_config.json:

{
  "mcpServers": {
    "wazuh": {
      "command": "/path/to/mcp-server-wazuh",
      "args": [],
      "env": {
        "WAZUH_API_HOST": "your_wazuh_manager_api_host",
        "WAZUH_API_PORT": "55000",
        "WAZUH_API_USERNAME": "your_wazuh_api_user",
        "WAZUH_API_PASSWORD": "your_wazuh_api_password",
        "WAZUH_INDEXER_HOST": "your_wazuh_indexer_host",
        "WAZUH_INDEXER_PORT": "9200",
        "WAZUH_INDEXER_USERNAME": "your_wazuh_indexer_user",
        "WAZUH_INDEXER_PASSWORD": "your_wazuh_indexer_password",
        "WAZUH_VERIFY_SSL": "false"
      }
    }
  }
}

Supported hosts

• Claude Desktop