Wazuh MCP Server

AI-powered security operations with Wazuh SIEM + Claude Desktop. Natural language threat detection, automated incident response & compliance.

GitHub

Wazuh MCP Server

License: MIT Python 3.11+ MCP 2025-11-25 Docker

Production-ready MCP server connecting AI assistants to Wazuh SIEM.

Version 4.1.0 | Wazuh 4.8.0 - 4.14.3 | Full Changelog

Why This MCP Server?

Security teams using Wazuh SIEM generate thousands of alerts, vulnerabilities, and events daily. Analyzing this data requires constant context-switching between dashboards, writing API queries, and manually correlating information.

This MCP server solves that problem by providing a secure bridge between AI assistants (like Claude) and your Wazuh deployment. Query alerts, analyze threats, check agent health, and generate compliance reports—all through natural conversation.

You: "Show me critical alerts from the last 24 hours"
Claude: [Uses get_wazuh_alerts tool] Found 12 critical alerts...

You: "Which agents have unpatched critical vulnerabilities?"
Claude: [Uses get_wazuh_critical_vulnerabilities tool] 3 agents affected...

Take It Further: Autonomous Agentic SOC

Ready to move beyond manual security operations?

Combine this MCP server with Wazuh OpenClaw Autopilot to build a fully autonomous Security Operations Center powered by AI agents.

While this MCP server gives you conversational access to Wazuh, OpenClaw takes it to the next level—deploying AI agents that work around the clock to triage alerts, correlate incidents, and recommend responses without human intervention.

CapabilityWhat It Does
Autonomous Alert TriageAI agents continuously analyze incoming alerts, prioritize threats, and create structured incident cases
Intelligent CorrelationAutomatically groups related alerts into attack timelines with blast radius assessment
AI-Powered Response PlanningGenerates actionable response recommendations with risk scoring
Human-in-the-Loop SafetyCritical actions require Slack approval—automation with guardrails
Traditional SOC: Alert → Analyst reviews → Hours later → Response
Agentic SOC:     Alert → AI triages → Seconds later → Response ready for approval

This is the future of security operations. Start with the MCP server, scale to autonomous agents.

Explore OpenClaw Autopilot →

Features

CategoryCapabilities
MCP Protocol100% compliant with MCP 2025-11-25, Streamable HTTP + Legacy SSE
Security Tools48 specialized tools for alerts, agents, vulnerabilities, compliance, active response
AuthenticationOAuth 2.0 with DCR, Bearer tokens (JWT), or authless mode
Production ReadyCircuit breakers, rate limiting, security & monitoring middleware, Prometheus metrics
DeploymentDocker containerized, multi-platform (AMD64/ARM64), serverless-ready
Token EfficiencyCompact output mode reduces responses by ~66%

48 Security Tools

CategoryTools
Alerts (3)get_wazuh_alerts, get_wazuh_alert_summary, analyze_alert_patterns
Agents (6)get_wazuh_agents, get_wazuh_running_agents, check_agent_health, get_agent_processes, get_agent_ports, get_agent_configuration
Vulnerabilities (3)get_wazuh_vulnerabilities, get_wazuh_critical_vulnerabilities, get_wazuh_vulnerability_summary
Security Analysis (7)search_security_events, analyze_security_threat, check_ioc_reputation, perform_risk_assessment, get_top_security_threats, generate_security_report, run_compliance_check
System (10)get_wazuh_statistics, get_wazuh_weekly_stats, get_wazuh_cluster_health, get_wazuh_cluster_nodes, get_wazuh_rules_summary, get_wazuh_remoted_stats, get_wazuh_log_collector_stats, search_wazuh_manager_logs, get_wazuh_manager_error_logs, validate_wazuh_connection
Active Response (9)wazuh_block_ip, wazuh_isolate_host, wazuh_kill_process, wazuh_disable_user, wazuh_quarantine_file, wazuh_active_response, wazuh_firewall_drop, wazuh_host_deny, wazuh_restart
Verification (5)wazuh_check_blocked_ip, wazuh_check_agent_isolation, wazuh_check_process, wazuh_check_user_status, wazuh_check_file_quarantine
Rollback (5)wazuh_unisolate_host, wazuh_enable_user, wazuh_restore_file, wazuh_firewall_allow, wazuh_host_allow

Quick Start

Prerequisites

  • Docker 20.10+ with Compose v2.20+
  • Wazuh 4.8.0 - 4.14.3 with API access

1. Clone and Configure

git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git
cd Wazuh-MCP-Server
cp .env.example .env

Edit .env with your Wazuh credentials:

WAZUH_HOST=https://your-wazuh-server.com
WAZUH_USER=your-api-user
WAZUH_PASS=your-api-password

2. Deploy

python deploy.py
# Or: docker compose up -d

3. Verify

curl http://localhost:3000/health

4. Connect Claude Desktop

  1. Go to SettingsConnectorsAdd custom connector
  2. Enter: https://your-server-domain.com/mcp
  3. Add authentication in Advanced settings

Detailed setup: Claude Integration Guide

Configuration

Required Variables

VariableDescription
WAZUH_HOSTWazuh server URL
WAZUH_USERAPI username
WAZUH_PASSAPI password

Optional Variables

VariableDefaultDescription
WAZUH_PORT55000API port
MCP_HOST0.0.0.0Server bind address
MCP_PORT3000Server port
AUTH_MODEbeareroauth, bearer, or none
AUTH_SECRET_KEYautoJWT signing key
ALLOWED_ORIGINShttps://claude.aiCORS origins
REDIS_URL-Redis URL for serverless mode

Wazuh Indexer (Required for vulnerabilities in 4.8.0+)

VariableDescription
WAZUH_INDEXER_HOSTIndexer hostname
WAZUH_INDEXER_PORTIndexer port (default: 9200)
WAZUH_INDEXER_USERIndexer username
WAZUH_INDEXER_PASSIndexer password

API Endpoints

EndpointDescription
/mcpRecommended - Streamable HTTP (MCP 2025-11-25)
/sseLegacy SSE endpoint
/healthHealth check
/metricsPrometheus metrics
/docsOpenAPI documentation
/auth/tokenToken exchange (bearer mode)

Documentation

GuideDescription
Claude IntegrationClaude Desktop setup, authentication modes
Advanced FeaturesHA, serverless, compact mode, MCP compliance
TroubleshootingCommon issues and solutions
OperationsDeployment, monitoring, maintenance
API DocumentationTool-specific documentation
SecuritySecurity configuration and best practices

Project Structure

src/wazuh_mcp_server/
├── server.py           # MCP server with 48 tools (Streamable HTTP + SSE)
├── config.py           # Configuration management with validation
├── config_validator.py # Startup configuration validation
├── auth.py             # JWT & API key authentication
├── oauth.py            # OAuth 2.0 with DCR
├── security.py         # Rate limiting, CORS, input validation, security middleware
├── monitoring.py       # Prometheus metrics, request tracking middleware
├── resilience.py       # Circuit breakers, retries, graceful shutdown
├── session_store.py    # Pluggable sessions (in-memory + Redis)
└── api/
    ├── wazuh_client.py    # Wazuh Manager API client
    └── wazuh_indexer.py   # Wazuh Indexer API client (alerts + vulnerabilities)

Security

  • Authentication: JWT tokens, OAuth 2.0 with DCR, all endpoints protected
  • Security Middleware: Automatic security headers (X-Content-Type-Options, X-Frame-Options, CSP)
  • Rate Limiting: Per-client request throttling
  • Input Validation: Comprehensive parameter validation with SQL injection and XSS protection
  • Container Security: Non-root user, read-only filesystem
# Generate secure API key
openssl rand -hex 32

# Set file permissions
chmod 600 .env

Contributing

We welcome contributions! Please see:

License

MIT License - see LICENSE

Acknowledgments

Contributors

AvatarUsernameContributions
@alokemajumderCode, Issues, Discussions
@gensecai-devCode, Discussions
@aiunmuktoCode, PRs
@KaribusanCode, Issues, PRs
@lwsinclairCode, PRs
@taylorwaltonPRs
@MilkyWay88PRs
@kanylbullenCode, PRs
@UberkarhuIssues
@cbassonbgroupIssues
@cybersentinel-06Issues
@daod-arshadIssues
@mamemaIssues
@marcolinux46Issues
@matveevandreyIssues
@punkpeyeIssues
@tonyliu9189Issues
@Vasanth120vDiscussions
@gnix45Discussions
@melmasry1987Discussions

Auto-updated by GitHub Actions

Related Servers