AI-powered security operations with Wazuh SIEM + Claude Desktop. Natural language threat detection, automated incident response & compliance. Real-time monitoring, ML anomaly detection. Transform your SOC with conversational security analysis. Production-ready MCP server.
Documentation
Wazuh MCP Server
Production-ready MCP server connecting AI assistants to Wazuh SIEM.
Version 4.1.1 | Wazuh 4.8.0 - 4.14.3 | Full Changelog
---
Why This MCP Server?
Security teams using Wazuh SIEM generate thousands of alerts, vulnerabilities, and events daily. Analyzing this data requires constant context-switching between dashboards, writing API queries, and manually correlating information.
This MCP server solves that problem by providing a secure bridge between AI assistants (like Claude) and your Wazuh deployment. Query alerts, analyze threats, check agent health, and generate compliance reports—all through natural conversation.
You: "Show me critical alerts from the last 24 hours"
Claude: [Uses get_wazuh_alerts tool] Found 12 critical alerts...
You: "Which agents have unpatched critical vulnerabilities?"
Claude: [Uses get_wazuh_critical_vulnerabilities tool] 3 agents affected...---
Take It Further: Autonomous Agentic SOC
Ready to move beyond manual security operations?
Combine this MCP server with **Wazuh OpenClaw Autopilot** to build a fully autonomous Security Operations Center powered by AI agents.
While this MCP server gives you conversational access to Wazuh, OpenClaw takes it to the next level—deploying AI agents that work around the clock to triage alerts, correlate incidents, and recommend responses without human intervention.
| Capability | What It Does |
|---|---|
| Autonomous Alert Triage | AI agents continuously analyze incoming alerts, prioritize threats, and create structured incident cases |
| Intelligent Correlation | Automatically groups related alerts into attack timelines with blast radius assessment |
| AI-Powered Response Planning | Generates actionable response recommendations with risk scoring |
| Human-in-the-Loop Safety | Critical actions require Slack approval—automation with guardrails |
Traditional SOC: Alert → Analyst reviews → Hours later → Response
Agentic SOC: Alert → AI triages → Seconds later → Response ready for approvalThis is the future of security operations. Start with the MCP server, scale to autonomous agents.
**Explore OpenClaw Autopilot →**
---
Features
| Category | Capabilities |
|---|---|
| MCP Protocol | 100% compliant with MCP 2025-11-25, Streamable HTTP + Legacy SSE |
| Security Tools | 48 specialized tools for alerts, agents, vulnerabilities, compliance, active response |
| Authentication | OAuth 2.0 with DCR, Bearer tokens (JWT), or authless mode |
| Production Ready | Circuit breakers, rate limiting, security & monitoring middleware, Prometheus metrics |
| Deployment | Docker containerized, multi-platform (AMD64/ARM64), serverless-ready |
| Token Efficiency | Compact output mode reduces responses by ~66% |
48 Security Tools
| Category | Tools |
|---|---|
| Alerts (3) | get_wazuh_alerts, get_wazuh_alert_summary, analyze_alert_patterns |
| Agents (6) | get_wazuh_agents, get_wazuh_running_agents, check_agent_health, get_agent_processes, get_agent_ports, get_agent_configuration |
| Vulnerabilities (3) | get_wazuh_vulnerabilities, get_wazuh_critical_vulnerabilities, get_wazuh_vulnerability_summary |
| Security Analysis (7) | search_security_events, analyze_security_threat, check_ioc_reputation, perform_risk_assessment, get_top_security_threats, generate_security_report, run_compliance_check |
| System (10) | get_wazuh_statistics, get_wazuh_weekly_stats, get_wazuh_cluster_health, get_wazuh_cluster_nodes, get_wazuh_rules_summary, get_wazuh_remoted_stats, get_wazuh_log_collector_stats, search_wazuh_manager_logs, get_wazuh_manager_error_logs, validate_wazuh_connection |
| Active Response (9) | wazuh_block_ip, wazuh_isolate_host, wazuh_kill_process, wazuh_disable_user, wazuh_quarantine_file, wazuh_active_response, wazuh_firewall_drop, wazuh_host_deny, wazuh_restart |
| Verification (5) | wazuh_check_blocked_ip, wazuh_check_agent_isolation, wazuh_check_process, wazuh_check_user_status, wazuh_check_file_quarantine |
| Rollback (5) | wazuh_unisolate_host, wazuh_enable_user, wazuh_restore_file, wazuh_firewall_allow, wazuh_host_allow |
---
Quick Start
Prerequisites
- Docker 20.10+ with Compose v2.20+
- Wazuh 4.8.0 - 4.14.3 with API access
1. Clone and Configure
git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git
cd Wazuh-MCP-Server
cp .env.example .envEdit .env with your Wazuh credentials:
WAZUH_HOST=https://your-wazuh-server.com
WAZUH_USER=your-api-user
WAZUH_PASS=your-api-password2. Deploy
python deploy.py
# Or: docker compose up -d3. Verify
curl http://localhost:3000/health4. Connect Claude Desktop
1. Go to Settings → Connectors → Add custom connector
2. Enter: https://your-server-domain.com/mcp
3. Add authentication in Advanced settings
Detailed setup: Claude Integration Guide
---
Configuration
Required Variables
| Variable | Description |
|---|---|
WAZUH_HOST | Wazuh server URL |
WAZUH_USER | API username |
WAZUH_PASS | API password |
Optional Variables
| Variable | Default | Description |
|---|---|---|
WAZUH_PORT | 55000 | API port |
MCP_HOST | 0.0.0.0 | Server bind address |
MCP_PORT | 3000 | Server port |
AUTH_MODE | bearer | oauth, bearer, or none |
AUTH_SECRET_KEY | auto | JWT signing key |
ALLOWED_ORIGINS | https://claude.ai | CORS origins |
REDIS_URL | - | Redis URL for serverless mode |
Wazuh Indexer (Required for vulnerabilities in 4.8.0+)
| Variable | Description |
|---|---|
WAZUH_INDEXER_HOST | Indexer hostname |
WAZUH_INDEXER_PORT | Indexer port (default: 9200) |
WAZUH_INDEXER_USER | Indexer username |
WAZUH_INDEXER_PASS | Indexer password |
---
API Endpoints
| Endpoint | Description |
|---|---|
/mcp | Recommended - Streamable HTTP (MCP 2025-11-25) |
/sse | Legacy SSE endpoint |
/health | Health check |
/metrics | Prometheus metrics |
/docs | OpenAPI documentation |
/auth/token | Token exchange (bearer mode) |
---
Documentation
| Guide | Description |
|---|---|
| Claude Integration | Claude Desktop setup, authentication modes |
| Advanced Features | HA, serverless, compact mode, MCP compliance |
| Troubleshooting | Common issues and solutions |
| Operations | Deployment, monitoring, maintenance |
| API Documentation | Tool-specific documentation |
| Security | Security configuration and best practices |
---
Project Structure
src/wazuh_mcp_server/
├── server.py # MCP server with 48 tools (Streamable HTTP + SSE)
├── config.py # Configuration management with validation
├── config_validator.py # Startup configuration validation
├── auth.py # JWT & API key authentication
├── oauth.py # OAuth 2.0 with DCR
├── security.py # Rate limiting, CORS, input validation, security middleware
├── monitoring.py # Prometheus metrics, request tracking middleware
├── resilience.py # Circuit breakers, retries, graceful shutdown
├── session_store.py # Pluggable sessions (in-memory + Redis)
└── api/
├── wazuh_client.py # Wazuh Manager API client
└── wazuh_indexer.py # Wazuh Indexer API client (alerts + vulnerabilities)---
Security
- Authentication: JWT tokens, OAuth 2.0 with DCR, all endpoints protected
- Security Middleware: Automatic security headers (X-Content-Type-Options, X-Frame-Options, CSP)
- Rate Limiting: Per-client request throttling
- Input Validation: Comprehensive parameter validation with SQL injection and XSS protection
- Container Security: Non-root user, read-only filesystem
# Generate secure API key
openssl rand -hex 32
# Set file permissions
chmod 600 .env---
Contributing
We welcome contributions! Please see:
- Issues - Bug reports and feature requests
- Discussions - Questions and ideas
---
License
MIT License - see LICENSE
---
Acknowledgments
- Wazuh - Open source security platform
- Model Context Protocol - AI integration standard
- FastAPI - Python web framework
---
Contributors
Contributors
| Avatar | Username | Contributions |
|---|---|---|
| @alokemajumder | Code, Issues, Discussions | |
| @gensecai-dev | Code, Discussions | |
| @aiunmukto | Code, PRs | |
| @Karibusan | Code, Issues, PRs | |
| @lwsinclair | Code, PRs | |
| @taylorwalton | PRs | |
| @MilkyWay88 | PRs | |
| @kanylbullen | Code, PRs | |
| @Uberkarhu | Issues | |
| @cbassonbgroup | Issues | |
| @cybersentinel-06 | Issues | |
| @daod-arshad | Issues | |
| @mamema | Issues | |
| @marcolinux46 | Issues | |
| @matveevandrey | Issues | |
| @punkpeye | Issues | |
| @tonyliu9189 | Issues | |
| @Vasanth120v | Discussions | |
| @gnix45 | Discussions | |
| @melmasry1987 | Discussions |
Auto-updated by GitHub Actions
Similar MCP
Based on tags & features
Trending MCP
Most active this week