wazuh-mcp

Active

MCP server for the Wazuh SIEM/XDR - query alerts, agents, and vulnerabilities from your AI client.

GitHub repo → npm: wazuh-mcp →
npm i -g wazuh-mcp

WHAT IT DOES

wazuh-mcp is a Model Context Protocol server for the Wazuh SIEM/XDR platform. Point an MCP-compatible client at it and your Wazuh deployment becomes a set of tools the agent can call: enumerate agents, pull security alerts, review the CVE backlog, read detection rules and decoders, and run posture checks without leaving the assistant.

It exposes 28 tools, 3 read-only resources, and 3 guided prompts. Authentication is handled with automatic JWT token management against the Wazuh API, and alert and vulnerability queries run against the Wazuh Indexer (OpenSearch) when configured. Compliance mappings (PCI-DSS, GDPR, HIPAA, NIST 800-53, MITRE ATT&CK) ride along on rule lookups.

Sensitive fields (IPs, full logs, hashes, command lines, secret config values) are minimized by default and only returned on explicit opt-in. SIEM content that originates on monitored endpoints is wrapped in untrusted-data markers to blunt prompt injection against the calling agent.

INSTALL

Published to npm. Install globally to get the wazuh-mcp binary, or run it on demand with npx. Requires Node.js 20+ and a running Wazuh manager with API access.

$ npm i -g wazuh-mcp # install the server binary
$ npx wazuh-mcp # or run it without installing

Configure with WAZUH_URL, WAZUH_USERNAME, and WAZUH_PASSWORD. Set WAZUH_INDEXER_URL (plus indexer credentials) to enable alert and vulnerability tools.

CLIENT CONFIG

A sample mcpServers entry (Claude Desktop, or any MCP client that reads the same shape). It runs the installed binary over stdio. 

{
  "mcpServers": {
    "wazuh": {
      "command": "wazuh-mcp",
      "env": {
        "WAZUH_URL": "https://your-wazuh-manager:55000",
        "WAZUH_USERNAME": "wazuh-wui",
        "WAZUH_PASSWORD": "your-password",
        "WAZUH_INDEXER_URL": "https://your-wazuh-indexer:9200",
        "WAZUH_INDEXER_USERNAME": "admin",
        "WAZUH_INDEXER_PASSWORD": "your-indexer-password"
      }
    }
  }
}

For Claude Code use claude mcp add wazuh ... -- wazuh-mcp. The repo README also documents OpenClaw, Codex CLI, and Hermes Agent.

CAPABILITIES / TOOLS EXPOSED

28 MCP tools across agents, alerts, vulnerabilities, detection content, posture, and the manager. Grouped below; see the README for the full per-argument reference.

Agents & system inventory

list_agents / get_agent / get_agent_stats
Enumerate agents with status filters; pull CPU, memory, and disk stats.
get_agent_os / get_agent_packages / get_agent_processes
Syscollector OS, installed package, and process inventory.
get_agent_ports / get_agent_network / get_agent_hotfixes
Open ports, network interfaces, and Windows hotfixes per agent.

Alerts & vulnerabilities

get_alerts / get_alert / search_alerts
Retrieve and full-text search alerts by time range, level, agent, and rule (via the Wazuh Indexer).
list_vulnerabilities / search_vulnerabilities
Query the CVE inventory by CVE, agent, severity, and package.

Detection content

list_rules / get_rule / search_rules
Browse detection rules with level/group filters and full compliance mappings.
list_decoders
List log decoders with optional name filtering.

Posture & integrity

get_sca_policies / get_sca_checks
Security Configuration Assessment policies, scores, and per-check remediation.
get_fim_files / get_rootcheck
File Integrity Monitoring results and rootkit-detection findings.

Manager, groups & diagnostics

get_manager_logs / get_manager_config
Manager logs by level/module and active config (secrets redacted by default).
list_groups / get_group_agents
List agent groups and the agents inside each one.
get_wazuh_version / diagnose_wazuh_connection
Version info plus a sanitized connection/TLS/auth/indexer-readiness check.

Plus 3 resources (wazuh://agents, wazuh://alerts/recent, wazuh://rules/summary) and 3 prompts (investigate-alert, agent-health-check, security-overview).

28
MCP tools
3
resources
3
prompts
MIT
license