Rust-based MCP (Model Context Protocol) server that exposes Wazuh SIEM data to LLM clients via stdio or optional HTTP.
https://github.com/gbrigandi/mcp-server-wazuh

Stop wrestling with complex SIEM queries and API documentation. This MCP server transforms your Wazuh security data into natural conversations with AI assistants like Claude.
Instead of memorizing API endpoints and crafting elaborate queries, you can now ask questions like "Show me critical vulnerabilities on web servers" or "What processes are running on agent 001?" and get structured, actionable data from your Wazuh deployment.
Security operations teams spend too much time fighting with tools instead of fighting threats. Traditional SIEM interfaces require:
This MCP server eliminates that friction by providing direct access to your Wazuh data through natural language interactions.
Alert Triage in Seconds Ask "What are the highest priority alerts from the last hour?" instead of navigating through multiple API calls and alert dashboards. Get immediate context with agent details, vulnerability scores, and recommended actions.
Vulnerability Management Made Simple Query "Show me all critical vulnerabilities on production web servers" and receive prioritized remediation guidance instead of parsing through CSV exports and cross-referencing asset inventories.
Incident Response Acceleration During security incidents, ask "What processes are running on the compromised host?" or "Show me all network connections from this agent" to get forensic data in real-time without switching tools.
Compliance Reporting Without Pain Generate evidence for PCI-DSS, HIPAA, or GDPR audits by asking natural language questions about your security posture instead of building custom reports.
The server provides deep integration with both Wazuh Manager and Wazuh Indexer, giving you access to:
Built in Rust for performance and reliability, this server handles production workloads with proper SSL validation, authentication, and error handling. Deploy it as a binary, Docker container, or build from source - whatever fits your infrastructure.
The stdio transport integrates seamlessly with Claude Desktop, while optional HTTP endpoints support custom integrations.
Pair this with the Cortex MCP Server for complete threat intelligence workflows. Automatically analyze suspicious artifacts from Wazuh alerts using 140+ analyzers including VirusTotal, Shodan, and MISP.
When Wazuh detects a suspicious file hash, your AI assistant can automatically analyze it through multiple threat intelligence sources and provide contextualized recommendations for response actions.
Quick Setup with Pre-built Binary:
Configure claude_desktop_config.json with your Wazuh connection details.

Docker Deployment:
docker pull ghcr.io/gbrigandi/mcp-server-wazuh:latest
Configure environment variables for your Wazuh Manager and Indexer connections, then integrate with your preferred MCP client.
The server connects to both your Wazuh Manager API (port 55000) and Wazuh Indexer (port 9200) to provide comprehensive security context from a single interface.
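A claude_desktop_config.json entry for the Docker deployment, as an added example that is not taken from the project's documentation. The mcpServers layout is Claude Desktop's own and the image name is the one above; the WAZUH_* variable names are assumed to match the project's README and should be checked against the repository, and the host names, user names and passwords are placeholders. Credentials are passed through the process environment (docker run -e NAME with no value copies the variable from the calling process) rather than on the command line, a dedicated least-privilege Wazuh user is used instead of the built-in accounts, and certificate verification stays on so a spoofed Manager or Indexer endpoint is refused.

```json
{
  "mcpServers": {
    "wazuh": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-e", "WAZUH_API_HOST", "-e", "WAZUH_API_PORT",
        "-e", "WAZUH_API_USERNAME", "-e", "WAZUH_API_PASSWORD",
        "-e", "WAZUH_INDEXER_HOST", "-e", "WAZUH_INDEXER_PORT",
        "-e", "WAZUH_INDEXER_USERNAME", "-e", "WAZUH_INDEXER_PASSWORD",
        "-e", "WAZUH_VERIFY_SSL",
        "ghcr.io/gbrigandi/mcp-server-wazuh:latest"
      ],
      "env": {
        "WAZUH_API_HOST": "wazuh-manager.example.internal",
        "WAZUH_API_PORT": "55000",
        "WAZUH_API_USERNAME": "mcp-readonly",
        "WAZUH_API_PASSWORD": "<placeholder: password of the dedicated read-only API user>",
        "WAZUH_INDEXER_HOST": "wazuh-indexer.example.internal",
        "WAZUH_INDEXER_PORT": "9200",
        "WAZUH_INDEXER_USERNAME": "mcp-readonly",
        "WAZUH_INDEXER_PASSWORD": "<placeholder: password of the dedicated read-only indexer user>",
        "WAZUH_VERIFY_SSL": "true"
      }
    }
  }
}
```

With verification on, the container must trust the CA that issued the Manager and Indexer certificates (mount the CA bundle into the container's trust store) rather than working around a self-signed deployment by setting WAZUH_VERIFY_SSL to false. For the pre-built binary instead of Docker, set "command" to the binary's path, drop the "args" entries and keep the same "env" block.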
Transform your security operations from reactive dashboard-driven investigations to proactive, conversation-driven threat hunting. Your security team will thank you.