MCP Catalogs

Wazuh-MCP-Server

by gensecaihq · 174 · Score 51

MCP server enabling conversational queries to Wazuh SIEM for threat detection, incident response, and compliance checks.

Tags: security, monitoring, developer-tools

  • Forks: 52
  • Open issues: 8
  • Last commit: 2 mo ago
  • Indexed: 2d ago

Overview

The Wazuh MCP Server provides AI-powered security operations through natural language queries to Wazuh SIEM systems. It exposes 48 security tools that allow users to query alerts, hunt threats, check vulnerabilities, and trigger active responses across Wazuh deployments through conversation. The server supports both cloud and local LLMs, with security features including RBAC, audit logging, input validation, and rate limiting. It is described as production-ready, with comprehensive documentation, and is maintained by an active development team.

Try asking AI

After installing, here are 5 things you can ask your AI assistant:

  • SOC analysts querying alerts and triggering response actions in natural language
  • Security teams conducting compliance checks and vulnerability assessments
  • Incident responders triaging threats and investigating security events
  • What Wazuh versions are supported?
  • Can I use this with on-premises LLMs?

When to choose this

Choose this if you're already using Wazuh SIEM and want to leverage AI for conversational security operations without replacing your existing security infrastructure.

When NOT to choose this

Don't choose this if you're not using Wazuh SIEM, as it requires a Wazuh deployment to function and won't integrate with other security platforms.

Tools this server exposes

12 tools extracted from the README:

  • get_wazuh_alerts: Query and retrieve Wazuh alerts with filtering options
  • get_wazuh_alert_summary: Get a summary of alert statistics and trends
  • analyze_alert_patterns: Analyze patterns and correlations in security alerts
  • get_wazuh_agents: List all registered Wazuh agents
  • get_wazuh_vulnerabilities: Query vulnerability data from Wazuh
  • analyze_security_threat: Analyze potential security threats and provide assessments
  • wazuh_block_ip: Block an IP address across Wazuh agents
  • wazuh_isolate_host: Isolate a compromised host from the network
  • generate_security_report: Generate a comprehensive security report
  • run_compliance_check: Run compliance checks against security standards
  • wazuh_check_blocked_ip: Verify if an IP is currently blocked
  • wazuh_unisolate_host: Remove isolation from a previously isolated host

Comparable tools

splunk-mcp, elastic-security-mcp, siem-mcp-server

Installation

Quick Start

  1. **Docker Deployment (Recommended)**:

```bash
git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git
cd Wazuh-MCP-Server
cp .env.example .env
# Edit .env with your Wazuh credentials
docker compose up -d
```

  2. **Connect to Claude Desktop**:

     Go to Settings → Connectors → Add custom connector. Enter the URL `https://your-server/mcp`, then add the Bearer token in Advanced settings.

FAQ

What Wazuh versions are supported?
This MCP server supports Wazuh versions 4.8.0 through 4.14.4.
Can I use this with on-premises LLMs?
Yes, it works with local LLMs via Ollama, Open WebUI, or mcphost with no data leaving your network.

Last updated · Auto-generated from public README + GitHub signals.