Wazuh MCP Server

Model Context Protocol (MCP) server for Wazuh SIEM/XDR platform

Provides 30 tools + advanced DSL search for Claude Desktop to interact with Wazuh.

Features

• ✅ 30 Direct Tools: Agents, alerts, vulnerabilities, rules, stats, cluster, compliance
• ✅ Advanced Search: 18 operators, all aggregation types, MITRE ATT&CK support
• ✅ Enhanced DSL Builder: Full OpenSearch DSL with IP filtering (CIDR), date histograms, nested aggregations
• ✅ Claude Desktop Ready: stdio transport for seamless integration

Architecture

graph TD
    subgraph "Local Environment"
        Client["Claude Desktop (MCP Client)"]
        Server["Wazuh MCP Server (Stdio)"]
    end

    subgraph "Wazuh Infrastructure"
        API["Wazuh API (Manager)"]
        Indexer["Wazuh Indexer (Search)"]
    end

    Client <-->|"JSON-RPC (stdio)"| Server
    Server <-->|"HTTPS / REST"| API
    Server <-->|"HTTPS / DSL"| Indexer

Quick Start

1. Install Dependencies

pip install -r requirements.txt

2. Configure Environment

Create .env file:

WAZUH_API_HOST=https://your-wazuh-manager
WAZUH_API_PORT=55000
WAZUH_API_USERNAME=wazuh-wui
WAZUH_API_PASSWORD=your-password

WAZUH_INDEXER_HOST=https://your-wazuh-indexer
WAZUH_INDEXER_PORT=9200
WAZUH_INDEXER_USERNAME=admin
WAZUH_INDEXER_PASSWORD=your-indexer-password

OPENSEARCH_HOST=https://your-wazuh-indexer:9200
OPENSEARCH_USER=admin
OPENSEARCH_PASS=your-indexer-password

3. Configure Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "wazuh": {
      "command": "python",
      "args": ["/absolute/path/to/wazuh_fastmcp/mcp_stdio_server.py"],
      "env": {
        "WAZUH_API_HOST": "https://your-wazuh-manager",
        "WAZUH_API_PORT": "55000",
        "WAZUH_API_USERNAME": "wazuh-wui",
        "WAZUH_API_PASSWORD": "your-password",
        "WAZUH_INDEXER_HOST": "https://your-wazuh-indexer",
        "WAZUH_INDEXER_PORT": "9200",
        "WAZUH_INDEXER_USERNAME": "admin",
        "WAZUH_INDEXER_PASSWORD": "your-indexer-password",
        "OPENSEARCH_HOST": "https://your-wazuh-indexer:9200",
        "OPENSEARCH_USER": "admin",
        "OPENSEARCH_PASS": "your-indexer-password"
      }
    }
  }
}

4. Test

Restart Claude Desktop and ask:

• "What Wazuh tools do you have?"
• "Show me critical alerts from the last 24 hours"
• "Find brute force attacks from 10.56.x.x subnet"

Tools

Alert Tools (4)

• wazuh_get_alerts - Get recent alerts
• wazuh_get_alert_summary - Alert summary
• wazuh_get_alert_details - Detailed alert info
• wazuh_advanced_search - Complex queries with DSL

Agent Tools (6)

• wazuh_get_agents - List all agents
• wazuh_get_agent_details - Agent details
• wazuh_get_agent_processes - Running processes
• wazuh_get_agent_ports - Open ports
• wazuh_get_agent_hardware - Hardware info
• wazuh_get_agent_groups - Agent groups

Vulnerability Tools (3)

• wazuh_get_vulnerabilities - Get vulnerabilities
• wazuh_get_critical_vulnerabilities - Critical vulns only
• wazuh_get_vulnerability_summary - Vuln summary

Rule Tools (3)

• wazuh_get_rules - Detection rules
• wazuh_get_rule_details - Rule details
• wazuh_get_decoders - Log decoders

Manager Stats (6)

• wazuh_get_analysisd_stats - Analysis daemon stats
• wazuh_get_remoted_stats - Remote daemon stats
• wazuh_get_logcollector_stats - Log collector stats
• wazuh_get_manager_stats - Overall manager stats
• wazuh_get_weekly_stats - Weekly statistics
• wazuh_get_manager_logs - Manager logs

Cluster Tools (3)

• wazuh_get_cluster_health - Cluster health
• wazuh_get_cluster_nodes - Cluster nodes
• wazuh_get_cluster_config - Cluster configuration

Compliance Tools (2)

• wazuh_get_sca_results - Security Configuration Assessment
• wazuh_get_fim_events - File Integrity Monitoring

System Tools (3)

• wazuh_restart_manager - Restart Wazuh manager
• wazuh_get_manager_health - Manager health check
• wazuh_get_manager_config - Manager configuration

Advanced Search

The wazuh_advanced_search tool supports:

18 Filter Operators

• eq, neq, gt, gte, lt, lte
• contains, in, not_in
• wildcard, regex, prefix
• exists, not_exists
• range, cidr, ip_range

Aggregations

• terms - Group by field (with configurable size)
• date_histogram - Time series (supports calendar_interval, e.g., 1d, 1h)
• stats - Numeric summary (avg, min, max, sum)
• cardinality - Unique item counting
• percentiles - Distribution analysis
• histogram - Numeric bucketing

Field Mapping

All standard Wazuh fields (agent.*, rule.*, data.*, vulnerability.*, etc.) are supported. No .keyword suffix is required for exact matching as the server handles mapping internally.

Example Queries

Brute force from subnet:

{
  "time": {"from": "now-7d", "to": "now"},
  "filters": [
    {"field": "rule.mitre.id", "op": "eq", "value": "T1110"},
    {"field": "data.srcip", "op": "cidr", "value": "10.56.0.0/16"}
  ],
  "aggregations": [
    {"name": "by_ip", "type": "terms", "field": "data.srcip"}
  ]
}

Privilege escalation:

{
  "time": {"from": "now-24h", "to": "now"},
  "filters": [
    {"field": "rule.mitre.id", "op": "in", "value": ["T1068", "T1055", "T1548"]},
    {"field": "rule.level", "op": "gte", "value": 10}
  ]
}

Testing

# Test DSL builder
python test_dsl_builder.py

# Comprehensive tests (30+ test cases)
python test_dsl_comprehensive.py

Troubleshooting

1. Connection Refused

• Ensure Wazuh API and Indexer are reachable from your host.
• Verify ports (55000 for API, 9200 for Indexer) are open.
• Check if WAZUH_VERIFY_SSL needs to be False for self-signed certificates.

2. Authentication Failed

• Double-check credentials in .env or Claude config.
• Try the wazuh_reconnect tool if your session token expires.

3. "No alerts found"

• Verify your time range. Note that now-24h might be empty if no events occurred.
• Check INDEX_ALLOWLIST in app/config.py if using custom indices.

4. Claude Desktop Errors

• Check logs in ~/Library/Logs/Claude/mcp.log.
• Ensure the path to mcp_stdio_server.py in claude_desktop_config.json is absolute.

License

MIT