AI-powered security operations with Wazuh SIEM + Claude Desktop. Natural language threat detection, automated incident response & compliance. Real-time monitoring, ML anomaly detection. Transform your SOC with conversational security analysis. Production-ready MCP server.
git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git
Setup steps

1. Set up the Wazuh-MCP-Server by following the official installation guide (https://github.com/wazuh/wazuh-mcp-server). Ensure your Wazuh manager (version 4.7+) is accessible at [Wazuh_SERVER_IP] and has the necessary API credentials.
   Tip: Use environment variables for sensitive data like API keys (e.g., `export WAZUH_API_KEY=your_api_key_here`). Test the connection with `wazuh-mcp-server --test-connection --server [Wazuh_SERVER_IP]`.

2. Open Claude Desktop and load the Wazuh-MCP-Server tool. Use the prompt template below, replacing [PLACEHOLDERS] with your specific details (e.g., server IP, time range, threat type).
   Tip: For real-time analysis, use `last 1 hour` or `last 30 minutes`. For historical analysis, use `last 7 days` to identify recurring patterns.

3. Review the AI-generated output and validate the recommendations. Cross-check the severity assessment with your internal risk matrix or frameworks like NIST CSF.
   Tip: If the AI suggests blocking an IP, verify it hasn’t been flagged as a false positive (e.g., a legitimate admin’s VPN). Use Wazuh’s `whois` integration to check the IP’s reputation.

4. Execute the recommended actions directly from the output or via Wazuh’s API. For example, use `wazuh-control` commands or the Wazuh dashboard to apply firewall rules or update configurations.
   Tip: Automate repetitive responses by configuring Wazuh’s active-response rules in `/var/ossec/etc/rules/active-response.conf`. Example: `integration = host-deny` for IP blocking.

5. Document the incident and outcomes in your SOC ticketing system (e.g., Jira, ServiceNow). Update the AI’s knowledge base with new threat intelligence for future queries.
   Tip: Use the AI’s output to enrich your threat intelligence platform (e.g., MISP) by exporting the alert details and mitigation steps as a structured report.
Copy the install command above and run it in your terminal.
Launch Claude Code, Cursor, or your preferred AI coding agent.
Use the prompt template or examples below to test the skill.
Adapt the skill to your specific use case and workflow.
Use the Wazuh-MCP-Server to analyze security alerts from [Wazuh_SERVER_IP] for the last [TIME_RANGE]. Focus on [THREAT_TYPE] events, such as brute-force attempts or suspicious process executions. For each alert, provide: 1) a severity assessment, 2) potential impact on [ASSET_OR_SYSTEM], and 3) recommended mitigation steps. Prioritize alerts that match [COMPLIANCE_FRAMEWORK] (e.g., NIST, ISO 27001).
Analyzing Wazuh alerts from server 192.168.1.100 over the last 24 hours for brute-force SSH attempts targeting the database cluster. Detected 47 failed login attempts from IP 203.0.113.45, with 12 occurring in the last hour.

Severity assessment: **High** due to repeated failed attempts and proximity to sensitive assets.

Potential impact: Unauthorized access could lead to data exfiltration or lateral movement within the cluster. The attacker may attempt to exploit weak credentials or known vulnerabilities in SSH services.

Recommended mitigation steps:

1. **Immediate**: Block IP 203.0.113.45 at the firewall level using Wazuh's active-response module. Execute the command: `wazuh-control -q -f /var/ossec/etc/rules/active-response/host-deny.conf '203.0.113.45'`.
2. **Short-term**: Enforce SSH key-based authentication for all database cluster nodes and disable password authentication. Update `/etc/ssh/sshd_config` to include `PasswordAuthentication no` and restart the SSH service.
3. **Compliance**: Document the incident in the SOC log for ISO 27001 compliance (Control A.12.6.1). Update the incident response playbook to include this scenario.
4. **Long-term**: Deploy Wazuh's MITRE ATT&CK integration to map this attack to T1110 (Brute Force) and set up automated alerts for similar patterns.

Additional context: The database cluster (192.168.1.50-52) is running PostgreSQL 14 with default configurations. No other alerts of this nature were detected in the last 7 days.
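An AI-generated summary like the one above should be validated against the raw alerts before anyone acts on it (the review step in the setup list). The script below is an added example, not code from this page or from the Wazuh-MCP-Server project: it reads alerts in the shape of Wazuh's alerts.json (one JSON object per line with `timestamp`, `rule.groups`, `agent.ip` and `data.srcip`), counts SSH authentication failures per source IP over a 24-hour and a 1-hour window, and assigns a severity from the counts and from whether the targeted agents belong to a sensitive asset set. The sample alerts, the asset list (the "database cluster" addresses from the sample output), the thresholds and the `NOW` reference time are all constructed for the example.

```python
"""Cross-check a brute-force summary against raw Wazuh-style alerts (constructed example)."""
import json
from datetime import datetime, timedelta, timezone

# Assumption: the sensitive hosts named in the sample output (constructed asset list).
SENSITIVE_ASSETS = {"192.168.1.50", "192.168.1.51", "192.168.1.52"}
# Constructed reference time so the example is reproducible offline.
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
# Wazuh writes timestamps like 2024-05-01T10:15:30.123+0000; %z accepts the bare offset.
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_ts(value):
    return datetime.strptime(value, TS_FORMAT)


def parse_alerts(lines):
    """Yield one alert dict per non-empty JSON line, skipping malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_ssh_auth_failure(alert):
    """Select sshd authentication failures by rule group rather than by rule id."""
    groups = alert.get("rule", {}).get("groups", [])
    return "sshd" in groups and "authentication_failed" in groups


def summarize(alert_lines, now=NOW, long_hours=24, short_hours=1):
    """Return {srcip: {"total": n, "recent": m, "targets": {agent ips}}}."""
    long_start = now - timedelta(hours=long_hours)
    short_start = now - timedelta(hours=short_hours)
    summary = {}
    for alert in parse_alerts(alert_lines):
        if not is_ssh_auth_failure(alert):
            continue
        ts = parse_ts(alert["timestamp"])
        if ts < long_start or ts > now:  # outside the analysis window
            continue
        src = alert.get("data", {}).get("srcip")
        if not src:
            continue
        entry = summary.setdefault(src, {"total": 0, "recent": 0, "targets": set()})
        entry["total"] += 1
        if ts >= short_start:
            entry["recent"] += 1
        agent_ip = alert.get("agent", {}).get("ip")
        if agent_ip:
            entry["targets"].add(agent_ip)
    return summary


def severity(entry, sensitive_assets=SENSITIVE_ASSETS, total_threshold=20, recent_threshold=10):
    """Constructed rating: sustained volume against a sensitive asset is High."""
    touches_sensitive = bool(entry["targets"] & sensitive_assets)
    if entry["recent"] >= recent_threshold and touches_sensitive:
        return "High"
    if entry["total"] >= total_threshold or touches_sensitive:
        return "Medium"
    return "Low"


def _alert(minutes_ago, srcip, agent_ip, groups=("syslog", "sshd", "authentication_failed"), rule_id="5716"):
    """Build one constructed alert line in the shape of alerts.json."""
    ts = (NOW - timedelta(minutes=minutes_ago)).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "+0000"
    return json.dumps({
        "timestamp": ts,
        "rule": {"id": rule_id, "level": 5, "groups": list(groups)},
        "agent": {"id": "001", "name": "db-node", "ip": agent_ip},
        "data": {"srcip": srcip, "dstuser": "postgres"},
    })


# Constructed sample: 35 failures between 2 h and 6 h ago plus 12 in the last hour (47 in 24 h),
# one stale failure older than 24 h, two low-volume failures against a non-sensitive host,
# and one unrelated sudo alert that the group filter must drop.
SAMPLE_ALERTS = (
    [_alert(120 + i * 6, "203.0.113.45", "192.168.1.50") for i in range(35)]
    + [_alert(3 + i * 4, "203.0.113.45", "192.168.1.51") for i in range(12)]
    + [_alert(26 * 60, "203.0.113.45", "192.168.1.50")]
    + [_alert(400, "198.51.100.7", "192.168.1.10"), _alert(900, "198.51.100.7", "192.168.1.10")]
    + [_alert(10, "10.0.0.9", "192.168.1.50", groups=("syslog", "sudo"), rule_id="5402")]
)


if __name__ == "__main__":
    for src, entry in sorted(summarize(SAMPLE_ALERTS).items()):
        print(f"{src}: {entry['total']} failures/24h, {entry['recent']} in last hour, "
              f"targets={sorted(entry['targets'])}, severity={severity(entry)}")
```

Run it against a real file with `summarize(open("/var/ossec/logs/alerts/alerts.json"), now=datetime.now(timezone.utc))`; if the counts or the targeted hosts do not match what the assistant reported, the recommendation (and especially any block action) should be held until the discrepancy is understood.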