Transform your security operations with AI-powered threat detection, automated incident response, and natural language security analysis.
Features โข Quick Start โข Documentation โข Contributing โข Roadmap
Wazuh MCP Server bridges the gap between traditional SIEM operations and conversational AI, enabling security teams to interact with their Wazuh infrastructure using natural language through Claude Desktop. This isn't just another integration - it's a paradigm shift in how security operations are conducted.
- ๐ 10x Faster Incident Response: Query your security data conversationally instead of writing complex queries
- ๐ง AI-Enhanced Analysis: Leverage Claude's reasoning capabilities for threat analysis and correlation
- ๐ Automated Workflows: Convert natural language requests into complex security operations
- ๐ Real-time Intelligence: Get instant insights from multiple threat intelligence sources
- ๐ Lower Learning Curve: New team members can be productive immediately without learning query languages
- Multi-dimensional Risk Scoring: Combines alert severity, frequency, vulnerability data, and behavioral patterns
- ML-based Anomaly Detection: Statistical analysis with configurable sensitivity levels
- MITRE ATT&CK Mapping: Automatic TTP identification and kill chain analysis
- Threat Correlation Engine: Cross-references alerts with external threat intelligence
Ask Claude questions like:
- "Are we under attack right now?"
- "Show me all privilege escalation attempts in the last 48 hours"
- "Which systems have critical vulnerabilities that are being actively exploited?"
- "Generate an executive report on our security posture"
- Multi-Framework Support: PCI DSS, HIPAA, GDPR, NIST, ISO 27001
- Automated Gap Analysis: Identifies missing controls and generates remediation plans
- Continuous Monitoring: Real-time compliance scoring with trend analysis
- Audit-Ready Reports: Generate compliance evidence with a single command
- VirusTotal: File hash reputation and malware analysis
- Shodan: Internet-wide scan data and exposure assessment
- AbuseIPDB: IP reputation and abuse history
- Custom Feeds: Extensible architecture for additional threat feeds
- MCP Protocol Handler: Implements the Model Context Protocol for Claude Desktop communication
- Async API Client: High-performance, non-blocking Wazuh API interactions
- Analysis Engine: Advanced security algorithms for threat detection and risk assessment
- Intelligence Aggregator: Consolidates data from multiple threat intelligence sources
- Compliance Framework: Modular compliance checking and reporting system
get_alerts- Retrieve and filter security alertsanalyze_threats- Advanced threat analysis with MLrisk_assessment- Comprehensive risk scoringdetect_anomalies- ML-based anomaly detectioncheck_agent_health- Agent health monitoringcompliance_check- Framework compliance validationcheck_ioc- IOC reputation checkingthreat_hunt- Pattern-based threat huntingcreate_incident- Incident managementvulnerability_scan- Vulnerability assessment- And 4 more...
wazuh://alerts/recent- Live security alert feedwazuh://agents/status- Agent health dashboardwazuh://vulnerabilities/critical- Critical vulnerability trackerwazuh://compliance/status- Compliance posture monitorwazuh://threats/active- Active threat campaigns
- Python 3.8+
- Wazuh 4.x deployment
- Claude Desktop application
# Clone and enter directory
git clone https://github.com/gensecaihq/wazuh-mcp-server.git
cd wazuh-mcp-server
# Run installer
./scripts/install.sh # or install.bat on Windows
# Configure credentials
cp .env.example .env
nano .env # Add your Wazuh credentials
# Test connection
python scripts/test_connection.pydocker-compose up -dAsk Claude questions like:
- "Are there any signs of compromise on our web servers?"
- "Generate a PCI DSS compliance report for our quarterly audit"
- "Hunt for signs of lateral movement in our network"
- "Check if IP 192.168.1.100 is malicious"
- "Show me critical vulnerabilities being exploited"
We're actively developing new features and would love your help! Here's what we're working on:
- Advanced ML models for threat prediction and behavioral analysis
- Custom detection rules creation via natural language
- Automated response actions for common security incidents
- Multi-tenant support for MSSPs and large organizations
- Real-time threat intelligence correlation with custom feeds
- GraphQL API for advanced integrations
- Distributed architecture for high-scale deployments
- SOAR platform integration (Phantom, Demisto, etc.)
- Advanced forensics capabilities with memory analysis
- Threat simulation and purple team automation
- Custom dashboards and visualization tools
- Mobile app for on-the-go security monitoring
Pick any item from the roadmap (or propose your own!) and start contributing. We provide mentorship for new contributors and have a welcoming community. Check our Contributing Guide to get started!
We welcome contributions from the security community! Whether you're a security researcher, developer, or SOC analyst, there's a place for you here.
- ๐ Security Researchers: Contribute new threat detection algorithms or analysis techniques
- ๐ป Developers: Add new integrations, improve performance, or enhance the codebase
- ๐ก๏ธ SOC Analysts: Share real-world use cases and help improve workflows
- ๐ Technical Writers: Improve documentation and create tutorials
- ๐งช Testers: Help us find bugs and improve reliability
- ๐จ UX Enthusiasts: Suggest improvements for better user experience
- Fork the repository
- Pick an issue labeled
good first issueorhelp wanted - Create your feature branch (
git checkout -b feature/AmazingFeature) - Commit your changes (
git commit -m 'Add some AmazingFeature') - Push to the branch (
git push origin feature/AmazingFeature) - Open a Pull Request
- Implement a new threat intelligence source integration
- Add support for your favorite compliance framework
- Create custom analysis algorithms for specific attack patterns
- Improve error handling and logging
- Add more natural language query examples
- Create video tutorials or blog posts
- Translate documentation to other languages
# Clone your fork
git clone https://github.com/gensecaihq/wazuh-mcp-server.git
cd wazuh-mcp-server
# Create virtual environment
python -m venv venv
source venv/bin/activate # or venv\Scripts\activate on Windows
# Install in development mode
pip install -e ".[dev]"
# Run tests
pytest
First time contributing to open source? No problem! We'll help you through the process. Just open an issue saying you'd like to help, and we'll find something perfect for your skill level.
MIT License - see
Built with โค๏ธ in Kolkata and Globally
"Making security operations as natural as having a conversation"