Wazuh SIEM Agent System

A Claude-powered MCP tool suite for interacting with a Wazuh SIEM manager, enabling triage, health monitoring, threat hunting, rule management, and active response execution.

README

A Claude-powered MCP tool suite for interacting with a Wazuh SIEM manager. Exposes Wazuh REST API capabilities as MCP tools so Claude can triage alerts, monitor agent health, hunt threats, manage rules, and propose/execute active responses.

Architecture

wazuh-agent/
├── mcp/
│   └── wazuh_mcp_server.py   # MCP server — all tools registered here
├── agents/
│   ├── orchestrator.py        # Routes queries to the right specialist agent
│   ├── triage.py              # Alert severity analysis & MITRE mapping
│   ├── health.py              # Fleet connectivity & health checks
│   ├── hunting.py             # IOC search & behavioural pattern detection
│   ├── rules.py               # Rule analysis & coverage gaps
│   └── response.py            # Active response proposals & gated execution
├── config.py                  # Connection settings (credentials via env vars)
└── requirements.txt

The MCP server imports analysis functions from each agent module and exposes them as MCP tools. Claude (via Claude Code or another client) uses these tools to reason over real-time Wazuh data.

Setup

1. Install dependencies

pip install -r requirements.txt

2. Set credentials

Create a .env file (never commit this):

WAZUH_USER=your_api_user
WAZUH_PASSWORD=your_api_password

Or set environment variables directly in your shell.

3. Register the MCP server with Claude Code

Add to your Claude Code MCP settings (claude_desktop_config.json or .claude/settings.json):

{
  "mcpServers": {
    "wazuh": {
      "command": "python",
      "args": ["G:/claudeai/wazuh-agent/mcp/wazuh_mcp_server.py"],
      "env": {
        "WAZUH_USER": "${WAZUH_USER}",
        "WAZUH_PASSWORD": "${WAZUH_PASSWORD}"
      }
    }
  }
}

Available MCP Tools

Raw API tools

Tool                        Description
get_agents                  List all agents by status
get_agent_details           Details for a specific agent
get_alerts                  Recent alerts with optional level/agent filter
get_manager_info            Manager version and status
get_manager_stats           Events/alerts per hour
get_agent_processes         Running processes (syscollector)
get_agent_ports             Open ports (syscollector)
get_agent_packages          Installed packages (syscollector)
get_agent_vulnerabilities   CVEs by agent and severity
get_rules                   Search detection rules
get_rule_by_id              Look up a specific rule

Analysis tools

Tool                        Description
triage_alerts               Severity buckets, top rules, MITRE tactic counts
check_health                Fleet health: disconnected/stale agents, unknowns
hunt_ioc                    Search all alerts for an IP, hash, domain, or username
hunt_patterns               Detect brute-force, lateral movement, priv-esc patterns
analyze_rules               Rule coverage summary and category breakdown
propose_response            Ranked active-response options (no execution)
execute_active_response     Execute a response; requires confirmed=True
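The triage_alerts and hunt_patterns tools are summarised in one line each above. The following is an added example, not the project's triage.py or hunting.py, showing what those two analyses look like over alert documents shaped like Wazuh's (rule.level, rule.id, rule.description, rule.mitre.tactic, agent.name, data.srcip). The alert records are constructed, the severity bucket boundaries are an assumption, and the set of "authentication failure" rule ids passed to the hunt is an assumption you should extend for your own ruleset.

```python
"""Added example (not the project's triage.py or hunting.py): triage buckets,
top rules and MITRE tactic counts, plus a sliding-window brute-force hunt,
run over constructed alerts shaped like Wazuh alert documents."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _alert(ts, rule_id, level, desc, tactic, agent, srcip):
    """Build a minimal Wazuh-style alert document (constructed sample data)."""
    a = {"timestamp": ts,
         "rule": {"id": rule_id, "level": level, "description": desc,
                  "mitre": {"tactic": [tactic]}},
         "agent": {"name": agent}, "data": {}}
    if srcip:
        a["data"]["srcip"] = srcip
    return a


# Constructed sample data: six SSH failures from one source inside five
# minutes, then one failure from another source and two custom-rule alerts
# (ids in the 100000+ range Wazuh reserves for user rules).
SAMPLE_ALERTS = [
    _alert(f"2024-05-01T10:0{i}:15.000+0000", "5716", 5, "sshd: authentication failed",
           "Credential Access", "kali", "203.0.113.7")
    for i in range(6)
] + [
    _alert("2024-05-01T10:07:00.000+0000", "5712", 10,
           "sshd: brute force trying to get access to the system.",
           "Credential Access", "kali", "203.0.113.7"),
    _alert("2024-05-01T10:30:00.000+0000", "5716", 5, "sshd: authentication failed",
           "Credential Access", "Prism", "198.51.100.9"),
    _alert("2024-05-01T11:00:00.000+0000", "100001", 12,
           "custom: sudo to root after repeated failures",
           "Privilege Escalation", "Area-51", None),
    _alert("2024-05-01T11:05:00.000+0000", "100002", 3, "custom: informational login",
           "Initial Access", "Prism", None),
]


def severity_bucket(level: int) -> str:
    """Map a Wazuh rule level (0-15) to a bucket. Boundaries are an assumption;
    set them to match your own escalation policy."""
    if level >= 12:
        return "critical"
    if level >= 8:
        return "high"
    if level >= 4:
        return "medium"
    return "low"


def triage_alerts(alerts, top_n=3):
    """Severity buckets, most frequent rules and MITRE tactic counts."""
    buckets, rules, tactics = Counter(), Counter(), Counter()
    for a in alerts:
        rule = a.get("rule", {})
        buckets[severity_bucket(int(rule.get("level", 0)))] += 1
        rules[(rule.get("id"), rule.get("description"))] += 1
        for tactic in rule.get("mitre", {}).get("tactic", []):
            tactics[tactic] += 1
    return {"severity": dict(buckets), "top_rules": rules.most_common(top_n),
            "mitre_tactics": dict(tactics)}


def _parse_ts(ts):
    # Wazuh alert timestamps look like 2024-05-01T10:00:15.000+0000
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def hunt_bruteforce(alerts, threshold=5, window=timedelta(minutes=10),
                    failure_rule_ids=("5710", "5716")):
    """Flag source IPs with >= threshold auth-failure alerts inside any window.
    The rule id set is an assumption (default sshd failure rules). A two-pointer
    sweep over sorted timestamps keeps this O(n log n) per source."""
    by_src = defaultdict(list)
    for a in alerts:
        if a.get("rule", {}).get("id") in failure_rule_ids:
            src = a.get("data", {}).get("srcip")
            if src:
                by_src[src].append(_parse_ts(a["timestamp"]))
    findings = []
    for src, times in by_src.items():
        times.sort()
        best, span, start = 0, None, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best, span = end - start + 1, (times[start], t)
        if best >= threshold:
            findings.append({"srcip": src, "count": best,
                             "first": span[0].isoformat(), "last": span[1].isoformat()})
    return sorted(findings, key=lambda f: -f["count"])


if __name__ == "__main__":
    print(triage_alerts(SAMPLE_ALERTS))
    print(hunt_bruteforce(SAMPLE_ALERTS))
```

Note that the level-10 rule 5712 alert is deliberately left out of failure_rule_ids: it is Wazuh's own correlation of the same failures, and counting it again would double-count the source.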

Known Agents

ID    Name              Notes
000   wazuh             Manager
001   kali
002   Area-51
003   Prism
004   DESKTOP-GPLJ6GT
005   vert-server
006   pve610            Disconnected
007   pve720XD
008   pve720

Safety — Active Response

Active response commands modify target systems immediately, and some are irreversible.

The workflow is always:

  1. Call propose_response(agent_id, threat_summary) and review the options it returns
  2. Present the proposals to the user and get explicit approval
  3. Call execute_active_response(..., confirmed=True) only after that approval

execute_active_response called without confirmed=True returns a blocked status and never touches the Wazuh API. This gate lives in the MCP server, not in Wazuh: the API user behind WAZUH_USER can still run active responses directly, so scope that user with Wazuh's RBAC policies to the minimum it needs.
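The gate above is easy to get subtly wrong (a truthy string such as "yes" passing as confirmation, or the API request being built before the check). The following is an added example, not the project's response.py, of the propose/confirm/execute pattern with an injectable transport so it runs offline. It assumes the Wazuh 4.x endpoints GET /security/user/authenticate (basic auth, JWT in data.token) and PUT /active-response?agents_list=<id>; the request body shape {command, custom, alert}, the command allowlist and the option ranking are this example's own choices.

```python
"""Added example (not the project's response.py): the propose/confirm/execute
gate, with an injectable transport so it runs offline.
Assumptions: Wazuh 4.x endpoints GET /security/user/authenticate (basic auth,
returns a JWT in data.token) and PUT /active-response?agents_list=<id>; the
body shape {command, custom, alert} and the allowlist are this example's own."""
import base64
import json
import os
import urllib.request

# Allowlist of commands the tool may ever send. Names match Wazuh's default
# active-response scripts; restrict further to what your agents deploy.
ALLOWED_COMMANDS = {"firewall-drop", "host-deny"}


def urllib_transport(method, url, headers, body):
    """Real HTTPS transport. TLS verification is on by default; keep it on."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


class RecordingTransport:
    """Offline stand-in: records every request and answers with constructed replies."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, body))
        if url.endswith("/security/user/authenticate"):
            return {"data": {"token": "constructed-jwt"}}
        return {"error": 0, "message": "constructed reply"}


class WazuhResponder:
    def __init__(self, base_url, user=None, password=None, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.user = user or os.environ.get("WAZUH_USER")
        self.password = password or os.environ.get("WAZUH_PASSWORD")
        if not self.user or not self.password:
            raise RuntimeError("WAZUH_USER and WAZUH_PASSWORD must be set")
        self.transport = transport

    def _token(self):
        cred = base64.b64encode(f"{self.user}:{self.password}".encode()).decode()
        url = f"{self.base_url}/security/user/authenticate"
        return self.transport("GET", url, {"Authorization": f"Basic {cred}"}, None)["data"]["token"]

    def propose_response(self, agent_id, threat_summary):
        """Rank options without touching the API. Ranking is an assumption:
        reversible network block first, host-level denial second."""
        options = []
        srcip = threat_summary.get("srcip")
        if srcip:
            options.append({"rank": 1, "command": "firewall-drop", "srcip": srcip,
                            "reversible": True, "note": "drops traffic from srcip on the agent"})
            options.append({"rank": 2, "command": "host-deny", "srcip": srcip,
                            "reversible": True, "note": "adds srcip to /etc/hosts.deny"})
        return {"agent_id": agent_id, "options": options, "executed": False}

    def execute_active_response(self, agent_id, command, srcip, confirmed=False):
        """Only confirmed=True (the bool, not a truthy value) reaches the API,
        and only for an allowlisted command; nothing is sent before both checks."""
        if confirmed is not True:
            return {"status": "blocked", "reason": "confirmed=True is required"}
        if command not in ALLOWED_COMMANDS:
            return {"status": "blocked", "reason": f"{command!r} is not an allowed command"}
        token = self._token()
        body = {"command": command, "custom": False, "alert": {"data": {"srcip": srcip}}}
        url = f"{self.base_url}/active-response?agents_list={agent_id}"
        headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
        return {"status": "executed", "api_response": self.transport("PUT", url, headers, body)}


if __name__ == "__main__":
    t = RecordingTransport()
    r = WazuhResponder("https://wazuh.example:55000", "api_user", "api_pass", transport=t)
    print(r.propose_response("001", {"srcip": "203.0.113.7"}))
    print(r.execute_active_response("001", "firewall-drop", "203.0.113.7"))  # blocked
    print(r.execute_active_response("001", "firewall-drop", "203.0.113.7", confirmed=True))
    print(t.calls)
```

Checking `confirmed is not True` rather than `not confirmed` matters here because the caller is a language model: a "yes" or "confirmed" string must be blocked, not coerced. The recorded call list doubles as the audit trail a reviewer would want after an execution.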
