Wazuh MCP Server
@unmuktoai
Wazuh MCP Server について
AI-powered security operations for Wazuh SIEM—use any MCP-compatible client to ask security questions in plain English. Faster threat detection, incident triage, and compliance checks with real-time monitoring and anomaly spotting. Production-ready MCP server for conversational S
基本情報
設定
以下の設定を使って、このサーバーを MCP 対応クライアントに追加してください。
{
"mcpServers": {
"Wazuh-MCP-Server": {
"command": "docker",
"args": [
"compose",
"up",
"-d"
]
}
}
}ツール
ツールは検出されませんでした
ツールは README から自動的に抽出されます。メンテナーは ## Tools という見出しの下に記載することで、このタブに反映できます。
概要
What is Wazuh MCP Server?
A Model Context Protocol server that turns Wazuh SIEM workflows into natural conversation with any AI assistant. It provides 54 security tools for querying alerts, hunting threats, checking vulnerabilities, triggering active responses, and running compliance checks — through cloud LLMs like Claude or fully local LLMs via Ollama.
How to use Wazuh MCP Server?
Deploy with Docker Compose, configure WAZUH_HOST, WAZUH_USER, and WAZUH_PASS in .env, then connect any MCP-compliant client (Claude Desktop, Open WebUI, mcphost) to the /mcp endpoint. Quick start: git clone, cp .env.example .env, edit, docker compose up -d. For local LLMs, use mcphost with --model ollama/qwen2.5:7b. For multi-user SOC, add as an MCP tool server in Open WebUI Admin Settings.
Key features of Wazuh MCP Server
- 54 security tools across alerts, agents, vulnerabilities, compliance, and active response
- Works with cloud LLMs (Claude, GPT) and local LLMs (Llama, Qwen)
- Fully air-gappable — data never leaves your network with local mode
- RBAC with opt-in
wazuh:writescope for state‑changing tools - Audit logging for every destructive action
- Rate limiting, circuit breakers, and input validation
Use cases of Wazuh MCP Server
- SOC analyst queries critical alerts from the last hour and blocks a malicious IP
- Threat hunter searches for rootkit detections and isolates infected agents
- Compliance officer runs ISO 27001 gap analysis and retrieves control details
- Security engineer checks agent health, open ports, and running processes via chat
- Team investigates vulnerabilities by agent and packages, then generates a security report
FAQ from Wazuh MCP Server
What are the prerequisites?
Docker 20.10+ with Compose v2, and a Wazuh deployment version 4.8.0–4.14.4 with API access enabled.
Can it run fully offline without sending data to the cloud?
Yes. Use a local LLM via Ollama with Open WebUI or mcphost. In this mode no SIEM data leaves your network — fully air-gappable.
How does security work?
RBAC enforces per‑tool scopes (fail‑closed), all destructive actions are audit‑logged, output is sanitized to prevent credential leakage, inputs are validated (regex, shell metacharacter blocking, Elasticsearch DSL), rate limiting uses a sliding window, circuit breakers auto‑recover, and the container runs with non‑root user, read‑only filesystem, and dropped capabilities.
What authentication modes are supported?
Bearer token (default), OAuth 2.0 with Dynamic Client Registration, or authless mode (read‑only unless AUTHLESS_ALLOW_WRITE=true). API keys can be scoped to wazuh:read or wazuh:write.
What Wazuh versions are supported?
Wazuh 4.8.0 through 4.14.4.
「開発者ツール」の他のコンテンツ
MCP-Scan: An MCP Security Scanner
invariantlabs-aiSecurity scanner for AI agents, MCP servers and agent skills.
nuxt-mcp / vite-plugin-mcp
antfuMCP server helping models to understand your Vite/Nuxt app better.
TalkToFigma
sonnylazuardiTalkToFigma: MCP integration between AI Agent (Cursor, Claude Code, Codex) and Figma, allowing Agentic AI to communicate with Figma for reading designs and modifying them programmatically.
Deepwiki MCP Server
regenrek📖 MCP server for fetch deepwiki.com and get latest knowledge in Cursor and other Code Editors
OpenSumi
opensumiA framework helps you quickly build AI Native IDE products. MCP Client, supports Model Context Protocol (MCP) tools via MCP server.
コメント