Connect Wazuh SIEM to Claude, ChatGPT, and other AI assistants via Model Context Protocol (MCP). Enable natural language threat detection, automated incident response, and intelligent security analysis for modern SOC teams.
Transform your security operations with Wazuh AI integration - enabling natural language queries, automated threat response, and ML-powered anomaly detection
Query and filter security alerts using natural language. Support for complex multi-field searches across all Wazuh indices with sub-second response times.
Deep search capabilities across all log sources with Wazuh Indexer integration. Support for regex patterns, time-based queries, and correlation analysis.
Execute active response commands directly through AI conversations. Supports firewall rules, process termination, and custom response scripts.
Centralized vulnerability detection with CVE mapping and CVSS scoring. Integrates with Wazuh 4.8+ vulnerability feeds and CTI sources.
Create, update, and track security incidents with full audit trails. Automated classification and priority assignment based on threat intelligence.
Generate compliance reports for PCI-DSS, GDPR, HIPAA, and custom frameworks. Automated evidence collection and gap analysis.
Enterprise-grade requirements and capabilities
Seamless integration with your existing Wazuh infrastructure
Claude Desktop, Continue.dev, Custom
FastMCP Protocol Handler
REST API v4.8+
Enhanced Analytics
Built on proven open-source foundations for enterprise-grade security operations
Open-source XDR and SIEM solution providing unified security monitoring, threat detection, and compliance management. Wazuh's comprehensive REST API enables seamless AI integration for enhanced security analytics.
Anthropic's open standard for connecting AI assistants to external tools and data sources. MCP provides secure, standardized integration between large language models and enterprise systems.
High-performance Python implementation of the Model Context Protocol, optimized for production workloads with built-in security features, connection pooling, and enterprise-grade reliability.
Help us build the future of AI-powered security operations
Found a bug or have a feature request? Open an issue on GitHub with detailed reproduction steps.
Contribute code improvements, new tools, or documentation updates. All contributions welcome!
Help security teams get started faster with better guides, examples, and integration tutorials.
Extend support for additional Wazuh modules, third-party tools, or custom response actions.
Common questions about Wazuh AI integration and Model Context Protocol
Wazuh MCP Server is an open-source integration that connects Wazuh SIEM to AI assistants like Claude and ChatGPT using the Model Context Protocol. It enables natural language queries, automated threat response, and AI-powered security analysis.
AI integration transforms SIEM operations by enabling natural language queries, automating alert triage, providing predictive threat analysis, and reducing false positives through machine learning. This significantly reduces MTTR and improves SOC efficiency.
Yes, MCP provides enterprise-grade security with authentication, encrypted communications, audit logging, and role-based access control. The protocol is designed with security-first principles for production deployments.
Wazuh MCP Server supports Wazuh Manager 4.8.0+ and has been tested up to version 4.12.0+. For enhanced features like CTI integration and centralized vulnerability detection, Wazuh Indexer 4.8.0+ is recommended.
While primarily designed for Claude Desktop, the MCP protocol is an open standard. The server can be adapted to work with other AI assistants that support MCP, including potential ChatGPT integrations and custom AI solutions.
Minimum requirements include Docker 20.10+, Python 3.8+, 512MB RAM (1GB recommended), and network access to your Wazuh infrastructure. The server supports both local (STDIO) and remote (HTTP/SSE) deployment modes.
Get running in minutes with these configurations
# Clone the repository
git clone https://github.com/gensecaihq/Wazuh-MCP-Server.git
cd Wazuh-MCP-Server
# Configure environment
export WAZUH_HOST=your-wazuh-manager.com
export WAZUH_USER=api-user
export WAZUH_PASS=secure-password
export WAZUH_INDEXER_HOST=your-indexer.com
# Start the server
docker compose up -d
# Verify deployment
python3 validate-production.py --quick
{
  "mcpServers": {
    "wazuh": {
      "command": "docker",
      "args": ["exec", "wazuh-mcp-server", "./wazuh-mcp-server", "--stdio"],
      "env": {
        "MCP_TRANSPORT": "stdio"
      }
    }
  }
}
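A preflight check for the quick start above, written here as an added example and not part of the Wazuh MCP Server project: it confirms the four environment variables the server expects are set and no longer hold the placeholder values from the snippet, and it validates the Claude Desktop entry (docker exec, --stdio, MCP_TRANSPORT=stdio). It assumes Wazuh connection settings live only in the container environment created by docker compose, so their presence in the client-side config is flagged.

```python
"""Preflight checks for the Wazuh MCP Server quick start (added example)."""
import json
import os

# Environment variables the quick start exports before `docker compose up`.
REQUIRED_ENV = ("WAZUH_HOST", "WAZUH_USER", "WAZUH_PASS", "WAZUH_INDEXER_HOST")
# Placeholder values copied from the quick start; they must be replaced.
PLACEHOLDERS = {"your-wazuh-manager.com", "your-indexer.com", "secure-password"}
# Assumption: connection settings belong in the container environment only,
# so they should not be duplicated into the desktop client's config file.
SERVER_ONLY_KEYS = set(REQUIRED_ENV)


def check_env(env=None):
    """Return a list of problems with the server environment (empty = OK)."""
    env = os.environ if env is None else env
    problems = []
    for name in REQUIRED_ENV:
        value = env.get(name, "")
        if not value:
            problems.append(f"{name} is not set")
        elif value in PLACEHOLDERS:
            problems.append(f"{name} still has the placeholder value {value!r}")
    return problems


def check_client_config(config_text, server_name="wazuh"):
    """Validate the mcpServers entry for the stdio transport; return problems."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"config is not valid JSON: {exc}"]
    server = config.get("mcpServers", {}).get(server_name)
    if server is None:
        return [f"no mcpServers.{server_name} entry"]
    problems = []
    args = server.get("args", [])
    env = server.get("env", {})
    if server.get("command") != "docker" or "exec" not in args:
        problems.append("entry should run `docker exec` against the running container")
    if "--stdio" not in args or env.get("MCP_TRANSPORT") != "stdio":
        problems.append("stdio transport requires --stdio and MCP_TRANSPORT=stdio")
    leaked = sorted(k for k in env if k in SERVER_ONLY_KEYS)
    if leaked:
        problems.append(f"Wazuh connection settings do not belong in the client config: {leaked}")
    return problems


if __name__ == "__main__":
    for problem in check_env():
        print("ENV:", problem)
```

Run it after the `export` lines and before `docker compose up -d`; pass the contents of your Claude Desktop config file to `check_client_config` to lint the client side.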
# Security Operations
"Show me critical alerts from the last 24 hours"
"Which agents have the most authentication failures?"
"Create an incident for the brute force attack on web-01"
# Threat Hunting
"Search for PowerShell execution with encoded commands"
"Find all file integrity changes in /etc across all agents"
"Show me network connections to known C2 servers"
# Vulnerability Management
"What critical CVEs affect my web servers?"
"Show vulnerability trends over the past month"
"Which packages need urgent patching?"