Loading...

Wazuh | AI Builder Hub Review & Alternatives | Flaex AI

Back to MCP Directory

Wazuh

Model Context Protocol moderate risk

Wazuh

The Wazuh MCP Server provides a secure interface to query Wazuh SIEM data using natural language, enabling AI assistants to access security alerts, agent data, and more.

Connections & Capabilities

Connects To

GitHubDocker

Capabilities

readwrite

Quickstart

Config

{
  "mcpServers": {
    "wazuh": {
      "command": "/path/to/mcp-server-wazuh",
      "args": [],
      "env": {
        "WAZUH_API_HOST": "your_wazuh_manager_api_host",
        "WAZUH_API_PORT": "55000",
        "WAZUH_API_USERNAME": "your_wazuh_api_user",
        "WAZUH_API_PASSWORD": "your_wazuh_api_password",
        "WAZUH_INDEXER_HOST": "your_wazuh_indexer_host",
        "WAZUH_INDEXER_PORT": "9200",
        "WAZUH_INDEXER_USERNAME": "your_wazuh_indexer_user",
        "WAZUH_INDEXER_PASSWORD": "your_wazuh_indexer_password",
        "WAZUH_VERIFY_SSL": "false",
        "WAZUH_TEST_PROTOCOL": "https",
        "RUST_LOG": "info"
      }
    }
  }
}

Exposed MCP Tools (14)

safe

get_wazuh_alert_summary

Retrieves a summary of recent security alerts from Wazuh.

Read-only operation, no modification of data.

safe

get_wazuh_vulnerability_summary

Provides a summary of vulnerabilities detected on Wazuh agents.

Read-only operation, no modification of data.

safe

get_wazuh_critical_vulnerabilities

Lists critical vulnerabilities found on Wazuh agents.

Read-only operation, no modification of data.

safe

get_wazuh_agent_processes

Lists running processes on a specific Wazuh agent.

Read-only operation, no modification of data.

safe

get_wazuh_agent_ports

Lists open ports on a specific Wazuh agent.

Read-only operation, no modification of data.

safe

get_wazuh_running_agents

Lists currently running Wazuh agents.

Read-only operation, no modification of data.

safe

get_wazuh_rules_summary

Provides a summary of the Wazuh detection rules.

Read-only operation, no modification of data.

safe

get_wazuh_weekly_stats

Retrieves weekly statistics from the Wazuh manager.

Read-only operation, no modification of data.

safe

get_wazuh_remoted_stats

Retrieves statistics from the Wazuh remoted service.

Read-only operation, no modification of data.

safe

get_wazuh_log_collector_stats

Retrieves statistics from the Wazuh log collector.

Read-only operation, no modification of data.

safe

get_wazuh_cluster_health

Retrieves the health status of the Wazuh cluster.

Read-only operation, no modification of data.

safe

get_wazuh_cluster_nodes

Lists the nodes in the Wazuh cluster.

Read-only operation, no modification of data.

safe

search_wazuh_manager_logs

Searches the Wazuh manager logs for specific events.

Read-only operation, no modification of data.

safe

get_wazuh_manager_error_logs

Retrieves error logs from the Wazuh manager.

Read-only operation, no modification of data.

Safety Assessment

The Wazuh MCP Server is generally safe for read-only operations, such as querying alerts and agent information. However, caution should be exercised when using tools that modify Wazuh configurations, and proper access controls should be enforced on the Wazuh API to mitigate risks.

Read-only access to Wazuh data for most operations.
Configuration managed through environment variables, limiting runtime modifications.
Access to Wazuh API is controlled by Wazuh's own authentication mechanisms.
No direct shell execution or filesystem access.

Improperly configured Wazuh API credentials could lead to unauthorized data access.
Exposure of Wazuh data to an LLM client introduces a potential data leak risk.
Some tools might allow modification of Wazuh configurations, if the Wazuh API user has sufficient permissions.
Reliance on Wazuh's security posture; vulnerabilities in Wazuh could be exploited.