# Wazuh (SIEM) MCP

> Wazuh (SIEM) connects security operations and endpoint monitoring directly to any AI agent. Instantly list agents, check compliance reports, and pull manager logs using natural conversation. It lets you run complex security queries—like checking File Integrity Monitoring or mapping MITRE ATT&CK tactics—without ever leaving your chat interface.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** siem, threat-detection, vulnerability-management, endpoint-security, incident-response

## Description

Managing a Security Information and Event Management (SIEM) system usually means jumping between dashboards, running command-line tools, and filtering massive amounts of data. This MCP changes that process entirely. You connect it to any AI agent through Vinkius, giving your client the ability to speak directly to your Wazuh environment.

Instead of writing complex queries or navigating deep menu structures, you simply ask questions about your infrastructure. Your agent handles everything from checking if cluster nodes are healthy to retrieving security configuration assessment results across all endpoints. This means you get immediate answers on agent status, threat intelligence mappings, and audit data without ever needing to log into the Wazuh UI.

## Tools

### list_cluster_nodes
Retrieves a list of all nodes currently running in your Wazuh cluster.

### create_agent
Enrolls a new agent into the monitored network using the details you specify.

### create_security_role
Defines and creates a specific security role within the Wazuh system for resource management.

### list_decoders
Lists all currently loaded decoders, allowing you to see how log sources are interpreted.

### delete_agents
Removes specified Wazuh agents from the monitoring system using a defined query filter.

### list_agents
Provides a list of all monitored agents, supporting filters to narrow down results.

### get_logtest
Tests specific security rules and decoders against sample log data to see if they trigger correctly.

### get_manager_logs
Retrieves the latest operational logs from the Wazuh manager daemon for review.

### get_manager_status
Checks and reports on the current running status of the main Wazuh manager service.

### get_mitre
Fetches structured data mapping security findings to MITRE ATT&CK framework identifiers.

### restart_agents
Initiates a restart command for selected or all monitored agents.

### restart_cluster
Forces a full restart of the entire Wazuh cluster to resolve deep-seated service issues.

### get_rootcheck
Runs and returns results from Rootcheck, which verifies system file integrity against known baselines.

### list_rules
Lists all active security rules configured in Wazuh, with support for filtering.

### get_sca
Runs and returns results from Security Configuration Assessment (SCA), checking system hardening policies.

### list_security_users
Lists all user accounts that have API access credentials within Wazuh.

### get_syscheck
Pulls the results from File Integrity Monitoring (Syscheck), showing changes to critical system files.

### get_syscollector
Retrieves the current inventory of installed software and hardware components across monitored agents.

### update_rule_file
Allows you to programmatically push updates or changes to a specific Wazuh rule file.

### update_security_config
Updates the overall security configuration settings for the Wazuh manager system.

### upgrade_agents
Initiates a controlled upgrade process for monitored agents to ensure they run the latest software version.

## Prompt Examples

**Prompt:** 
```
List all Wazuh agents that are currently active.
```

**Response:** 
```
I've retrieved the agent list. You have 12 active agents, including 'web-server-01' (Ubuntu) and 'db-master' (CentOS). Would you like to check the status of a specific one?
```

**Prompt:** 
```
Show me the latest Security Configuration Assessment (SCA) results.
```

**Response:** 
```
Fetching SCA data... I found several failed checks related to SSH hardening and password policies on 3 agents. Should I list the specific failed policy IDs?
```

**Prompt:** 
```
Check the Wazuh manager logs for any recent errors.
```

**Response:** 
```
Inspecting manager logs... I found a few 'connection refused' warnings from 10 minutes ago related to agent enrollment. The rest of the daemons are running normally.
```

## Capabilities

### Audit System Compliance
Fetch detailed compliance reports from modules like Rootcheck or Security Configuration Assessment (SCA) to confirm endpoint hardening.

### Manage Endpoint Agents
List, enroll, restart, or upgrade all agents across the network using simple commands in your AI client.

### Analyze Threat Data
Retrieve MITRE ATT&CK mappings and run log decoders to validate threat detection capabilities against specific attack vectors.

### Inspect Core Logs & Status
Pull live logs from the manager daemon or check the overall health of the cluster nodes instantly.

### Refine Security Rules
List, update, or test security rules and decoders against sample log data to improve detection accuracy.

## Use Cases

### Investigating a potential breach
An incident hits the network. Instead of logging into three different dashboards, the analyst asks their agent to check `get_syscheck` for file changes and then run `get_mitre` to see if those changes match known attack patterns. The results come back together in one chat window.

### Quarterly compliance audit
The auditor needs proof that all agents meet minimum security standards. The DevSecOps engineer simply calls `get_sca` and runs the report through the agent, getting a consolidated list of failures across hundreds of endpoints.

### Cluster troubleshooting
Agents start failing randomly. Instead of logging into the cluster manager to check services, the engineer asks the MCP to run `get_manager_status` and then `list_cluster_nodes`. The AI client pinpoints which specific node is offline.

### Tuning detection rules
A new log format comes in. Instead of writing a complex decoder up front, the analyst uses `get_logtest` to feed in sample logs and check whether the existing rules interpret the data correctly, then deploys any changes with `update_rule_file`.

## Benefits

- Stop manual dashboard diving. Instead of clicking through tabs to check agent status, just ask your AI client to `list_agents`. You get the list instantly in plain text.
- Accelerate incident response. When you need to know if a system was tampered with, use `get_syscheck` to pull File Integrity Monitoring reports immediately, without running console commands.
- Improve compliance posture checks. Instead of manually checking dozens of policies, ask for the latest Security Configuration Assessment (SCA) results using `get_sca`, and get actionable failure points.
- Automate maintenance. Need to update a bunch of machines? Run `upgrade_agents` or use `restart_agents`. It's one simple command instead of coordinating multiple SSH sessions.
- Deepen threat hunting. Use the MCP to pull MITRE ATT&CK mappings via `get_mitre`, which lets you instantly map observed attacker behavior to industry-standard tactics.

## How It Works

The bottom line is that this connection lets your AI client treat complex security infrastructure like a simple API endpoint, turning manual console work into conversational queries.

1. First, you subscribe to this MCP on Vinkius and provide your specific Wazuh API URL, username, and password.
2. Next, you activate the connection within your preferred AI client (Claude, Cursor, etc.).
3. Finally, tell your agent what you need—like 'Show me all failed SCA checks for agents in the finance department.' The MCP executes the query and returns structured data.

## Frequently Asked Questions

**How do I use the Wazuh (SIEM) MCP to check endpoint compliance?**
To audit security posture, ask your agent to run `get_sca`. This executes the Security Configuration Assessment and provides a list of policies that are failing across your monitored agents.

**Can I find out which agents are online using Wazuh (SIEM) MCP?**
Yes, simply ask your agent to run `list_agents`. It uses the system's filtering capabilities to give you a current list of all monitored endpoints.

**What is the best way to test new security rules with Wazuh (SIEM) MCP?**
Use the `get_logtest` tool. You can provide sample logs and let the agent run them against your current set of rules and decoders to validate whether they trigger correctly.

**How do I check the overall health of my Wazuh cluster?**
Check manager status using `get_manager_status`. If that looks okay, you can also run `list_cluster_nodes` to verify every node is communicating correctly.

**What if I need to update a rule file after finding an issue with Wazuh (SIEM) MCP?**
You use the `update_rule_file` tool. After troubleshooting, you can push changes directly to your rules without manual API calls.