sb-siem-mcp is an MCP server that connects LLMs (like Claude) to Wazuh SIEM, enabling natural language threat hunting, alert analysis, compliance checks, and incident response through 28 security-focused tools. Built with defense-in-depth security, RBAC, and audit logging.
The configuration is the same across clients; only the config file and its path differ.

```json
{
  "mcpServers": {
    "wazuh": {
      "command": "python",
      "args": ["-m", "wazuh_mcp.server"],
      "cwd": "/path/to/sb-siem-mcp/src",
      "env": {
        "WAZUH_API_URL": "https://192.168.56.102:55000",
        "WAZUH_USERNAME": "wazuh-wui",
        "WAZUH_PASSWORD": "your-api-password",
        "WAZUH_INDEXER_PASS": "your-indexer-password",
        "WAZUH_INSECURE": "true"
      }
    }
  }
}
```

`WAZUH_INSECURE=true` disables TLS certificate verification and is only appropriate for a lab instance with a self-signed certificate, such as the private address above; against a production Wazuh, leave it unset and trust the Wazuh CA instead. The API and indexer passwords sit in plaintext in the client's config file, so restrict that file's permissions and prefer a dedicated low-privilege API user over the default `wazuh-wui` account.
Note: Independent, third-party project, not affiliated with or endorsed by Wazuh Inc. Actively developed and tested against live Wazuh instances; review and test before production deployment.
No known CVEs: sb-siem-mcp was checked against OSV.dev.
28 MCP tools. 9 domains. Tested on Wazuh 4.14.5 against live instances. AI-powered security operations for Wazuh SIEM/XDR.
"Show me all critical alerts in the last 6 hours, cross-reference with MITRE ATT&CK, and check if any affected hosts have unpatched CVEs."
One prompt. Your AI assistant queries 7,514 alerts, checks 5,038 FIM records, scans 12 CVEs, cross-references 750 MITRE techniques, audits CIS compliance, and triggers incident response — all through your Wazuh infrastructure.
You already have Wazuh running somewhere. The MCP server is a local process that your AI client spawns as a child — just like a language server or linter.
```
 Your Machine                             Your Wazuh Server
┌────────────────────┐                  ┌──────────────────┐
│ Zed / Claude       │                  │                  │
│        │           │                  │  Wazuh API       │
│        ▼           │                  │  :55000          │
│ python -m          │──────HTTPS──────▶│                  │
│  wazuh_mcp.server  │                  │  Wazuh Indexer   │
│ (child process)    │──────HTTPS──────▶│  :9200           │
└────────────────────┘                  └──────────────────┘
```
No Docker required. No containers. No agents to install. Just point it at your existing Wazuh and start asking questions in natural language.
- Active response tools require `confirm=True` plus an expiring token
- Roles `viewer`, `analyst`, `admin`, `soc` with hierarchical access
- `wazuhmcp` user
- `WAZUH_INSECURE` toggles TLS certificate verification (leave it unset outside lab environments)
- Metrics at `:9090/metrics` for SOC monitoring (latency, errors, rate limits)
- API docs at `/docs`, raw OpenAPI spec at `/openapi.json`

```
┌──────────────────────────┐      ┌──────────────────────────┐
│ Your AI Client           │      │ Wazuh Infrastructure     │
│ (Zed / Claude / Cursor)  │      │                          │
│          │               │      │  Wazuh API :55000        │
│          ▼               │      │  ├─ Agents, Groups       │
│  ┌──────────────────┐    │      │  ├─ SCA, FIM, MITRE
```
... [View full README on GitHub](https://github.com/Sbharadwaj05/sb-siem-mcp#readme)
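The controls the README lists for its destructive tools (a `confirm=True` flag plus an expiring token in front of active response, hierarchical roles, and audit logging) compose into a single gate. The following is an added illustration of that pattern written for this page; it is not sb-siem-mcp's code. The role ordering, the choice of `soc` as the minimum role for active response, the 120-second token lifetime, the token format, and every function and field name are assumptions of the example, and the scenario inputs are constructed.

```python
"""Gate for a destructive MCP tool: role hierarchy, confirm flag, expiring
single-use token, audit record. Added illustration, not sb-siem-mcp's code;
all names, the role ordering and the TTL below are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# The page names the roles viewer, analyst, admin, soc with hierarchical access.
# Their ordering, and soc as the minimum for active response, are assumed here.
ROLE_RANK = {"viewer": 0, "analyst": 1, "soc": 2, "admin": 3}
ACTIVE_RESPONSE_MIN_ROLE = "soc"
TOKEN_TTL_SECONDS = 120  # assumed lifetime of a confirmation token
TOOL = "active_response"


@dataclass
class AuditLog:
    """Append-only record of every decision, allowed or denied."""
    events: list = field(default_factory=list)

    def record(self, user, role, agent_id, command, outcome, ts):
        self.events.append({"ts": int(ts), "user": user, "role": role,
                            "tool": TOOL, "agent_id": agent_id,
                            "command": command, "outcome": outcome})


class ConfirmationTokens:
    """Single-use tokens bound to (user, tool, target) with an expiry.
    Format <exp>.<nonce>.<hmac-sha256-hex>; the MAC covers user, tool, target,
    exp and nonce, so a token for one agent/command cannot be replayed against
    another, altered to extend its life, or used twice."""

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret
        self._now = now
        self._used = set()

    def _mac(self, user, target, exp, nonce):
        msg = "|".join((user, TOOL, target, str(exp), nonce)).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, user, target, ttl=TOKEN_TTL_SECONDS):
        exp = int(self._now()) + ttl
        nonce = secrets.token_hex(8)
        return f"{exp}.{nonce}.{self._mac(user, target, exp, nonce)}"

    def consume(self, token, user, target):
        """True exactly once for a well-formed, unexpired token bound to this
        (user, target); False for anything else."""
        try:
            exp_s, nonce, mac = token.split(".")
            exp = int(exp_s)
        except ValueError:
            return False
        if token in self._used or self._now() > exp:
            return False
        if not hmac.compare_digest(mac, self._mac(user, target, exp, nonce)):
            return False
        self._used.add(token)
        return True


def run_active_response(user, role, agent_id, command, tokens, audit,
                        confirm=False, token=None, now=time.time):
    """Decide whether a destructive call may proceed; only 'dispatched' would
    go on to the real Wazuh active-response API. Every outcome is audited."""
    target = f"{agent_id}:{command}"
    if ROLE_RANK.get(role, -1) < ROLE_RANK[ACTIVE_RESPONSE_MIN_ROLE]:
        outcome = "denied_role"
    elif not confirm:
        outcome = "confirmation_required"
    elif token is None or not tokens.consume(token, user, target):
        outcome = "denied_token"
    else:
        outcome = "dispatched"
    audit.record(user, role, agent_id, command, outcome, now())
    return outcome


def demo():
    """Constructed scenario with a controllable clock; returns the audit outcomes."""
    clock = [1_700_000_000]
    now = lambda: clock[0]
    tokens = ConfirmationTokens(secrets.token_bytes(32), now=now)
    audit = AuditLog()
    ar = lambda user, role, agent, **kw: run_active_response(
        user, role, agent, "firewall-drop", tokens, audit, now=now, **kw)

    ar("alice", "analyst", "001", confirm=True)      # role below soc
    ar("bob", "soc", "001")                           # confirm missing
    t = tokens.issue("bob", "001:firewall-drop")
    ar("bob", "soc", "001", confirm=True, token=t)    # valid: dispatched
    ar("bob", "soc", "001", confirm=True, token=t)    # replay of the same token
    t2 = tokens.issue("bob", "001:firewall-drop")
    ar("bob", "soc", "002", confirm=True, token=t2)   # token bound to agent 001
    t3 = tokens.issue("bob", "001:firewall-drop")
    clock[0] += TOKEN_TTL_SECONDS + 1
    ar("bob", "soc", "001", confirm=True, token=t3)   # expired
    return [e["outcome"] for e in audit.events]


if __name__ == "__main__":
    print(demo())
```

Binding the token to the exact agent and command is what makes the confirmation meaningful: a model that has a token for `firewall-drop` on agent 001 cannot reuse it to quarantine a different host, and the audit log records the denial with the same detail as the dispatch.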