Claude Code for Wazuh SIEM Workflow Tutorial

Security Information and Event Management (SIEM) systems like Wazuh are essential for modern security operations, but managing alerts, analyzing logs, and responding to threats manually can overwhelm even experienced security teams. This tutorial shows you how to use Claude Code to automate Wazuh SIEM workflows, from alert triage to incident response and reporting.

Setting Up Claude Code with Wazuh

Before diving into workflows, ensure Claude Code can communicate with your Wazuh deployment. You’ll need API access to your Wazuh manager.

Configuring Wazuh API Access

First, create a dedicated API user for Claude Code with read-only permissions initially:

# On your Wazuh manager
cd /var/ossec/api/configuration/auth

# Create API user (adjust based on your Wazuh version)
sudo htpasswd -bc user.passwd claude_api 'SecurePassword123!'

Configure API settings in /var/ossec/etc/ossec.conf:

<ossec_config>
  <api>
    <enabled>yes</enabled>
    <host>0.0.0.0</host>
    <port>55000</port>
    <use_only_authd>no</use_only_authd>
    <skip_repository>no</skip_repository>
    <https>yes</https>
    <cpu_level>2</cpu_level>
    <max_memory>2048</max_memory>
    <poll_quantity>50</poll_quantity>
    <interval>10</interval>
    <exports/>
  </api>
</ossec_config>

Creating a Wazuh Skill for Claude

Create a custom skill that provides Claude with Wazuh-specific capabilities:

---
name: wazuh-siem
description: "Automate Wazuh SIEM operations including alert analysis, threat hunting, and incident response"
---

## Available Actions

When invoked, you can perform these Wazuh operations:

### Query Alerts
Use the Wazuh API to fetch alerts with filters:
- `/api/v1/alerts` - Get recent alerts
- `/api/v1/alerts?rule.id=<rule_id>` - Filter by rule
- `/api/v1/alerts?agent.name=<agent>` - Filter by agent

### Threat Hunting
Search across indexed logs:
- `/api/v1/logs/collector` - Query distributed logs
- Use exact field matches for precise hunting

### Agent Management
- `/api/v1/agents` - List all agents
- `/api/v1/agents/<agent_id>/restart` - Restart agent

Automated Alert Triage Workflow

One of the most valuable Claude Code integrations is automated alert triage. Instead of manually reviewing every alert, Claude can prioritize and categorize them.

Step 1: Fetch and Categorize Alerts

Create a bash script that fetches recent alerts:

#!/bin/bash
# fetch-wazuh-alerts.sh

WAZUH_API="https://wazuh-manager:55000"
API_KEY="your-api-key"
LIMIT=50

curl -s -k -X GET \
  "${WAZUH_API}/api/v1/alerts?limit=${LIMIT}&sort=-timestamp" \
  -H "Authorization: Bearer ${API_KEY}" \
  -H "Content-Type: application/json" | jq '.data.affected_items[] | {
    id: .id,
    rule: .rule.id,
    description: .rule.description,
    agent: .agent.name,
    timestamp: .timestamp,
    severity: .rule.level
  }' > /tmp/wazuh-alerts.json

Step 2: Claude Analyzes and Prioritizes

Once you have the alerts in JSON format, instruct Claude to analyze them:

Review the alerts in /tmp/wazuh-alerts.json and categorize them:

1. CRITICAL (severity >= 15): Immediate action required - potential breaches, ransomware indicators
2. HIGH (severity 10-14): Significant threats - unauthorized access attempts, privilege escalation
3. MEDIUM (severity 7-9): Moderate threats - policy violations, suspicious processes
4. LOW (severity < 7): Informational - system events, false positive candidates

For each category, summarize:
- Count of alerts
- Common patterns or IOCs
- Recommended response actions
- Whether human escalation is required

Claude will analyze the alerts, identify patterns, and provide actionable summaries. This dramatically reduces the time security analysts spend on initial triage.

Threat Hunting Workflow

Proactive threat hunting with Claude Code amplifies your security posture. Claude can help construct queries and analyze results.

Building Hunt Queries

Ask Claude to help build Wazuh queries based on threat intelligence:

I need to hunt for potential lateral movement indicators. Create a Wazuh query that searches for:
- Unusual outbound connections from workstations
- RDP/SMB connections to unexpected internal IPs
- New service installations
- Changes to privileged user groups

Also identify what Wazuh rules would trigger on each indicator.

Claude will generate appropriate Lucene queries and map them to existing Wazuh rules:

## Lateral Movement Query Example

rule.id: 100012 AND (data.dstport:3389 OR data.dstport:445) 
AND NOT agent.group:"servers"

## Detection Mappings
- Rule 100012: Suspicious outbound connection
- Rule 100025: RDP brute force
- Rule 100053: New service detected

Automated IOC Extraction

After hunt results are obtained, ask Claude to extract indicators of compromise:

Analyze /tmp/hunt-results.json and extract all potential IOCs:
- IP addresses (source and destination)
- File hashes (MD5, SHA1, SHA256)
- Domain names
- File paths
- Registry keys (Windows)

For each IOC, indicate:
- Type
- Context (what triggered it)
- Risk assessment (benign, suspicious, malicious)
- Recommended action

Incident Response Automation

When a security incident is confirmed, Claude Code can orchestrate initial response actions.

Automated Containment Workflow

Create a response playbook:

#!/usr/bin/env python3
# incident-response.py

import requests
import json
import sys

WAZUH_API = "https://wazuh-manager:55000"
API_KEY = os.environ.get("WAZUH_API_KEY")

def isolate_agent(agent_id, reason):
    """Isolate an endpoint from the network"""
    response = requests.post(
        f"{WAZUH_API}/api/v1/agents/{agent_id}/group/sg_isolated",
        headers={"Authorization": f"Bearer {API_KEY}"},
        json={"reason": reason}
    )
    return response.json()

def collect_forensics(agent_id, evidence_types):
    """Collect forensic data from endpoint"""
    for evidence in evidence_types:
        requests.post(
            f"{WAZUH_API}/api/v1/agents/{agent_id}/collect",
            headers={"Authorization": f"Bearer {API_KEY}"},
            json={"type": evidence}
        )

def create_incident_ticket(incident_data):
    """Create incident record"""
    # Integrate with your ticketing system
    pass

if __name__ == "__main__":
    action = sys.argv[1]
    agent_id = sys.argv[2]
    
    if action == "isolate":
        isolate_agent(agent_id, "Automated containment - confirmed threat")
    elif action == "collect":
        collect_forensics(agent_id, ["memory", "processes", "network"])

Claude-Driven Response

When Claude identifies a critical threat, it can execute the response:

A critical alert (Rule 100200 - Ransomware Indicator) triggered on 
workstation WS-ENG-04. The alert shows file encryption activity 
and suspicious PowerShell execution.

Automated Response Actions:
1. Isolate WS-ENG-04 from network
2. Collect memory dump and process list
3. Create incident ticket in ServiceNow
4. Notify security team via Slack

Execute the containment using /scripts/incident-response.py

Building Custom Wazuh Rules

Claude can also help you create custom detection rules based on your specific environment and threats.

Rule Development Workflow

Help me create a Wazuh custom rule to detect:
- Repeated failed login attempts (5+ in 10 minutes)
- From the same source IP
- Targeting multiple accounts

Also:
- Include proper classification (PCI-DSS, HIPAA as needed)
- Set appropriate severity levels
- Add MITRE ATT&CK mappings
- Provide tuning recommendations to reduce false positives

Claude will generate a rule like:

<rule id="100500" level="10">
  <if_sid>18101</if_sid>
  <match>authentication failed</match>
  <same_source_ip>yes</same_source_ip>
  <different_fields>user_name</different_fields>
  <field name="user_name">.*</field>
  <options>track_by_sip,count</options>
  <count>5</count>
  <timeframe>600</timeframe>
  <description>Multiple failed logins from single IP targeting multiple accounts</description>
  <mitre>
    <id>T1110</id>
    <technique>Brute Force</technique>
  </mitre>
  <group>pci_dss_11.2,hipaa_164.312.b</group>
</rule>

Best Practices for Claude-Wazuh Integration

Security Considerations

• Use API keys, not basic auth - Rotate keys regularly
• Implement least privilege - Create dedicated API users with minimal permissions
• Log all Claude actions - Maintain audit trail for compliance
• Review automated decisions - Never fully automate critical responses without human oversight

Performance Optimization

• Cache frequently queried data - Alert histories don’t change
• Use appropriate time ranges - Don’t query more data than needed
• Implement rate limiting - Respect Wazuh API limits
• Schedule off-peak queries - Reduce impact on SIEM performance

Continuous Improvement

• Tune false positives - Use Claude’s analysis to identify recurring false alarms
• Update threat intelligence - Regularly update IOC feeds
• Refine response playbooks - Learn from each incident
• Monitor Claude effectiveness - Track alert reduction and response times

Conclusion

Integrating Claude Code with Wazuh SIEM transforms your security operations from reactive to proactive. By automating alert triage, empowering threat hunting, and orchestrating incident response, your security team can focus on sophisticated threats while Claude handles the repetitive analysis.

Start with simple alert categorization, then progressively add more complex automation as you build confidence in the workflows. The key is maintaining the human-in-the-loop for critical decisions while letting Claude amplify your team’s capabilities.

Related Reading

• Claude Code for Beginners: Complete Getting Started Guide
• Best Claude Skills for Developers in 2026
• Claude Skills Guides Hub

Built by theluckystrike — More at zovo.one