MCP.so
ログイン

Wazuh MCP Server

@unmuktoai

Wazuh MCP Server について

AI-powered security operations for Wazuh SIEM—use any MCP-compatible client to ask security questions in plain English. Faster threat detection, incident triage, and compliance checks with real-time monitoring and anomaly spotting. Production-ready MCP server for conversational S

基本情報

カテゴリ

開発者ツール

ライセンス

MIT

ランタイム

python

トランスポート

stdio

公開者

unmuktoai

設定

以下の設定を使って、このサーバーを MCP 対応クライアントに追加してください。

{
  "mcpServers": {
    "Wazuh-MCP-Server": {
      "command": "docker",
      "args": [
        "compose",
        "up",
        "-d"
      ]
    }
  }
}

ツール

ツールは検出されませんでした

ツールは README から自動的に抽出されます。メンテナーは ## Tools という見出しの下に記載することで、このタブに反映できます。

概要

What is Wazuh MCP Server?

A Model Context Protocol server that turns Wazuh SIEM workflows into natural conversation with any AI assistant. It provides 54 security tools for querying alerts, hunting threats, checking vulnerabilities, triggering active responses, and running compliance checks — through cloud LLMs like Claude or fully local LLMs via Ollama.

How to use Wazuh MCP Server?

Deploy with Docker Compose, configure WAZUH_HOST, WAZUH_USER, and WAZUH_PASS in .env, then connect any MCP-compliant client (Claude Desktop, Open WebUI, mcphost) to the /mcp endpoint. Quick start: git clone, cp .env.example .env, edit, docker compose up -d. For local LLMs, use mcphost with --model ollama/qwen2.5:7b. For multi-user SOC, add as an MCP tool server in Open WebUI Admin Settings.

Key features of Wazuh MCP Server

  • 54 security tools across alerts, agents, vulnerabilities, compliance, and active response
  • Works with cloud LLMs (Claude, GPT) and local LLMs (Llama, Qwen)
  • Fully air-gappable — data never leaves your network with local mode
  • RBAC with opt-in wazuh:write scope for state‑changing tools
  • Audit logging for every destructive action
  • Rate limiting, circuit breakers, and input validation

Use cases of Wazuh MCP Server

  • SOC analyst queries critical alerts from the last hour and blocks a malicious IP
  • Threat hunter searches for rootkit detections and isolates infected agents
  • Compliance officer runs ISO 27001 gap analysis and retrieves control details
  • Security engineer checks agent health, open ports, and running processes via chat
  • Team investigates vulnerabilities by agent and packages, then generates a security report

FAQ from Wazuh MCP Server

What are the prerequisites?

Docker 20.10+ with Compose v2, and a Wazuh deployment version 4.8.0–4.14.4 with API access enabled.

Can it run fully offline without sending data to the cloud?

Yes. Use a local LLM via Ollama with Open WebUI or mcphost. In this mode no SIEM data leaves your network — fully air-gappable.

How does security work?

RBAC enforces per‑tool scopes (fail‑closed), all destructive actions are audit‑logged, output is sanitized to prevent credential leakage, inputs are validated (regex, shell metacharacter blocking, Elasticsearch DSL), rate limiting uses a sliding window, circuit breakers auto‑recover, and the container runs with non‑root user, read‑only filesystem, and dropped capabilities.

What authentication modes are supported?

Bearer token (default), OAuth 2.0 with Dynamic Client Registration, or authless mode (read‑only unless AUTHLESS_ALLOW_WRITE=true). API keys can be scoped to wazuh:read or wazuh:write.

What Wazuh versions are supported?

Wazuh 4.8.0 through 4.14.4.

コメント

「開発者ツール」の他のコンテンツ