MCP.so
登录
服务器

Wazuh MCP Server

@unmuktoai

AI-powered security operations for Wazuh SIEM—use any MCP-compatible client to ask security questions in plain English. Faster threat detection, incident triage, and compliance checks with real-time monitoring and anomaly spotting. Production-ready MCP server for conversational S

概览

What is Wazuh MCP Server?

A Model Context Protocol server that turns Wazuh SIEM workflows into natural conversation with any AI assistant. It provides 54 security tools for querying alerts, hunting threats, checking vulnerabilities, triggering active responses, and running compliance checks — through cloud LLMs like Claude or fully local LLMs via Ollama.

How to use Wazuh MCP Server?

Deploy with Docker Compose, configure WAZUH_HOST, WAZUH_USER, and WAZUH_PASS in .env, then connect any MCP-compliant client (Claude Desktop, Open WebUI, mcphost) to the /mcp endpoint. Quick start: git clone, cp .env.example .env, edit, docker compose up -d. For local LLMs, use mcphost with --model ollama/qwen2.5:7b. For multi-user SOC, add as an MCP tool server in Open WebUI Admin Settings.

Key features of Wazuh MCP Server

  • 54 security tools across alerts, agents, vulnerabilities, compliance, and active response
  • Works with cloud LLMs (Claude, GPT) and local LLMs (Llama, Qwen)
  • Fully air-gappable — data never leaves your network with local mode
  • RBAC with opt-in wazuh:write scope for state‑changing tools
  • Audit logging for every destructive action
  • Rate limiting, circuit breakers, and input validation

Use cases of Wazuh MCP Server

  • SOC analyst queries critical alerts from the last hour and blocks a malicious IP
  • Threat hunter searches for rootkit detections and isolates infected agents
  • Compliance officer runs ISO 27001 gap analysis and retrieves control details
  • Security engineer checks agent health, open ports, and running processes via chat
  • Team investigates vulnerabilities by agent and packages, then generates a security report

FAQ from Wazuh MCP Server

What are the prerequisites?

Docker 20.10+ with Compose v2, and a Wazuh deployment version 4.8.0–4.14.4 with API access enabled.

Can it run fully offline without sending data to the cloud?

Yes. Use a local LLM via Ollama with Open WebUI or mcphost. In this mode no SIEM data leaves your network — fully air-gappable.

How does security work?

RBAC enforces per‑tool scopes (fail‑closed), all destructive actions are audit‑logged, output is sanitized to prevent credential leakage, inputs are validated (regex, shell metacharacter blocking, Elasticsearch DSL), rate limiting uses a sliding window, circuit breakers auto‑recover, and the container runs with non‑root user, read‑only filesystem, and dropped capabilities.

What authentication modes are supported?

Bearer token (default), OAuth 2.0 with Dynamic Client Registration, or authless mode (read‑only unless AUTHLESS_ALLOW_WRITE=true). API keys can be scoped to wazuh:read or wazuh:write.

What Wazuh versions are supported?

Wazuh 4.8.0 through 4.14.4.

标签

来自「开发工具」的更多内容