★ 209 Rust MIT sse Updated 1 hour ago

Wazuh

MCP Server for Wazuh SIEM

Installation and Configuration

{
    "mcpServers": {
        "wazuh": {
            "command": "/path/to/mcp-server-wazuh",
            "args": [],
            "env": {
                "WAZUH_API_HOST": "your_wazuh_manager_api_host",
                "WAZUH_API_PORT": "55000",
                "WAZUH_API_USERNAME": "your_wazuh_api_user",
                "WAZUH_API_PASSWORD": "your_wazuh_api_password",
                "WAZUH_INDEXER_HOST": "your_wazuh_indexer_host",
                "WAZUH_INDEXER_PORT": "9200",
                "WAZUH_INDEXER_USERNAME": "your_wazuh_indexer_user",
                "WAZUH_INDEXER_PASSWORD": "your_wazuh_indexer_password",
                "WAZUH_VERIFY_SSL": "false",
                "WAZUH_TEST_PROTOCOL": "https",
                "RUST_LOG": "info"
            }
        }
    }
}

README Summary

# Wazuh MCP Server - Talk to your SIEM

A Rust-based server designed to bridge the gap between a Wazuh Security Information and Event Management (SIEM) system and applications requiring contextual security data, specifically tailored for the Claude Desktop Integration using the Model Context Protocol (MCP).

## Overview

Modern AI assistants like Claude can benefit significantly from real-time context about the user's security environment. The Wazuh MCP Server bridges this gap by providing comprehensive access to Wazuh SIEM data through natural language interactions.

This server transforms complex Wazuh API responses into MCP-compatible format, enabling AI assistants to access:

- **Security Alerts & Events** from the Wazuh Indexer for threat detection and incident response
- **Agent Management & Monitoring** including health status, system processes, and network ports
- **Vulnerability Assessment** data for risk management and patch prioritization
- **Security Rules & Configuration** for detection optimization and compliance validation
- **System Statistics & Performance** metrics for operational monitoring and audit trails
- **Log Analysis & Forensics** capabilities for incident investigation and compliance reporting
- **Cluster Health & Management** for infrastructure reliability and availability requirements
- **Compliance Monitoring & Gap Analysis** for regulatory frameworks like PCI-DSS, HIPAA, SOX, and GDPR

Rather than requiring manual API calls or complex queries, security teams can now ask natural language questions like "Show me critical vulnerabilities on web servers," "What processes are running on agent 001?" or "Are we meeting PCI-DSS logging requirements?" and receive structured, actionable data from their Wazuh deployment.

This approach is particularly valuable for compliance teams who need to quickly assess security posture, identify gaps in monitoring coverage, validate rule effectiveness, and generate evidence for audit requirements across distributed infrastructure.

![](media/wazuh-alerts-1.png)

## Example Use Cases

The Wazuh MCP Server provides direct access to Wazuh security data through natural language interactions, enabling several practical use cases:

### Security Alert Analysis

* **Alert Triage and Investigation:** Query recent security alerts with `get_wazuh_alert_summary` to quickly identify and prioritize threats requiring immediate attention.
* **Alert Pattern Recognition:** Analyze alert trends and patterns to identify recurring security issues or potential attack campaigns.

### Vulnerability Management

* **Agent Vulnerability Assessment:** Use `get_wazuh_vulnerability_summary` and `get_wazuh_critical_vulnerabilities` to assess the security posture of specific agents and prioritize patching efforts.
* **Risk-Based Vulnerability Prioritization:** Correlate vulnerability data with agent criticality and exposure to focus remediation efforts.

### System Monitoring and Forensics

* **Process Analysis:** Investigate running processes on agents using `get_wazuh_agent_processes` for threat hunting and system analysis.
* **Network Security Assessment:** Monitor open ports and network services with `get_wazuh_agent_ports` to identify potential attack vectors.
* **Agent Health Monitoring:** Track agent status and connectivity using `get_wazuh_running_agents` to ensure comprehensive security coverage.

### Security Operations Intelligence

* **Rule Effectiveness Analysis:** Review and analyze sec...

Related MCP

Libre Chat

Enhanced ChatGPT Clone: Features Agents, MCP, DeepSeek, Anthropic, AWS, OpenAI, Responses API, Azure, Groq, o1, GPT-5, M...

★ 37614 TypeScript sse To be added
mcp sse TypeScript

Github

GitHub's official MCP Server

★ 30243 Go sse To be added
mcp sse Go

Fast

🚀 The fast, Pythonic way to build MCP servers and clients.

★ 25364 Python sse To be added
mcp Python sse