/ Каталог / Песочница / Wazuh-MCP-Server
← Все серверы ↗ GitHub
● Сообщество gensecaihq ⚡ Сразу

Wazuh-MCP-Server

автор gensecaihq · gensecaihq/Wazuh-MCP-Server

Conversational SOC for Wazuh — query alerts, hunt threats, check vulnerabilities, and trigger active responses in plain English, with 48 tools and audit logging.

Wazuh-MCP-Server turns your Wazuh SIEM into a chat-driven SOC. 48 tools across alerts/agents/vulnerabilities/active response/compliance. Built for real SOC work: output sanitization, rate limiting, circuit breakers, per-tool RBAC, and destructive-action audit logs.

▶ Смотреть демо 📦 Установить 💡 Сценарии

Зачем использовать

Ключевые функции

Живое демо

Как выглядит на практике

wazuh.replay ▶ готово
0/0

Установка

Выберите клиент

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "wazuh": {
      "command": "uvx",
      "args": [
        "Wazuh-MCP-Server"
      ],
      "_inferred": true
    }
  }
}

Откройте Claude Desktop → Settings → Developer → Edit Config. Перезапустите после сохранения.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "wazuh": {
      "command": "uvx",
      "args": [
        "Wazuh-MCP-Server"
      ],
      "_inferred": true
    }
  }
}

Cursor использует ту же схему mcpServers, что и Claude Desktop. Конфиг проекта приоритетнее глобального.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "wazuh": {
      "command": "uvx",
      "args": [
        "Wazuh-MCP-Server"
      ],
      "_inferred": true
    }
  }
}

Щёлкните значок MCP Servers на боковой панели Cline, затем "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "wazuh": {
      "command": "uvx",
      "args": [
        "Wazuh-MCP-Server"
      ],
      "_inferred": true
    }
  }
}

Тот же формат, что и Claude Desktop. Перезапустите Windsurf для применения.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "wazuh",
      "command": "uvx",
      "args": [
        "Wazuh-MCP-Server"
      ]
    }
  ]
}

Continue использует массив объектов серверов, а не map.

~/.config/zed/settings.json
{
  "context_servers": {
    "wazuh": {
      "command": {
        "path": "uvx",
        "args": [
          "Wazuh-MCP-Server"
        ]
      }
    }
  }
}

Добавьте в context_servers. Zed перезагружается автоматически.

claude mcp add wazuh -- uvx Wazuh-MCP-Server

Однострочная команда. Проверить: claude mcp list. Удалить: claude mcp remove.

Сценарии использования

Реальные сценарии: Wazuh-MCP-Server

Triage overnight alerts in 10 minutes instead of 2 hours

👤 SOC analysts ⏱ ~20 min advanced

Когда использовать: Shift start. Hundreds of alerts overnight. You need to find the real ones without reading every row.

Предварительные требования
  • Wazuh Manager API creds — Wazuh UI > API credentials
Поток
  1. Summarize
    For last 12 hours: group alerts by rule group, count severity 10+ per group, top 5 agents with most high-sev alerts.✓ Скопировано
    → Ranked summary
  2. Investigate
    For top agent, pull the 10 most recent high-sev alerts with full details.✓ Скопировано
    → Detailed events
  3. Determine action
    Based on these events, is this a true positive? If yes, propose response: isolate agent / disable account / create ticket.✓ Скопировано
    → Verdict + action plan

Итог: Faster MTTD/MTTR without more eyeballs.

Подводные камни
  • Auto-triggering active response before confirming — Keep active response tools behind a confirmation gate

Weekly vulnerability posture report

👤 Security managers ⏱ ~30 min intermediate

Когда использовать: Friday report for leadership. How many CVEs open? Where? Trend vs last week?

Поток
  1. Pull vulnerabilities
    From Wazuh vulnerability module: total open CVEs by severity, top 10 agents by critical CVE count.✓ Скопировано
    → Numbers + top agents
  2. Compare to last week
    Compare counts to last Friday's report [paste]. What improved, what regressed?✓ Скопировано
    → Delta analysis
  3. Prioritize
    List the 5 critical CVEs affecting most hosts that should be patched this weekend.✓ Скопировано
    → Actionable patch list

Итог: Board-ready security posture summary.

Подводные камни
  • Vuln data only as fresh as last scan — Check scan timestamps before drawing conclusions
Сочетать с: notion

Isolate a compromised host on confirmation

👤 SOC on-call ⏱ ~10 min advanced

Когда использовать: Alert fires: unambiguous malware on endpoint. You need to isolate fast.

Поток
  1. Confirm scope
    For agent 'ws-4412': show active processes with parent PID, recent listening ports, and last 20 alerts. Is this clearly compromised?✓ Скопировано
    → Risk assessment
  2. Isolate
    Isolate agent ws-4412 via active response. Require my explicit confirm first.✓ Скопировано
    → Confirmation prompt, then isolation + audit log entry

Итог: Compromised host isolated within minutes.

Подводные камни
  • False-positive isolation of prod server — Double-check agent ID and classification before confirming; keep an out-of-band way to re-enable

Комбинации

Сочетайте с другими MCP — эффект x10

wazuh + notion

Weekly security digest to exec

Compose a weekly Wazuh summary and create a Notion page in 'Security Weekly'.✓ Скопировано

Инструменты

Что предоставляет этот MCP

ИнструментВходные данныеКогда вызыватьСтоимость
list_alerts filter: obj, from, to, limit Investigate by time/severity/rule 1 API call
get_agent agent_id Profile a specific endpoint 1 API call
list_vulnerabilities agent_id?, severity? Vuln posture checks 1 API call
trigger_active_response agent_id, command, arguments? Isolate / kill process / disable account — destructive; confirm 1 API call + physical effect
compliance_report framework: 'pci'|'hipaa'|'nist', scope Audit readiness 1 API call

Стоимость и лимиты

Во что обходится

Квота API
Bounded by Wazuh Manager API limits
Токенов на вызов
Alert listings can be huge — always filter by time + severity
Деньги
Free. Wazuh itself is open-source.
Совет
Use limit aggressively. Don't list a week's alerts without grouping.

Безопасность

Права, секреты, радиус поражения

Минимальные скоупы: Wazuh API user scoped read-only for inspection; elevate for active response
Хранение учётных данных: Wazuh API creds in env or Docker secrets
Исходящий трафик: Alert/event data goes to your LLM provider
Никогда не давайте: Active-response scope to a dev/eval instance

Устранение неполадок

Частые ошибки и исправления

401 from Wazuh API

Creds wrong, or JWT expired. Server auto-rotates; if persistent, check ENV.

Empty alert list despite known alerts

Indexer (Elasticsearch) not reachable from MCP container. Check docker-compose networks.

Active response failed / no effect

Confirm the active-response script is enabled on that agent (ossec.conf). Some actions are agent-side only.

Альтернативы

Wazuh-MCP-Server в сравнении

АльтернативаКогда использоватьКомпромисс
Splunk / Sentinel MCPsYou use Splunk or Sentinel insteadDifferent SIEM
Wazuh UI directlySingle-alert deep diveSlower; no LLM synthesis

Ещё

Ресурсы

📖 Читать официальный README на GitHub

🐙 Открытые задачи

🔍 Все 400+ MCP-серверов и Skills