AI4IA-MCP-Server
Bridges AI assistants with Wazuh SIEM infrastructure, providing natural language access to security alerts, vulnerability analysis, CVE databases, and network documentation for security operations.
A Model Context Protocol Server for Role-Based Learning in AI-Assisted Cybersecurity Incident Analysis with Wazuh SIEM and OpenSearch
Overview
AI4IA-MCP is an intelligent Model Context Protocol (MCP) server that bridges AI assistants with Wazuh SIEM infrastructure. It provides natural language access to security alerts, vulnerability analysis, CVE databases, and network documentation through a comprehensive set of tools designed for security operations teams.
This server enables LLM assistants like Claude to perform complex security operations tasks including alert correlation, statistical analysis, vulnerability assessment, and incident investigation through conversational interfaces.
Architecture
┌─────────────────┐
│  AI Assistant   │
│    (Claude)     │
└────────┬────────┘
         │ MCP Protocol
         │
┌────────▼────────┐
│  Wazuh AI4IA    │
│   MCP Server    │
│   (FastMCP)     │
└────────┬────────┘
         │
         ├──────────────┐
         │              │
┌────────▼────────┐ ┌───▼────────┐
│   OpenSearch    │ │   Local    │
│    Cluster      │ │   Files    │
│  (Wazuh Data)   │ │ (CVE/PDF)  │
└─────────────────┘ └────────────┘
Key Features
Core Capabilities
- Real-time Alert Management: Query and filter Wazuh security alerts with flexible time ranges
- Intelligent Alert Correlation: Automatically discover related security events based on temporal proximity, agents, MITRE techniques, and rule patterns
- Vulnerability Analysis: Deep-dive into CVE vulnerabilities with CVSS scoring, categorization, and mitigation recommendations
- Statistical Insights: Generate comprehensive reports on alert patterns, severity distributions, and system performance
- Agent Monitoring: Track status and health of all Wazuh agents in your infrastructure
- CVE Database: Search and filter from extensive CVE datasets by severity, year, and vulnerability type
- Network Documentation: Parse and analyze network diagrams and PDF documentation
Security Operations Use Cases
- Incident Response: Quickly correlate alerts to identify attack campaigns
- Threat Hunting: Search for specific patterns across historical security data
- Vulnerability Management: Prioritize patching based on detected vulnerabilities
- Compliance Reporting: Generate statistics for audit and compliance requirements
- Performance Monitoring: Track Wazuh system health and event processing metrics
Installation
1. Install Dependencies
pip install -r requirements.txt
3. Configure Environment Variables
Create a .env file in the project root:
OPENSEARCH_HOST=localhost:9200
OPENSEARCH_USER=admin
OPENSEARCH_PASSWORD=your_secure_password_here
4. Prepare Data Files
Place the following files in the project directory:
- cve_data.csv - CVE vulnerability database
- GOAD.pdf - Network documentation (optional)
- NetDiagram.png - Network diagram (optional)
Configuration
OpenSearch Connection
The server connects to OpenSearch using the following indices:
- wazuh-alerts-* - Security alerts
- wazuh-monitoring-* - Agent monitoring data
- wazuh-statistics-* - System performance metrics
- wazuh-states-vulnerabilities-* - Vulnerability states
CVE Database Format
The cve_data.csv should contain the following columns:
- vulnerability.id - CVE identifier (e.g., CVE-2024-12345)
- vulnerability.severity - Severity level (low, medium, high, critical)
- vulnerability.description - Detailed vulnerability description
Available Tools
1. get_alerts
Retrieve Wazuh security alerts with flexible filtering.
# Example usage
get_alerts(
    time_range="2h",        # Last 2 hours
    rule_level=10,          # Critical alerts only
    agent_name="server-01",
    size=100
)
Parameters:
- time_range: Time window (e.g., "2h", "90m", "30m") - max 6 hours
- rule_level: Filter by severity level (1-15)
- agent_name: Filter by specific agent
- size: Number of results to return (default: 100)
2. correlate_alerts
Find related alerts that may indicate a coordinated attack.
# Example usage
correlate_alerts(
    alert_id="ABC123...",
    time_window="1h",
    max_alerts=50
)
Features:
- Temporal correlation
- Same agent detection
- Related rule groups
- Common MITRE ATT&CK techniques
- Correlation factor scoring
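The factors listed above can be combined into a single ranking score. The following is an added example, not the project's own code: the weights, the function names and the flattened alert layout are assumptions, and the sample alerts are constructed.

```python
from datetime import datetime, timedelta

# Assumed weights: the README lists the factors but not how they are scored.
WEIGHTS = {"time": 0.2, "same_agent": 0.3, "rule_groups": 0.2, "mitre": 0.3}


def correlation_score(seed, other, window):
    """Return (score in [0, 1], matched factors) for one candidate alert."""
    gap = abs(datetime.fromisoformat(seed["timestamp"])
              - datetime.fromisoformat(other["timestamp"]))
    if gap > window:
        return 0.0, []
    matched = {"time": 1 - gap / window}  # closer in time scores higher
    if seed["agent"]["name"] == other["agent"]["name"]:
        matched["same_agent"] = 1
    if set(seed["rule"]["groups"]) & set(other["rule"]["groups"]):
        matched["rule_groups"] = 1
    if set(seed["rule"]["mitre"]) & set(other["rule"]["mitre"]):
        matched["mitre"] = 1
    score = sum(WEIGHTS[k] * v for k, v in matched.items())
    return round(score, 3), list(matched)


def correlate(seed, candidates, window=timedelta(hours=1), max_alerts=50):
    """Rank candidates; time proximity alone does not count as related."""
    ranked = []
    for alert in candidates:
        if alert["id"] == seed["id"]:
            continue
        score, factors = correlation_score(seed, alert, window)
        if len(factors) > 1:
            ranked.append({"id": alert["id"], "score": score, "factors": factors})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked[:max_alerts]


def _alert(id_, hhmm, agent, groups, mitre):
    # Constructed sample alert; "mitre" is flattened from Wazuh's rule.mitre.id.
    return {"id": id_, "timestamp": f"2024-05-01T{hhmm}:00+00:00",
            "agent": {"name": agent}, "rule": {"groups": groups, "mitre": mitre}}


SAMPLE = [
    _alert("a1", "10:00", "server-01", ["sshd", "authentication_failed"], ["T1110"]),
    _alert("a2", "10:05", "server-01", ["sshd", "authentication_success"], ["T1078"]),
    _alert("a3", "10:30", "web-server", ["web"], ["T1110"]),
    _alert("a4", "10:10", "web-server", ["web"], []),
    _alert("a5", "12:00", "server-01", ["sshd"], ["T1110"]),
]
```

Calling correlate(SAMPLE[0], SAMPLE) ranks the same-agent SSH login ahead of the cross-agent alert that shares only a MITRE technique, and drops the alert that is merely close in time.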
3. get_alert_statistics
Generate comprehensive statistical reports on alert patterns.
# Example usage
get_alert_statistics(
    time_range="6h",
    agent_name="web-server",
    group="web"
)
Provides:
- Alert frequency over time
- Severity distribution
- Top alert types
- Most active agents
- MITRE technique frequency
- Rule group analysis
4. analyze_vulnerability
Deep analysis of detected vulnerabilities with CVE details.
# Example usage
analyze_vulnerability(
    vulnerability_id="CVE-2024-21417",
    start_time="now-12h",
    limit=50
)
Includes:
- CVE details and descriptions
- CVSS scores and severity
- Detection timestamps
- Affected agents
- Category classification
- Mitigation suggestions
5. filter_network_cves
Search the CVE database with multiple filter criteria.
# Example usage
filter_network_cves(
    severity="critical",
    year="2024",
    type="SQL Injection",
    limit=100
)
6. get_agent_status
Monitor the health and status of all Wazuh agents.
# Example usage
get_agent_status()
Returns:
- Agent name and ID
- IP address
- Connection status
- Last keep-alive timestamp
- Wazuh version
7. get_statistics
Retrieve Wazuh system performance metrics.
# Example usage
get_statistics(timeframe="3h")
Metrics:
- Events received/processed/dropped
- Events per second (EDPS)
- Queue usage percentages
- Processing efficiency
- System health indicators
8. read_network_documentation
Extract text from PDF network documentation.
# Example usage
read_network_documentation(pdf_filename="GOAD.pdf")
9. process_network_diagram
Analyze network topology diagrams.
# Example usage
process_network_diagram(
    png_filename="NetDiagram.png",
    analysis_type="detailed"
)
Important Limitations
Time Range Restrictions
Different tools have specific time range limitations for optimal performance:
- get_alerts: Maximum 6 hours
- correlate_alerts: Maximum 6 hours
- get_alert_statistics: Maximum 6 hours
- get_statistics: Maximum 6 hours
- analyze_vulnerability: Maximum 12 hours
These limits prevent rate limiting and ensure responsive query performance.
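Because tool arguments arrive from an LLM, they should be validated and bounded before any query is built. The following added example (not the project's own code) enforces the caps above and builds a filter-only OpenSearch body for get_alerts. The field names timestamp, rule.level and agent.name, the minimum-level reading of rule_level, the agent-name pattern and the size ceiling of 1000 are assumptions.

```python
import re
from datetime import timedelta

# Per-tool caps copied from the limits listed above.
MAX_WINDOW = {
    "get_alerts": timedelta(hours=6),
    "correlate_alerts": timedelta(hours=6),
    "get_alert_statistics": timedelta(hours=6),
    "get_statistics": timedelta(hours=6),
    "analyze_vulnerability": timedelta(hours=12),
}
_RANGE = re.compile(r"(\d{1,4})([mh])")      # "2h", "90m"; nothing else
_AGENT = re.compile(r"[A-Za-z0-9._-]{1,128}")  # assumed agent-name charset


def parse_time_range(tool, value):
    """Parse '2h' / '90m' and reject anything over the tool's cap."""
    m = _RANGE.fullmatch(value.strip())
    if not m or int(m.group(1)) == 0:
        raise ValueError(f"Invalid time range: {value!r}")
    n, unit = int(m.group(1)), m.group(2)
    window = timedelta(hours=n) if unit == "h" else timedelta(minutes=n)
    if window > MAX_WINDOW[tool]:
        raise ValueError("Time range exceeds limit")
    return window


def build_alert_query(time_range, rule_level=None, agent_name=None, size=100):
    """Build an OpenSearch body for wazuh-alerts-* from validated inputs."""
    window = parse_time_range("get_alerts", time_range)
    minutes = int(window.total_seconds() // 60)
    filters = [{"range": {"timestamp": {"gte": f"now-{minutes}m"}}}]
    if rule_level is not None:
        if not 1 <= int(rule_level) <= 15:
            raise ValueError("rule_level must be 1-15")
        filters.append({"range": {"rule.level": {"gte": int(rule_level)}}})
    if agent_name is not None:
        if not _AGENT.fullmatch(agent_name):
            raise ValueError("Invalid agent_name")
        # term query: exact match, never interpolated into a query string
        filters.append({"term": {"agent.name": agent_name}})
    return {
        "size": max(1, min(int(size), 1000)),  # assumed hard ceiling
        "sort": [{"timestamp": {"order": "desc"}}],
        "query": {"bool": {"filter": filters}},
    }
```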
Usage Examples
Example 1: Investigating a Security Incident
User: "Show me all critical alerts from the last 2 hours"
AI: [Uses get_alerts with rule_level=12+, time_range="2h"]
User: "What vulnerabilities were detected on affected systems?"
AI: [Uses analyze_vulnerability with affected agents]
Example 2: Vulnerability Management
User: "Find all critical CVEs from 2024"
AI: [Uses filter_network_cves with severity="critical", year="2024"]
User: "Which systems are affected by CVE-2024-12345?"
AI: [Uses analyze_vulnerability with vulnerability_id]
Example 3: Performance Monitoring
User: "How is the Wazuh system performing?"
AI: [Uses get_statistics for system metrics]
User: "Show alert trends over the last 6 hours"
AI: [Uses get_alert_statistics for trend analysis]
Common Errors
"No alerts found": Check time range and filter criteria
"CVE database not found": Ensure cve_data.csv is in the project directory
"Time range exceeds limit": Reduce time range to specified maximum
"Connection refused": Verify OpenSearch is running and accessible
Quick Start with Claude Desktop
Configuration
- Locate your config file:
  - macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  - Windows: %APPDATA%\Claude\claude_desktop_config.json
  - Linux: ~/.config/Claude/claude_desktop_config.json
- Add the server configuration:
{
  "mcpServers": {
    "AI4IA": {
      "command": "python",
      "args": ["/absolute/path/to/AI4IA-MCP/mcp_server.py"]
    }
  }
}
License
This project is licensed under the MIT License - see the LICENSE file for details.
Acknowledgments
- mcp-wazuh-py by @cyberbalsa - This project is based on and inspired by this work on Wazuh MCP integration
- GOAD (Game of Active Directory) by Orange Cyberdefense - a pentesting Active Directory lab project that provides vulnerable AD environments for practicing attack techniques.
- Wazuh - Open source security platform
- FastMCP - Model Context Protocol framework
- OpenSearch - Search and analytics engine
- Anthropic - Claude AI assistant