mcp-netwrixaccessanalayzer

{ "dxt_version": "0.1", "name": "mcp-server-naa", "version": "0.1.0", "display_name": "Netwrix Access Analyzer MCP Server", "description": "Discover and protect sensitive data", "long_description": "This MCP server provides an integration with Netwrix Access Analyzer, helping you to discover and protect sensitive data.", "author": { "name": "Netwrix Corporation" }, "keywords": [ "netwrix", "security", "access", "analyzer" ], "license": "MIT", "icon": "assets/icon.png", "server": { "type": "python", "entry_point": "run.py", "mcp_config": { "command": "uv", "args": [ "run", "--directory", "${__dirname}", "python", "${__dirname}/run.py" ], "env": { "DB_SERVER": "${user_config.db_server}", "DB_NAME": "${user_config.db_name}", "DB_USER": "${user_config.db_user}", "DB_PASSWORD": "${user_config.db_password}", "DB_USE_WINDOWS_AUTH": "${user_config.db_use_windows_auth}", "DB_TRUST_SERVER_CERTIFICATE": "${user_config.db_trust_server_certificate}" } } }, "tools": [ { "name": "Connect-Database", "description": "Connects to a specified MSSQL database server, overriding environment settings", "parameters": { "type": "object", "properties": { "server": { "type": "string", "description": "The database server hostname or IP address" }, "database_name": { "type": "string", "description": "The name of the database to connect to" }, "username": { "type": "string", "description": "The username for database authentication (optional)" }, "password": { "type": "string", "description": "The password for database authentication (optional)" }, "trusted_connection": { "type": "boolean", "description": "Whether to use Windows authentication (default: false)" } }, "required": ["server", "database_name"] } }, { "name": "Show-ConnectionStatus", "description": "Shows the current database connection status", "parameters": { "type": "object", "properties": {}, "required": [] } }, { "name": "Show-TableSchema", "description": "Provides the schema definition (columns, types, keys) for a given table", "parameters": { "type": "object", "properties": { "table_name": { "type": "string", "description": "The name of the table to examine" } }, "required": ["table_name"] } }, { "name": "get_table_schema", "description": "Alias for Show-TableSchema. Provides the schema for a given table", "parameters": { "type": "object", "properties": { "table_name": { "type": "string", "description": "The name of the table to examine" } }, "required": ["table_name"] } }, { "name": "Discover-SensitiveData", "description": "Discovers where sensitive data exists based on DLP matches. Returns a list of shares, criteria, and match counts", "parameters": { "type": "object", "properties": {}, "required": [] } }, { "name": "Get-OpenShares", "description": "Discovers open shares (accessible to broad groups like 'Everyone' or 'Domain Users'). Returns a list of shares and the count of folders directly within them marked as exceptions", "parameters": { "type": "object", "properties": {}, "required": [] } }, { "name": "Get-TrusteeAccess", "description": "Finds filesystem resources where a specific trustee (Domain\\Name) has access. Filters by levels down from the share root (0 = share level only)", "parameters": { "type": "object", "properties": { "trustee": { "type": "string", "description": "The trustee in Domain\\Name format" }, "levels_down": { "type": "integer", "description": "Number of levels down from the share root (default: 0)" } }, "required": ["trustee"] } }, { "name": "Get-TrusteePermissionSource", "description": "For a given trustee (Domain\\Name) and network resource path (UNC), finds the source of their access", "parameters": { "type": "object", "properties": { "trustee": { "type": "string", "description": "The trustee in Domain\\Name format" }, "resource_path": { "type": "string", "description": "The UNC path to the resource" } }, "required": ["trustee", "resource_path"] } }, { "name": "Get-ResourceAccess", "description": "Gets the effective access list for a specific resource path (UNC)", "parameters": { "type": "object", "properties": { "resource_path": { "type": "string", "description": "The UNC path to the resource" } }, "required": ["resource_path"] } }, { "name": "Get-UnusedAccess", "description": "For a specified share path, identifies users whose last activity was more than N days ago (default 90)", "parameters": { "type": "object", "properties": { "resource_path": { "type": "string", "description": "The UNC path to the share" }, "days_inactive": { "type": "integer", "description": "Number of days to check for inactivity (default: 90)" } }, "required": ["resource_path"] } }, { "name": "Get-RunningJobs", "description": "Gets currently running Netwrix Access Auditor jobs from SA_JobStatsTbl", "parameters": { "type": "object", "properties": {}, "required": [] } }, { "name": "Get-ShadowAccess", "description": "Retrieves details about shadow access (potential ungoverned access routes). Returns results from SA_ShadowAccess_Details", "parameters": { "type": "object", "properties": {}, "required": [] } }, { "name": "Get-ADEffectiveMembership", "description": "Discovers the effective membership of groups in Active Directory, with optional filters. Returns a list of groups, members, and their nesting levels matching the criteria", "parameters": { "type": "object", "properties": { "group_dn_filter": { "type": "string", "description": "Filter by group Distinguished Name" }, "group_nt_account_filter": { "type": "string", "description": "Filter by group NT Account" }, "member_dn_filter": { "type": "string", "description": "Filter by member Distinguished Name" }, "member_nt_account_filter": { "type": "string", "description": "Filter by member NT Account" }, "member_object_class_filter": { "type": "string", "description": "Filter by member object class" }, "group_sid_filter": { "type": "string", "description": "Filter by group SID" }, "member_sid_filter": { "type": "string", "description": "Filter by member SID" } }, "required": [] } }, { "name": "Get-ADExceptions", "description": "Retrieves a list of exceptions defined in the AD inventory, with optional filters. Shows exception name, description, associated principal (NT Account), and object class", "parameters": { "type": "object", "properties": { "name_filter": { "type": "string", "description": "Filter by exception name" }, "description_filter": { "type": "string", "description": "Filter by exception description" }, "principal_nt_account_filter": { "type": "string", "description": "Filter by principal NT Account" }, "object_class_filter": { "type": "string", "description": "Filter by object class" } }, "required": [] } }, { "name": "Get-ADPermissions", "description": "Retrieves Active Directory permissions from SA_ADPerms_PermissionsView, excluding deleted entries. Allows optional filtering on various permission attributes", "parameters": { "type": "object", "properties": { "access_entry_type_filter": { "type": "string", "description": "Filter by access entry type" }, "access_entry_sid_filter": { "type": "string", "description": "Filter by access entry SID" }, "principal_name_filter": { "type": "string", "description": "Filter by principal name" }, "principal_domain_filter": { "type": "string", "description": "Filter by principal domain" }, "permission_filter": { "type": "string", "description": "Filter by permission type" }, "apply_to_filter": { "type": "string", "description": "Filter by apply to scope" }, "property_name_filter": { "type": "string", "description": "Filter by property name" }, "is_inherited_filter": { "type": "string", "description": "Filter by inheritance status" }, "dn_filter": { "type": "string", "description": "Filter by Distinguished Name" }, "object_sid_filter": { "type": "string", "description": "Filter by object SID" }, "object_class_filter": { "type": "string", "description": "Filter by object class" }, "object_domain_filter": { "type": "string", "description": "Filter by object domain" }, "owner_sid_filter": { "type": "string", "description": "Filter by owner SID" }, "owner_domain_filter": { "type": "string", "description": "Filter by owner domain" } }, "required": [] } }, { "name": "Get-DomainControllers", "description": "Retrieves a list of domain controllers from the SA_AD_DCSummary_List view", "parameters": { "type": "object", "properties": {}, "required": [] } }, { "name": "Get-CertificateVulnerabilities", "description": "Retrieves a list of domain controllers from the SA_AD_DCSummary_List view", "parameters": { "type": "object", "properties": {}, "required": [] } }, { "name": "Get-ADCARights", "description": "Retrieves a list of domain controllers from the SA_AD_DCSummary_List view", "parameters": { "type": "object", "properties": {}, "required": [] } }, { "name": "Get-ADSecurityAssessment", "description": "Retrieves results from the Access Analyzer AD Security Assessment", "parameters": { "type": "object", "properties": {}, "required": [] } }, { "name": "Get-ADUsers", "description": "Retrieves Active Directory user details from SA_ADInventory_UsersView, excluding deleted users. Allows extensive optional filtering on user attributes", "parameters": { "type": "object", "properties": { "dn_filter": { "type": "string", "description": "Filter by Distinguished Name" }, "samaccountname_filter": { "type": "string", "description": "Filter by SAM Account Name" }, "userprincipalname_filter": { "type": "string", "description": "Filter by User Principal Name" }, "sid_filter": { "type": "string", "description": "Filter by Security Identifier" }, "displayname_filter": { "type": "string", "description": "Filter by Display Name" }, "description_filter": { "type": "string", "description": "Filter by Description" }, "domain_filter": { "type": "string", "description": "Filter by Domain" }, "enabled_filter": { "type": "string", "description": "Filter by enabled status" }, "locked_filter": { "type": "string", "description": "Filter by locked status" }, "password_expired_filter": { "type": "string", "description": "Filter by password expired status" }, "password_never_expires_filter": { "type": "string", "description": "Filter by password never expires setting" }, "user_cannot_change_password_filter": { "type": "string", "description": "Filter by user cannot change password setting" }, "smartcard_required_filter": { "type": "string", "description": "Filter by smartcard required setting" }, "trusted_for_delegation_filter": { "type": "string", "description": "Filter by trusted for delegation setting" }, "not_delegated_filter": { "type": "string", "description": "Filter by not delegated setting" }, "use_des_key_only_filter": { "type": "string", "description": "Filter by use DES key only setting" }, "dont_require_preauth_filter": { "type": "string", "description": "Filter by don't require preauth setting" }, "password_not_required_filter": { "type": "string", "description": "Filter by password not required setting" }, "trusted_to_auth_for_delegation_filter": { "type": "string", "description": "Filter by trusted to authenticate for delegation setting" } }, "required": [] } }, { "name": "Get-ADGroups", "description": "Retrieves Active Directory group details from SA_ADInventory_GroupsView. Allows optional filtering on various group attributes", "parameters": { "type": "object", "properties": { "dn_filter": { "type": "string", "description": "Filter by Distinguished Name" }, "samaccountname_filter": { "type": "string", "description": "Filter by SAM Account Name" }, "sid_filter": { "type": "string", "description": "Filter by Security Identifier" }, "displayname_filter": { "type": "string", "description": "Filter by Display Name" }, "description_filter": { "type": "string", "description": "Filter by Description" }, "domain_filter": { "type": "string", "description": "Filter by Domain" }, "group_type_filter": { "type": "string", "description": "Filter by Group Type" }, "group_scope_filter": { "type": "string", "description": "Filter by Group Scope" } }, "required": [] } }, { "name": "Get-ADComputers", "description": "Retrieves Active Directory computer details from SA_ADInventory_ComputersView, excluding deleted computers. Allows extensive optional filtering on computer attributes", "parameters": { "type": "object", "properties": { "dn_filter": { "type": "string", "description": "Filter by Distinguished Name" }, "samaccountname_filter": { "type": "string", "description": "Filter by SAM Account Name" }, "sid_filter": { "type": "string", "description": "Filter by Security Identifier" }, "displayname_filter": { "type": "string", "description": "Filter by Display Name" }, "description_filter": { "type": "string", "description": "Filter by Description" }, "domain_filter": { "type": "string", "description": "Filter by Domain" }, "operating_system_filter": { "type": "string", "description": "Filter by Operating System" }, "enabled_filter": { "type": "string", "description": "Filter by enabled status" }, "locked_filter": { "type": "string", "description": "Filter by locked status" }, "password_expired_filter": { "type": "string", "description": "Filter by password expired status" }, "password_never_expires_filter": { "type": "string", "description": "Filter by password never expires setting" }, "trusted_for_delegation_filter": { "type": "string", "description": "Filter by trusted for delegation setting" }, "not_delegated_filter": { "type": "string", "description": "Filter by not delegated setting" }, "use_des_key_only_filter": { "type": "string", "description": "Filter by use DES key only setting" }, "dont_require_preauth_filter": { "type": "string", "description": "Filter by don't require preauth setting" }, "password_not_required_filter": { "type": "string", "description": "Filter by password not required setting" }, "trusted_to_auth_for_delegation_filter": { "type": "string", "description": "Filter by trusted to authenticate for delegation setting" } }, "required": [] } } ], "user_config": { "db_server": { "type": "string", "title": "Dastabase server", "description": "The database host or IP address", "required": true }, "db_name": { "type": "string", "title": "Database name", "description": "The database name", "required": true }, "db_user": { "type": "string", "title": "Database user", "description": "The database user", "required": true }, "db_password": { "type": "string", "title": "Database password", "description": "The database password", "sensitive": true, "required": true }, "db_use_windows_auth": { "type": "boolean", "title": "Use windows authentication", "description": "Use windows authentication", "default": false }, "db_trust_server_certificate": { "type": "boolean", "title": "Trust server certificate", "description": "Trust server certificate", "default": false } }, "compatibility": { "dxt_version": ">=0.1", "runtimes": { "python": ">=3.10" } } }