AI4IA-MCP-Server
Provides tools to query and analyze security alerts, vulnerability data, and system metrics from an OpenSearch cluster used by Wazuh SIEM.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@AI4IA-MCP-Servershow me critical alerts from the last hour"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
AI4IA-MCP-Server
A Model Context Protocol Server for Role-Based Learning in AI-Assisted Cybersecurity Incident Analysis with Wazuh SIEM and OpenSearch
🔍 Overview
AI4IA-MCP is an intelligent Model Context Protocol (MCP) server that bridges AI assistants with Wazuh SIEM infrastructure. It provides natural language access to security alerts, vulnerability analysis, CVE databases, and network documentation through a comprehensive set of tools designed for security operations teams.
This server enables LLM assistants like Claude to perform complex security operations tasks including alert correlation, statistical analysis, vulnerability assessment, and incident investigation through conversational interfaces.
Related MCP server: Wazuh MCP Server
🏗️ Architecture
┌─────────────────┐
│ AI Assistant │
│ (Claude) │
└────────┬────────┘
│ MCP Protocol
│
┌────────▼────────┐
│ Wazuh AI4IA │
│ MCP Server │
│ (FastMCP) │
└────────┬────────┘
│
├──────────────┐
│ │
┌────────▼────────┐ ┌──▼─────────┐
│ OpenSearch │ │ Local │
│ Cluster │ │ Files │
│ (Wazuh Data) │ │ (CVE/PDF) │
└─────────────────┘ └────────────┘✨ Key Features
🎯 Core Capabilities
Real-time Alert Management: Query and filter Wazuh security alerts with flexible time ranges
Intelligent Alert Correlation: Automatically discover related security events based on temporal proximity, agents, MITRE techniques, and rule patterns
Vulnerability Analysis: Deep-dive into CVE vulnerabilities with CVSS scoring, categorization, and mitigation recommendations
Statistical Insights: Generate comprehensive reports on alert patterns, severity distributions, and system performance
Agent Monitoring: Track status and health of all Wazuh agents in your infrastructure
CVE Database: Search and filter from extensive CVE datasets by severity, year, and vulnerability type
Network Documentation: Parse and analyze network diagrams and PDF documentation
🛡️ Security Operations Use Cases
Incident Response: Quickly correlate alerts to identify attack campaigns
Threat Hunting: Search for specific patterns across historical security data
Vulnerability Management: Prioritize patching based on detected vulnerabilities
Compliance Reporting: Generate statistics for audit and compliance requirements
Performance Monitoring: Track Wazuh system health and event processing metrics
🚀 Installation
1. Install Dependencies
pip install -r requirements.txt3. Configure Environment Variables
Create a .env file in the project root:
OPENSEARCH_HOST=localhost:9200
OPENSEARCH_USER=admin
OPENSEARCH_PASSWORD=your_secure_password_here4. Prepare Data Files
Place the following files in the project directory:
cve_data.csv- CVE vulnerability databaseGOAD.pdf- Network documentation (optional)NetDiagram.png- Network diagram (optional)
🔧 Configuration
OpenSearch Connection
The server connects to OpenSearch using the following indices:
wazuh-alerts-*- Security alertswazuh-monitoring-*- Agent monitoring datawazuh-statistics-*- System performance metricswazuh-states-vulnerabilities-*- Vulnerability states
CVE Database Format
The cve_data.csv should contain the following columns:
vulnerability.id- CVE identifier (e.g., CVE-2024-12345)vulnerability.severity- Severity level (low, medium, high, critical)vulnerability.description- Detailed vulnerability description
📖 Available Tools
1. get_alerts
Retrieve Wazuh security alerts with flexible filtering.
# Example usage
get_alerts(
time_range="2h", # Last 2 hours
rule_level=10, # Critical alerts only
agent_name="server-01",
size=100
)Parameters:
time_range: Time window (e.g., "2h", "90m", "30m") - max 6 hoursrule_level: Filter by severity level (1-15)agent_name: Filter by specific agentsize: Number of results to return (default: 100)
2. correlate_alerts
Find related alerts that may indicate a coordinated attack.
# Example usage
correlate_alerts(
alert_id="ABC123...",
time_window="1h",
max_alerts=50
)Features:
Temporal correlation
Same agent detection
Related rule groups
Common MITRE ATT&CK techniques
Correlation factor scoring
3. get_alert_statistics
Generate comprehensive statistical reports on alert patterns.
# Example usage
get_alert_statistics(
time_range="6h",
agent_name="web-server",
group="web"
)Provides:
Alert frequency over time
Severity distribution
Top alert types
Most active agents
MITRE technique frequency
Rule group analysis
4. analyze_vulnerability
Deep analysis of detected vulnerabilities with CVE details.
# Example usage
analyze_vulnerability(
vulnerability_id="CVE-2024-21417",
start_time="now-12h",
limit=50
)Includes:
CVE details and descriptions
CVSS scores and severity
Detection timestamps
Affected agents
Category classification
Mitigation suggestions
5. filter_network_cves
Search the CVE database with multiple filter criteria.
# Example usage
filter_network_cves(
severity="critical",
year="2024",
type="SQL Injection",
limit=100
)6. get_agent_status
Monitor the health and status of all Wazuh agents.
# Example usage
get_agent_status()Returns:
Agent name and ID
IP address
Connection status
Last keep-alive timestamp
Wazuh version
7. get_statistics
Retrieve Wazuh system performance metrics.
# Example usage
get_statistics(timeframe="3h")Metrics:
Events received/processed/dropped
Events per second (EDPS)
Queue usage percentages
Processing efficiency
System health indicators
8. read_network_documentation
Extract text from PDF network documentation.
# Example usage
read_network_documentation(pdf_filename="GOAD.pdf")9. process_network_diagram
Analyze network topology diagrams.
# Example usage
process_network_diagram(
png_filename="NetDiagram.png",
analysis_type="detailed"
)⚠️ Important Limitations
Time Range Restrictions
Different tools have specific time range limitations for optimal performance:
get_alerts: Maximum 6 hourscorrelate_alerts: Maximum 6 hoursget_alert_statistics: Maximum 6 hoursget_statistics: Maximum 6 hoursanalyze_vulnerability: Maximum 12 hours
These limits prevent rate limiting and ensure responsive query performance.
💡 Usage Examples
Example 1: Investigating a Security Incident
User: "Show me all critical alerts from the last 2 hours"
AI: [Uses get_alerts with rule_level=12+, time_range="2h"]
User: "What vulnerabilities were detected on affected systems?"
AI: [Uses analyze_vulnerability with affected agents]Example 2: Vulnerability Management
User: "Find all critical CVEs from 2024"
AI: [Uses filter_network_cves with severity="critical", year="2024"]
User: "Which systems are affected by CVE-2024-12345?"
AI: [Uses analyze_vulnerability with vulnerability_id]
Example 3: Performance Monitoring
User: "How is the Wazuh system performing?"
AI: [Uses get_statistics for system metrics]
User: "Show alert trends over the last 6 hours"
AI: [Uses get_alert_statistics for trend analysis]
Common Errors
"No alerts found": Check time range and filter criteria
"CVE database not found": Ensure cve_data.csv is in the project directory
"Time range exceeds limit": Reduce time range to specified maximum
"Connection refused": Verify OpenSearch is running and accessible
🚀 Quick Start with Claude Desktop
Configuration
Locate your config file:
macOS:
~/Library/Application Support/Claude/claude_desktop_config.jsonWindows:
%APPDATA%\Claude\claude_desktop_config.jsonLinux:
~/.config/Claude/claude_desktop_config.json
Add the server configuration:
{
"mcpServers": {
"AI4IA": {
"command": "python",
"args": ["/absolute/path/to/AI4IA-MCP/mcp_server.py"]
}
}
}📄 License
This project is licensed under the MIT License - see the LICENSE file for details.
Acknowledgments
mcp-wazuh-py by @cyberbalsa - This project is based on and inspired by this work on Wazuh MCP integration
GOAD (Game of Active Directory) by Orange Cyberdefense — a pentesting Active Directory lab project that provides vulnerable AD environments for practicing attack techniques.
Wazuh - Open source security platform
FastMCP - Model Context Protocol framework
OpenSearch - Search and analytics engine
Anthropic - Claude AI assistant
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/RezzFayyazi/AI4IA-MCP-Server'
If you have feedback or need assistance with the MCP directory API, please join our Discord server