# VM104 — Wazuh SIEM

| Item | Value |
|------|-------|
| **IP LAN** | `10.10.10.104` |
| **SSH WAN** | `95.216.14.146:2504` |
| **Hostname** | wazuh |
| **URL** | Wazuh Dashboard (LAN / Traefik) |

## Role

- SIEM / in-depth security analysis
- Alerts → VM122 Desk (Spec 002)
- Deep link from Ops Console (Spec 019)

## In the Git repo (CT130)

**There is no `deploy/vm104/` folder**: VM104 is the upstream Wazuh product. The integration is documented in:

```
specs/002-wazuh-integration/spec.md
specs/019-ops-console-active-operations/spec.md   (Wazuh deep link)
specs/027-desk-rbac-function-matrix/spec.md       (security_analyst, noc)
```

## Flow

```
Agents → VM104 Wazuh → webhook/API → VM122 Desk → ticket/CH-*
Ops Console (VM123) → deep-link → VM104 dashboard (in-depth SIEM)
```

## Desk roles with Wazuh access

| Role | Wazuh |
|--------|-------|
| `security_analyst` | ✅ full |
| `noc` | ✅ read + deep-link |
| `ops_lead` | 🔗 deep-link |

## Next sync

- Export custom rules/decoders to `docs/vms/VM104-rules/` in the repo
- Document the Wazuh Traefik URL in `docs/network/`