Active Response in Wazuh

What is active response?

Active response is an essential feature of any security system, and Wazuh provides powerful capabilities for active response. Active response is the process of responding automatically to security events, such as blocking IP addresses or terminating malicious processes. In this blog post, we will explore the active response capabilities of Wazuh and how they can help organizations improve their security posture.

Overview of Active Response in Wazuh

Wazuh provides several active response capabilities, including blocking IP addresses, terminating processes, and creating firewall rules. These active response capabilities can be configured to trigger automatically when specific security events occur. This helps organizations to respond quickly to security incidents and minimize the impact of attacks.

Custom Active Response Scripts

In addition to the built-in active response capabilities, Wazuh also supports custom active response scripts. This enables organizations to create their own scripts to perform specific actions based on security events. For example, an organization might create a custom script to disable a user account when Wazuh detects that the user has attempted to log in with incorrect credentials multiple times.
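A minimal custom active-response script of the kind described above, written here as an added example rather than taken from Wazuh: it reads the JSON message that wazuh-execd passes on stdin, answers the check_keys handshake, and locks the account named in the alert with usermod -L, unlocking it again on the delete command sent when the response timeout expires. The script name disable-account.py, the constructed sample alert and its rule id, and the use of the dstuser field for the targeted account are assumptions, not Wazuh's own conventions.

```python
import json
import re
import subprocess
import sys
# Added example, not Wazuh's own script: locks the account targeted by
# repeated failed logins. Assumes the decoder stored that account in dstuser.
LOG = "/var/ossec/logs/active-responses.log"
USERNAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}$")

# Constructed stand-in for the JSON line wazuh-execd writes to the script's stdin.
SAMPLE_ADD = json.dumps({
    "version": 1, "origin": {"name": "node01", "module": "wazuh-execd"}, "command": "add",
    "parameters": {"extra_args": [], "program": "disable-account.py",
                   "alert": {"rule": {"id": "000000", "level": 10},  # placeholder rule id
                             "data": {"srcip": "203.0.113.7", "dstuser": "jdoe"}}}})

def parse_message(line):
    """Return (command, alert, extra_args) from an execd JSON message."""
    msg = json.loads(line)
    params = msg.get("parameters", {})
    return msg["command"], params.get("alert", {}), params.get("extra_args", [])

def target_user(alert):
    """Account the failed logins were aimed at; srcuser is the fallback."""
    data = alert.get("data", {})
    return data.get("dstuser") or data.get("srcuser")

def build_command(command, user):
    """'add' locks the account; 'delete' (sent when the timeout ends) unlocks it."""
    if command not in ("add", "delete") or not user or not USERNAME.match(user):
        return None  # refuse anything that is not a plain local username
    return ["usermod", "-L" if command == "add" else "-U", user]

def check_keys(user):
    """Handshake: execd replies 'continue' unless this key is already being handled."""
    print(json.dumps({"version": 1, "origin": {"name": "disable-account", "module": "active-response"},
                      "command": "check_keys", "parameters": {"keys": [user]}}), flush=True)
    return json.loads(sys.stdin.readline()).get("command") == "continue"

def main():
    command, alert, _ = parse_message(sys.stdin.readline())
    argv = build_command(command, target_user(alert))
    if argv is None or (command == "add" and not check_keys(argv[-1])):
        return 0
    with open(LOG, "a") as log:  # record what was done next to Wazuh's own AR log
        log.write(f"{' '.join(argv)} rule={alert.get('rule', {}).get('id')}\n")
    return subprocess.run(argv, check=False).returncode

if __name__ == "__main__":
    sys.exit(main())
```

Deployed under /var/ossec/active-response/bin/ and referenced from a <command> and <active-response> block in ossec.conf, the same script handles both the add and the timed delete, so the lock is automatically reversed after the configured timeout.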

Default active responses on endpoints

For Windows endpoints:

Netsh: Blocks an IP address using netsh.
Restart-wazuh: Restarts the Wazuh agent.
Route-null: Adds an IP address to a null route.

For Linux endpoints:

Disable-account: Disables a user account.
Firewall-drop: Adds an IP address to the iptables deny list.
Firewalld-drop: Adds an IP address to the firewalld drop list. Requires firewalld installed on the endpoint.
Host-deny: Adds an IP address to the /etc/hosts.deny file.
IP-customblock: Custom Wazuh block, easily modifiable for a custom response.
IPFW: Firewall-drop response script created for IPFW. Requires IPFW installed on the endpoint.
NPF: Firewall-drop response script created for NPF. Requires NPF installed on the endpoint.
Wazuh-slack: Posts notifications on Slack. Requires a Slack hook URL passed via extra_args.
PF: Firewall-drop response script created for PF. Requires PF installed on the endpoint.
Restart.sh: Restarts the Wazuh agent or manager.
Restart-wazuh: Restarts the Wazuh agent or manager.
Route-null: Adds an IP address to a null route.
Kaspersky: Integration of Wazuh agents with Kaspersky Endpoint Security. This uses the Kaspersky Endpoint Security for Linux CLI to execute relevant commands based on a trigger.

Conclusion

Active response is a critical component of any security system, and Wazuh provides powerful capabilities for active response. Blocking IP addresses, terminating processes, and creating firewall rules are just a few of the active response capabilities provided by Wazuh. These features can be configured to trigger automatically when specific security events occur, enabling organizations to respond quickly to security incidents and minimize the impact of attacks. Additionally, custom active response scripts provide flexibility for organizations to create their own scripts to perform specific actions based on security events. By leveraging the active response capabilities of Wazuh, organizations can improve their security posture and protect their assets from threats.
