Default active response scripts
This section lists out-of-the-box active response scripts for the following operating systems:
Linux, macOS, and Unix-based endpoints
The table below lists out-of-the-box active response scripts for:
- Linux/Unix endpoints, located in the Wazuh agent /var/ossec/active-response/bin directory.
- macOS endpoints, located in the Wazuh agent /Library/Ossec/active-response/bin directory.
Click on the name of each active response to open its source code.
| Name of script | Description | 
|---|---|
| | Disables a user account. |
| | Adds an IP address to the iptables deny list. |
| | Adds an IP address to the firewalld drop list. Requires firewalld installed on the endpoint. |
| | Adds an IP address to the  |
| | Custom Wazuh block, easily modifiable for a custom response. |
| | Firewall-drop response script created for IPFW. Requires IPFW installed on the endpoint. |
| | Firewall-drop response script created for NPF. Requires NPF installed on the endpoint. |
| | Posts notifications on Slack. Requires a slack hook URL passed as an  |
| | Firewall-drop response script created for PF. Requires PF installed on the endpoint. |
| | Restarts the Wazuh agent or manager. |
| | Restarts the Wazuh agent or manager. |
| | Adds an IP address to a null route. |
| | Integration of Wazuh agents with Kaspersky endpoint security. This uses Kaspersky Endpoint Security for Linux CLI to execute relevant commands based on a trigger. |
Windows endpoints
The table below lists out-of-the-box scripts for Windows endpoints, located in the Wazuh agent C:\Program Files (x86)\ossec-agent\active-response\bin directory. Click on the name of each script to see its source code.
| Name of script | Description | 
|---|---|
| | Blocks an IP address using  |
| | Restarts the Wazuh agent. |
| | Adds an IP address to null route. |