Default active response scripts

This section lists out-of-the-box active response scripts for the following operating systems:

Linux, macOS, and Unix-based endpoints

The table below lists out-of-the-box active response scripts for:

  • Linux/Unix endpoints located in the Wazuh agent /var/ossec/active-response/bin directory.

  • macOS endpoints located in the Wazuh agent /Library/Ossec/active-response/bin directory.

Click on the name of each active response to open its source code.

Name of script

Description

disable-account

Disables a user account

firewall-drop

Adds an IP address to the iptables deny list.

firewalld-drop

Adds an IP address to the firewalld drop list. Requires firewalld installed on the endpoint.

host-deny

Adds an IP address to the /etc/hosts.deny file.

ip-customblock

Custom Wazuh block, easily modifiable for a custom response.

ipfw

Firewall-drop response script created for IPFW. Requires IPFW installed on the endpoint.

npf

Firewall-drop response script created for NPF. Requires NPF installed on the endpoint.

wazuh-slack

Posts notifications on Slack. Requires a slack hook URL passed as an extra_args.

pf

Firewall-drop response script created for PF. Requires PF installed on the endpoint.

restart.sh

Restarts the Wazuh agent or manager.

restart-wazuh

Restarts the Wazuh agent or manager.

route-null

Adds an IP address to a null route.

kaspersky

Integration of Wazuh agents with Kaspersky endpoint security. This uses Kaspersky Endpoint Security for Linux CLI to execute relevant commands based on a trigger.

Windows endpoints

The table below lists out-of-the-box scripts for Windows endpoints, located in the Wazuh agent C:\Program Files (x86)\ossec-agent\active-response\bin directory. Click on the name of each script to see its source code.

Name of script

Description

netsh.exe

Blocks an IP address using netsh.

restart-wazuh.exe

Restarts the Wazuh agent.

route-null.exe

Adds an IP address to null route.