Default active response scripts
This section lists out-of-the-box active response scripts for the following operating systems:
Linux, macOS, and Unix-based endpoints
The table below lists out-of-the-box active response scripts for:
Linux/Unix endpoints located in the Wazuh agent
/var/ossec/active-response/bin
directory.macOS endpoints located in the Wazuh agent
/Library/Ossec/active-response/bin
directory.
Click on the name of each active response to open its source code.
Name of script |
Description |
---|---|
Disables a user account |
|
Adds an IP address to the iptables deny list. |
|
Adds an IP address to the firewalld drop list. Requires firewalld installed on the endpoint. |
|
Adds an IP address to the |
|
Custom Wazuh block, easily modifiable for a custom response. |
|
Firewall-drop response script created for IPFW. Requires IPFW installed on the endpoint. |
|
Firewall-drop response script created for NPF. Requires NPF installed on the endpoint. |
|
Posts notifications on Slack. Requires a slack hook URL passed as an |
|
Firewall-drop response script created for PF. Requires PF installed on the endpoint. |
|
Restarts the Wazuh agent or manager. |
|
Restarts the Wazuh agent or manager. |
|
Adds an IP address to a null route. |
|
Integration of Wazuh agents with Kaspersky endpoint security. This uses Kaspersky Endpoint Security for Linux CLI to execute relevant commands based on a trigger. |
Windows endpoints
The table below lists out-of-the-box scripts for Windows endpoints, located in the Wazuh agent C:\Program Files (x86)\ossec-agent\active-response\bin
directory. Click on the name of each script to see its source code.
Name of script |
Description |
---|---|
Blocks an IP address using |
|
Restarts the Wazuh agent. |
|
Adds an IP address to null route. |