Wazuh Docs
    Wazuh Docs
    • Product
    • Blog
    • Cloud
    • Services
    • Community
    • Contact us
      • Getting started
        • Components
          • Wazuh agent
          • Wazuh server
          • Elastic Stack
        • Architecture
        • Use cases
          • Log data analysis
          • File integrity monitoring
          • Rootkits detection
          • Active response
          • Configuration assessment
          • System inventory
          • Vulnerability detection
          • Cloud security monitoring
          • Containers security monitoring
          • Regulatory compliance
      • Installation guide
        • Requirements
        • Wazuh server
          • All-in-one deployment
            • Unattended installation
            • Step-by-step installation
          • Distributed deployment
            • Unattended installation
              • Elasticsearch & Kibana unattended installation
              • Wazuh server unattended installation
            • Step-by-step installation
              • Elasticsearch cluster
              • Wazuh cluster
              • Kibana
        • Wazuh agent
          • Linux
          • Windows
          • macOS
          • AIX
          • HP-UX
          • Solaris
          • Deployment variables
            • Linux
            • Windows
            • macOS
            • AIX
        • Packages list
        • More installation alternatives
          • Wazuh with Elastic Stack basic license
            • All-in-one deployment
              • Unattended installation
              • Step-by-step installation
            • Distributed deployment
              • Unattended installation
              • Step-by-step installation
          • Wazuh with Splunk
            • Wazuh cluster installation
            • Install Splunk in single-instance mode
            • Installing & Configuring Splunk Cluster
            • Install the Wazuh app for Splunk
            • Setting up reverse proxy configuration for Splunk
            • Customize agents status indexation
          • Wazuh installation from sources
            • Installing Wazuh server from sources
            • Installing Wazuh agent from sources
      • Upgrade guide
        • Upgrading the Wazuh manager
        • Upgrade Elasticsearch, Filebeat and Kibana
          • Upgrading Open Distro for Elasticsearch
          • Upgrading Elastic Stack basic license
        • Upgrading the Wazuh agent
        • Upgrading from a legacy version
          • Upgrading the Wazuh server
            • Upgrading the Wazuh server from 2.x to 3.x
              • Restore the Wazuh alerts from Wazuh 2.x
            • Upgrading the Wazuh server from 1.x to 2.x
          • Upgrading Elastic Stack
            • Upgrading Elastic Stack from 6.8 to 7.x
            • Upgrading Elastic Stack from 6.x to 6.8
            • Upgrading Elastic Stack from 2.x to 5.x
          • Upgrading the Wazuh agent
            • Upgrading the Wazuh agent from 2.x to 3.x
            • Upgrading the Wazuh agent from 1.x to 2.x
        • Compatibility matrix
      • User manual
        • Overview
        • Wazuh server administration
          • Remote service
          • Defining an alert level threshold
          • Integration with external APIs
          • Configuring syslog output
          • Configuring database output
          • Generating automatic reports
          • Configuring email alerts
            • SMTP server with authentication
        • Certificates deployment
        • Registering Wazuh agents
          • Registering the Wazuh agents using the command line (CLI)
          • Registering the Wazuh agents using the Wazuh API
          • Registration service with password authorization
          • Registration service with host verification
          • Registering Wazuh agents - additional information
          • Registering Wazuh agents - Troubleshooting
        • Agent management
          • Agent life cycle
          • Listing agents
            • Listing agents using the CLI
            • Listing agents using the Wazuh API
            • Listing agents using the Wazuh app
          • Removing agents
            • Remove agents using the CLI
            • Remove agents using the Wazuh API
          • Checking connection with Manager
          • Grouping agents
          • Remote upgrading
            • Upgrading agent
            • Agent upgrade module
            • Adding a custom repository
            • Custom WPK packages creation
              • WPK
              • Generate WPK packages manually
            • Installing a custom WPK package
            • WPK List
        • Deploying a Wazuh cluster
          • Basics
          • Agents connections
          • Cluster management
        • Capabilities
          • Log data collection
            • How it works
            • How to collect Windows logs
            • Configuration
            • FAQ
          • File integrity monitoring
            • How it works
            • Configuration
          • Auditing who-data
            • Auditing who-data in Linux
            • Auditing who-data in Windows
            • Manual configuration of the Local Audit Policies in Windows
          • Anomaly and malware detection
            • How it works
            • Configuration
            • FAQ
          • Security Configuration Assessment
            • What is SCA
            • How SCA works
            • How to configure SCA
            • Creating custom SCA policies
            • Use case: Getting an alert when a check changes its result value
          • Monitoring security policies
            • Rootcheck
              • How it works
              • Configuration
              • FAQ
            • OpenSCAP
              • How it works
              • Configuration
              • FAQ
            • CIS-CAT integration
          • Monitoring system calls
            • How it works
            • Configuration
          • Command monitoring
            • How it works
            • Configuration
            • FAQ
          • Active response
            • How it works
            • Configuration
            • Custom Active Response
            • Use cases
              • Blocking attacks with Active Response
              • How to integrate Wazuh with YARA
              • Detecting and removing malware
            • FAQ
          • Agentless monitoring
            • How it works
            • Configuration
            • FAQ
          • Anti-flooding mechanism
          • Agent labels
          • System inventory
          • Vulnerability detection
            • How it works
            • Compatibility matrix
            • Running a vulnerability scan
            • Offline Update
            • Scan vulnerabilities on unsupported systems
            • CPE Helper
          • VirusTotal integration
            • About VirusTotal
            • How it works
          • Osquery
          • Agent key polling
          • Fluentd forwarder
          • Wazuh-Logtest
            • How it works
            • Configuration
            • FAQ
        • Ruleset
          • Getting started
          • Update ruleset
          • JSON decoder
          • Custom rules and decoders
          • Dynamic fields
          • Ruleset XML syntax
            • Decoders Syntax
            • Rules Syntax
            • Regular Expression Syntax
            • Perl-compatible Regular Expressions
            • Sibling Decoders
          • Testing decoders and rules
          • Using CDB lists
          • Enhancing with MITRE
          • Contribute to the ruleset
          • Rules classification
        • RESTful API
          • Getting started
          • Configuration
          • Securing the Wazuh API
          • Migrating from the Wazuh API 3.X
          • Role-Based Access Control
            • How it works
            • Configuration
            • Authorization Context
            • RBAC Reference
          • Filtering data using queries
          • Examples
          • Reference
        • Wazuh Kibana plugin
          • Setting up the Wazuh Kibana plugin
          • Wazuh Kibana plugin features
            • App overview
            • Ruleset
            • Settings
            • Dev tools
            • Reporting
            • Index pattern selector
            • Download as CSV
            • Query configuration
          • Troubleshooting
          • Reference
            • Configuration file
            • Elasticsearch indices
            • Configure the name of Elasticsearch indices
            • Create a custom dashboard
        • Reference
          • Local configuration (ossec.conf)
            • active-response
            • agentless
            • agent-upgrade
            • alerts
            • auth
            • client
            • client_buffer
            • cluster
            • command
            • database_output
            • email_alerts
            • global
            • integration
            • labels
            • localfile
            • logging
            • remote
            • reports
            • rootcheck
            • sca
            • rule_test
            • ruleset
            • socket
            • syscheck
            • syslog_output
            • task-manager
            • fluent-forward
            • gcp-pubsub
            • wodle name=”open-scap”
            • wodle name=”command”
            • wodle name=”cis-cat”
            • wodle name=”aws-s3”
            • wodle name=”syscollector”
            • vulnerability-detector
            • wodle name=”osquery”
            • wodle name=”docker-listener”
            • wodle name=”azure-logs”
            • wodle name=”agent-key-polling”
            • Verifying configuration
          • Centralized configuration (agent.conf)
          • Internal configuration
          • Daemons
            • wazuh-agentd
            • wazuh-agentlessd
            • wazuh-analysisd
            • wazuh-authd
            • wazuh-csyslogd
            • wazuh-dbd
            • wazuh-execd
            • wazuh-logcollector
            • wazuh-maild
            • wazuh-monitord
            • wazuh-remoted
            • wazuh-reportd
            • wazuh-syscheckd
            • wazuh-clusterd
            • wazuh-modulesd
            • wazuh-db
            • Tables available for wazuh-db
            • wazuh-integratord
          • Tools
            • agent-auth
            • agent_control
            • manage_agents
            • wazuh-control
            • wazuh-logtest
            • clear_stats
            • wazuh-regex
            • update_ruleset
            • verify-agent-conf
            • agent_groups
            • agent_upgrade
            • cluster_control
            • fim_migrate
          • Unattended Installation
          • Statistics files
            • wazuh-agentd.state
            • wazuh-remoted.state
            • wazuh-analysisd.state
            • wazuh-logcollector.state
        • Elasticsearch tuning
        • Uninstalling the Wazuh components
          • Uninstalling Wazuh with Open Distro for Elasticsearch
          • Uninstalling Wazuh with Elastic Stack
      • Cloud service
        • Getting started
          • Sign up for a trial
          • Access Wazuh WUI
          • Register agents
          • Cloud service FAQ
        • Your environment
          • Authentication and authorization
          • Cancellation
          • Monitor usage
          • Forward syslog events
          • Agents without Internet access
          • SMTP configuration
          • Technical FAQ
        • Account and billing
          • Edit user settings
          • Add your billing details
          • See your billing cycle and history
          • Update billing and operational contacts
          • Stop charges for an environment
          • Billing FAQ
        • Cold storage
          • Configuration
          • Filename format
          • Access
        • Wazuh Cloud API
          • Authentication
          • Reference
        • CLI
        • Glossary
      • Development
        • Client keys file
        • Standard OSSEC message format
        • Makefile options
        • Wazuh Cluster
        • Wazuh packages generation guide
          • AIX
          • Debian
          • HPUX
          • Wazuh Kibana plugin
          • macOS
          • RPM
          • Solaris
          • Splunk App
          • Virtual machine
          • Windows
          • WPK
        • Wazuh-Logtest
      • Containers
        • Docker
          • Docker installation
          • Wazuh Docker deployment
          • Wazuh Docker utilities
          • Upgrade Guide (3.x to 4.0)
          • FAQ
        • Deploying with Kubernetes
          • Kubernetes configuration
          • Upgrade Wazuh installed in Kubernetes
          • Clean Up
          • Deployment on local environment
      • Deployment
        • Deploying with Puppet
          • Set up Puppet
            • Installing Puppet master
            • Installing Puppet agent
            • PuppetDB installation (Optional)
            • Setting up Puppet certificates
          • Wazuh Puppet module
            • Wazuh agent class
            • Wazuh manager class
        • Deploying with Ansible
          • Installation Guide
            • Install Ansible
            • Install Wazuh Manager
            • Install Elastic Stack Server
            • Install Wazuh Agent
          • Remote Hosts Connection
          • Roles
            • Wazuh Manager
            • Filebeat
            • Elasticsearch
            • Kibana
            • Wazuh Agent
          • Variables references
        • Virtual Machine (OVA)
      • Compliance
        • Using Wazuh for PCI DSS
          • Log analysis
          • Policy monitoring
          • Rootkit detection
          • File integrity monitoring
          • Active response
          • Elastic Stack
        • Using Wazuh for GDPR
          • GDPR II, Principles <gdpr_II>
          • GDPR III, Rights of the data subject <gdpr_III>
          • GDPR IV, Controller and processor <gdpr_IV>
      • Monitoring with Wazuh
        • Using Wazuh to monitor AWS
          • Monitoring AWS instances
          • Monitoring AWS based services
            • Prerequisites
              • Configuring an S3 Bucket
              • Configuring AWS credentials
              • Installing dependencies
              • Considerations for configuration
            • Supported services
              • AWS CloudTrail
              • Amazon VPC
              • AWS Config
              • Amazon ALB
              • Amazon CLB
              • Amazon NLB
              • AWS Key Management Service
              • Amazon Macie
              • AWS Trusted Advisor
              • Amazon GuardDuty
              • Amazon WAF
              • Amazon Inspector
              • AWS CloudWatch Logs
              • Cisco Umbrella
            • Troubleshooting
        • Using Wazuh to monitor Microsoft Azure
          • Monitoring Instances
          • Monitoring Activity
          • Monitoring Services
        • Using Wazuh to monitor Docker
          • Monitoring Docker server
          • Monitoring containers activity
        • Using Wazuh to monitor GCP services
          • Prerequisites
            • Installing dependencies
            • Configuring GCP credentials
            • Configuring Google Cloud Pub/Sub
            • Considerations for configuration
          • Configuration
          • Supported services
      • Migrating from OSSEC
        • Migrating OSSEC server
        • Migrating OSSEC agent
      • Learning Wazuh
        • Prepare your Wazuh Lab Environment
          • Build the Wazuh Lab VPC
          • Launch the EC2 instances
          • Establish access to your EC2 instances
          • Install Wazuh server Components
          • Install the Elastic Stack
          • Configure X-Pack Security
          • Install the Linux Wazuh agents
          • Install the Windows Wazuh agent
        • Detect an SSH brute-force attack
        • Detect an RDP brute force attack
        • Expose hiding processes
        • Detect filesystem changes
        • Change the rules
        • Survive a log flood
        • Detect and react to a Shellshock attack
        • Keep watch for malicious command execution
        • Catch suspicious network traffic
        • Track down vulnerable applications
      • Release notes
        • 4.2.4 Release notes
        • 4.2.3 Release notes
        • 4.2.2 Release notes
        • 4.2.1 Release notes
        • 4.2.0 Release notes
        • 4.1.5 Release notes
        • 4.1.4 Release notes
        • 4.1.3 Release notes
        • 4.1.2 Release notes
        • 4.1.1 Release notes
        • 4.1.0 Release notes
        • 4.0.4 Release notes
        • 4.0.3 Release notes
        • 4.0.2 Release notes
        • 4.0.1 Release notes
        • 4.0.0 Release notes
        • 3.13.3 Release notes
        • 3.13.2 Release notes
        • 3.13.1 Release notes
        • 3.13.0 Release notes
        • 3.12.3 Release notes
        • 3.12.2 Release notes
        • 3.12.1 Release notes
        • 3.12.0 Release notes
        • 3.11.4 Release notes
        • 3.11.3 Release notes
        • 3.11.2 Release notes
        • 3.11.1 Release notes
        • 3.11.0 Release notes
        • 3.10.2 Release notes
        • 3.10.1 Release notes
        • 3.10.0 Release notes
        • 3.9.5 Release notes
        • 3.9.4 Release notes
        • 3.9.3 Release notes
        • 3.9.2 Release notes
        • 3.9.1 Release notes
        • 3.9.0 Release notes
        • 3.8.2 Release notes
        • 3.8.1 Release notes
        • 3.8.0 Release notes
        • 3.7.2 Release notes
        • 3.7.1 Release notes
        • 3.7.0 Release notes
        • 3.6.1 Release notes
        • 3.6.0 Release notes
        • 3.5.0 Release notes
        • 3.4.0 Release notes
        • 3.3.1 Release notes
        • 3.3.0 Release notes
        • 3.2.4 Release notes
        • 3.2.3 Release notes
        • 3.2.2 Release notes
        • 3.2.1 Release notes
        • 3.2.0 Release notes
        • 3.1.0 Release notes
        • 3.0.0 Release notes
        • 2.1 Release notes
      Open source community Professional services
      Edit on GitHub
      • Documentation
      • User manual
      • Capabilities
      • Active response

      Active response

      Active responses perform various countermeasures to address active threats, such as blocking access to an agent from the threat source when certain criteria are met.

      Active responses execute a script in response to the triggering of specific alerts based on the alert level or rule group. Any number of scripts can be initiated in response to a trigger, however, these responses should be considered carefully. Poor implementation of rules and responses may increase the vulnerability of the system.

      Contents

      • How it works
        • When is an active response triggered?
        • Where are active response actions executed?
        • Active response configuration
        • Default Active response scripts
      • Configuration
        • Basic usage
        • Windows automatic remediation
        • Block an IP with PF
        • Add an IP to the iptables deny list
        • Active response for a specified period of time
        • Active response that will not be undone
      • Custom Active Response
      • Use cases
        • Blocking attacks with Active Response
        • How to integrate Wazuh with YARA
        • Detecting and removing malware
      • FAQ
        • What’s new in Active Response?
        • Will active response continue working after upgrading to Wazuh v4.2.0?
        • Will the active response alerts continue to be the same?
        • Can I share custom Active Response scripts using centralized configuration?
        • Can I configure active responses for only one host?
        • Can an active response remove the action after a period of time?
      FAQ How it works
      © 2021 · Wazuh Inc.