Active Response in Wazuh

On November 8, 2023


What is active response?


Active response is the part of a security platform that acts on a detection automatically instead of only raising an alert: blocking a source IP address, disabling an account, killing a process. Wazuh ships with this capability. In this post we look at what Wazuh's active response can do, which response scripts come with the agent, and how custom scripts let you react to events in whatever way your environment needs.


Overview of Active Response in Wazuh


A Wazuh active response pairs a command (a script present on the endpoint) with a trigger (one or more rule IDs, rule groups, or a minimum alert level). When a matching alert fires, the manager instructs the chosen agent, or every agent, to run the script; if a timeout is configured, the script is run again in "delete" mode when the timeout expires so the action is undone. The scripts that ship with Wazuh mostly block source IP addresses (firewall rules, null routes, hosts.deny entries) or disable accounts; anything else, such as terminating a process, is done with a custom script. Responding within seconds rather than when an analyst gets to the alert is what limits the impact of an attack, but the same automation can lock out legitimate users or block a shared address, so triggers and timeouts deserve care.
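As an added example (not from the original post), this is what that wiring looks like in the manager's /var/ossec/etc/ossec.conf. The command block declares the firewall-drop script that ships with the Linux agent; the active-response block ties it to rule 5712, Wazuh's sshd brute-force rule, runs it on the agent that raised the alert, and undoes the block after 600 seconds. The rule ID, location and timeout are the settings to adapt to your environment.

```xml
<ossec_config>
  <!-- Which script may run. The executable name is looked up in the agent's
       active-response/bin directory; on Windows it would be netsh.exe. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- When to run it: rule 5712 (sshd brute force), on the agent that
       produced the alert, reverted 600 seconds later. -->
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

`local` runs the script only on the agent that produced the alert; `all` pushes it to every agent, which is how one spoofed or shared source address becomes a fleet-wide block, so start local and add scope deliberately. Without `<timeout>` the block is permanent until someone removes it by hand.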


Custom Active Response Scripts


In addition to the built-in scripts, Wazuh runs custom active response scripts. Any executable placed in the agent's active-response/bin directory and declared in a command block on the manager can be triggered the same way as the built-in ones. The script receives the triggering alert as JSON on standard input, so it can act on whatever the alert carries: source IP, user name, file path, process ID. For example, an organization might write a script that disables a user account once Wazuh has seen several failed logins for that account in a short period, and re-enables it when the response timeout expires.
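The account-lockout script described above, as an added example that is not Wazuh's own disable-account script. It implements the stdin/stdout JSON protocol Wazuh 4.x uses for active-response scripts: execd on the agent writes one JSON line whose "command" is "add" (the alert fired) or "delete" (the timeout expired) together with the alert; on "add" the script answers with a "check_keys" message and waits for "continue" or "abort" before acting. LOG_FILE is the real agent-side log path. The alert field data.dstuser is what the stock sshd decoders fill for a failed login; that, the PROTECTED_USERS list and the SAMPLE_ADD message are assumptions of this example, as is the name lock-account.

```python
#!/usr/bin/env python3
"""Custom Wazuh active response: lock a local account after repeated failed
logins, unlock it when the response times out.

Added example, not Wazuh's stock disable-account script. It speaks the JSON
protocol Wazuh 4.x uses for active-response scripts: execd on the agent writes
one JSON line whose "command" is "add" (alert fired) or "delete" (timeout
expired) plus the triggering alert; on "add" the script answers "check_keys"
and waits for "continue" or "abort" before acting. LOG_FILE is the real
agent-side log. data.dstuser is what the stock sshd decoders fill for a
failed login (assumption: check the decoder behind the rule you trigger on).
"""
import io
import json
import re
import subprocess
import sys

LOG_FILE = "/var/ossec/logs/active-responses.log"
SCRIPT_NAME = "lock-account"
# Accounts never to lock, whatever the alert says (site policy, assumed here).
# Without it, spraying failed logins at "root" turns the response into a
# denial of service against your own administrators.
PROTECTED_USERS = {"root", "wazuh"}
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Constructed sample of an "add" message, shaped like what the manager sends.
SAMPLE_ADD = json.dumps({
    "version": 1, "command": "add",
    "origin": {"name": "node01", "module": "wazuh-analysisd"},
    "parameters": {"extra_args": [],
                   "alert": {"rule": {"id": "5712", "level": 10},
                             "data": {"srcip": "203.0.113.7", "dstuser": "bob"}}},
})

def parse_message(line):
    """Parse the one-line JSON message from the manager; reject unknown commands."""
    msg = json.loads(line)
    if msg.get("command") not in ("add", "delete"):
        raise ValueError("unexpected command: %r" % msg.get("command"))
    return msg

def target_user(msg):
    """Return the account to act on, or None if there is nothing safe to do.
    The name came from an attacker-controlled log line, so it must match a
    strict pattern before it is handed to usermod."""
    alert = msg.get("parameters", {}).get("alert", {})
    user = alert.get("data", {}).get("dstuser")
    if not user or user in PROTECTED_USERS or not USERNAME_RE.match(user):
        return None
    return user

def check_keys_message(keys):
    """Build the check_keys reply; execd uses the keys to skip a response that
    is already active for the same target while its timeout is running."""
    return json.dumps({"version": 1, "command": "check_keys",
                       "origin": {"name": SCRIPT_NAME, "module": "active-response"},
                       "parameters": {"keys": keys}})

def usermod_command(user, command):
    """usermod -L locks the password on 'add'; -U unlocks it on 'delete'."""
    return ["usermod", "-L" if command == "add" else "-U", user]

def handle(msg, stdin, stdout, run):
    """Run the protocol for one message and report what happened. stdin, stdout
    and run are injected so the logic can be exercised without a live agent."""
    user = target_user(msg)
    if user is None:
        return "skipped"
    if msg["command"] == "add":
        stdout.write(check_keys_message([user]) + "\n")
        stdout.flush()
        reply = json.loads(stdin.readline() or "{}")
        if reply.get("command") != "continue":
            return "aborted"
    run(usermod_command(user, msg["command"]), check=True)
    return "locked" if msg["command"] == "add" else "unlocked"

def dry_run(cmd, check=False):
    """Stand-in for subprocess.run used by demo(): show the command, don't run it."""
    print("would run:", " ".join(cmd))

def demo():
    """Replay the constructed sample offline with a scripted 'continue' reply."""
    reply = io.StringIO('{"version": 1, "command": "continue"}\n')
    return handle(parse_message(SAMPLE_ADD), reply, sys.stdout, dry_run)

def main():
    """Entry point when execd launches the script on the agent."""
    msg = parse_message(sys.stdin.readline())
    result = handle(msg, sys.stdin, sys.stdout, subprocess.run)
    with open(LOG_FILE, "a") as log:
        log.write("%s: %s %s\n" % (SCRIPT_NAME, msg["command"], result))

if __name__ == "__main__":
    demo() if "--demo" in sys.argv else main()
```

Run it with --demo to see the protocol exchange without touching any account; deployed, it goes in the agent's active-response/bin directory with execute permission and a matching command block on the manager. Two caveats a practitioner should weigh: the username in the alert is attacker-chosen, so the strict pattern and the protected list are not optional, and usermod -L only locks the password (the same effect as passwd -l in the stock script), so a user who holds an authorized SSH key can still log in; if that matters, expire the account as well (usermod -e 1) on "add" and clear the expiry on "delete".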


Default active response scripts on the endpoint

These ship with the agent and live in its active-response/bin directory (/var/ossec/active-response/bin on Linux; the active-response\bin folder under the agent install directory on Windows). The script name is what goes in the executable tag of a command block on the manager.

For Windows endpoints:

- netsh.exe: Blocks an IP address using netsh (Windows Firewall).
- restart-wazuh.exe: Restarts the Wazuh agent.
- route-null.exe: Adds a null route for an IP address.

For Linux and other Unix-like endpoints (IPFW, NPF and PF are BSD firewalls):

- disable-account: Disables a user account.
- firewall-drop: Adds an IP address to the iptables deny list.
- firewalld-drop: Adds an IP address to the firewalld drop list. Requires firewalld installed on the endpoint.
- host-deny: Adds an IP address to the /etc/hosts.deny file.
- ip-customblock: Custom Wazuh block, easily modifiable for a custom response.
- ipfw: firewall-drop response script written for IPFW. Requires IPFW installed on the endpoint.
- npf: firewall-drop response script written for NPF. Requires NPF installed on the endpoint.
- wazuh-slack: Posts notifications to Slack. Requires a Slack webhook URL passed in extra_args.
- pf: firewall-drop response script written for PF. Requires PF installed on the endpoint.
- restart.sh: Restarts the Wazuh agent or manager.
- restart-wazuh: Restarts the Wazuh agent or manager.
- route-null: Adds a null route for an IP address.
- kaspersky: Integrates Wazuh agents with Kaspersky Endpoint Security. Uses the Kaspersky Endpoint Security for Linux CLI to run the relevant commands based on a trigger.


Conclusion


Active response turns Wazuh from a detector into something that can act: block a source address, disable an account, or run whatever a custom script does, automatically and within seconds of the alert. The built-in scripts cover the common cases on Windows, Linux and the BSDs, and the JSON-on-stdin interface makes custom scripts straightforward to write. Used with sensible triggers, a timeout so every action is undone, and a list of targets that must never be touched, it shortens the window an attacker has on an endpoint without creating a self-inflicted outage.

