Default active response scripts
This section lists out-of-the-box active response scripts for the following operating systems:
Linux, macOS, and Unix-based endpoints
The table below lists out-of-the-box active response scripts for:

- Linux/Unix endpoints, located in the ThreatLockDown agent `/var/ossec/active-response/bin` directory.
- macOS endpoints, located in the ThreatLockDown agent `/Library/Ossec/active-response/bin` directory.
Click on the name of each active response to open its source code.
| Name of script | Description |
|---|---|
| | Disables a user account. |
| | Adds an IP address to the iptables deny list. |
| | Adds an IP address to the firewalld drop list. Requires firewalld installed on the endpoint. |
| | Adds an IP address to the |
| | Custom ThreatLockDown block, easily modifiable for a custom response. |
| | Firewall-drop response script created for IPFW. Requires IPFW installed on the endpoint. |
| | Firewall-drop response script created for NPF. Requires NPF installed on the endpoint. |
| | Posts notifications on Slack. Requires a Slack hook URL passed as an |
| | Firewall-drop response script created for PF. Requires PF installed on the endpoint. |
| | Restarts the ThreatLockDown agent or manager. |
| | Restarts the ThreatLockDown agent or manager. |
| | Adds an IP address to a null route. |
| | Integration of ThreatLockDown agents with Kaspersky Endpoint Security. Uses the Kaspersky Endpoint Security for Linux CLI to execute the relevant commands based on a trigger. |
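The null-route and custom-block entries above say what a response script does but not what one looks like. The script below is an added example written for this page, not one of the shipped scripts: it accepts an alert, validates the source IP, and adds a blackhole route when the response fires or removes it when the response's timeout expires. The stdin layout it expects (one JSON document with `command` set to `add` or `delete` and the alert under `parameters.alert`) is an assumption, not something this page specifies; confirm the agent's actual invocation contract before deploying anything like it. The sample message is constructed, not a captured alert.

```python
#!/usr/bin/env python3
"""Custom null-route active response (added illustration, not a shipped script).

Assumed protocol (an assumption, not stated on this page): the agent starts the
script and writes one JSON document to stdin, with "command" set to "add" when
the rule fires or "delete" when the response's timeout expires, and the
triggering alert under "parameters" -> "alert". The action itself follows the
table entry "Adds an IP address to a null route".
"""
import ipaddress
import json
import subprocess
import sys


def extract_srcip(message: dict) -> str:
    """Return the alert's source IP as a normalised string.

    Raises ValueError for a missing field, an unparsable address, or an
    address that must never be blackholed (loopback, unspecified, link-local),
    so a crafted alert cannot make the endpoint cut itself off.
    """
    try:
        raw = message["parameters"]["alert"]["data"]["srcip"]
    except (KeyError, TypeError):
        raise ValueError("alert carries no data.srcip") from None
    addr = ipaddress.ip_address(str(raw))  # rejects anything that is not an IP literal
    if addr.is_loopback or addr.is_unspecified or addr.is_link_local:
        raise ValueError(f"refusing to null-route {addr}")
    return str(addr)


def route_command(command: str, ip: str) -> list:
    """Build the iproute2 argv for adding or removing the blackhole route.

    The argv is handed to subprocess without a shell, and `ip` only ever sees
    a value that ipaddress already accepted, so alert content cannot smuggle
    extra arguments into the command.
    """
    if command == "add":
        verb = "add"
    elif command == "delete":
        verb = "del"
    else:
        raise ValueError(f"unsupported command {command!r}")
    family = "-6" if ipaddress.ip_address(ip).version == 6 else "-4"
    return ["ip", family, "route", verb, "blackhole", ip]


def handle(message: dict, execute: bool = False) -> list:
    """Decide what to run for one incoming message; run it only if execute=True."""
    argv = route_command(message.get("command"), extract_srcip(message))
    if execute:
        subprocess.run(argv, check=True)
    return argv


# Constructed sample message used for the dry run below (not a real captured alert).
SAMPLE_ADD = {
    "command": "add",
    "parameters": {"alert": {"data": {"srcip": "203.0.113.7"}}},
}

if __name__ == "__main__":
    # Real invocation: the agent supplies the message on stdin and the script
    # runs as root. With no piped input, or with --dry-run, the command is only
    # printed, never executed.
    dry_run = "--dry-run" in sys.argv[1:] or sys.stdin.isatty()
    message = SAMPLE_ADD if sys.stdin.isatty() else json.load(sys.stdin)
    try:
        print(" ".join(handle(message, execute=not dry_run)))
    except (ValueError, subprocess.CalledProcessError) as exc:
        print(f"active-response: {exc}", file=sys.stderr)
        sys.exit(1)
```

Run it as `python3 null-route.py --dry-run < alert.json` to see the exact `ip route` invocation without touching the routing table. The validation step is the part worth copying into any custom block: a response script runs with root privileges on the endpoint, so every value taken from the alert must be checked before it reaches a privileged command.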
Windows endpoints
The table below lists out-of-the-box scripts for Windows endpoints, located in the ThreatLockDown agent `C:\Program Files (x86)\ossec-agent\active-response\bin` directory. Click on the name of each script to see its source code.

| Name of script | Description |
|---|---|
| | Blocks an IP address using |
| | Restarts the ThreatLockDown agent. |
| | Adds an IP address to a null route. |