How to configure active response

The following steps describe how to configure the active response module to perform an action on a monitored endpoint.

Configuring the ThreatLockDown server

  1. Check the configuration of the <command> block in the ThreatLockDown server /var/ossec/etc/ossec.conf configuration file. Add one if it doesn’t exist already.

    The <command> block sets the script to run in response to a trigger. When using out-of-the-box active response scripts, the <command> blocks for them are present in the ThreatLockDown server /var/ossec/etc/ossec.conf by default, and you don’t need to add them. But when using custom active response scripts, you need to add the required <command> blocks for them in between the <ossec_config> tags of the ThreatLockDown server configuration file. For example:

    <command>
      <name>host-deny</name>
      <executable>host-deny</executable>
      <timeout_allowed>yes</timeout_allowed>
    </command>
    

    Where:

    • <name>: Sets a name for the command. In this case, host-deny.

    • <executable>: Specifies the active response script or executable that must run upon a trigger. You don't need to specify the file name extension unless you have multiple scripts sharing the same name. In this case, it’s the host-deny executable.

    • <timeout_allowed>: Allows a timeout after a period of time. Setting this value to yes reverts the action after a period of time. Check stateful active response below for more details.

    Refer to the command section for more information and options used to create a command.

  2. Add an <active-response> block within the <ossec_config> tag in the same ThreatLockDown server /var/ossec/etc/ossec.conf file. The <active-response> block defines when and where a command executes. For example, when an alert meets response criteria, such as a specific rule ID, alert level, or rule group. This configuration further defines if the command action specified in the previous step executes on the ThreatLockDown agent, ThreatLockDown server, or everywhere. For example:

    <active-response>
      <command>host-deny</command>
      <location>local</location>
      <level>7</level>
      <timeout>600</timeout>
    </active-response>
    

    Where:

    • <command>: Specifies the command to configure. This is the command name defined in the previous step.

    • <location>: Specifies where the command must execute. The options are:

      • local: It runs the script on the monitored endpoint that generated the alert.

      • server: It runs the script on the ThreatLockDown server.

      • defined-agent: It runs the script on a predefined agent. Use the <agent_id> tag to specify the ID of the ThreatLockDown agent that must run the script regardless of where the event occurred. For example:

        <ossec_config>
          <active-response>
            <disabled>no</disabled>
            <command>host-deny</command>
            <location>defined-agent</location>
            <agent_id>001</agent_id>
            <level>10</level>
            <timeout>180</timeout>
          </active-response>
        </ossec_config>
        
      • all: Every ThreatLockDown agent in the environment must run the script. Use this option with caution. Incorrect configuration can cause problems in your environment.

    • <timeout>: Specifies how long the active response action is effective, in seconds.

    Refer to the active response configuration section for more information on the supported options.

  3. Restart the ThreatLockDown manager to apply all the changes made:

    $ sudo systemctl restart wazuh-manager
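Before restarting, it is worth checking that the two blocks above agree with each other: every <active-response> must name a <command> that is actually defined, a defined-agent location needs an <agent_id>, and a <timeout> only reverts the action when the command sets <timeout_allowed>yes</timeout_allowed>. The following added example (not part of this page or of the ThreatLockDown code base) parses an ossec.conf-style file and reports those inconsistencies. It assumes the file may hold several top-level <ossec_config> elements, which is why it wraps the text in a synthetic root before parsing; the sample configuration is constructed and contains one deliberately broken block.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <command> and <active-response> blocks from the page,
# plus a second <active-response> that references an undefined command and
# uses defined-agent without an <agent_id>.
SAMPLE_CONF = """
<ossec_config>
  <command>
    <name>host-deny</name>
    <executable>host-deny</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>7</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
<ossec_config>
  <active-response>
    <command>block-ip</command>
    <location>defined-agent</location>
    <level>10</level>
  </active-response>
</ossec_config>
"""

VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}


def load_ossec_conf(text):
    # ossec.conf may contain several top-level <ossec_config> elements, so it is
    # not one well-formed XML document on its own; wrap it in a synthetic root.
    return ET.fromstring("<root>" + text + "</root>")


def check_active_response(text):
    """Return a list of (severity, message) findings for the AR configuration."""
    root = load_ossec_conf(text)

    # Collect command definitions. <command> also appears as a child of
    # <active-response>, but only a definition block has a <name> child.
    commands = {}
    for cmd in root.iter("command"):
        name = cmd.findtext("name")
        if name is not None:
            commands[name.strip()] = cmd

    findings = []
    for ar in root.iter("active-response"):
        ref = (ar.findtext("command") or "").strip()
        location = (ar.findtext("location") or "").strip()
        cmd = commands.get(ref)

        if cmd is None:
            findings.append(("error", f"<active-response> references undefined command '{ref}'"))
        elif ar.findtext("timeout") is not None and \
                (cmd.findtext("timeout_allowed") or "").strip() != "yes":
            findings.append(("warning", f"'{ref}' sets <timeout> but the command lacks "
                                        "<timeout_allowed>yes</timeout_allowed>; the action will not revert"))

        if location not in VALID_LOCATIONS:
            findings.append(("error", f"'{ref}': unknown location '{location}'"))
        if location == "defined-agent" and ar.findtext("agent_id") is None:
            findings.append(("error", f"'{ref}': location defined-agent requires <agent_id>"))
        if location == "all":
            findings.append(("warning", f"'{ref}' runs on every agent; double-check its trigger"))
    return findings


if __name__ == "__main__":
    for severity, message in check_active_response(SAMPLE_CONF):
        print(f"{severity}: {message}")
```

Run it against a copy of /var/ossec/etc/ossec.conf by reading the file into check_active_response; an empty result means the command and active-response blocks are consistent with each other.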
    

Configuring the monitored endpoint

Using out-of-the-box active response scripts

No configuration is required. Check out the Default active response scripts section for more information on out-of-the-box active response scripts.

Using custom active response scripts

Linux/Unix

  1. Add your custom active response script or executable to the /var/ossec/active-response/bin directory on Linux/Unix endpoints.

  2. Change the script permissions and ownership as shown below:

    $ sudo chmod 750 /var/ossec/active-response/bin/<CUSTOM_SCRIPT>
    $ sudo chown root:wazuh /var/ossec/active-response/bin/<CUSTOM_SCRIPT>
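The page does not show what a custom script looks like, so here is an added example of one (hypothetical, not code from this page or from the ThreatLockDown project). It assumes the JSON-over-stdin protocol that Wazuh 4.x uses to drive active response scripts: the manager sends one "add" message carrying the alert, a stateful script answers with a check_keys request and waits for "continue" or "abort", and once the <timeout> expires the manager sends a matching "delete" message asking the script to revert. The script name custom-ar, the srcip key and the sample message are constructed; the actual block/unblock step is reduced to a log line where a real script would call the firewall.

```python
#!/usr/bin/env python3
# Hypothetical custom active response script. The message format below is the
# Wazuh 4.x active response protocol (an assumption of this example).
import json
import sys
from datetime import datetime, timezone

LOG_FILE = "/var/ossec/logs/active-responses.log"  # result log named on the page
SCRIPT_NAME = "custom-ar"                            # hypothetical script name
KEYS = ["srcip"]                                     # alert fields that identify the action


def parse_message(raw):
    """Validate one manager message and return (command, alert); raise ValueError otherwise."""
    msg = json.loads(raw)
    command = msg.get("command")
    if command not in ("add", "delete"):
        raise ValueError(f"unexpected command: {command!r}")
    alert = msg.get("parameters", {}).get("alert")
    if not isinstance(alert, dict):
        raise ValueError("message carries no alert object")
    return command, alert


def extract_keys(alert):
    """Pull the key values out of the alert; a missing key fails closed (no action)."""
    values = []
    for key in KEYS:
        value = alert.get("data", {}).get(key)
        if not value:
            raise ValueError(f"alert lacks data.{key}")
        values.append(str(value))
    return values


def build_check_keys(keys):
    """Handshake request a stateful script writes to stdout before acting."""
    return {"version": 1,
            "origin": {"name": SCRIPT_NAME, "module": "active-response"},
            "command": "check_keys",
            "parameters": {"keys": keys}}


def decide(command, reply):
    """Map the manager's reply to the concrete action: block, unblock or abort."""
    if command == "delete":
        return "unblock"          # <timeout> expired: revert the earlier action
    if reply.get("command") == "continue":
        return "block"
    return "abort"                # manager reports these keys are already handled


def format_log_line(action, keys, when):
    """One line in the format this script appends to active-responses.log."""
    return f"{when.isoformat()} {SCRIPT_NAME}: {action} {' '.join(keys)}"


def take_action(action, keys, log_path=LOG_FILE):
    # A real script would add or remove the firewall rule for keys[0] here;
    # this example only records what it would have done.
    line = format_log_line(action, keys, datetime.now(timezone.utc))
    with open(log_path, "a") as fh:
        fh.write(line + "\n")
    return line


def main():
    command, alert = parse_message(sys.stdin.readline())
    keys = extract_keys(alert)
    reply = {}
    if command == "add":
        # Ask the manager whether these keys are already being acted on.
        sys.stdout.write(json.dumps(build_check_keys(keys)) + "\n")
        sys.stdout.flush()
        reply = json.loads(sys.stdin.readline())
    action = decide(command, reply)
    if action != "abort":
        take_action(action, keys)


if __name__ == "__main__":
    main()
```

Install it as /var/ossec/active-response/bin/custom-ar with the chmod 750 and chown root:wazuh shown above, define a <command> whose <executable> is custom-ar and <timeout_allowed> is yes, and reference it from an <active-response> block on the server.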
    

macOS

  1. Add your custom active response script or executable to the /Library/Ossec/active-response/bin directory on macOS endpoints.

  2. Change the script permissions and ownership as shown below:

    $ sudo chmod 750 /Library/Ossec/active-response/bin/<CUSTOM_SCRIPT>
    $ sudo chown root:wazuh /Library/Ossec/active-response/bin/<CUSTOM_SCRIPT>
    

Windows

  1. Add your custom active response script or executable to the C:\Program Files (x86)\ossec-agent\active-response\bin directory on Windows endpoints.

Note

You can find the results of the execution of the active response scripts in the:

  • /var/ossec/logs/active-responses.log file on Linux endpoints.

  • /Library/Ossec/logs/active-responses.log file on macOS endpoints.

  • C:\Program Files (x86)\ossec-agent\active-response\active-responses.log file on Windows endpoints.