[Wazuh] How to limit Active-Response Concurrent number


EXP

May 29, 2019, 5:09:43 AM5/29/19
to ossec-list
Hi!

I have a scenario where Active-Response may be triggered about 100 times at the same time, e.g. syscheck file changes.

I want to limit it to under 10, with the other 90 waiting in the queue.

How can I do this?

Chema Martinez

Jun 24, 2019, 3:51:15 AM6/24/19
to ossec-list
Hi EXP,

Unfortunately, there is no option to limit active-response executions or to buffer them for now. However, to control the active-response executions you could be more precise with the rules associated with that AR.

You could create custom rules using the frequency and timeframe options on top of the ones used to fire the active response. That way you could relax the number of hits when a high load of alerts appears.

For example, here is a sample rule built on top of the one that alerts about file changes:

<rule id="100001" level="5" frequency="8" timeframe="60">
    <if_matched_sid>550</if_matched_sid>
    <description>Sample alert for Active Response</description>
    <group>syscheck,active-response,</group>
</rule>

Note that 550 is the ID of the rule related to integrity checksum changes detected in FIM scans.

Apart from this suggestion, if you could give us the details of your use case, we can look for another way to limit your ARs that fits your needs better.

I hope it helps,

Best regards,
Chema.