Creation of an active-response triggered via API


José Raeiro

Oct 25, 2023, 6:55:20 AM
to Wazuh | Mailing List
Hello!

I wish to create an Active Response to be solely activated via an API call, on a predetermined list of agents, through the following endpoint:

https://documentation.wazuh.com/current/user-manual/api/reference.html#tag/Active-response

How must I configure ossec.conf on the manager? Like so?

  <command>
    <name>Wazuh_block</name>
    <executable>WazuhBlock_verbose_error_message.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>Wazuh_block</command>
    <location>local</location>
    <timeout>60</timeout>
  </active-response>


Is this correct and can anyone guide me on how to make the PUT request? I was thinking of using something along these lines:

curl -X PUT "https://WAZUH_MANAGER/active-response?agents_list=798" \
     -H "Authorization: Bearer YOUR_JWT_TOKEN" \
     -H "Content-Type: application/json" \
     -k \
     -d '{
           "command": "!Wazuh_block",
           "custom": true
         }'


I'm able to trigger it but I don't see the results from the execution of the executable on the target system:

Active response triggered successfully. Response: {
  "data": {
    "affected_items": [
      "798"
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "AR command was sent to all agents",
  "error": 0
}


Agent 798 has the referred executable in the \active-response\bin directory.

Looking at ossec.log on the agent I see the following every time I issue the API call:

2023/10/24 15:25:20 wazuh-agent: ERROR: (1317): Could not launch command No error (0)

This executable was compiled by me using Visual Studio, so I'm not sure if that may be related.

Please help! Thank you in advance!

Kind Regards,

José Raeiro

Julia Magán Rodríguez

Oct 25, 2023, 8:34:51 AM
to Wazuh | Mailing List

Hello,

The API reference says:

[image: command.png, excerpt of the API reference entry for the command field]

So, in the API request, in command, you should set the script name next to !, that is:

{ "command": "!WazuhBlock_verbose_error_message.exe", "custom": true }

Also, in this section of the documentation, it is shown how to create a custom script for Windows. In case there are any problems with the script creation, you can check this documentation.
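To make the correction above concrete, here is an added example (not code from the thread or from the Wazuh project) that reads the manager-side <command> block from the question, derives the value the API's "command" field needs ("!" followed by the executable file name, not the <command> name "Wazuh_block"), flags the mismatch the original request contained, and builds the PUT /active-response request. The manager URL, credentials, agent id and the dry_run switch are hypothetical placeholders; the POST /security/user/authenticate login endpoint is the standard Wazuh 4.x one and is not shown on the page.

```python
"""Derive and send a Wazuh custom active-response API call from ossec.conf.

Added example for this thread; not the poster's or Wazuh's own code.
"""
import base64
import json
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: the manager-side fragment quoted in the question.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <command>
    <name>Wazuh_block</name>
    <executable>WazuhBlock_verbose_error_message.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <disabled>no</disabled>
    <command>Wazuh_block</command>
    <location>local</location>
    <timeout>60</timeout>
  </active-response>
</ossec_config>
"""


def command_executables(conf_xml: str) -> dict:
    """Map each <command><name> in ossec.conf to its <executable> file name."""
    root = ET.fromstring(conf_xml.strip())
    mapping = {}
    for cmd in root.findall("command"):
        name, exe = cmd.findtext("name"), cmd.findtext("executable")
        if name and exe:
            mapping[name.strip()] = exe.strip()
    return mapping


def api_command_for(conf_xml: str, command_name: str) -> str:
    """API 'command' value for a custom AR: '!' + executable name."""
    mapping = command_executables(conf_xml)
    if command_name not in mapping:
        raise ValueError(f"no <command> named {command_name!r} in ossec.conf")
    return "!" + mapping[command_name]


def check_api_command(conf_xml: str, api_command: str):
    """Return (ok, reason) for a candidate 'command' value.

    The agent resolves the name after '!' to a file in active-response/bin,
    so passing the <command> label instead of the executable cannot launch.
    """
    mapping = command_executables(conf_xml)
    if not api_command.startswith("!"):
        return False, "custom commands must start with '!'"
    target = api_command[1:]
    if target in mapping.values():
        return True, f"'{target}' is a configured executable"
    if target in mapping:
        return False, (f"'{target}' is the <command> name, not a file in "
                       f"active-response/bin; use '!{mapping[target]}'")
    return False, f"'{target}' matches neither a <command> name nor an executable"


def build_request(manager_url: str, token: str, agent_ids, api_command: str,
                  arguments=()) -> urllib.request.Request:
    """Build PUT /active-response?agents_list=... with the JSON body (not sent)."""
    body = {"command": api_command, "custom": True}
    if arguments:
        body["arguments"] = list(arguments)
    return urllib.request.Request(
        f"{manager_url}/active-response?agents_list={','.join(agent_ids)}",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def request_summary(req: urllib.request.Request) -> dict:
    """Method, URL and decoded body of a built request, for inspection/tests."""
    return {"method": req.get_method(), "url": req.full_url,
            "body": json.loads(req.data)}


def get_token(manager_url: str, user: str, password: str, ctx) -> str:
    """Obtain a JWT from POST /security/user/authenticate (basic auth)."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{manager_url}/security/user/authenticate",
                                 method="POST",
                                 headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["data"]["token"]


def trigger(manager_url, user, password, agent_ids, conf_xml, command_name,
            dry_run=True, ctx=None):
    """Validate the command, then send it unless dry_run (hypothetical flag)."""
    api_command = api_command_for(conf_xml, command_name)
    ok, reason = check_api_command(conf_xml, api_command)
    if not ok:
        raise ValueError(reason)
    if dry_run:
        return request_summary(build_request(manager_url, "<token>", agent_ids, api_command))
    ctx = ctx or ssl.create_default_context()  # trust the manager's CA, not curl -k
    token = get_token(manager_url, user, password, ctx)
    with urllib.request.urlopen(build_request(manager_url, token, agent_ids,
                                              api_command), context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder manager and agent id; dry_run=True only prints the request.
    print(trigger("https://WAZUH_MANAGER:55000", "wazuh", "<password>", ["798"],
                  SAMPLE_OSSEC_CONF, "Wazuh_block"))
    print(check_api_command(SAMPLE_OSSEC_CONF, "!Wazuh_block"))
```

Running it in dry-run mode shows the request body {"command": "!WazuhBlock_verbose_error_message.exe", "custom": true}, and the second line explains why "!Wazuh_block" from the original request is rejected before anything is sent to the manager. The default SSL context verifies the manager's certificate; the -k in the original curl disables that check and is worth dropping once the API's CA is trusted.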

José Raeiro

Jun 11, 2024, 9:45:23 AM
to Julia Magán Rodríguez, Wazuh | Mailing List
Hello Julia,

Thank you so very much for your kind explanation. I have implemented the suggested changes and now it works like a charm.

And that was it: I was able to create a way to isolate Windows hosts (from Windows Vista forward) from the network with a custom application that I developed in C++ leveraging the Windows Filtering Platform (thereby bypassing any firewall solution present in the system), via an active-response API call to the Wazuh Manager, always maintaining the connection with the Wazuh Manager, so that the network containment can later be lifted.

Would that be something of interest to Wazuh's codebase?

Kind Regards,

José Raeiro

