Wazuh Active Response.

83 views
Skip to first unread message

DIWAHAR RAHAWID

unread,
Jul 9, 2026, 3:05:23 AM (10 days ago) Jul 9
to Wazuh | Mailing List

Hi Wazuh Support Team,

I am facing an issue with the Windows Software Policy / Application Whitelisting Active Response after upgrading our Wazuh environment to v4.14.5.

We have implemented the application whitelisting solution based on the following repository and documentation:

The implementation was working correctly before the upgrade. After upgrading to Wazuh v4.14.5, the detection rule still triggers successfully, but the Active Response no longer suspends or terminates the unauthorized application.

Environment
  • Wazuh Manager: v4.14.5
  • Wazuh Windows Agent: v4.14.5
  • Sysmon: v15.14
  • Windows Servers
Configuration Implemented 1. Sysmon

Sysmon is installed and configured to generate Event ID 1 (Process Create) events.

2. Wazuh Rules

The Software Policy rules are configured as described in the repository. Unauthorized applications correctly trigger Rule ID 100500, and alerts are generated in the Wazuh Dashboard.

3. Active Response Configuration

The following Active Response configuration is present in the agent configuration:

<command>
<name>pssuspend</name>
<executable>pssuspend.cmd</executable>
<timeout_allowed>no</timeout_allowed>
</command>

<active-response>
<disabled>no</disabled>
<level>10</level>
<command>pssuspend</command>
<location>local</location>
<rules_group>software_policy</rules_group>
</active-response>
4. Active Response Script

The pssuspend.cmd (PowerShell) script provided in the repository is configured to:

  • Receive the Wazuh Active Response alert JSON.
  • Extract the Process ID and Image Path from the Sysmon event.
  • Verify that the running process matches the alert.
  • Display a notification to the logged-in user.
  • Suspend the process using PsSuspend.
  • Wait for 3 seconds.
  • Terminate the process using PsKill.
Current Behavior
  • Sysmon Event ID 1 is generated.
  • Wazuh detects the event.
  • Rule 100500 is triggered.
  • Alerts are visible in the Wazuh Dashboard.
  • The Active Response does not suspend or terminate the application.
  • The unauthorized application continues to run.
Issue Observed

This exact configuration worked as expected before upgrading to Wazuh v4.14.5. No changes were made to the Active Response configuration or the PowerShell script. The only change in the environment was the Wazuh upgrade.

Could you please confirm whether there were any changes in Wazuh v4.14.x related to:

  • Active Response execution on Windows agents
  • Active Response JSON format
  • Rule group handling
  • Active Response command execution
  • Windows agent behavior or permissions
  • Any known issues affecting the wazuh-windows-software-policy implementation

If there are any required changes to make this solution compatible with Wazuh v4.14.5, kindly provide the recommended approach or updated documentation.

We appreciate your assistance in resolving this issue.

Thank you.

Regards,
Diwahar S V


Stuti Gupta

unread,
Jul 9, 2026, 3:58:39 AM (10 days ago) Jul 9
to Wazuh | Mailing List

Hi Diwahar,

Could you first confirm whether you upgraded the Wazuh manager as well? Please make sure the manager is running the same version as the agent (v4.14.5) or a newer version.

There are no known changes in Wazuh v4.14.x related to Active Response that would require changes to your existing configuration. If the rule is triggering and the Active Response configuration and script have not changed, it should continue to work after the upgrade.

Since the rule is already triggering, the detection part seems to be working. The next step is to verify whether the Active Response is being executed.

Could you please check the following?

  • The Windows agent log:

    C:\Program Files (x86)\ossec-agent\ossec.log
  • The Active Response log:

    C:\Program Files (x86)\ossec-agent\active-response\active-responses.log

Also, please confirm that pssuspend.cmd is present in:

C:\Program Files (x86)\ossec-agent\active-response\bin\

These logs should help identify why the Active Response is not being executed.

DIWAHAR RAHAWID

unread,
Jul 9, 2026, 6:09:15 AM (10 days ago) Jul 9
to Wazuh | Mailing List
Hi Stuti Gupta, 

pssuspend.cmd is added to the given directory. 

C:\Program Files (x86)\ossec-agent\ossec.log
C:\Program Files (x86)\ossec-agent\active-response\active-responses.log

No data regarding Active response is running on the agent when i try to run unauthorized applications. 

Regards
Diwahar

Stuti Gupta

unread,
Jul 10, 2026, 12:06:06 AM (10 days ago) Jul 10
to Wazuh | Mailing List
Hi 

Please share the latest logs from: C:\Program Files (x86)\ossec-agent\logs\2026\Jun



Could you first confirm whether you upgraded the Wazuh manager as well? Please make sure the manager is running the same version as the agent (v4.14.5) or a newer version.

If possible, please try to run the script manually. Please open PowerShell as Administrator and execute the script by providing a test Active Response JSON (or a previously captured payload) through standard input. Also, verify that pssuspend64.exe, pskill64.exe, and psexec64.exe can all be executed successfully from the paths referenced in your script. You can test it by creating a sample test.json:

  Get-Content .\test.json | pwsh.exe -ExecutionPolicy Bypass -File "C:\Program Files\Sysinternals\pssuspend.ps1"

Also share the output from the following command;
 run this command as the manager side :
cat /var/ossec/logs/alerts/alerts.json | grep software_policy


DIWAHAR RAHAWID

unread,
Jul 10, 2026, 6:29:14 AM (9 days ago) Jul 10
to Wazuh | Mailing List
Hi Stuti, 

Please find the output  cat /var/ossec/logs/alerts/alerts.json | grep software_policy

"systemTime":"2026-07-10T08:22:43.1540960Z","eventRecordID":"670007","processID":"3632","threadID":"5752","channel":"Microsoft-Windows-Sysmon/Operational","computer":"tst-svr-01.ccsd.cloud","severityValue":"INFORMATION","message":"\"Process Create:\r\USER: USER
{"timestamp":"2026-07-10T04:24:18.070-0400","rule":{"level":16,"description":"Sysmon - Event 1: Process Pnx.AI.Svc started but not allowed by the software policy","id":"100500","mitre":{"id":["T1036"],"tactic":["Defense Evasion"],"technique":["Masquerading"]},"firedtimes":2,"mail":true,"groups":["allowapplication"," software_policy"]},"agent":{"id":"074","name":"cc-rms-svr-02","ip":"X.X.X.X"},"manager":{"name":"nj-siem-svr-01"},"id":"1783671858.4556991423","cluster":{"name":"wazuh","node":"nj-siem-svr-01"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2026-07-10T08:24:15.0924795Z","eventRecordID":"598436","processID":"3608","threadID":"5540","channel":"Microsoft-Windows-Sysmon/Operational","computer":"rms-svr-02.ccsd.cloud","severityValue":"INFORMATION","message":"\"Process Create:\r\USER: USER
{"timestamp":"2026-07-10T04:42:05.253-0400","rule":{"level":16,"description":"Sysmon - Event 1: Process Google Updater (x64) started but not allowed by the software policy","id":"100500","mitre":{"id":["T1036"],"tactic":["Defense Evasion"],"technique":["Masquerading"]},"firedtimes":3,"mail":true,"groups":["allowapplication"," software_policy"]},"agent":{"id":"100","name":"HOST-XYZ","ip":"X.X.X.X"},"manager":{"name":"nj-siem-svr-01"},"id":"1783672925.4887353897","cluster":{"name":"wazuh","node":"nj-siem-svr-01"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2026-07-10T08:42:02.2507481Z","eventRecordID":"807730","processID":"5028","threadID":"6512","channel":"Microsoft-Windows-Sysmon/Operational","computer":"HOST-XYZ.XYZ_COMPANY.corp","severityValue":"INFORMATION","message":"\"Process Create:\r\USER: USER
{"timestamp":"2026-07-10T04:42:05.256-0400","rule":{"level":16,"description":"Sysmon - Event 1: Process Google Updater (x64) started but not allowed by the software policy","id":"100500","mitre":{"id":["T1036"],"tactic":["Defense Evasion"],"technique":["Masquerading"]},"firedtimes":4,"mail":true,"groups":["allowapplication"," software_policy"]},"agent":{"id":"100","name":"HOST-XYZ","ip":"X.X.X.X"},"manager":{"name":"nj-siem-svr-01"},"id":"1783672925.4887364904","cluster":{"name":"wazuh","node":"nj-siem-svr-01"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2026-07-10T08:42:02.3867367Z","eventRecordID":"807732","processID":"5028","threadID":"6512","channel":"Microsoft-Windows-Sysmon/Operational","computer":"HOST-XYZ.XYZ_COMPANY.corp","severityValue":"INFORMATION","message":"\"Process Create:\r\USER: USER
{"timestamp":"2026-07-10T04:42:05.279-0400","rule":{"level":16,"description":"Sysmon - Event 1: Process Google Updater (x64) started but not allowed by the software policy","id":"100500","mitre":{"id":["T1036"],"tactic":["Defense Evasion"],"technique":["Masquerading"]},"firedtimes":5,"mail":true,"groups":["allowapplication"," software_policy"]},"agent":{"id":"100","name":"HOST-XYZ","ip":"X.X.X.X"},"manager":{"name":"nj-siem-svr-01"},"id":"1783672925.4887378618","cluster":{"name":"wazuh","node":"nj-siem-svr-01"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2026-07-10T08:42:02.5137405Z","eventRecordID":"807735","processID":"5028","threadID":"6512","channel":"Microsoft-Windows-Sysmon/Operational","computer":"HOST-XYZ.XYZ_COMPANY.corp","severityValue":"INFORMATION","message":"\"Process Create:\r\USER: USER
{"timestamp":"2026-07-10T05:01:05.035-0400","rule":{"level":16,"description":"Sysmon - Event 1: Process Pnx.Phoenix.JobSvc started but not allowed by the software policy","id":"100500","mitre":{"id":["T1036"],"tactic":["Defense Evasion"],"technique":["Masquerading"]},"firedtimes":1,"mail":true,"groups":["allowapplication"," software_policy"]},"agent":{"id":"077","name":"cc-tst-svr-01","ip":"X.X.X.X"},"manager":{"name":"nj-siem-svr-01"},"id":"1783674065.5225603771","cluster":{"name":"wazuh","node":"nj-siem-svr-01"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2026-07-10T09:01:02.5671679Z","eventRecordID":"673600","processID":"3632","threadID":"5752","channel":"Microsoft-Windows-Sysmon/Operational","computer":"tst-svr-01.ccsd.cloud","severityValue":"INFORMATION","message":"\"Process Create:\r\USER: USER
{"timestamp":"2026-07-10T05:09:11.961-0400","rule":{"level":16,"description":"Sysmon - Event 1: Process Pnx.AI.Svc started but not allowed by the software policy","id":"100500","mitre":{"id":["T1036"],"tactic":["Defense Evasion"],"technique":["Masquerading"]},"firedtimes":2,"mail":true,"groups":["allowapplication"," software_policy"]},"agent":{"id":"081","name":"CC-rms-svr-01","ip":"X.X.X.X"},"manager":{"name":"nj-siem-svr-01"},"id":"1783674551.5385094123","cluster":{"name":"wazuh","node":"nj-siem-svr-01"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2026-07-10T09:09:09.1772626Z","eventRecordID":"644475","processID":"3548","threadID":"5456","channel":"Microsoft-Windows-Sysmon/Operational","computer":"rms-svr-01.ccsd.cloud","severityValue":"INFORMATION","message":"\"Process Create:\r\USER: USER
{"timestamp":"2026-07-10T05:50:24.119-0400","rule":{"level":16,"description":"Sysmon - Event 1: Process SSH, Telnet, Rlogin, and SUPDUP client started but not allowed by the software policy","id":"100500","mitre":{"id":["T1036"],"tactic":["Defense Evasion"],"technique":["Masquerading"]},"firedtimes":3,"mail":true,"groups":["allowapplication"," software_policy"]},"agent":{"id":"100","name":"HOST-XYZ","ip":"X.X.X.X"},"manager":{"name":"nj-siem-svr-01"},"id":"1783677024.6066533209","cluster":{"name":"wazuh","node":"nj-siem-svr-01"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2026-07-10T09:50:20.8646266Z","eventRecordID":"809539","processID":"5028","threadID":"6512","channel":"Microsoft-Windows-Sysmon/Operational","computer":"HOST-XYZ.XYZ_COMPANY.corp","severityValue":"INFORMATION","message":"\"Process Create:\r\USER: USER
{"timestamp":"2026-07-10T05:57:28.462-0400","rule":{"level":16,"description":"Sysmon - Event 1: Process SSH, Telnet, Rlogin, and SUPDUP client started but not allowed by the software policy","id":"100500","mitre":{"id":["T1036"],"tactic":["Defense Evasion"],"technique":["Masquerading"]},"firedtimes":4,"mail":true,"groups":["allowapplication"," software_policy"]},"agent":{"id":"100","name":"HOST-XYZ","ip":"X.X.X.X"},"manager":{"name":"nj-siem-svr-01"},"id":"1783677448.6189434750","cluster":{"name":"wazuh","node":"nj-siem-svr-01"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2026-07-10T09:57:25.4037849Z","eventRecordID":"809709","processID":"5028","threadID":"6512","channel":"Microsoft-Windows-Sysmon/Operational","computer":"HOST-XYZ.XYZ_COMPANY.corp","severityValue":"INFORMATION","message":"\"Process Create:\r\USER: USER
{"timestamp":"2026-07-10T05:57:42.922-0400","rule":{"level":16,"description":"Sysmon - Event 1: Process SSH, Telnet, Rlogin, and SUPDUP client started but not allowed by the software policy","id":"100500","mitre":{"id":["T1036"],"tactic":["Defense Evasion"],"technique":["Masquerading"]},"firedtimes":5,"mail":true,"groups":["allowapplication"," software_policy"]},"agent":{"id":"100","name":"HOST-XYZ","ip":"X.X.X.X"},"manager":{"name":"nj-siem-svr-01"},"id":"1783677462.6193128067","cluster":{"name":"wazuh","node":"nj-siem-svr-01"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2026-07-10T09:57:39.8635349Z","eventRecordID":"809713","processID":"5028","threadID":"6512","channel":"Microsoft-Windows-Sysmon/Operational","computer":"HOST-XYZ.XYZ_COMPANY.corp","severityValue":"INFORMATION","message":"\"Process Create:\r\USER: USER

pssuspend.ps1 Data is as same as like shared in the Email and alert group i Have changed to 1 as per the logs and configurations. 

Regards
Diwahar

Stuti Gupta

unread,
Jul 13, 2026, 3:41:39 AM (6 days ago) Jul 13
to Wazuh | Mailing List
Your rule level is 16; you can check that in the log:

 {"timestamp":"2026-07-10T05:57:42.922-0400","rule":{"level":16,"description":"Sysmon - Event 1: Process SSH, Telne

But the active response configuration has level 10:

<command>
<name>pssuspend</name>
<executable>pssuspend.cmd</executable>
<timeout_allowed>no</timeout_allowed>
</command>

<active-response>
<disabled>no</disabled>
<level>10</level>
<command>pssuspend</command>
<location>local</location>
<rules_group>software_policy</rules_group>
</active-response>

Please change the level of either the rule from 16 to 10 in 100500 or change the level from 10 to 16 in the active response https://documentation.wazuh.com/current/user-manual/capabilities/active-response/how-to-configure.html#:~:text=rule%20ID%2C%20alert-,level,-%2C%20or%20rule%20group.

Then let me know if this works for you.

DIWAHAR RAHAWID

unread,
Jul 13, 2026, 10:24:12 AM (6 days ago) Jul 13
to Wazuh | Mailing List
Hi Stuti, 

As requested did changed those configuration but still issue is still the same. 

Regards
Diwahar

Stuti Gupta

unread,
Jul 14, 2026, 5:02:46 AM (5 days ago) Jul 14
to Wazuh | Mailing List

Hi Diwahar,

I was able to reproduce the same behavior in my test environment.

The issue was not with the Wazuh rule or the Active Response configuration. The Active Response was being triggered correctly, but the PowerShell script was failing while parsing the JSON input on recent Wazuh versions.

The original script performs ConvertFrom-Json twice unconditionally:

$INPUT_JSON = Read-Host
$INPUT_ARRAY = $INPUT_JSON | ConvertFrom-Json
$INPUT_ARRAY = $INPUT_ARRAY | ConvertFrom-Json

On newer Wazuh versions, the first ConvertFrom-Json already returns a PowerShell object, so the second conversion fails and prevents the remainder of the script from executing.

I modified the script only to 

$INPUT_JSON = Read-Host

$INPUT_ARRAY = $INPUT_JSON | ConvertFrom-Json

if ($INPUT_ARRAY -is [string]) {
    $INPUT_ARRAY = $INPUT_ARRAY | ConvertFrom-Json
}

Also make sure you have Powershell 7

DIWAHAR RAHAWID

unread,
Jul 16, 2026, 11:41:55 AM (3 days ago) Jul 16
to Wazuh | Mailing List
Hi Stuti, 

Even after changing the script as you tested still not working for me not sure what is the issue. 

I am seeing this error in log 

2026/07/16 08:39:52 sca: INFO: Security Configuration Assessment scan finished. Duration: 8 seconds.
2026/07/16 08:39:55 rootcheck: INFO: Ending rootcheck scan.
2026/07/16 08:39:56 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/07/16 08:39:56 wazuh-agent: INFO: FIM sync module started.
2026/07/16 08:39:56 wazuh-agent: INFO: (6012): Real-time file integrity monitoring started.
2026/07/16 08:40:05 wazuh-agent: INFO: Active response command not present: 'active-response/bin/restart-ossec.sh'. Not using it on this system.
2026/07/16 08:40:05 wazuh-agent: INFO: Active response command not present: 'active-response/bin/restart-ossec.cmd'. Not using it on this system.
2026/07/16 08:40:05 wazuh-agent: INFO: Active response command not present: 'active-response/bin/restart-ossec.sh'. Not using it on this system.
2026/07/16 08:40:05 wazuh-agent: INFO: Active response command not present: 'active-response/bin/restart-ossec.cmd'. Not using it on this system.
2026/07/16 08:40:05 wazuh-agent: INFO: Active response command not present: 'active-response/bin/restart-wazuh'. Not using it on this system.
Reply all
Reply to author
Forward
0 new messages