I’m planning to start using the Active Response module in Wazuh and would appreciate some roadmap-style guidance and best practices before enabling it.
My Wazuh cluster is running in a corporate production environment, so I want to proceed carefully and avoid introducing any operational risks or unexpected disruptions.
I’m mainly looking for recommendations on:
I’d appreciate any advice, lessons learned, or documentation recommendations from the community.
Thank you.
Hi Farid,
You can follow this document to configure active response.
How to configure Active Response
First, you need to define the active response script in all of your Wazuh managers’ ossec.conf.
Configuring the Wazuh server
Next, if you are configuring a custom active response, you need to add the active response script to the agent/manager where you are planning to run it.
Configuring the monitored endpoint
These are the current active response scripts present in Wazuh by default.
Default active response scripts
This document will be useful to make a custom active response script.
Custom active response scripts
You can check some use cases we have and try to configure them to have a better understanding.
Blocking SSH brute-force attack with Active Response
Restarting the Wazuh agent with Active Response
Disabling a Linux user account with Active Response
Before applying to production, deploy a test Wazuh server and an agent, and test your active response configuration and script before applying them in production.
Let me know if you need any further information.
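To make the two configuration steps above concrete, here is an added ossec.conf fragment for the SSH brute-force use case linked above (this is an illustrative example, not a snippet from the reply or the Wazuh docs; the rule ID 5763 is the stock sshd brute-force rule, and firewall-drop is a default script shipped with the agent):

```xml
<ossec_config>
  <!-- Step 1 (every manager's ossec.conf): declare the script the manager may trigger.
       The executable name refers to a file under active-response/bin/ on the endpoint
       that will run it. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <!-- timeout_allowed lets the block be reverted automatically (see <timeout> below) -->
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Step 2 (also on the manager): bind the command to a trigger.
       location=local runs the script on the agent that produced the alert;
       other options are server, defined-agent (with <agent_id>), or all. -->
  <active-response>
    <!-- Keep "disabled" set to yes while validating on a test manager/agent,
         then flip it to no for the production rollout. -->
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <!-- Fire only on the sshd brute-force rule, not on a broad <level> threshold,
         so a noisy rule cannot block traffic unexpectedly. -->
    <rules_id>5763</rules_id>
    <!-- Seconds after which the manager sends the "delete" command to undo the block;
         a bounded timeout is the safety net for a false positive. -->
    <timeout>180</timeout>
  </active-response>
</ossec_config>
```

On the endpoint, the only requirement for a default script is that the agent is installed; for a custom script you place it in the agent's active-response/bin/ directory with execute permission and owned by root:wazuh, then restart the manager after editing ossec.conf.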