Active response on a specific agent referenced by its agent's name instead of its agent's id


Sylmarch

Feb 7, 2022, 4:16:56 AM
to Wazuh mailing list

Hello Wazuh team!

We want to trigger an active response on a specific agent (let's call it "target-agent") when an alert is generated on another agent.

I see in documentation that it is possible to reference "target-agent" by its agent's ID.

Is it possible to reference it by its agent's name?

I think it's not possible for the moment but it would be great as the agent's name can be fixed in configuration (e.g. in an Ansible configuration) whereas the agent's ID is dynamically generated and is not predictable (i.e. an interaction with the Wazuh server must be done to retrieve the agent's ID).

Thanks in advance for your reply.

Juan Carlos Tello

Feb 7, 2022, 4:44:19 AM
to Wazuh mailing list
Hello Sylmarch,

You're right, active-response can currently be configured to be triggered at a specific agent but only by its ID.
You can give an agent a predictable ID when registering it by using the add agent full API endpoint (for reference: https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.agent_controller.insert_agent ) for example:
Get your API token:
TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
Then generate a random key for the agent
key=$(openssl rand -hex 32)
Then add the agent using the manager's API:
 curl -k -X POST "https://localhost:55000/agents/insert" -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -d'
 {
   "name": "AR-agent",
   "ip": "any",
   "id": "003",
   "key": "'$key'"
 }' 
Which will output something similar to:
{"data": {"id": "003", "key": "MDAzIEFSLWFnZW50IGFueSA2MmQ5NDRmZjIxYjY5NDRkMTEyOGU2NTAwMGI0MDFkMWZlYjBjYWEwYTJlODIyMWE0MTU4NzRlYjAwM2NmM2Y1"}, "error": 0}
Using the key provided there you may then provide the registration information to the agent by running:
/var/ossec/bin/manage_agents -i MDAzIEFSLWFnZW50IGFueSA2MmQ5NDRmZjIxYjY5NDRkMTEyOGU2NTAwMGI0MDFkMWZlYjBjYWEwYTJlODIyMWE0MTU4NzRlYjAwM2NmM2Y1

An alternative is to configure a custom integration that queries the wazuh API for the agent's name and executes the active response using the API as well, specifically the active-response endpoint: https://documentation.wazuh.com/current/user-manual/api/reference.html#tag/Active-response

Thank you for your feedback and please let us know if you have any other questions.
Best Regards,
Juan Carlos Tello


Sylmarch

Feb 7, 2022, 8:17:57 AM
to Wazuh mailing list

Thank you Juan Carlos,

I have additional questions about active responses and centralized agent configuration.

First, a quick description of our use-case. We have:
  • Multiple frontend servers, that belong to agent group "frontend-servers"
  • Multiple WAF servers, that belong to agent group "waf-servers"
Requests received by frontend servers are load-balanced to the WAF servers.

When a WAF server blocks a request, a Wazuh alert is generated and associated with the Wazuh agent on this WAF. As a consequence, we want to:
  • either only block the client's IP on the relevant frontend (but this may imply to adjust WAF log to capture the relevant frontend; e.g. adding X-Forwarded-For header in WAF log)
  • more easily, block the client's IP on ALL frontend servers, i.e. asking all the Wazuh agents that belong to "frontend-servers" to block the client's IP.

Could you confirm that:
  1. it is not possible to declare active responses for a specific agent group, in the agent.conf file for this group? I.e. active responses can only be declared globally in the ossec.conf file on the manager and they are then declared on all agents.
  2. it is not possible to trigger an active response on all agents that belong to an agent group? E.g: Trigger a firewall drop on all agents that belong to the agent group "frontend-servers".

For the 1st point, it is annoying that, if we add a new frontend server, we have to update Wazuh manager configuration too even if the server is added in Wazuh agent group "frontend-servers" (i.e. to declare the active response for this server based on its agent's ID).

For the 2nd point, an improvement could be to add in ossec.conf file:
  • a value "defined-agent-group" for <location> option (based on "defined-agent" value).
  • an <agent_group> option (based on <agent_id>).


As far as I understand, the only way to handle an active response on all agents that belong to an agent group is to create an external API that:
  1. will be invoked by Wazuh server on some conditions, using a custom integration
  2. will query Wazuh API to get the list of IDs for all agents that belong to a specific agent group
  3. will ask the Wazuh API to run an active response for this list of agents
Is that right?

Juan Carlos Tello

Feb 7, 2022, 8:47:06 AM
to Sylmarch, Wazuh mailing list
Hi Sylmarch,

You're right on all accounts:
  • It is not possible to declare active responses for a specific agent group.
  • It is not possible to trigger an active response on all agents that belong to an agent group.
  • The workaround to use a custom integration is as you have described it: the integration must be configured to run for these events and it must then query the API to retrieve the list of agents to then use this list to execute the Active Response on them.
Finally, the Active Response could be executed on all agents depending on your needs.
I will mention this use case to the development team so it may be considered for future development.

Best Regards,
Juan Carlos Tello
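The three-step integration Sylmarch outlines and Juan Carlos confirms, written out as an added Python example (not Wazuh's code and not from the thread): it resolves the agent group to agent IDs through the API and issues a single active-response call for all of them. The endpoint paths and request body shape, the integration script's argument order, and the alert field `data.srcip` are assumptions about the Wazuh API; all values are constructed.

```python
import json
import ssl
import sys
import urllib.request

API_URL = "https://localhost:55000"  # constructed defaults; adjust to your deployment
TARGET_GROUP = "frontend-servers"
AR_COMMAND = "firewall-drop"  # assumed to be a configured active-response command


def api_request(method, path, token, body=None):
    """Call the Wazuh API with a bearer token. TLS verification is disabled to
    mirror the thread's `curl -k`; point it at your CA bundle in production."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API_URL + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def group_agent_ids(group, send):
    """Step 2: list the IDs of every agent in `group` via GET /agents?group=...
    `send(method, path, body)` is the transport, injected so tests can fake it."""
    resp = send("GET", "/agents?group=" + group, None)
    return [a["id"] for a in resp["data"]["affected_items"]]


def build_ar_request(alert, agent_ids):
    """Step 3 (request only): PUT /active-response for the whole agent list.
    Client IP comes from data.srcip; the body shape is an assumed API detail."""
    srcip = alert.get("data", {}).get("srcip")
    if not srcip or not agent_ids:
        return None  # nothing to block, or no agent in the group
    path = "/active-response?agents_list=" + ",".join(agent_ids)
    return path, {"command": AR_COMMAND, "alert": {"data": {"srcip": srcip}}}


def handle_alert(alert, send, group=TARGET_GROUP):
    """Steps 2+3 together: resolve the group, then fan the response out."""
    plan = build_ar_request(alert, group_agent_ids(group, send))
    if plan is not None:
        send("PUT", plan[0], plan[1])
    return plan


if __name__ == "__main__":  # step 1: the manager's integration runs this script
    # Assumed invocation, as for Wazuh custom integrations: <alert_file> <api_key> <hook_url>
    with open(sys.argv[1]) as f:
        alert = json.load(f)
    handle_alert(alert, lambda m, p, b: api_request(m, p, sys.argv[2], b))
```

Dropped into /var/ossec/integrations as a custom-* script and wired to the WAF block rule in ossec.conf, this replaces the per-agent-ID entries Sylmarch wanted to avoid maintaining.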