Active reponse - add agent to group

[M G]

Hello,

Is it possible for an active response to add an agent to a certain group for one hour? For example, when the agent (id. 7) had an event with rule.id 202, agent.id 7 was added to the "exclusion" group. Is the only solution a script containing access data written in plain text?

regards

Mateusz

[Pablo Ariel Gonzalez]

Mateusz:

According to the official documentation, it’s currently not possible to move an agent to a group temporarily using Active Response directly. The best alternative is to leverage the Wazuh API to automate this action.

One approach would be to have a script that, when triggered by a specific rule, adds the agent to the exclusion group and schedules a task (for example with cron or at) to remove it from that group one hour later.

Depending on your environment, you could implement this in two ways:

• From the manager → using the server option in Active Response. In this case, you can reuse the service token already generated by the manager (no need to create a dedicated user), usually available at:

  /var/ossec/api/configuration/auth/token

• From another server with an agent → using the defined-agent option, so that host acts as a scheduler and executes the API calls.

In both approaches, if you prefer to use dedicated credentials instead of the local service token, you can rely on secret management tools to avoid storing them in plain text. Two well-known open source options are:

• HashiCorp Vault OSS

• Pass (Password Store)