Wazuh API and Active Response


João Vitor Belmonte Rates

Sep 8, 2025, 10:11:21 AM
to Wazuh | Mailing List
Hello,

We're exploring the possibility of executing a command directly on a Wazuh agent via the Wazuh API.

Our goal is to run a command without needing a pre-existing script or executable file on the agent's filesystem, similar to how one would use SSH.

The main reason for this approach is to avoid a dependency on a local file, which could potentially be compromised, encrypted, or deleted by malware.

Is this a supported feature, or is the use of a pre-configured Active Response script the only method for this type of action?

Olamilekan Abdullateef Ajani

Sep 8, 2025, 12:35:20 PM
to Wazuh | Mailing List
Hello JV,

You can execute a command or the executable script directly on an agent via active response using the API, but you need the script defined in the Wazuh server itself and placed on the agent. You can check out the API documentation here for more clarity: https://documentation.wazuh.com/current/user-manual/api/reference.html#tag/Active-response

You can navigate to the server management DevTools and place the query below:
PUT /active-response?agents_list=005
{
  "arguments": [
    "string"
  ],
  "command": "!test123",
  "alert": {
    "data": {}
  }
}


This would allow you to run the command test123 on the remotely defined agent 005.
And on the Wazuh server, you can have the command stated below:
<command>
  <name>test123</name>
  <executable>launcher.cmd</executable>
  <extra_args>custom_remove.py</extra_args>
</command>


Ref:
https://documentation.wazuh.com/current/user-manual/api/reference.html#tag/Active-response
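An added example of the API flow described in this reply (not code from the thread or from the Wazuh project): it obtains a JWT from GET /security/user/authenticate and then issues the PUT /active-response request shown above, checking the per-agent failure list in the response. The API URL, credentials and CA file are assumed to come from environment variables, and the command name must already exist in the server's <command> block.

```python
"""Trigger a Wazuh active response on an agent through the Wazuh API (added example)."""
import base64
import json
import os
import ssl
import urllib.request

# Assumed defaults; override with environment variables in a real deployment.
API_URL = os.environ.get("WAZUH_API_URL", "https://localhost:55000")


def _default_opener():
    # Verify the API's TLS certificate against the system store or a pinned CA file.
    ctx = ssl.create_default_context(cafile=os.environ.get("WAZUH_CA_FILE"))
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def get_token(user, password, opener=None):
    """Exchange basic-auth credentials for a JWT via GET /security/user/authenticate."""
    opener = opener or _default_opener()
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{API_URL}/security/user/authenticate",
                                 headers={"Authorization": f"Basic {cred}"})
    with opener.open(req) as resp:
        return json.load(resp)["data"]["token"]


def build_ar_request(token, agent_id, command, arguments=(), alert_data=None):
    """Build the PUT /active-response request from the reply as a urllib Request."""
    if not (agent_id.isdigit() and len(agent_id) >= 3):
        raise ValueError("agent id must be a zero-padded numeric string such as '005'")
    body = {"command": command, "arguments": list(arguments),
            "alert": {"data": alert_data or {}}}
    return urllib.request.Request(
        f"{API_URL}/active-response?agents_list={agent_id}",
        data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def run_active_response(token, agent_id, command, arguments=(), opener=None):
    """Send the request; the API reports per-agent errors in data.failed_items."""
    opener = opener or _default_opener()
    with opener.open(build_ar_request(token, agent_id, command, arguments)) as resp:
        result = json.load(resp)
    if result.get("data", {}).get("failed_items"):
        raise RuntimeError(f"active response failed: {result['data']['failed_items']}")
    return result


if __name__ == "__main__":
    tok = get_token(os.environ["WAZUH_USER"], os.environ["WAZUH_PASSWORD"])
    print(run_active_response(tok, "005", "!test123", ["string"]))
```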