Wazuh has active-response functionality. Its source code is open source, well tested, and available here. The three parameters required by the scripts are action, IP, and user.
We have created an osquery extension (https://github.com/sttor/osquery-wazuh-response) that executes the active-response scripts through osquery queries. You can also create your own custom .sh, .cmd, and .py scripts and execute them via osquery queries.
The syntax for executing the queries is: select * from active_response where rule='host-deny.sh' and action='add' and ip='-' and user='-';
Below are the rules and compatible platforms. You can find more at https://documentation.wazuh.com/3.7/user-manual/capabilities/active-response/how-it-works.html
You can create any Python script, .sh, or .cmd file: simply add it to the extension folder and include it in the active_response_extension.py file. We have added a template file in the GitHub repo.
Refer to the structure of kill_process.py.
Import the custom file in active_response_extension.py, e.g. import kill_process.
Add the filename to ActiveResponse.PYTHON_RULE, ActiveResponse.WAZUH_RULE, or ActiveResponse.BASH_RULE, depending on the script type.
In the query, pass args as a JSON object of the arguments the script requires.
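As an added example (not the extension's own code), here is a dispatcher that takes the rule, action, ip, user and args values from such a query row, checks the rule against the registered names, validates the other values, and builds the command as an argv list rather than a shell string, so that a crafted ip or user value cannot be injected. The allowlist contents, SCRIPT_DIR, the action names and the JSON-argument convention for Python rules are assumptions for this example.

```python
import ipaddress
import json
import re
import subprocess

# Constructed allowlists standing in for the extension's PYTHON_RULE / WAZUH_RULE
# sets (names assumed); a rule name that is not listed here must never run.
WAZUH_RULES = {"host-deny.sh", "firewall-drop.sh"}
PYTHON_RULES = {"kill_process.py"}
ACTIONS = {"add", "delete"}
SCRIPT_DIR = "/var/ossec/active-response/bin"  # assumed location of the scripts


def validate_row(row):
    """Validate the WHERE-clause values (rule, action, ip, user, args) of one row."""
    rule = row.get("rule", "")
    if rule not in WAZUH_RULES | PYTHON_RULES:
        raise ValueError(f"rule not registered: {rule!r}")  # also blocks path tricks
    action = row.get("action", "")
    if action not in ACTIONS:
        raise ValueError(f"unsupported action: {action!r}")
    ip = row.get("ip", "-")
    if ip != "-":
        ipaddress.ip_address(ip)  # raises ValueError on anything but a literal IP
    user = row.get("user", "-")
    if user != "-" and not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", user):
        raise ValueError(f"malformed user: {user!r}")
    args = json.loads(row.get("args") or "{}")
    if not isinstance(args, dict):
        raise ValueError("args must be a JSON object")
    return rule, action, ip, user, args


def build_command(row):
    """Turn a validated row into an argv list; never a shell string."""
    rule, action, ip, user, args = validate_row(row)
    if rule in WAZUH_RULES:
        # Wazuh's bundled scripts read their positional args as: action user ip
        return [f"{SCRIPT_DIR}/{rule}", action, user, ip]
    # For Python rules this example passes the JSON args as one argument (assumed convention)
    return ["python3", f"{SCRIPT_DIR}/{rule}", action, json.dumps(args, sort_keys=True)]


def execute(row):
    """Run the script for one row without a shell, so ip/user cannot be injected."""
    return subprocess.run(build_command(row), capture_output=True, text=True, timeout=30)
```

Because any principal able to run osquery queries can trigger these rows, the allowlist check is what keeps the table from becoming a general script runner.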
The previous installation steps include the extension installation for Linux and macOS by default. For Windows, you have to follow the additional steps below.
Open a browser and browse to https://www.python.org/ftp/python/3.8.1/python-3.8.1-amd64.exe
Check “Install launcher for all users”
Check “Add Python to PATH”
Select “Install Now”
Open a PowerShell instance
pip install osquery
In PowerShell as an administrator, run:
cd 'C:\Program Files\osquery'
icacls .\extensions /setowner Administrators /t
icacls .\extensions /grant Administrators:f /t
icacls .\extensions /inheritance:r /t
icacls .\extensions /inheritance:d /t
Open osquery.flags in Notepad as an administrator and append the line below. Then restart osqueryd:
sc.exe stop osqueryd
sc.exe start osqueryd