Active Response Support - Osquery and Wazuh

[vanh20]

Hello Everyone,

I can read from here that Active Response on Wazuh seems supported already. Is it fully supported? I can read things that confuse me on the forum. Can the developers give a more precise reply, especially on where to configure it? Must the configuration be done locally (endpoint side) or does it propagate if I do it on the manager-node side?

Also, I have the same question about OSQuery.

If this has been answered via the documentation, please accept my apologies.

TIA :)

[dougburks]

I can read from here that Active Response on Wazuh seems supported already. Is it fully supported? I can read things that confuse me on the forum. Can the developers give a more precise reply, especially on where to configure it? Must the configuration be done locally (endpoint side) or does it propagate if I do it on the manager-node side?

Each Security Onion installation has its own Wazuh server. That means that if you have a Security Onion distributed deployment with manager, search nodes, and forward nodes, each one of those nodes has their own Wazuh server and those Wazuh servers are independent.

If you install a Wazuh agent on a non-Security-Onion endpoint and connect that agent to one of your Wazuh servers, you should be able to configure that agent either on the server side or on the agent side.

For more information about Wazuh, please see:
https://documentation.wazuh.com/3.13/

Also, I have the same question about OSQuery.

I don't believe osquery performs Active Response out of the box the same way that Wazuh does. For more information about osquery, please see:
https://osquery.readthedocs.io/en/stable/

[vanh20]

Hello dougburks,

Thanks for the clarification and for confirming the Active Response functionality of Wazuh. Enterprise-wise, I now know how to plan the installation and how this distributed deployment should roll out.

As per osquery, I have seen this GitHub project and it seems easy to adapt to the endpoints via the extension facility that looks native to osquery to me. If that is the case, would the changes be made over the endpoints, and would that be compatible or supported by the agent install facility done by Security Onion? Or do I need to make an independent install osquery (and configure it) on my clients?

Thanks for your expert advice.

[vanh20]

Anyway, I will just try it and if problems arise, I will just roll it back. Thanks! :)