Add quick active response function #16644
Replies: 1 comment
I would also be happy if Wazuh would integrate some kind of active response control / dashboard functionality since automating responses is a good and sensible function, but depending on the nature of the incident and quality of data as well as IOCs available that may not always be the best and surely not the "only" way, especially in the optimization phase of rulesets, decoders or response workflows that are yet to be refined or implemented. Ad-hoc response at the push of a button would be a great addition. Of course there are always the possibilities of implementing third party SOAR systems like Shuffle and integrating it with Wazuh. But what I am referring to is something that is not necessarily of automated nature. See for example the host response dashboard that comes with Elastic Security. Automating things should always be a good solution, but sometimes having general manual response capabilities is necessary. Maybe the basics of that are already present in the API in form of the agent control parts? Also, in my opinion it would improve the quality of Wazuh if there were more platform-independent response capabilities pre-fabricated available with the Wazuh agent. The customizability is absolutely wonderful, but raises the barrier for getting into active response features, when only a specific set of actions might be required in the beginning and vastly more customized actions only in a later phase. Another great thing would be a kind of automated installation wrapper that has the ability to ship several additions to the system that may be needed to extend the agent's capabilities, e.g. a YARA or ClamAV binary and all its dependencies, or several auditing tools whose outputs can be evaluated by Wazuh.
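Added example, not code from this discussion or from the Wazuh project: the "push-button" ad-hoc response the comment above asks about can already be driven from the manager's REST API, whose `PUT /active-response` endpoint runs a response script that is deployed on the selected agents. The manager URL, credentials, agent IDs and the alert data below are assumed placeholders; `firewall-drop` is one of the stock response scripts.

```python
"""Trigger an ad-hoc Wazuh active response through the manager REST API.

Assumptions (placeholders, not from the discussion): the API listens on
https://<manager>:55000 and the script named in `command` is already
deployed on the target agents.
"""
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlencode


def build_payload(command, arguments=None, alert_data=None, custom=False):
    """Body for PUT /active-response: the script name, its argument list and
    the alert.data object the script reads on stdin, as an automated trigger would send."""
    if not command or any(ch.isspace() for ch in command):
        raise ValueError("command must be a single script name")
    return {
        "command": command,
        "custom": custom,
        "arguments": list(arguments or []),
        "alert": {"data": dict(alert_data or {})},
    }


def build_url(base_url, agent_ids):
    """Endpoint URL; Wazuh agent IDs are zero-padded three-digit strings."""
    ids = ",".join(f"{int(a):03d}" for a in agent_ids)
    return f"{base_url.rstrip('/')}/active-response?{urlencode({'agents_list': ids})}"


def get_token(base_url, user, password, ctx):
    """Exchange API credentials for a JWT via POST /security/user/authenticate."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/security/user/authenticate", method="POST")
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode())
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["data"]["token"]


def trigger(base_url, token, agent_ids, payload, ctx):
    """Run the response on the listed agents and return the API's JSON reply."""
    req = urllib.request.Request(build_url(base_url, agent_ids),
                                 data=json.dumps(payload).encode(), method="PUT")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    ctx = ssl.create_default_context()  # keeps certificate verification on
    token = get_token("https://manager.example:55000", "wazuh-wui", "<password>", ctx)
    body = build_payload("firewall-drop", alert_data={"srcip": "203.0.113.5"})  # constructed alert
    print(trigger("https://manager.example:55000", token, ["001"], body, ctx))
```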
Hello, perfect tool, and it needs one small but very required option. On the security events dashboard, security alerts tab, you have to add a button or drop-down box in which we could select and activate a response. It should write info to config and do restart. This would be very useful for quick reaction.