
Breaking Free of Wazuh’s Active Response Limitations with Graylog and Copilot

3 min read · Jun 1, 2025


Wazuh’s Active Response is a game-changer for automating defensive actions. However, it’s not without limitations — particularly when you want to trigger a response based on threat-intelligence enrichment that happens only after Wazuh has already evaluated an event. Today, we’ll dive into a flexible solution that combines Wazuh, Graylog, and Copilot to overcome this challenge and unlock limitless automation possibilities.

The Challenge with Built-in Wazuh Active Response

While Wazuh offers built-in active response scripts, these can be limiting in scenarios where enrichment or correlation happens outside of Wazuh’s scope. For example:

  • Threat intelligence enrichment using Graylog happens after the Wazuh manager processes an event, meaning the Wazuh manager is unaware of the enriched context.
  • Wazuh’s native active response can’t easily accommodate triggers from external tools or post-enrichment insights.

This creates a gap in automation for many security teams.

The Solution: Graylog + Copilot + Wazuh Active Response API

Here’s how we close that gap:

  1. Graylog enriches events after Wazuh ingests and forwards them, adding threat intelligence or external context.
  2. Graylog’s alerting system detects when enriched events meet specific criteria, like a known malicious domain being queried.
  3. Graylog sends an HTTP notification to Copilot, which acts as an orchestrator.
  4. Copilot invokes Wazuh’s Active Response API, targeting a specific agent with a custom script.
  5. The response is executed — such as a Python-based DNS sinkhole script modifying the local /etc/hosts file on the endpoint.

Step-by-Step Walkthrough

❗️ — Follow the video at the beginning of this post for a live demonstration

1. Configure Copilot with Graylog

  • Add a custom API key and secret to secure communications.
  • Set up an HTTP notification in Graylog to trigger the Copilot endpoint (/api/graylog/invoke).
  • Test the notification to ensure connectivity.

2. Create the Custom Active Response Script

sudo chmod 750 /Library/Ossec/active-response/bin/domain_sinkhole.py
sudo chown root:wazuh /Library/Ossec/active-response/bin/domain_sinkhole.py
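The post does not show the body of domain_sinkhole.py. Below is an added, hypothetical version (not the post's or SOCFortress's script) that reads the JSON message wazuh-execd passes on stdin, takes the domain from the API call's arguments (parameters.extra_args[0], an assumed placement), and pins it to 127.0.0.1 in the hosts file idempotently; the sample message is constructed, not captured.

```python
#!/usr/bin/env python3
"""Hypothetical domain_sinkhole.py: a Wazuh active-response script that pins a
domain to a sinkhole address in the hosts file. Illustrative, not the post's code."""
import json
import sys

SINKHOLE_IP = "127.0.0.1"
HOSTS_PATH = "/etc/hosts"      # endpoint hosts file (macOS and Linux)
MARKER = "# wazuh-sinkhole"    # tags our lines so "delete" only removes ours

# Constructed sample of the stdin message wazuh-execd hands to the script.
SAMPLE_MESSAGE = json.dumps({
    "version": 1, "origin": {"name": "worker01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {"extra_args": ["Evil.Example.COM"], "alert": {},
                   "program": "domain_sinkhole.py"}})

def parse_ar_message(raw):
    """Return (command, domain) from the active-response JSON. The domain is
    assumed to arrive in parameters.extra_args[0] (the API's "arguments")."""
    msg = json.loads(raw)
    command = msg.get("command")
    extra = msg.get("parameters", {}).get("extra_args") or []
    domain = extra[0].strip().lower() if extra else None
    if command not in ("add", "delete") or not domain or " " in domain:
        raise ValueError("malformed active-response message")
    return command, domain

def apply_sinkhole(hosts_text, command, domain):
    """Return new hosts content. Adding twice yields one entry; delete strips
    only lines carrying MARKER for this domain, never the admin's own entries."""
    entry = f"{SINKHOLE_IP} {domain} {MARKER}"
    lines = [ln for ln in hosts_text.splitlines()
             if not (ln.endswith(MARKER) and ln.split()[1] == domain)]
    if command == "add":
        lines.append(entry)
    return "\n".join(lines) + "\n"

def main():
    command, domain = parse_ar_message(sys.stdin.read())
    with open(HOSTS_PATH, "r+", encoding="utf-8") as fh:
        updated = apply_sinkhole(fh.read(), command, domain)
        fh.seek(0)
        fh.write(updated)
        fh.truncate()

if __name__ == "__main__":
    main()
```

Run it with `echo "$SAMPLE_MESSAGE" | sudo python3 domain_sinkhole.py` to see the same path wazuh-execd takes; the script must keep the root:wazuh ownership and 750 mode set above, since it rewrites a root-owned file.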

3. Update Wazuh Manager Configuration

  • Add a custom command and active response block to ossec.conf, mapping the script and command name:

    <command>
      <name>domain_sinkhole</name>
      <executable>domain_sinkhole.py</executable>
      <timeout_allowed>no</timeout_allowed>
    </command>

    <active-response>
      <disabled>no</disabled>
      <command>domain_sinkhole</command>
      <location>local</location>
      <timeout>60</timeout>
    </active-response>

  • Restart the Wazuh manager to apply changes.

4. Define Graylog Alerting Rules

  • Set up event definitions in Graylog to trigger based on enriched threat intel fields, such as DNS query containing a malicious domain.
  • Set required fields (ACTION, COMMAND, AGENT_ID, and VALUE).

5. Testing

  • Generate a test event, such as a DNS query to a known malicious domain.
  • Observe Graylog enrichment and alert triggering.
  • Verify that the custom active response runs on the target endpoint, effectively sinkholing the domain.

Key Takeaways

This approach works around Wazuh’s limitation by enabling custom responses that are triggered externally, after enrichment. It supports various types of actions beyond DNS sinkholing. The setup can accommodate complex workflows, such as integrating with CrowdStrike, firewalls, or custom threat intelligence logic.

Conclusion

By combining Graylog, Copilot, and Wazuh’s Active Response API, you can unlock a powerful, modular, and flexible response system that overcomes the limitations of Wazuh’s built-in capabilities. This solution not only improves security posture but also adapts to the needs of modern SOC operations.

Ready to give your SIEM stack a boost? Try this integration and experience the limitless power of automated responses.

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).
