# Wazuh
Wazuh is a free and open source security platform that unifies XDR and SIEM capabilities. It protects workloads across on-premises, virtualized, containerized, and cloud-based environments.

## Asset Setup

The Wazuh connector supports the following: basic authentication using username and password. The port must be set to 55000 when connecting to Wazuh.

## Capabilities

The Wazuh connector has the following capabilities:

- Add Policies
- Assign Agent to Group
- Delete Policies
- Get Key
- Get Current User Info
- Get MITRE Groups
- Get MITRE Metadata
- Get MITRE Mitigations
- Get MITRE References
- Get MITRE Software
- Get MITRE Tactics
- Get MITRE Techniques
- Get Results
- Get Vulnerabilities
- List Agent
- And so on

## Configurations

### HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| username | Username | string | required |
| password | Password | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add Policies

Add a new policy. All fields need to be specified.

Endpoint URL: /security/policies

Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| pretty | boolean | optional | Parameter for Add Policies |
| wait_for_complete | boolean | optional | Parameter for Add Policies |
| name | string | required | Name of the resource |
| policy | object | required | Parameter for Add Policies |
| actions | array | required | Parameter for Add Policies |
| resources | array | required | Parameter for Add Policies |
| effect | string | required | Parameter for Add Policies |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| policy | object | Output field policy |
| actions | array | Output field actions |
| resources | array | Output field resources |
| effect | string | Output field effect |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "name": "normal policy",
      "policy": {}
    }
  }
]
```

### Assign Agent to Group

Assign an agent to a specified group.

Endpoint URL: /agents/{{agent_id}}/group/{{group_id}}

Method: PUT

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| agent_id | string | required | Agent ID. All possible values from 000 onwards, and this will be >= 3 characters |
| group_id | string | required | Unique identifier |
| pretty | boolean | optional | Parameter for Assign Agent to Group |
| wait_for_complete | boolean | optional | Parameter for Assign Agent to Group |
| force_single_group | boolean | optional | Parameter for Assign Agent to Group |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| affected_items | array | Output field affected_items |
| total_affected_items | number | Output field total_affected_items |
| total_failed_items | number | Output field total_failed_items |
| failed_items | array | Output field failed_items |
| message | string | Response message |
| error | number | Error message if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "message": "All selected agents were assigned to group3",
      "error": 0
    }
  }
]
```

### Delete Policies

Delete a list of policies or all policies in the system. Roles linked to policies are not going to be removed.

Endpoint URL: /security/policies

Method: DELETE

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| policy_ids | array | required | Unique identifier |
| pretty | boolean | optional | Parameter for Delete Policies |
| wait_for_complete | boolean | optional | Parameter for Delete Policies |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| affected_items | array | Output field affected_items |
| id | number | Unique identifier |
| name | string | Name of the resource |
| policy | object | Output field policy |
| actions | array | Output field actions |
| resources | array | Output field resources |
| effect | string | Output field effect |
| roles | array | Output field roles |
| total_affected_items | number | Output field total_affected_items |
| total_failed_items | number | Output field total_failed_items |
| failed_items | array | Output field failed_items |
| message | string | Response message |
| error | number | Error message if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "message": "All specified policies were deleted",
      "error": 0
    }
  }
]
```

### Get Current User Information

Get the information of the current user.

Endpoint URL: /security/users/me

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| pretty | boolean | optional | Parameter for Get Current User Information |
| wait_for_complete | boolean | optional | Parameter for Get Current User Information |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| affected_items | array | Output field affected_items |
| id | number | Unique identifier |
| username | string | Name of the resource |
| allow_run_as | boolean | Output field allow_run_as |
| roles | array | Output field roles |
| id | number | Unique identifier |
| name | string | Name of the resource |
| rule | object | Output field rule |
| FIND | object | Output field FIND |
| policies | array | Output field policies |
| id | number | Unique identifier |
| name | string | Name of the resource |
| policy | object | Output field policy |
| total_affected_items | number | Output field total_affected_items |
| total_failed_items | number | Output field total_failed_items |
| failed_items | array | Output field failed_items |
| message | string | Response message |
| error | number | Error message if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "message": "Current user information was returned",
      "error": 0
    }
  }
]
```

### Get Key

Return the key of an agent.

Endpoint URL: /agents/{{agent_id}}/key

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| agent_id | string | required | Agent ID. All possible values from 000 onwards, and this will be >= 3 characters |
| pretty | boolean | optional | Parameter for Get Key |
| wait_for_complete | boolean | optional | Parameter for Get Key |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| affected_items | array | Output field affected_items |
| id | string | Unique identifier |
| key | string | Output field key |
| total_affected_items | number | Output field total_affected_items |
| total_failed_items | number | Output field total_failed_items |
| failed_items | array | Output field failed_items |
| message | string | Response message |
| error | number | Error message if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "message": "Obtained keys for all selected agents",
      "error": 0
    }
  }
]
```

### Get MITRE Groups

Return the groups from the MITRE database.

Endpoint URL: /mitre/groups

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| group_ids | array | optional | List of MITRE's group IDs (separated by comma) |
| pretty | boolean | optional | Parameter for Get MITRE Groups |
| wait_for_complete | boolean | optional | Parameter for Get MITRE Groups |
| offset | number | optional | Parameter for Get MITRE Groups |
| limit | number | optional | Maximum number of elements to return. Although up to 100 000 can be specified, it is recommended not to exceed 500 elements |
| sort | string | optional | Sort the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order |
| search | string | optional | Look for elements containing the specified string. To obtain a complementary search, use '-' at the beginning |
| select | string | optional | Select which fields to return (separated by comma). Use '.' for nested fields |
| q | string | optional | Query to filter results by. For example q="status=active" |
| distinct | boolean | optional | Parameter for Get MITRE Groups |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| affected_items | array | Output field affected_items |
| mitre_version | string | Output field mitre_version |
| deprecated | number | Output field deprecated |
| description | string | Output field description |
| name | string | Name of the resource |
| id | string | Unique identifier |
| modified_time | string | Time value |
| created_time | string | Time value |
| software | array | Output field software |
| techniques | array | Output field techniques |
| references | array | Output field references |
| url | string | URL endpoint for the request |
| description | string | Output field description |
| source | string | Output field source |
| external_id | string | Unique identifier |
| total_affected_items | number | Output field total_affected_items |
| total_failed_items | number | Output field total_failed_items |
| failed_items | array | Output field failed_items |
| message | string | Response message |
| error | number | Error message if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "message": "MITRE groups information was returned",
      "error": 0
    }
  }
]
```

### Get MITRE Metadata

Return the metadata from the MITRE database.

Endpoint URL: /mitre/metadata

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| pretty | boolean | optional | Parameter for Get MITRE Metadata |
| wait_for_complete | boolean | optional | Parameter for Get MITRE Metadata |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| affected_items | array | Output field affected_items |
| key | string | Output field key |
| value | string | Value for the parameter |
| total_affected_items | number | Output field total_affected_items |
| total_failed_items | number | Output field total_failed_items |
| failed_items | array | Output field failed_items |
| message | string | Response message |
| error | number | Error message if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "message": "MITRE metadata information was returned",
      "error": 0
    }
  }
]
```

### Get MITRE Mitigations

Return the mitigations from the MITRE database.

Endpoint URL: /mitre/mitigations

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| mitigation_ids | array | optional | Unique identifier |
| pretty | boolean | optional | Parameter for Get MITRE Mitigations |
| wait_for_complete | boolean | optional | Parameter for Get MITRE Mitigations |
| offset | number | optional | Parameter for Get MITRE Mitigations |
| limit | number | optional | Parameter for Get MITRE Mitigations |
| sort | string | optional | Parameter for Get MITRE Mitigations |
| search | string | optional | Parameter for Get MITRE Mitigations |
| select | string | optional | Parameter for Get MITRE Mitigations |
| q | string | optional | Parameter for Get MITRE Mitigations |
| distinct | boolean | optional | Parameter for Get MITRE Mitigations |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| affected_items | array | Output field affected_items |
| mitre_version | string | Output field mitre_version |
| deprecated | number | Output field deprecated |
| description | string | Output field description |
| name | string | Name of the resource |
| id | string | Unique identifier |
| modified_time | string | Time value |
| created_time | string | Time value |
| techniques | array | Output field techniques |
| references | array | Output field references |
| url | string | URL endpoint for the request |
| source | string | Output field source |
| external_id | string | Unique identifier |
| total_affected_items | number | Output field total_affected_items |
| total_failed_items | number | Output field total_failed_items |
| failed_items | array | Output field failed_items |
| message | string | Response message |
| error | number | Error message if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "message": "MITRE mitigations information was returned",
      "error": 0
    }
  }
]
```

### Get MITRE References

Return the references from the MITRE database.

Endpoint URL: /mitre/references

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| reference_ids | array | optional | List of MITRE's references IDs (separated by comma) |
| pretty | boolean | optional | Parameter for Get MITRE References |
| wait_for_complete | boolean | optional | Parameter for Get MITRE References |
| offset | number | optional | First element to return in the collection, and this will be >= 0 |
| limit | number | optional | Maximum number of elements to return. Although up to 100 000 can be specified, it is recommended not to exceed 500 elements |
| sort | string | optional | Sort the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. Use '.' for nested fields |
| search | string | optional | Look for elements containing the specified string. To obtain a complementary search, use '-' at the beginning |
| select | string | optional | Select which fields to return (separated by comma). Use '.' for nested fields |
| q | string | optional | Query to filter results by. For example q="status=active" |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| affected_items | array | Output field affected_items |
| url | string | URL endpoint for the request |
| description | string | Output field description |
| source | string | Output field source |
| id | string | Unique identifier |
| type | string | Type of the resource |
| total_affected_items | number | Output field total_affected_items |
| total_failed_items | number | Output field total_failed_items |
| failed_items | array | Output field failed_items |
| message | string | Response message |
| error | number | Error message if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "message": "MITRE references information was returned",
      "error": 0
    }
  }
]
```

### Get MITRE Software

Return the software from the MITRE database.

Endpoint URL: /mitre/software

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| software_ids | array | optional | List of MITRE's software IDs (separated by comma) |
| pretty | boolean | optional | Parameter for Get MITRE Software |
| wait_for_complete | boolean | optional | Parameter for Get MITRE Software |
| offset | number | optional | First element to return in the collection, and this will be >= 0 |
| limit | number | optional | Maximum number of elements to return. Although up to 100 000 can be specified, it is recommended not to exceed 500 elements |
| sort | string | optional | Sort the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order |
| search | string | optional | Look for elements containing the specified string. To obtain a complementary search, use '-' at the beginning |
| select | string | optional | Select which fields to return (separated by comma). Use '.' for nested fields |
| q | string | optional | Query to filter results by. For example q="status=active" |
| distinct | boolean | optional | Parameter for Get MITRE Software |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| affected_items | array | Output field affected_items |
| mitre_version | string | Output field mitre_version |
| deprecated | number | Output field deprecated |
| description | string | Output field description |
| name | string | Name of the resource |
| id | string | Unique identifier |
| modified_time | string | Time value |
| created_time | string | Time value |
| groups | array | Output field groups |
| techniques | array | Output field techniques |
| references | array | Output field references |
| url | string | URL endpoint for the request |
| description | string | Output field description |
| source | string | Output field source |
| external_id | string | Unique identifier |
| total_affected_items | number | Output field total_affected_items |
| total_failed_items | number | Output field total_failed_items |
| failed_items | array | Output field failed_items |
| message | string | Response message |
| error | number | Error message if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "message": "MITRE software information was returned",
      "error": 0
    }
  }
]
```

### Get MITRE Tactics

Return the tactics from the MITRE database.

Endpoint URL: /mitre/tactics

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| tactic_ids | array | optional | List of MITRE's tactics IDs (separated by comma) |
| pretty | boolean | optional | Parameter for Get MITRE Tactics |
| wait_for_complete | boolean | optional | Parameter for Get MITRE Tactics |
| offset | number | optional | First element to return in the collection, and this will be >= 0 |
| limit | number | optional | Maximum number of elements to return. Although up to 100 000 can be specified, it is recommended not to exceed 500 elements |
| sort | string | optional | Sort the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order |
| search | string | optional | Look for elements containing the specified string. To obtain a complementary search, use '-' at the beginning |
| select | string | optional | Select which fields to return (separated by comma). Use '.' for nested fields |
| q | string | optional | Query to filter results by. For example q="status=active" |
| distinct | boolean | optional | Parameter for Get MITRE Tactics |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| affected_items | array | Output field affected_items |
| description | string | Output field description |
| name | string | Name of the resource |
| id | string | Unique identifier |
| modified_time | string | Time value |
| created_time | string | Time value |
| short_name | string | Name of the resource |
| techniques | array | Output field techniques |
| references | array | Output field references |
| url | string | URL endpoint for the request |
| source | string | Output field source |
| external_id | string | Unique identifier |
| total_affected_items | number | Output field total_affected_items |
| total_failed_items | number | Output field total_failed_items |
| failed_items | array | Output field failed_items |
| message | string | Response message |
| error | number | Error message if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "message": "All tactics information was returned",
      "error": 0
    }
  }
]
```

### Get MITRE Techniques

Return the techniques from the MITRE database.

Endpoint URL: /mitre/techniques

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| technique_ids | array | optional | List of MITRE's techniques IDs (separated by comma) |
| pretty | boolean | optional | Parameter for Get MITRE Techniques |
| wait_for_complete | boolean | optional | Parameter for Get MITRE Techniques |
| offset | number | optional | First element to return in the collection, and this will be >= 0 |
| limit | number | optional | Maximum number of elements to return. Although up to 100 000 can be specified, it is recommended not to exceed 500 elements |
| sort | string | optional | Sort the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order |
| search | string | optional | Look for elements containing the specified string. To obtain a complementary search, use '-' at the beginning |
| select | string | optional | Select which fields to return (separated by comma). Use '.' for nested fields |
| q | string | optional | Query to filter results by. For example q="status=active" |
| distinct | boolean | optional | Parameter for Get MITRE Techniques |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| affected_items | array | Output field affected_items |
| mitre_version | string | Output field mitre_version |
| network_requirements | number | Output field network_requirements |
| remote_support | number | Output field remote_support |
| mitre_detection | string | Output field mitre_detection |
| id | string | Unique identifier |
| modified_time | string | Time value |
| deprecated | number | Output field deprecated |
| created_time | string | Time value |
| name | string | Name of the resource |
| description | string | Output field description |
| tactics | array | Output field tactics |
| mitigations | array | Output field mitigations |
| software | array | Output field software |
| groups | array | Output field groups |
| references | array | Output field references |
| source | string | Output field source |
| description | string | Output field description |
| url | string | URL endpoint for the request |
| external_id | string | Unique identifier |
| total_affected_items | number | Output field total_affected_items |
| total_failed_items | number | Output field total_failed_items |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "message": "MITRE techniques information was returned",
      "error": 0
    }
  }
]
```

### Get Results

Return the rootcheck database of an agent.

Endpoint URL: /rootcheck/{{agent_id}}

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| agent_id | string | required | Agent ID. All possible values from 000 onwards, and this will be >= 3 characters |
| pretty | boolean | optional | Parameter for Get Results |
| wait_for_complete | boolean | optional | Parameter for Get Results |
| offset | number | optional | First element to return in the collection, and this will be >= 0 |
| limit | number | optional | Maximum number of elements to return. Although up to 100 000 can be specified, it is recommended not to exceed 500 elements |
| sort | string | optional | Sort the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order |
| search | string | optional | Look for elements containing the specified string. To obtain a complementary search, use '-' at the beginning |
| select | string | optional | Select which fields to return (separated by comma). Use '.' for nested fields |
| q | string | optional | Query to filter results by. For example q="status=active" |
| distinct | boolean | optional | Parameter for Get Results |
| status | string | optional | Status value |
| pci_dss | string | optional | Filter by PCI DSS requirement name |
| cis | string | optional | Filter by CIS requirement |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| affected_items | array | Output field affected_items |
| date_first | string | Output field date_first |
| log | string | Output field log |
| date_last | string | Output field date_last |
| status | string | Status value |
| total_affected_items | number | Output field total_affected_items |
| total_failed_items | number | Output field total_failed_items |
| failed_items | array | Output field failed_items |
| message | string | Response message |
| error | number | Error message if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "message": "All selected rootcheck information was returned",
      "error": 0
    }
  }
]
```

### Get Vulnerabilities

Return the vulnerabilities of an agent.

Endpoint URL: /vulnerability/{{agent_id}}

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| agent_id | string | required | Agent ID. All possible values from 000 onwards, and this will be >= 3 characters |
| pretty | boolean | optional | Parameter for Get Vulnerabilities |
| wait_for_complete | boolean | optional | Parameter for Get Vulnerabilities |
| offset | number | optional | First element to return in the collection, and this will be >= 0 |
| limit | number | optional | Maximum number of elements to return. Although up to 100 000 can be specified, it is recommended not to exceed 500 elements |
| sort | string | optional | Sort the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order |
| search | string | optional | Look for elements containing the specified string. To obtain a complementary search, use '-' at the beginning |
| select | array | optional | Select which fields to return (separated by comma). Use '.' for nested fields |
| q | string | optional | Query to filter results by. For example q="status=active" |
| distinct | boolean | optional | Parameter for Get Vulnerabilities |
| architecture | string | optional | Parameter for Get Vulnerabilities |
| cve | string | optional | Parameter for Get Vulnerabilities |
| name | string | optional | Name of the resource |
| version | string | optional | Parameter for Get Vulnerabilities |
| type | string | optional | Filter by CVE type |
| status | string | optional | Filter by CVE status |
| severity | string | optional | Parameter for Get Vulnerabilities |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| affected_items | array | Output field affected_items |
| severity | string | Output field severity |
| updated | string | Output field updated |
| version | string | Output field version |
| type | string | Type of the resource |
| name | string | Name of the resource |
| external_references | array | Output field external_references |
| condition | string | Output field condition |
| detection_time | string | Time value |
| cvss3_score | number | Score value |
| published | string | Output field published |
| architecture | string | Output field architecture |
| cve | string | Output field cve |
| status | string | Status value |
| title | string | Output field title |
| cvss2_score | number | Score value |
| total_affected_items | number | Output field total_affected_items |
| total_failed_items | number | Output field total_failed_items |
| failed_items | array | Output field failed_items |
| message | string | Response message |
| error | number | Error message if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "message": "All selected vulnerabilities were returned",
      "error": 0
    }
  }
]
```

### List Agents

Return information about all available agents or a list of them.

Endpoint URL: /agents

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| pretty | boolean | optional | Parameter for List Agents |
| wait_for_complete | boolean | optional | Parameter for List Agents |
| agents_list | array | optional | List of agent IDs (separated by comma). All agents are selected by default if not specified |
| offset | number | optional | First element to return in the collection, and this will be >= 0 |
| limit | number | optional | Maximum number of elements to return. Although up to 100 000 can be specified, it is recommended not to exceed 500 elements |
| select | array | optional | Select which fields to return (separated by comma). Use '.' for nested fields |
| sort | string | optional | Sort the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order |
| search | string | optional | Look for elements containing the specified string. To obtain a complementary search, use '-' at the beginning |
| status | array | optional | Filter by agent status (use commas to enter multiple statuses) |
| q | string | optional | Query to filter results by. For example q="status=active" |
| older_than | string | optional | Filter out agents whose time lapse from last keep alive signal is longer than the specified time in seconds, '[n days]d', '[n hours]h', '[n minutes]m' or '[n seconds]s'. For never connected agents, uses the register date |
| os.platform | string | optional | Parameter for List Agents |
| os.version | string | optional | Parameter for List Agents |
| os.name | string | optional | Name of the resource |
| manager | string | optional | Filter by manager hostname where agents are connected to |
| version | string | optional | Filter by agents version using one of the following formats: 'X.Y.Z', 'vX.Y.Z', 'wazuh X.Y.Z' or 'wazuh vX.Y.Z' |
| group | string | optional | Parameter for List Agents |
| node_name | string | optional | Name of the resource |
| name | string | optional | Name of the resource |
| ip | string | optional | Filter by the IP used by the agent to communicate with the manager. If it's not available, it will have the same value as registerIP |
| registerIP | string | optional | Filter by the IP used when registering the agent |
| group_config_status | string | optional | Agent groups configuration sync status |
| distinct | boolean | optional | Parameter for List Agents |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| affected_items | array | Output field affected_items |
| os | object | Output field os |
| arch | string | Output field arch |
| codename | string | Name of the resource |
| major | string | Output field major |
| minor | string | Output field minor |
| name | string | Name of the resource |
| platform | string | Output field platform |
| uname | string | Name of the resource |
| version | string | Output field version |
| lastKeepAlive | string | Output field lastKeepAlive |
| id | string | Unique identifier |
| dateAdd | string | Output field dateAdd |
| configSum | string | Output field configSum |
| manager | string | Output field manager |
| group | array | Output field group |
| registerIP | string | Output field registerIP |
| ip | string | Output field ip |
| name | string | Name of the resource |
| status | string | Status value |
| mergedSum | string | Output field mergedSum |
| version | string | Output field version |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "message": "All selected agents information was returned",
      "error": 0
    }
  }
]
```

### List Policies

Get all policies in the system, including the administrator policy.

Endpoint URL: /security/policies

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| policy_ids | array | optional | Unique identifier |
| limit | number | optional | Parameter for List Policies |
| offset | number | optional | Parameter for List Policies |
| pretty | boolean | optional | Parameter for List Policies |
| search | string | optional | Parameter for List Policies |
| select | array | optional | Parameter for List Policies |
| sort | string | optional | Parameter for List Policies |
| wait_for_complete | boolean | optional | Parameter for List Policies |
| q | string | optional | Parameter for List Policies |
| distinct | boolean | optional | Parameter for List Policies |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| affected_items | array | Output field affected_items |
| id | number | Unique identifier |
| name | string | Name of the resource |
| policy | object | Output field policy |
| actions | array | Output field actions |
| resources | array | Output field resources |
| effect | string | Output field effect |
| roles | array | Output field roles |
| total_affected_items | number | Output field total_affected_items |
| total_failed_items | number | Output field total_failed_items |
| failed_items | array | Output field failed_items |
| message | string | Response message |
| error | number | Error message if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "message": "All specified policies were returned",
      "error": 0
    }
  }
]
```

### Logout Current User

This method should be called to invalidate all the current user's tokens.

Endpoint URL: /security/user/authenticate

Method: DELETE

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| message | string | Response message |
| error | number | Error message if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

### Restart Agent

Restart the specified agent.

Endpoint URL: /agents/{{agent_id}}/restart

Method: PUT

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| agent_id | string | required | Agent ID. All possible values from 000 onwards, and this will be >= 3 characters |
| pretty | boolean | optional | Parameter for Restart Agent |
| wait_for_complete | boolean | optional | Parameter for Restart Agent |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| affected_items | array | Output field affected_items |
| total_affected_items | number | Output field total_affected_items |
| total_failed_items | number | Output field total_failed_items |
| failed_items | array | Output field failed_items |
| message | string | Response message |
| error | number | Error message if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "message": "Restart command sent to all agents",
      "error": 0
    }
  }
]
```

### Run Scan

Run a rootcheck scan in all agents or a list of them.

Endpoint URL: /rootcheck

Method: PUT

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| pretty | boolean | optional | Parameter for Run Scan |
| wait_for_complete | boolean | optional | Parameter for Run Scan |
| agents_list | array | optional | List of agent IDs (separated by comma). All agents are selected by default if not specified |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| affected_items | array | Output field affected_items |
| total_affected_items | number | Output field total_affected_items |
| total_failed_items | number | Output field total_failed_items |
| failed_items | array | Output field failed_items |
| message | string | Response message |
| error | number | Error message if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "message": "Rootcheck scan was restarted on returned agents",
      "error": 0
    }
  }
]
```

### Run Vulnerability Detector Scan

Run a vulnerability detector scan in all nodes.

Endpoint URL: /vulnerability

Method: PUT

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| pretty | boolean | optional | Parameter for Run Vulnerability Detector Scan |
| wait_for_complete | boolean | optional | Parameter for Run Vulnerability Detector Scan |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| affected_items | array | Output field affected_items |
| total_affected_items | number | Output field total_affected_items |
| total_failed_items | number | Output field total_failed_items |
| failed_items | array | Output field failed_items |
| message | string | Response message |
| error | number | Error message if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "message": "A vulnerability detector scan was requested in all nodes",
      "error": 0
    }
  }
]
```

### Update Policies

Modify a policy. At least one property must be indicated.

Endpoint URL: /security/policies/{{policy_id}}

Method: PUT

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| policy_id | string | required | Specify a policy ID |
| pretty | boolean | optional | Parameter for Update Policies |
| wait_for_complete | boolean | optional | Parameter for Update Policies |
| name | string | optional | Policy name, and this will be <= 64 characters |
| policy | object | required | Parameter for Update Policies |
| actions | array | required | Parameter for Update Policies |
| resources | array | required | Parameter for Update Policies |
| effect | array | required | Parameter for Update Policies |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| affected_items | array | Output field affected_items |
| id | number | Unique identifier |
| name | string | Name of the resource |
| policy | object | Output field policy |
| actions | array | Output field actions |
| resources | array | Output field resources |
| effect | string | Output field effect |
| roles | array | Output field roles |
| total_affected_items | number | Output field total_affected_items |
| total_failed_items | number | Output field total_failed_items |
| failed_items | array | Output field failed_items |
| message | string | Response message |
| error | number | Error message if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "message": "Policy was successfully updated",
      "error": 0
    }
  }
]
```

## Notes

More information on Wazuh can be found here: https://documentation.wazuh.com/current/user-manual/api/reference.html
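The conventions the actions above share (username/password authentication on port 55000, the `data.affected_items` envelope with `total_affected_items`, `failed_items` and `error`, and `offset`/`limit` paging kept at or below the recommended 500) put together as an added Python example; this is not code from the connector or from Wazuh. The JWT exchange via POST /security/user/authenticate and the Bearer header are assumptions taken from the Wazuh REST API rather than from this page, and the vulnerability records served by `demo_fetch` are constructed.

```python
from __future__ import annotations

import base64
import json
import ssl
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable

# The API accepts limit up to 100 000, but the reference recommends <= 500.
MAX_PAGE_SIZE = 500

# fetch(path, query_params) -> decoded JSON body (the connector's json_body).
Fetch = Callable[[str, dict], dict]


class WazuhApiError(RuntimeError):
    """The envelope's 'error' field was non-zero."""


def _tls_context(verify_ssl: bool) -> ssl.SSLContext:
    ctx = ssl.create_default_context()
    if not verify_ssl:  # same effect as the connector's verify_ssl option being off
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def authenticate(base_url: str, username: str, password: str, verify_ssl: bool = True) -> str:
    """Exchange basic-auth credentials for a JWT (assumed: POST /security/user/authenticate)."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url.rstrip('/')}/security/user/authenticate",
                                 method="POST", headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, context=_tls_context(verify_ssl), timeout=30) as resp:
        return json.load(resp)["data"]["token"]


def make_fetch(base_url: str, token: str, verify_ssl: bool = True) -> Fetch:
    """Build a live fetch callable sending the JWT as a Bearer token (not used offline)."""
    ctx = _tls_context(verify_ssl)

    def fetch(path: str, params: dict) -> dict:
        url = f"{base_url.rstrip('/')}{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)

    return fetch


def read_all(fetch: Fetch, path: str, params: dict | None = None,
             page_size: int = MAX_PAGE_SIZE) -> tuple[list[dict], list[dict]]:
    """Walk data.affected_items with offset/limit; return (items, failed_items).

    Raises WazuhApiError when the envelope's 'error' is non-zero, so a failed
    call is never mistaken for an empty result.
    """
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"page_size must be within 1..{MAX_PAGE_SIZE}")
    items, failed, offset = [], [], 0
    while True:
        body = fetch(path, {**(params or {}), "offset": offset, "limit": page_size})
        if body.get("error", 0) != 0:
            raise WazuhApiError(body.get("message", "unknown error"))
        data = body["data"]
        page = data.get("affected_items", [])
        items.extend(page)
        for item in data.get("failed_items", []):  # the same failures repeat on every page
            if item not in failed:
                failed.append(item)
        offset += len(page)
        if not page or offset >= data.get("total_affected_items", 0):
            return items, failed


def summarize_vulnerabilities(vulns: list[dict], min_cvss3: float = 7.0) -> dict:
    """Count findings per severity and list CVEs whose cvss3_score >= min_cvss3."""
    by_severity = Counter(v.get("severity", "Untriaged") for v in vulns)
    serious = sorted({v["cve"] for v in vulns if (v.get("cvss3_score") or 0) >= min_cvss3})
    return {"by_severity": dict(by_severity), "cves_at_or_above": serious}


# Constructed sample standing in for GET /vulnerability/001; CVE-0000-000x are
# placeholder identifiers, not real CVEs.
_DEMO_VULNS = [
    {"cve": "CVE-0000-0001", "severity": "Critical", "cvss3_score": 9.8, "status": "VALID"},
    {"cve": "CVE-0000-0002", "severity": "High", "cvss3_score": 7.5, "status": "VALID"},
    {"cve": "CVE-0000-0003", "severity": "Medium", "cvss3_score": 5.3, "status": "VALID"},
    {"cve": "CVE-0000-0002", "severity": "High", "cvss3_score": 7.5, "status": "VALID"},
    {"cve": "CVE-0000-0004", "severity": "Low", "cvss3_score": None, "status": "PENDING"},
]


def demo_fetch(path: str, params: dict) -> dict:
    """Offline stand-in for make_fetch(): serves _DEMO_VULNS in envelope form."""
    if path != "/vulnerability/001":
        return {"data": {}, "message": "constructed: unknown path", "error": 1}
    off, lim = params["offset"], params["limit"]
    page = _DEMO_VULNS[off:off + lim]
    return {"data": {"affected_items": page, "total_affected_items": len(_DEMO_VULNS),
                     "total_failed_items": 0, "failed_items": []},
            "message": "All selected vulnerabilities were returned", "error": 0}


if __name__ == "__main__":
    found, _ = read_all(demo_fetch, "/vulnerability/001", page_size=2)
    print(json.dumps(summarize_vulnerabilities(found), indent=2))
```

Against a live manager, replace `demo_fetch` with `make_fetch("https://<manager>:55000", authenticate(...))`; the paging and error handling are unchanged.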