# Wazuh
The Wazuh connector enables seamless integration with Swimlane Turbine, allowing users to automate security monitoring and threat response actions. Wazuh is a powerful security monitoring solution that helps organizations ensure compliance, monitor security events, and perform incident response. The Wazuh Turbine connector allows users to integrate Wazuh's capabilities directly into Swimlane Turbine's low-code automation platform. This integration empowers users to automate policy management, agent operations, and threat intelligence analysis, enhancing their security posture and response capabilities within the Swimlane ecosystem.

## Prerequisites

To effectively utilize the Wazuh connector within Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Basic Authentication with the following parameters:
  - URL: the endpoint URL for the Wazuh API
  - Username: the username for accessing the Wazuh API
  - Password: the password associated with the provided username

Wazuh is a free and open source security platform that unifies XDR and SIEM capabilities. It protects workloads across on-premises, virtualized, containerized, and cloud-based environments.

## Asset Setup

The Wazuh connector supports the following:

- Basic authentication using username and password.
- The port must be set to 55000 when connecting to Wazuh.

## Capabilities

The Wazuh connector has the following capabilities:

- Add Policies
- Assign Agent to Group
- Delete Policies
- Get Key
- Get Current User Info
- Get MITRE Groups
- Get MITRE Metadata
- Get MITRE Mitigations
- Get MITRE References
- Get MITRE Software
- Get MITRE Tactics
- Get MITRE Techniques
- Get Results
- Get Vulnerabilities
- List Agents
- and so on

## Notes

More information on Wazuh can be found at https://documentation.wazuh.com/current/user-manual/api/reference.html

## Configurations

### HTTP Basic Authentication

Authenticates using username and password.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| username | Username | string | required |
| password | Password | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add Policies

Adds a new policy to Wazuh with specified details, requiring both 'name' and 'policy' fields in the JSON body.

**Endpoint URL:** `/security/policies`

**Method:** POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.pretty | boolean | optional | Parameters for the Add Policies action |
| parameters.wait_for_complete | boolean | optional | Parameters for the Add Policies action |
| name | string | optional | Name of the resource |
| policy | object | optional | Parameter for Add Policies |
| policy.actions | array | required | Parameter for Add Policies |
| policy.resources | array | required | Parameter for Add Policies |
| policy.effect | string | required | Parameter for Add Policies |

#### Input Example

```json
{
  "parameters": {"pretty": false, "wait_for_complete": false},
  "json_body": {
    "name": "normal_policy",
    "policy": {
      "actions": ["security:delete"],
      "resources": ["agent:id:001"],
      "effect": "allow"
    }
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| policy | object | Output field policy |
| policy.actions | array | Output field policy actions |
| policy.resources | array | Output field policy resources |
| policy.effect | string | Output field policy effect |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "name": "normal_policy",
    "policy": {"actions": [], "resources": [], "effect": "allow"}
  }
}
```

### Assign Agent to Group

Assign a specified agent to a group in Wazuh using the agent's ID and the group's ID.

**Endpoint URL:** `/agents/{{agent_id}}/group/{{group_id}}`

**Method:** PUT

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.agent_id | string | required | Agent ID. All possible values from 000 onwards; this will be >= 3 characters |
| path_parameters.group_id | string | required | Parameters for the Assign Agent to Group action |
| parameters.pretty | boolean | optional | Parameters for the Assign Agent to Group action |
| parameters.wait_for_complete | boolean | optional | Parameters for the Assign Agent to Group action |
| parameters.force_single_group | boolean | optional | Parameters for the Assign Agent to Group action |

#### Input Example

```json
{
  "parameters": {"pretty": false, "wait_for_complete": false, "force_single_group": false},
  "path_parameters": {"agent_id": "001", "group_id": "003"}
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.affected_items | array | Response data |
| data.total_affected_items | number | Response data |
| data.total_failed_items | number | Response data |
| data.failed_items | array | Response data |
| message | string | Response message |
| error | number | Error message, if any |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "data": {"affected_items": [], "total_affected_items": 1, "total_failed_items": 0, "failed_items": []},
    "message": "All selected agents were assigned to group3",
    "error": 0
  }
}
```

### Delete Policies

Deletes specified policies from Wazuh by policy IDs, or all system policies, excluding linked roles.

**Endpoint URL:** `/security/policies`

**Method:** DELETE

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.policy_ids | array | required | Parameters for the Delete Policies action |
| parameters.pretty | boolean | optional | Parameters for the Delete Policies action |
| parameters.wait_for_complete | boolean | optional | Parameters for the Delete Policies action |

#### Input Example

```json
{"parameters": {"policy_ids": ["100"], "pretty": false, "wait_for_complete": false}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.affected_items | array | Response data |
| data.affected_items.id | number | Response data |
| data.affected_items.name | string | Response data |
| data.affected_items.policy | object | Response data |
| data.affected_items.policy.actions | array | Response data |
| data.affected_items.policy.resources | array | Response data |
| data.affected_items.policy.effect | string | Response data |
| data.affected_items.roles | array | Response data |
| data.total_affected_items | number | Response data |
| data.total_failed_items | number | Response data |
| data.failed_items | array | Response data |
| message | string | Response message |
| error | number | Error message, if any |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "data": {"affected_items": [], "total_affected_items": 1, "total_failed_items": 0, "failed_items": []},
    "message": "All specified policies were deleted",
    "error": 0
  }
}
```

### Get Current User Information

Retrieve details about the current user in Wazuh, including roles and permissions.

**Endpoint URL:** `/security/users/me`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.pretty | boolean | optional | Parameters for the Get Current User Information action |
| parameters.wait_for_complete | boolean | optional | Parameters for the Get Current User Information action |

#### Input Example

```json
{"parameters": {"pretty": false, "wait_for_complete": false}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.affected_items | array | Response data |
| data.affected_items.id | number | Response data |
| data.affected_items.username | string | Response data |
| data.affected_items.allow_run_as | boolean | Response data |
| data.affected_items.roles | array | Response data |
| data.affected_items.roles.id | number | Response data |
| data.affected_items.roles.name | string | Response data |
| data.affected_items.roles.rule | object | Response data |
| data.affected_items.roles.rule.FIND | object | Response data |
| data.affected_items.roles.policies | array | Response data |
| data.affected_items.roles.policies.id | number | Response data |
| data.affected_items.roles.policies.name | string | Response data |
| data.affected_items.roles.policies.policy | object | Response data |
| data.total_affected_items | number | Response data |
| data.total_failed_items | number | Response data |
| data.failed_items | array | Response data |
| message | string | Response message |
| error | number | Error message, if any |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "data": {"affected_items": [], "total_affected_items": 1, "total_failed_items": 0, "failed_items": []},
    "message": "Current user information was returned",
    "error": 0
  }
}
```

### Get Key

Retrieves the authentication key for a specified agent in Wazuh using the agent's ID.

**Endpoint URL:** `/agents/{{agent_id}}/key`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.agent_id | string | required | Agent ID. All possible values from 000 onwards; this will be >= 3 characters |
| parameters.pretty | boolean | optional | Parameters for the Get Key action |
| parameters.wait_for_complete | boolean | optional | Parameters for the Get Key action |

#### Input Example

```json
{
  "parameters": {"pretty": false, "wait_for_complete": false},
  "path_parameters": {"agent_id": "002"}
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.affected_items | array | Response data |
| data.affected_items.id | string | Response data |
| data.affected_items.key | string | Response data |
| data.total_affected_items | number | Response data |
| data.total_failed_items | number | Response data |
| data.failed_items | array | Response data |
| message | string | Response message |
| error | number | Error message, if any |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "data": {"affected_items": [], "total_affected_items": 1, "total_failed_items": 0, "failed_items": []},
    "message": "Obtained keys for all selected agents",
    "error": 0
  }
}
```

### Get MITRE Groups

Retrieve groups from the MITRE database within Wazuh, providing an overview of threat actor groupings.

**Endpoint URL:** `/mitre/groups`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.group_ids | array | optional | List of MITRE's group IDs (separated by comma) |
| parameters.pretty | boolean | optional | Parameters for the Get MITRE Groups action |
| parameters.wait_for_complete | boolean | optional | Parameters for the Get MITRE Groups action |
| parameters.offset | number | optional | Parameters for the Get MITRE Groups action |
| parameters.limit | number | optional | Maximum number of elements to return. Although up to 100,000 can be specified, it is recommended not to exceed 500 elements |
| parameters.sort | string | optional | Sort the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order |
| parameters.search | string | optional | Look for elements containing the specified string. To obtain a complementary search, use '-' at the beginning |
| parameters.select | string | optional | Select which fields to return (separated by comma). Use '.' for nested fields |
| parameters.q | string | optional | Query to filter results by. For example q="status=active" |
| parameters.distinct | boolean | optional | Parameters for the Get MITRE Groups action |

#### Input Example

```json
{
  "parameters": {
    "group_ids": ["intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340"],
    "pretty": false,
    "wait_for_complete": false,
    "offset": 0,
    "limit": 500,
    "sort": "field1,field2",
    "search": "-search",
    "select": "field1,field2",
    "q": "status=active",
    "distinct": false
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.affected_items | array | Response data |
| data.affected_items.mitre_version | string | Response data |
| data.affected_items.deprecated | number | Response data |
| data.affected_items.description | string | Response data |
| data.affected_items.name | string | Response data |
| data.affected_items.id | string | Response data |
| data.affected_items.modified_time | string | Response data |
| data.affected_items.created_time | string | Response data |
| data.affected_items.software | array | Response data |
| data.affected_items.techniques | array | Response data |
| data.affected_items.references | array | Response data |
| data.affected_items.references.url | string | Response data |
| data.affected_items.references.description | string | Response data |
| data.affected_items.references.source | string | Response data |
| data.affected_items.references.external_id | string | Response data |
| data.total_affected_items | number | Response data |
| data.total_failed_items | number | Response data |
| data.failed_items | array | Response data |
| message | string | Response message |
| error | number | Error message, if any |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "data": {"affected_items": [], "total_affected_items": 111, "total_failed_items": 0, "failed_items": []},
    "message": "MITRE groups information was returned",
    "error": 0
  }
}
```

### Get MITRE Metadata

Retrieve metadata from the MITRE database using the Wazuh connector.

**Endpoint URL:** `/mitre/metadata`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.pretty | boolean | optional | Parameters for the Get MITRE Metadata action |
| parameters.wait_for_complete | boolean | optional | Parameters for the Get MITRE Metadata action |

#### Input Example

```json
{"parameters": {"pretty": false, "wait_for_complete": false}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.affected_items | array | Response data |
| data.affected_items.key | string | Response data |
| data.affected_items.value | string | Response data |
| data.total_affected_items | number | Response data |
| data.total_failed_items | number | Response data |
| data.failed_items | array | Response data |
| message | string | Response message |
| error | number | Error message, if any |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "data": {"affected_items": [], "total_affected_items": 2, "total_failed_items": 0, "failed_items": []},
    "message": "MITRE metadata information was returned",
    "error": 0
  }
}
```

### Get MITRE Mitigations

Retrieve a list of mitigation strategies from the MITRE database using Wazuh.

**Endpoint URL:** `/mitre/mitigations`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.mitigation_ids | array | optional | Parameters for the Get MITRE Mitigations action |
| parameters.pretty | boolean | optional | Parameters for the Get MITRE Mitigations action |
| parameters.wait_for_complete | boolean | optional | Parameters for the Get MITRE Mitigations action |
| parameters.offset | number | optional | Parameters for the Get MITRE Mitigations action |
| parameters.limit | number | optional | Parameters for the Get MITRE Mitigations action |
| parameters.sort | string | optional | Parameters for the Get MITRE Mitigations action |
| parameters.search | string | optional | Parameters for the Get MITRE Mitigations action |
| parameters.select | string | optional | Parameters for the Get MITRE Mitigations action |
| parameters.q | string | optional | Parameters for the Get MITRE Mitigations action |
| parameters.distinct | boolean | optional | Parameters for the Get MITRE Mitigations action |

#### Input Example

```json
{
  "parameters": {
    "mitigation_ids": ["course-of-action--02f0f92a-0a51-4c94-9bda-6437b9a93f22"],
    "pretty": false,
    "wait_for_complete": false,
    "offset": 0,
    "limit": 500,
    "sort": "field1,field2",
    "search": "-search",
    "select": "field1,field2",
    "q": "status=active",
    "distinct": false
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.affected_items | array | Response data |
| data.affected_items.mitre_version | string | Response data |
| data.affected_items.deprecated | number | Response data |
| data.affected_items.description | string | Response data |
| data.affected_items.name | string | Response data |
| data.affected_items.id | string | Response data |
| data.affected_items.modified_time | string | Response data |
| data.affected_items.created_time | string | Response data |
| data.affected_items.techniques | array | Response data |
| data.affected_items.references | array | Response data |
| data.affected_items.references.url | string | Response data |
| data.affected_items.references.source | string | Response data |
| data.affected_items.references.external_id | string | Response data |
| data.total_affected_items | number | Response data |
| data.total_failed_items | number | Response data |
| data.failed_items | array | Response data |
| message | string | Response message |
| error | number | Error message, if any |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "data": {"affected_items": [], "total_affected_items": 266, "total_failed_items": 0, "failed_items": []},
    "message": "MITRE mitigations information was returned",
    "error": 0
  }
}
```

### Get MITRE References

Retrieve MITRE database references to enhance threat intelligence and inform security strategies.

**Endpoint URL:** `/mitre/references`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.reference_ids | array | optional | List of MITRE's reference IDs (separated by comma) |
| parameters.pretty | boolean | optional | Parameters for the Get MITRE References action |
| parameters.wait_for_complete | boolean | optional | Parameters for the Get MITRE References action |
| parameters.offset | number | optional | First element to return in the collection; this will be >= 0 |
| parameters.limit | number | optional | Maximum number of elements to return. Although up to 100,000 can be specified, it is recommended not to exceed 500 elements |
| parameters.sort | string | optional | Sort the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. Use '.' for nested fields |
| parameters.search | string | optional | Look for elements containing the specified string. To obtain a complementary search, use '-' at the beginning |
| parameters.select | string | optional | Select which fields to return (separated by comma). Use '.' for nested fields |
| parameters.q | string | optional | Query to filter results by. For example q="status=active" |

#### Input Example

```json
{
  "parameters": {
    "reference_ids": ["attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298"],
    "pretty": false,
    "wait_for_complete": false,
    "offset": 0,
    "limit": 500,
    "sort": "field1,field2",
    "search": "-search",
    "select": "field1,field2",
    "q": "status=active"
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.affected_items | array | Response data |
| data.affected_items.url | string | Response data |
| data.affected_items.description | string | Response data |
| data.affected_items.source | string | Response data |
| data.affected_items.id | string | Response data |
| data.affected_items.type | string | Response data |
| data.total_affected_items | number | Response data |
| data.total_failed_items | number | Response data |
| data.failed_items | array | Response data |
| message | string | Response message |
| error | number | Error message, if any |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "data": {"affected_items": [], "total_affected_items": 5212, "total_failed_items": 0, "failed_items": []},
    "message": "MITRE references information was returned",
    "error": 0
  }
}
```

### Get MITRE Software

Retrieve software details from the MITRE database using Wazuh, providing insights into known tools and techniques.

**Endpoint URL:** `/mitre/software`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.software_ids | array | optional | List of MITRE's software IDs (separated by comma) |
| parameters.pretty | boolean | optional | Parameters for the Get MITRE Software action |
| parameters.wait_for_complete | boolean | optional | Parameters for the Get MITRE Software action |
| parameters.offset | number | optional | First element to return in the collection; this will be >= 0 |
| parameters.limit | number | optional | Maximum number of elements to return. Although up to 100,000 can be specified, it is recommended not to exceed 500 elements |
| parameters.sort | string | optional | Sort the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order |
| parameters.search | string | optional | Look for elements containing the specified string. To obtain a complementary search, use '-' at the beginning |
| parameters.select | string | optional | Select which fields to return (separated by comma). Use '.' for nested fields |
| parameters.q | string | optional | Query to filter results by. For example q="status=active" |
| parameters.distinct | boolean | optional | Parameters for the Get MITRE Software action |

#### Input Example

```json
{
  "parameters": {
    "software_ids": ["007b44b6-e4c5-480b-b5b9-56f2081b1b7b"],
    "pretty": false,
    "wait_for_complete": false,
    "offset": 0,
    "limit": 500,
    "sort": "field1,field2",
    "search": "-search",
    "select": "field1,field2",
    "q": "status=active",
    "distinct": false
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.affected_items | array | Response data |
| data.affected_items.mitre_version | string | Response data |
| data.affected_items.deprecated | number | Response data |
| data.affected_items.description | string | Response data |
| data.affected_items.name | string | Response data |
| data.affected_items.id | string | Response data |
| data.affected_items.modified_time | string | Response data |
| data.affected_items.created_time | string | Response data |
| data.affected_items.groups | array | Response data |
| data.affected_items.techniques | array | Response data |
| data.affected_items.references | array | Response data |
| data.affected_items.references.url | string | Response data |
| data.affected_items.references.description | string | Response data |
| data.affected_items.references.source | string | Response data |
| data.affected_items.references.external_id | string | Response data |
| data.total_affected_items | number | Response data |
| data.total_failed_items | number | Response data |
| data.failed_items | array | Response data |
| message | string | Response message |
| error | number | Error message, if any |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "data": {"affected_items": [], "total_affected_items": 444, "total_failed_items": 0, "failed_items": []},
    "message": "MITRE software information was returned",
    "error": 0
  }
}
```

### Get MITRE Tactics

Retrieve a list of tactics from the MITRE ATT&CK database using the Wazuh integration.

**Endpoint URL:** `/mitre/tactics`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.tactic_ids | array | optional | List of MITRE's tactic IDs (separated by comma) |
| parameters.pretty | boolean | optional | Parameters for the Get MITRE Tactics action |
| parameters.wait_for_complete | boolean | optional | Parameters for the Get MITRE Tactics action |
| parameters.offset | number | optional | First element to return in the collection; this will be >= 0 |
| parameters.limit | number | optional | Maximum number of elements to return. Although up to 100,000 can be specified, it is recommended not to exceed 500 elements |
| parameters.sort | string | optional | Sort the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order |
| parameters.search | string | optional | Look for elements containing the specified string. To obtain a complementary search, use '-' at the beginning |
| parameters.select | string | optional | Select which fields to return (separated by comma). Use '.' for nested fields |
| parameters.q | string | optional | Query to filter results by. For example q="status=active" |
| parameters.distinct | boolean | optional | Parameters for the Get MITRE Tactics action |

#### Input Example

```json
{
  "parameters": {
    "tactic_ids": ["x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e"],
    "pretty": false,
    "wait_for_complete": false,
    "offset": 0,
    "limit": 500,
    "sort": "field1,field2",
    "search": "-search",
    "select": "field1,field2",
    "q": "status=active",
    "distinct": false
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.affected_items | array | Response data |
| data.affected_items.description | string | Response data |
| data.affected_items.name | string | Response data |
| data.affected_items.id | string | Response data |
| data.affected_items.modified_time | string | Response data |
| data.affected_items.created_time | string | Response data |
| data.affected_items.short_name | string | Response data |
| data.affected_items.techniques | array | Response data |
| data.affected_items.references | array | Response data |
| data.affected_items.references.url | string | Response data |
| data.affected_items.references.source | string | Response data |
| data.affected_items.references.external_id | string | Response data |
| data.total_affected_items | number | Response data |
| data.total_failed_items | number | Response data |
| data.failed_items | array | Response data |
| message | string | Response message |
| error | number | Error message, if any |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "data": {"affected_items": [], "total_affected_items": 14, "total_failed_items": 0, "failed_items": []},
    "message": "All tactics information was returned",
    "error": 0
  }
}
```

### Get MITRE Techniques

Retrieve MITRE ATT&CK techniques from the Wazuh platform's integrated database.

**Endpoint URL:** `/mitre/techniques`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.technique_ids | array | optional | List of MITRE's technique IDs (separated by comma) |
| parameters.pretty | boolean | optional | Parameters for the Get MITRE Techniques action |
| parameters.wait_for_complete | boolean | optional | Parameters for the Get MITRE Techniques action |
| parameters.offset | number | optional | First element to return in the collection; this will be >= 0 |
| parameters.limit | number | optional | Maximum number of elements to return. Although up to 100,000 can be specified, it is recommended not to exceed 500 elements |
| parameters.sort | string | optional | Sort the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order |
| parameters.search | string | optional | Look for elements containing the specified string. To obtain a complementary search, use '-' at the beginning |
| parameters.select | string | optional | Select which fields to return (separated by comma). Use '.' for nested fields |
| parameters.q | string | optional | Query to filter results by. For example q="status=active" |
| parameters.distinct | boolean | optional | Parameters for the Get MITRE Techniques action |

#### Input Example

```json
{
  "parameters": {
    "technique_ids": ["attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109"],
    "pretty": false,
    "wait_for_complete": false,
    "offset": 0,
    "limit": 500,
    "sort": "field1,field2",
    "search": "-search",
    "select": "field1,field2",
    "q": "status=active",
    "distinct": false
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.affected_items | array | Response data |
| data.affected_items.mitre_version | string | Response data |
| data.affected_items.network_requirements | number | Response data |
| data.affected_items.remote_support | number | Response data |
| data.affected_items.mitre_detection | string | Response data |
| data.affected_items.id | string | Response data |
| data.affected_items.modified_time | string | Response data |
| data.affected_items.deprecated | number | Response data |
| data.affected_items.created_time | string | Response data |
| data.affected_items.name | string | Response data |
| data.affected_items.description | string | Response data |
| data.affected_items.tactics | array | Response data |
| data.affected_items.mitigations | array | Response data |
| data.affected_items.software | array | Response data |
| data.affected_items.groups | array | Response data |
| data.affected_items.references | array | Response data |
| data.affected_items.references.source | string | Response data |
| data.affected_items.references.description | string | Response data |
| data.affected_items.references.url | string | Response data |
| data.affected_items.references.external_id | string | Response data |
| data.total_affected_items | number | Response data |
| data.total_failed_items | number | Response data |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "data": {"affected_items": [], "total_affected_items": 1, "total_failed_items": 0, "failed_items": []},
    "message": "MITRE techniques information was returned",
    "error": 0
  }
}
```

### Get Results

Retrieve the rootcheck database for a specified agent in Wazuh using the agent's ID.

**Endpoint URL:** `/rootcheck/{{agent_id}}`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.agent_id | string | required | Agent ID. All possible values from 000 onwards; this will be >= 3 characters |
| parameters.pretty | boolean | optional | Parameters for the Get Results action |
| parameters.wait_for_complete | boolean | optional | Parameters for the Get Results action |
| parameters.offset | number | optional | First element to return in the collection; this will be >= 0 |
| parameters.limit | number | optional | Maximum number of elements to return. Although up to 100,000 can be specified, it is recommended not to exceed 500 elements |
| parameters.sort | string | optional | Sort the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order |
| parameters.search | string | optional | Look for elements containing the specified string. To obtain a complementary search, use '-' at the beginning |
| parameters.select | string | optional | Select which fields to return (separated by comma). Use '.' for nested fields |
| parameters.q | string | optional | Query to filter results by. For example q="status=active" |
| parameters.distinct | boolean | optional | Parameters for the Get Results action |
| parameters.status | string | optional | Parameters for the Get Results action |
| parameters.pci_dss | string | optional | Filter by PCI DSS requirement name |
| parameters.cis | string | optional | Filter by CIS requirement |

#### Input Example

```json
{
  "parameters": {
    "pretty": false,
    "wait_for_complete": false,
    "offset": 0,
    "limit": 500,
    "sort": "field1,field2",
    "search": "-search",
    "select": "field1,field2",
    "q": "status=active",
    "distinct": false,
    "status": "status",
    "pci_dss": "pci_dss",
    "cis": "cis"
  },
  "path_parameters": {"agent_id": [23487414]}
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.affected_items | array | Response data |
| data.affected_items.date_first | string | Response data |
| data.affected_items.log | string | Response data |
| data.affected_items.date_last | string | Response data |
| data.affected_items.status | string | Response data |
| data.total_affected_items | number | Response data |
| data.total_failed_items | number | Response data |
| data.failed_items | array | Response data |
| message | string | Response message |
| error | number | Error message, if any |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "data": {"affected_items": [], "total_affected_items": 2, "total_failed_items": 0, "failed_items": []},
    "message": "All selected rootcheck information was returned",
    "error": 0
  }
}
```

### Get Vulnerabilities

Retrieve a list of vulnerabilities associated with a specified agent in Wazuh using the agent's unique identifier.

**Endpoint URL:** `/vulnerability/{{agent_id}}`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.agent_id | string | required | Agent ID. All possible values from 000 onwards; this will be >= 3 characters |
| parameters.pretty | boolean | optional | Parameters for the Get Vulnerabilities action |
| parameters.wait_for_complete | boolean | optional | Parameters for the Get Vulnerabilities action |
| parameters.offset | number | optional | First element to return in the collection; this will be >= 0 |
| parameters.limit | number | optional | Maximum number of elements to return. Although up to 100,000 can be specified, it is recommended not to exceed 500 elements |
| parameters.sort | string | optional | Sort the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order |
| parameters.search | string | optional | Look for elements containing the specified string. To obtain a complementary search, use '-' at the beginning |
| parameters.select | array | optional | Select which fields to return (separated by comma). Use '.' for nested fields |
| parameters.q | string | optional | Query to filter results by. For example q="status=active" |
| parameters.distinct | boolean | optional | Parameters for the Get Vulnerabilities action |
| parameters.architecture | string | optional | Parameters for the Get Vulnerabilities action |
| parameters.cve | string | optional | Parameters for the Get Vulnerabilities action |
| parameters.name | string | optional | Parameters for the Get Vulnerabilities action |
| parameters.version | string | optional | Parameters for the Get Vulnerabilities action |
| parameters.type | string | optional | Filter by CVE type |
| parameters.status | string | optional | Filter by CVE status |
| parameters.severity | string | optional | Parameters for the Get Vulnerabilities action |

#### Input Example

```json
{
  "parameters": {
    "pretty": false,
    "wait_for_complete": false,
    "offset": 0,
    "limit": 500,
    "sort": "field1,field2",
    "search": "-search",
    "select": ["field1,field2"],
    "q": "status=active",
    "distinct": false,
    "architecture": "amd64",
    "cve": "cve",
    "name": "binutils",
    "version": "2.34-6ubuntu1.3",
    "type": "package",
    "status": "valid",
    "severity": "high"
  },
  "path_parameters": {"agent_id": [23487414]}
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.affected_items | array | Response data |
| data.affected_items.severity | string | Response data |
| data.affected_items.updated | string | Response data |
| data.affected_items.version | string | Response data |
| data.affected_items.type | string | Response data |
| data.affected_items.name | string | Response data |
| data.affected_items.external_references | array | Response data |
| data.affected_items.condition | string | Response data |
| data.affected_items.detection_time | string | Response data |
| data.affected_items.cvss3_score | number | Response data |
| data.affected_items.published | string | Response data |
| data.affected_items.architecture | string | Response data |
| data.affected_items.cve | string | Response data |
| data.affected_items.status | string | Response data |
| data.affected_items.title | string | Response data |
| data.affected_items.cvss2_score | number | Response data |
| data.total_affected_items | number | Response data |
| data.total_failed_items | number | Response data |
| data.failed_items | array | Response data |
| message | string | Response message |
| error | number | Error message, if any |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "data": {"affected_items": [], "total_affected_items": 2, "total_failed_items": 0, "failed_items": []},
    "message": "All selected vulnerabilities were returned",
    "error": 0
  }
}
```

### List Agents

Retrieve details on all available agents or a specified subset within the Wazuh platform.

**Endpoint URL:** `/agents`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.pretty | boolean | optional | Parameters for the List Agents action |
| parameters.wait_for_complete | boolean | optional | Parameters for the List Agents action |
| parameters.agents_list | array | optional | List of agent IDs (separated by comma); all agents are selected by default if not specified |
| parameters.offset | number | optional | First element to return in the collection; this will be >= 0 |
| parameters.limit | number | optional | Maximum number of elements to return. Although up to 100,000 can be specified, it is recommended not to exceed 500 elements |
| parameters.select | array | optional | Select which fields to return (separated by comma). Use '.' for nested fields |
| parameters.sort | string | optional | Sort the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order |
| parameters.search | string | optional | Look for elements containing the specified string. To obtain a complementary search, use '-' at the beginning |
| parameters.status | array | optional | Filter by agent status (use commas to enter multiple statuses) |
| parameters.q | string | optional | Query to filter results by. For example q="status=active" |
| parameters.older_than | string | optional | Filter out agents whose time lapse from the last keep-alive signal is longer than the specified time: in seconds, '[n_days]d', '[n_hours]h', '[n_minutes]m' or '[n_seconds]s'. For never-connected agents, the register date is used |
| parameters.os.platform | string | optional | Parameters for the List Agents action |
| parameters.os.version | string | optional | Parameters for the List Agents action |
| parameters.os.name | string | optional | Parameters for the List Agents action |
| parameters.manager | string | optional | Filter by the manager hostname the agents are connected to |
| parameters.version | string | optional | Filter by agent version using one of the following formats: 'X.Y.Z', 'vX.Y.Z', 'wazuh X.Y.Z' or 'wazuh vX.Y.Z' |
| parameters.group | string | optional | Parameters for the List Agents action |
| parameters.node_name | string | optional | Parameters for the List Agents action |
| parameters.name | string | optional | Parameters for the List Agents action |
| parameters.ip | string | optional | Filter by the IP used by the agent to communicate with the manager. If it is not available, it will have the same value as registerIP |
| parameters.registerIP | string | optional | Filter by the IP used when registering the agent |
| parameters.group_config_status | string | optional | Agent groups configuration sync status |
| parameters.distinct | boolean | optional | Parameters for the List Agents action |

#### Input Example

```json
{
  "parameters": {
    "pretty": false,
    "wait_for_complete": false,
    "agents_list": ["001"],
    "offset": 0,
    "limit": 500,
    "select": ["field1,field2"],
    "sort": "field1,field2",
    "search": "-search",
    "status": ["pending"],
    "q": "status=active",
    "older_than": "7d",
    "os.platform": "os.platform",
    "os.version": "os.version",
    "os.name": "os.name",
    "manager": "hostname",
    "version": "4.4.0",
    "group": "group",
    "node_name": "node",
    "name": "wazuh",
    "ip": "ip",
    "registerIP": "registerIP",
    "group_config_status": "synced",
    "distinct": false
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.affected_items | array | Response data |
| data.affected_items.os | object | Response data |
| data.affected_items.os.arch | string | Response data |
| data.affected_items.os.codename | string | Response data |
| data.affected_items.os.major | string | Response data |
| data.affected_items.os.minor | string | Response data |
| data.affected_items.os.name | string | Response data |
| data.affected_items.os.platform | string | Response data |
| data.affected_items.os.uname | string | Response data |
| data.affected_items.os.version | string | Response data |
| data.affected_items.lastKeepAlive | string | Response data |
| data.affected_items.id | string | Response data |
| data.affected_items.dateAdd | string | Response data |
| data.affected_items.configSum | string | Response data |
| data.affected_items.manager | string | Response data |
| data.affected_items.group | array | Response data |
| data.affected_items.registerIP | string | Response data |
| data.affected_items.ip | string | Response data |
| data.affected_items.name | string | Response data |
| data.affected_items.status | string | Response data |
| data.affected_items.mergedSum | string | Response data |
data data affected items version string response data output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"data" {"affected items" \[],"total affected items" 3,"total failed items" 0,"failed items" \[]},"message" "all selected agents information was returned","error" 0}} list policies retrieve all policies within the wazuh system, including details of the administrator policy endpoint url /security/policies method get input argument name type required description parameters policy ids array optional parameters for the list policies action parameters limit number optional parameters for the list policies action parameters offset number optional parameters for the list policies action parameters pretty boolean optional parameters for the list policies action parameters search string optional parameters for the list policies action parameters select array optional parameters for the list policies action parameters sort string optional parameters for the list policies action parameters wait for complete boolean optional parameters for the list policies action parameters q string optional parameters for the list policies action parameters distinct boolean optional parameters for the list policies action input example {"parameters" {"policy ids" \["100"],"limit" 100,"offset" 0,"pretty"\ false,"search" " search","select" \["filed1 filed2"],"sort" "field1 field2","wait for complete"\ false,"q" "status=active","distinct"\ false}} output parameter type description status code number http status code of the response reason string response reason phrase data object response data data affected items array response data data affected items id number response data data affected items name string response data data affected items policy object response data data affected items policy actions array response data data affected items policy resources array response data data affected items policy effect string response data data affected items roles 
array response data data total affected items number response data data total failed items number response data data failed items array response data message string response message error number error message if any output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"data" {"affected items" \[],"total affected items" 35,"total failed items" 0,"failed items" \[]},"message" "all specified policies were returned","error" 0}} logout current user invalidates all access tokens for the current user in wazuh, ensuring secure session termination endpoint url /security/user/authenticate method delete output parameter type description status code number http status code of the response reason string response reason phrase data object response data data message string response data data error number response data output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"data" {"message" "user wazuh was successfully logged out","error" 0}}} restart agent initiates a restart process for a specified agent in wazuh using the agent's unique id endpoint url /agents/{{agent id}}/restart method put input argument name type required description path parameters agent id string required agent id all possible values from 000 onwards and this will be >= 3 characters parameters pretty boolean optional parameters for the restart agent action parameters wait for complete boolean optional parameters for the restart agent action input example {"parameters" {"pretty"\ false,"wait for complete"\ false},"path parameters" {"agent id" "002"}} output parameter type description status code number http status code of the response reason string response reason phrase data object response data data affected items array response data data total affected items number response data data total failed items number response data data failed items array response data message string response message error number error message if any output example 
{"status code" 200,"response headers" {},"reason" "ok","json body" {"data" {"affected items" \[],"total affected items" 1,"total failed items" 0,"failed items" \[]},"message" "restart command sent to all agents","error" 0}} run scan initiates a rootcheck scan across all agents or specified ones within the wazuh platform endpoint url /rootcheck method put input argument name type required description parameters pretty boolean optional parameters for the run scan action parameters wait for complete boolean optional parameters for the run scan action parameters agents list array optional list of agent ids (separated by comma), all agents selected by default if not specified input example {"parameters" {"pretty"\ false,"wait for complete"\ false,"agents list" \["001"]}} output parameter type description status code number http status code of the response reason string response reason phrase data object response data data affected items array response data data total affected items number response data data total failed items number response data data failed items array response data message string response message error number error message if any output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"data" {"affected items" \[],"total affected items" 4,"total failed items" 0,"failed items" \[]},"message" "rootcheck scan was restarted on returned agents","error" 0}} run vulnerability detector scan initiates a vulnerability detector scan across all nodes in wazuh, identifying potential security threats endpoint url /vulnerability method put input argument name type required description parameters pretty boolean optional parameters for the run vulnerability detector scan action parameters wait for complete boolean optional parameters for the run vulnerability detector scan action input example {"parameters" {"pretty"\ false,"wait for complete"\ false}} output parameter type description status code number http status code of the response 
reason string response reason phrase data object response data data affected items array response data data total affected items number response data data total failed items number response data data failed items array response data message string response message error number error message if any output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"data" {"affected items" \[],"total affected items" 3,"total failed items" 0,"failed items" \[]},"message" "a vulnerability detector scan was requested in all nodes","error" 0}} update policies modify an existing policy in wazuh by specifying the policy id and at least one policy property to update endpoint url /security/policies/{{policy id}} method put input argument name type required description path parameters policy id string required specify a policy id parameters pretty boolean optional parameters for the update policies action parameters wait for complete boolean optional parameters for the update policies action name string optional policy name and this will be <= 64 characters policy object optional parameter for update policies policy actions array required parameter for update policies policy resources array required parameter for update policies policy effect array required parameter for update policies input example {"parameters" {"pretty"\ false,"wait for complete"\ false},"json body" {"name" "policy name","policy" {"actions" \["security\ delete"],"resources" \["resources"],"effect" \["deny"]}},"path parameters" {"policy id" \["100"]}} output parameter type description status code number http status code of the response reason string response reason phrase data object response data data affected items array response data data affected items id number response data data affected items name string response data data affected items policy object response data data affected items policy actions array response data data affected items policy resources array response data data 
affected items policy effect string response data data affected items roles array response data data total affected items number response data data total failed items number response data data failed items array response data message string response message error number error message if any output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"data" {"affected items" \[],"total affected items" 1,"total failed items" 0,"failed items" \[]},"message" "policy was successfully updated","error" 0}} response headers header description example content type the media type of the resource application/json date the date and time at which the message was originated thu, 01 jan 2024 00 00 00 gmt
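The list actions above (Get Vulnerabilities, List Agents, List Policies) share the same offset/limit paging and the same `data.affected_items` / `data.total_affected_items` / `error` envelope. The following is an added example, not code from the Swimlane connector or from Wazuh, that walks all pages of `/vulnerability/{{agent_id}}` within the recommended 500-element limit and ranks the findings by severity; the HTTP request is replaced by a hypothetical in-memory page fetcher so it runs offline, and the severity labels and CVE ids are constructed.

```python
"""Added example (not Swimlane's or Wazuh's code): page through GET /vulnerability/{agent_id}
with the documented offset/limit parameters and data.affected_items / data.total_affected_items
envelope, then rank findings by severity. The HTTP call is a constructed offline stand-in."""
from typing import Callable, Dict, List

RECOMMENDED_MAX_LIMIT = 500  # up to 100,000 is accepted, but the reference recommends <= 500
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}  # assumed severity labels

# Constructed sample findings with placeholder CVE ids (not real vulnerabilities).
SAMPLE_VULNS = [
    {"cve": f"CVE-0000-{i:04d}", "severity": sev, "name": "binutils", "status": "valid"}
    for i, sev in enumerate(["Low", "Medium", "High", "Critical", "Medium", "High", "Low"], 1)
]

def validate_agent_id(agent_id: str) -> str:
    """Agent IDs are zero-padded digit strings of at least 3 characters ('000' onwards)."""
    if not (agent_id.isdigit() and len(agent_id) >= 3):
        raise ValueError(f"invalid agent id: {agent_id!r}")
    return agent_id

def page_fetcher_for(agent_id: str) -> Callable[[int, int], Dict]:
    """Hypothetical stand-in for the connector's HTTP request; returns the documented envelope."""
    validate_agent_id(agent_id)
    def fetch(offset: int, limit: int) -> Dict:
        page = SAMPLE_VULNS[offset:offset + limit]
        return {"data": {"affected_items": page, "total_affected_items": len(SAMPLE_VULNS),
                         "total_failed_items": 0, "failed_items": []},
                "message": "All selected vulnerabilities were returned", "error": 0}
    return fetch

def collect_all(fetch_page: Callable[[int, int], Dict], limit: int = RECOMMENDED_MAX_LIMIT) -> List[Dict]:
    """Request successive pages until total_affected_items is reached; fail on a non-zero error."""
    if not 0 < limit <= RECOMMENDED_MAX_LIMIT:
        raise ValueError("limit must be between 1 and 500")
    items: List[Dict] = []
    offset = 0
    while True:
        body = fetch_page(offset, limit)
        if body.get("error", 0) != 0:
            raise RuntimeError(f"Wazuh API error {body['error']}: {body.get('message')}")
        page = body["data"]["affected_items"]
        items.extend(page)
        offset += len(page)
        if not page or offset >= body["data"]["total_affected_items"]:
            return items

def cves_at_or_above(vulns: List[Dict], min_severity: str = "High") -> List[str]:
    """CVE ids whose severity is at least min_severity, sorted for stable reporting."""
    floor = SEVERITY_RANK[min_severity]
    return sorted(v["cve"] for v in vulns if SEVERITY_RANK.get(v["severity"], 0) >= floor)
```

Calling `collect_all(page_fetcher_for("001"), limit=3)` issues three page requests (offsets 0, 3 and 6) and returns all seven constructed findings.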