Cybersecurity

Wazuh Active Response Tutorial: Real-Time File Monitoring and Deletion

July 8, 2026
General
Wazuh Active Response tutorial diagram showing a local automated defense robot arm deleting a test file on a Kali Linux terminal.

Wazuh Active Response

In this hands-on guide, we will step inside the security lab to build a completely automated, local active defense pipeline using Wazuh. You will learn how to configure the Wazuh Agent's File Integrity Monitoring (FIM) engine to watch critical directories in real-time. More importantly, we will bypass standard cloud-lookup delays and engineer a custom local Active Response script that intercepts newly added files the exact millisecond they land, shredding potential threats instantly

What We Will Cover:

  • Configuring Wazuh's Real-Time File Integrity Monitoring (FIM).

  • Monitoring security triggers via the Wazuh Dashboard.

  • Writing a custom local Active Response bash script to parse event data.

  • Executing live validation testing with dummy test strings.

Step 1: Open the Wazuh Configuration Editor

To configure our active response rule, navigate to the main menu on the left side of your Wazuh dashboard and follow these quick steps:

  1. Click on Server management to expand the dropdown menu.

  2. Select Settings from the list.

  3. This will open the settings panel where you can access the global manager configuration file (ossec.conf).

Screenshot (541)

Step 2: Edit the Manager Configuration

Once inside the Settings view, you need to open the raw XML configuration file:

  1. Look at the top right corner of the Configuration section.

  2. Click on the Edit configuration button.

  3. This will launch the interactive text editor containing your manager's central ossec.conf settings.

Screenshot (542)

Step 3: Add the Active Response Rule Block

Now, paste the configuration block that links file addition events directly to your local response script:

  1. Scroll down to the very bottom of the interactive text editor window.

  2. Just above the final </ossec_config> tag, insert the following XML block:

<!-- Trigger the script instantly when ANY file is added (Rule 554) -->
<active-response>
  <disabled>no</disabled>
  <command>remove-threat</command>
  <location>local</location>
  <rules_id>554</rules_id>
</active-response>

Click the Save button, then click Restart Manager to apply your changes instantly.

Screenshot (543)

Step 4: Restart the Agent and Generate a Test Alert

With the Wazuh Manager updated, switch back to your Kali Linux terminal to reload the agent engine and deploy your test payload

Restart the local endpoint monitor daemon by executing:

sudo systemctl restart wazuh-agent

Drop a brand-new dummy file into your monitored directory to trigger the automation pipeline instantly

echo "Fresh test run for the active response script" > ~/Desktop/malware_test/new_test.txt
Screenshot (544)

Step 5: Verify Automated File Deletion

Verify that the local automated defense pipeline caught the newly added file and executed successfully:

  1. Immediately list the contents of your monitored directory by running

ls -l ~/Desktop/malware_test/

The terminal output returns total 0

Screenshot (545)

The file new_test.txt has completely vanished from the directory. The automated Active Response script successfully intercepted the event and wiped out the file within a fraction of a second of its creation!

Step 6: Check the Alerts on the Wazuh Dashboard

The final step is to verify that the entire sequence was successfully monitored and logged by the SIEM:

  1. Head back to your browser window and refresh the Wazuh Dashboard under the Threat Hunting view.

  2. Look at the timestamp log table at the bottom. You will see a perfect chronological sequence of the automated defense action:

    • Rule 554 (File added to the system): Triggers the exact millisecond new_test.txt hits the directory.

    • Rule 553 (File deleted): Follows immediately right after, confirming that your custom script executed successfully and shredded the file.

Screenshot (546)

Step 7: Confirm Execution via Active Response Logs

The absolute final proof of execution lives inside the local agent's backend ledger. To view the raw validation timestamp:

  1. Return to your Kali Linux terminal and read the trailing lines of the active response log file:

sudo tail -n 5 /var/ossec/logs/active-responses.log

Look at the last entry matching your execution time. You will see an explicit confirmation string stating:

... active-response/bin/remove-threat.sh: Directly removed newly added file: /home/kali/Desktop/malware_test/new_test.txt
Screenshot (547)

This solidifies that the custom automated defense script ran perfectly end-to-end on the local endpoint!

Summary: The Power of Automated Mitigation

Building a reactive security architecture is no longer enough to protect modern endpoints. By combining Wazuh’s real-time File Integrity Monitoring (FIM) with a custom Active Response engine, we transformed a passive alert generator into a proactive, automated defense mechanism

👉 Want to catch up on the full lab setup? Check out my previous step-by-step guides:

Created by: NAVAL KISHOR V

NAVAL KISHOR V

NAVAL KISHOR V

Certified Ethical Hacker (CEH v13) and B.Sc. Computer Science graduate working as a Cyber Security Intern

CEH