Isolation | Wazuh Live Response
In security incident response, the ability to quickly isolate a compromised endpoint is crucial. C-LR Isolation, a submodule of Wazuh Live Response, allows security teams to remotely isolate a Windows endpoint using Wazuh’s Active Response and the internal Windows firewall.
This guide will show how to use C-LR Isolation via the Wazuh API and DevTools.
How C-LR Isolation Works
When a security incident is detected, analysts can send an “isolate” command to an endpoint through the Wazuh API. The endpoint then applies firewall rules to block all network communication except for the Wazuh server and any other necessary hosts.
A “release” command can later be sent to remove the isolation and restore normal connectivity.
For now, it is only available for Windows endpoints.
Usage
- Copy the isolation.exe executable to the Active Response folder on the Windows agent:
C:\Program Files (x86)\ossec-agent\active-response\bin\
- We can deploy a lab environment by following these instructions to conduct testing.
Isolating a Host
- ≡ > Server management > Dev Tools > Console
- Change the agent ID and the Wazuh IPs accordingly.
```
PUT /active-response?agents_list=001
{
  "command": "!isolation.exe",
  "arguments": ["192.168.1.1", "192.168.1.2"],
  "alert": {
    "data": {
      "action": "isolate",
      "user": "c-137labs",
      "debug": false
    }
  }
}
```
- To observe the result, we can run an extended ping and monitor how the connection is lost.
- We can also find the audit event by applying the filter
data.origin.name:"C-LR"
in the Discover section of the Wazuh Dashboard.
- ≡ > Explorer > Discover
Releasing a Host from Isolation
To remove the isolation and restore normal connectivity:
```
PUT /active-response?agents_list=001
{
  "command": "!isolation.exe",
  "alert": {
    "data": {
      "action": "release",
      "user": "c-137labs",
      "debug": false
    }
  }
}
```
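The isolate and release requests above, scripted against the Wazuh API, as an added example that is not part of the C-LR project or of this page. It authenticates with the standard Wazuh API endpoint (POST /security/user/authenticate), builds the two bodies exactly as shown above and sends them with PUT /active-response. Everything about the environment is assumed: the API URL and credentials come from environment variables (WAZUH_API_URL, WAZUH_API_USER, WAZUH_API_PASSWORD, WAZUH_AGENT_ID, WAZUH_HOSTS, CLR_ACTION, WAZUH_VERIFY_TLS are names chosen for this example), isolation.exe is already deployed as described under Usage, and the sample allow-list addresses are the page's own 192.168.1.1 and 192.168.1.2. The checks that refuse an isolate without any allowed address or with a malformed one are this example's safeguards, not a documented requirement of the module.

```python
"""Send C-LR isolate/release commands through the Wazuh API (added example).

Assumptions (not from the page): the Wazuh API is reachable at WAZUH_API_URL
(default https://localhost:55000), authentication is the standard
POST /security/user/authenticate, and isolation.exe is already in the agent's
active-response\\bin folder. Run without WAZUH_API_PASSWORD for a dry run.
"""
import base64
import json
import os
import ssl
import urllib.request
from ipaddress import ip_address

# Leading "!" tells Active Response to run a custom script from active-response/bin.
ACTIVE_RESPONSE_COMMAND = "!isolation.exe"


def build_isolation_body(action, wazuh_hosts=(), user="c-137labs", debug=False):
    """Return the JSON body for PUT /active-response.

    action       "isolate" or "release".
    wazuh_hosts  addresses the endpoint may still reach while isolated (the Wazuh
                 server and any other necessary hosts); passed as "arguments" on
                 isolate, exactly as in the page's request. Release takes none.
    """
    if action not in ("isolate", "release"):
        raise ValueError(f"unsupported action: {action!r}")
    # ip_address() raises ValueError on a malformed address, so a typo never
    # turns into a wrong allow-list on the endpoint.
    hosts = [str(ip_address(h)) for h in wazuh_hosts]
    if action == "isolate" and not hosts:
        # This example's own safeguard: never isolate without an allow-list.
        raise ValueError("isolate requires at least the Wazuh server address")
    body = {
        "command": ACTIVE_RESPONSE_COMMAND,
        "alert": {"data": {"action": action, "user": user, "debug": debug}},
    }
    if action == "isolate":
        body["arguments"] = hosts
    return body


def active_response_request(agent_id, body, base_url="https://localhost:55000"):
    """Return (method, url, payload) for the Active Response API call."""
    if not (agent_id.isdigit() and len(agent_id) >= 3):
        raise ValueError("agent id is the zero-padded numeric id, e.g. '001'")
    url = f"{base_url}/active-response?agents_list={agent_id}"
    return "PUT", url, json.dumps(body).encode()


def _ssl_context(verify_tls):
    ctx = ssl.create_default_context()
    if not verify_tls:          # lab setups often run the API with a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def get_token(base_url, username, password, verify_tls=True):
    """Exchange API credentials for a JWT (POST /security/user/authenticate)."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/security/user/authenticate",
                                 method="POST",
                                 headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, context=_ssl_context(verify_tls)) as resp:
        return json.load(resp)["data"]["token"]


def send_active_response(token, method, url, payload, verify_tls=True):
    """Send the prepared request with the bearer token; return the parsed reply."""
    req = urllib.request.Request(url, data=payload, method=method,
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=_ssl_context(verify_tls)) as resp:
        return json.load(resp)


if __name__ == "__main__":
    base_url = os.environ.get("WAZUH_API_URL", "https://localhost:55000")
    agent = os.environ.get("WAZUH_AGENT_ID", "001")
    # Constructed sample allow-list, matching the page's example addresses.
    allow = os.environ.get("WAZUH_HOSTS", "192.168.1.1,192.168.1.2").split(",")
    action = os.environ.get("CLR_ACTION", "isolate")
    body = build_isolation_body(action, allow if action == "isolate" else ())
    method, url, payload = active_response_request(agent, body, base_url)
    password = os.environ.get("WAZUH_API_PASSWORD")
    if not password:
        print("dry run:", method, url, payload.decode())   # nothing is sent
    else:
        token = get_token(base_url, os.environ.get("WAZUH_API_USER", "wazuh"),
                          password, verify_tls=os.environ.get("WAZUH_VERIFY_TLS") != "0")
        print(json.dumps(send_active_response(token, method, url, payload), indent=2))
```

Set CLR_ACTION=release to send the second request from the page; the release body carries no "arguments" key, mirroring the example above. Keeping the body builder separate from the HTTP calls lets the isolate payload be reviewed (and logged) before anything reaches the endpoint.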
For more details, visit the official C-LR Isolation Docs