# Wazuh

> Reference for the Tracecat Wazuh integration: registered actions, required secrets, expected inputs, and example workflow usage.

## Run command

Action ID: `tools.wazuh.active_response`

Run an Active Response command on Wazuh agents.

Reference: [https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.active\_response\_controller.run\_command](https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.active_response_controller.run_command)

### Secrets

Required secrets:

* `wazuh_wui`: required values `WAZUH_WUI_USERNAME`, `WAZUH_WUI_PASSWORD`.

### Input fields

<ParamField path="agents_list" type="string | null" required>
  Comma-separated list of agent IDs. If not specified, all agents are selected by default.
</ParamField>

<ParamField path="command" type="string" required>
  Command to run on the agent. If the value starts with `!`, it refers to a script name instead of a command name.
</ParamField>

<ParamField path="auth_token_exp_timeout" type="integer">
  Changes the base duration of the authentication token.

  Default: `900`.
</ParamField>

<ParamField path="base_url" type="string | null">
  URL for the Wazuh WUI API.

  Default: `null`.
</ParamField>

<ParamField path="verify_ssl" type="boolean">
  If `false`, disables SSL certificate verification; intended for use on internal networks.

  Default: `true`.
</ParamField>

## Update agents

Action ID: `tools.wazuh.update_agents`

Identifies outdated Wazuh agents and updates them.

Reference: [https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.agent\_controller.put\_upgrade\_agents](https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.agent_controller.put_upgrade_agents)

### Secrets

Required secrets:

* `wazuh_wui`: required values `WAZUH_WUI_USERNAME`, `WAZUH_WUI_PASSWORD`.

### Input fields

<ParamField path="auth_token_exp_timeout" type="integer">
  Changes the base duration of the authentication token.

  Default: `900`.
</ParamField>

<ParamField path="base_url" type="string | null">
  URL for the Wazuh WUI API.

  Default: `null`.
</ParamField>

<ParamField path="verify_ssl" type="boolean">
  If `false`, disables SSL certificate verification; intended for use on internal networks.

  Default: `true`.
</ParamField>
