Key Takeaways
- The Wazuh REST API exposes the entire manager: agent queries, active-response triggering, rule and group management, and configuration. n8n's HTTP Request node can call all of it, which makes n8n a full controller for Wazuh-driven response.
- Authentication is JWT-based: n8n authenticates once to get a short-lived token, then uses it for subsequent calls. Store the API credentials as n8n secrets and scope the API user to least privilege.
- Active response is Wazuh's containment mechanism: firewall blocks, account disable, host isolation, process kill. n8n triggers these via the API, which means your SOAR layer can contain threats through Wazuh's own agents.
- The full loop: Wazuh alert triggers n8n, n8n queries the API for context, enriches, creates a TheHive case, and on approval triggers active response back through the Wazuh API, then updates the case.
- Disruptive actions stay human-gated. Auto-execute reversible containment on high-confidence indicators; require analyst approval to isolate critical hosts or disable accounts, exactly as in any sound SOAR design.
What the Wazuh API Exposes
Wazuh ships with a comprehensive REST API that is the programmatic front door to the entire manager. Anything the dashboard does, the API can do, which means an automation layer like n8n can read state and drive action without ever touching the dashboard or the command line. This is what makes Wazuh a genuine SOAR backend rather than just an alert source.
On the read side, the API exposes agent information (which agents exist, their status, OS, group membership, last keep-alive), rule and decoder details, the manager configuration, security configuration assessment results, vulnerability detection findings and more. An n8n workflow handling an alert can query the API to answer questions the alert itself does not contain: what group is this host in, when did it last check in, what other findings exist on it.
On the write side, the API can trigger active response on a specific agent, manage agents (add, remove, restart, upgrade), manage groups and their configuration, and reload rules. This write capability is what closes the response loop: a workflow that has decided a host needs containing can instruct Wazuh to execute the containment on that exact agent through the API.
The API is versioned and documented, and Wazuh maintains backward compatibility across minor versions, so workflows built against it are stable. For an n8n SOAR programme, the Wazuh API is the integration point that turns Wazuh from a detection tool into the hands that carry out automated response decisions.
Authenticating n8n to the Wazuh API Securely
The Wazuh API uses JWT authentication. A workflow first calls the authentication endpoint with API user credentials and receives a short-lived JSON Web Token; every subsequent API call carries that token in the Authorization header. The token expires after a configured lifetime, so long-running automation must re-authenticate when the token lapses rather than holding one token forever.
In n8n, implement this with an initial HTTP Request node that authenticates and captures the token, followed by the action calls that pass the token. For workflows that run frequently, a clean pattern is a small sub-workflow or cached credential that fetches and reuses a token until it nears expiry, then refreshes it, which avoids re-authenticating on every single call and respects the manager's load.
Treat the API credentials as high-value secrets, because an identity that can trigger active response can disable accounts and isolate hosts across your estate. Store them in n8n's credential store, never hard-coded in a workflow node, and restrict who can edit the workflows that hold them. The API user itself should be dedicated to the automation, not a shared admin account, so its actions are attributable and it can be rotated or revoked independently.
Apply least privilege through the Wazuh API's role-based access control. The automation user needs only the specific read and active-response permissions its workflows use, not full administrative rights. Scoping the role tightly means that even if the n8n instance is compromised, the blast radius is limited to the actions you deliberately granted, which is a meaningful containment of risk for such a powerful integration.
Need a Managed SOC Without Splunk-Level Costs?
Codesecure designs, deploys and operates open-source SOC stacks built on Wazuh, n8n, TheHive, Cortex and MISP for businesses across India, Singapore, UAE and Malaysia. ISO/IEC 27001:2022 certified delivery, named OSCP and CISSP analysts, fixed-price proposals.
See SOC Services →Triggering Active Response Through the API
Active response is Wazuh's built-in mechanism for taking action on an endpoint, and it is what n8n drives to contain threats. Active-response scripts run on the agent and can block an IP at the host firewall, disable a user account, kill a process, isolate the host from the network, or run any custom script you deploy. Wazuh ships several standard responses and you can add your own for environment-specific actions.
Triggering active response via the API means n8n decides when and where, rather than relying solely on a static rule in the manager. The workflow calls the active-response endpoint, specifying the command to run and the target agent. This decoupling is powerful: the decision logic, with all its enrichment, scoring and approval gating, lives in n8n, while the execution happens through Wazuh's agents that are already deployed everywhere.
Match the action to the threat and the asset. Blocking a known command-and-control IP at the host firewall is low-risk and reversible. Isolating a host from the network is high-impact and appropriate for confirmed compromise of a non-critical machine. Disabling an account disrupts a real user and almost always warrants a human decision. The workflow should select the response, and its gating, based on both the confidence in the threat and the criticality of the affected asset.
Build reversibility and logging into every active response. Firewall blocks and host isolation should have a defined path back, manual or time-based, so a mistaken or no-longer-needed containment does not become permanent. Every triggered response must be logged with the alert that caused it, the decision logic, the approving analyst where applicable, and the result returned by the API, so the action is fully accountable in the incident record.
Creating and Driving TheHive Cases
Automated response without a tracked case is invisible and unaccountable, so the integration writes to TheHive as it works. When an alert crosses the threshold to become an incident, the n8n workflow creates a TheHive case via TheHive API, populated with the alert detail, the enrichment results, the affected agent and the indicators as observables. The case exists before any human looks, with the full context already attached.
As the workflow progresses, it drives the case. Enrichment verdicts become case fields, the proposed containment becomes a task, and when an analyst approves an action, the case records who approved it and when. After active response executes through the Wazuh API, the result is written back to the case. The case becomes a complete, automatically maintained timeline of detection, analysis, decision and action, which is exactly what incident reviews and audits need.
TheHive is also where the human-in-the-loop approval naturally lives. The workflow can create a task or wait state in the case for analyst sign-off on a disruptive action, pause, and resume only when the analyst approves through the case interface or a linked notification. This keeps the analyst's decision in the same system that holds the evidence, rather than scattered across chat messages and consoles.
Closing the loop completes the case lifecycle. When containment succeeds and the threat is handled, the workflow updates the case status, records the final outcome, and attaches the active-response results and notifications sent. For repeat campaigns, the indicators captured as observables feed back into enrichment and detection, so each handled incident makes the next one faster to resolve.
The Full Automated Response Loop, End to End
Putting the pieces together produces a complete detect-to-contain loop. A Wazuh rule fires and the manager's integrator POSTs the alert to an n8n webhook. n8n authenticates to the Wazuh API and queries for context, the agent's group, status and existing findings, then enriches the indicators through reputation, GeoIP, VirusTotal and MISP as in any enrichment workflow. The result is a fully contextualised incident object in seconds.
n8n scores the incident and creates a TheHive case. For a high-confidence, low-risk situation, a known-bad IP communicating with a non-critical host, the workflow can auto-execute a reversible containment, blocking the IP at the host firewall through the Wazuh active-response API, and record it in the case. For anything disruptive or uncertain, the workflow opens an approval task in the case and waits, presenting the analyst with everything needed to decide.
On approval, n8n triggers the chosen active response through the Wazuh API against the specific agent, isolating the host, disabling the account, killing the process, then verifies the result and updates the case. The same n8n run handles the human side too, notifying stakeholders and, where relevant, affected users. From the alert firing to the threat contained and documented, the loop runs in minutes with a human authorising only the steps that genuinely need it.
This is the payoff of the whole stack: Wazuh detects and acts, n8n decides and orchestrates, TheHive tracks and holds the human approval, and the enrichment and threat-intel sources inform every step. It is built entirely on open-source components you self-host, with no per-event licensing, and every disruptive action stays under human control. That is the architecture Codesecure deploys and operates for managed-SOC clients who want automation without surrendering judgement.
Frequently Asked Questions
What can the Wazuh API do that the dashboard cannot?
The Wazuh API exposes everything the dashboard does, but programmatically, so an automation layer like n8n can both read state (agent status, groups, findings, configuration) and drive action (trigger active response, manage agents and groups, reload rules) without human interaction. That programmatic write capability is what turns Wazuh from an alert source into a response platform that n8n can orchestrate.
How does n8n authenticate to the Wazuh API?
The Wazuh API uses JWT authentication: n8n calls the authentication endpoint with a dedicated API user's credentials, receives a short-lived token, and passes that token on subsequent calls until it expires and must be refreshed. Store the credentials in n8n's credential store, use a dedicated least-privilege API user scoped through the API's role-based access control, and never hard-code credentials in a workflow node.
What is Wazuh active response and how does n8n use it?
Active response is Wazuh's mechanism for taking action on an endpoint through its agent: blocking an IP at the host firewall, disabling an account, killing a process, isolating the host, or running a custom script. n8n triggers active response via the Wazuh API, specifying the command and target agent, so the decision logic with its enrichment and approval gating lives in n8n while execution happens through Wazuh's already-deployed agents.
Should automated incident response actions require human approval?
Disruptive or irreversible actions should. Reversible, low-risk containment such as blocking a known-bad IP on a non-critical host can auto-execute on high-confidence indicators, but isolating critical hosts, disabling user accounts and similar high-impact actions should pause for analyst approval. The workflow gates actions based on both confidence in the threat and criticality of the affected asset, and logs every action for accountability.
How does TheHive fit into the n8n and Wazuh response loop?
TheHive is the case-management and human-approval layer. n8n creates a TheHive case populated with alert detail, enrichment and indicators before a human looks, drives the case as the workflow progresses, and uses a case task or wait state for analyst sign-off on disruptive actions. After active response runs through the Wazuh API, the result is written back, so the case is a complete, automatically maintained incident timeline for reviews and audits.
Is an open-source SOAR loop with Wazuh, n8n and TheHive production-ready?
Yes. Wazuh detects and executes active response, n8n decides and orchestrates, TheHive tracks and holds human approval, and enrichment sources inform each step, all self-hosted with no per-event licensing and every disruptive action under human control. Codesecure deploys and operates exactly this stack for managed-SOC clients across India, Singapore, UAE and Malaysia who want automation without surrendering analyst judgement.
Close the Loop From Detection to Containment
Codesecure builds the full open-source response loop, Wazuh detecting, n8n orchestrating, TheHive tracking, with disruptive actions gated behind analyst approval. ISO/IEC 27001:2022 certified delivery, named OSCP and CISSP analysts, fixed-price SOAR and managed-SOC engagements across India, Singapore, UAE and Malaysia.
