Return the policy monitoring alerts for a given policy.
External Documentation: To learn more, visit the Wazuh Server documentation.

Basic Parameters

| Parameter | Description |
| --- | --- |
| Agent ID | The agent ID. |
| Command | The command to filter by. |
| Description | The description of the policy to filter by. |
| Distinct | Select to look for distinct values. |
| Fields | A comma-separated list, without any whitespace before or after the commas, of fields to return. Note: use `.` for nested fields, for example: `field1,field2.nestedField1,field3` |
| Limit | Maximum number of elements to return. |
| Offset | The offset of the first element to return. |
| Policy ID | The policy ID to filter by. |
| Pretty | Select to show results in human-readable format. |
| Query | A query to filter the results by. For example: `status=active` |
| Return All Pages | Automatically fetch all resources, page by page. |
| Search Text | A string used to filter elements containing the specified text. Note: to obtain a complementary search, use `-` at the beginning. |
| Sort | A comma-separated list, without any whitespace before or after the commas, of fields to sort by. Use `+`/`-` at the beginning to list in ascending or descending order. Use `.` for nested fields. |
| Title | The title to filter by. |
| Wait For Complete | Select to disable timeout response. |

Advanced Parameters

| Parameter | Description |
| --- | --- |
| Condition | Filter by condition. |
| Directory | Filter by directory. |
| File | Filter by full path. |
| Process | Filter by process name. |
| Rationale | The rationale to filter by. |
| Reason | Filter by reason. |
| References | Filter by references. |
| Registry | Filter by registry. |
| Remediation | Filter by remediation. |
| Result | Filter by result. |

Example Output

{
	"data": {
		"affected_items": [
			{
				"description": "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.",
				"id": 19000,
				"reason": "Invalid path or wrong permissions to run command 'modprobe -n -v cramfs'",
				"command": "modprobe -n -v cramfs,lsmod",
				"rationale": "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it.",
				"condition": "all",
				"title": "Ensure mounting of cramfs filesystems is disabled.",
				"result": "not applicable",
				"policy_id": "cis_ubuntu20-04",
				"remediation": "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install cramfs /bin/true. 2) Run the following command to unload the cramfs module: # rmmod cramfs",
				"compliance": [
					{
						"value": "1.1.1.1",
						"key": "cis"
					},
					{
						"value": "5.1",
						"key": "cis_csc"
					},
					{
						"value": "2.2.5",
						"key": "pci_dss"
					},
					{
						"value": "CC6.3",
						"key": "tsc"
					}
				],
				"rules": [
					{
						"type": "command",
						"rule": "c:modprobe -n -v cramfs -> r:^install /bin/true"
					},
					{
						"type": "numeric",
						"rule": "not c:lsmod -> r:cramfs"
					}
				]
			}
		],
		"total_affected_items": 191,
		"total_failed_items": 0,
		"failed_items": []
	},
	"message": "All selected SCA/policy information was returned",
	"error": 0
}
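As an added example (not part of this page, the Wazuh project, or the workflow library), the following Python processes a response of the shape shown above: it counts checks per `result`, and maps every non-passing check to its benchmark identifiers so the failing CIS items can be reported. The sample response is constructed: it keeps the real check 19000 from the output above and adds two invented checks (ids 19001 and 19002) so there is more than one result value to group.

```python
import json
from collections import Counter, defaultdict

# Constructed sample (example code, not from the page): the response shape shown
# above, trimmed to the fields used here, plus two constructed checks (ids 19001
# and 19002, invented titles) so there is more than one result value to group.
SAMPLE_RESPONSE = json.loads("""{
  "data": {"affected_items": [
    {"id": 19000, "title": "Ensure mounting of cramfs filesystems is disabled.",
     "result": "not applicable", "policy_id": "cis_ubuntu20-04",
     "reason": "Invalid path or wrong permissions to run command 'modprobe -n -v cramfs'",
     "compliance": [{"key": "cis", "value": "1.1.1.1"}, {"key": "pci_dss", "value": "2.2.5"}]},
    {"id": 19001, "title": "Constructed failing check", "result": "failed",
     "policy_id": "cis_ubuntu20-04", "compliance": [{"key": "cis", "value": "5.2.10"}]},
    {"id": 19002, "title": "Constructed passing check", "result": "passed",
     "policy_id": "cis_ubuntu20-04", "compliance": [{"key": "cis", "value": "5.1.1"}]}
  ], "total_affected_items": 3, "total_failed_items": 0, "failed_items": []},
  "message": "All selected SCA/policy information was returned", "error": 0}""")

def affected_items(response):
    """Return the checks, refusing to treat an API-level error as an empty result."""
    if response.get("error", 0) != 0:
        raise RuntimeError(f"API error {response['error']}: {response.get('message')}")
    return response["data"]["affected_items"]

def result_counts(response):
    """Count checks per 'result' value (passed / failed / not applicable)."""
    return Counter(item["result"] for item in affected_items(response))

def compliance_ids(check, key):
    """Benchmark identifiers for one check under a compliance key such as 'cis'."""
    return [c["value"] for c in check.get("compliance", []) if c["key"] == key]

def needs_attention(response, key="cis"):
    """Map benchmark ids to (result, reason) for every check that did not pass.
    'not applicable' is kept on purpose: as the sample above shows, it can mean the
    check command could not run, which is not evidence of compliance."""
    findings = defaultdict(list)
    for check in affected_items(response):
        if check["result"] == "passed":
            continue
        for cid in compliance_ids(check, key):
            findings[cid].append((check["result"], check.get("reason", "")))
    return dict(findings)

if __name__ == "__main__":
    print(result_counts(SAMPLE_RESPONSE))
    for cid, hits in sorted(needs_attention(SAMPLE_RESPONSE).items()):
        print(cid, hits)
```

Use `needs_attention(resp, key="pci_dss")` to report against another mapping carried in the `compliance` array.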

Workflow Library Example

Get Policy Checks with Wazuh Server and Send Results Via Email