Documentation Center
AlienVault® USM Anywhere™

Using the AlienApp for Forensics and Response Actions

With the AlienApp for Forensics and Response, USM Anywhere can execute system-level functions instantly, through a user-executed action or through an automated rule or job, to coordinate forensics and response in a single action. (In USM Anywhere, you can execute an action from alarms, events, and vulnerabilities to run a scan, get forensic information, or execute a response for a configured AlienApp.) Rather than manually connecting to each host and executing system-level tasks for investigation and protection, you can use the AlienApp for Forensics and Response actions to gather forensic information or make system changes on assets monitored in USM Anywhere.

Important: Running the AlienApp for Forensics and Response actions requires that the target assets have assigned credentials that are suitable for administrative access to the host. For more information, see AlienApp for Forensics and Response Requirements.

Supported Actions

Each action that you run executes one or more functions on the host system for the target asset. Some of these functions collect system data and some perform enforcement operations. You can run an action manually from an event or alarm, or you can run an action from the AlienApp for Forensics and Response page for a specified asset. To automate these actions, you can schedule jobs to run an action for a specified asset, or you can create a response action rule to trigger an action from future events or alarms that meet your specified criteria.

Review the information in Data Collection Functions and Enforcement System Functions for detailed information about the functions supported by the AlienApp for Forensics and Response actions.

Forensic Profile Actions

The AlienApp for Forensics and Response provides multiple actions that you can use to investigate the target system by running a group of data collection functions. Each of these actions produces a forensic profile of the target asset at a particular level of detail.

USM Anywhere generates an event for each executed function included in the forensic profile. For more information about accessing these events, see Viewing Forensics and Response Events and Alarms.

Single Function Actions

For many of the most common functions, the AlienApp for Forensics and Response provides actions to launch a simple execution of that function.

Each entry below lists the action, the function it executes, and where the action can be launched from (availability).

Disable Networking
  Executes the Disable Networking enforcement function.
  Availability: AlienApp for Forensics and Response page; Event or Alarm; Scheduled Job; Orchestration Rule

Get Active Directory Assets
  Executes the Get Active Directory (AD) Assets data collection function. (Active Directory is a directory service that Microsoft developed for Windows domain networks.)
  Availability: Scheduled Job

Get Established Connections
  Executes the Get Established Connections data collection function.
  Availability: AlienApp for Forensics and Response page; Event or Alarm; Scheduled Job; Orchestration Rule

Get Users
  Executes the Get Users data collection function.
  Availability: AlienApp for Forensics and Response page; Event or Alarm; Scheduled Job; Orchestration Rule

Get Logged On Users
  Executes the Get Logged On Users data collection function.
  Availability: AlienApp for Forensics and Response page; Event or Alarm; Scheduled Job; Orchestration Rule

Get Processes with Hashes
  Executes the Get Processes with Hashes data collection function.
  Availability: AlienApp for Forensics and Response page; Event or Alarm; Scheduled Job; Orchestration Rule

Get Running Services
  Executes the Get Running Services data collection function.
  Availability: AlienApp for Forensics and Response page; Event or Alarm; Scheduled Job; Orchestration Rule

Get System Info
  Executes the Get System Info data collection function.
  Availability: AlienApp for Forensics and Response page; Event or Alarm; Scheduled Job; Orchestration Rule

Shutdown
  Executes the Shutdown enforcement function.
  Availability: AlienApp for Forensics and Response page; Event or Alarm; Scheduled Job; Orchestration Rule

Set Registry Key to String
  Executes the Set Registry Key to String enforcement function.
  Availability: AlienApp for Forensics and Response page; Event or Alarm; Orchestration Rule

Set Registry Key to DWORD
  Executes the Set Registry Key to DWORD enforcement function.
  Availability: AlienApp for Forensics and Response page; Event or Alarm; Orchestration Rule

Launch Query
  Executes the specified data collection or enforcement function. See Defining a Launch Query Action.
  Availability: AlienApp for Forensics and Response page; Event or Alarm; Scheduled Job; Orchestration Rule
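To make concrete what a data collection action of this kind yields for an analyst, the following PowerShell script is an added illustration, not the AlienApp's own implementation and not USM Anywhere's event format. It collects the two kinds of data the Get Processes with Hashes and Get Established Connections functions are named for on a Windows host, joins established TCP sessions to the process (and image hash) that owns them, and writes the snapshot as JSON. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, the NetTCPIP module (for Get-NetTCPConnection, present on Windows 8 / Server 2012 and later), and an elevated session so that image paths are readable; the field names in the output are this script's own choice.

```powershell
# Added example (not the AlienApp's code): local stand-in for a "processes
# with hashes" plus "established connections" collection on a Windows host.
# Assumes an elevated session and the NetTCPIP module. Field names are ours.

$collectedAt = (Get-Date).ToUniversalTime().ToString('o')

function Get-ProcessInventory {
    # One record per running process. Hashing is best-effort: a protected
    # process whose image path cannot be read yields Sha256 = $null and a
    # Note explaining why, rather than aborting the whole collection.
    Get-Process | ForEach-Object {
        $path = $null; $hash = $null; $note = $null; $start = $null
        try { $path = $_.Path } catch { }
        if ([string]::IsNullOrEmpty($path)) {
            $note = 'image path not readable'
        } else {
            try {
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction Stop).Hash
            } catch {
                $note = "hash failed: $($_.Exception.Message)"
            }
        }
        # StartTime access throws for some system processes; treat as unknown.
        try { $start = $_.StartTime.ToUniversalTime().ToString('o') } catch { }
        [pscustomobject]@{
            Pid       = $_.Id
            Name      = $_.ProcessName
            Path      = $path
            Sha256    = $hash
            StartTime = $start
            Note      = $note
        }
    }
}

function Get-EstablishedTcp {
    param([hashtable]$ProcessByPid)
    # Established TCP sessions joined to the owning process, so the analyst
    # sees which binary (and which image hash) holds each remote connection.
    Get-NetTCPConnection -State Established | ForEach-Object {
        $owner = $ProcessByPid[[int]$_.OwningProcess]
        [pscustomobject]@{
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            OwningPid     = $_.OwningProcess
            OwningName    = if ($owner) { $owner.Name } else { $null }
            OwningSha256  = if ($owner) { $owner.Sha256 } else { $null }
        }
    }
}

$processes = @(Get-ProcessInventory)

# Index by PID so the connection join is a hashtable lookup, not a scan.
$byPid = @{}
foreach ($p in $processes) { $byPid[[int]$p.Pid] = $p }

$connections = @(Get-EstablishedTcp -ProcessByPid $byPid)

$report = [pscustomobject]@{
    Host            = $env:COMPUTERNAME
    CollectedAt     = $collectedAt
    ProcessCount    = $processes.Count
    ConnectionCount = $connections.Count
    Processes       = $processes
    Connections     = $connections
}

# -Depth is raised because ConvertTo-Json's default (2) truncates nested arrays.
$stamp   = (Get-Date).ToUniversalTime().ToString('yyyyMMdd-HHmmss')
$outFile = Join-Path $env:TEMP ("forensic-snapshot-$stamp.json")
$report | ConvertTo-Json -Depth 5 | Set-Content -LiteralPath $outFile -Encoding UTF8
Write-Host "Wrote $($processes.Count) processes and $($connections.Count) established connections to $outFile"
```

Recording the image hash next to each established connection is the useful part: a remote session owned by a binary whose hash is unexpected is a far stronger lead than the connection alone, and keeping the failure reason in Note instead of dropping the record tells the analyst which processes were out of reach rather than silently absent.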

Running an Action

  Role Availability   Read-Only   Analyst   Manager

The AlienApp for Forensics and Response page provides an easy way to manually run a single Forensics and Response action. However, if it is an action that you want to run regularly for a specific asset, you should define a scheduled job to run the action. If you want to run the action as a response to certain events or alarms, you should define an orchestration rule.

To run a Forensics and Response action

  1. In USM Anywhere, go to DATA SOURCES > INTEGRATIONS.
  2. Click the AlienApps tab.

    [Screenshot: Access the AlienApps page]

  3. In the AlienApps page, click the Forensics and Response tile.

    [Screenshot: Click the Forensics and Response tile]

  4. If you have more than one deployed USM Anywhere Sensor, select the Sensor that you want to use to run the Forensics and Response action.

    This should be the Sensor that is associated with the asset that you want to specify as the target for the action.

    [Screenshot: Select a deployed sensor used to run the app]

  5. Select the ACTIONS tab.

  6. Review the list of actions to determine which action you want to run.

    Refer to the Data Collection Functions and Enforcement System Functions topics for detailed information about each of the supported functions. If the needed function does not have a specific action, you can use the generic Launch Query action to specify the function parameters.

  7. Next to the action that you want to use, click Run.

    [Screenshot: Click Run to launch the Forensics and Response action]

    This opens the Select Action dialog with the Select App, Select Sensor, and App Action options already set for running the action.

    [Screenshot: Specify the asset to run the Forensics and Response action]

  8. Specify the Asset that you want to use as a target for the action.

    You can start typing the name or IP address of the asset in the field to display matching items that you can select, or you can click the Browse Assets link to open the Select Asset dialog and browse the asset list to make your selection.

  9. Click Run.