AlienVault® USM Anywhere™

Launching a Forensics and Response Action from an Event or Alarm

Role Availability Read-Only Analyst   Manager

When you review the information in the Alarm Details or Event Details, you can easily launch a Forensics and Response action. If you want to apply the action to similar items that occur in the future, you can also create an orchestration rule directly from the executed action.

Review the information in Supported Actions to determine the action that you want to launch.

To launch a Forensics and Response action from an alarm or event

  1. Go to Activity > Alarms or Activity > Events.
  2. Click the alarm or event to open the details.
  3. Click Select Action.

    Click Select Action in the alarm details

  4. In the Select Action dialog box, select the Get Forensics Information tile.

    Select the action type to run for the alarm

    This displays the options for the selected action type.

  5. If you have more than one deployed USM Anywhere Sensor, select the sensor associated with the asset that you want to use as the target for the action.
  6. Click the App Action list and select the action you want to run for the asset(s).

    Select the Forensics and Response app action to run

  7. Specify the asset that you want to use as a target for the action.

    You can start typing the name or IP address of the asset in the field to display matching items that you can select. Or you can click Browse Assets to open the Select Asset dialog box and browse the asset list to make your selection.

  8. Click Run.

    After USM Anywhere initiates the action, it displays a confirmation dialog box.

    Create a rule to launch a Forensics and Response action for similar alarms

    If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms or Create rule for similar events and define the new rule. If not, click OK.