Documentation Center
AlienVault® USM Anywhere™

Launching a Forensics and Response Action from an Event or Alarm

  Role Availability: Read-Only, Analyst, Manager

When you review the information in the Alarm Details or Event Details, you can easily launch a Forensics and Response action. If you want to apply the action to similar items that occur in the future, you can also create an orchestration rule directly from the executed action.

Review the information in Supported Actions to determine the action that you want to launch.

To launch a Forensics and Response action from an alarm or event

  1. Navigate to ACTIVITY > ALARMS or ACTIVITY > EVENTS.
  2. Click the alarm or event to open the details.
  3. Click Select Action.

    Click Select Action in the alarm details

  4. In the Select Action dialog, select the Get Forensics Information tile.

    Select the action type to run for the alarm

    This displays the options for the selected action type.

  5. If you have more than one deployed USM Anywhere Sensor, select the Sensor associated with the asset that you want to use as the target for the action.
  6. Click the App Action list and select the action you want to run for the asset(s).

    Select the Forensics and Response app action to run

  7. Specify the Asset that you want to use as a target for the action.

    You can start typing the name or IP address of the asset in the field to display matching items that you can select. Or you can click the Browse Assets link to open the Select Asset dialog and browse the asset list to make your selection.

  8. Click Run.

    After USM Anywhere initiates the action, it displays a confirmation dialog.

    Create a rule to launch a Forensics and Response action for similar alarms

    If you want to create a rule that applies the same action to similar items that occur in the future, click Create rule for similar alarms or Create rule for similar events and define the new rule. Otherwise, click OK.