To run a user-initiated agent query from the details view of an alarm:

- Go to Activity >
- Click the alarm to display its details.
- Select Select Action > Agent Query.
- The asset related to the alarm is already selected. Select an action.

| Action | Operating System | Description |
|---|---|---|
| Get Docker container running processes | macOS, Linux | Get the list of processes running in each Docker container. |
| Get Docker containers details | macOS, Linux | Get a list of details for each Docker container. |
| Get file information | Windows, Linux, and macOS | Get information from the file specified in the first parameter. You must include the file path of the file. |
| Get IE typed URLs | Windows | Get the list of Internet Explorer typed URLs. |
| Get firewall configuration | Windows | List firewall configurations for different profiles and rules. |
| Get installed packages history | macOS | Get the list of the latest packages installed on the system. |
| Get logged-in users | Windows, Linux, and macOS | List the currently logged-in users. |
| Get listening processes | Windows, Linux, and macOS | List the processes with listening sockets. |
| Get network connections | Windows, Linux, and macOS | List the current network connections. |
| Get network connection information | Linux | Get information from a network connection based on the remote address (first parameter) and the remote port (second parameter). You must include the port and the IP address. |
| Get network shares | Windows | Get the list of network shared resources from the system. |
| Get persistence registry keys | Windows | Get registry key values commonly used for persistence by attackers. |
| Get recent files | Windows | Get the list of recent files. |
| Get recent items | macOS | List recently opened files. |
| Get running processes | Windows, Linux, and macOS | List running processes. |
| Get running services | Windows | List running services. |
| Get SSH authorized keys | macOS, Linux | Get the list of SSH authorized keys allowed on the system. |
| Get users launchd services | macOS | Get the list of LaunchAgents and LaunchDaemons services installed on the system. |
| Get wifi connection status | macOS | Get information from the current wifi connection. |
| Get wifi preferred connections | macOS | Get information from the preferred wifi connections. |

- Click Run.

  A popup window displays.

- Click OK.

  Or click Create rule for similar events if you want to create a new rule. See Response Action Rules from the Orchestration Rules Page for more details.
When the query is complete, the results are visible in events. You can also click the Agent tab in the details of the asset to see the Query History. It shows the name of the query, the date on which the query was run, and the status (Query In Progress, Processing Events, and Completed); once the query is complete, a View Results link takes you to the filtered events.

Note: The queries generate events when you run them. They do not generate events continuously; you have to run the query again if you want to generate new events.