AlienVault® USM Anywhere™

Running Queries from the Details View of an Asset

Role Availability: Read-Only, Analyst, Manager

To run a user-initiated agent query from the details view of an asset

  1. Go to Environment > Assets.
  2. Search for the asset, click the blue chevron icon next to the name of the asset on which you want to run the agent query, and select Full Details.
  3. Select Actions > Agent Query.

     Menu for the Agent Query

  4. Select the query you want to run. The available queries are listed in the table below.

     List of available Agent Queries

     Query Name | Platform | Description
     Get Docker container running processes | macOS, Linux | Get the list of processes running in each Docker container.
     Get Docker containers details | macOS, Linux | Get a list of details for each Docker container.
     Get file information | Windows, Linux, and macOS | Get information about the file specified in the first parameter. You must include the full path of the file.
     Get IE typed URLs | Windows | Get the list of Internet Explorer typed URLs.
     Get firewall configuration | Windows | List firewall configurations for the different profiles and rules.
     Get installed packages history | macOS | Get the list of the most recently installed packages on the system.
     Get logged-in users | Windows, Linux, and macOS | List the currently logged-in users.
     Get listening processes | Windows, Linux, and macOS | List the processes with listening sockets.
     Get network connections | Windows, Linux, and macOS | List the current network connections.
     Get network connection information | Linux | Get information about a network connection based on the remote address (first parameter) and the remote port (second parameter). You must include both the IP address and the port.
     Get network shares | Windows | Get the list of network shared resources on the system.
     Get persistence registry keys | Windows | Get the registry key values commonly used for persistence by attackers.
     Get recent files | Windows | Get the list of recent files.
     Get recent items | macOS | List recently opened files.
     Get running processes | Windows, Linux, and macOS | List running processes.
     Get running services | Windows | List running services.
     Get SSH authorized keys | macOS, Linux | Get the list of SSH authorized keys allowed on the system.
     Get users launchd services | macOS | Get the list of LaunchAgents and LaunchDaemons services installed on the system.
     Get wifi connection status | macOS | Get information about the current wifi connection.
     Get wifi preferred connections | macOS | Get information about the preferred wifi connections.

  5. Click Run.
  6. A green message displays at the top of the page to inform you that the query is in progress. When the query completes, the results are visible in the events. You can also click the Agent tab in the asset details to see the Query History, which shows the name of the query, the date on which it was run, and its status (Query In Progress, Processing Events, or Completed). Once the query is complete, a View Results link appears; it opens the filtered events.

    Viewing the Query History through the Assets Details

    Note: The queries generate events when you run them. They do not generate events continuously; you have to run the query again if you want to generate new events.