AlienVault® USM Anywhere™

Running Queries from the Details View of an Event

  Role Availability: Read-Only, Analyst, Manager

To run a user-initiated agent query from the details view of an Event

  1. Go to ACTIVITY > EVENTS.
  2. Click the event to display its details.
  3. Click Select Action > Agent Query.
  4. The asset related to the event is already selected. Select the query to run from the list of available agent queries. Two of the queries take parameters: Get file information needs the file path, and Get network connection information needs the remote IP address and the remote port.

     Query Name                             | Platform                  | Description
     Get Docker container running processes | macOS, Linux              | Get the list of processes running in each Docker container
     Get Docker containers details          | macOS, Linux              | Get a list of details for each Docker container
     Get file information                   | Windows, Linux, and macOS | Get information about the file specified in the first parameter. You must include the file path
     Get IE typed URLs                      | Windows                   | Get the list of Internet Explorer typed URLs
     Get firewall configuration             | Windows                   | List the firewall configuration for the different profiles and rules
     Get installed packages history         | macOS                     | Get the list of the latest packages installed on the system
     Get logged-in users                    | Windows, Linux, and macOS | List the users currently logged in
     Get listening processes                | Windows, Linux, and macOS | List the processes with listening sockets
     Get network connections                | Windows, Linux, and macOS | List the current network connections
     Get network connection information     | Linux                     | Get information about a network connection, matched on the remote address (first parameter) and the remote port (second parameter). You must include both the IP address and the port
     Get network shares                     | Windows                   | Get the list of network shared resources on the system
     Get persistence registry keys          | Windows                   | Get the registry key values commonly used by attackers for persistence
     Get recent files                       | Windows                   | Get the list of recent files
     Get recent items                       | macOS                     | List recently opened files
     Get running processes                  | Windows, Linux, and macOS | List running processes
     Get running services                   | Windows                   | List running services
     Get SSH authorized keys                | macOS, Linux              | Get the list of SSH authorized keys allowed on the system
     Get users launchd services             | macOS                     | Get the list of LaunchAgents and LaunchDaemons installed on the system
     Get wifi connection status             | macOS                     | Get information about the current wifi connection
     Get wifi preferred connections         | macOS                     | Get information about the preferred wifi connections

  5. Click Run. A popup window displays.
  6. Click OK, or click Create rule for similar events if you want to create a response action rule for similar events. See Response Action Rules from the Orchestration Rules Page for further details.

    When the query completes, its results appear as events. You can also click the Agent tab in the details of the asset to see the Query History, which lists the name of each query, the date on which it ran, and its status (Query In Progress, Processing Events, or Completed); once a query is complete, a View Results link opens the events filtered to that query's results.

    Note: A query generates events only when you run it. It does not keep generating events afterwards; run the query again if you want fresh results.
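    The socket-related queries in the list above (Get listening processes, Get network connections, Get network connection information) are executed by the USM Anywhere agent on the asset. The following is an added example, not part of this documentation or of the product, of collecting the same data by hand on a Linux host from /proc/net/tcp, for instance to cross-check what a query returned or to triage a host that has no agent installed. The function names, the sample rows and the 192.168.0.12:443 connection are constructed for the example; the event fields the agent emits are not reproduced.

```shell
#!/bin/sh
# Added example: manual Linux equivalents of the listening-socket and
# connection-information agent queries, built from /proc/net/tcp.
# Not USM Anywhere code.

# /proc/net/tcp stores IPv4 addresses as little-endian hex and ports as hex,
# e.g. 0100007F:1F90 is 127.0.0.1:8080. Decode one "ADDR:PORT" token.
decode_addr() {
    hex_ip=${1%%:*}
    hex_port=${1##*:}
    printf '%d.%d.%d.%d:%d\n' \
        "0x$(printf '%s' "$hex_ip" | cut -c7-8)" \
        "0x$(printf '%s' "$hex_ip" | cut -c5-6)" \
        "0x$(printf '%s' "$hex_ip" | cut -c3-4)" \
        "0x$(printf '%s' "$hex_ip" | cut -c1-2)" \
        "0x$hex_port"
}

# Translate the kernel's TCP state code to a name (the subset that matters for triage).
state_name() {
    case $1 in
        01) echo ESTABLISHED ;;
        06) echo TIME_WAIT ;;
        0A) echo LISTEN ;;
        *)  echo "STATE_$1" ;;
    esac
}

# Equivalent of "Get listening processes": every socket in LISTEN state with the
# owning uid and the socket inode. Argument: path to a /proc/net/tcp-format file.
listening_sockets() {
    tail -n +2 "$1" | while read -r _sl laddr raddr st rest; do
        [ "$st" = "0A" ] || continue
        # rest = tx_queue:rx_queue tr:tm->when retrnsmt uid timeout inode ...
        set -- $rest
        echo "$(decode_addr "$laddr") uid=$4 inode=$6"
    done
}

# Equivalent of "Get network connection information": rows whose remote endpoint
# matches the remote address (first parameter) and remote port (second parameter).
connection_info() {
    want="$1:$2"
    tail -n +2 "$3" | while read -r _sl laddr raddr st rest; do
        peer=$(decode_addr "$raddr")
        [ "$peer" = "$want" ] || continue
        set -- $rest
        echo "local=$(decode_addr "$laddr") remote=$peer state=$(state_name "$st") uid=$4 inode=$6"
    done
}

# On a live host, map a socket inode to its PID(s) via the /proc/<pid>/fd symlinks.
# Uses GNU find's -lname; needs root to see other users' processes. Not run on the sample.
pid_for_inode() {
    find /proc/[0-9]*/fd -maxdepth 1 -lname "socket:\[$1\]" 2>/dev/null | cut -d/ -f3 | sort -u
}

# Constructed sample in /proc/net/tcp format (not captured from a real host):
# a listener on 0.0.0.0:22, one on 127.0.0.1:8080, and an outbound connection
# from 10.0.0.10:54000 to 192.168.0.12:443. Prints the path of a temp file.
sample_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:D2F0 0C00A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
EOF
    echo "$f"
}

# Demo against the sample; on a real Linux host pass /proc/net/tcp instead of "$f".
f=$(sample_file)
echo "== listening sockets =="
listening_sockets "$f"
echo "== connection to 192.168.0.12:443 =="
connection_info 192.168.0.12 443 "$f"
rm -f "$f"
```

    The inode printed by both helpers is the join key to a process: on a live host, pid_for_inode 12347 resolves it through /proc/<pid>/fd, which is what turns "listening socket" into "listening process". IPv6 sockets live in /proc/net/tcp6 with 32-hex-digit addresses and are not decoded here.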