AlienVault® USM Anywhere™

Running Queries from the Details View of an Event

  Role Availability   Read-Only   Analyst   Manager

To run a user-initiated agent query from the details view of an Event

  1. Go to ACTIVITY > EVENTS.
  2. Click the event to display its details.
  3. Click Select Action > Agent Query.
  4. The asset related to the event is already selected. Select an action:
    • Get file information. Get information about the file specified in the first parameter. You must include the path of the file.
    • Get network connection information. Get information about a network connection based on the remote address (first parameter) and the remote port (second parameter). You must include both the IP address and the port.
    • List listening processes. List the processes that have listening sockets.
    • List logged-in users. List the users currently logged in.
    • List network connections. List the current network connections.
    • List running processes. List the processes currently running.

    Important: The Get network connection information query is only available for Linux agents.

  5. Click Run.
  6. A popup window opens.
  7. Click OK. Or, if you want to create a new rule, click Create rule for similar events instead. See Response Action Rules from the Orchestration Rules Page for further details.
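To make concrete what a "Get network connection information" or "List listening processes" result contains, and why the connection query is tied to Linux, the following added example parses the Linux /proc/net/tcp socket table and answers both questions locally. This is illustrative code written for this page, not the USM Anywhere agent's own implementation; it assumes (without the page saying so) that a Linux agent would read the kernel's socket table, and it embeds a constructed sample of that table so it runs offline. Mapping a socket's inode to the owning process (via /proc/<pid>/fd) is left out for brevity.

```python
"""Answer "which connections go to remote IP:port?" and "what is listening?"
from a Linux /proc/net/tcp table. Added example, not vendor code."""
import os
import socket
import struct

# Constructed sample of /proc/net/tcp (not captured from a real host).
# Row 0: sshd listening on 0.0.0.0:22; row 1: a local client connected to it;
# rows 2-3: two sockets to 93.184.216.34:443, one ESTABLISHED, one TIME_WAIT.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18501 1 0000000000000000 100 0 0 10 0
   1: 0100007F:8A3C 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 31042 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:B2E4 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 31311 1 0000000000000000 20 4 30 10 -1
   3: 0F02000A:B2E8 22D8B85D:01BB 06 00000000:00000000 00:00000000 00000000     0        0 0 3 0000000000000000
"""

# Kernel TCP state codes as they appear in the "st" column.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def _decode_addr(hex_addr: str):
    """Turn 'HHHHHHHH:PPPP' into ('a.b.c.d', port).

    /proc/net/tcp prints the IPv4 address as one 32-bit word in host byte
    order; the sample above mimics a little-endian (x86) host, so the word
    is unpacked little-endian to recover network byte order.
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str):
    """Parse the table text into a list of socket records (header skipped)."""
    records = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue  # tolerate a truncated or blank trailing line
        local_ip, local_port = _decode_addr(fields[1])
        remote_ip, remote_port = _decode_addr(fields[2])
        records.append({
            "local_ip": local_ip, "local_port": local_port,
            "remote_ip": remote_ip, "remote_port": remote_port,
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),  # key for the socket -> process lookup
        })
    return records


def find_connections(records, remote_ip: str, remote_port: int):
    """Analogue of 'Get network connection information': all sockets whose
    remote endpoint matches the given address and port, whatever their state."""
    return [r for r in records
            if r["remote_ip"] == remote_ip and r["remote_port"] == remote_port]


def listening_sockets(records):
    """Analogue of 'List listening processes' at the socket level."""
    return [r for r in records if r["state"] == "LISTEN"]


def snapshot_live(path: str = "/proc/net/tcp"):
    """Point-in-time read of the real table; the result is a snapshot, so it
    must be re-read to observe new connections (same as re-running a query)."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="ascii") as fh:
        return parse_proc_net_tcp(fh.read())


if __name__ == "__main__":
    recs = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for r in find_connections(recs, "93.184.216.34", 443):
        print(f"{r['local_ip']}:{r['local_port']} -> {r['remote_ip']}:{r['remote_port']} {r['state']} uid={r['uid']}")
    for r in listening_sockets(recs):
        print(f"LISTEN {r['local_ip']}:{r['local_port']} uid={r['uid']} inode={r['inode']}")
```

Note that a match in TIME_WAIT has no owning process any more (inode 0 in the sample), which is one reason a socket-level answer and a process-level answer to the same query can differ.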

    When the query is complete, the results appear as events in ACTIVITY > EVENTS. You can also click the Agent tab in the details of the asset to see the Query History, which shows the name of the query, the date on which it was run, and its status (Query In Progress, Processing Events, or Completed). Once the query is complete, a View Results link appears; it opens the events filtered to that query's results.

    Note: A query generates events only when you run it. Events are not generated continuously; run the query again if you want to generate new events.