Documentation Center
AlienVault® USM Anywhere™

Running Queries from the Response Action Rules

  Role Availability   Read-Only   Analyst   Manager

To run a user-initiated agent query from the Orchestration Rules page

  1. Navigate to SETTINGS > RULES.
  2. Click Create Orchestration Rule > Create Response Action Rule.
  3. Type a name for the rule.
  4. Select Agent Query as Action Type.
  5. Select the specific asset.
  6. Select a query in the Action field
    • Get file information. Get information from the file specified in the first parameter. You must include the file path of the file.
    • Get network connection information. Get information from a network connection based on the remote address (first parameter) and the remote port (second parameter). You must include the port and the IP address.
    • List listening processes. List the processes with listening sockets.
    • List logged-in users. List the current logged-in users.
    • List network connections. List the current network connections.
    • List running processes. List running processes.

    Important: The Get network connection information query is only available for the Linux agents.

  7. Click Add Condition and select the property values you want to include in the rule to create a matching condition.
  8. Note: If the field is related to the name of a country, you should use the country code defined by the ISO 3166.

    Note: Keep in mind that the Sources or Destinations field needs to match the UUID (Universally Unique Identifier) of the event or alarm. You can use Source Name(s) or Destination Name(s) instead.

  9. You can click Add Group to group your conditions.
  10. Note: See Operators in the Orchestration Rules for further information.

  11. (Optional) To include a multiple occurrence parameter, click the More... link.

    These options function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an alarmAlarms provide notification of an event or sequence of events that require attention or investigation. for an unauthorized accessAn incident-type categorization that may be a precursor to other actions or stages of an attack. attempt when a failed SSH Program to securely log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another through SCP.loginLog in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. occurs three times within a five minute window.

    • Occurrences — Specify the number of event occurrences that produce a match on the conditional expression to trigger the rule. You can enter the number of occurrences or use the arrow to scroll the value up or down.
    • Length — Specify the length of the window used to identify a match for multiple occurrences. Enter the number and choose a time unit value of seconds, minutes, or hours.

      This duration identifies the amount of time that transpires from the first occurrence to the last occurrence. If the number of occurrences is not met within this period, the rule is not a match.

    Specify multiple occurances to match for the rule

    In this example, the rule will apply when the configured conditions happen three times every five minutes.

  12. Click Save Rule.

    The created rule will display in the list of rules.

    You can also click the Agent tab in the details of the asset to see the Query History. You can see the name of the query, the date on which the query was run, the status (Query In Progress, Processing Events, and Completed), and, once the query is complete, there is the View Results link. This link goes to the filtered events.

    Viewing the Query History through the Assets Details