To run a user-initiated agent query from the Orchestration Rules page
- Go to Settings > Rules.
- Select Create Orchestration Rule > Create Response Action Rule.
- Enter a name for the rule.
- Select Agent Query as Action Type.
- Select the specific asset.
- Select a query in the Action field:
- Click Add Condition and select the property values you want to include in the rule to create a matching condition.
- (Optional.) Click Add Group Of Conditions to group your conditions.
(Optional.) To include a multiple occurrence parameter, click the More link.
These options function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an alarmAlarms provide notification of an event or sequence of events that require attention or investigation. for an unauthorized accessAn incident-type categorization that may be a precursor to other actions or stages of an attack. attempt when a failed SSH Program to securely log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another through SCP.loginLog in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. occurs three times within a five minute window. These are the two options that you can modify:
- Occurrences: Specify the number of event occurrences that produce a match on the conditional expression to trigger the rule. You can enter the number of occurrences or use the arrow to scroll the value up or down. You need to enter a number between 1 and 100.
Length: Specify the length of the window used to identify a match for multiple occurrences. Enter the number and choose a time-unit value of seconds, minutes, or hours.
This duration identifies the amount of time that transpires from the first to last. If the number of occurrences is not met within this period, the rule is not a match.
In this example, the rule applies when the configured conditions happen five times every three hours.
- Click Save Rule.
|Get Docker container running processes||macOS, Linux||Get the list of processes running in each Docker container.|
|Get Docker containers details||macOS, Linux||Get a list of details for each Docker container.|
|Get file information||Windows, Linux, and macOS||Get information from the file specified in the first parameter. You must include the file path of the file.|
|Get IE typed URLs||Windows||Get the list of Internet Explorer typed URLs.|
|Get firewall configuration||Windows||List firewall configurations for different profiles and rules.|
|Get installed packages history||macOS||Get the list of latest installed packages in the system.|
|Get logged-in users||Windows, Linux, and macOS||List the current logged-in users.|
|Get listening processes||Windows, Linux, and macOS||List the processes with listening sockets.|
|Get network connections||Windows, Linux, and macOS||List the current network connections.|
|Get network connection information||Linux||Get information from a network connection based on the remote address (first parameter) and the remote port (second parameter). You must include the port and the IP address.|
|Get network shares||Windows||Get the list of network shared resources from the system.|
|Get persistence registry keys||Windows||Get registry key values commonly used for persistence by attackers.|
|Get recent files||Windows||Get the list of recent files.|
|Get recent items||macOS||Lists recently opened files.|
|Get running processes||Windows, Linux, and macOS||List running processes.|
|Get running services||Windows||List running services.|
|Get SSH authorized keys||macOS, Linux||Get the list of SSH authorized keys allowed in the system.|
|Get users launchd services||macOS||Get the list of LaunchAgents and LaunchDaemons services installed in the system.|
|Get wifi connection status||macOS||Get information from the current wifi connection.|
|Get wifi preferred connections||macOS||Get information from the preferred wifi connections.|
Note: If the field is related to the name of a country, you should use the country code defined by the ISO 3166.
Note: Keep in mind that the Sources or Destinations field needs to match the UUID (Universally Unique Identifier) of the event or alarm. You can use Source Name or Destination Name instead.
Note: See Operators in the Orchestration Rules for more information.
The created rule will display in the list of rules.
You can also click the Agent tab in the details of the asset to see the Query History. You can see the name of the query, the date on which the query was run, the status (Query In Progress, Processing Events, and Completed), and, once the query is complete, there is the View Results link. This link goes to the filtered events.