Documentation Center
AlienVault® USM Anywhere™

Running Queries from the Response Action Rules

  Role Availability   Read-Only   Analyst   Manager

To run a user-initiated agent query from the Orchestration Rules page

  1. Navigate to SETTINGS > RULES.
  2. Click Create Orchestration Rule > Create Response Action Rule.
  3. Type a name for the rule.
  4. Select Agent Query as Action Type.
  5. Select the specific asset.
  6. Select a query in the Action field
  7. List of available Agent Queries
    Query Name Platform Description
    Get Docker container running processes macOS, Linux Get the list of processes running in each Docker container
    Get Docker containers details macOS, Linux Get a list of details for each Docker container
    Get file information Windows, Linux, and macOS Get information from the file specified in the first parameter. You must include the file path of the file
    Get IE typed URLs Windows Get the list of Internet Explorer typed URLs
    Get firewall configuration Windows List firewall configurations for different profiles and rules
    Get installed packages history macOS Get the list of latest installed packages in the system
    Get logged-in users Windows, Linux, and macOS List the current logged-in users
    Get listening processes Windows, Linux, and macOS List the processes with listening sockets
    Get network connections Windows, Linux, and macOS List the current network connections
    Get network connection information Linux Get information from a network connection based on the remote address (first parameter) and the remote port (second parameter). You must include the port and the IP address
    Get network shares Windows Get the list of network shared resources from the system
    Get persistence registry keys Windows Get registry key values commonly used for persistence by attackers
    Get recent files Windows Get the list of recent files
    Get recent items macOS Lists recently opened files
    Get running processes Windows, Linux, and macOS List running processes
    Get running services Windows List running services
    Get SSH authorized keys macOS, Linux Get the list of SSH authorized keys allowed in the system
    Get users launchd services macOS Get the list of LaunchAgents and LaunchDaemons services installed in the system
    Get wifi connection status macOS Get information from the current wifi connection
    Get wifi preferred connections macOS Get information from the preferred wifi connections
  8. Click Add Condition and select the property values you want to include in the rule to create a matching condition.
  9. Note: If the field is related to the name of a country, you should use the country code defined by the ISO 3166.

    Note: Keep in mind that the Sources or Destinations field needs to match the UUID (Universally Unique Identifier) of the event or alarm. You can use Source Name(s) or Destination Name(s) instead.

  10. You can click Add Group Of Conditions to group your conditions.
  11. Note: See Operators in the Orchestration Rules for further information.

  12. (Optional) To include a multiple occurrence parameter, click the More... link.

    These options function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an alarmAlarms provide notification of an event or sequence of events that require attention or investigation. for an unauthorized accessAn incident-type categorization that may be a precursor to other actions or stages of an attack. attempt when a failed SSH Program to securely log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another through SCP.loginLog in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. occurs three times within a five minute window.

    • Occurrences — Specify the number of event occurrences that produce a match on the conditional expression to trigger the rule. You can enter the number of occurrences or use the arrow to scroll the value up or down. You need to enter a number between 1 and 100.
    • Length — Specify the length of the window used to identify a match for multiple occurrences. Enter the number and choose a time unit value of seconds, minutes, or hours.

      This duration identifies the amount of time that transpires from the first occurrence to the last occurrence. If the number of occurrences is not met within this period, the rule is not a match.

    Specify multiple occurances to match for the rule

    In this example, the rule will apply when the configured conditions happen five times every three hours.

  13. Click Save Rule.

    The created rule will display in the list of rules.

    You can also click the Agent tab in the details of the asset to see the Query History. You can see the name of the query, the date on which the query was run, the status (Query In Progress, Processing Events, and Completed), and, once the query is complete, there is the View Results link. This link goes to the filtered events.

    Viewing the Query History through the Assets Details