AlienVault Agent Events and Queries

Role Availability: Read-Only, Investigator, Analyst, Manager

Edition: This feature is available in the Standard and Premium editions of USM Anywhere.

USM Anywhere enables you to use the AlienVault Agent data source to filter the AlienVault Agent-related events (an event is any traffic or data exchange detected by AT&T Cybersecurity products through a sensor or external devices such as a firewall).

These data sources are related to the agent:

  • AlienVault Agent: This data source parses events from the agent except for Microsoft Windows events.
  • AlienVault Agent - Windows EventLog: This data source parses Windows events sent through the agent.

To search events using the filter related to the agent

  1. Go to Activity > Events.
  2. Locate the Data Source section.
  3. Click an event; the result of your search displays.

AlienVault Agent Queries

USM Anywhere enables you to run a user-initiated AlienVault Agent query based on the events sent by connected agents. There are several ad-hoc queries, which are in your environment by default. These queries, listed below, generate events that can be used for a forensic investigation, so you can focus on fast response and remediation.

Note: Regardless of agent status, an agent query may fail if connectivity to the agent was interrupted since the last heartbeat was received.

The full list of queries is available in the following table.

Available AlienVault Agent Queries

| Query Name | Platform | Description |
|---|---|---|
| Get Docker container running processes | Linux, macOS | Get the list of processes running in each Docker container. |
| Get Docker containers details | Linux, macOS | Get a list of details for each Docker container. |
| Get Docker containers open ports | Linux, macOS | Get a list with open ports and network information for each Docker container. |
| Get file information | Linux, macOS, and Windows | Get information from the file specified in the first parameter. You must include the file path of the file. |
| Get files downloaded in the system | macOS | Generate a list of all files downloaded in the system. |
| Get IE typed URLs | Windows | Get the list of URLs entered in Microsoft Internet Explorer (IE). |
| Get firewall configuration | Windows | Get a list of firewall configurations for different profiles and rules. |
| Get installed packages history | macOS | Get the list of the latest installed packages in the system. |
| Get logged-in users | Linux, macOS, and Windows | Get the list of currently logged-in users. |
| Get listening processes | Linux, macOS, and Windows | Get the list of the processes with listening sockets. |
| Get network connections | Linux, macOS, and Windows | Get the list of the current network connections. |
| Get network connection information | Linux | Get information from a network connection based on the remote address (first parameter) and the remote port (second parameter). You must include the port and the IP address. |
| Get network shares | Windows | Get the list of network-shared resources from the system. |
| Get persistence registry keys | Windows | Get registry key values commonly used for persistence by attackers. |
| Get recent files | Windows | Get the list of recent files. |
| Get recent items | macOS | Get the list of recently opened files. |
| Get running processes | Linux, macOS, and Windows | Get the list of running processes. |
| Get running services | Windows | Get the list of running services. |
| Get SSH authorized keys | Linux, macOS | Get the list of SSH-authorized keys allowed in the system. |
| Get users launched services | macOS | Get the list of LaunchAgents and LaunchDaemons services installed in the system. |
| Get Wi-Fi connection status | macOS | Get information from the current Wi-Fi connection. |
| Get Wi-Fi preferred connections | macOS | Get information from the preferred Wi-Fi connections. |
| Hunt for potential library injection - .so deleted from disk | Linux | Hunt for the potential library injection of a memory map with a deleted shared object on disk and rwxp memory. |
| Hunt for potential library injection - no .so on disk and rwxp memory | Linux | Hunt for the potential library injection of a memory map with no shared object on disk and rwxp memory. |
| Hunt for potential library injection - no common .so isolation | Linux | Hunt for the potential library injection of a shared library loaded from an uncommon location. |
| Hunt for running processes with no binary on disk | Linux, macOS, and Windows | Hunt for running processes that do not have a matching binary on disk. |
| Hunt for traffic to remote IP | Linux, macOS, and Windows | Hunt for non-web traffic to remote IP addresses not using port 0, 80, or 443. |
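The first two library-injection hunts in the table key on the same signal: a private, writable and executable (rwxp) mapping backed by a shared object that is either marked deleted or no longer present on disk. The following Python is added here as an illustration of that check and is not the agent's own query or code; the sample /proc/<pid>/maps lines and the path_exists hook are constructed for the example.

```python
"""Flag rwxp mappings whose backing .so is deleted or missing from disk (constructed example)."""
import os
import re
from dataclasses import dataclass
from typing import Callable, List

# One /proc/<pid>/maps line: range perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed sample: one benign text mapping, one deleted .so, libc, a .so that
# exists only in a tmpfs path, and an rwxp stack that has no backing file.
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0a01000 r--p 00000000 fd:01 1311 /usr/bin/sleep
7f3e1a000000-7f3e1a021000 rwxp 00000000 fd:01 9210 /tmp/.x/libevil.so (deleted)
7f3e1a400000-7f3e1a5c0000 r-xp 00000000 fd:01 1040 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3e1a800000-7f3e1a803000 rwxp 00000000 fd:01 9231 /dev/shm/libhook.so
7ffd12345000-7ffd12366000 rwxp 00000000 00:00 0 [stack]
"""


@dataclass
class Finding:
    pid: int
    path: str
    reason: str  # "so-deleted-from-disk" or "no-so-on-disk"


def hunt_library_injection(pid: int, maps_text: str,
                           path_exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """Return one Finding per rwxp mapping backed by a deleted or missing shared object."""
    findings: List[Finding] = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m or m.group("perms") != "rwxp":
            continue  # both hunts only care about writable+executable private mappings
        path = m.group("path").strip()
        if not path or path.startswith("[") or ".so" not in os.path.basename(path):
            continue  # anonymous, [stack]/[heap] or non-.so mappings are outside these two hunts
        if path.endswith("(deleted)"):
            findings.append(Finding(pid, path, "so-deleted-from-disk"))
        elif not path_exists(path):
            findings.append(Finding(pid, path, "no-so-on-disk"))
    return findings


def scan_live_processes() -> List[Finding]:
    """Walk /proc on a Linux host and apply the check to every readable process."""
    findings: List[Finding] = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/maps") as fh:
                    findings.extend(hunt_library_injection(int(entry), fh.read()))
            except OSError:
                continue  # process exited or maps not readable with current privileges
    return findings
```

Running scan_live_processes() on a host needs read access to the other processes' maps files, so it is typically run as root or with CAP_SYS_PTRACE.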