USM Anywhere™

AlienVault Agent Events and Queries

Role Availability: Read-Only, Analyst, Manager

Edition: This feature is available in the Standard and Premium editions of USM Anywhere.

USM Anywhere enables you to use the AlienVault Agent data source to filter the AlienVault Agent-related events (any traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall).

These data sources are related to the agent:

  • AlienVault Agent: This data source parses the events from the agent, with the exception of Windows events.
  • AlienVault Agent - Windows EventLog: This data source parses Microsoft Windows events sent through the agent.

To search events using the filter related to the agent

  1. Go to Activity > Events.
  2. Locate the Data Source section.
  3. Click an event and the result of your search displays.

AlienVault Agent Queries

USM Anywhere enables you to run a user-initiated AlienVault Agent query based on the events sent by connected agents. Several ad-hoc queries are available in your environment by default. These queries, listed below, generate events that can be used for a forensic investigation, so you can focus on fast response and remediation.

The full list of queries available is presented below.

Available AlienVault Agent Queries (query name, platform, and description):

  • Get Docker container running processes (macOS, Linux): Get the list of processes running in each Docker container.
  • Get Docker containers details (macOS, Linux): Get a list of details for each Docker container.
  • Get file information (Windows, Linux, and macOS): Get information about the file specified in the first parameter. You must include the path of the file.
  • Get IE typed URLs (Windows): Get the list of URLs typed into Internet Explorer.
  • Get firewall configuration (Windows): List the firewall configurations for the different profiles and rules.
  • Get installed packages history (macOS): Get the list of the most recently installed packages on the system.
  • Get logged-in users (Windows, Linux, and macOS): List the currently logged-in users.
  • Get listening processes (Windows, Linux, and macOS): List the processes with listening sockets.
  • Get network connections (Windows, Linux, and macOS): List the current network connections.
  • Get network connection information (Linux): Get information about a network connection based on the remote address (first parameter) and the remote port (second parameter). You must include both the IP address and the port.
  • Get network shares (Windows): Get the list of network-shared resources on the system.
  • Get persistence registry keys (Windows): Get the values of registry keys commonly used for persistence by attackers.
  • Get recent files (Windows): Get the list of recent files.
  • Get recent items (macOS): List recently opened files.
  • Get running processes (Windows, Linux, and macOS): List running processes.
  • Get running services (Windows): List running services.
  • Get SSH authorized keys (macOS, Linux): Get the list of SSH authorized keys allowed on the system.
  • Get users launched services (macOS): Get the list of LaunchAgents and LaunchDaemons services installed on the system.
  • Get Wi-Fi connection status (macOS): Get information about the current Wi-Fi connection.
  • Get Wi-Fi preferred connections (macOS): Get information about the preferred Wi-Fi connections.