AlienVault® USM Anywhere™

Running Queries from the Response Action Rules

Role Availability Read-Only Analyst   Manager

To run a user-initiated agent query from the Orchestration Rules page

  1. Go to Settings > Rules.
  2. Select Create Orchestration Rule > Create Response Action Rule.
  3. Enter a name for the rule.
  4. Select Agent Query as Action Type.
  5. Select the specific asset.
  6. Select a query in the Action field:
  7. List of available Agent Queries
    Query Name Platform Description
    Get Docker container running processes macOS, Linux Get the list of processes running in each Docker container.
    Get Docker containers details macOS, Linux Get a list of details for each Docker container.
    Get file information Windows, Linux, and macOS Get information from the file specified in the first parameter. You must include the file path of the file.
    Get IE typed URLs Windows Get the list of Internet Explorer typed URLs.
    Get firewall configuration Windows List firewall configurations for different profiles and rules.
    Get installed packages history macOS Get the list of latest installed packages in the system.
    Get logged-in users Windows, Linux, and macOS List the current logged-in users.
    Get listening processes Windows, Linux, and macOS List the processes with listening sockets.
    Get network connections Windows, Linux, and macOS List the current network connections.
    Get network connection information Linux Get information from a network connection based on the remote address (first parameter) and the remote port (second parameter). You must include the port and the IP address.
    Get network shares Windows Get the list of network shared resources from the system.
    Get persistence registry keys Windows Get registry key values commonly used for persistence by attackers.
    Get recent files Windows Get the list of recent files.
    Get recent items macOS Lists recently opened files.
    Get running processes Windows, Linux, and macOS List running processes.
    Get running services Windows List running services.
    Get SSH authorized keys macOS, Linux Get the list of SSH authorized keys allowed in the system.
    Get users launchd services macOS Get the list of LaunchAgents and LaunchDaemons services installed in the system.
    Get wifi connection status macOS Get information from the current wifi connection.
    Get wifi preferred connections macOS Get information from the preferred wifi connections.
  8. Click Add Condition and select the property values you want to include in the rule to create a matching condition.
  9. Note: Use the country code defined by the ISO 3166 if the field is related to the name of a country.

    Note: Keep in mind that the Sources or Destinations field needs to match the universally unique identifier (UUID) of the event or alarm. You can use the Source Name or Destination Name field instead.

  10. (Optional.) Click Add Group Of Conditions to group your conditions.
  11. Note: See Operators in the Orchestration Rules for more information.

  12. (Optional.) Click the More link to include a multiple occurrence parameter.

    These options function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an alarmAlarms provide notification of an event or sequence of events that require attention or investigation. for an unauthorized accessAn incident-type categorization that may be a precursor to other actions or stages of an attack. attempt when a failed SSHProgram to securely log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another through Secure Copy (SCP). loginLog in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. occurs three times within a five-minute window. You can modify these two options:

    • Occurrences: Specify the number of event occurrences that produce a match on the conditional expression to trigger the rule. Enter the number of occurrences or use the arrow to scroll the value up or down. You need to enter a number between 1 and 100.
    • Length: Specify the length of the window used to identify a match for multiple occurrences. Enter the number and choose a time-unit value of seconds, minutes, or hours.

      This duration identifies the amount of time that transpires from the first to last. If the number of occurrences is not met within this period, the rule is not a match.

      Specify multiple occurances to match for the rule

    In this example, the rule applies when the configured conditions happen five times every three hours.

  13. Click Save Rule.

    The created rule will display in the list of rules.

    You can also click the Agent tab in the details of the asset to see the Query History. You can see the name of the query, the date on which the query was run, the status (Query In Progress, Processing Events, and Completed), and, once the query is complete, there is the View Results link. This link goes to the filtered events.

    Viewing the Query History through the Assets Details