Run an Agent Client Collector Security Incident Response OSQuery

  • Release version: Xanadu
  • Updated August 1, 2024

    Run an OSQuery on a machine referenced by an incident to retrieve information about each of the incident's CIs. For example, if you run a select * from system_info query on an incident, the query gathers all information from the OSQuery system_info table.

    Before you begin

    Role required: sn_si.admin or sn_si.basic

    Procedure

    1. Navigate to All > Security Incident > Incidents > Show All Incidents.
    2. Select an incident.
    3. In the Related Links section, go to the Configuration Items list and select the incident's CIs for which you want to retrieve information.
    4. From the right-click menu, select Run ACC OSQuery.
      The OSQuery to run dialog box opens.
    5. Select the name of the query you want to run.
      The available queries are those configured on the ACC Integration OSQuery page, as described in Create an Agent Client Collector Security Incident Response OSQuery. Options are selectable according to their Name value.
    6. Select Submit.
      The query runs on each of the selected security incident's CIs.
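    As an added example, not taken from this ServiceNow page, the following osquery SQL statement is the kind of query that could be saved as a named ACC OSQuery and run against an incident's CIs with the procedure above. It assumes the standard osquery tables system_info, os_version, listening_ports and processes are available on the agent host; it identifies the CI and lists its listening TCP services with the owning process, which is typical triage data for an incident responder.

```sql
-- Constructed example osquery SQL (not from the ServiceNow documentation).
-- system_info and os_version each return a single row, so a CROSS JOIN
-- simply attaches host identification to every listening-port row.
SELECT
  si.hostname,
  si.hardware_serial,
  ov.name          AS os_name,
  ov.version       AS os_version,
  lp.address,
  lp.port,
  p.pid,
  p.name           AS process_name,
  p.path           AS process_path,
  p.cmdline
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
CROSS JOIN system_info AS si
CROSS JOIN os_version AS ov
WHERE lp.protocol = 6        -- 6 = TCP; 17 would select UDP listeners
  AND lp.port <> 0           -- skip sockets with no bound port
ORDER BY lp.port;
```

    Compare the returned process paths and ports against the CI's expected service baseline; an unexpected listener is a lead for the incident investigation.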