Create an Agent Client Collector Security Incident Response OSQuery

  • Release version: Xanadu
  • Updated August 1, 2024
  Define an OSQuery to gather information on a security incident's CI. OSQuery provides an SQL layer on top of OS tables, and is bundled together with the Agent Client Collector as part of the base system.

    Before you begin

    Role required: sn_si.admin

    Procedure

    1. Navigate to All > Agent Client Collector SIR Integration > ACC Integration OSQuery.
    2. Select New.
      The ACC Integration OSQuery - New Record page appears.
    3. Configure the fields on the page.
      Table 1. ACC Integration OSQuery
      Field Description
      Name A descriptive name for the query.
      Query The query string.
    4. To validate that the Query you are writing works, select Test OSQuery.
      The Test OSQuery page appears.
      Table 2. Test OSQuery
      Field Description
      Agent The specific end-point where the Query is run.
    5. Enter the specific end-point Agent where the Query is run. The result of the test is displayed as one of the following:
    • successful: the Query ran successfully.
    • large: the output of the Query was too large.
    • error: an error occurred; the error message is displayed to the sn_si.admin.
    6. Select Submit.
      OSQueries gather information on the target machine, where the incident commands are listed by operating system. For example, a query defined as select * from system_info gathers all information from the OSQuery system_info table.
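      The following statements are added examples of queries that could be saved in the Query field; they are not from this page or from the ServiceNow product, and they assume only osquery's own documented tables (system_info, os_version, processes, listening_ports, logged_in_users), which exist on Windows, macOS and Linux agents. Each selects named columns rather than * so that the Test OSQuery result is less likely to come back as large.

```sql
-- Added examples (not from the page): osquery statements for gathering
-- incident-response context on the CI. Table and column names are from
-- osquery's schema; osquery uses SQLite syntax, so JOIN and ORDER BY work.

-- 1. Host identity for the CI: hostname, serial, UUID and OS build.
--    Both tables return a single row, so a cross join yields one row.
SELECT s.hostname, s.hardware_serial, s.uuid,
       o.name AS os_name, o.version, o.build, o.platform
FROM system_info s, os_version o;

-- 2. Processes that own a listening socket, with binary path and command
--    line. Helps confirm or rule out an unexpected service on the CI.
--    lp.protocol is numeric (6 = TCP, 17 = UDP).
SELECT p.pid, p.name, p.path, p.cmdline,
       lp.address, lp.port, lp.protocol
FROM listening_ports lp
JOIN processes p ON p.pid = lp.pid
WHERE lp.port != 0
ORDER BY lp.port;

-- 3. Users currently logged in, with session type, remote host and login
--    time (epoch seconds), to correlate with the incident window.
SELECT user, type, host, time
FROM logged_in_users
ORDER BY time DESC;
```

      Save each statement as its own ACC Integration OSQuery record and use Test OSQuery against a known agent before relying on it during an incident; a query that joins large tables such as processes against the whole result set of another large table is the most common reason for a large result.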