Perform an action on a security incident
Run an Agent Client Collector Security Incident Response action to gather more information on a security incident. Actions are referred to in the system as capabilities and are configured with the base system.
Before you begin
Add the following JSON entry to your Agent Client Collector allow list to enable running the actions that come with the base system.
{
  "args": [
    "--logger_min_status 1",
    "--json",
    "SELECT p.name, p.state, p.pid, p.parent as ppid, p.path, p.total_size, p.start_time, p.elapsed_time as run_time, p.cmdline, p.uid, p.username, u.type as owner_domain, u.uuid FROM processes as p LEFT JOIN users as u ON u.uid = p.uid",
    "select name, process_open_sockets.pid, parent as ppid, processes.path, process_open_sockets.state, total_size, process_open_sockets.protocol, local_address, local_port, remote_address, remote_port from process_open_sockets, processes where process_open_sockets.pid = processes.pid",
    "select * from services order by service_type",
    "select computer_name, hardware_serial, hostname, name as os, build, version, mac, address from system_info, os_version, interface_details, interface_addresses where address like '%:%' and interface_addresses.type='manual' or interface_addresses.type ='dhcp' limit 1",
    "select * from logged_in_users order by time"
  ],
  "exec": "osqueryi",
  "skip_arguments": false
}

Role required: sn_si.admin or sn_si.basic
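The allow list above pins both the executable and the exact argument strings that an action may pass to osqueryi. The following is an added example, not Agent Client Collector's own code: it parses an entry in the same shape and models the check a collector would apply before running a requested command. The matching semantics (exact executable name, whole-string argument match when skip_arguments is false, no argument check when it is true) are an assumption used to illustrate why the queries must be allow-listed verbatim; the entry and the requests are constructed sample data.

```python
import json

# Constructed allow-list entry in the same shape as the page's JSON (sample data, not the full list).
ALLOW_LIST_JSON = """
{
  "args": [
    "--logger_min_status 1",
    "--json",
    "select * from logged_in_users order by time"
  ],
  "exec": "osqueryi",
  "skip_arguments": false
}
"""


def load_allow_list(text):
    """Parse an allow-list entry and verify that the three expected keys are present."""
    entry = json.loads(text)
    for key in ("args", "exec", "skip_arguments"):
        if key not in entry:
            raise ValueError(f"allow-list entry is missing key: {key}")
    if not isinstance(entry["args"], list) or not all(isinstance(a, str) for a in entry["args"]):
        raise ValueError("'args' must be a list of strings")
    return entry


def is_allowed(entry, executable, args):
    """Decide whether a requested (executable, args) pair may run under this entry.

    Assumed semantics (an illustration, not ACC's documented behaviour):
    - the executable must equal 'exec' exactly;
    - when skip_arguments is false, every requested argument must be one of the
      allow-listed strings as a whole (no prefix, substring or appended SQL);
    - when skip_arguments is true, the arguments are not inspected at all.
    """
    if executable != entry["exec"]:
        return False
    if entry["skip_arguments"]:
        return True
    allowed = set(entry["args"])
    return all(arg in allowed for arg in args)


if __name__ == "__main__":
    entry = load_allow_list(ALLOW_LIST_JSON)
    print(is_allowed(entry, "osqueryi", ["--json", "select * from logged_in_users order by time"]))
    print(is_allowed(entry, "osqueryi", ["--json", "select * from logged_in_users order by time; select 1"]))
```

Note that a query that differs from the allow-listed string by even one character, such as an appended clause, fails the check, which is why edits to the base-system queries must be mirrored in the allow list.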