How to Retrieve Disk Space, Antivirus, and Firewall Details Using Posture Anomaly Detection Queries

Modified on Tue, 7 Oct at 7:19 AM

Product Version: 6.5.0.0


Overview

The Posture Anomaly (PA) tool in Saner CVEM enables users to perform detailed endpoint assessments through a variety of detection queries. These queries can be customized to gather specific system information, such as disk space usage, antivirus status, and firewall configuration. This article provides step-by-step instructions to create and execute custom detection queries in the Posture Anomaly tool to retrieve these system details.


Steps to Retrieve Disk Space, Antivirus, and Firewall Information

1. Accessing the Posture Anomaly Tool

  1. Log in to your Saner CVEM console.

  2. Navigate to the desired Account/Site section.

  3. Select the Posture Anomaly (PA) tool from the left menu.

  4. Once the tool loads, click on Custom Rules.

  5. In the Detection and Response window, ensure the Detection tab is selected.

You can now search and use predefined queries or create your own custom detection rules.


2. Creating Custom Queries

a. Fetching Disk Space Information

  1. In the Detection Queries panel, search for Partitions.

  2. Drag and drop the query into the Action Box.

  3. Click And to build your query.

  4. From the dropdown, select parameters such as:

    • Disk Name

    • Disk Type

    • Total Space

    • Used Space

    • Available Space

  5. Select the target devices and click Deploy.

  6. In the Deploy Package popup, provide a Query Name and click Create.

  7. The query will now appear under Custom Detection Rules in the PA module.

  8. Click Run under the Action column to execute the query.

  9. Once devices respond, click Fetch to retrieve results, and then click More to view detailed disk information.


b. Fetching Antivirus Information

  1. Follow the same process as above.

  2. Search for Antivirus Information in the query list.

  3. Drag and drop it into the Action Box.

  4. Update the value to true to detect active antivirus software.

  5. Deploy and execute the query as described in the previous section.

  6. Use the Fetch option to view antivirus details from the target systems.


c. Fetching Firewall Status

  1. Follow the same procedure as above.

  2. Search for Firewall in the query list.

  3. Drag and drop it into the Action Box.

  4. Update the value to enabled to detect active firewall services.

  5. Deploy and execute the query as described earlier.

  6. Once devices respond, fetch and view the results to confirm the firewall status.
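The steps above retrieve these values through the Saner agent and present them in the console after Fetch. When a device reports an unexpected result (antivirus false, a firewall profile disabled, a partition nearly full), it is worth comparing the console value with what the endpoint itself reports. The PowerShell script below is added here as an example and is not part of Saner CVEM: it collects the same three items (partitions with name, type, total, used and available space; antivirus presence and state; firewall profile state) locally on a Windows endpoint. It assumes Windows 10/11 or Server 2016 or later with PowerShell 5.1 or newer in an elevated session; the 10 % free-space threshold and the productState decoding for third-party antivirus are assumptions, marked as such in the comments.

```powershell
# Added cross-check example, not Saner CVEM code. Collects, directly from a
# Windows endpoint, the same three items the PA queries above return, so the
# values shown after Fetch can be compared with what the OS itself reports.
# Assumptions: Windows 10/11 or Server 2016+, PowerShell 5.1+, elevated session.
# root/SecurityCenter2 (third-party AV registration) exists only on client SKUs.

function Get-PartitionPosture {
    # Mirrors the Partitions parameters: Disk Name, Disk Type, Total/Used/Available Space.
    $driveTypes = @{ 2 = 'Removable'; 3 = 'Fixed'; 4 = 'Network'; 5 = 'Optical'; 6 = 'RAM disk' }
    Get-CimInstance -ClassName Win32_LogicalDisk |
        Where-Object { $_.Size -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                DiskName         = $_.DeviceID
                DiskType         = $driveTypes[[int]$_.DriveType]
                TotalSpaceGB     = [math]::Round($_.Size / 1GB, 2)
                UsedSpaceGB      = [math]::Round(($_.Size - $_.FreeSpace) / 1GB, 2)
                AvailableSpaceGB = [math]::Round($_.FreeSpace / 1GB, 2)
                PercentFree      = [math]::Round(100 * $_.FreeSpace / $_.Size, 1)
            }
        }
}

function Get-AntivirusPosture {
    # Mirrors "Antivirus Information = true": is an AV product present and active?
    $products = @()
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $products += [pscustomobject]@{
            Product         = 'Microsoft Defender Antivirus'
            Enabled         = [bool]$mp.AntivirusEnabled
            RealTime        = [bool]$mp.RealTimeProtectionEnabled
            SignatureStatus = if ($mp.AntivirusSignatureAge -le 7) { 'Current' } else { "Outdated ($($mp.AntivirusSignatureAge) days)" }
        }
    }
    # Third-party products register here. productState is a bitfield; the decoding
    # below (hex byte 2 = 10 means enabled, hex byte 3 = 00 means definitions
    # current) is the commonly used interpretation, not a documented contract.
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Where-Object { -not ($mp -and $_.displayName -like 'Windows Defender*') } |
        ForEach-Object {
            $hex = '{0:X6}' -f [int]$_.productState
            $products += [pscustomobject]@{
                Product         = $_.displayName
                Enabled         = ($hex.Substring(2, 2) -eq '10')
                RealTime        = ($hex.Substring(2, 2) -eq '10')
                SignatureStatus = if ($hex.Substring(4, 2) -eq '00') { 'Current' } else { 'Outdated' }
            }
        }
    $products
}

function Get-FirewallPosture {
    # Mirrors "Firewall = enabled": every profile on, plus the service behind it.
    $service = Get-Service -Name mpssvc -ErrorAction SilentlyContinue
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile              = $_.Name
            Enabled              = ($_.Enabled -eq 'True')
            DefaultInboundAction = $_.DefaultInboundAction
            ServiceRunning       = ($service -and $service.Status -eq 'Running')
        }
    }
}

function Test-EndpointPosture {
    # MinPercentFree is an assumed threshold; align it with your own policy.
    param([int]$MinPercentFree = 10)
    $disks = Get-PartitionPosture
    $av    = Get-AntivirusPosture
    $fw    = Get-FirewallPosture
    [pscustomobject]@{
        LowSpaceDisks       = @($disks | Where-Object { $_.DiskType -eq 'Fixed' -and $_.PercentFree -lt $MinPercentFree } | ForEach-Object DiskName)
        AntivirusActive     = [bool]($av | Where-Object { $_.Enabled -and $_.RealTime })
        FirewallAllProfiles = -not ($fw | Where-Object { -not $_.Enabled })
        Details             = @{ Disks = $disks; Antivirus = $av; Firewall = $fw }
    }
}

$posture = Test-EndpointPosture
$posture.Details.Disks     | Format-Table -AutoSize
$posture.Details.Antivirus | Format-Table -AutoSize
$posture.Details.Firewall  | Format-Table -AutoSize
$posture | Select-Object LowSpaceDisks, AntivirusActive, FirewallAllProfiles | Format-List
```

Run the script on the endpoint and compare its output with the More view for the same device in the PA console. Small differences in Total Space are usually unit rounding (the script reports GiB-based values); a mismatch in antivirus or firewall state points at either a stale agent scan (re-run the rule and Fetch again) or a product the agent does not recognise, which is exactly the case the cross-check exists to surface.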


Conclusion

By leveraging the Posture Anomaly (PA) tool in Saner CVEM, administrators can quickly create and deploy custom detection queries to retrieve crucial system information such as disk usage, antivirus presence, and firewall status. These insights help in monitoring endpoint health, ensuring security compliance, and maintaining an up-to-date infrastructure overview.
