Search Endpoints for a File, Folder, or Registry Key

To perform a centralized search for a system file, folder, or registry key on a Windows endpoint, use the
Agent Query
.
  1. Create a new query.
    1. From the ESM Console, select
      Policies
      Forensics
      Agent Query
      .
    2. Add
      a new query.
  2. Configure one or more search parameters for the query. When multiple search parameters are specified, Traps will return a result if the search matches any of the parameters.
    1. Select the search parameters, either a
      File name
      ,
      Folder name
      , or
      Registry Key
      name.
    2. Enter the matching search value, and then click
      Add
      .
      Optionally, you can use wildcards in the last portion of the file or folder name path, for example: C:\Temp\*.txt
    3. Repeat as needed to enter multiple search criteria.
  3. (
    Optional
    ) Add conditions to the query.
    Conditions specified here can restrict the scope of the query by sending it to only endpoints that match or do not match the condition.
    1. From the
      Conditions
      tab, select the condition in the Conditions list and click
      Add
      next to the appropriate include or exclude condition list.
    2. Repeat to add more conditions, if desired.
  4. (
    Optional
    ) Define the target objects to which to apply the query. By default, the ESM server sends the query to all endpoints in your organization.
    Like conditions, target objects can decrease the scope of a query by targeting specific
    Users
    ,
    Computers
    ,
    Groups
    ,
    Organizational Unit
    , or
    Existing Endpoints
    .
    Select the
    Objects
    tab, and then enter one or more target objects in the Include or Exclude areas. The Endpoint Security Manager queries Active Directory to verify the users, computers, groups, or organizational units or identifies existing endpoints from previous communication messages.
  5. (
    Optional
    ) Review the rule name and description. The ESM Console automatically generates the rule name and description based on the rule details but permits you to change these fields, if needed.
    To override the autogenerated name, select the
    Name
    tab, clear the
    Activate automatic description
    option, and then enter a rule name and description of your choice.
  6. Save the query.
    Do either of the following:
    • Save
      the query without activating it. When you are ready to run the query, select the rule from the
      Policies
      Forensics
      Agent Query
      page and then click
      Activate
      .
    • Apply
      the query to run it immediately.
  7. Review the results of the query.
    Although the
    Agent Query
    searches in real-time, the ESM Console does not automatically refresh the page with the query results. As a result, you must refresh the page to view the current results.

Recommended For You