Agent Client Collector Security Incident Response

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 1 minute to read

Agent Client Collector Security Incident Response (ACC-SIR) enables you to automate security incident enrichment data collection and response actions using the Agent Client Collector. This functionality is measured by the Security Operations Security Incident Response (SIR).

Select from a list of actions (capabilities) that come with the base system to run on security incidents. The Agent Client Collector Security Incident Response functionality uses the util.command.agent and util.osquery.agent check definitions (run by the Agent Client Collector Spoke) to run commands and OS queries on security incidents. Capabilities are part of existing system subflows in the Agent Client Collector Security Incident Response integration app. You can also add customized commands and osquery SQL queries to run on the security incidents.