LevelBlue Agent Events and Queries

Role Availability Read-Only Investigator Analyst Manager

Edition: This feature is available in the Standard and Premium editions of USM Anywhere.

USM Anywhere enables you to use the LevelBlue Agent data source to filter the LevelBlue Agent-related events Any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall..

These data sources are related to the agent:

  • LevelBlue Agent: This data source parses events from the agent except for Microsoft Windows events.
  • LevelBlue Agent - Windows EventLog: This data source parses Windows events sent through the agent.

To search events using the filter related to the agent

  1. Go to Activity > Events.
  2. Locate the Data Source section.
  3. Click an event and the result of your search displays.

LevelBlue Agent Queries

USM Anywhere enables you to run a user-initiated LevelBlue Agent query based on the events sent by connected agents. There are several ad-hoc queries, which are in your environment by default. These queries, listed below, generate events that can be used for a forensic investigation, so you can focus on fast response and remediation.

  1. Go to Data Sources > Agents.
  2. Click Run Agent Query.

    3. You can select the operating system (OS):

    • All
    • Windows
    • Linux
    • macOS

    Select the asset in which you want to run the agent query. You can enter the asset name or browse assets.

  3. Select a query in the Action field.
  4. Click Run.

Note: The queries generate events when you run them. They do not generate events continuously; you must run the query again if you want to generate new events.

  1. Go to Activity > Alarms.
  2. Click the alarm to display its details.
  3. Select Select Action > Agent Query.
  4. Select an action.
  5. Click Run.

    6. A dialog box opens confirming the action has been initiated.

  6. Click OK.

    7. Or click Create rule for similar events if you want to create a new rule. See Response Action Rules from the Orchestration Rules Page for more details.

    When the query is complete, the results are visible in events. You can also click the Agent tab in the details of the asset to see the Query History. You can see the name of the query, the date on which the query was run, the status (Query In Progress, Processing Events, and Completed), and, once the query is complete, there is the View Results link. This link goes to the filtered events.

    Note: The queries generate events when you run them. They do not generate events continuously; you must run the query again if you want to generate new events.

  1. Go to Activity > Events.
  2. Click the event to display its details.
  3. Select Select Action > Agent Query.
  4. Select an action.
  5. Click Run.

    6. A dialog box opens confirming the action has been initiated.

  6. Click OK.

    7. Or click Create rule for similar events if you want to create a new rule. See Response Action Rules from the Orchestration Rules Page for more details.

    When the query is complete, the results are visible in events. You can also click the Agent tab in the details of the asset to see the Query History. You can see the name of the query, the date on which the query was run, the status (Query In Progress, Processing Events, and Completed), and, once the query is complete, there is the View Results link. This link goes to the filtered events.

    Note: The queries generate events when you run them. They do not generate events continuously; you must run the query again if you want to generate new events.

  1. Go to Environment > Assets.
  2. Search the asset, click the blue chevron icon () located next to the asset name on which you want to run the agent query, and select Full Details.
  3. Select Actions > Agent Query.
  4. Select the query you want to run.

  5. Click Run.

    A message displays at the top of the page to inform you the query is in progress. When the query is complete, the results are visible in events. You can also click the Agent tab in the details of the asset to see the Query History. You can see the name of the query, the date on which the query was run, the status (Query In Progress, Processing Events, and Completed), and, once the query is complete, there is the View Results link. This link goes to the filtered events.

  1. Go to Settings > Rules > Orchestration Rules.
  2. Select Create Orchestration Rule > Create Response Action Rules.
  3. Enter a name for the rule.
  4. Select Agent Query as the Action Type.
  5. Select a query in the Action field.
  6. Click Add Condition and select the property values you want to include in the rule to create a matching condition.

    7. Note: If the field is related to the name of a country, you should use the country code defined by the ISO 3166.

    Note: The Sources or Destinations field needs to match the universally unique identifier (UUID) of the event or alarm. You can use the Source Name or Destination Name field instead.

  7. (Optional.) Click Add Group to group your conditions.

    Note: See Operators in the Orchestration Rules for more information.

  8. In the Occurrences text box, enter the number of event occurrences that you want to produce a match on the conditional expression to trigger the rule.

    You can enter the number of occurrences or use the arrows to scroll the value up or down. You can enter a number between 1 and 100.

  9. In the Length text box, specify the timespan that you want to use to identify a match for multiple occurrences. Enter the number in the text box, and then use the drop-down menu to select a value of seconds, minutes, or hours.

    This duration identifies the amount of time that transpires from the beginning to the end of the occurrence. If the number of occurrences is not met within this period, the rule is not a match.

    10. Note: Your defined length and occurrences function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an alarm Alarms provide notification of an event or sequence of events that require attention or investigation. for an unauthorized access An incident-type categorization that may be a precursor to other actions or stages of an attack. attempt when a failed SSH Program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). login Log in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. occurs three times within a five-minute window.

  10. Click Save.

    The created rule will display in the list of rules.

    You can also click the Agent tab in the details of the asset to see the Query History. You can see the name of the query, the date on which the query was run, the status (Query In Progress, Processing Events, and Completed), and, once the query is complete, there is the View Results link. This link goes to the filtered events.

    Viewing the Query History through the Assets Details

Note: Regardless of agent status, an agent query may fail if connectivity to the agent was interrupted since the last heartbeat was received.

The full list of queries are available in the following table.

Available LevelBlue Agent Queries
Query Name Platform Description
Get Docker container running processes Linux, macOS Get the list of processes running in each Docker container.
Get Docker containers details Linux, macOS Get a list of details for each Docker container.
Get Docker containers open ports Linux, macOS Get a list with open ports and network information for each Docker container.
Get file information Linux, macOS, and Windows Get information from the file specified in the first parameter. You must include the file path of the file.
Get files downloaded in the system macOS Generate a list of all files downloaded in the system.
Get IE typed URLs Windows Get the list of Microsoft Internet Explorer (IE)'s entered URLs.
Get firewall configuration Windows Get a list of firewall configurations for different profiles and rules.
Get installed packages history macOS Get the list of the latest installed packages in the system.
Get logged-in users Linux, macOS, and Windows Get the list of currently logged-in users.
Get listening processes Linux, macOS, and Windows Get the list of the processes with listening sockets.
Get network connections Linux, macOS, and Windows Get the list of the current network connections.
Get network connection information Linux Get information from a network connection based on the remote address (first parameter) and the remote port (second parameter). You must include the port and the IP address.
Get network shares Windows Get the list of network-shared resources from the system.
Get persistence registry keys Windows Get registry key values commonly used for persistence by attackers.
Get recent files Windows Get the list of recent files.
Get recent items macOS Get the list of recently opened files.
Get running processes Linux, macOS, and Windows Get the list of running processes.
Get running services Windows Get the list of running services.
Get SSH authorized keys Linux, macOS Get the list of SSH-authorized keys allowed in the system.
Get users launched services macOS Get the list of LaunchAgents and LaunchDaemons services installed in the system.
Get Wi-Fi connection status macOS Get information from the current Wi-Fi connection.
Get Wi-Fi preferred connections macOS Get information from the preferred Wi-Fi connections.
Hunt for potential library injection - .so deleted from disk Linux Hunt for the potential library injection of a memory map with a deleted shared object on disk and rwxp memory.
Hunt for potential library injection - no .so on disk and rwxp memory Linux Hunt for the potential library injection of a memory map with no shared object on disk and rwxp memory.
Hunt for potential library injection - no common .so isolation Linux Hunt for the potential library injection of a shared library loaded from an uncommon location.
Hunt for running processes with no binary on disk Linux, macOS, and Windows Hunt for running processes that do not have a matching binary on disk.
Hunt for traffic to remote IP Linux, macOS, and Windows Hunt for non-web traffic to remote IP addresses not using port 0, 80, or 443.