Edition: This feature is available in the Standard and Premium editions of USM Anywhere.
USM Anywhere enables you to use the LevelBlue Agent data source to filter the LevelBlue Agent-related events.
These data sources are related to the agent:
- LevelBlue Agent: This data source parses events from the agent except for Microsoft Windows events.
- LevelBlue Agent - Windows EventLog: This data source parses Windows events sent through the agent.
To search events using the filter related to the agent
- Go to Activity > Events.
- Locate the Data Source section.
- Click an event and the result of your search displays.
LevelBlue Agent Queries
USM Anywhere enables you to run a user-initiated LevelBlue Agent query based on the events sent by connected agents. Several ad hoc queries are available in your environment by default. These queries, listed below, generate events that can be used for a forensic investigation, so you can focus on fast response and remediation.
Note: Regardless of agent status, an agent query may fail if connectivity to the agent was interrupted since the last heartbeat was received.
The full list of queries is available in the following table.
Query Name | Platform | Description |
---|---|---|
Get Docker container running processes | Linux, macOS | Get the list of processes running in each Docker container. |
Get Docker containers details | Linux, macOS | Get a list of details for each Docker container. |
Get Docker containers open ports | Linux, macOS | Get a list with open ports and network information for each Docker container. |
Get file information | Linux, macOS, and Windows | Get information from the file specified in the first parameter. You must include the file path of the file. |
Get files downloaded in the system | macOS | Generate a list of all files downloaded in the system. |
Get IE typed URLs | Windows | Get the list of URLs typed into Microsoft Internet Explorer (IE). |
Get firewall configuration | Windows | Get a list of firewall configurations for different profiles and rules. |
Get installed packages history | macOS | Get the list of the latest installed packages in the system. |
Get logged-in users | Linux, macOS, and Windows | Get the list of currently logged-in users. |
Get listening processes | Linux, macOS, and Windows | Get the list of the processes with listening sockets. |
Get network connections | Linux, macOS, and Windows | Get the list of the current network connections. |
Get network connection information | Linux | Get information from a network connection based on the remote address (first parameter) and the remote port (second parameter). You must include the port and the IP address. |
Get network shares | Windows | Get the list of network-shared resources from the system. |
Get persistence registry keys | Windows | Get registry key values commonly used for persistence by attackers. |
Get recent files | Windows | Get the list of recent files. |
Get recent items | macOS | Get the list of recently opened files. |
Get running processes | Linux, macOS, and Windows | Get the list of running processes. |
Get running services | Windows | Get the list of running services. |
Get SSH authorized keys | Linux, macOS | Get the list of SSH authorized keys allowed in the system. |
Get users launched services | macOS | Get the list of LaunchAgents and LaunchDaemons services installed in the system. |
Get Wi-Fi connection status | macOS | Get information from the current Wi-Fi connection. |
Get Wi-Fi preferred connections | macOS | Get information from the preferred Wi-Fi connections. |
Hunt for potential library injection - .so deleted from disk | Linux | Hunt for the potential library injection of a memory map with a deleted shared object on disk and rwxp memory. |
Hunt for potential library injection - no .so on disk and rwxp memory | Linux | Hunt for the potential library injection of a memory map with no shared object on disk and rwxp memory. |
Hunt for potential library injection - no common .so isolation | Linux | Hunt for the potential library injection of a shared library loaded from an uncommon location. |
Hunt for running processes with no binary on disk | Linux, macOS, and Windows | Hunt for running processes that do not have a matching binary on disk. |
Hunt for traffic to remote IP | Linux, macOS, and Windows | Hunt for non-web traffic to remote IP addresses not using port 0, 80, or 443. |
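The three "Hunt for potential library injection" queries above inspect a process's memory map for rwxp regions and for shared objects that are missing from disk or loaded from unexpected directories. The following Python is an added example of that classification logic run over a constructed /proc/<pid>/maps sample; it is not the LevelBlue Agent's own query, and the list of "common" library directories is an assumption for this example.

```python
import re
from typing import List, Optional, Tuple

# Directories where a legitimately loaded shared object is expected to live.
# Assumed list for this example; the page does not state the agent's own set.
COMMON_SO_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# One line of /proc/<pid>/maps: start-end perms offset dev inode [pathname]
MAPS_RE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>[rwxps-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)
SO_RE = re.compile(r"\.so(\.\d+)*$")  # matches libfoo.so and libfoo.so.6

Finding = Tuple[str, str, str]  # (hunt name, perms, path)

def classify_map_line(line: str) -> Optional[Finding]:
    """Return a finding if the mapping matches one of the three hunts, else None."""
    m = MAPS_RE.match(line.strip())
    if not m:
        return None
    perms, path = m.group("perms"), m.group("path").strip()
    rwx = perms.startswith("rwx")              # readable, writable and executable
    deleted = path.endswith("(deleted)")       # backing file was unlinked
    is_so = bool(SO_RE.search(path.removesuffix(" (deleted)")))
    pseudo = path.startswith("[")              # [heap], [stack], [vdso] ...
    if rwx and is_so and deleted:
        return (".so deleted from disk", perms, path)
    if rwx and not path:                       # anonymous mapping, no file at all
        return ("no .so on disk and rwxp memory", perms, path)
    if is_so and not deleted and not pseudo and not path.startswith(COMMON_SO_DIRS):
        return ("no common .so isolation", perms, path)
    return None

def hunt_library_injection(maps_text: str) -> List[Finding]:
    """Run all three hunts over the text of one /proc/<pid>/maps file."""
    return [f for f in map(classify_map_line, maps_text.splitlines()) if f]

# Constructed sample maps output (not captured from a real host).
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c021000 r-xp 00000000 08:01 131093 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1d000000-7f3a1d010000 rwxp 00000000 00:00 0
7f3a1e000000-7f3a1e005000 rwxp 00000000 08:01 262201 /tmp/sample.so (deleted)
7f3a1f000000-7f3a1f004000 r-xp 00000000 08:01 262202 /dev/shm/sample.so
7ffd3e000000-7ffd3e021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for hunt, perms, path in hunt_library_injection(SAMPLE_MAPS):
        print(f"{hunt}: {perms} {path or '<anonymous>'}")
```

Anonymous rwxp regions are also created legitimately by JIT runtimes (Java, .NET, browsers), so the second hunt needs per-host tuning before its results are treated as findings.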