LevelBlue Agent Events and Queries

1. Go to Data Sources > Agents.
2. Click Run Agent Query.
All Assets With Agent
You can select the operating system (OS):
• All
• Windows
• Linux
• macOS
Single Asset

Select the asset in which you want to run the agent query. You can enter the asset name or browse assets.

3. Select a query in the Action field.
4. Click Run.

Note: The queries generate events when you run them. They do not generate events continuously; you must run the query again if you want to generate new events.

1. Go to Activity > Alarms.
2. Click the alarm to display its details.
3. Select Select Action > Agent Query.
4. Select an action.
5. Click Run.

A dialog box opens confirming the action has been initiated.

6. Click OK.

Or click Create rule for similar events if you want to create a new rule. See Response Action Rules from the Orchestration Rules Page for more details.

When the query is complete, the results are visible in events. You can also click the Agent tab in the details of the asset to see the Query History. You can see the name of the query, the date on which the query was run, the status (Query In Progress, Processing Events, and Completed), and, once the query is complete, there is the View Results link. This link goes to the filtered events.

Note: The queries generate events when you run them. They do not generate events continuously; you must run the query again if you want to generate new events.

1. Go to Activity > Events.
2. Click the event to display its details.
3. Select Select Action > Agent Query.
4. Select an action.
5. Click Run.

A dialog box opens confirming the action has been initiated.

6. Click OK.

Or click Create rule for similar events if you want to create a new rule. See Response Action Rules from the Orchestration Rules Page for more details.

When the query is complete, the results are visible in events. You can also click the Agent tab in the details of the asset to see the Query History. You can see the name of the query, the date on which the query was run, the status (Query In Progress, Processing Events, and Completed), and, once the query is complete, there is the View Results link. This link goes to the filtered events.

Note: The queries generate events when you run them. They do not generate events continuously; you must run the query again if you want to generate new events.

1. Go to Environment > Assets.
2. Search the asset, click the blue chevron icon () located next to the asset name on which you want to run the agent query, and select Full Details.
3. Select Actions > Agent Query.
4. Select the query you want to run.

5. Click Run.

   A message displays at the top of the page to inform you the query is in progress. When the query is complete, the results are visible in events. You can also click the Agent tab in the details of the asset to see the Query History. You can see the name of the query, the date on which the query was run, the status (Query In Progress, Processing Events, and Completed), and, once the query is complete, there is the View Results link. This link goes to the filtered events.

1. Go to Settings > Rules > Orchestration Rules.
2. Select Create Orchestration Rule > Create Response Action Rules.
3. Enter a name for the rule.
4. Select Agent Query as the Action Type.
5. Select a query in the Action field.
6. Click Add Condition and select the property values you want to include in the rule to create a matching condition.

Note: If the field is related to the name of a country, you should use the country code defined by the ISO 3166.

Note: The Sources or Destinations field needs to match the universally unique identifier (UUID) of the event or alarm. You can use the Source Name or Destination Name field instead.

7. (Optional.) Click Add Group to group your conditions.

   Note: See Operators in the Orchestration Rules for more information.

8. In the Occurrences text box, enter the number of event occurrences that you want to produce a match on the conditional expression to trigger the rule.

   You can enter the number of occurrences or use the arrows to scroll the value up or down. You can enter a number between 1 and 100.

9. In the Length text box, specify the timespan that you want to use to identify a match for multiple occurrences. Enter the number in the text box, and then use the drop-down menu to select a value of seconds, minutes, or hours.

   This duration identifies the amount of time that transpires from the beginning to the end of the occurrence. If the number of occurrences is not met within this period, the rule is not a match.

Note: Your defined length and occurrences function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an alarm Alarms provide notification of an event or sequence of events that require attention or investigation. for an unauthorized access An incident-type categorization that may be a precursor to other actions or stages of an attack. attempt when a failed SSH Program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). login Log in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. occurs three times within a five-minute window.

10. Click Save.

The created rule will display in the list of rules.

You can also click the Agent tab in the details of the asset to see the Query History. You can see the name of the query, the date on which the query was run, the status (Query In Progress, Processing Events, and Completed), and, once the query is complete, there is the View Results link. This link goes to the filtered events.