With the BlueApp for LevelBlue Forensics and Response, USM Anywhere can execute system-level functions on a host immediately, either through a user-executed action or through an automated rule or job, coordinating forensics and response in a single action. (In USM Anywhere, an action can be executed from an alarm, event, or vulnerability to run a scan, get forensic information, or execute a response for a configured BlueApp.) Rather than manually connecting to each host and executing system-level tasks for investigation and protection, you can use the BlueApp for LevelBlue Forensics and Response actions to gather forensic information or make system changes on assets monitored in USM Anywhere.
Important: Running the BlueApp for LevelBlue Forensics and Response actions requires that the target assets have assigned credentials that are suitable for administrative access to the host. See Configuring the BlueApp for LevelBlue Forensics and Response for more information.
Supported Actions
Each action that you run executes one or more functions on the host system for the target asset. Some of these functions collect system data and some perform enforcement operations. You can run an action manually from an event or alarm, or you can run an action from the BlueApp for LevelBlue Forensics and Response page for a specified asset. To automate these actions, you can schedule jobs to run an action for a specified asset, or you can create a response action rule to trigger an action from future events or alarms that meet your specified criteria.
See Data Collection Functions and Enforcement System Functions for detailed information about the functions supported by the BlueApp for LevelBlue Forensics and Response actions.
Forensic Profile Actions
The BlueApp for LevelBlue Forensics and Response provides multiple actions that you can use to investigate the target system by running a group of data collection functions. Each of these actions provides a different level of forensic profile for the target asset. The three groups below list the functions each profile runs, from the narrowest profile to the broadest:
Narrowest profile:
- Get System Info
- Get Users
- Get Processes
- Get Running Services
- Get SMB Sessions
- Get TCP Listening Ports
- Get UDP Listening Ports
- Get Established Connections
- Get Installed Applications
- Get Logged On Users
Intermediate profile:
- Get System Info
- Get Users
- Get Network Configuration
- Get Antivirus
- Get Start Up Items
- Get Processes With Hashes
- Get Services
- Get Running Services
- Get Shares
- Get SMB Sessions
- Get Mapped Drives
- Get Scheduled Tasks
- Get Scheduled Jobs
- Get TCP Listening Ports
- Get UDP Listening Ports
- Get Established Connections
- Get Installed Hotfixes
- Get Installed Applications
- Get Recent USB Drives
- Get Shadow Copies
- Get Restore Points
- Get Prefetch Files
- Get DNS Cache
- Get Failed DNS
- Get EventLog Info
- Get Firewall Config
- Get Audit Policy
- Get IE History
- Get Typed URLs
- Get Logged On Users
- Get Event Tracing for Windows (ETW) sessions
- Get Windows Defender information
Broadest profile:
- Get System Info
- Get Users
- Get Network Configuration
- Get Antivirus
- Get All StartUp Items
- Get Processes With Hashes
- Get Services
- Get Running Services
- Get Drivers
- Get Recent DLLs
- Get Shares
- Get SMB Sessions
- Get Mapped Drives
- Get Scheduled Tasks
- Get Scheduled Jobs
- Get TCP Listening Ports
- Get UDP Listening Ports
- Get Established Connections
- Get Installed Hotfixes
- Get Installed Applications
- Get Recent Links
- Get Compressed Files
- Get Encrypted Files
- Get Recent USB Drives
- Get Shadow Copies
- Get Restore Points
- Get Prefetch Files
- Get DNS Cache
- Get Failed DNS
- Get EventLog Info
- Get Firewall Config
- Get Audit Policy
- Get IE History
- Get Typed URLs
- Get Recent Executables
- Get Downloads
- Get Recently Created Files
- Get Logged On Users
- Get Event Tracing for Windows (ETW) sessions
- Get Windows Defender information
USM Anywhere then generates an event for each executed function included in the forensic profile. See Viewing Forensics and Response Events and Alarms for more information about accessing these events.
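The following is an added example, not code from the BlueApp or from LevelBlue, showing what the narrowest forensic profile amounts to when collected directly on the host with PowerShell: one collector per function, each failure recorded instead of aborting the whole run, and the result written to a hashed JSON file. Which cmdlet the BlueApp actually uses for each function is not shown on this page, so the mapping below is an assumption; the process collector additionally hashes each image, which corresponds to the Get Processes With Hashes function of the broader profiles. Run it in an elevated session, since several collectors (SMB sessions, process paths, logged-on users) return partial data otherwise, mirroring the credential requirement noted at the top of this page.

```powershell
# Added example (not the BlueApp's own code): stand-alone collection of the
# same categories as the narrowest forensic profile. Cmdlet mapping is an
# assumption; run elevated for complete results.
#Requires -Version 5.1

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Runs one collector and records its error instead of aborting the profile,
# so one failed function (e.g. Get-SmbSession without admin rights) still
# leaves every other result intact. Each result mirrors one event USM
# Anywhere would raise per executed function.
function Invoke-Collector {
    param([string]$Name, [scriptblock]$Body)
    try {
        $ErrorActionPreference = 'Stop'   # turn non-terminating cmdlet errors into catchable ones
        $data = & $Body
        [pscustomobject]@{ Function = $Name; Status = 'ok'; Error = $null; Data = @($data) }
    } catch {
        [pscustomobject]@{ Function = $Name; Status = 'error'; Error = $_.Exception.Message; Data = @() }
    }
}

# One entry per function of the narrowest profile (processes are hashed).
$collectors = [ordered]@{
    'Get System Info'             = { Get-ComputerInfo | Select-Object CsName, OsName, OsVersion, OsLastBootUpTime }
    'Get Users'                   = { Get-LocalUser | Select-Object Name, Enabled, LastLogon }
    'Get Processes With Hashes'   = {
        Get-Process | ForEach-Object {
            $h = if ($_.Path) { (Get-FileHash -Path $_.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash }
            [pscustomobject]@{ Id = $_.Id; Name = $_.ProcessName; Path = $_.Path; SHA256 = $h }
        }
    }
    'Get Running Services'        = { Get-Service | Where-Object Status -eq 'Running' | Select-Object Name, DisplayName }
    'Get SMB Sessions'            = { Get-SmbSession | Select-Object ClientComputerName, ClientUserName, NumOpens }
    'Get TCP Listening Ports'     = { Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess }
    'Get UDP Listening Ports'     = { Get-NetUDPEndpoint | Select-Object LocalAddress, LocalPort, OwningProcess }
    'Get Established Connections' = {
        Get-NetTCPConnection -State Established |
            Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
    }
    'Get Installed Applications'  = {
        # Both native and WOW6432Node uninstall hives, so 32-bit apps on 64-bit hosts are included.
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' |
            ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
            Where-Object DisplayName |
            Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
    }
    'Get Logged On Users'         = {
        Get-CimInstance -ClassName Win32_LoggedOnUser |
            ForEach-Object { "$($_.Antecedent.Domain)\$($_.Antecedent.Name)" } |
            Sort-Object -Unique
    }
}

if (-not (Test-IsElevated)) {
    Write-Warning 'Not elevated: SMB sessions, some process paths and logon data will be incomplete.'
}

$results = foreach ($name in $collectors.Keys) { Invoke-Collector -Name $name -Body $collectors[$name] }

$report = [pscustomobject]@{
    Host      = $env:COMPUTERNAME
    Collected = (Get-Date).ToUniversalTime().ToString('o')
    Results   = $results
}

# Write the evidence to a timestamped file and record its SHA-256 so later
# tampering with the collected data can be detected.
$stamp   = (Get-Date).ToUniversalTime().ToString('yyyyMMdd\THHmmss\Z')
$outFile = Join-Path $env:TEMP "forensic-profile-$($env:COMPUTERNAME)-$stamp.json"
$report | ConvertTo-Json -Depth 5 | Set-Content -Path $outFile -Encoding UTF8
$hash = (Get-FileHash -Path $outFile -Algorithm SHA256).Hash

"$outFile  SHA256=$hash"
$results | Format-Table Function, Status, @{ n = 'Items'; e = { $_.Data.Count } }, Error -AutoSize
```

The per-function status table at the end is the check to look at first: a function that reports an error rather than zero items usually means the credentials used were not administrative, which is the same failure mode the BlueApp's actions hit when the target asset lacks suitable credentials.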
Single Function Actions
For many of the most common functions, the BlueApp for LevelBlue Forensics and Response also provides actions that run a single function. The table below describes what each action does:
Action | Description
---|---
Disable Networking | Executes the Disable Networking enforcement function on the interfaces currently connected to the selected asset.
Get Active Directory Information | Executes the Get Active Directory (AD) Assets data collection function.
Get Established Connections | Executes the Get Established Connections data collection function. The output includes fields such as the TCP state and address family; see the Microsoft documentation for an explanation of these fields.
Get Users | Executes the Get Users data collection function.
Get Logged On Users | Executes the Get Logged On Users data collection function.
Get Processes with Hashes | Executes the Get Processes with Hashes data collection function.
Get Running Services | Executes the Get Running Services data collection function.
Get System Info | Executes the Get System Info data collection function.
Shutdown | Executes the Shutdown enforcement function.
Set Registry Key to String | Executes the Set Registry Key to String enforcement function.
Set Registry Key to DWORD | Executes the Set Registry Key to DWORD enforcement function.
Launch Query | Executes the data collection or enforcement function that you specify, with the parameters you supply. See Defining a Launch Query Action for more information.
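The enforcement functions in the table change the host rather than read from it, so a practitioner wants two things the table does not show: a record of the prior state so the response can be undone, and a dry run before the real change. The following added example, not the BlueApp's own code and not how LevelBlue implements these functions, shows stand-alone PowerShell equivalents of Set Registry Key to DWORD and Disable Networking with both properties. The registry path, value name and the interface kept up are hypothetical placeholders. Disabling every connected interface also severs any remote session that reached the host over one of them, which is why the function takes a list of interfaces to leave alone.

```powershell
# Added example (not the BlueApp's own code): rollback-aware equivalents of two
# enforcement functions. The cmdlet mapping is an assumption.
#Requires -Version 5.1

function Set-RegistryDwordValue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Path,    # hypothetical key, e.g. HKLM:\SOFTWARE\Example\Response
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][uint32]$Value
    )
    if (-not (Test-Path -Path $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'Create registry key')) { New-Item -Path $Path -Force | Out-Null }
    }
    # Capture the previous value (null if absent) before overwriting it.
    $previous = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set DWORD to $Value")) {
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    }
    [pscustomobject]@{ Change = 'RegistryDword'; Path = $Path; Name = $Name; Previous = $previous; Current = $Value }
}

function Disable-ConnectedNetworking {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Keep = @())   # interface names to leave up, e.g. the one carrying the response session
    $targets = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.Name -notin $Keep }
    foreach ($nic in $targets) {
        if ($PSCmdlet.ShouldProcess($nic.Name, 'Disable network adapter')) {
            Disable-NetAdapter -Name $nic.Name -Confirm:$false
        }
        # Enable-NetAdapter -Name <Interface> reverses this change later.
        [pscustomobject]@{ Change = 'DisableAdapter'; Interface = $nic.Name; MacAddress = $nic.MacAddress; PreviousStatus = $nic.Status }
    }
}

# Rehearse with -WhatIf; drop it to apply. Every change is logged with its
# prior state so the containment can be reversed after the investigation.
$changes = @(
    Set-RegistryDwordValue -Path 'HKLM:\SOFTWARE\Example\Response' -Name 'Contained' -Value 1 -WhatIf
    Disable-ConnectedNetworking -Keep 'Ethernet' -WhatIf
)
$log = Join-Path $env:TEMP ('enforcement-{0}.json' -f (Get-Date).ToUniversalTime().ToString('yyyyMMdd\THHmmss\Z'))
$changes | ConvertTo-Json -Depth 3 | Set-Content -Path $log -Encoding UTF8
$changes | Format-Table -AutoSize
```

With -WhatIf in place the script only reports the adapters and registry value it would touch; keep the JSON log from the real run alongside the forensic events USM Anywhere generates, because the events record that the function ran, not what the host looked like before it did.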
Launch Actions from USM Anywhere
The BlueApp for LevelBlue Forensics and Response page provides an easy way to manually run a single Forensics and Response action. However, if it is an action that you want to run regularly for a specific asset, you should define a scheduled job to run the action. If you want to run the action as a response to certain events or alarms, you should define an orchestration rule.
To run an action in the BlueApp for LevelBlue Forensics and Response
- In USM Anywhere, go to Data Sources > BlueApps.
- Click the Available Apps tab.
- Search for the BlueApp, and then click the tile.
- Click the Actions tab.
- Review the list of actions to determine which action you want to run. Additional fields are populated based on the action you select; fill out the fields required for that action. See the Data Collection Functions and Enforcement System Functions topics for detailed information about each supported function. If the function you need does not have a specific action, use the generic Launch Query action to specify the function and its parameters.
- Next to the action that you want to use, click Run. This opens the Select Action dialog box.
- If needed, select the sensor on which the BlueApp is enabled to display more options.
- Specify the asset that you want to use as the target for the action. You can enter the name or IP address of the asset in the field to display matching items that you can select, or click Browse Assets to open the Select Asset dialog box and browse the asset list to make your selection.
- Click Run.
USM Anywhere generates an event for each executed function; for a forensic profile action, that is one event for each function included in the profile. See Viewing Forensics and Response Events and Alarms for more information about accessing these events.