Viewing Forensics and Response Events and Alarms

Role availability: Read-Only, Investigator, Analyst, Manager

The BlueApp for LevelBlue Forensics and Response translates the data it retrieves into normalized events for analysis. (Normalization is the translation of log file entries received from disparate types of monitored assets into the standardized framework of event types and subtypes; an event is any traffic or data exchange detected by LevelBlue products through a sensor or through external devices such as a firewall.) After you enable this BlueApp, its events are displayed in the Events page, where you can review the collected forensic information. These events can trigger alarms, which provide notification of an event or sequence of events that require attention or investigation, to alert your team about a system compromise.

To view BlueApp for LevelBlue Forensics and Response events

  1. Select Activity > Events to open the events page.
  2. If the Search & Filters panel is not displayed, click the icon to expand it.

    USM Anywhere includes several filters displayed by default.

  3. Scroll down to the Data Source filter and select LevelBlue Forensics and Response App to display only those events on the page.

    Select the Forensics and Response App data source to filter the events

    If this filter is not displayed, click the Configure filters link, which is in the upper left corner of the page, to configure filters for the page. See Managing Filters for more information about configuring filters for pages.

  4. Select an event in the list to view detailed information.

    Review the details for the Forensics and Response event

USM Anywhere includes built-in correlation rules that generate an alarm from one or more of these events. These rules analyze the events for patterns that indicate a code injection or Sticky Keys compromise for an asset. You can view the specifics of these rules on the Correlation Rules page by entering forensics in the Search field.

Filter the correlation rules list to view the built-in rules that trigger for Forensics and Response events

If you want to generate an alarm for other types of Forensics and Response events, you can create your own custom alarm rules and define the matching conditions to fit your criteria.
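The following is an added illustration, not code from USM Anywhere or LevelBlue: a small Python model of the pipeline this page describes, in which events are filtered to the Forensics and Response data source and then checked by a set of rules (a built-in style rule that needs one or more matching events for an asset, plus a custom rule for an event type the built-in rules do not cover) before an alarm is raised. The event field names, rule structure, event names and sample events are constructed assumptions for the example and are not the product's schema, rule language or real output.

```python
"""
Added example (not USM Anywhere code): a minimal model of how normalized
events from one data source are filtered and then matched by correlation
or custom alarm rules to raise an alarm for an asset.
Field names, rule structure and sample events are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Event:
    """A normalized event (constructed shape, not the product's schema)."""
    data_source: str
    event_name: str
    asset: str
    details: dict = field(default_factory=dict)


@dataclass
class AlarmRule:
    """A matching condition plus the number of matching events per asset
    needed before the rule fires (one or more, as the page describes)."""
    name: str
    match: Callable[[Event], bool]
    min_events: int = 1


def filter_by_data_source(events, data_source):
    """Equivalent of the Data Source filter: keep events from one source."""
    return [e for e in events if e.data_source == data_source]


def evaluate_rules(events, rules):
    """Count matching events per (rule, asset); emit an alarm exactly once,
    when the count reaches the rule's threshold."""
    counts = {}
    alarms = []
    for e in events:
        for r in rules:
            if r.match(e):
                key = (r.name, e.asset)
                counts[key] = counts.get(key, 0) + 1
                if counts[key] == r.min_events:
                    alarms.append({"rule": r.name, "asset": e.asset})
    return alarms


FORENSICS_SOURCE = "LevelBlue Forensics and Response App"

# Constructed sample events; names and hosts are placeholders, not real data.
SAMPLE_EVENTS = [
    Event("Firewall", "Connection allowed", "host-a"),
    Event(FORENSICS_SOURCE, "Sticky Keys compromise indicator", "host-a"),
    Event(FORENSICS_SOURCE, "Code injection indicator", "host-b"),
    Event(FORENSICS_SOURCE, "Code injection indicator", "host-b"),
    Event(FORENSICS_SOURCE, "Snapshot collected", "host-c"),
]

# Stand-ins for built-in rules: patterns for Sticky Keys and code injection.
BUILT_IN_RULES = [
    AlarmRule("Sticky Keys compromise",
              lambda e: "sticky keys" in e.event_name.lower()),
    AlarmRule("Code injection",
              lambda e: "code injection" in e.event_name.lower(),
              min_events=2),
]

# A custom rule for an event type the built-in rules do not alarm on.
CUSTOM_RULES = [
    AlarmRule("Forensic snapshot collected",
              lambda e: e.event_name == "Snapshot collected"),
]


def run_pipeline(events=SAMPLE_EVENTS, rules=BUILT_IN_RULES + CUSTOM_RULES):
    """Filter to the Forensics and Response source, then apply the rules."""
    forensic_events = filter_by_data_source(events, FORENSICS_SOURCE)
    return evaluate_rules(forensic_events, rules)


if __name__ == "__main__":
    for alarm in run_pipeline():
        print(alarm)
```

Run as a script, the example prints one alarm per (rule, asset) pair: the firewall event never reaches the rules because the data source filter removes it, the code injection rule waits for its second matching event on host-b, and the custom rule shows how an event type with no built-in rule can still produce an alarm.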