Data Collection Functions

Use the data collection functions to collect forensic information from a remote Microsoft Windows or Linux machine and use it in your incident response processes. When you execute one of these collection functions, BlueApp for LevelBlue Forensics and Response retrieves the data and ingests it for analysis in USM Anywhere. It produces an event (any traffic or data exchange detected by LevelBlue products through a sensor or an external device such as a firewall) for each completed function, and you can review the information on the Events page. See Viewing Forensics and Response Events and Alarms for more information about accessing these events.

Some of the most common functions are available as a singular query action. See the following table for details. For other functions, you can use the Launch Query action to specify the parameters and execute the function for an asset.

Important: These functions require that the target assets have assigned credentials that are suitable for system-level access to the host. See Configuring the BlueApp for LevelBlue Forensics and Response for more information.

| System function | Target OS | Collected data | Launch Query parameter | Actions |
|---|---|---|---|---|
| Get System Info | Windows | Information about the target system, including the operating system version, network interfaces, and hotfixes. | getSystemInfo | Basic Forensic Info; Moderate Forensic Info; Full Forensic Info |
| Get Users | Windows and Linux | A list of the local accounts on the target system, including privileges and the last login time. | getUsers | Basic Forensic Info; Moderate Forensic Info; Full Forensic Info; Get Users |
| Get Running Services | Windows and Linux (non-RHEL) | A list of all currently running services on the target system. | getRunningServices | Basic Forensic Info; Moderate Forensic Info; Full Forensic Info; Get Running Services |
| Get Running Services RedHat | Linux (RHEL only) | A list of all currently running services on the target system. | getRunningServices.rhel | |
| Get Services | Windows | A list of all services on the target system. | getServices | Moderate Forensic Info; Full Forensic Info |
| Get SMB Sessions | Windows | Information about the Server Message Block (SMB) sessions currently established on the target system. SMB is an application-layer network protocol, used mostly on Windows computers, that provides shared access to files, printers, and serial ports and carries miscellaneous communications between nodes on a network. | getSMBSessions | Basic Forensic Info; Moderate Forensic Info; Full Forensic Info |
| Get TCP Listening Ports | Windows and Linux | A list of the listening TCP ports on the target system. | getTCPListeningPorts | Basic Forensic Info; Moderate Forensic Info; Full Forensic Info |
| Get UDP Listening Ports | Windows and Linux | A list of the listening UDP ports on the target system. | getUDPListeningPorts | Basic Forensic Info; Moderate Forensic Info; Full Forensic Info |
| Get Established Connections | Windows and Linux | A list of the open connections on the target system, including the port and the address of each. | getEstablishedConnections | Basic Forensic Info; Moderate Forensic Info; Full Forensic Info; Get Established Connections |
| Get Installed Applications | Windows | A list of the applications installed on the target system. | getInstalledApplications | Basic Forensic Info; Moderate Forensic Info; Full Forensic Info |
| Get Logged On Users | Windows | A list of the user accounts currently logged in to the target system. | getLoggedOnUsers | Basic Forensic Info; Moderate Forensic Info; Full Forensic Info; Get Logged On Users |
| Get Network Configuration | Windows | A list of the active network interfaces on the target system and their properties, including IP addresses and DHCP information (DHCP is the network protocol used to dynamically distribute network configuration parameters, such as IP addresses, to interfaces and services). | getNetConfig | Moderate Forensic Info; Full Forensic Info |
| Get Antivirus | Windows | Information about the antivirus tools installed on the target system, including their status. | getAntivirus | Moderate Forensic Info; Full Forensic Info |
| Get Start Up Items | Windows | An enumerated list of autorun artifacts on the target system that may be used by legitimate programs or malware to achieve persistence. | getStartUpItems | Moderate Forensic Info |
| Get All Start Up Items | Windows | A complete, enumerated list of autorun artifacts on the target system that may be used by legitimate programs or malware to achieve persistence. | getStartUpItemsAll | Full Forensic Info |
| Get Processes | Windows and Linux | A list of the processes running on the target system. | getProcesses | Basic Forensic Info |
| Get Processes With Hashes | Windows | A list of the processes running on the target system, along with the hash of each. | getProcessesWithHashes | Moderate Forensic Info; Full Forensic Info; Get Processes With Hashes |
| Get Shares | Windows | A list of the shared folders on the target system. | getShares | Moderate Forensic Info; Full Forensic Info |
| Get Mapped Drives | Windows | A list of the mapped drives on the target system. | getMappedDrives | Moderate Forensic Info; Full Forensic Info |
| Get Scheduled Tasks | Windows and Linux | A list of the scheduled tasks on the target system (malware often creates scheduled tasks to maintain persistence). | getScheduledTasks | Moderate Forensic Info; Full Forensic Info |
| Get Scheduled Jobs | Windows | A list of the scheduled jobs on the target system (malware often creates scheduled jobs to maintain persistence). | getScheduledJobs | Moderate Forensic Info; Full Forensic Info |
| Get Installed Hotfixes | Windows | A list of the hotfixes installed on the target system. | getInstalledHotfixes | Moderate Forensic Info; Full Forensic Info |
| Get Recent USB Drives | Windows | A list of the USB devices recently used on the target system. | getRecentUSBDrives | Moderate Forensic Info; Full Forensic Info |
| Get Shadow Copies | Windows | A list of the shadow copies on the target system. Shadow copies are manual or automatic backup copies or snapshots of computer files or volumes. | getShadowCopies | Moderate Forensic Info; Full Forensic Info |
| Get Restore Points | Windows | A list of the restore points available on the target system. | getRestorePoints | Moderate Forensic Info; Full Forensic Info |
| Get Prefetch Files | Windows | A list of the prefetch files on the target system. Windows creates a prefetch file the first time an application runs from a particular location. | getPrefetchFiles | Moderate Forensic Info; Full Forensic Info |
| Get DNS Cache | Windows | The contents of the DNS client cache on the target system. | getDNSCache | Moderate Forensic Info; Full Forensic Info |
| Get Failed DNS | Windows | A list of the 50 most recent DNS resolutions that failed on the target system. | getFailedDNS | Moderate Forensic Info; Full Forensic Info |
| Get EventLog Info | Windows | A list of all the event log sources on the target system, including the size and last modification time of each. | getEventLogInfo | Moderate Forensic Info; Full Forensic Info |
| Get Firewall Config | Windows | The firewall configuration of the target system. | getFirewallConfig | Moderate Forensic Info; Full Forensic Info |
| Get Audit Policy | Windows | The local audit policy of the target system. | getAuditPolicy | Moderate Forensic Info; Full Forensic Info |
| Get IE History | Windows | The Internet Explorer history on the target system, including a list of recently visited web sites. | getIEHistory | Moderate Forensic Info; Full Forensic Info |
| Get Typed URLs | Windows | A list of the most recent URLs typed by the user into Internet Explorer on the target system. | getTypedURLs | Moderate Forensic Info; Full Forensic Info |
| Get Event Tracing for Windows (ETW) Sessions | Windows | A list of the running Microsoft Event Tracing for Windows (ETW) sessions on the target system. | getETWSessions | Moderate Forensic Info; Full Forensic Info |
| Get Windows Defender Information | Windows | Information about Windows Defender on the target system. | getWindowsDefenderStatus | Moderate Forensic Info; Full Forensic Info |
| Get Drivers | Windows | A list of the drivers on the target system, including the location, hash, and digital signature of each. | getDrivers | Full Forensic Info |
| Get Recently Created Files | Windows | A list of the files created on the target system within the last 24 hours. | getRecentlyCreatedFiles | Full Forensic Info |
| Get Recent DLLs | Windows | A list of the DLLs created on the target system within the last 24 hours. | getRecentDLLs | Full Forensic Info |
| Get Recent Links | Windows | A list of the link files created on the target system within the last seven days. | getRecentLinks | Full Forensic Info |
| Get Recent Executables | Windows | A list of the executable files created on the target system within the last 24 hours. | getRecentExecutables | Full Forensic Info |
| Get Compressed Files | Windows | A list of the compressed files created on the target system within the last seven days. | getCompressedFiles | Full Forensic Info |
| Get Encrypted Files | Windows | A list of the encrypted files created on the target system within the last seven days. | getEncryptedFiles | Full Forensic Info |
| Get Downloads | Windows | A list of the downloaded files created on the target system. | getDownloads | Full Forensic Info |
| Get Windows Defender Detections | Windows | Information about malware threats (malicious code of any kind, including viruses, worms, and Trojans) detected on the target system by Windows Defender. | getWindowsDefenderDetections | Full Forensic Info |

To execute any function using the Launch Query action, specify the value in the Launch Query parameter column as the Query parameter. The Actions column lists the predefined actions (the Basic, Moderate, and Full Forensic Info bundles, plus the singular query actions) that include the function.