Use the data collection functions to collect forensic information from a remote Microsoft Windows or Linux machine and use it in your incident response processes. When you execute these collection functions, the BlueApp for LevelBlue Forensics and Response retrieves and ingests the data for analysis in USM Anywhere. It produces an event for each completed function, and you can review the information on the Events page. See Viewing Forensics and Response Events and Alarms for more information about accessing these events.
Some of the most common functions are available as a singular query action. See the following table for details. For other functions, you can use the Launch Query action to specify the parameters and execute the function for an asset.
Important: These functions require that the target assets have assigned credentials that are suitable for system-level access to the host. See Configuring the BlueApp for LevelBlue Forensics and Response for more information.
The Launch Query parameter column gives the value to specify as the Query parameter when you execute the function with the Launch Query action. The Actions column lists the predefined actions (the Basic, Moderate, and Full Forensic Info bundles, plus any single query action) that include the function.

| System function | Platform | Collected data | Launch Query parameter | Actions |
|---|---|---|---|---|
| Get System Info | Windows | Information about the target system, including the operating system version, network interfaces, and hotfixes. | `getSystemInfo` | Basic Forensic Info; Moderate Forensic Info; Full Forensic Info |
| Get Users | Windows and Linux | A list of the local accounts on the target system, including privileges and the last login time. | `getUsers` | Basic Forensic Info; Moderate Forensic Info; Full Forensic Info; Get Users |
| Get Running Services | Windows and Linux (non-RHEL) | A list of all currently running services on the target system. | `getRunningServices` | Basic Forensic Info; Moderate Forensic Info; Full Forensic Info; Get Running Services |
| Get Running Services | Red Hat Linux (RHEL only) | A list of all currently running services on the target system. | `getRunningServices.rhel` | Launch Query only |
| Get Services | Windows | A list of all services on the target system. | `getServices` | Moderate Forensic Info; Full Forensic Info |
| Get SMB Sessions | Windows | Information about the Server Message Block (SMB) sessions currently established on the target system. | `getSMBSessions` | Basic Forensic Info; Moderate Forensic Info; Full Forensic Info |
| Get TCP Listening Ports | Windows and Linux | A list of the listening TCP ports on the target system. | `getTCPListeningPorts` | Basic Forensic Info; Moderate Forensic Info; Full Forensic Info |
| Get UDP Listening Ports | Windows and Linux | A list of the listening UDP ports on the target system. | `getUDPListeningPorts` | Basic Forensic Info; Moderate Forensic Info; Full Forensic Info |
| Get Established Connections | Windows and Linux | A list of the open connections on the target system, including the port and address of each. | `getEstablishedConnections` | Basic Forensic Info; Moderate Forensic Info; Full Forensic Info; Get Established Connections |
| Get Installed Applications | Windows | A list of the applications installed on the target system. | `getInstalledApplications` | Basic Forensic Info; Moderate Forensic Info; Full Forensic Info |
| Get Logged On Users | Windows | A list of the user accounts currently logged in to the target system. | `getLoggedOnUsers` | Basic Forensic Info; Moderate Forensic Info; Full Forensic Info; Get Logged On Users |
| Get Network Configuration | Windows | A list of the active network interfaces on the target system and their properties, including IP addresses and DHCP information. | `getNetConfig` | Moderate Forensic Info; Full Forensic Info |
| Get Antivirus | Windows | Information about antivirus tools installed on the target system, including their status. | `getAntivirus` | Moderate Forensic Info; Full Forensic Info |
| Get Start Up Items | Windows | An enumerated list of autorun artifacts on the target system that may be used by legitimate programs or malware to achieve persistence. | `getStartUpItems` | Moderate Forensic Info |
| Get All Start Up Items | Windows | A complete, enumerated list of autorun artifacts on the target system that may be used by legitimate programs or malware to achieve persistence. | `getStartUpItemsAll` | Full Forensic Info |
| Get Processes | Windows and Linux | A list of processes running on the target system. | `getProcesses` | Basic Forensic Info |
| Get Processes With Hashes | Windows | A list of processes running on the target system, along with the hash of each. | `getProcessesWithHashes` | Moderate Forensic Info; Full Forensic Info; Get Processes With Hashes |
| Get Shares | Windows | A list of the shared folders on the target system. | `getShares` | Moderate Forensic Info; Full Forensic Info |
| Get Mapped Drives | Windows | A list of the mapped drives on the target system. | `getMappedDrives` | Moderate Forensic Info; Full Forensic Info |
| Get Scheduled Tasks | Windows and Linux | A list of the scheduled tasks on the target system (malware often creates scheduled tasks to maintain persistence). | `getScheduledTasks` | Moderate Forensic Info; Full Forensic Info |
| Get Scheduled Jobs | Windows | A list of the scheduled jobs on the target system (malware often creates scheduled jobs to maintain persistence). | `getScheduledJobs` | Moderate Forensic Info; Full Forensic Info |
| Get Installed Hotfixes | Windows | A list of the hotfixes installed on the target system. | `getInstalledHotfixes` | Moderate Forensic Info; Full Forensic Info |
| Get Recent USB Drives | Windows | A list of the USB devices recently used on the target system. | `getRecentUSBDrives` | Moderate Forensic Info; Full Forensic Info |
| Get Shadow Copies | Windows | A list of shadow copies on the target system. Shadow copies are manual or automatic backup copies or snapshots of computer files or volumes. | `getShadowCopies` | Moderate Forensic Info; Full Forensic Info |
| Get Restore Points | Windows | A list of the restore points available on the target system. | `getRestorePoints` | Moderate Forensic Info; Full Forensic Info |
| Get Prefetch Files | Windows | A list of the prefetch files on the target system. Windows creates a prefetch file the first time an application runs from a particular location. | `getPrefetchFiles` | Moderate Forensic Info; Full Forensic Info |
| Get DNS Cache | Windows | The contents of the DNS client cache on the target system. | `getDNSCache` | Moderate Forensic Info; Full Forensic Info |
| Get Failed DNS | Windows | A list of the 50 most recent DNS resolutions that failed on the target system. | `getFailedDNS` | Moderate Forensic Info; Full Forensic Info |
| Get EventLog Info | Windows | A list of all the event log sources on the target system, including the size and last modification time of each. | `getEventLogInfo` | Moderate Forensic Info; Full Forensic Info |
| Get Firewall Config | Windows | The firewall configuration on the target system. | `getFirewallConfig` | Moderate Forensic Info; Full Forensic Info |
| Get Audit Policy | Windows | The local audit policy information on the target system. | `getAuditPolicy` | Moderate Forensic Info; Full Forensic Info |
| Get IE History | Windows | The Internet Explorer history on the target system, including a list of recently visited web sites. | `getIEHistory` | Moderate Forensic Info; Full Forensic Info |
| Get Typed URLs | Windows | A list of the most recent URLs typed by the user in Internet Explorer on the target system. | `getTypedURLs` | Moderate Forensic Info; Full Forensic Info |
| Get Event Tracing for Windows (ETW) Sessions | Windows | A list of the running Microsoft Event Tracing for Windows (ETW) sessions on the target system. | `getETWSessions` | Moderate Forensic Info; Full Forensic Info |
| Get Windows Defender Information | Windows | Information about Windows Defender on the target system. | `getWindowsDefenderStatus` | Moderate Forensic Info; Full Forensic Info |
| Get Drivers | Windows | A list of drivers on the target system, including the location, hash, and digital signature of each. | `getDrivers` | Full Forensic Info |
| Get Recently Created Files | Windows | A list of files created on the target system within the last 24 hours. | `getRecentlyCreatedFiles` | Full Forensic Info |
| Get Recent DLLs | Windows | A list of DLLs created on the target system within the last 24 hours. | `getRecentDLLs` | Full Forensic Info |
| Get Recent Links | Windows | A list of the link files created on the target system within the last seven days. | `getRecentLinks` | Full Forensic Info |
| Get Recent Executables | Windows | A list of executable files created on the target system within the last 24 hours. | `getRecentExecutables` | Full Forensic Info |
| Get Compressed Files | Windows | A list of the compressed files created on the target system within the last seven days. | `getCompressedFiles` | Full Forensic Info |
| Get Encrypted Files | Windows | A list of the encrypted files created on the target system within the last seven days. | `getEncryptedFiles` | Full Forensic Info |
| Get Downloads | Windows | A list of the downloaded files created on the target system. | `getDownloads` | Full Forensic Info |
| Get Windows Defender Detections | Windows | Information about malware threats on the target system detected by Windows Defender. | `getWindowsDefenderDetections` | Full Forensic Info |
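The bundle membership in the table is uneven across platforms (for instance, `getProcesses` is only in Basic Forensic Info, and the RHEL variant of Get Running Services is in no bundle at all), which matters when you plan a collection for a Linux or RHEL asset. The following planner, an added example that is not part of the BlueApp or USM Anywhere, encodes the Query parameter, platform and bundle columns as printed above and answers "which queries does this bundle actually run on this platform, and which must I launch individually?"; the `windows`/`linux`/`rhel` platform names and `basic`/`moderate`/`full` bundle names are this example's own labels.

```python
# Catalog transcribed from the table above: "<Query parameter> <platforms> <bundles>".
# Platforms: W = Windows, L = Linux (non-RHEL), R = RHEL.
# Bundles: B = Basic, M = Moderate, F = Full Forensic Info, "-" = in no bundle.
CATALOG = """
getSystemInfo W BMF, getUsers WLR BMF, getRunningServices WL BMF,
getRunningServices.rhel R -, getServices W MF, getSMBSessions W BMF,
getTCPListeningPorts WLR BMF, getUDPListeningPorts WLR BMF,
getEstablishedConnections WLR BMF, getInstalledApplications W BMF,
getLoggedOnUsers W BMF, getNetConfig W MF, getAntivirus W MF,
getStartUpItems W M, getStartUpItemsAll W F, getProcesses WLR B,
getProcessesWithHashes W MF, getShares W MF, getMappedDrives W MF,
getScheduledTasks WLR MF, getScheduledJobs W MF, getInstalledHotfixes W MF,
getRecentUSBDrives W MF, getShadowCopies W MF, getRestorePoints W MF,
getPrefetchFiles W MF, getDNSCache W MF, getFailedDNS W MF,
getEventLogInfo W MF, getFirewallConfig W MF, getAuditPolicy W MF,
getIEHistory W MF, getTypedURLs W MF, getETWSessions W MF,
getWindowsDefenderStatus W MF, getDrivers W F, getRecentlyCreatedFiles W F,
getRecentDLLs W F, getRecentLinks W F, getRecentExecutables W F,
getCompressedFiles W F, getEncryptedFiles W F, getDownloads W F,
getWindowsDefenderDetections W F
"""
PLATFORMS = {"windows": "W", "linux": "L", "rhel": "R"}   # example's own labels
BUNDLES = {"basic": "B", "moderate": "M", "full": "F"}


def _entries():
    """Yield (query, platform letters, bundle letters) from the catalog text."""
    for item in CATALOG.replace("\n", " ").split(","):
        query, platforms, bundles = item.split()
        yield query, platforms, bundles.replace("-", "")


def plan_queries(os_name, bundle):
    """Query parameters the bundle action covers on the given platform."""
    p, b = PLATFORMS[os_name], BUNDLES[bundle]
    return [q for q, plats, bnds in _entries() if p in plats and b in bnds]


def unbundled(os_name):
    """Queries valid for the platform that no bundle action includes;
    these must be launched individually with the Launch Query action."""
    p = PLATFORMS[os_name]
    return [q for q, plats, bnds in _entries() if p in plats and not bnds]


def bundles_covering(query):
    """Bundle actions that collect the given query (empty if none)."""
    names = {v: k for k, v in BUNDLES.items()}
    for q, _, bnds in _entries():
        if q == query:
            return [names[c] for c in bnds]
    raise KeyError(f"unknown Query parameter: {query}")
```

Per the table as printed, Moderate and Full Forensic Info on a Linux asset collect no process list, and a RHEL asset gets no service list from any bundle; `plan_queries` and `unbundled` make both gaps visible before you rely on a bundle during an incident.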