Defining a Launch Query Action

Role Availability Read-Only Investigator Analyst Manager

The BlueApp for LevelBlue Forensics and Response supports an extensive list of system-level functions that you can execute on a host system. Many of the most common data collection functions are included in the forensic profile actions or as standalone actions. You can also use the Launch Query action to specify any of the supported functions and any needed parameters for the function.

You can use the Launch Query action when you need to perform one of the following tasks:

See the information in Data Collection Functions and Enforcement System Functions to determine the query syntax and parameters for the function you want to run using the Launch Query action.

To define a query for the BlueApp for LevelBlue Forensics and Response

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click the Actions tab.
  5. Locate the Launch Query action and click Run.

    This opens the Select Action dialog box.

  6. If needed, select the sensor on which the BlueApp is enabled to display more options.
  7. Specify the asset that you want to use as a target for the action.

    You can enter the name or IP address of the asset in the field to display matching items that you can select. Or you can click Browse Assets to open the Select Asset dialog box and browse the asset list to make your selection.

  8. In the Query field, enter the function to perform.

    Specify function and parameters to run the Launch Query action

  9. (Optional.) If the function requires parameters, use the Parameter fields to enter the values in order.