Scheduling a Forensics and Response Job

Role availability: Read-Only | Investigator | Analyst | Manager

The BlueApp for LevelBlue Forensics and Response provides easy access to define a scheduler job to retrieve your Microsoft Windows or Linux system data. You can also create a scheduler job to execute system-level enforcement functions on Windows hosts, such as Shutdown, Restart, and Stop Process. Review the information in Supported Actions to determine the action that you want to use for your scheduled job.

After you create the new job, you can make changes to the parameters for the scheduled job or review its history in the Scheduler page. See USM Anywhere Scheduler for more information about working with scheduled jobs.

To schedule a Forensics and Response job

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click the Scheduling tab.

  5. On the right side of the page, click New Job.

    Add a scheduled job for the BlueApp for LevelBlue Forensics and Response

    This opens the Schedule New Job dialog box.

  6. Enter the name and description for the job.

    The description is optional, but it is a best practice to provide this information so that others can easily understand what it does.

  7. Select Sensor as the source for your new job.
  8. Click the Action drop-down and select the command you want to run.

    Select the app action to run for the Forensics and Response app job

  9. Specify the asset that you want to use as a target for the action.

    You can enter the name or IP address of the asset in the field to display matching items that you can select. Or you can click Browse Assets to open the Select Asset dialog box and browse the asset list to make your selection.

  10. (Optional) Set any parameters that the selected action requires.

    Some enforcement actions take one or more parameters in order to execute the system function on the target system. See Enforcement System Functions if you need more information about the parameters for a specific function.

  11. In the Schedule section, specify when USM Anywhere runs the job:

    1. Select the increment as Minute, Hour, Day, Week, Month, or Year.

      Warning: After a frequency change, monitor the system to check its performance. For example, you can check the system load and CPU. See USM Anywhere System Monitor for more information.

    2. Set the interval options for the increment.

      The selected increment determines the available options. For example, on a weekly increment, you can select the days of the week to run the job.

      Set the schedule for the job to run each week

      Or on a monthly increment, you can specify a date or a day of the week that occurs within the month.

      Set the schedule for the job to run each month

      Important: USM Anywhere restarts the schedule on the first day of the month if the option "Every x days" is selected.

    3. Set the start time.

      This is the time that the job starts at the specified interval. It uses the time zone configured for your USM Anywhere instance (the default is Coordinated Universal Time [UTC]).

  12. Click Save.
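The scheduling rules in step 11 (the "Every x days" cycle restarting on the first day of each month, and start times interpreted in the instance time zone, UTC by default) are easy to misjudge when estimating how often a forensics collection or enforcement action will actually fire. The following Python model is an added example and is not USM Anywhere code or an API of the product; it assumes that the 1st of the month is itself a run day and that the interval is counted in calendar days from there, neither of which the page states explicitly.

```python
import calendar
from datetime import date, datetime, time, timezone


def every_x_days_run_dates(every_x: int, year: int, month: int) -> list[date]:
    """Run dates within one month for an "Every x days" schedule.

    Models the documented rule that the cycle restarts on the first day of
    each month. Assumption (not stated on the page): the 1st is itself a run
    day and the interval is counted in calendar days from there.
    """
    if every_x < 1:
        raise ValueError("interval must be at least 1 day")
    days_in_month = calendar.monthrange(year, month)[1]
    return [date(year, month, d) for d in range(1, days_in_month + 1, every_x)]


def next_month(year: int, month: int) -> tuple[int, int]:
    """Year and month following the given one."""
    return (year + 1, 1) if month == 12 else (year, month + 1)


def gap_across_month_boundary(every_x: int, year: int, month: int) -> int:
    """Days between the last run of a month and the first run of the next.

    Because of the restart, this gap is usually shorter than every_x, so two
    collections can land closer together than the interval suggests.
    """
    last_run = every_x_days_run_dates(every_x, year, month)[-1]
    ny, nm = next_month(year, month)
    first_run_next = every_x_days_run_dates(every_x, ny, nm)[0]
    return (first_run_next - last_run).days


def run_instants_utc(run_dates: list[date], start: time) -> list[datetime]:
    """Attach the job's start time; the instance default time zone is UTC."""
    return [datetime.combine(d, start, tzinfo=timezone.utc) for d in run_dates]


def runs_in_year(every_x: int, year: int) -> int:
    """Total runs over a year under the monthly-restart rule.

    Compare this with the naive days_in_year // every_x estimate a user
    might assume when sizing collection volume or sensor load.
    """
    return sum(len(every_x_days_run_dates(every_x, year, m)) for m in range(1, 13))


if __name__ == "__main__":
    # Constructed example: a "weekly-style" collection defined as every 7 days
    jan = every_x_days_run_dates(7, 2024, 1)
    for instant in run_instants_utc(jan, time(2, 0)):
        print(instant.isoformat())
    print("gap Jan->Feb:", gap_across_month_boundary(7, 2024, 1), "days")
    print("runs in 2024:", runs_in_year(7, 2024), "vs naive", 366 // 7)
```

With a 7-day interval the model yields runs on the 1st, 8th, 15th, 22nd and 29th of each month, a 3-day gap between the last January run and the first February run, and 60 runs in 2024 rather than the 52 a naive estimate gives; if evenly spaced collections matter, a weekly increment with a chosen day of the week (step 11.2) avoids the restart effect entirely.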