Edition: This feature is available in the Standard and Premium editions of USM Anywhere.
- LevelBlue Agent: This data source parses events from the agent except for Microsoft Windows events.
- LevelBlue Agent - Windows EventLog: This data source parses Windows events sent through the agent.
- Go to Activity > Events.
- Locate the Data Source section.
- Click an event and the result of your search displays.
LevelBlue Agent Queries
USM Anywhere enables you to run a user-initiated LevelBlue Agent query based on the events sent by connected agents. There are several ad-hoc queries, which are in your environment by default. These queries, listed below, generate events that can be used for a forensic investigation, so you can focus on fast response and remediation.To run a user-initiated agent query from the Agents page
To run a user-initiated agent query from the Agents page
- Go to Data Sources > Agents.
-
Click Run Agent Query.
All Assets With Agent
You can select the operating system (OS):- All
- Windows
- Linux
- macOS
Single Asset
Select the asset in which you want to run the agent query. You can enter the asset name or browse assets. - Select a query in the Action field.
- Click Run.
Note: The queries generate events when you run them. They do not generate events continuously; you must run the query again if you want to generate new events.
To run a user-initiated agent query from the details view of an alarm
To run a user-initiated agent query from the details view of an alarm
- Go to Activity > Alarms.
- Click the alarm to display its details.
- Select Select Action > Agent Query.
- Select an action.
- Click Run. A dialog box opens confirming the action has been initiated.
-
Click OK.
Or click Create rule for similar events if you want to create a new rule. See Response Action Rules from the Orchestration Rules Page for more details.
When the query is complete, the results are visible in events. You can also click the Agent tab in the details of the asset to see the Query History. You can see the name of the query, the date on which the query was run, the status (Query In Progress, Processing Events, and Completed), and, once the query is complete, there is the View Results link. This link goes to the filtered events.
Note: The queries generate events when you run them. They do not generate events continuously; you must run the query again if you want to generate new events.
To run a user-initiated agent query from the details view of an event
To run a user-initiated agent query from the details view of an event
- Go to Activity > Events.
- Click the event to display its details.
- Select Select Action > Agent Query.
- Select an action.
- Click Run. A dialog box opens confirming the action has been initiated.
-
Click OK.
Or click Create rule for similar events if you want to create a new rule. See Response Action Rules from the Orchestration Rules Page for more details.
When the query is complete, the results are visible in events. You can also click the Agent tab in the details of the asset to see the Query History. You can see the name of the query, the date on which the query was run, the status (Query In Progress, Processing Events, and Completed), and, once the query is complete, there is the View Results link. This link goes to the filtered events.
Note: The queries generate events when you run them. They do not generate events continuously; you must run the query again if you want to generate new events.
To run a user-initiated agent query from the details view of an asset
To run a user-initiated agent query from the details view of an asset
- Go to Environment > Assets.
-
Search the asset, click the blue chevron icon (
) located next to the asset name on which you want to run the agent query, and select Full Details.
- Select Actions > Agent Query.
- Select the query you want to run.
- Click Run. A message displays at the top of the page to inform you the query is in progress. When the query is complete, the results are visible in events. You can also click the Agent tab in the details of the asset to see the Query History. You can see the name of the query, the date on which the query was run, the status (Query In Progress, Processing Events, and Completed), and, once the query is complete, there is the View Results link. This link goes to the filtered events.
To run a user-initiated agent query from the Orchestration Rules page
To run a user-initiated agent query from the Orchestration Rules page
- Go to Settings > Rules > Orchestration Rules.
- Select Create Orchestration Rule > Create Response Action Rules.
- Enter a name for the rule.
- Select Agent Query as the Action Type.
- Select a query in the Action field.
-
Click Add Condition and select the property values you want to include in the rule to create a matching condition.
Note: If the field is related to the name of a country, you should use the country code defined by the ISO 3166.Note: The Sources or Destinations field needs to match the universally unique identifier (UUID) of the event or alarm. You can use the Source Name or Destination Name field instead.
-
(Optional) Click Add Group to group your conditions.
Note: See Operators in the Orchestration Rules for more information.
- In the Occurrences text box, enter the number of event occurrences that you want to produce a match on the conditional expression to trigger the rule. You can enter the number of occurrences or use the arrows to scroll the value up or down. You can enter a number between 1 and 100.
-
In the Length text box, specify the timespan that you want to use to identify a match for multiple occurrences. Enter the number in the text box, and then use the drop-down menu to select a value of seconds, minutes, or hours.
This duration identifies the amount of time that transpires from the beginning to the end of the occurrence. If the number of occurrences is not met within this period, the rule is not a match.
Note: Your defined length and occurrences function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an for an attempt when a failed occurs three times within a five-minute window.
-
Click Save.
The created rule will display in the list of rules.
You can also click the Agent tab in the details of the asset to see the Query History. You can see the name of the query, the date on which the query was run, the status (Query In Progress, Processing Events, and Completed), and, once the query is complete, there is the View Results link. This link goes to the filtered events.
Note: Regardless of agent status, an agent query may fail if connectivity to the agent was interrupted since the last heartbeat was received.
| Query Name | Platform | Description |
|---|---|---|
| Get Docker container running processes | Linux, macOS | Get the list of processes running in each Docker container. |
| Get Docker containers details | Linux, macOS | Get a list of details for each Docker container. |
| Get Docker containers open ports | Linux, macOS | Get a list with open ports and network information for each Docker container. |
| Get file information | Linux, macOS, and Windows | Get information from the file specified in the first parameter. You must include the file path of the file. |
| Get files downloaded in the system | macOS | Generate a list of all files downloaded in the system. |
| Get IE typed URLs | Windows | Get the list of Microsoft Internet Explorer (IE)‘s entered URLs. |
| Get firewall configuration | Windows | Get a list of firewall configurations for different profiles and rules. |
| Get installed packages history | macOS | Get the list of the latest installed packages in the system. |
| Get logged-in users | Linux, macOS, and Windows | Get the list of currently logged-in users. |
| Get listening processes | Linux, macOS, and Windows | Get the list of the processes with listening sockets. |
| Get network connections | Linux, macOS, and Windows | Get the list of the current network connections. |
| Get network connection information | Linux | Get information from a network connection based on the remote address (first parameter) and the remote port (second parameter). You must include the port and the IP address. |
| Get network shares | Windows | Get the list of network-shared resources from the system. |
| Get persistence registry keys | Windows | Get registry key values commonly used for persistence by attackers. |
| Get recent files | Windows | Get the list of recent files. |
| Get recent items | macOS | Get the list of recently opened files. |
| Get running processes | Linux, macOS, and Windows | Get the list of running processes. |
| Get running services | Windows | Get the list of running services. |
| Get SSH authorized keys | Linux, macOS | Get the list of SSH-authorized keys allowed in the system. |
| Get users launched services | macOS | Get the list of LaunchAgents and LaunchDaemons services installed in the system. |
| Get Wi-Fi connection status | macOS | Get information from the current Wi-Fi connection. |
| Get Wi-Fi preferred connections | macOS | Get information from the preferred Wi-Fi connections. |
| Hunt for potential library injection - .so deleted from disk | Linux | Hunt for the potential library injection of a memory map with a deleted shared object on disk and rwxp memory. |
| Hunt for potential library injection - no .so on disk and rwxp memory | Linux | Hunt for the potential library injection of a memory map with no shared object on disk and rwxp memory. |
| Hunt for potential library injection - no common .so isolation | Linux | Hunt for the potential library injection of a shared library loaded from an uncommon location. |
| Hunt for running processes with no binary on disk | Linux, macOS, and Windows | Hunt for running processes that do not have a matching binary on disk. |
| Hunt for traffic to remote IP | Linux, macOS, and Windows | Hunt for non-web traffic to remote IP addresses not using port 0, 80, or 443. |