Important: Running the BlueApp for LevelBlue Forensics and Response actions requires that the target assets have assigned credentials that are suitable for administrative access to the host. See Configuring the BlueApp for LevelBlue Forensics and Response for more information.
Supported Actions
Each action that you run executes one or more functions on the host system for the target asset. Some of these functions collect system data and some perform enforcement operations. You can run an action manually from an event or alarm, or you can run an action from the BlueApp for LevelBlue Forensics and Response page for a specified asset. To automate these actions, you can schedule jobs to run an action for a specified asset, or you can create a response action rule to trigger an action from future events or alarms that meet your specified criteria. See Data Collection Functions and Enforcement System Functions for detailed information about the functions supported by the BlueApp for LevelBlue Forensics and Response actions.Forensic Profile Actions
The BlueApp for LevelBlue Forensics and Response provides multiple actions that you can use to perform an investigation of the target system, by running a group of data collection functions. Each of these actions is designed to provide a level of forensic profile for the target asset:Basic Forensic Info Actions
Basic Forensic Info Actions
- Get System Info
- Get Users
- Get Processes
- Get Running Services
- Get SMB Sessions
- Get TCP Listening Ports
- Get UDP Listening Ports
- Get Established Connections
- Get Installed Applications
- Get Logged On Users
Moderate Forensic Info Actions
Moderate Forensic Info Actions
- Get System Info
- Get Users
- Get Network Configuration
- Get Antivirus
- Get Start Up Items
- Get Processes With Hashes
- Get Services
- Get Running Services
- Get Shares
- Get SMB Sessions
- Get Mapped Drives
- Get Scheduled Tasks
- Get Scheduled Jobs
- Get TCP Listening Ports
- Get UDP Listening Ports
- Get Established Connections
- Get Installed Hotfixes
- Get Installed Applications
- Get Recent USB Drives
- Get Shadow Copies
- Get Restore Points
- Get Prefetch Files
- Get DNS Cache
- Get Failed DNS
- Get EventLog Info
- Get Firewall Config
- Get Audit Policy
- Get IE History
- Get Typed URLs
- Get Logged On Users
- Get Event Tracing for Windows (ETW) sessions
- Get Windows Defender information
Full Forensic Info Actions
Full Forensic Info Actions
- Get System Info
- Get Users
- Get Network Configuration
- Get Antivirus
- Get All StartUp Items
- Get Processes With Hashes
- Get Services
- Get Running Services
- Get Drivers
- Get Recent DLLs
- Get Shares
- Get SMB Sessions
- Get Mapped Drives
- Get Scheduled Tasks
- Get Scheduled Jobs
- Get TCP Listening Ports
- Get UDP Listening Ports
- Get Established Connections
- Get Installed Hotfixes
- Get Installed Applications
- Get Recent Links
- Get Compressed Files
- Get Encrypted Files
- Get Recent USB Drives
- Get Shadow Copies
- Get Restore Points
- Get Prefetch Files
- Get DNS Cache
- Get Failed DNS
- Get EventLog Info
- Get Firewall Config
- Get Audit Policy
- Get IE History
- Get Typed URLs
- Get Recent Executables
- Get Downloads
- Get Recently Created Files
- Get Logged On Users
- Get Event Tracing for Windows (ETW) sessions
- Get Windows Defender information
Single Function Actions
For many of the most common functions, the BlueApp for LevelBlue Forensics and Response also provides actions to launch a simple execution of that function. The table below describes what each action does:| Action | Description | Availability |
|---|---|---|
| Disable Networking | Executes the Disable Networking enforcement function on the interfaces currently connected to the selected asset. | BlueApp for LevelBlue Forensics and Response page Event or Alarm Scheduled Job Orchestration Rule |
| Get Active Directory Information | Executes the Get Assets data collection function. | Scheduled Job |
| Get Established Connections | Executes the Get Established Connections data collection function. This displays information like the TCP State and Address Family. See the Microsoft documentation for more explanation on log fields. | BlueApp for LevelBlue Forensics and Response page Event or Alarm Scheduled Job Orchestration Rule |
| Get Users | Executes the Get Users data collection function. | BlueApp for LevelBlue Forensics and Response page Event or Alarm Scheduled Job Orchestration Rule |
| Get Logged On Users | Executes the Get Logged On Users data collection function. | BlueApp for LevelBlue Forensics and Response page Event or Alarm Scheduled Job Orchestration Rule |
| Get Processes with Hashes | Executes the Get Processes with Hashes data collection function. | BlueApp for LevelBlue Forensics and Response page Event or Alarm Scheduled Job Orchestration Rule |
| Get Running Services | Executes the Get Running Services data collection function. | BlueApp for LevelBlue Forensics and Response page Event or Alarm Scheduled Job Orchestration Rule |
| Get System Info | Executes the Get System Info data collection function. | BlueApp for LevelBlue Forensics and Response page Event or Alarm Scheduled Job Orchestration Rule |
| Shutdown | Executes the Shutdown enforcement function. | BlueApp for LevelBlue Forensics and Response page Event or Alarm Scheduled Job Orchestration Rule |
| Set Registry Key to String | Executes the Set Registry Key to String enforcement function. | BlueApp for LevelBlue Forensics and Response page Event or Alarm Orchestration Rule |
| Set Registry Key to DWORD | Executes the Set Registry Key to DWORD enforcement function. | BlueApp for LevelBlue Forensics and Response page Event or Alarm Orchestration Rule |
| Launch Query | Executes the specified data collection or enforcement function See Defining a Launch Query Action for more information regarding app actions. | BlueApp for LevelBlue Forensics and Response page Event or Alarm Scheduled Job Orchestration Rule |
Launch Actions from USM Anywhere
The BlueApp for LevelBlue Forensics and Response page provides an easy way to manually run a single Forensics and Response action. However, if it is an action that you want to run regularly for a specific asset, you should define a scheduled job to run the action. If you want to run the action as a response to certain events or alarms, you should define an orchestration rule. To run an action in the BlueApp for LevelBlue Forensics and Response- In USM Anywhere, go to Data Sources > BlueApps.
- Click the Available Apps tab.
- Search for the BlueApp, and then click the tile.
- Click the Actions tab.
- Review the list of actions to determine which action you want to run. Additional fields will be populated based on the action you’ve selected. Fill out the necessary fields for the app action. See Data Collection Functions and Enforcement System Functions topics for detailed information about each of the supported functions. If the needed function does not have a specific action, you can use the generic Launch Query action to specify the function parameters.
-
Next to the action that you want to use, click Run.
This opens the Select Action dialog box.
-
If needed, select the sensor on which the BlueApp is enabled to display more options.
- Specify the asset that you want to use as a target for the action. You can enter the name or IP address of the asset in the field to display matching items that you can select. Or you can click Browse Assets to open the Select Asset dialog box and browse the asset list to make your selection.
- Click Run. USM Anywhere generates an event for each executed function. See Viewing Forensics and Response Events and Alarms for more information about accessing these events.