Important: These functions require that the target assets have assigned credentials that are suitable for system-level access to the host. See Configuring the BlueApp for LevelBlue Forensics and Response for more information.
Each function below can also be executed with the Launch Query action by specifying the value in the Query Parameter column as the Query parameter.

System Function | Operating System | Query Parameter | Collected Data | Actions |
---|---|---|---|---|
Get System Info | Windows | getSystemInfo | Information about the target system, including the operating system version, network interfaces, and hotfixes. | Basic Forensic Info, Moderate Forensic Info, Full Forensic Info |
Get Users | Windows and Linux | getUsers | A list of the local accounts on the target system, including privileges and the last login time. | Basic Forensic Info, Moderate Forensic Info, Full Forensic Info |
Get Running Services | Windows and Linux (non-RHEL) | getRunningServices | A list of all services currently running on the target system. | Basic Forensic Info, Moderate Forensic Info, Full Forensic Info |
Get Running Services RedHat | Linux (RHEL only) | getRunningServices.rhel | A list of all services currently running on the target system. | |
Get Services | Windows | getServices | A list of all services on the target system. | Moderate Forensic Info, Full Forensic Info |
Get SMB Sessions | Windows | getSMBSessions | Information about the Server Message Block (SMB) sessions currently established on the target system. | Basic Forensic Info, Moderate Forensic Info, Full Forensic Info |
Get TCP Listening Ports | Windows and Linux | getTCPListeningPorts | A list of the listening TCP ports on the target system. | Basic Forensic Info, Moderate Forensic Info, Full Forensic Info |
Get UDP Listening Ports | Windows and Linux | getUDPListeningPorts | A list of the listening UDP ports on the target system. | Basic Forensic Info, Moderate Forensic Info, Full Forensic Info |
Get Established Connections | Windows and Linux | getEstablishedConnections | A list of the open connections on the target system, including the port and address of each. | Basic Forensic Info, Moderate Forensic Info, Full Forensic Info |
Get Installed Applications | Windows | getInstalledApplications | A list of the applications installed on the target system. | Basic Forensic Info, Moderate Forensic Info, Full Forensic Info |
Get Logged On Users | Windows | getLoggedOnUsers | A list of the user accounts currently logged on to the target system. | Basic Forensic Info, Moderate Forensic Info, Full Forensic Info |
Get Network Configuration | Windows | getNetConfig | A list of the active network interfaces on the target system and their properties, including IP addresses and related information. | Moderate Forensic Info, Full Forensic Info |
Get Antivirus | Windows | getAntivirus | Information about the antivirus tools installed on the target system, including their status. | Moderate Forensic Info, Full Forensic Info |
Get Start Up Items | Windows | getStartUpItems | An enumerated list of autorun artifacts on the target system that legitimate programs or malware may use to achieve persistence. | Moderate Forensic Info |
Get All Start Up Items | Windows | getStartUpItemsAll | A complete, enumerated list of autorun artifacts on the target system that legitimate programs or malware may use to achieve persistence. | Full Forensic Info |
Get Processes | Windows and Linux | getProcesses | A list of the processes running on the target system. | Basic Forensic Info |
Get Processes With Hashes | Windows | getProcessesWithHashes | A list of the processes running on the target system, along with the associated hash of each. | Moderate Forensic Info, Full Forensic Info |
Get Shares | Windows | getShares | A list of the shared folders on the target system. | Moderate Forensic Info, Full Forensic Info |
Get Mapped Drives | Windows | getMappedDrives | A list of the mapped drives on the target system. | Moderate Forensic Info, Full Forensic Info |
Get Scheduled Tasks | Windows and Linux | getScheduledTasks | A list of the scheduled tasks on the target system (malware often creates scheduled tasks to maintain persistence). | Moderate Forensic Info, Full Forensic Info |
Get Scheduled Jobs | Windows | getScheduledJobs | A list of the scheduled jobs on the target system (malware often creates scheduled jobs to maintain persistence). | Moderate Forensic Info, Full Forensic Info |
Get Installed Hotfixes | Windows | getInstalledHotfixes | A list of the hotfixes installed on the target system. | Moderate Forensic Info, Full Forensic Info |
Get Recent USB Drives | Windows | getRecentUSBDrives | A list of the USB devices recently used on the target system. | Moderate Forensic Info, Full Forensic Info |
Get Shadow Copies | Windows | getShadowCopies | A list of the shadow copies on the target system. Shadow copies are manual or automatic backup copies or snapshots of files or volumes. | Moderate Forensic Info, Full Forensic Info |
Get Restore Points | Windows | getRestorePoints | A list of the restore points available on the target system. | Moderate Forensic Info, Full Forensic Info |
Get Prefetch Files | Windows | getPrefetchFiles | A list of the prefetch files on the target system. Windows creates a prefetch file the first time an application runs from a particular location. | Moderate Forensic Info, Full Forensic Info |
Get DNS Cache | Windows | getDNSCache | The contents of the DNS client cache on the target system. | Moderate Forensic Info, Full Forensic Info |
Get Failed DNS | Windows | getFailedDNS | A list of the 50 most recent DNS resolutions that failed on the target system. | Moderate Forensic Info, Full Forensic Info |
Get EventLog Info | Windows | getEventLogInfo | A list of all event log sources on the target system, including the size and last modification time of each. | Moderate Forensic Info, Full Forensic Info |
Get Firewall Config | Windows | getFirewallConfig | The firewall configuration of the target system. | Moderate Forensic Info, Full Forensic Info |
Get Audit Policy | Windows | getAuditPolicy | The local audit policy of the target system. | Moderate Forensic Info, Full Forensic Info |
Get IE History | Windows | getIEHistory | The Internet Explorer history on the target system, including a list of recently visited websites. | Moderate Forensic Info, Full Forensic Info |
Get Typed URLs | Windows | getTypedURLs | A list of the most recent URLs typed by the user into Internet Explorer on the target system. | Moderate Forensic Info, Full Forensic Info |
Get Event Tracing for Windows (ETW) Sessions | Windows | getETWSessions | A list of the running Microsoft Event Tracing for Windows (ETW) sessions on the target system. | Moderate Forensic Info, Full Forensic Info |
Get Windows Defender Information | Windows | getWindowsDefenderStatus | Information about Windows Defender on the target system. | Moderate Forensic Info, Full Forensic Info |
Get Drivers | Windows | getDrivers | A list of the drivers on the target system, including the location, hash, and digital signature of each. | Full Forensic Info |
Get Recently Created Files | Windows | getRecentlyCreatedFiles | A list of the files created on the target system within the last 24 hours. | Full Forensic Info |
Get Recent DLLs | Windows | getRecentDLLs | A list of the DLLs created on the target system within the last 24 hours. | Full Forensic Info |
Get Recent Links | Windows | getRecentLinks | A list of the link files created on the target system within the last seven days. | Full Forensic Info |
Get Recent Executables | Windows | getRecentExecutables | A list of the executable files created on the target system within the last 24 hours. | Full Forensic Info |
Get Compressed Files | Windows | getCompressedFiles | A list of the compressed files created on the target system within the last seven days. | Full Forensic Info |
Get Encrypted Files | Windows | getEncryptedFiles | A list of the encrypted files created on the target system within the last seven days. | Full Forensic Info |
Get Downloads | Windows | getDownloads | A list of the downloaded files created on the target system. | Full Forensic Info |
Get Windows Defender Detections | Windows | getWindowsDefenderDetections | Information about threats on the target system detected by Windows Defender. | Full Forensic Info |