Enforcement System Functions

Use the enforcement functions to mitigate an incident or contain a threat, such as malware, on a remote Microsoft Windows system. You can trigger actions that execute these functions directly from an or , and easily create a rule to execute the function for similar events or alarms that occur in the future. You can also create a scheduled job to execute one or more functions for a specific asset, such as performing a system restart at the same time each day.

Important: These functions are supported only for Windows hosts in your USM Anywhere asset inventory.Target assets must have assigned credentials that are suitable for system-level access to the host. See Configuring the BlueApp for LevelBlue Forensics and Response for more information.

Set Registry Key to String

Use this function to set or update a registry key to a standard string (REG_SZ) value on a Windows target system.You can run this function using the Set Registry Key to String action from the BlueApp for LevelBlue Forensics and Response page or as an action from an orchestration rule. Set the parameters according to the registry key and value.Path: Enter the path for the registry key. For example, HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion.Name: Enter the name of the registry key. For example, MyKey.Value: Enter the new value for the key as a standard string format. For example, New-Key-Value.

Set Registry Key to DWORD

Use this function to set or update a registry key to a 32-bit integer string (REG_DWORD) value on a Windows target system.You can run this function using the Set Registry Key to DWORD action from the BlueApp for LevelBlue Forensics and Response page or as an action from an orchestration rule. Set the parameters according to the registry key and value.Path: Enter the path for the registry key. For example, HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion.Name: Enter the name of the registry key. For example, MyVersionKey.Value: Enter the new value for the key as a standard string format. For example, 108.

Disable Networking

Use this function to disable all the network interfaces on a Windows target system. This is typically executed to isolate a system that has been compromised or is infected with .You can run this function using the Disable Networking action from the BlueApp for LevelBlue Forensics and Response page, from the Alarm or Event details, or as an action from an orchestration rule or scheduled job. You specify the asset for the function and no parameters are required.

Shutdown

Use this function to shut down a Windows target system. This is a typical response action in situations where a system is compromised and must be shut down in order to stop further damage.You can run this function using the Shutdown action from the BlueApp for LevelBlue Forensics and Response page, from the Alarm or Event details, or as an action from an orchestration rule or scheduled job. You specify the asset for the function and no parameters are required.

Stop Process

Use this function to stop a process on a Windows target system using the process identification (ID). This function returns information about the terminated process and USM Anywhere displays this as an event.You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:Query: Enter stopProcess as the value.First Optional Parameter: Enter the name for the process to be stopped. For example, TermService. If needed, you can determine this value by executing a Get Processes function.

Disable Local User

Use this function to disable a local user account on a Windows target system.You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:Query: Enter disableLocalUser as the value.First Optional Parameter: Enter the name of the user account to be disabled. For example, TempUser. If needed, you can determine this value by executing a Get Users function.

Disable AD User

Use this function to disable an user account on a Windows target system that is configured as an AD domain controller.You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:Query: Enter disableADUser as the value.First Optional Parameter: Enter the name of the AD user account to be disabled. For example, TempUser. If needed, you can determine this value by executing a Get AD Users function.

Stop Service

Use this function to stop a service on the target system using the service name and retrieve information about stopped service.You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:Query: Enter stopService as the value.First Optional Parameter: Enter the name of the service to be stopped. If needed, you can determine this value by executing a Get Running Services data collection function.

Restart Service

Use this function to restart a service on the target system using the service name.You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:Query: Enter restartService as the value.First Optional Parameter: Enter the name of the service to be stopped. If needed, you can determine this value by executing a Get Running Services data collection function.

Send Message

Use this function to send messages to a user connected to the target system.You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:Query: Enter sendMessage as the value.First Optional Parameter: Enter the username account. A value of * sends a message to all connected users.Second Optional Parameter: Enter the message text.

Block Remote Address Outbound

Use this function to create a new rule in the Windows firewall to block outbound connections to a specified address. This is useful to block a command and control when a system has been compromised.You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:Query: Enter blockRemoteAddressOutbound as the value.First Optional Parameter: Enter the remote IP address to be blocked.

Block Remote Address Inbound

Use this function to create a new rule in the Windows firewall to block inbound connections from a specified address. This is useful to block the source of an attacker that is launching a , denial of service (DoS), or other attack.You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:Query: Enter blockRemoteAddressInbound as the value.First Optional Parameter: Enter the remote IP address to be blocked.

Block Inbound Port

Use this function to create a new rule in the Windows firewall to block inbound connections to a specific port.You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:Query: Enter blockInboundPort as the value.First Optional Parameter: Enter the port number to be blocked.

Restart

Use this function to restart the target system.You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:Query: Enter restart as the value.

Shutdown

Use this function to shut down the target system.You can run this function using the Shutdown action from the BlueApp for LevelBlue Forensics and Response page, from the Alarm or Event details, or as an action from an orchestration rule or scheduled job. You specify the asset for the function and no parameters are required.

Restore

Use this function to restore the target system to the specified restore point.You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:Query: Enter restore as the value.First Optional Parameter: Enter the ID for the restore point. If needed, you can determine this value by executing a Get Restore Points data collection function.

Enable Windows EventLog Channel

Use this function to enable a Windows EventLog channel on the target system.You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:Query: Enter enableLogChannel as the value.

Disable Windows EventLog Channel

Use this function to disable a Windows EventLog channel on the target system.You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:Query: Enter disableLogChannel as the value.

Launch a Windows Defender Scan

Use this function to launch a Windows Defender scan on the target system.You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:Query: Enter launchWindowsDefenderScan as the value.First Optional Parameter: Enter the scan type. This value can be QuickScan, FullScan, or CustomScan.Second Optional Parameter: If you specify the CustomScan type, enter the path to scan (for example, C:\Directory).

Update Windows Defender Signatures

Use this function to update the Windows Defender signatures on the target system from the Microsoft update server.You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:Query: Enter updateWindowsDefenderSignatures as the value.

USM Anywhere™

USM Central™

Automated Policy Manager

Enforcement System Functions