# LevelBlue Agent Events and Queries

<Tip>
  **Edition:** This feature is available in the Standard and Premium editions of USM Anywhere.
</Tip>

USM Anywhere enables you to use the LevelBlue Agent data source to filter the LevelBlue Agent-related <Tooltip tip="Any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall.">events</Tooltip>.

These data sources are related to the agent:

* **LevelBlue Agent:** This data source parses events from the agent except for Microsoft Windows events.
* **LevelBlue Agent - Windows EventLog:** This data source parses Windows events sent through the agent.

**To search events using the filter related to the agent**

1. Go to **Activity > Events**.
2. Locate the Data Source section.
3. Click an event and the result of your search displays.

## LevelBlue Agent Queries

USM Anywhere enables you to run a user-initiated LevelBlue Agent query based on the events sent by connected agents. There are several ad-hoc queries, which are in your environment by default. These queries, listed below, generate events that can be used for a forensic investigation, so you can focus on fast response and remediation.

<AccordionGroup>
  <Accordion title="To run a user-initiated agent query from the Agents page">
    1. Go to **Data Sources > Agents**.

    2. Click **Run Agent Query**.

           <AccordionGroup>
             <Accordion title="All Assets With Agent">
               You can select the operating system (OS):

               * All
               * Windows
               * Linux
               * macOS
             </Accordion>

             <Accordion title="Single Asset">
               Select the asset on which you want to run the agent query. You can enter the asset name or browse assets.
             </Accordion>
           </AccordionGroup>

    3. Select a query in the Action field.

    4. Click **Run**.

    <Note>
      **Note:** The queries generate events when you run them. They do not generate events continuously; you must run the query again if you want to generate new events.
    </Note>
  </Accordion>

  <Accordion title="To run a user-initiated agent query from the details view of an alarm">
    1. Go to **Activity > Alarms**.

    2. Click the alarm to display its details.

    3. Select **Select Action > Agent Query**.

    4. Select an action.

    5. Click **Run**.

       A dialog box opens confirming the action has been initiated.

    6. Click **OK**.

       Or click **Create rule for similar events** if you want to create a new rule. See [Response Action Rules from the Orchestration Rules Page](../user-guide/rules-management/response-action-rule) for more details.

       When the query is complete, the results are visible in events. You can also click the Agent tab in the details of the asset to see the Query History. You can see the name of the query, the date on which the query was run, the status (Query **In Progress**, **Processing Events**, and **Completed**), and, once the query is complete, there is the **View Results** link. This link goes to the filtered events.

           <Note>
             **Note:** The queries generate events when you run them. They do not generate events continuously; you must run the query again if you want to generate new events.
           </Note>
  </Accordion>

  <Accordion title="To run a user-initiated agent query from the details view of an event">
    1. Go to **Activity > Events**.

    2. Click the event to display its details.

    3. Select **Select Action > Agent Query**.

    4. Select an action.

    5. Click **Run**.

       A dialog box opens confirming the action has been initiated.

    6. Click **OK**.

       Or click **Create rule for similar events** if you want to create a new rule. See [Response Action Rules from the Orchestration Rules Page](../user-guide/rules-management/response-action-rule) for more details.

       When the query is complete, the results are visible in events. You can also click the Agent tab in the details of the asset to see the Query History. You can see the name of the query, the date on which the query was run, the status (Query **In Progress**, **Processing Events**, and **Completed**), and, once the query is complete, there is the **View Results** link. This link goes to the filtered events.

           <Note>
             **Note:** The queries generate events when you run them. They do not generate events continuously; you must run the query again if you want to generate new events.
           </Note>
  </Accordion>

  <Accordion title="To run a user-initiated agent query from the details view of an asset">
    1. Go to **Environment > Assets**.
    2. Search for the asset, click the blue chevron icon (<img src="https://mintcdn.com/levelblue-5324744e/T1hrc0hK0aza_DCc/images/central-any-app/buttons/chevron-down.svg?fit=max&auto=format&n=T1hrc0hK0aza_DCc&q=85&s=417e8bbfd7386ba83a4b629d5a935a80" style={{ height: "1em", verticalAlign: "middle", display: "inline-block", margin: "0 0.25em" }} width="20" height="20" data-path="images/central-any-app/buttons/chevron-down.svg" />) located next to the name of the asset on which you want to run the agent query, and select **Full Details**.
    3. Select **Actions > Agent Query**.
    4. Select the query you want to run.
    5. Click **Run**.

       A message displays at the top of the page to inform you the query is in progress. When the query is complete, the results are visible in events. You can also click the Agent tab in the details of the asset to see the Query History. You can see the name of the query, the date on which the query was run, the status (**Query In Progress**, **Processing Events**, and **Completed**), and, once the query is complete, there is the **View Results** link. This link goes to the filtered events.
  </Accordion>

  <Accordion title="To run a user-initiated agent query from the Orchestration Rules page">
    1. Go to **Settings > Rules > Orchestration Rules**.

    2. Select **Create Orchestration Rule > Create Response Action Rules**.

    3. Enter a name for the rule.

    4. Select **Agent Query** as the Action Type.

    5. Select a query in the Action field.

    6. Click **Add Condition** and select the property values you want to include in the rule to create a matching condition.

           <Note>
             **Note:** If the field is related to the name of a country, you should use the country code defined by the [ISO 3166](https://www.iso.org/iso-3166-country-codes.html).
           </Note>

           <Note>
             **Note:** The Sources or Destinations field needs to match the universally unique identifier (UUID) of the event or alarm. You can use the Source Name or Destination Name field instead.
           </Note>

    7. (Optional) Click **Add Group** to group your conditions.

           <Note>
             **Note:** See [Operators in the Orchestration Rules](../user-guide/rules-management/orchestration-rules-operators) for more information.
           </Note>

    8. In the **Occurrences** text box, enter the number of event occurrences that must match the conditional expression for the rule to trigger.

       You can enter the number of occurrences or use the arrows to scroll the value up or down. You can enter a number between 1 and 100.

    9. In the **Length** text box, specify the timespan that you want to use to identify a match for multiple occurrences. Enter the number in the text box, and then use the drop-down menu to select a value of seconds, minutes, or hours.

       This duration identifies the amount of time that transpires from the beginning to the end of the occurrence. If the number of occurrences is not met within this period, the rule is not a match.

           <Note>
             **Note:** Your defined length and occurrences function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an <Tooltip tip="Alarms provide notification of an event or sequence of events that require attention or investigation.">alarm</Tooltip> for an <Tooltip tip="An incident-type categorization that may be a precursor to other actions or stages of an attack.">unauthorized access</Tooltip> attempt when a failed <Tooltip tip="Program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP).">SSH</Tooltip> <Tooltip tip="Log in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password.">login</Tooltip> occurs three times within a five-minute window.
           </Note>

    10. Click **Save**.

        The new rule is displayed in the list of rules.

        You can also click the Agent tab in the details of the asset to see the Query History. You can see the name of the query, the date on which the query was run, the status (**Query In Progress**, **Processing Events**, and **Completed**), and, once the query is complete, there is the **View Results** link. This link goes to the filtered events.

            <Frame>
              <img src="https://mintlify.s3.us-west-1.amazonaws.com/levelblue-5324744e/images/usm-anywhere/user-guide/agent/queryhistory.webp" />
            </Frame>
  </Accordion>
</AccordionGroup>
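
As an added illustration of how the Occurrences and Length settings work together (example code, not part of USM Anywhere or its documentation), the following Python applies a rule's conditions to a constructed batch of events and fires when the configured number of matching events falls inside the window, counted separately per source asset. The event field names, the per-asset grouping and the sample events are assumptions made for the example; the second host shows the case from step 9 where the occurrences are not met within the period.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events (not real USM Anywhere data). Each dict stands in for the
# event properties that an orchestration rule condition can match on.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:05", "event_name": "Failed SSH login", "source_name": "host-a"},
    {"time": "2024-05-01T10:01:10", "event_name": "Failed SSH login", "source_name": "host-a"},
    {"time": "2024-05-01T10:02:40", "event_name": "SSH login", "source_name": "host-a"},
    {"time": "2024-05-01T10:03:30", "event_name": "Failed SSH login", "source_name": "host-a"},
    {"time": "2024-05-01T10:20:00", "event_name": "Failed SSH login", "source_name": "host-b"},
    {"time": "2024-05-01T10:26:00", "event_name": "Failed SSH login", "source_name": "host-b"},
    {"time": "2024-05-01T10:32:00", "event_name": "Failed SSH login", "source_name": "host-b"},
]


def rule_matches(events, condition, occurrences, length_seconds, group_by="source_name"):
    """Return [(group, trigger_time_iso), ...] for every point at which the rule fires.

    condition:      property/value pairs an event must all satisfy (the rule's conditions)
    occurrences:    how many matching events are needed (1..100, as in the Occurrences box)
    length_seconds: the Length window; all N occurrences must fall within it
    group_by:       property whose value gets its own counter (assumed: the source asset)
    """
    if not 1 <= occurrences <= 100:
        raise ValueError("occurrences must be between 1 and 100")
    windows = defaultdict(deque)  # group -> timestamps of recent matching events
    fired = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if any(ev.get(k) != v for k, v in condition.items()):
            continue  # does not match the rule's conditional expression
        t = datetime.fromisoformat(ev["time"])
        win = windows[ev.get(group_by)]
        # Drop occurrences older than the window; they can no longer contribute to a match.
        while win and (t - win[0]).total_seconds() > length_seconds:
            win.popleft()
        win.append(t)
        if len(win) >= occurrences:
            fired.append((ev.get(group_by), t.isoformat()))
            win.clear()  # start counting afresh so one burst produces one action
    return fired


if __name__ == "__main__":
    # Three failed SSH logins within a five-minute window, as in the note under step 9.
    print(rule_matches(SAMPLE_EVENTS, {"event_name": "Failed SSH login"}, 3, 300))
```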

<Note>
  **Note:** Regardless of agent status, an agent query may fail if connectivity to the agent was interrupted since the last heartbeat was received.
</Note>

The full list of queries is available in the following table.

**Available LevelBlue Agent Queries**

| Query Name                                                            | Platform                  | Description                                                                                                                                                                   |
| --------------------------------------------------------------------- | ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Get Docker container running processes                                | Linux, macOS              | Get the list of processes running in each Docker container.                                                                                                                   |
| Get Docker containers details                                         | Linux, macOS              | Get a list of details for each Docker container.                                                                                                                              |
| Get Docker containers open ports                                      | Linux, macOS              | Get a list with open ports and network information for each Docker container.                                                                                                 |
| Get file information                                                  | Linux, macOS, and Windows | Get information from the file specified in the first parameter. You must include the file path of the file.                                                                   |
| Get files downloaded in the system                                    | macOS                     | Generate a list of all files downloaded in the system.                                                                                                                        |
| Get IE typed URLs                                                     | Windows                   | Get the list of URLs typed into Microsoft Internet Explorer (IE).                                                                                                             |
| Get firewall configuration                                            | Windows                   | Get a list of firewall configurations for different profiles and rules.                                                                                                       |
| Get installed packages history                                        | macOS                     | Get the list of the latest installed packages in the system.                                                                                                                  |
| Get logged-in users                                                   | Linux, macOS, and Windows | Get the list of currently logged-in users.                                                                                                                                    |
| Get listening processes                                               | Linux, macOS, and Windows | Get the list of the processes with listening sockets.                                                                                                                         |
| Get network connections                                               | Linux, macOS, and Windows | Get the list of the current network connections.                                                                                                                              |
| Get network connection information                                    | Linux                     | Get information from a network connection based on the remote address (first parameter) and the remote port (second parameter). You must include the port and the IP address. |
| Get network shares                                                    | Windows                   | Get the list of network-shared resources from the system.                                                                                                                     |
| Get persistence registry keys                                         | Windows                   | Get registry key values commonly used for persistence by attackers.                                                                                                           |
| Get recent files                                                      | Windows                   | Get the list of recent files.                                                                                                                                                 |
| Get recent items                                                      | macOS                     | Get the list of recently opened files.                                                                                                                                        |
| Get running processes                                                 | Linux, macOS, and Windows | Get the list of running processes.                                                                                                                                            |
| Get running services                                                  | Windows                   | Get the list of running services.                                                                                                                                             |
| Get SSH authorized keys                                               | Linux, macOS              | Get the list of SSH authorized keys allowed on the system.                                                                                                                    |
| Get users launched services                                           | macOS                     | Get the list of LaunchAgents and LaunchDaemons services installed in the system.                                                                                              |
| Get Wi-Fi connection status                                           | macOS                     | Get information from the current Wi-Fi connection.                                                                                                                            |
| Get Wi-Fi preferred connections                                       | macOS                     | Get information from the preferred Wi-Fi connections.                                                                                                                         |
| Hunt for potential library injection - .so deleted from disk          | Linux                     | Hunt for the potential library injection of a memory map with a deleted shared object on disk and rwxp memory.                                                                |
| Hunt for potential library injection - no .so on disk and rwxp memory | Linux                     | Hunt for the potential library injection of a memory map with no shared object on disk and rwxp memory.                                                                       |
| Hunt for potential library injection - no common .so isolation        | Linux                     | Hunt for the potential library injection of a shared library loaded from an uncommon location.                                                                                |
| Hunt for running processes with no binary on disk                     | Linux, macOS, and Windows | Hunt for running processes that do not have a matching binary on disk.                                                                                                        |
| Hunt for traffic to remote IP                                         | Linux, macOS, and Windows | Hunt for non-web traffic to remote IP addresses not using port 0, 80, or 443.                                                                                                 |
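
The three library-injection hunts in the table are described in terms of a process's memory map. As an added example (not LevelBlue code), the following Python applies the same three heuristics to constructed /proc/PID/maps lines: an executable-and-writable mapping of a shared object that has been deleted from disk, an executable-and-writable mapping with no file behind it, and a shared object loaded from outside the usual library directories. The list of common library directories and the reading of "no shared object on disk" as an anonymous rwxp mapping are assumptions made here.

```python
import re

# Library directories treated as common (assumption; adjust to your distribution).
COMMON_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed maps excerpt (not from a real host) covering the three hunts plus benign rows.
SAMPLE_MAPS = """\
55d0c2a00000-55d0c2a21000 r-xp 00000000 fd:01 1315891 /usr/bin/sshd
7f3a1bc00000-7f3a1bdc0000 r-xp 00000000 fd:01 1051734 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c000000-7f3a1c021000 rwxp 00000000 fd:01 2621503 /tmp/.cache/libhook.so (deleted)
7f3a1c100000-7f3a1c110000 rwxp 00000000 00:00 0
7f3a1c200000-7f3a1c215000 r-xp 00000000 fd:01 2621510 /dev/shm/libpreload.so
7ffd4a1e0000-7ffd4a201000 rw-p 00000000 00:00 0                          [stack]
"""


def parse_maps(text):
    """Parse /proc/<pid>/maps text into one dict per mapping; unparseable lines are skipped."""
    return [m.groupdict() for m in map(MAPS_LINE.match, text.splitlines()) if m]


def hunt_library_injection(maps_text):
    """Return (finding, path) pairs, one per mapping that matches a hunt heuristic."""
    findings = []
    for r in parse_maps(maps_text):
        path, perms = r["path"], r["perms"]
        deleted = path.endswith("(deleted)")
        is_so = ".so" in path and not path.startswith("[")  # skip [vdso], [stack], ...
        if perms == "rwxp" and is_so and deleted:
            # Shared object was unlinked after being mapped, yet stays writable and executable.
            findings.append(("so-deleted-from-disk", path))
        elif perms == "rwxp" and not path:
            # Anonymous rwxp mapping: executable code with no file on disk backing it.
            findings.append(("no-so-on-disk-rwxp", "<anonymous>"))
        elif is_so and not deleted and not path.startswith(COMMON_LIB_DIRS):
            # Library loaded from a location where system libraries do not normally live.
            findings.append(("uncommon-so-location", path))
    return findings


def hunt_pid(pid):
    """Run the hunt against a live process (Linux only)."""
    with open(f"/proc/{pid}/maps", encoding="utf-8") as f:
        return hunt_library_injection(f.read())


if __name__ == "__main__":
    for finding in hunt_library_injection(SAMPLE_MAPS):
        print(*finding)
```

Run `hunt_pid` over every entry in /proc on a Linux host to sweep all processes; the agent queries perform the equivalent collection and deliver the results as events.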
