
# Viewing Forensics and Response Events and Alarms

The BlueApp for LevelBlue Forensics and Response translates the data it retrieves into <Tooltip tip="Normalization describes the translation of log file entries received from disparate types of monitored assets into the standardized framework of Event types and sub-types.">normalized</Tooltip> events for analysis. After you enable this BlueApp, <Tooltip tip="Any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall.">events</Tooltip> are displayed on the [Events page](../../user-guide/events/events-list-view), where you can view details of the collected forensic information. These events can trigger <Tooltip tip="Alarms provide notification of an event or sequence of events that require attention or investigation.">alarms</Tooltip> to alert your team about a system compromise.

**To view BlueApp for LevelBlue Forensics and Response events**

1. Select **Activity > Events** to open the Events page.

2. If the Search & Filters panel is not displayed, click the <img src="https://mintcdn.com/levelblue-5324744e/L0uo3frxKf03lkfc/images/central-any-app/buttons/to-open-filter-sidebar.svg?fit=max&auto=format&n=L0uo3frxKf03lkfc&q=85&s=a2b105a32651fb994bfbbba0d85db9e1" style={{ height: "1em", verticalAlign: "middle", display: "inline-block", margin: "0 0.25em" }} width="20" height="20" data-path="images/central-any-app/buttons/to-open-filter-sidebar.svg" /> icon to expand it.

   USM Anywhere displays several filters by default.

3. Scroll down to the Data Source filter and select **LevelBlue Forensics and Response App** to display only those events on the page.

   <Frame>
     <img src="https://mintcdn.com/levelblue-5324744e/saQsJL5uxJZR1Kxa/images/usm-anywhere/alienapps/forensics-resp/forensics-resp-plugin-filter-att.webp?fit=max&auto=format&n=saQsJL5uxJZR1Kxa&q=85&s=3da53c663379d312533968b5a405cac5" width="345" height="361" data-path="images/usm-anywhere/alienapps/forensics-resp/forensics-resp-plugin-filter-att.webp" />
   </Frame>

   If this filter is not displayed, click the **Configure filters** link in the upper-left corner of the page to configure the filters for the page. See [Managing Filters](../../user-guide/asset-management/asset-administration/managing-filters) for more information about configuring filters for pages.

4. Select an event in the list to view detailed information.

   <Frame>
     <img src="https://mintcdn.com/levelblue-5324744e/saQsJL5uxJZR1Kxa/images/usm-anywhere/alienapps/forensics-resp/forensics-resp-event-details.webp?fit=max&auto=format&n=saQsJL5uxJZR1Kxa&q=85&s=b33ad1699613f06632187899d8e28ed2" width="661" height="491" data-path="images/usm-anywhere/alienapps/forensics-resp/forensics-resp-event-details.webp" />
   </Frame>

USM Anywhere includes built-in correlation rules that generate an alarm from one or more of these events. These rules analyze the events for patterns that indicate a code injection or Sticky Keys compromise on an asset. You can view the specifics of these rules on the [Correlation Rules](../../user-guide/rules-management/correlation-rules) page by entering `forensics` in the Search field.

<Frame>
  <img src="https://mintcdn.com/levelblue-5324744e/saQsJL5uxJZR1Kxa/images/usm-anywhere/alienapps/forensics-resp/forensics-resp-correlation-rules_525x191.webp?fit=max&auto=format&n=saQsJL5uxJZR1Kxa&q=85&s=65b608d62e988a30f56ffb6ae0d5e7d3" width="525" height="191" data-path="images/usm-anywhere/alienapps/forensics-resp/forensics-resp-correlation-rules_525x191.webp" />
</Frame>

If you want to generate an alarm for other types of Forensics and Response events, you can [create your own custom alarm rules](../../user-guide/rules-management/alarm-rules) and define the matching conditions to fit your criteria.
