# Enforcement System Functions

Use the enforcement functions to mitigate an incident or contain a threat, such as malware, on a remote Microsoft Windows system. You can trigger actions that execute these functions directly from an <Tooltip tip="Any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall.">event</Tooltip> or <Tooltip tip="Alarms provide notification of an event or sequence of events that require attention or investigation.">alarm</Tooltip>, and easily create a rule to execute the function for similar events or alarms that occur in the future. You can also create a scheduled job to execute one or more functions for a specific asset, such as performing a system restart at the same time each day.

<Warning>
  **Important:** These functions are supported only for Windows hosts in your USM Anywhere asset inventory.

  Target assets must have assigned credentials that are suitable for system-level access to the host. See [Configuring the BlueApp for LevelBlue Forensics and Response](requirements-blueapp-forensics-resp) for more information.
</Warning>

<AccordionGroup>
  <Accordion title="Set Registry Key to String">
    Use this function to set or update a registry key to a standard string (REG\_SZ) value on a Windows target system.

    You can run this function using the Set Registry Key to String action from the BlueApp for LevelBlue Forensics and Response page or as an action from an orchestration rule. Set the parameters according to the registry key and value.

    **Path**: Enter the path for the registry key. For example, `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion`.

    **Name**: Enter the name of the registry key. For example, `MyKey`.

    **Value**: Enter the new value for the key as a standard string format. For example, `New-Key-Value`.
  </Accordion>

  <Accordion title="Set Registry Key to DWORD">
    Use this function to set or update a registry key to a 32-bit integer (REG\_DWORD) value on a Windows target system.

    You can run this function using the Set Registry Key to DWORD action from the BlueApp for LevelBlue Forensics and Response page or as an action from an orchestration rule. Set the parameters according to the registry key and value.

    **Path**: Enter the path for the registry key. For example, `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion`.

    **Name**: Enter the name of the registry key. For example, `MyVersionKey`.

    **Value**: Enter the new value for the key as a 32-bit integer (DWORD). For example, `108`.
  </Accordion>
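    The two registry functions above differ only in the value type they write. The following PowerShell function is an added example, not the BlueApp's own implementation: it writes a value as REG\_SZ or REG\_DWORD using the same path, name and value parameters, creates the key if it is missing, rejects data that cannot be stored as a 32-bit integer, and reads the value back so the type and data can be verified on the host. The function name and the `IR` naming are assumptions.

    ```powershell
    # Added example (not the BlueApp's own code): write a registry value as REG_SZ or
    # REG_DWORD and read it back, including its value kind, to verify the change.
    function Set-RegistryValueChecked {
        param(
            [Parameter(Mandatory)] [string] $Path,
            [Parameter(Mandatory)] [string] $Name,
            [Parameter(Mandatory)] $Value,
            [Parameter(Mandatory)] [ValidateSet('String', 'DWord')] [string] $Type
        )
        # REG_DWORD holds an unsigned 32-bit integer; reject anything that does not
        # parse as one rather than letting PowerShell coerce or truncate it.
        if ($Type -eq 'DWord') {
            $parsed = [uint32]0
            if (-not [uint32]::TryParse([string]$Value, [ref]$parsed)) {
                throw "Value '$Value' is not a valid 32-bit unsigned integer for REG_DWORD"
            }
            $Value = $parsed
        }
        # Create the key first; setting a property under a missing key fails.
        if (-not (Test-Path -LiteralPath $Path)) {
            New-Item -Path $Path -Force | Out-Null
        }
        # -Force overwrites an existing value and applies the requested type explicitly
        # (Set-ItemProperty would keep the existing type unless -Type is given).
        New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value `
            -PropertyType $Type -Force | Out-Null
        # Read back both the data and the value kind (String or DWord) to confirm.
        $key = Get-Item -LiteralPath $Path
        [pscustomobject]@{
            Path  = $Path
            Name  = $Name
            Value = $key.GetValue($Name)
            Kind  = $key.GetValueKind($Name)
        }
    }

    # Usage with the example values from this page (elevated session; HKLM needs admin):
    # Set-RegistryValueChecked -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion' `
    #     -Name 'MyKey' -Value 'New-Key-Value' -Type String
    # Set-RegistryValueChecked -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion' `
    #     -Name 'MyVersionKey' -Value 108 -Type DWord
    ```

    Try it against a throwaway key under `HKCU:` first; the returned `Kind` field is what tells you whether a value landed as `String` or `DWord`.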

  <Accordion title="Disable Networking">
    Use this function to disable all the network interfaces on a Windows target system. This is typically executed to isolate a system that has been compromised or is infected with <Tooltip tip="Generic term for a number of different types of malicious code including viruses, worms, and Trojans.">malware</Tooltip>.

    You can run this function using the Disable Networking action from the BlueApp for LevelBlue Forensics and Response page, from the Alarm or Event details, or as an action from an orchestration rule or scheduled job. You specify the asset for the function and no parameters are required.
  </Accordion>

  <Accordion title="Shutdown">
    Use this function to shut down a Windows target system. This is a typical response action in situations where a system is compromised and must be shut down in order to stop further damage.

    You can run this function using the Shutdown action from the BlueApp for LevelBlue Forensics and Response page, from the Alarm or Event details, or as an action from an orchestration rule or scheduled job. You specify the asset for the function and no parameters are required.
  </Accordion>

  <Accordion title="Stop Process">
    Use this function to stop a process on a Windows target system using the process identification (ID). This function returns information about the terminated process and USM Anywhere displays this as an event.

    You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:

    **Query**: Enter `stopProcess` as the value.

    **First Optional Parameter**: Enter the name of the process to be stopped. For example, `TermService`. If needed, you can determine this value by executing a Get Processes function.
  </Accordion>

  <Accordion title="Disable Local User">
    Use this function to disable a local user account on a Windows target system.

    You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:

    **Query**: Enter `disableLocalUser` as the value.

    **First Optional Parameter**: Enter the name of the user account to be disabled. For example, `TempUser`. If needed, you can determine this value by executing a Get Users function.
  </Accordion>

  <Accordion title="Disable AD User">
    Use this function to disable an <Tooltip tip="Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks.">Active Directory</Tooltip> user account on a Windows target system that is configured as an AD domain controller.

    You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:

    **Query**: Enter `disableADUser` as the value.

    **First Optional Parameter**: Enter the name of the AD user account to be disabled. For example, `TempUser`. If needed, you can determine this value by executing a Get AD Users function.
  </Accordion>

  <Accordion title="Stop Service">
    Use this function to stop a service on the target system using the service name and retrieve information about the stopped service.

    You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:

    **Query**: Enter `stopService` as the value.

    **First Optional Parameter**: Enter the name of the service to be stopped. If needed, you can determine this value by executing a Get Running Services data collection function.
  </Accordion>

  <Accordion title="Restart Service">
    Use this function to restart a service on the target system using the service name.

    You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:

    **Query**: Enter `restartService` as the value.

    **First Optional Parameter**: Enter the name of the service to be restarted. If needed, you can determine this value by executing a Get Running Services data collection function.
  </Accordion>

  <Accordion title="Send Message">
    Use this function to send messages to a user connected to the target system.

    You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:

    **Query**: Enter `sendMessage` as the value.

    **First Optional Parameter**: Enter the user account name. A value of \* sends the message to all connected users.

    **Second Optional Parameter**: Enter the message text.
  </Accordion>

  <Accordion title="Block Remote Address Outbound">
    Use this function to create a new rule in the Windows firewall to block outbound connections to a specified address. This is useful for cutting off a command-and-control (C2) address when a system has been compromised.

    You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:

    **Query**: Enter `blockRemoteAddressOutbound` as the value.

    **First Optional Parameter**: Enter the remote IP address to be blocked.
  </Accordion>

  <Accordion title="Block Remote Address Inbound">
    Use this function to create a new rule in the Windows firewall to block inbound connections from a specified address. This is useful for blocking the source address of an attacker that is launching a <Tooltip tip="Technique or attack method, typically used with authentication, involving an exhaustive procedure that tries all possibilities (for example, to find a valid password), one-by-one.">brute force</Tooltip>, denial of service (DoS), or other attack.

    You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:

    **Query**: Enter `blockRemoteAddressInbound` as the value.

    **First Optional Parameter**: Enter the remote IP address to be blocked.
  </Accordion>
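    The Block Remote Address Outbound and Block Remote Address Inbound functions above both reduce to one Windows Firewall block rule whose only variables are the direction and the remote address. The PowerShell below is an added example, not the BlueApp's own implementation: it validates that the parameter is a literal IP address, avoids creating a duplicate rule, and returns the addresses actually attached to the rule so a responder can confirm what was blocked. The `IR-Block-` rule-name convention is an assumption.

    ```powershell
    # Added example (not the BlueApp's own code): create a single block rule for a
    # remote address in the given direction, then verify the address bound to it.
    function Add-RemoteAddressBlockRule {
        param(
            [Parameter(Mandatory)] [string] $RemoteAddress,
            [Parameter(Mandatory)] [ValidateSet('Inbound', 'Outbound')] [string] $Direction
        )
        # Accept only a literal IPv4/IPv6 address. A hostname would be resolved once
        # at creation time and silently pin whatever it resolved to at that moment.
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($RemoteAddress, [ref]$ip)) {
            throw "'$RemoteAddress' is not a valid IP address"
        }
        # Deterministic rule name (assumed convention) so the rule can be audited,
        # reported on, or removed once the incident is closed.
        $name = "IR-Block-$Direction-$RemoteAddress"
        $existing = Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue
        if ($existing) {
            Write-Verbose "Rule $name already exists; not creating a duplicate"
            return $existing
        }
        # Block on every profile and protocol, enabled immediately.
        New-NetFirewallRule -Name $name -DisplayName $name `
            -Direction $Direction -Action Block -RemoteAddress $RemoteAddress `
            -Profile Any -Enabled True
    }

    # Post-change check: list the remote addresses the rule actually filters on, so you
    # can confirm the intended address (and only that address) is blocked.
    function Get-BlockRuleAddresses {
        param([Parameter(Mandatory)] [string] $Name)
        Get-NetFirewallRule -Name $Name | Get-NetFirewallAddressFilter |
            Select-Object -ExpandProperty RemoteAddress
    }

    # Usage (elevated session) with a constructed documentation-range address:
    # Add-RemoteAddressBlockRule -RemoteAddress '203.0.113.10' -Direction Outbound
    # Get-BlockRuleAddresses -Name 'IR-Block-Outbound-203.0.113.10'
    ```

    The same pattern with `-LocalPort` in place of `-RemoteAddress` covers the Block Inbound Port function.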

  <Accordion title="Block Inbound Port">
    Use this function to create a new rule in the Windows firewall to block inbound connections to a specific port.

    You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:

    **Query**: Enter `blockInboundPort` as the value.

    **First Optional Parameter**: Enter the port number to be blocked.
  </Accordion>

  <Accordion title="Restart">
    Use this function to restart the target system.

    You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:

    **Query**: Enter `restart` as the value.
  </Accordion>

  <Accordion title="Restore">
    Use this function to restore the target system to the specified restore point.

    You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:

    **Query**: Enter `restore` as the value.

    **First Optional Parameter**: Enter the ID for the restore point. If needed, you can determine this value by executing a Get Restore Points data collection function.
  </Accordion>

  <Accordion title="Enable Windows EventLog Channel">
    Use this function to enable a Windows EventLog channel on the target system.

    You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:

    **Query**: Enter `enableLogChannel` as the value.
  </Accordion>

  <Accordion title="Disable Windows EventLog Channel">
    Use this function to disable a Windows EventLog channel on the target system.

    You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:

    **Query**: Enter `disableLogChannel` as the value.
  </Accordion>

  <Accordion title="Launch a Windows Defender Scan">
    Use this function to launch a Windows Defender scan on the target system.

    You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:

    **Query**: Enter `launchWindowsDefenderScan` as the value.

    **First Optional Parameter**: Enter the scan type. This value can be `QuickScan`, `FullScan`, or `CustomScan`.

    **Second Optional Parameter**: If you specify the CustomScan type, enter the path to scan (for example, `C:\Directory`).
  </Accordion>

  <Accordion title="Update Windows Defender Signatures">
    Use this function to update the Windows Defender signatures on the target system from the Microsoft update server.

    You can run this function through the Launch Query action. Set these parameters for the Launch Query app action:

    **Query**: Enter `updateWindowsDefenderSignatures` as the value.
  </Accordion>
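    The two Windows Defender functions above take a scan type, an optional path for CustomScan, and a signature update from Microsoft. The PowerShell below is an added example, not the BlueApp's own implementation: it maps those parameters onto the Defender cmdlets, enforces that a path is supplied (and exists) only for CustomScan, optionally refreshes signatures first, and returns the signature timestamp together with any detections raised during the scan. The function name is an assumption.

    ```powershell
    # Added example (not the BlueApp's own code): run a Defender scan with the same
    # scan-type/path parameters as the function above and report what it found.
    function Invoke-DefenderScanChecked {
        param(
            [Parameter(Mandatory)] [ValidateSet('QuickScan', 'FullScan', 'CustomScan')] [string] $ScanType,
            [string] $ScanPath,
            [switch] $UpdateSignaturesFirst
        )
        # CustomScan is the only type that takes a path. Require it and check that it
        # exists: a mistyped path would scan nothing and still look like a clean result.
        if ($ScanType -eq 'CustomScan') {
            if (-not $ScanPath) { throw 'CustomScan requires a path (second optional parameter)' }
            if (-not (Test-Path -LiteralPath $ScanPath)) { throw "Scan path '$ScanPath' does not exist" }
        } elseif ($ScanPath) {
            Write-Warning "ScanPath is ignored for $ScanType"
        }
        if ($UpdateSignaturesFirst) {
            # Same source the Update Windows Defender Signatures function pulls from.
            Update-MpSignature -UpdateSource MicrosoftUpdateServer
        }
        $started = Get-Date
        if ($ScanType -eq 'CustomScan') {
            Start-MpScan -ScanType CustomScan -ScanPath $ScanPath
        } else {
            Start-MpScan -ScanType $ScanType
        }
        # Report signature age next to the detections raised since the scan started, so
        # a clean result can be read together with how current the signatures were.
        $status = Get-MpComputerStatus
        [pscustomobject]@{
            ScanType            = $ScanType
            SignaturesUpdatedOn = $status.AntivirusSignatureLastUpdated
            Detections          = @(Get-MpThreatDetection |
                                    Where-Object { $_.InitialDetectionTime -ge $started })
        }
    }

    # Usage (elevated session) with the example path from this page:
    # Invoke-DefenderScanChecked -ScanType CustomScan -ScanPath 'C:\Directory' -UpdateSignaturesFirst
    ```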
</AccordionGroup>
