USM Anywhere™

Advanced AlienApps

Advanced AlienApps can do one or more of the following:

Log collection
OrchestrationIn USM Anywhere, you can create orchestration rules to filter events, suppress events, create alarms, send notifications, or execute response actions.
NotificationCommunication of an important event, typically through an email message or other desktop display. In USM Appliance, notifications are typically triggered by events, policies, and correlation directives, and in USM Anywhere, they are typically triggered by notification rules or directly from alarms.
ResponseA mechanism provided through AlienApps to execute actions in third-party applications based on risks identified in USM Anywhere.

While regular AlienApps parse syslog forwarded from third-party devices, advanced AlienApps collect logs through the third-party Representational State Transfer (REST) API. In addition, through sensors deployed in various cloud environments, advanced AlienApps can collect logs from Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) using their native tools. See the following documentation for more information:

Some advanced AlienApps provide orchestration to automate your security operations. For example, if USM Anywhere finds data associated with a malicious website, orchestration rules might stipulate that such information be sent to a third-party application for immediate action. Both the AlienApp for Carbon Black EDR and the AlienApp for Cisco Umbrella provide this functionality.

Edition: Advanced AlienApps are available in the Standard and Premium editions of USM Anywhere. See https://cybersecurity.att.com/pricing for more information about the features and support provided by each of the USM Anywhere editions.

For orchestration to work, you need to configure each AlienApp to connect with the third-party application. Find configuration instructions for the different AlienApps in these links: