Advanced AlienApps can do one or more of the following:

• Log collection
• OrchestrationIn USM Anywhere, you can create orchestration rules to filter events, suppress events, create alarms, send notifications, or execute response actions.
• NotificationCommunication of an important event, typically through an email message or other desktop display. In USM Appliance, notifications are typically triggered by events, policies, and correlation directives, and in USM Anywhere, they are typically triggered by notification rules or directly from alarms.
• ResponseA mechanism provided through AlienApps to execute actions in third-party applications based on risks identified in USM Anywhere.

While regular AlienApps parse syslog forwarded from third-party devices, advanced AlienApps collect logs through the third-party Representational State Transfer (REST) API. In addition, through sensors deployed in various cloud environments, advanced AlienApps can collect logs from Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) using their native tools. See the following documentation for more information:

• AWS Log Collection
• Azure Log Collection
• GCP Log Collection

Some advanced AlienApps provide orchestration to automate your security operations. For example, if USM Anywhere finds data associated with a malicious website, orchestration rules might stipulate that such information be sent to a third-party application for immediate action. Both the AlienApp for Carbon Black EDR and the AlienApp for Cisco Umbrella provide this functionality.

For orchestration to work, you need to configure each AlienApp to connect with the third-party application. You will find configuration instructions for the different AlienApps in the left navigation menu.