BlueApp for Cisco Secure Endpoint Actions

As USM Anywhere surfaces events, alarms, and vulnerabilities, you can use that information to trigger actions in your Cisco Secure Endpoint environment. Rather than isolating or unisolating hosts manually in the Cisco Secure Endpoint console, you can use the BlueApp for Cisco Secure Endpoint response actions to isolate a host automatically when USM Anywhere detects a potential threat, and to lift the isolation again once it is resolved. The following table lists the actions the BlueApp provides.

Important: To prevent one action from isolating many machines unintentionally, the BlueApp for Cisco Secure Endpoint only isolates a single host per action. If the event or alarm you run the action against resolves to more than one host, the action isolates none of them. Check the History tab of the BlueApp (see below) to confirm whether an action actually ran.

Actions for the BlueApp for Cisco Secure Endpoint

Action                                Description
Isolate Hosts Using FileHash          Isolates the host on which the identified file hash was seen.
Isolate Hosts Using Source IP         Isolates the host that matches the identified source IP address.
Isolate Hosts Using Destination IP    Isolates the host that matches the identified destination IP address.
Unisolate Hosts Using FileHash        Unisolates the host on which the identified file hash was seen.
Unisolate Hosts Using Source IP       Unisolates the host that matches the identified source IP address.
Unisolate Hosts Using Destination IP  Unisolates the host that matches the identified destination IP address.

Note: Before launching a Cisco Secure Endpoint response action or creating a Cisco Secure Endpoint response action rule, the BlueApp for Cisco Secure Endpoint must be enabled and connected to your Cisco Secure Endpoint instance. See Configuring the BlueApp for Cisco Secure Endpoint for more information.
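The following is an added example, not code from the BlueApp or from USM Anywhere. It shows what an orchestrator has to do behind the six actions above: resolve the event indicator (file hash, source IP, or destination IP) to a Cisco Secure Endpoint connector, refuse to act unless exactly one host matches (the single-host rule from the Important note), and only then build the isolate or unisolate request. It assumes the public Cisco Secure Endpoint API v1, where PUT /v1/computers/{connector_guid}/isolation starts isolation, DELETE on the same path stops it, and requests authenticate with HTTP Basic auth using client_id:api_key; the host inventory, GUIDs, IPs, and hash are constructed sample data.

```python
"""Added example (not the BlueApp's own code): resolve a USM Anywhere event
indicator to a single Cisco Secure Endpoint connector and build the
isolate/unisolate request, enforcing the one-host rule.

Assumptions (not from the page): Cisco Secure Endpoint API v1, where
  PUT    /v1/computers/{connector_guid}/isolation  starts isolation,
  DELETE /v1/computers/{connector_guid}/isolation  stops isolation,
authenticated with HTTP Basic auth as client_id:api_key.
"""
import base64
import json
import urllib.request
from dataclasses import dataclass, field

API_BASE = "https://api.amp.cisco.com/v1"  # assumption: North America cloud


@dataclass
class Computer:
    """Subset of a GET /v1/computers record, plus the SHA-256 hashes this
    connector has reported (a constructed stand-in for a
    GET /v1/computers/activity?q=<sha256> lookup)."""
    connector_guid: str
    hostname: str
    internal_ips: list
    external_ip: str
    seen_sha256: set = field(default_factory=set)


BAD_HASH = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed inventory: two workstations sit behind the same NAT address.
SAMPLE_COMPUTERS = [
    Computer("11111111-1111-1111-1111-111111111111", "ws-alice",
             ["10.0.0.5"], "203.0.113.10", {BAD_HASH}),
    Computer("22222222-2222-2222-2222-222222222222", "ws-bob",
             ["10.0.0.6"], "203.0.113.10"),
    Computer("33333333-3333-3333-3333-333333333333", "srv-files",
             ["10.0.1.20"], "198.51.100.7"),
]


def match_hosts(computers, indicator, value):
    """Return the computers an event indicator resolves to.

    indicator is 'file_hash', 'source_ip' or 'destination_ip', mirroring the
    six BlueApp actions. An IP matches a connector's internal addresses or
    its external (NAT) address, so one IP can legitimately hit many hosts.
    """
    if indicator == "file_hash":
        return [c for c in computers if value.lower() in c.seen_sha256]
    if indicator in ("source_ip", "destination_ip"):
        return [c for c in computers
                if value in c.internal_ips or value == c.external_ip]
    raise ValueError(f"unsupported indicator: {indicator}")


def plan_action(computers, action, indicator, value):
    """Decide what to send for an isolate/unisolate action.

    Returns (method, path) when exactly one host matches, or None when the
    indicator resolves to zero or several hosts: like the BlueApp, an
    ambiguous match isolates nothing rather than many machines.
    """
    if action not in ("isolate", "unisolate"):
        raise ValueError(f"unsupported action: {action}")
    matches = match_hosts(computers, indicator, value)
    if len(matches) != 1:
        return None
    method = "PUT" if action == "isolate" else "DELETE"
    return method, f"/computers/{matches[0].connector_guid}/isolation"


def send(method, path, client_id, api_key, timeout=30):
    """Issue the planned request (network call; not exercised offline)."""
    req = urllib.request.Request(API_BASE + path, method=method)
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for args in [("isolate", "file_hash", BAD_HASH),
                 ("isolate", "destination_ip", "203.0.113.10"),
                 ("unisolate", "source_ip", "10.0.1.20")]:
        print(args, "->", plan_action(SAMPLE_COMPUTERS, *args))
```

The destination-IP case in the sample is the one the Important note warns about: both workstations share the NAT address, so the plan returns None and nothing is isolated, even though a naive "isolate everything that matches" would have taken two machines offline.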

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed orchestration actions.

Launch Actions from USM Anywhere

You can launch an action on an individual alarm, event, or vulnerability. If you want the same action applied to similar items that occur in the future, you can also create an orchestration rule directly from the action you applied.

To launch a Cisco Secure Endpoint response action for an alarm, event, or vulnerability

  1. Go to Activity > Alarms, Activity > Events, or Environment > Vulnerabilities.
  2. Click the alarm, event, or vulnerability to open the details.
  3. Click Select Action.
  4. In the Select Action dialog box, select Run Cisco Secure Endpoint Action.

    Additional fields will be populated based on the action you've selected. Fill out the necessary fields for the app action.

  5. Set the following fields for the action:

    • Sensor: the USM Anywhere sensor that runs the action.
    • App Action: the isolate or unisolate action to run (see the table above).
  6. Click Run.

    After USM Anywhere initiates the action for an alarm or event, it displays a confirmation dialog box.

    If you want to create a rule that applies the action to similar items in the future, click Create rule for similar alarms or Create rule for similar events and define the new rule. If not, click OK. Be careful when creating rules from unisolate actions: a rule lifts isolation automatically, with no analyst review of the match.