AlienVault® USM Anywhere™

AlienApp for Cisco AMP Orchestration

As USM Anywhere surfaces events, alarms, and vulnerabilities, you can use that information to trigger actions in your Cisco Advanced Malware Protection (AMP) environment. Rather than isolating or unisolating hosts by hand, you can use the AlienApp for Cisco AMP response actions to respond automatically to events detected in your USM Anywhere environment and isolate potential threats.

Important: To protect against unintended consequences, AlienApp for Cisco AMP only isolates single hosts; running the action against events or alarms with multiple hosts will not isolate any hosts.

Response Actions Available in the AlienApp for Cisco AMP

Action                                  Function
Isolate Hosts Using FileHash            Run this action to isolate a host based on the file hash identified.
Isolate Hosts Using Source IP           Run this action to isolate a host based on the source IP identified.
Isolate Hosts Using Destination IP      Run this action to isolate a host based on the destination IP identified.
Unisolate Hosts Using FileHash          Run this action to unisolate a host based on the file hash identified.
Unisolate Hosts Using Source IP         Run this action to unisolate a host based on the source IP identified.
Unisolate Hosts Using Destination IP    Run this action to unisolate a host based on the destination IP identified.

Note: Before launching a Cisco AMP response action or creating a Cisco AMP response action rule, the AlienApp for Cisco AMP must be enabled and connected to your Cisco AMP instance. See Configuring the Cisco AMP App for more information.
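The following is an added example, not code from USM Anywhere or Cisco, showing the decision logic a practitioner would want behind these six actions: resolve the event's file hash, source IP, or destination IP to AMP connector GUIDs, refuse to act unless exactly one host results (the single-host rule in the Important note above), and only then build the isolate (PUT) or unisolate (DELETE) request. The connector inventory, GUIDs, hashes, and event fields below are constructed sample data; the Cisco AMP endpoint paths (/v1/computers/{guid}/isolation) and Basic-auth scheme are assumptions to verify against the current Cisco AMP for Endpoints API documentation.

```python
"""Guard-railed planner for Cisco AMP isolate/unisolate response actions.
Illustrative code only; not the AlienApp's or Cisco's implementation."""
import base64
import ipaddress
import re
import urllib.request
from typing import Optional

# Constructed stand-in for the AMP connector inventory. The real integration
# would look connectors up via the Cisco AMP API (assumed endpoints such as
# GET /v1/computers?internal_ip=... and GET /v1/computers/activity?q=<sha256>).
# GUIDs and hashes are made up.
CONNECTORS = {
    "11111111-1111-4111-8111-111111111111": {
        "ips": {"10.0.1.10"},
        "hashes": {"a" * 64},
    },
    "22222222-2222-4222-8222-222222222222": {
        "ips": {"10.0.1.20"},
        "hashes": {"a" * 64, "b" * 64},   # shares one hash with the first host
    },
}

# Assumed USM Anywhere event field names for each selector.
SELECTOR_FIELDS = {
    "file_hash": "file_hash",
    "source_ip": "source_address",
    "destination_ip": "destination_address",
}
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def resolve_connectors(event: dict, selector: str) -> set:
    """Return the connector GUIDs that the event's selector value maps to."""
    if selector not in SELECTOR_FIELDS:
        raise ValueError(f"unknown selector {selector!r}")
    value = str(event.get(SELECTOR_FIELDS[selector], "")).strip()
    if selector == "file_hash":
        if not SHA256_RE.fullmatch(value):
            return set()            # malformed hash: match nothing, never guess
        value = value.lower()
        return {g for g, c in CONNECTORS.items() if value in c["hashes"]}
    try:
        ip = str(ipaddress.ip_address(value))
    except ValueError:
        return set()                # not an IP address: match nothing
    return {g for g, c in CONNECTORS.items() if ip in c["ips"]}


def plan_action(events: list, selector: str, unisolate: bool = False) -> Optional[tuple]:
    """Decide the action for one event or an alarm (a list of its events).

    Applies the single-host rule: unless the selector resolves to exactly one
    connector across all events, nothing is touched and None is returned.
    Otherwise returns (HTTP method, path) for the assumed isolation endpoint.
    """
    guids = set()
    for event in events:
        guids |= resolve_connectors(event, selector)
    if len(guids) != 1:
        return None
    (guid,) = guids
    method = "DELETE" if unisolate else "PUT"
    return method, f"/v1/computers/{guid}/isolation"


def build_request(method: str, path: str, client_id: str, api_key: str,
                  base_url: str = "https://api.amp.cisco.com") -> urllib.request.Request:
    """Build, without sending, the API request with Basic auth (client_id:api_key).
    The base URL and auth scheme are assumptions to confirm against Cisco's docs."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    req = urllib.request.Request(base_url + path, method=method)
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    return req


if __name__ == "__main__":
    single = [{"source_address": "10.0.1.10", "destination_address": "203.0.113.5"}]
    multi = single + [{"source_address": "10.0.1.20"}]
    print("single host :", plan_action(single, "source_ip"))
    print("multi host  :", plan_action(multi, "source_ip"))   # None: rule blocks it
```

The same resolver serves all six actions: the selector picks the event field, and the unisolate flag only flips the HTTP method, so the single-host guard cannot be bypassed by choosing a different action. Note that a file hash seen on two connectors also yields no action, which is the behaviour to expect when a hash-based rule fires on a widely distributed file.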

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > Integrations.
  2. Click the AlienApps tab.

    (Screenshot: Available Apps tab)

  3. On the AlienApps page, click the Cisco AMP tile.

  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed actions.