USM Anywhere™

AlienApp for Cisco AMP Orchestration

As USM Anywhere surfaces events, alarms, and vulnerabilities, you can use the information to trigger actions in your Cisco Advance Malware Protection (AMP) environment. Rather than manually isolating or unisolating hosts, you can use the AlienApp for Cisco AMP response actions to automatically respond to events detected in your USM Anywhere environment to isolate potential threats. The following table lists the available actions from the AlienApp.

Important: To protect against unintended consequences, AlienApp for Cisco AMP only isolates single hosts; running the action against events or alarms with multiple hosts will not isolate any hosts.

Actions for the AlienApp for Cisco AMP
Action Function

Isolate Hosts Using FileHash

Run this action to isolate a host based on the FileHash identified.

Isolate Hosts Using Source IP Run this action to isolate a host based on the source IP address identified.
Isolate Hosts Using Destination IP Run this action to isolate a host based on the destination IP address identified.
Unisolate Hosts Using FileHash Run this action to unisolate a host based on the FileHash identified.
Unisolate Hosts Using Source IP Run this action to unisolate a host based on the source IP address identified.
Unisolate Hosts Using Destination IP Run this action to unisolate a host based on the destination IP address identified.

Note: Before launching a Cisco AMP response action or creating a Cisco AMP response action rule, the AlienApp for Cisco AMP must be enabled and connected to your Cisco AMP instance. See Configuring the AlienApp for Cisco AMP for more information.

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed orchestration actions.