AlienVault® USM Anywhere™

Launching a Cisco ASA Response Action

Role Availability Read-Only Analyst   Manager

When you review the information in the Alarm Details, Event Details, or Vulnerability Details, you can easily launch an action to send a request to your connected Cisco ASA instance to create a new incident case based on that item. (In USM Anywhere you can execute an action from alarms, events, and vulnerabilities to run a scan, get forensic information, or execute a response for a configured AlienApp.) If you want to apply an action to similar events that occur in the future, you can also create an orchestration rule after you apply the action.

When reviewing an alarm that originated from a Cisco ASA event, should you conclude that the Cisco ASA user account has been compromised, you can launch an action to inactivate the Cisco ASA user account associated with that alarm. If you want to apply the action to similar alarms that occur in the future, you can create an orchestration rule after you apply the action.

To launch a Cisco ASA response action

  1. Go to Activity > Alarms, Activity > Events, or Environment > Vulnerabilities.
  2. Click the alarm, event, or vulnerability to open the details.
  3. Click Select Action.
  4. In the Select Action dialog box, select Run Cisco ASA Action and enter the Cisco ASA Group Name and Group Description.

    Additionally, you can choose to clear the active IP connections by selecting the Clear Active Connections checkbox.

  5. Click Run.

    After USM Anywhere initiates the action for the alarm, it displays a confirmation dialog box.

To launch a Cisco ASA action for an alarm

  1. Go to Activity > Alarms.
  2. Review the alarms generated from Cisco ASA events, and then click the alarm to open its details.
  3. Click Select Action, and then select the Run Cisco ASA Action tile.
  4. (Optional.) If you have more than one USM Anywhere Sensor configured for the AlienApp for Cisco ASA, select the sensor that you want to use for the action.
  5. In the App Action list, select Create Cisco ASA Task.

    This displays the options for the selected action.

  6. Click Run.

    After USM Anywhere initiates the action for the alarm, it displays a confirmation dialog box.

  7. If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms and define the new rule. If not, click OK.