USM Anywhere™

AlienApp for Cisco Secure Firewall ASA Actions

With the AlienApp for CiscoSecure Firewall Adaptive Security Appliance (ASA) configured with USM Anywhere, you can respond to threats or suspicious activity by sending IP addresses directly to your Cisco environment. The following table lists the available actions from the AlienApp.

Actions for the AlienApp for Cisco Secure Firewall ASA
Action Function

Tag Source IP Address

Run this action to tag the source IP address in Cisco Secure Firewall ASA from a rule, action, or event.

Tag Destination IP Address Run this action to tag the destination IP address in Cisco Secure Firewall ASA from a rule, action, or event.

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed orchestration actions.

Launch Actions from USM Anywhere

If you want to apply an action to similar events that occur in the future, you can also create orchestration rules directly from an action applied to an alarm, event, or vulnerability.

When reviewing an alarm originated from a Cisco Secure Firewall ASA event, should you conclude that the Cisco Secure Firewall ASA user account has been compromised, you can launch an action to inactivate the Cisco Secure Firewall ASA user account associated with that alarm. If you want to apply the action to similar alarms that occur in the future, you can create an orchestration rule after you apply the action.

To launch a Cisco Secure Firewall ASA response action

  1. Go to Activity > Alarms, Activity > Events, or Environment > Vulnerabilities.
  2. Click the alarm, event, or vulnerability to open the details.
  3. Click Select Action.
  4. In the Select Action dialog box, select Run Cisco Secure Firewall ASA Action and enter the Cisco Secure Firewall ASA Group Name and Group Description.

    Additional fields will be populated based on the action you've selected. Fill out the necessary fields for the app action.

    Additionally, you can choose to clear the active IP connections by selecting the Clear Active Connections checkbox.

  5. Click Run.

    After USM Anywhere initiates the action for the alarm, it displays a confirmation dialog box.