AlienApp for Cisco Secure Firewall ASA Actions

With the AlienApp for Cisco Secure Firewall Adaptive Security Appliance (ASA) configured with USM Anywhere, you can respond to threats or suspicious activity by sending IP addresses directly to your Cisco environment. The following table lists the available actions from the AlienApp.

Actions for the AlienApp for Cisco Secure Firewall ASA
| Action | Description |
| --- | --- |
| Tag Source IP from Event | Run this action to label the source IP address based on an event |
| Tag Destination IP from Event | Run this action to label the destination IP address based on an event |
| Tag Source IP from Alarm | Run this action to label the source IP address based on an alarm |
| Tag Destination IP from Alarm | Run this action to label the destination IP address based on an alarm |
| Tag Source IP Address from Rule | Run this action to label the source IP address based on a predefined rule |
| Tag Destination IP Address from Rule | Run this action to label the destination IP address based on a predefined rule |
| Remove Tag from Source IP Address | Run this action to remove a tag from the source IP address |
| Remove Tag from Destination IP Address | Run this action to remove a tag from the destination IP address based on an event |
| Remove Tag from Source IP from Alarm | Run this action to remove a tag from the source IP address associated with an alarm |
| Remove Tag from Destination IP from Alarm | Run this action to remove a tag from the destination IP address associated with an alarm |

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed orchestration actions.

Launch Actions from USM Anywhere

If you want to apply an action to similar events that occur in the future, you can also create orchestration rules directly from an action applied to an alarm, event, or vulnerability.

When reviewing an alarm that originated from a Cisco Secure Firewall ASA event, if you conclude that the Cisco Secure Firewall ASA user account has been compromised, you can launch an action to inactivate the Cisco Secure Firewall ASA user account associated with that alarm. If you want to apply the action to similar alarms that occur in the future, you can create an orchestration rule after you apply the action.

To launch a Cisco Secure Firewall ASA response action

  1. Go to Activity > Alarms, Activity > Events, or Environment > Vulnerabilities.
  2. Click the alarm, event, or vulnerability to open the details.
  3. Click Select Action.
  4. In the Select Action dialog box, select Run Cisco Secure Firewall ASA Action and enter the Cisco Secure Firewall ASA Group Name and Group Description.

    Additional fields will be populated based on the action you've selected. Fill out the necessary fields for the app action.

    Additionally, you can choose to clear the active IP connections by selecting the Clear Active Connections checkbox.

  5. Click Run.

    After USM Anywhere initiates the action for the alarm, it displays a confirmation dialog box.