Creating Cisco Secure Firewall ASA Response Action Rules

Role Availability Read-Only Investigator Analyst Manager

You can create orchestration rules in USM Anywhere that automatically trigger a Cisco Secure Firewall Adaptive Security Appliance (ASA) response action when events Any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall., alarms Alarms provide notification of an event or sequence of events that require attention or investigation., or vulnerabilities A known issue or weakness in a system, procedure, internal control, software package, or hardware that could be used to compromise security. match the criteria that you specify.

After you create a rule, if there are new events, alarms, or vulnerabilities that match the conditions, they will trigger the Cisco Secure Firewall ASA response action to create a new incident. The rule does not trigger for existing events, alarms, or vulnerabilities.

You can create a new rule as follows:

  • From the Rules page: The Rules page provides access to all of your orchestration rules. The Orchestration Rules list includes suppression rules, alarm rules, event rules, filtering rules, notification rules, and response action rules. You can create new rules using the specific matching conditions that you define, as well as edit, delete, and enable or disable rules. See Orchestration Rules for more information about managing orchestration rules.

    Go to Settings > Rules and select Response Action Rules on the left navigation panel. Then click Create Response Action Rule to define the new rule.

To define a new Cisco Secure Firewall ASA response action rule

  1. Enter a name for the rule and select the sensor.

  2. Select the action to tag either a source or destination IP address and enter the Cisco Secure Firewall ASA Group Name and Group Description.

    Additionally, you can choose to clear the active IP connections with the Clear Active Connections checkbox.

    • Create a New Incident from a Vulnerability Status Update

      This is the default action if you create the rule after applying a Cisco Secure Firewall ASA response action to a vulnerability.

      Important: To match vulnerability status updates, your rule must include the following criteria: (packet_type == 'system_event' AND object_type == 'AssetVulnerabilityStatus').

      However, it is important to be aware that this will return all vulnerability status changes matching these rules. It is advisable to narrow the rule with further conditions. Additionally, you can create a similar alarm rule first to test the amount of responses it would generate when active before you use the rule to create Cisco Secure Firewall ASA rules.

      Rules for vulnerabilities tickets

  3. At the bottom of the dialog box, set the Rule Condition parameters to specify the criteria for a matching alarm or event to trigger the rule.

    Set the matching conditions for triggering the rule

    • If you create the rule from an applied action, this section provides suggested property/value pairs from the selected alarm or event that you can use as conditions for the rule. Click the icon to delete the items that you do not want to include in the matching conditions. You can also add other conditions that are not suggested.
    • If you create the rule from the Rules page, you must use the Add Condition and Add Group functions to define the property/value pairs that you want to use as conditions for the rule.
    • At the bottom of the dialog box, click More to display the optional multiple occurrence and window length parameters.
  4. Click Save Rule.
  5. In the confirmation dialog box, click OK.