USM Anywhere™

AlienApp for Cisco Umbrella Actions

With the AlienApp for Cisco Umbrella, USM Anywhere can pass malicious domains to Cisco Umbrella instantly — through a user-executed action or an automated rule — to coordinate threat detection and response in a single action. The bidirectional capabilities of the AlienApp for Cisco Umbrella enable USM Anywhere to incorporate data from Cisco Umbrella (see Collecting Logs from Cisco Umbrella) into its threat analysis and orchestrate response actions by passing malicious domains identified by USM Anywhere to Cisco Umbrella.

Note: For the AlienApp to send response actions, you must have a Cisco Umbrella package that supports the Enforcement API. See the vendor website for more information about the Cisco Umbrella product packages.

Important: Using the AlienApp for Cisco Umbrella orchestration actions requires that the AlienApp is enabled on a deployed USM Anywhere Sensor with a configured integration to your Cisco Umbrella account. See Configuring the AlienApp for Cisco Umbrella for more information.

As USM Anywhere surfaces events and alarms, your team determines which items require a response action. Rather than manually updating the domains list within Cisco Umbrella for enforcement purposes, you can use the AlienApp for Cisco Umbrella orchestration actions to enforce protection based on domains associated with the event or alarm. The following table lists the available actions from the AlienApp.

Actions for the AlienApp for Cisco Umbrella
Action Function

Report names found on an alarm Alarms provide notification of an event or sequence of events that require attention or investigation.

Run this action to send the alarm information to your Cisco Umbrella environment.

This action is available only when you launch an app action directly from an alarm.

Report by a HTTP hostname found on an event Any traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall.

Run this action to send the HTTP hostname associated with an event to your Cisco Umbrella environment.

This action is available when you launch an app action in an orchestration rule.

Report by an URL found on an event

Run this action to send the URL associated with an event to your Cisco Umbrella environment.

This action is available when you launch an app action in an orchestration rule.

Report by a DNS record found on an event

Run this action to send the DNS associated with an event to your Cisco Umbrella environment.

This action is available when you launch an app action in an orchestration rule.

If it passes validation (for example, it’s unknown and safe to block), Cisco Umbrella adds it to a destination list associated with that custom integration and surfaces the item within the Umbrella dashboard as a custom security category.

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed orchestration actions.

Launch Actions from USM Anywhere

If you want to apply an action In USM Anywhere you can execute an action from alarms, events, and vulnerabilities to run a scan, get forensic information, or execute a response for a configured AlienApp. to similar events that occur in the future, you can also create orchestration rules directly from an action applied to an alarm, event, or vulnerability.

To launch a Cisco Umbrella orchestration action for an alarm or event

  1. Go to Activity > Alarms or Activity > Events.
  2. Click the alarm or event to open the details.
  3. Click Select Action.

    Click Select Action in the alarm details

  4. In the Select Action dialog box, select the Cisco Umbrella tile.

    Select the Cisco Umbrella response action to run for the alarm

    This displays the options for the selected response app. It automatically sets the App Action to Report names found on an alarm.

    Additional fields will be populated based on the action you've selected. Fill out the necessary fields for the app action.

  5. If you have more than one sensor installed, select the sensor where the AlienApp for Cisco Umbrella is enabled.

    Select the sensor and run the app response action

  6. Click Run.

    After USM Anywhere initiates the action, it displays a confirmation dialog box.

    You can create a rule to launch a Cisco Umbrella response action for similar alarms

    If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms or Create rule for similar events and define the new rule. If not, click OK.