With the BlueApp for Cisco Umbrella, USM Anywhere can pass malicious domains to Cisco Umbrella instantly — through a user-executed action or an automated rule — to coordinate threat detection and response in a single action. The bidirectional capabilities of the BlueApp for Cisco Umbrella enable USM Anywhere to incorporate data from Cisco Umbrella (see Collecting Logs from Cisco Umbrella) into its threat analysis and orchestrate response actions by passing malicious domains identified by USM Anywhere to Cisco Umbrella.

As USM Anywhere surfaces events and alarms, your team determines which items require a response action. Rather than manually updating the domains list within Cisco Umbrella for enforcement purposes, you can use the BlueApp for Cisco Umbrella orchestration actions to enforce protection based on domains associated with the event or alarm. The following table lists the available actions from the BlueApp.

Actions for the BlueApp for Cisco Umbrella

Action	Description
Report names found on an alarm Alarms provide notification of an event or sequence of events that require attention or investigation.	Run this action to send the alarm information to your Cisco Umbrella environment. This action is available only when you launch an app action directly from an alarm.
Report by a HTTP hostname found on an event Any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall.	Run this action to send the HTTP hostname associated with an event to your Cisco Umbrella environment. This action is available when you launch an app action in an orchestration rule.
Report by an URL found on an event	Run this action to send the URL associated with an event to your Cisco Umbrella environment. This action is available when you launch an app action in an orchestration rule.
Report by a DNS record found on an event	Run this action to send the DNS associated with an event to your Cisco Umbrella environment. This action is available when you launch an app action in an orchestration rule.

If it passes validation (for example, it’s unknown and safe to block), Cisco Umbrella adds it to a destination list associated with that custom integration and surfaces the item within the Umbrella dashboard as a custom security category.

To view information about these actions in USM Anywhere

1. In USM Anywhere, go to Data Sources > BlueApps.
2. Click the Available Apps tab.
3. Search for the BlueApp, and then click the tile.
4. Click the Actions tab to display information for the supported actions.
5. Click the History tab to display information about the executed orchestration actions.

Launch Actions from USM Anywhere

If you want to apply an action In USM Anywhere you can execute an action from alarms, events, and vulnerabilities to run a scan, get forensic information, or execute a response for a configured BlueApp. to similar events that occur in the future, you can also create orchestration rules directly from an action applied to an alarm, event, or vulnerability.

To launch a Cisco Umbrella orchestration action for an alarm or event

1. Go to Activity > Alarms or Activity > Events.
2. Click the alarm or event to open the details.

3. Click Select Action.

   

4. In the Select Action dialog box, select the Cisco Umbrella tile.

   

   This displays the options for the selected response app. It automatically sets the App Action to Report names found on an alarm.

   Additional fields will be populated based on the action you've selected. Fill out the necessary fields for the app action.

5. If you have more than one sensor installed, select the sensor where the BlueApp for Cisco Umbrella is enabled.

   

6. Click Run.

   After USM Anywhere initiates the action, it displays a confirmation dialog box.

   

   If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms or Create rule for similar events and define the new rule. If not, click OK.