Creating Cisco Umbrella Response Action Rules

Role Availability Read-Only Investigator Analyst Manager

The BlueApp for Cisco Umbrella allows you to create orchestration rules that automatically send suspicious domains to your Cisco Umbrella environment. There are four actions you can trigger with orchestration rules to report domains to Cisco Umbrella when matching events Any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall. or alarms Alarms provide notification of an event or sequence of events that require attention or investigation. occur:

  • Report by HTTP hostname on an event
  • Report by URL on an event
  • Report by Domain Name System (DNS) record on an event
  • Report names found on an alarm
Before you can create an orchestration rule that triggers one of these actions, the BlueApp for Cisco Umbrella must be enabled and configured for a deployed USM Anywhere Sensor. For more information, see Configuring the BlueApp for Cisco Umbrella.

All rules include a rule name and conditional expression. They can also include optional multiple occurrence and window length parameters. There are multiple methods for creating a new BlueApp for Cisco Umbrella orchestration rule in USM Anywhere:

  • On the Rules tab of the BlueApp page: This tab provides various tools that you can use to create and manage the orchestration rules that use the BlueApp for Cisco Umbrella actions. For easy rule creation, you can use a suggested rule as the basis for the new orchestration rule. This tab also provides a method to easily create a new rule based on your own matching criteria where the sensor and app are already selected, and displays all rules associated with the BlueApp so that you can easily enable or disable rules as needed.

  • From an Applied Response Action: You can automatically create a rule using the response action that you apply to an existing alarm or event. This makes it easy to set the matching conditions for the rule based on the existing item and use the same settings that you applied to that item.

    In the confirmation dialog box, click Create rule for similar alarms or Create rule for similar events.

    You can create a rule to launch a Cisco Umbrella response action for similar alarms

  • From the Rules page: The Rules page provides access to all of your orchestration rules. The Orchestration Rules list includes suppression rules, alarm rules, event rules, filtering rules, notification rules, and response action rules. You can create new rules using the specific matching conditions that you define, as well as edit, delete, and enable or disable rules. See Orchestration Rules for more information about managing orchestration rules.

    In the left navigation menu, go to Settings > Rules > Orchestration Rules. Then click Create Orchestration Rule > Response Action Rule to define the new rule.

    Create a new response action rule

Depending on your Cisco Umbrella configuration and how it processes the domain information, these actions will result in events that USM Anywhere retrieves through Cisco Umbrella log collection.