AlienVault® USM Anywhere™

AlienApp for Microsoft Defender ATP Orchestration

The AlienApp for Microsoft Defender Advanced Threat Protection (ATP) provides a set of orchestration actions that you can use to respond to threats in the Defender ATP events forwarded to USM Anywhere from your Microsoft Azure Event Hubs instance.

As USM Anywhere surfaces events (any traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall), vulnerabilities, and alarms (notifications of an event or sequence of events that require attention or investigation), your team determines which items require a response action. Rather than manually tagging threats, you can use the AlienApp for Microsoft Defender ATP orchestration actions to enforce protection based on the information associated with the event or alarm.

Alarms for the AlienApp for Microsoft Defender ATP

Action: Quarantine a file
Response: Quarantines the file identified by the rule conditions, or the file in the selected event, and deletes it from the machine. The file name, file path, and SHA-1 hash of the file are displayed when this action is selected.

Action: Isolate Machine by ID
Response: Isolates the machine from the network, based on the machine identified in the event or rule conditions.

Action: Unisolate Machine by ID
Response: Releases a previously isolated machine, based on the machine identified in the event or rule conditions.

Action: Set Indicator of Compromise
Response: Sets an indicator (SHA-1 hash, SHA-256 hash, domain, IP address, or URL) so that Microsoft Defender raises an alert, blocks it, or allows it when the indicator is identified. When Set Indicator of Compromise is selected as the App Action, a Present Statistics link appears at the bottom of the Select Action page. Click the link to display detailed statistics for the Indicator Value Type entered.

Action: Start a Remote Scan
Response: Triggers either a quick or a full Microsoft Defender scan on the machine.
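The five actions in the table correspond to machine actions and indicator submissions in the public Microsoft Defender for Endpoint (formerly Defender ATP) API. The following is an added example, not code from the AlienApp or from USM Anywhere: it validates the inputs an orchestration rule would hand to each action (in particular, that an indicator value really is the SHA-1, SHA-256, IP address, domain, or URL it claims to be, and that a quarantine request carries a SHA-1 rather than a SHA-256) and builds the request body for each call. The endpoint paths, field names, and the SAMPLE_ALARM are taken from the public API documentation and constructed for this example; that the AlienApp issues exactly these calls is an assumption. Nothing here touches the network.

```python
"""Added example (not AlienApp or USM Anywhere code): build and validate the
Microsoft Defender for Endpoint API requests behind the five orchestration
actions. Paths and fields follow the public API for
api.securitycenter.microsoft.com; that the AlienApp uses exactly these calls
is an assumption. Each function returns (method, path, body) without sending."""
import ipaddress
import re
from urllib.parse import urlparse

SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
# Dot-separated labels of 1-63 chars, no leading/trailing hyphen, alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.IGNORECASE)

# The three outcomes the page lists for an indicator of compromise.
INDICATOR_ACTIONS = ("Alert", "Block", "Allowed")


def classify_indicator(value: str) -> str:
    """Map a raw indicator value to the Defender indicatorType, or raise ValueError."""
    v = value.strip()
    if SHA1_RE.match(v):
        return "FileSha1"
    if SHA256_RE.match(v):
        return "FileSha256"
    try:
        ipaddress.ip_address(v)  # accepts IPv4 and IPv6
        return "IpAddress"
    except ValueError:
        pass
    if DOMAIN_RE.match(v):
        return "DomainName"
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "Url"
    raise ValueError(f"not a SHA-1, SHA-256, IP address, domain or URL: {value!r}")


def is_valid_indicator(value: str) -> bool:
    try:
        classify_indicator(value)
        return True
    except ValueError:
        return False


def set_indicator(value, action, title, description, severity="High"):
    """Set Indicator of Compromise: POST /api/indicators."""
    if action not in INDICATOR_ACTIONS:
        raise ValueError(f"action must be one of {INDICATOR_ACTIONS}")
    body = {"indicatorValue": value.strip(), "indicatorType": classify_indicator(value),
            "action": action, "title": title, "description": description, "severity": severity}
    return "POST", "/api/indicators", body


def quarantine_file(machine_id, sha1, comment):
    """Quarantine a file: StopAndQuarantineFile accepts a SHA-1 only, consistent
    with the page showing the file's SHA-1 (not SHA-256) for this action."""
    if not SHA1_RE.match(sha1):
        raise ValueError("quarantine needs the file's SHA-1 hash (40 hex characters)")
    return "POST", f"/api/machines/{machine_id}/StopAndQuarantineFile", {"Comment": comment, "Sha1": sha1.lower()}


def isolate_machine(machine_id, comment, isolation_type="Full"):
    """Isolate Machine by ID: Full cuts all traffic, Selective keeps Defender/Outlook/Teams/Skype."""
    if isolation_type not in ("Full", "Selective"):
        raise ValueError("IsolationType must be Full or Selective")
    return "POST", f"/api/machines/{machine_id}/isolate", {"Comment": comment, "IsolationType": isolation_type}


def unisolate_machine(machine_id, comment):
    """Unisolate Machine by ID."""
    return "POST", f"/api/machines/{machine_id}/unisolate", {"Comment": comment}


def run_remote_scan(machine_id, comment, scan_type="Quick"):
    """Start a Remote Scan: Quick or Full Microsoft Defender scan."""
    if scan_type not in ("Quick", "Full"):
        raise ValueError("ScanType must be Quick or Full")
    return "POST", f"/api/machines/{machine_id}/runAntiVirusScan", {"Comment": comment, "ScanType": scan_type}


SAMPLE_ALARM = {  # constructed for this example; not a real USM Anywhere alarm
    "machine_id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
    "file_name": "invoice.exe",
    "file_path": r"C:\Users\jdoe\Downloads\invoice.exe",
    "sha1": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709",
    "remote_url": "https://c2.malicious-host.example/payload.bin",
}


def respond_to_alarm(alarm, comment="USM Anywhere orchestration action"):
    """Chain the three actions a rule would fire for a malicious download:
    quarantine the file, isolate the host, block the URL it contacted."""
    return [
        quarantine_file(alarm["machine_id"], alarm["sha1"], comment),
        isolate_machine(alarm["machine_id"], comment),
        set_indicator(alarm["remote_url"], "Block", f"USM: {alarm['file_name']}",
                      f"Seen at {alarm['file_path']}"),
    ]


if __name__ == "__main__":
    for method, path, body in respond_to_alarm(SAMPLE_ALARM):
        print(method, path, body)
```

The validation order matters: a 40-character hex string is classified as a SHA-1 before the domain or URL checks run, so a rule that accepts a free-text Indicator Value cannot accidentally submit a hash as a domain name, and a SHA-256 passed to the quarantine action is rejected up front rather than failing at the API.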

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > Integrations.
  2. Click the AlienApps tab.


  3. On the AlienApps page, click the AlienApp for Microsoft Defender Advanced Threat Protection tile.

  4. If you have more than one sensor, select the sensor where the AlienApp is enabled.
  5. Click the Actions tab to display information for the supported actions.
  6. Click the History tab to display information about the executed orchestration actions.