USM Anywhere™

AlienApp for Microsoft Defender ATP Orchestration

The AlienApp for Microsoft Defender Advanced Threat Protection (ATP) provides a set of orchestration actions that you can use to respond to threats forwarded from your Microsoft Azure Events Hub.

As USM Anywhere surfaces eventsAny traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall., vulnerabilities, and alarmsAlarms provide notification of an event or sequence of events that require attention or investigation., your team determines which items require a response action. Rather than manually tagging threats, you can use the AlienApp for Microsoft Defender ATP orchestration actions to enforce protection based on the information associated with the event or alarm. The following table lists the available actions from the AlienApp.

Actions for the AlienApp for Microsoft Defender ATP
Action Response

Start a Remote Scan

Start a full scan on the host.

Set Indicator of Compromise

Create a policy for an Indicator of Compromise (IOC) in response to File, URL, or IP address.

You can target your response to the IOC and create a rule to Allow, Block, or Report instances of the IOC.

An IOC event or alarm generated by AlienApp for Microsoft Defender ATP will also contain a link to get statistics on the details of the IOC.

Isolate Machine Cut off network traffic (except for the agent) based on the details of the event or rule conditions.
Release Machine Unisolates the machine based on the details of the event or rule conditions.
Quarantine a file

Quarantine the file that appears and delete it from the machine.

The file name, file path, and the SHA1 of the file are displayed when this action is selected.

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed orchestration actions.