BlueApp for Palo Alto Networks Prisma Access Actions

The BlueApp for Palo Alto Networks Prisma Access provides a set of orchestration actions that you can use to modify your security policy, block files, and change alert statuses in your USM Anywhere environment. The following table lists the available actions from the BlueApp.

Actions for the BlueApp for Palo Alto Networks Prisma Access
| Action | Description |
| --- | --- |
| Add Tag to Address | Add a tag to an address. If the tag does not already exist, a new tag will be created and added. |
| Remove tag from Address | Remove a tag from an address. |
| Add Tag to Address Group | Add a tag to an address group. If the tag does not already exist, a new tag will be created and added. If the address group does not already exist, a new address group will be created and tagged. |
| Remove Tag from Address Group | Remove a tag from an address group. |
| Add Address to Address Group | Add an address to an address group. If the address group does not already exist, a new address group will be created and the address added to it. |
| Remove Address from Address Group | Remove an address from an address group. |

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed orchestration actions.

Launch Actions from Alarms, Events, Investigations, and Rules

You can launch an action directly from alarms or events. If you want to apply an action to similar events that occur in the future, you can also create orchestration rules directly from the action applied to an Alarm, Event, Investigation, or Rule.

To launch a Prisma Access response action for an Alarm, Event, Investigation, or Rule

  1. Go to Activity > Alarms, Activity > Events, Investigations, or Settings > Rules.
  2. Click the Alarm, Event, Investigation, or Rule to open the details.
  3. Click Select Action.
  4. In the Select Action dialog box, select Run Palo Alto Prisma Access Action.

  5. Select the app action and fill out the fields that appear below it.

  6. Click Run.

    After USM Anywhere initiates the action for an alarm or event, it displays a confirmation dialog box.

    If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar investigations, Create rule for similar alarms, Create rule for similar events, or Create rule for similar rules, and then define the new rule. If not, click OK.