BlueApp for Sophos Central Actions

The BlueApp for Sophos Central provides a set of orchestration actions that you can use to integrate your BlueApp for Sophos Central in your USM Anywhere environment. The following table lists the available actions from the BlueApp.

Actions for the BlueApp for Sophos Central
| Action | Description |
| --- | --- |
| Lift Isolation of Endpoint | Run this action to lift the isolation of an endpoint from alarms, events, and investigations |
| Initiate Scans | Run this action to initiate scans from alarms, events, and investigations |
| Isolation of Endpoint | Run this action to isolate an endpoint from alarms, events, and investigations |
| Turn On Tamper-Protection for Endpoint | Run this action to turn on tamper protection for an endpoint from alarms, events, and investigations |
| Update Checks | Run this action to update checks from alarms, events, and investigations |
| Turn Off Tamper-Protection for Endpoint | Run this action to turn off tamper protection for an endpoint from alarms, events, and investigations |

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed orchestration actions.

Launch Actions from Alarms, Events, or Investigations

You can launch an action directly from alarms, events, or investigations. If you want to apply an action to similar events that occur in the future, you can also create orchestration rules directly from the action applied to an alarm, event, or investigation.

To launch a BlueApp for Sophos Central response action for an alarm, event, or investigation

  1. Go to Activity > Alarms, Activity > Events, or Investigations.
  2. Click the alarm, event, or investigation to open the details.
  3. Click Select Action.
  4. In the Select Action dialog box, select Run BlueApp for Sophos Central Action.

  5. Select the app action and fill out the fields that are populated below.

  6. Click Run.

    After USM Anywhere initiates the action for an alarm, event, or investigation, it displays a confirmation dialog box.

    If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar investigations, Create rule for similar alarms, or Create rule for similar events and define the new rule. If not, click OK.