BlueApp for Zscaler Actions

The BlueApp for Zscaler provides a set of orchestration actions that you can use to identify and categorize items to block in response to threats identified by USM Anywhere, and to add those items to the lists maintained in your Zscaler Internet Access (ZIA) tenant.

As USM Anywhere surfaces events, vulnerabilities, and alarms, your team determines which items require a response action. Rather than manually tagging threats, you can use the BlueApp for Zscaler orchestration actions to enforce protection based on the source or destination associated with the event or alarm. The following table lists the actions available from the BlueApp.

Actions for the BlueApp for Zscaler

Add Items to Block List from Event/Alarm
  Run this action to add the source or destination of an event or alarm to the Zscaler blocked list, restricting its access.

Add Items to Allowed List Using Event/Alarm
  Run this action to add the source or destination of an event or alarm to the Zscaler allowed list, granting it authorized access.

Remove Items from Allowed List Using Event/Alarm
  Run this action to remove the source or destination of an event or alarm from the allowlist.

Add to Custom Category
  Run this action to add the source or destination of an event or alarm to a Zscaler custom category. Typing a category name brings up autocomplete suggestions of existing categories.

  When you select this action, the Select Action window also displays two additional links at the bottom of the window:

  • Click Search for existing categories to see whether the IP address is currently associated with any categories.
  • Click URL Lookup to obtain further information about the IP address, such as the type of address and whether Zscaler has any registered security alerts associated with it.

Remove Items from Block List from Event/Alarm
  Run this action to remove the source or destination of an event or alarm from the blocked list, restoring its access.

Add Items to Allowed List Using Rule
  Run this action to add items to the allowlist using a rule, granting them authorized access.

Remove Items from Allowed List
  Run this action to remove items from the allowlist using a rule.

Remove Items from Allowed List Using Vulnerability
  Run this action to remove items from the allowlist using a vulnerability.

Add Items to Block List Using Rule
  Run this action to add items to the blocked list using a rule, restricting their access.

Add Items to Allowed List Using Vulnerability
  Run this action to add items to the allowlist using a vulnerability.

Add Items to Block List Using Vulnerability
  Run this action to add items to the blocked list using a vulnerability, restricting their access.

Remove Items from Blocked List Using Rule
  Run this action to remove items from the blocked list using a rule.

Remove Items from Blocked List Using Vulnerability
  Run this action to remove items from the blocked list using a vulnerability.

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed orchestration actions.

Launch Actions from USM Anywhere

You can launch an action directly from alarms or events. If you want to apply an action to similar events that occur in the future, you can also create orchestration rules directly from the action applied to an alarm or event.

To launch a Zscaler orchestration action for an alarm or event

  1. Go to Activity > Alarms or Activity > Events.
  2. Click the alarm or event to open the details.
  3. Click Select Action.

  4. In the Select Action dialog box, select the Zscaler tile.

  5. For the App Action, select the action you want to launch.

    You can launch an action to add an IP address to or remove it from the allowed list, add it to or remove it from the blocked list, or add it to a custom category. An address on the allowed list bypasses ZIA blocking, so confirm that the address is not attacker-controlled before running an allowed-list action, and check that a blocked-list candidate is not an internal host or a shared service your users depend on.

    Additional fields appear based on the action you selected. Fill out the fields required for that app action.

  6. Click Run.

    After USM Anywhere initiates the action for an alarm or event, it displays a confirmation dialog box.

    If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms or Create rule for similar events and define the new rule. If not, click OK.
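The procedure above, and any orchestration rule created from it, leaves one decision to the analyst: which side of the event to block, and whether that address is safe to block at all. The following Python is an added example, not code from USM Anywhere or the BlueApp, that models that check before a blocked-list change is sent. The event field names (source_address, destination_address), the organisation's protected egress range, and the ZIA API path and body shape are assumptions; verify them against your own event data and your tenant's ZIA API reference.

```python
"""Guard logic for pushing an event's source or destination to a ZIA block list.

Added example; not BlueApp or USM Anywhere code. Models the analyst's decision
behind "Add Items to Block List from Event/Alarm" so that an automated rule
cannot push an internal or organisation-owned address to the block list.
"""
import ipaddress

# Constructed sample event. Field names are assumed, not USM Anywhere's schema.
# 203.0.113.0/24 is a documentation range standing in for an external host.
SAMPLE_EVENT = {
    "event_name": "Outbound connection to suspicious host",
    "source_address": "10.20.30.40",
    "destination_address": "203.0.113.77",
    "destination_port": 443,
}

# Networks that must never reach a block list, even from an automated rule:
# RFC 1918 space plus the organisation's own public egress (assumed range).
NEVER_BLOCK = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("198.51.100.0/24"),  # assumed: org's NAT egress
]

# Assumed ZIA API path; confirm against your tenant's API reference.
BLOCKLIST_PATH = "/api/v1/security/advanced/blacklistUrls"


def select_indicator(event, side):
    """Return the address on the requested side of the event.

    side is "source" or "destination", mirroring the choice the BlueApp
    action asks for.
    """
    key = {"source": "source_address", "destination": "destination_address"}[side]
    return event[key]


def is_blockable(addr):
    """Return False for anything that is not a routable external IP address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostnames and URLs need a separate review path
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified or ip.is_reserved:
        return False
    return not any(ip in net for net in NEVER_BLOCK)


def plan_blocklist_change(event, side, current_list, remove=False):
    """Build the ZIA request for adding or removing the chosen indicator.

    current_list is the tenant's existing blocked list, used to avoid
    sending no-op changes. Returns (method, path, body) or None when the
    change should not be sent.
    """
    indicator = select_indicator(event, side)
    already_listed = indicator in current_list
    if remove:
        if not already_listed:
            return None
        action = "REMOVE_FROM_LIST"
    else:
        if already_listed or not is_blockable(indicator):
            return None
        action = "ADD_TO_LIST"
    body = {"blacklistUrls": [indicator]}
    return ("PUT", f"{BLOCKLIST_PATH}?action={action}", body)


if __name__ == "__main__":
    # Blocking the internal source is refused; blocking the destination proceeds.
    print(plan_blocklist_change(SAMPLE_EVENT, "source", []))
    print(plan_blocklist_change(SAMPLE_EVENT, "destination", []))
```

Run the guard in the path of any orchestration rule that adds to the blocked list; the event-driven action still needs the analyst to pick the side, but the rule form does not, and an unguarded rule can block your own egress or an internal server. ZIA also requires a configuration activation after list changes before they take effect, so the returned request is the change, not the whole workflow.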