Documentation Center
AlienVault® USM Anywhere™

Launching a Carbon Black Action from an Alarm

Role Availability Read-Only Analyst   Manager

When you review the information in the Alarm Details, you can easily launch an action to send a request to Cb Response to isolate a compromised host. If you want to apply an action to similar events that occur in the future, you can also create an orchestration rule directly from the alarm.

Note: Before launching a Carbon Black response action, the AlienApp for Carbon Black must be enabled and configured. See Configuring the AlienApp for Carbon Black for more information.

To launch a Carbon Black response action for an alarm

  1. Go to Activity > Alarms.
  2. Click the alarm to open the alarm details.
  3. Click Select Action.

    Click Select Action in the alarm details

  4. In the Select Action dialog box, select the Carbon Black tile.

    Select the Carbon Black response action to run for the alarm

    This displays the options for the selected response app.

  5. (Optional.) If you have more than one sensor where the AlienApp for Carbon Black is enabled and configured, select the sensor that you want to use to execute the action.
  6. Select the Location to be isolated.

    Set options to launch the Carbon Black response action for the alarm

    • Source: Use this option to isolate the source endpoint of the alarm.
    • Destination: Use this option to isolate the destination endpoint of the alarm.
    • Any: Use this option to let the system search for the Carbon Black endpoints using the IP addresses in the alarm and isolate those that are identified.
  7. Click Run.

    After USM Anywhere initiates the action, a confirmation dialog box displays:

    You can create a rule to launch a Carbon Black response action for similar alarms

    If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms and define the new rule. If not, click OK.