AlienVault® USM Anywhere™

Launching a Carbon Black Action from an Alarm

  Role Availability   Read-Only   Analyst   Manager

When you review the information in the Alarm Details, you can easily launch an action to send a request to Cb Response to isolate a compromised host. If you want to apply an action to similar events that occur in the future, you can also create an orchestration rule directly from the alarm.

Note: Before launching a Carbon Black response action, the AlienApp for Carbon Black must be enabled and configured. For more information, see Configuring the AlienApp for Carbon Black.

To launch a Carbon Black response action for an alarm

  1. Navigate to ACTIVITY > ALARMS.
  2. Click the alarm to open the alarm details.
  3. Click Select Action.

  4. In the Select Action dialog, select the Carbon Black tile.

    This displays the options for the selected response app.

  5. (Optional) If you have more than one sensor where the AlienApp for Carbon Black is enabled and configured, select the sensor that you want to use to execute the action.
  6. Choose the Location to be isolated.

    • Source — Use this option to isolate the source endpoint of the alarm.
    • Destination — Use this option to isolate the destination endpoint of the alarm.
    • Any — Use this option to let the system search for the Carbon Black endpoints using the IP addresses in the alarm and isolate those that are identified.

  7. Click Run.

    After USM Anywhere initiates the action, a confirmation dialog is displayed.

    If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms and define the new rule. If not, click OK.