When you review the information in the Alarm Details, you can easily launch an action to send a request to Cb Response to isolate a compromised host. If you want to apply an action to similar events that occur in the future, you can also create an orchestration rule directly from the alarm.
Note: Before launching a Carbon Black response action, the AlienApp for Carbon Black must be enabled and configured. For more information, see Configuring the AlienApp for Carbon Black .
To launch a Carbon Black response action for an alarm
- Navigate to ACTIVITY > ALARMS.
- Click the alarm to open the alarm details.
Click Select Action.
In the Select Action dialog, select the Carbon Black tile.
This displays the options for the selected response app.
- (Optional) If you have more than one sensor where the AlienApp for Carbon Black is enabled and configured, select the sensor that you want to use to execute the action.
Choose the Location to be isolated.
- Source — Use this option to isolate the source endpoint of the alarm.
- Destination — Use this option to isolate the destination endpoint of the alarm.
- Any — Use this option to let the system search for the Carbon Black endpoints using the IP addresses in the alarm and isolate those that are identified.
After USM Anywhere initiates the action, this displays a confirmation dialog.
If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms and define the new rule. If not, click OK.