AlienVault® USM Anywhere™

AlienApp™ for Carbon Black Orchestration

With the AlienApp for Carbon Black, USM Anywhere can send a request to Cb Response to isolate an endpoint instantly – through a user-executed action or an automated rule – to coordinate threat detection and response in a single action. The bidirectional capabilities of the AlienApp for Carbon Black enable USM Anywhere to incorporate data from Carbon Black (see Collecting Logs from Carbon Black) into its threat analysis and orchestrate response actions by passing compromised endpoints identified by USM Anywhere to Cb Response.

Important: Using the AlienApp for Carbon Black orchestration actions requires that the AlienApp is enabled on a deployed USM Anywhere Sensor with a configured integration to the Cb Response API. For more information, see Configuring the AlienApp for Carbon Black.

This capability requires the Cb Response product. It is not available if you use only the Cb Protection and/or Cb Defense products.

As USM Anywhere surfaces events (any traffic or data exchange detected by AlienVault products through a Sensor, or through external devices such as a firewall) and alarms (notifications of an event or sequence of events that require attention or investigation), your team determines which items require a response action. Rather than manually isolating an affected endpoint within Cb Response, you can use the AlienApp for Carbon Black orchestration actions to respond to threats identified in the event or alarm.

| Action | Function |
| --- | --- |
| Isolate hosts from an alarm | Run this app action directly from an alarm to send a request to Cb Response to isolate the associated endpoint(s). |
| Isolate hosts from an orchestration rule | Run this app action in an orchestration rule to send a request to Cb Response to isolate the associated endpoint(s) for future events that trigger the rule. |

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > Integrations.
  2. Click the AlienApps tab.

  3. On the AlienApps page, click the Carbon Black tile.

  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed orchestration actions.
