AlienVault® USM Anywhere™

Creating Cisco Umbrella Response Action Rules

Role availability: Read-Only, Analyst, Manager

The AlienApp for Cisco Umbrella allows you to create orchestration rules that automatically send suspicious domains to your Cisco Umbrella environment. There are four actions you can trigger with orchestration rules to report domains to Cisco Umbrella when matching events (any traffic or data exchange detected by AlienVault products through a Sensor, or through external devices such as a firewall) or alarms (notifications of an event or sequence of events that require attention or investigation) occur.

  • Report by HTTP hostname on an event
  • Report by URL on an event
  • Report by DNS record on an event
  • Report names found on an alarm

Before you can create an orchestration rule that triggers one of these actions, the AlienApp for Cisco Umbrella must be enabled and configured for a deployed USM Anywhere Sensor. For more information, see Configuring the AlienApp for Cisco Umbrella for Orchestration.

All rules include a rule name and conditional expression. They can also include optional multiple occurrence and window length parameters. There are multiple methods for creating a new AlienApp for Cisco Umbrella orchestration rule in USM Anywhere.

  • On the Rules tab of the AlienApp page — This tab provides various tools that you can use to create and manage the orchestration rules that use the AlienApp for Cisco Umbrella actions. For easy rule creation, you can use a suggested rule as the basis for the new orchestration rule. This tab also provides a method to easily create a new rule based on your own matching criteria where the sensor and app are already selected, and displays all rules associated with the AlienApp so that you can easily enable/disable rules as needed.

  • From an Applied Response Action — You can automatically create a rule using the response action that you apply to an existing alarm or event. This makes it easy to set the matching conditions for the rule based on the existing item and use the same settings that you applied to that item.

    In the confirmation dialog, click Create rule for similar alarms or Create rule for similar events.

    You can create a rule to launch a Cisco Umbrella response action for similar alarms

  • From the Rules page — The Rules page provides access to all of your orchestration rules. The Orchestration Rules list includes suppression rules, alarm rules, filtering rules, notification rules, and response action rules. You can create new rules using the specific matching conditions that you define, as well as edit, delete, and enable/disable rules. For more information about managing orchestration rules, see Orchestration Rules.

    Navigate to SETTINGS > RULES and select Response Action Rules on the left navigation panel. Then click Create Response Action Rule to define the new rule.

    Create a new response action rule

Depending on your Cisco Umbrella configuration and how it processes the domain information, these actions will result in events that USM Anywhere retrieves through Cisco Umbrella log collection.
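To make the rule parameters above concrete (a conditional expression, an optional occurrence count, an optional window length, and the report-by-HTTP-hostname, report-by-URL and report-by-DNS-record actions), the following is an added illustrative example, not AlienVault or Cisco code and not the USM Anywhere rule syntax. It models a response action rule over a few constructed events: the rule fires only when its condition has matched the configured number of times within the window, and it then normalizes the domain that would be reported. The `Event` fields, the `ResponseActionRule` class and the constructed sample events are all assumptions for this example.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Deque, List, Optional
from urllib.parse import urlsplit


@dataclass
class Event:
    """Minimal stand-in for a collected event (assumed field names)."""
    timestamp: datetime
    event_name: str
    http_hostname: str = ""
    url: str = ""
    dns_rrname: str = ""


def normalize_domain(raw: str) -> Optional[str]:
    """Lower-case, strip a trailing dot, and reject values that are not domains
    (empty strings, single labels, bare IPv4 literals)."""
    d = raw.strip().lower().rstrip(".")
    if not d or "." not in d:
        return None
    if d.replace(".", "").isdigit():  # IPv4 literal, not a domain
        return None
    return d


def extract_domain(ev: Event, action: str) -> Optional[str]:
    """Pick the field that each report-by action would submit."""
    if action == "http_hostname":
        raw = ev.http_hostname
    elif action == "url":
        raw = urlsplit(ev.url).hostname or ""  # hostname only, no userinfo/port/path
    elif action == "dns_record":
        raw = ev.dns_rrname
    else:
        raise ValueError(f"unknown action: {action}")
    return normalize_domain(raw)


@dataclass
class ResponseActionRule:
    name: str
    condition: Callable[[Event], bool]   # the rule's conditional expression
    action: str                           # http_hostname | url | dns_record
    occurrences: int = 1                  # optional multiple-occurrence threshold
    window: timedelta = timedelta(minutes=5)  # optional window length
    _hits: Deque[datetime] = field(default_factory=deque, init=False, repr=False)

    def evaluate(self, ev: Event) -> Optional[str]:
        """Return the domain to report when the rule fires, else None."""
        if not self.condition(ev):
            return None
        self._hits.append(ev.timestamp)
        cutoff = ev.timestamp - self.window
        while self._hits and self._hits[0] < cutoff:  # drop matches outside the window
            self._hits.popleft()
        if len(self._hits) < self.occurrences:
            return None
        self._hits.clear()  # fire once per burst, then start counting again
        return extract_domain(ev, self.action)


def run_demo() -> List[str]:
    """Feed constructed events through two rules and collect reported domains."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    url_rule = ResponseActionRule(
        name="Report malware URL hosts",
        condition=lambda e: e.event_name == "Malware URL Request",
        action="url", occurrences=2, window=timedelta(minutes=5))
    dns_rule = ResponseActionRule(
        name="Report suspicious DNS names",
        condition=lambda e: e.event_name == "Suspicious DNS Query",
        action="dns_record")

    events = [  # constructed sample events
        Event(t0, "Malware URL Request", url="http://Evil.Example/dl"),
        Event(t0 + timedelta(minutes=1), "Malware URL Request",
              url="https://user:pw@evil.example:8443/p"),
        Event(t0 + timedelta(minutes=2), "Suspicious DNS Query", dns_rrname="C2.Example."),
        Event(t0 + timedelta(minutes=20), "Malware URL Request", url="http://evil.example/a"),
        Event(t0 + timedelta(minutes=30), "Malware URL Request", url="http://evil.example/b"),
    ]
    reported: List[str] = []
    for ev in events:
        for rule in (url_rule, dns_rule):
            domain = rule.evaluate(ev)
            if domain:
                reported.append(domain)
    return reported


if __name__ == "__main__":
    print(run_demo())
```

Walking through `run_demo()`: the first two URL events are one minute apart, so the second one satisfies the two-occurrence threshold and `evil.example` is reported once. The DNS rule has no threshold and reports `c2.example` immediately. The last two URL events are ten minutes apart, outside the five-minute window, so they never accumulate to two occurrences and nothing further is reported.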