AlienVault® USM Anywhere™

AlienApp for Cisco Umbrella Orchestration

With the AlienApp for Cisco Umbrella, USM Anywhere can pass malicious domains to Cisco Umbrella instantly – through a user-executed action or an automated rule – to coordinate threat detection and response in a single action. The bidirectional capabilities of the AlienApp for Cisco Umbrella enable USM Anywhere to incorporate data from Cisco Umbrella (see Collecting Logs from Cisco Umbrella) into its threat analysis and orchestrate response actions by passing malicious domains identified by USM Anywhere to Cisco Umbrella.

Note: Cisco Umbrella provides the Enforcement API for the top (Platform) product package tier. If you are using the lowest (Professional) or mid (Insights) tier package, your Cisco Umbrella package does not support this type of integration. For more information about the Cisco Umbrella product packages, refer to their website.

Important: Using the AlienApp for Cisco Umbrella orchestration actions requires that the AlienApp is enabled on a deployed USM Anywhere Sensor with a configured integration to your Cisco Umbrella account. For more information, see Configuring the AlienApp for Cisco Umbrella for Orchestration.

As USM Anywhere surfaces events and alarms, your team determines which items require a response action. Rather than manually updating the domains list within Cisco Umbrella for enforcement purposes, you can use the AlienApp for Cisco Umbrella orchestration actions to enforce protection based on domains associated with the event or alarm.

In the table below, an alarm is a notification of an event or sequence of events that requires attention or investigation, and an event is any traffic or data exchange detected by AlienVault products through a Sensor or through external devices such as a firewall.

| Action | Function |
| --- | --- |
| Report names found on an alarm | Run this action to send the alarm information to your Cisco Umbrella environment. This action is available only when you launch an app action directly from an alarm. |
| Report by a HTTP hostname found on an event | Run this action to send the HTTP hostname associated with an event to your Cisco Umbrella environment. This action is available when you launch an app action in an orchestration rule. |
| Report by an URL found on an event | Run this action to send the URL associated with an event to your Cisco Umbrella environment. This action is available when you launch an app action in an orchestration rule. |
| Report by a DNS record found on an event | Run this action to send the DNS record associated with an event to your Cisco Umbrella environment. This action is available when you launch an app action in an orchestration rule. |

If the submitted domain passes validation (for example, it is unknown to Umbrella and safe to block), Cisco Umbrella adds it to a destination list associated with that custom integration and surfaces the item within the Umbrella dashboard as a custom security category.
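To make the three event-based actions concrete, the following added example (not USM Anywhere's or AlienVault's own code) reduces an HTTP hostname, a URL, or a DNS record from an event to the domain that gets reported, and builds the request body in the shape of the public Cisco Umbrella Enforcement API events call, which this page does not describe. The endpoint, field names, the `deviceVersion` string and the customer key are assumptions; the request is only constructed, never sent.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Assumed Enforcement API endpoint; the customer key is passed as a query parameter.
ENFORCEMENT_URL = "https://s-platform.api.opendns.com/1.0/events"


def domain_from_indicator(kind, value):
    """Reduce one of the three reportable event fields to a bare, normalised domain.

    kind is "http_hostname", "url" or "dns_record" (names chosen for this example).
    A URL without a scheme is still parsed correctly by prefixing "//".
    """
    if kind == "url":
        host = urlsplit(value if "://" in value else "//" + value).hostname
    elif kind in ("http_hostname", "dns_record"):
        host = value
    else:
        raise ValueError(f"unknown indicator kind {kind!r}")
    if not host:
        raise ValueError(f"no hostname found in {value!r}")
    return host.strip(".").lower()  # drop a trailing dot from DNS records, lower-case


def build_enforcement_event(kind, value, device_id, now=None):
    """Build the JSON body for one reported domain (field layout is an assumption)."""
    now = now or datetime.now(timezone.utc)
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.0Z")
    domain = domain_from_indicator(kind, value)
    # The API wants both the domain and a full URL; synthesise one for non-URL inputs.
    url = value if kind == "url" and "://" in value else f"http://{domain}/"
    return {
        "alertTime": ts, "eventTime": ts,
        "deviceId": device_id, "deviceVersion": "hypothetical-sensor-1.0",
        "dstDomain": domain, "dstUrl": url,
        "protocolVersion": "1.0a", "providerName": "Security Platform",
    }


def enforcement_request(customer_key, event):
    """Return the HTTP request a sender would issue (dry run: nothing is transmitted)."""
    return {
        "method": "POST",
        "url": f"{ENFORCEMENT_URL}?customerKey={customer_key}",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(event),
    }
```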

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to DATA SOURCES > INTEGRATIONS.
  2. Click the AlienApps tab.
  3. On the AlienApps page, click the Cisco Umbrella tile.
  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed orchestration actions.