With the BlueApp for Cisco Umbrella, USM Anywhere can pass malicious domains to Cisco Umbrella instantly — through a user-executed action or an automated rule — to coordinate threat detection and response in a single action. The bidirectional capabilities of the BlueApp for Cisco Umbrella enable USM Anywhere to incorporate data from Cisco Umbrella (see Collecting Logs from Cisco Umbrella) into its threat analysis and orchestrate response actions by passing malicious domains identified by USM Anywhere to Cisco Umbrella.
Note: For the BlueApp to send response actions, you must have a Cisco Umbrella package that supports the Enforcement API. See the vendor website for more information about the Cisco Umbrella product packages.
Important: Using the BlueApp for Cisco Umbrella orchestration actions requires that the BlueApp is enabled on a deployed USM Anywhere Sensor with a configured integration to your Cisco Umbrella account. See Configuring the BlueApp for Cisco Umbrella for more information.
As USM Anywhere surfaces events and alarms, your team determines which items require a response action. Rather than manually updating the domains list within Cisco Umbrella for enforcement purposes, you can use the BlueApp for Cisco Umbrella orchestration actions to enforce protection based on domains associated with the event or alarm. The following table lists the available actions from the BlueApp. Actions for the BlueApp for Cisco Umbrella
ActionDescription
Report names found on an alarmRun this action to send the alarm information to your Cisco Umbrella environment.

This action is available only when you launch an app action directly from an alarm.
Report by a HTTP hostname found on an eventRun this action to send the HTTP hostname associated with an event to your Cisco Umbrella environment.

This action is available when you launch an app action in an orchestration rule.
Report by an URL found on an eventRun this action to send the URL associated with an event to your Cisco Umbrella environment.

This action is available when you launch an app action in an orchestration rule.
Report by a DNS record found on an eventRun this action to send the DNS associated with an event to your Cisco Umbrella environment.

This action is available when you launch an app action in an orchestration rule.
If it passes validation (for example, it’s unknown and safe to block), Cisco Umbrella adds it to a destination list associated with that custom integration and surfaces the item within the Umbrella dashboard as a custom security category. To view information about these actions in USM Anywhere
  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed orchestration actions.

Launch Actions from USM Anywhere

If you want to apply an to similar events that occur in the future, you can also create orchestration rules directly from an action applied to an alarm, event, or vulnerability. To launch a Cisco Umbrella orchestration action for an alarm or event
  1. Go to Activity > Alarms or Activity > Events.
  2. Click the alarm or event to open the details.
  3. Click Select Action.
  4. In the Select Action dialog box, select the Cisco Umbrella tile.
  5. If you have more than one sensor installed, select the sensor where the BlueApp for Cisco Umbrella is enabled.
  6. Click Run. After USM Anywhere initiates the action, it displays a confirmation dialog box.
    If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms or Create rule for similar events and define the new rule. If not, click OK.