| Action | Description |
|---|---|
| Unquarantine Devices from Rule | This action unquarantines a VMware Carbon Black device from a rule. |
| Update Policy from Rule | This action updates a Carbon Black Cloud policy to a new policy from a rule. |
| Create a Note for an Alert | This action creates or deletes a note for an alert from an event, alarm, or rule. |
| Disable Bypass of Device | This action disables the bypass of a VMware Carbon Black device from an event or alarm. |
| Quarantine Devices | This action quarantines a specified device from an event or alarm. This action is not available on devices running a Linux operating system. |
| Create a Note for Threat | This action creates a note for a threat from an event, alarm, or rule. |
| Delete a Note from a Threat | This action deletes a note for a threat from an event or alarm. |
| Update Tags from Rule | This action adds tags to a threat from a rule. |
| Enable Bypass of Device | This action enables the bypass of a VMware Carbon Black device from an event or alarm. |
| Disable Bypass from Rule | This action disables the bypass of a VMware Carbon Black device from a rule. |
| Quarantine Devices from Rule | This action quarantines VMware Carbon Black devices from a rule. |
| Enable Bypass from Rule | This action enables the bypass of a VMware Carbon Black device from a rule. |
| Unquarantine Devices | This action unquarantines a specified quarantined device from an event or alarm. This action is not available on devices running a Linux operating system. |
| Delete a Note from an Alert | This action deletes a note for an alert from an event or alarm. |
| Update Tags | This action adds tags to a threat from an event or alarm. |
| Update Policy | This action moves VMware Carbon Black device to a new policy from an event or alarm. |
| Delete a Tag | This action deletes a tag for a threat from an event or alarm. |
- In USM Anywhere, go to Data Sources > BlueApps.
- Click the Available Apps tab.
- Search for the BlueApp, and then click the tile.
- Click the Actions tab to display information for the supported actions.
- Click the History tab to display information about the executed orchestration actions.
Launch Actions from Alarms and Events
You can launch an action directly from alarms or events. If you want to apply an action to similar events that occur in the future, you can also create orchestration rules directly from the action applied to an alarm or an event. To launch a Carbon Black Cloud response action for an Alarm or Event- Go to Activity > Alarms or Activity > Events.
- Click the alarm or event to open the details.
- Click Select Action.
- In the Select Action dialog box, select Run Carbon Black Cloud Action.
- Select the app action and fill out the fields that are populated below.
- Click Run. After USM Anywhere initiates the action for an alarm or event, it displays a confirmation dialog box. If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms or Create rule for similar events and define the new rule. If not, click OK.