Skip to main content
With the BlueApp for Carbon Black EDR, USM Anywhere can send a request to Carbon Black EDR to isolate an endpoint instantly — through a user-executed action or an automated rule — to coordinate threat detection and response in a single action. The bidirectional capabilities of the BlueApp for Carbon Black EDR enable USM Anywhere to incorporate data from Carbon Black (see Collecting Logs from Carbon Black EDR) into its threat analysis and orchestrate response actions by passing compromised endpoints identified by USM Anywhere to Carbon Black EDR.
Important: Using the BlueApp for Carbon Black EDR orchestration actions require that the BlueApp is enabled on a deployed USM Anywhere Sensor with a configured integration to the Carbon Black EDR API. See Configuring the BlueApp for Carbon Black EDR for more information.
As USM Anywhere surfaces and , your team determines which items require a response action from the BlueApp for Carbon Black EDR. Rather than manually isolating an affected endpoint within Carbon Black EDR, you can use the orchestration actions to respond to threats identified in the event or alarm. The following table lists the available actions from the BlueApp. Actions for the BlueApp for Carbon Black EDR
ActionDescription
Isolate Hosts from AlarmRun this action directly from an alarm to send a request to Carbon Black EDR to isolate the associated endpoint(s)
Isolate Hosts from Orchestration RuleRun this action in an orchestration rule to send a request to Carbon Black EDR to isolate the associated endpoint(s) for future events that trigger the rule
Isolate Hosts from Orchestration RuleRun this action in an orchestration rule to send a request to Carbon Black EDR to isolate the associated endpoint(s) for future events that trigger the rule
To view information about these actions in USM Anywhere
  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed orchestration actions.

Launch Actions from USM Anywhere

If you want to apply an to similar events that occur in the future, you can also create orchestration rules directly from an action applied to an alarm, event, or vulnerability.
Note: Before launching a Carbon Black EDR action, the BlueApp for Carbon Black EDR must be enabled and configured. See Configuring the BlueApp for Carbon Black EDR for more information.
To launch a Carbon Black EDR action for an alarm
  1. Go to Activity > Alarms.
  2. Click the alarm to open the alarm details.
  3. Click Select Action.
  4. In the Select Action dialog box, select the Carbon Black tile. This displays the options for the selected response app.
  5. (Optional) If you have more than one sensor where the BlueApp for Carbon Black EDR is enabled and configured, select the sensor that you want to use to execute the action.
  6. Select the Location to be isolated.
  7. Click Run. After USM Anywhere initiates the action, a confirmation dialog box displays:
    If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms and define the new rule. If not, click OK.
I