Important: To protect against unintended consequences, BlueApp for Cisco Secure Endpoint only isolates single hosts; running the action against events or alarms with multiple hosts will not isolate any hosts.
| Action | Description | 
|---|---|
| Isolate Hosts Using FileHash | Run this action to isolate a host based on the FileHash identified. | 
| Isolate Hosts Using Source IP | Run this action to isolate a host based on the source IP address identified. | 
| Isolate Hosts Using Destination IP | Run this action to isolate a host based on the destination IP address identified. | 
| Unisolate Hosts Using FileHash | Run this action to unisolate a host based on the FileHash identified. | 
| Unisolate Hosts Using Source IP | Run this action to unisolate a host based on the source IP address identified. | 
| Unisolate Hosts Using Destination IP | Run this action to unisolate a host based on the destination IP address identified. | 
Note: Before launching a Cisco Secure Endpoint response action or creating a Cisco Secure Endpoint response action rule, the BlueApp for Cisco Secure Endpoint must be enabled and connected to your Cisco Secure Endpoint instance. See Configuring the BlueApp for Cisco Secure Endpoint for more information.
- In USM Anywhere, go to Data Sources > BlueApps.
- Click the Available Apps tab.
- Search for the BlueApp, and then click the tile.
- Click the Actions tab to display information for the supported actions.
- Click the History tab to display information about the executed orchestration actions.
Launch Actions from USM Anywhere
If you want to apply an action to similar events that occur in the future, you can also create orchestration rules directly from an action applied to an alarm, event, or vulnerability.

To launch a Cisco Secure Endpoint response action for an alarm, event, or vulnerability:

- Go to Activity > Alarms, Activity > Events, or Environment > Vulnerabilities.
- Click the alarm, event, or vulnerability to open the details.
- Click Select Action.
- In the Select Action dialog box, select Run Cisco Secure Endpoint Action. Additional fields will be populated based on the action you’ve selected. Fill out the necessary fields for the app action.
- Modify the information for the action for the following fields:
  - Sensor
  - App Action
- Click Run. After USM Anywhere initiates the action for an alarm or event, it displays a confirmation dialog box. If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms or Create rule for similar events and define the new rule. If not, click OK.