| Action | Description | 
|---|---|
| Add Address to Static URL Filter | Run this action to add the source or destination address to a static URL filter in your FortiManager environment | 
| Add Address to Address Group | Run this action to add the destination address to a group in your FortiManager environment. If the group entered doesn’t exist in FortiManager, it will be created by the action from USM Anywhere. | 
| Add to Custom Category | Run this action to add an address to a group in your FortiManager environment | 
| Add Category to External Block List | Run this action to add items to an external block list using a custom category as a filter | 
| Add Domain to External Block List | Run this action to add a domain to an external block list to restrict its access | 
| Add IP Address to External Block List | Run this action to add an IP address into an external block list to restrict its access | 
| Add IP Address to External Block List | Run this action to add an IP address to an external block using a predefined rule to restrict its access | 
| Get External Block List | Run this action to retrieve the external block list | 
- In USM Anywhere, go to Data Sources > BlueApps.
- Click the Available Apps tab.
- Search for the BlueApp, and then click the tile.
- 
From here, you can click one of the following tabs to display more information.
- Actions:Displays information regarding the supported BlueApps actions.
- History:Displays information about the executed actions.
- Block List-IP Address: Displays the IP addresses in the external block list and enables you to modify them.
- Block List-Domain: Displays the domains in the external block list and enables you to modify them.
- Block List-Category: Displays the categories in the external block list and enables you to modify them.
 
Launch Actions from USM Anywhere
When you review the information in the Alarm Details, Event Details, or Vulnerability Details, you can easily launch an action to send a request to your connected FortiManager instance to add source or destination IP information from the event to existing FortiManager ADOMs. If you want to apply an action to similar events that occur in the future, you can also create orchestration rules directly from an action applied to an alarm, event, or vulnerability. To launch a FortiManager response action for an alarm, event, or vulnerability- Go to Activity > Alarms, Activity > Events, or Environment > Vulnerabilities.
- Click the alarm, event, or vulnerability to open the details.
- Click Select Action.
- In the Select Action dialog box, select Run FortiManager Action.
- Select the app action and fill out the fields that are populated below.
- Click Run. After USM Anywhere initiates the action for an alarm or event, it displays a confirmation dialog box. If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms or Create rule for similar events and define the new rule. If not, click OK.
External Block List
The external block lists for IP addresses, domains, and categories, are all contained in the BlueApp for Fortinet FortiManager page (Data Sources > AlienApps > Fortinet FortiManager). For each tab, you can see the list of all the items on the block list, and you can remove individual items by clicking the icon next to the item. Each tab also contains three buttons above the list:- Add: Opens a dialog box to add an IP address, domain, or category to the list.
- Import: Opens a dialog box to import a text file to import a list of IP addresses, domains, or categories to the list. This enables you to take your copied block list from another sensor and apply it to the current sensor.
- Export: Exports the entire IP address, domain, or category list as a downloadable .txt file. This enables you to copy your block list to another sensor.
- Clear: Clears the entire IP address, domain, or category list.
