
# BlueApp for Microsoft Defender ATP Actions

The BlueApp for Microsoft Defender Advanced Threat Protection (ATP) provides a set of orchestration actions that you can use to respond to threats forwarded from your Microsoft Azure Event Hubs.

As USM Anywhere surfaces <Tooltip tip="Any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall.">events</Tooltip>, vulnerabilities, and <Tooltip tip="Alarms provide notification of an event or sequence of events that require attention or investigation.">alarms</Tooltip>, your team determines which items require a response action. Rather than responding to each item by hand, you can use the BlueApp for Microsoft Defender ATP orchestration actions to enforce protection based on the information associated with the event or alarm. The following table lists the actions available from the BlueApp.

**Actions for the BlueApp for Microsoft Defender ATP**

| Action                                    | Description                                                                                                                                                                                                                                                                                                                                                                                   |
| ----------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Collect Alert from Microsoft Defender ATP | Run this action to collect alerts from Microsoft Defender ATP                                                                                                                                                                                                                                                                                                                                 |
| Initiate Remote Scan                      | Run this action to initiate a remote scan through Microsoft Defender ATP                                                                                                                                                                                                                                                                                                                       |
| Start Remote Scan                         | Run this action to start a full scan on the host, either from an event or alarm or from an orchestration rule                                                                                                                                                                                                                                                                                  |
| Set Indicator of Compromise               | Run this action to create a policy for an Indicator of Compromise (IOC) in response to a file, URL, or IP address.<br /><br />You can target your response to the IOC and create a rule to Allow, Block, or Report instances of the IOC.<br /><br />An IOC event or alarm generated by the BlueApp for Microsoft Defender ATP also contains a link to statistics on the details of the IOC. |
| Isolate Machine                           | Run this action to cut off the machine's network traffic (except the Defender ATP agent's own traffic) based on the details of the event or rule conditions                                                                                                                                                                                                                                    |
| Isolate a Machine using Rule              | Run this action to isolate a machine from an orchestration rule                                                                                                                                                                                                                                                                                                                               |
| Release a Machine                         | Run this action to release (unisolate) the machine based on the details of the event, alarm, or rule conditions                                                                                                                                                                                                                                                                               |
| Quarantine a File                         | Run this action to quarantine the file identified in the event, alarm, or rule and delete it from the machine.<br /><br />The file name, file path, and SHA1 of the file are displayed when this action is selected                                                                                                                                                                          |

Isolate Machine, Quarantine a File, and a Block rule for an IOC all change the state of the endpoint or of the Defender ATP tenant, so an orchestration rule that runs one of them automatically should match on specific conditions (the exact alarm type and host, for example) rather than broad ones.
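To make concrete what each action in the table does to the endpoint, here is an added example (it is not the BlueApp's or LevelBlue's code) that builds the Microsoft Defender for Endpoint REST API requests these actions most plausibly correspond to, without sending them. The mapping from each action name to an endpoint, the translation of the Allow/Block/Report rule choices to the API's Allowed/AlertAndBlock/Alert indicator actions, and the sample machine ID and hash are assumptions; the endpoint paths and body fields themselves are those of the public Defender for Endpoint API.

```python
# Added example, not the BlueApp's code: an offline model of the Microsoft Defender
# for Endpoint (formerly Defender ATP) REST calls that the table's actions plausibly
# map to. The action-to-endpoint mapping and IOC_ACTIONS are assumptions.
import ipaddress
import json
import re
import urllib.request
from urllib.parse import urlparse

API_BASE = "https://api.securitycenter.microsoft.com/api"  # public MDE API base
_HEX40 = re.compile(r"[0-9a-fA-F]{40}")
_HEX64 = re.compile(r"[0-9a-fA-F]{64}")

# The page's IOC rule choices mapped onto MDE indicator actions (assumed mapping).
IOC_ACTIONS = {"Allow": "Allowed", "Block": "AlertAndBlock", "Report": "Alert"}


def is_sha1(value):
    """True if value is a 40-hex-character SHA-1, the hash StopAndQuarantineFile takes."""
    return bool(_HEX40.fullmatch(value))


def classify_ioc(value):
    """Map a file hash (SHA-1/SHA-256), URL, or IP address to an MDE indicatorType."""
    if _HEX40.fullmatch(value):
        return "FileSha1"
    if _HEX64.fullmatch(value):
        return "FileSha256"
    try:
        ipaddress.ip_address(value)
        return "IpAddress"
    except ValueError:
        pass
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "Url"
    raise ValueError(f"not a file hash, URL, or IP address: {value!r}")


def build_request(action, comment, **params):
    """Return (method, url, body) for one action without sending anything.

    Every MDE response action requires a non-empty Comment; the USM Anywhere
    alarm or event ID is a good audit-trail value to put there.
    """
    if not comment:
        raise ValueError("MDE response actions require a non-empty Comment")
    machine = params.get("machine_id")
    if action == "Isolate Machine":
        # Full isolation drops everything except the Defender service channel;
        # Selective keeps Outlook, Teams, and Skype for Business reachable.
        body = {"Comment": comment, "IsolationType": params.get("isolation_type", "Full")}
        return "POST", f"{API_BASE}/machines/{machine}/isolate", body
    if action == "Release a Machine":
        return "POST", f"{API_BASE}/machines/{machine}/unisolate", {"Comment": comment}
    if action == "Start Remote Scan":
        body = {"Comment": comment, "ScanType": "Full"}
        return "POST", f"{API_BASE}/machines/{machine}/runAntiVirusScan", body
    if action == "Quarantine a File":
        sha1 = params["sha1"]
        if not is_sha1(sha1):  # a path or SHA-256 here would be rejected by the API
            raise ValueError("Quarantine a File needs the file's SHA-1")
        body = {"Comment": comment, "Sha1": sha1}
        return "POST", f"{API_BASE}/machines/{machine}/StopAndQuarantineFile", body
    if action == "Set Indicator of Compromise":
        value = params["value"]
        body = {
            "indicatorValue": value,
            "indicatorType": classify_ioc(value),
            "action": IOC_ACTIONS[params["rule"]],
            "title": params.get("title", "USM Anywhere IOC"),
            "description": comment,
            "severity": params.get("severity", "High"),
        }
        return "POST", f"{API_BASE}/indicators", body
    if action == "Collect Alert from Microsoft Defender ATP":
        return "GET", f"{API_BASE}/alerts", None
    raise ValueError(f"unknown action: {action}")


def send(request, bearer_token):
    """Send a built request with an Azure AD bearer token (needs network; not run offline)."""
    method, url, body = request
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {bearer_token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample values: the machine ID and hash below are made up.
    machine = "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
    for req in (
        build_request("Isolate Machine", "USM alarm 0001", machine_id=machine),
        build_request("Quarantine a File", "USM alarm 0001", machine_id=machine, sha1="a" * 40),
        build_request("Set Indicator of Compromise", "USM alarm 0001", value="198.51.100.23", rule="Block"),
    ):
        print(json.dumps(req, indent=2))
```

Keeping request construction separate from `send` lets you unit-test the validation (a file path or SHA-256 where the API wants a SHA-1, an unparseable IOC value, an empty comment) before anything touches the tenant. `send` needs a token for an Azure AD application that holds the matching Defender for Endpoint application permissions (Machine.Isolate, Machine.Scan, Machine.StopAndQuarantine, Ti.ReadWrite, Alert.Read.All); granting only the permissions for the actions you actually use keeps the blast radius of a leaked credential small.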

**To view information about these actions in USM Anywhere**

1. In USM Anywhere, go to **Data Sources > BlueApps**.
2. Click the **Available Apps** tab.
3. Search for the BlueApp, and then click the tile.
4. Click the **Actions** tab to display information for the supported actions.
5. Click the **History** tab to display information about the executed orchestration actions.

## Launch Actions from USM Anywhere

You can launch an action directly from alarms or events. If you want to apply an action to similar events that occur in the future, you can also [create orchestration rules](rules-alienapp-microsoft-defender-atp) directly from the action applied to an alarm or event.

**To launch a Microsoft Defender ATP orchestration action for an alarm or event**

1. Go to **Activity > Alarms** or **Activity > Events**.

2. Click the alarm or event to open the details.

3. Click **Select Action**.

4. In the Select Action dialog box, select the **Microsoft Defender ATP** tile.

5. For the App Action, select the action you want to launch.

   Additional fields are populated based on the action you selected. Fill out the fields the action requires.

   Depending on the action, you can target the alarm's source host or destination host.

6. Enter the Microsoft Defender ATP target the action applies to (for example, the machine to isolate or scan, or the file hash, URL, or IP address for an indicator of compromise).

7. Click **Run**.

   After USM Anywhere initiates the action for an alarm or event, it displays a confirmation dialog box.

   If you want to create a rule to apply the action to similar items that occur in the future, click **Create rule for similar alarms** or **Create rule for similar events** and [define the new rule](rules-alienapp-microsoft-defender-atp). If not, click **OK**.
