| Action | Description | 
|---|---|
| Add Address to Address Group | Run this action to add the source, destination, or custom address to a group in your Panorama environment. If the group doesn’t exist in Panorama, it will be created by the action from USM Anywhere. | 
| Remove Address from Address Group | Run this action to remove the source, destination, or custom address to a group in your Panorama environment. | 
| Add Tag to Address | Run this action to add a Panorama tag to an address. You can select either an existing tag from Panorama, or create a new one. | 
| Add Tag to Address Group | Run this action to add a Panorama tag to an address group. You can select either an existing tag from Panorama, or create a new one. | 
| Add Address to URL Category | Run this action to add a source or destination address to a Palo Alto Networks Panorama URL category to allow, alert, or block the URL based on the selected existing profile. You can include optional pre-rule or post-rule policies that are based on your Panorama policy profiles. If you select an Associated Profile in the action, the user will receive an alert if the policy is violated. | 
| Add IP to External Block List | Run this action to add an IP address to the Palo Alto Networks Panorama external block list. | 
| Add Domain to External Block List from Event/Alarm | Run this action to add a domain to the Palo Alto Networks Panorama external block list from an event or alarm to restrict their access. | 
| Add Domain to External Block List | Run this action to add a domain to the Palo Alto Networks Panorama external block list to restrict their access. | 
| Add Domain to External Block List from Rule | Run this action to add a domain to the Palo Alto Networks Panorama external block list from a rule to restrict their access. | 
| Add Domain to External Block List from Orchestration Rule | Run this action to add a domain to the Palo Alto Networks Panorama external block list from an orchestration rule to restrict their access. | 
| Add IP Address to External Block List from Event/Alarm | Run this action to add an IP address to an external block list from an event or alarm to restrict their access. | 
| Add IP Address to External Block List from Orchestration Rule | Run this action to add an IP address to an external block list from an orchestration rule to restrict their access. | 
| Add URL to External Block List | Run this action to add a URL to the Palo Alto Networks Panorama external block list. | 
- In USM Anywhere, go to Data Sources > BlueApps.
- Click the Available Apps tab.
- Search for the BlueApp, and then click the tile.
- Click the Actions tab to display information for the supported actions.
- Click the History tab to display information about the executed orchestration actions.
Launch Actions from USM Anywhere
When you review the information in the Alarm Details, Event Details, or Vulnerability Details, you can easily launch an action to send a request to your connected Panorama instance to add source or destination IP address information to an existing Panorama group. If you want to apply an action to similar events that occur in the future, you can also create orchestration rules directly from an action applied to an alarm, event, or vulnerability. To launch a Panorama response action for an alarm, event, or vulnerability- Go to Activity > Alarms, Activity > Events, or Environment > Vulnerabilities.
- Click the alarm, event, or vulnerability to open the details.
- Click Select Action.
- In the Select Action dialog box, select Run Panorama Action.
- Select the app action and fill out the fields that are populated in the window.
- Click Run. After USM Anywhere initiates the action for an alarm or event, it displays a confirmation dialog box. If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms or Create rule for similar events and define the new rule. If not, click OK.
External Block List
The external block lists for IP addresses, domains, and URLs, are all contained in the BlueApp for Palo Alto Networks Panorama page (Data Sources > AlienApps > Palo Alto Panorama). For each tab, you can see the list of all the items on the block list, and you can remove individual items by clicking the icon next to the item. Each tab also contains these buttons above the list:- Add: Opens a dialog box to add an IP address, domain, or URL to the list.
- Import: Opens a dialog box to import a text file to import a list of IP addresses, domains, or URLs to the list. This enables you to take your copied block list from another sensor and apply it to the current sensor.
- Export: Exports the entire IP address, domain, or URL list as a downloadable .txt file. This enables you to copy your block list to another sensor.
- Clear: Clears the entire IP address, domain, or URL list.