# Applying Actions to Alarms

<Icon icon="users" iconType="solid" /> Role Availability | ❌ Read-Only ❌ Investigator ✔️ Analyst ✔️ Manager

USM Anywhere enables you to respond to the <Tooltip tip="Alarms provide notification of an event or sequence of events that require attention or investigation.">alarm</Tooltip>. Use this button to associate the item with an <Tooltip tip="In USM Anywhere you can execute an action from alarms, events, and vulnerabilities to run a scan, get forensic information, or execute a response for a configured BlueApp.">action</Tooltip>. Depending on the USM Anywhere <Tooltip tip="Sensors are deployed into an on-premises, cloud, or multi-cloud environment to collect logs and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation.">Sensor</Tooltip> you have installed, you will see different actions:

* **Get** <Tooltip tip="Process and method of investigation, including the collection, recording, and analysis of events to discover the source of network attacks and other potentially malicious or harmful activities.">**Forensics**</Tooltip> **Information**: This option enables you to run predefined Linux and Windows scripts to get more information from the system. These scripts are already defined in USM Anywhere. The Basic, Moderate, and Full Forensic Info options get elemental, limited, and complete forensic information from assets, respectively. Keep in mind that the Full Forensic Info option takes more time because it includes all options. See [Scheduling a Forensics and Response Job](https://cybersecurity.att.com/documentation/usm-anywhere/alienapps-guide/forensics-response/log-collect-blueapp-forensics-resp.htm) for more information.
* **Scan (unauthenticated)**: You can launch an unauthenticated scan of an <Tooltip tip="An IP-addressable host, including but not limited to network devices, virtual servers, and physical servers.">asset</Tooltip>. See [Running Asset Scans](https://cybersecurity.att.com/documentation/usm-anywhere/user-guide/asset-management/asset-administration/running-asset-scan.htm) for more information.
* **Scan (authenticated)**: You can launch an <Tooltip tip="Authenticated scans are performed from inside the machine using a user account with appropriate privileges.">authenticated scan</Tooltip> of an asset. See [Performing Vulnerability Scans](https://cybersecurity.att.com/documentation/usm-anywhere/user-guide/vulnerability-assessment/perf-vulnerability-scans.htm) for more information.
* **Report Domain**: See [BlueApp for Cisco Umbrella Actions](https://cybersecurity.att.com/documentation/usm-anywhere/alienapps-guide/cisco-umbrella/actions-alienapp-cisco-umbrella.htm) for more information.
* **Agent Query**: You can run an agent query in response to any alarm. See for more information.
