Some exciting new features and functionality have been added to USM Anywhere, and there’s more to come! Three Advanced AlienApps have recently launched, and the platform’s new Custom App and Log Parser features give customers the ability to ingest logs from any third-party application.
You can keep up with our regular product releases by reading the release notes in the USM Anywhere Product Forum, and you can direct any questions or support issues to the AT&T Cybersecurity Success Center.
Ongoing AlienApps Refresh Project
Last year, we began an initiative to update and improve the functionality of all AlienApp integrations in the USM Anywhere platform. Since mid-2022, we have completed updates on the Sophos Central, Google Workspace, Microsoft 365, Okta, and SentinelOne AlienApps. Updates to the Qualys and CrowdStrike apps are currently underway. Our key goals in this refresh project are as follows:
Make the apps more operations-ready by significantly increasing the quality of our audit logs
Capture all return codes/values from the APIs to create more clarity and unlock automated playbooks in the future
Provide more clarity about the logs collected and the actions available with the app
Add more actions to apps where possible
Update apps to the latest versions of third-party APIs and authentication schemes
Support Gov Cloud versions of third-party APIs where they are supported
We expect to complete 5-8 app refreshes per quarter and will continue to provide updates to our customers on this project.
New in USM Anywhere
Custom Apps and Log Parsers
Great news – Custom apps and custom log parsers are now available to all customers. These two features allow customers to create their own API-driven log ingestion applications and create parsers for any S3 or syslog-driven log collection needs. Custom Apps allow you to configure your log data from any of your third-party applications and enable log collection, orchestration, and notification for your specific environment. You can find a video on the new Custom App feature here.
For additional information or assistance with configuring your Custom Apps or Custom Log Parsers, please visit the USM Documentation page or Intercom.
A note to our managed customers: The operations team is working to ensure this feature is set up to deliver a premium user experience for the AT&T SOC analysts and end users.
SOAR Playbooks
Playbooks are now in general availability! Playbooks streamline remediation by arming security analysts with quick and repeatable processes for addressing different alarm types. The fully customizable playbooks feature removes the need for analysts to reference documents or try to remember the steps they took to triage similar alarms several months ago. Once a playbook has been built and assigned to an alarm type, it can be selected when analysts encounter future alarms. With the click of a button, they can run their custom playbook to quickly execute the designed set of actions.
Playbooks combine several kinds of actions in one sequence: system actions such as adding an alarm to an investigation or changing alarm status, manual actions to be performed by the analyst, and AlienApp response actions supported by the apps installed in an instance. A playbook can be configured to appear for a single alarm type, for multiple alarm types, or for all alarms. Each action in the playbook is initiated manually by the user, so the analyst stays in control of every step while still being able to act on alarms quickly.
This video provides a basic walkthrough of the playbooks feature.
Advanced AlienApps
New Advanced AlienApps
Cisco Meraki – The Cisco Meraki Advanced AlienApp has been released and is now available in all USM instances for any Cisco Meraki customer to use. The app collects all event types from Meraki and supports response actions such as changing device network configuration and updating security policies. The app also performs asset discovery and syncs Meraki device inventory information with USM.
Sophos – The Sophos Advanced AlienApp has been improved to include the following response actions:
Lift isolation of an endpoint
Initiate scans
Isolate an endpoint
Turn on tamper protection for an endpoint
Run update checks
Turn off tamper protection for an endpoint
ServiceNow – You can now generate ServiceNow change requests within the USM Anywhere platform to streamline your incident response workflow. When threats and vulnerabilities are detected in USM Anywhere, you can open an incident ticket or a change request in ServiceNow, automatically or manually from an alarm or an investigation.
Visit our Documentation Center to get more information on how to deploy and configure these Advanced AlienApps.
AlienApps Coming Soon!
Cisco Duo – This AlienApp will let you import Cisco Duo users into USM Anywhere and collect events from the Duo cloud. Orchestration actions such as enabling and disabling Cisco Duo users and adding or removing users from a group will also be available, either manually or via an orchestration rule.
Cisco Firepower Manager – The Cisco Firepower Manager app will import events from Firepower Manager, whether in the cloud or on premises. You will be able to manage external block lists and add or remove a URL or IP from security policy groups through the orchestration actions or using an orchestration rule.
Platform Improvements
So far this year, we have released five Threat Feed Updates that include 105 improvements and 36 new elements. The releases include user interface improvements and parts of our AlienApp refresh including Google Workspace, Okta, Palo Alto Networks Panorama, Cisco Duo, SentinelOne, and many more.
Here are a few examples of improvements made:
We addressed an issue with Microsoft 365 where analysts received an alarm whenever a user reported an email as spam. This produced an excess of noisy alarms that were not actionable, since the end user had already completed the necessary response.
An adjustment to SentinelOne alarms allows for the suppression of malware detections that have been determined to be false positives or that have been auto-mitigated. While this helps to reduce noise, the primary goal of the improvement was to ensure alignment with a customer's pre-defined blacklist and to enable further scrutiny of how a malicious file was placed on an asset.
To proactively address the concerns about TikTok and the recent US policy change, we addressed a feature request to create a correlation rule that generates an alarm when activity is detected that indicates employee access to TikTok on a company network.
Please visit the Success Center for a full list of improvements, new elements, issues found, and tasks created.
Alien Labs Open Threat Exchange
Alien Labs Open Threat Exchange (OTX) is among the largest open threat intelligence communities in the world. More than 200,000 members contribute near-real-time threat intelligence to OTX, which is then enriched by AT&T Alien Labs. In March alone, Alien Labs generated over 100 OTX pulses to provide coverage for the latest threats and campaigns. You can go here to find out more about the new pulses or sign up to be part of the community.
Need More Information?
To have Release Notes emailed to you automatically, follow these steps:
1. Log in to the AT&T Cybersecurity Success Center.
2. Click on the announcement for the product you wish to follow.
3. Select the “Follow” button on the right-hand side.
4. Select the drop-down menu on the right-hand side and choose “Every Post” to enable receiving emails from leading security and IT tools.