Configuring the BlueApp for Cisco Secure Endpoint

Role Availability Read-Only Investigator Analyst Manager

To use the BlueApp for Cisco Secure Endpoint in USM Anywhere, you first need to log in to Cisco Secure Endpoint to create the API credentials.

To get the API credentials from Cisco Secure Endpoint

Follow the Cisco documentation on how to create API credentials to obtain the third-party API client identification and API key.

Connecting the Cisco Secure Endpoint App in USM Anywhere

After you obtain the credentials, you must configure the connection within USM Anywhere.

To enable the AlienApp for Cisco Secure Endpoint

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled BlueApp.

    BlueApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the BlueApp API endpoints.

  6. In the EndPoint Host URL section, click the dropdown and select the appropriate URL for your region:

    • – North America region
    • – Asia Pacific, Japan, and China regions
    • – Europe region
  7. Enter your information into the following fields:

    • Client ID
    • API Key
  8. In the Event Type ID field, you can specify the event types (separated by a comma) you want the BlueApp for Cisco Secure Endpoint to collect.

    When the Event Type ID field is left blank, BlueApp for Cisco Secure Endpoint collects all event types. See the Cisco Secure Endpoint documentation for more details on event types.

  9. Click Save.
  10. Verify the connection.

    After USM Anywhere completes a successful connection to the Cisco Secure Endpoint Representational State Transfer (REST) APIs, a icon displays in the Health column.

    If the icon displays, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your Cisco Secure Endpoint connection.

Cisco Secure Endpoint Event Collection

Once the BlueApp for Cisco Secure Endpoint has been configured, you can choose to have USM Anywhere collect Cisco Secure Endpoint events from the app on an hourly basis.

To configure Cisco Secure Endpoint event collection

  1. Go to Settings > Scheduler.
  2. In the Job Scheduler, search for the Cisco Secure Endpoint app on the sensor it was deployed to.
  3. In the enabled column, click the icon for the inactive Cisco Secure Endpoint events job.

    The icon turns green and hourly event collection from Cisco Secure Endpoint is enabled.

    Job Scheduler Main Page

  4. (Optional.) Click the icon to customize the frequency of the event collection.