Configuring the BlueApp for Cisco Umbrella

Role Availability Read-Only Investigator Analyst Manager

When the BlueApp for Cisco Umbrella is connected to your Cisco Umbrella environment, you can launch app actions and create orchestration rules to send data from USM Anywhere to Cisco Umbrella. See BlueApp for Cisco Umbrella Actions for more information about the orchestration actions supported by the BlueApp for Cisco Umbrella.

For example, you might create a rule where USM Anywhere automatically sends the URLs of suspicious domains that it identifies to Cisco Umbrella. See Creating Cisco Umbrella Response Action Rules for information about adding these types of orchestration rules for the BlueApp.

Note: To fully integrate USM Anywhere with your Cisco Umbrella implementation, you should also have the Cisco Umbrella log collection enabled so that USM Anywhere can retrieve and normalize raw log data from Cisco Umbrella. See Collecting Logs from Cisco Umbrella for information about raw log data retrieval.

Creating a Cisco Umbrella Integration

Before you can use the Cisco Umbrella orchestration actions within USM Anywhere, you must establish an integration point in your Cisco Umbrella console to be used by USM Anywhere.

Note: You must have a Cisco Umbrella package that supports the Enforcement API.

To add an integration in Cisco Umbrella

  1. Open your Cisco Umbrella dashboard and go to Policies > Policy Components > Integrations.
  2. At the top of the page, click the icon.
  3. Add a name for the custom integration, and click Create.
  4. Click the new custom integration to expand it and display the details.
  5. Select the Enable checkbox.
  6. Copy the customer key value displayed in the integration URL to be entered in USM Anywhere.

    In the following example, the value to copy is e2f5d5f7-3c02-4665-460c-3fb2bd9a9ec4:

    https://s-platform.api.opendns.com/1.0/events?customerKey=e2f5d5f7-3c02-4665-460c-3fb2bd9a9ec4

  7. Click Save.
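
The following is an added example, not part of the original documentation or the product: it extracts the customerKey from the integration URL copied in step 6, checks it before it is pasted into USM Anywhere, and masks it for notes or logs. The function names and the UUID-shaped key format (inferred from the example value on this page) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Host and path taken from the integration URL shown on this page.
EXPECTED_HOST = "s-platform.api.opendns.com"
EXPECTED_PATH = "/1.0/events"
# Assumption: keys are UUID-shaped (8-4-4-4-12 hex), like the page's example.
KEY_SHAPE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I
)


def extract_customer_key(integration_url: str) -> str:
    """Return the customerKey from an integration URL, or raise ValueError."""
    parts = urlsplit(integration_url.strip())
    if parts.scheme != "https":
        raise ValueError("integration URL must use https")
    if parts.hostname != EXPECTED_HOST or parts.path != EXPECTED_PATH:
        raise ValueError("not an Enforcement API events URL")
    values = parse_qs(parts.query).get("customerKey", [])
    if len(values) != 1:
        raise ValueError("expected exactly one customerKey parameter")
    key = values[0].strip()
    if not KEY_SHAPE.fullmatch(key):
        raise ValueError("customerKey is not in the expected 8-4-4-4-12 form")
    return key


def mask_key(key: str) -> str:
    """Keep only the last four characters so the key can appear in notes or logs."""
    return "*" * (len(key) - 4) + key[-4:]


if __name__ == "__main__":
    # The example URL shown in step 6 of this page.
    url = ("https://s-platform.api.opendns.com/1.0/events"
           "?customerKey=e2f5d5f7-3c02-4665-460c-3fb2bd9a9ec4")
    print(mask_key(extract_customer_key(url)))
```

The key in the URL authorizes requests to the Enforcement API, so record only the masked form outside the Customer Key field.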

Configuring the BlueApp for Cisco Umbrella Connection

After you create the Cisco Umbrella integration and copy the key value, you're ready to establish the BlueApp for Cisco Umbrella connection in USM Anywhere. The USM Anywhere Sensor that you use to configure the BlueApp must have connectivity to the Umbrella Enforcement API at https://s-platform.api.opendns.com.

To enable the BlueApp for Cisco Umbrella

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled BlueApp.

    BlueApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the BlueApp API endpoints.

  6. Paste the customerKey value you copied in the previous task into the Customer Key field.
  7. Click Next.

    Note: The Next button is only available for AWS Sensors.

  8. Enter a name to identify the job.
  9. (Optional.) Enter a description for the job.
  10. In the Bucket Name field, enter the Amazon Simple Storage Service (S3) bucket name from which you want to collect files.
  11. In the Path field, enter the path prefix within the Amazon S3 bucket from which you want to collect log files.
  12. In the Schedule field, set a frequency for the job to run.

  13. Click Save.
  14. Verify the connection.

    After USM Anywhere completes a successful connection to the Cisco Umbrella APIs, a icon displays in the Health column.

    If the icon displays, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your Cisco Umbrella connection.