Configuring the BlueApp for CrowdStrike Falcon

Role Availability Read-Only Investigator Analyst Manager

To configure the BlueApp for CrowdStrike Falcon in USM Anywhere, you need to have the Host URL, Client ID, and Client Secret for authorization. This information can be obtained from your Crowdstrike support team.

Set up Crowdstrike API

Follow the instructions listed in the Crowdstrike site to read more about connecting with Crowdstrike.

Important: The BlueApp for CrowdStrike Falcon requires Falcon X, Falcon Prevent, Falcon Insight, or Endpoint Detection and Response (EDR) to work properly.

Configure BlueApp for CrowdStrike Falcon in USM Anywhere

To enable the BlueApp for CrowdStrike Falcon

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled BlueApp.

    BlueApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the BlueApp API endpoints.

  6. Enter the Host URL, Client ID, and Client Secret for authorization.

  7. Click Save.

BlueApp Log Collection

Once the BlueApp has been configured, you can choose to have USM Anywhere collect logs from the app on a regular basis.

To configure log collection for the BlueApp

  1. Go to Settings > Scheduler.
  2. In the Job Scheduler, search for the BlueApp on the sensor to which it was deployed.
  3. In the enabled column, click the icon for the inactive collection job.

    The icon turns green, and collection is enabled.

  4. (Optional.) Click the icon to customize the frequency of the event collection.