USM Anywhere™

Configuring the AlienApp for Salesforce

Role Availability Read-Only Analyst Manager

To use the AlienApp for Salesforce in USM Anywhere, you first need to log in to Salesforce to create the connected app and obtain the appropriate credentials. Because the account used to create the app will be responsible for creating all the Salesforce cases and will potentially be used by multiple users, it is recommenced that you create a separate, dedicated "service account" user. This user should have only enough permissions to allow the user to create cases. Do not reuse an admin account. Multiple accounts or users on different sensors may result in duplicated cases or cause confusion.

Important: Because of the way the Salesforce API implements event log processing, events can take at least three to six hours to be processed, potentially more.

Warning: The AlienApp for Salesforce uses the Salesforce hourly event log API to pull events from your Salesforce instance on an hourly basis to minimize the latency of your important security event data. This is a paid feature and not enabled in a production Salesforce instance by default. Please ask your Salesforce Account Executive to enable it in your account if you have not done so already. The hourly event log feature is not required to use the case creation actions. USM Anywhere does not currently support importing events from the Salesforce Daily Event Log API.

To create the connected app in Salesforce

  1. Log in to Salesforce with your username and password.
  2. Go to the Settings Console by clicking the Settings icon.

  3. In the Platform Tools menu on the left, go to Apps > App Manager.
  4. Click the New Connected App button at the top of the Lightning Experience App Manager header.

    The New Connected App modal displays.

  5. Fill out the required Basic Information fields:

    • Connected App Name
    • API Name
    • Contact Email
  6. In the API (Enable OAuth Settings) section, select the Enable OAuth Settings checkbox.

    The section expands with further options.

  7. Leave the Enable for Device Flow checkbox checked, do not deselect it.

    The Callback URL field automatically populates the https://login.salesforce.com/services/oauth2/success link.

  8. In the Available OAuth Scopes section, select the following options and click Add for each:

    • Access and manage your data (api)
    • Perform requests on your behalf at any time (refresh_token, offline_access)
  9. Select the Require Secret for Web Server Flow checkbox.
  10. Click Save to complete the app creation process and then click Continue.

Note: It takes time before the Salesforce app is completely created and recognized. AT&T Cybersecurity recommends that you wait at least 20 minutes before entering the credentials in USM Anywhere.

To obtain your credentials and configure the Salesforce app

  1. In the Salesforce Settings page, go to Platform Tools > Apps > Connected Apps > Manage Connected Apps.
  2. Click the app you just created.

    The page displays the Consumer ID (which you will enter in USM Anywhere as the Client ID), and the Consumer Key (which is the Client Key in USM Anywhere).

  3. In OAuth Policies, make sure All users may self-authorize is selected for Permitted Users, and make sure Enforce IP Restrictions is selected for IP Relaxation.

    Both should be set by default, but if not, click the Edit Policies button to change them.

  4. In the menu tree on the left of the screen, select Settings > Security > Network Access.
  5. On the Network Access page, in the Trusted IP Ranges section, click New.
  6. Enter the global trusted IP range that contains the public IP address of the USM Anywhere Sensor you are using, enter a description, and click Save.

Connecting the Salesforce App in USM Anywhere

After you obtain the OAuth, you must configure the connection within USM Anywhere.

To enable the AlienApp for Salesforce

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled AlienApp.

    AlienApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the AlienApp API endpoints.

  6. Enter the Client ID, Client Secret, Username, and Password for the Salesforce app you created.
  7. In the Event Types field, you can specify the event types you want the AlienApp for Salesforce to collect.

    The AlienApp for Salesforce collects a default set of event types when the field is left blank. If you enter your own list of event types into the Event Types field, then USM Anywhere will collect those event types instead of the default set.

    The default event types are as follows:

    ApexCallout, ApexRestApi, ApexSoap, API, AsynchronousReportRun, DocumentAttachmentDownoads, InsecureExternalAssets, Login, LoginAs,TransactionSecurity, Search

    Some event types may require an upgraded Salesforce subscription. A full list of Salesforce's supported event types and details on purchasing them can be found on their EventLogFile Supported Event Types documentation page.

  8. Click Save.
  9. Verify the connection.

    After USM Anywhere completes a successful connection to the Salesforce APIs, a icon displays in the Health column.

    If the icon appears, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your Salesforce connection.