BlueApp for CrowdStrike Falcon Actions

The BlueApp for CrowdStrike Falcon provides a set of orchestration actions that you can use to ingest incident and detection logs from your CrowdStrike app into your USM Anywhere environment. The following table lists the actions available from the BlueApp.

Actions for the BlueApp for CrowdStrike Falcon

Action             Description
Contain a host     Contains a host within your environment, stopping any network communications as defined in your CrowdStrike containment policy.
Lift containment   Restores network communications to a previously contained host.
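The two actions in the table map onto the host-containment capability of the CrowdStrike Falcon platform. The following script is an added example, not part of this documentation and not the BlueApp's own code: it shows the contain / lift-containment round trip against the Falcon API directly, so that an operator can see what the orchestration action does on the CrowdStrike side and can verify the result. It assumes the public Falcon endpoints POST /oauth2/token and POST /devices/entities/devices-actions/v2 with action_name set to contain or lift_containment; the base URL, the API client credentials and the device ID (aid) are placeholders you must replace, and the bundled stub transport returns constructed responses so the script runs offline.

```python
"""Contain a Falcon host and lift the containment again via the CrowdStrike API.

Added example (not from the USM Anywhere documentation or the BlueApp). Endpoint
paths are the documented Falcon API routes; credentials, base URL and device IDs
below are placeholders. A transport callable is injected so the flow can be
exercised offline with constructed responses.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Any, List, Tuple

FALCON_BASE_URL = "https://api.crowdstrike.com"   # placeholder; your cloud region may differ
VALID_ACTIONS = ("contain", "lift_containment")

# Transport signature: (url, headers, body) -> (http_status, decoded_json)
Transport = Callable[[str, Dict[str, str], bytes], Tuple[int, Dict[str, Any]]]


def urllib_transport(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, Dict[str, Any]]:
    """Real HTTP POST using only the standard library."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


def stub_transport(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, Dict[str, Any]]:
    """Constructed offline responses that mimic the shape of the Falcon API."""
    if url.endswith("/oauth2/token"):
        return 201, {"access_token": "tok-constructed", "expires_in": 1799}
    ids = json.loads(body.decode("utf-8"))["ids"]
    return 202, {"resources": [{"id": i} for i in ids], "errors": []}


def get_token(client_id: str, client_secret: str, transport: Transport = urllib_transport,
              base_url: str = FALCON_BASE_URL) -> str:
    """Exchange an API client id/secret for a bearer token (OAuth2 client credentials)."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    status, data = transport(base_url + "/oauth2/token",
                             {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status not in (200, 201) or "access_token" not in data:
        raise RuntimeError(f"token request failed: HTTP {status}")
    return data["access_token"]


def build_action_request(action: str, device_ids: List[str], token: str,
                         base_url: str = FALCON_BASE_URL) -> Tuple[str, Dict[str, str], bytes]:
    """Build the URL, headers and JSON body for a device action; validates inputs first."""
    if action not in VALID_ACTIONS:
        raise ValueError(f"unsupported action {action!r}; expected one of {VALID_ACTIONS}")
    if not device_ids:
        raise ValueError("at least one device id (aid) is required")
    url = base_url + "/devices/entities/devices-actions/v2?" + urllib.parse.urlencode({"action_name": action})
    headers = {"Authorization": "Bearer " + token,
               "Content-Type": "application/json",
               "Accept": "application/json"}
    body = json.dumps({"ids": list(device_ids)}).encode("utf-8")
    return url, headers, body


def run_action(action: str, device_ids: List[str], token: str,
               transport: Transport = urllib_transport, base_url: str = FALCON_BASE_URL) -> Dict[str, Any]:
    """Run contain / lift_containment and report which hosts were actually acted on.

    'ok' is True only when the API accepted the call, reported no errors, and the
    returned resource ids cover every host requested; a partial result is a failure
    an operator should look at rather than assume the host is isolated.
    """
    url, headers, body = build_action_request(action, device_ids, token, base_url)
    status, data = transport(url, headers, body)
    errors = data.get("errors") or []
    acted_on = [r.get("id") for r in data.get("resources") or [] if r.get("id")]
    ok = status in (200, 202) and not errors and set(acted_on) == set(device_ids)
    return {"action": action, "http_status": status, "acted_on": acted_on, "errors": errors, "ok": ok}


def contain_and_lift(device_id: str, client_id: str, client_secret: str,
                     transport: Transport = urllib_transport, base_url: str = FALCON_BASE_URL) -> List[Dict[str, Any]]:
    """Full round trip: authenticate, contain the host, then lift containment."""
    token = get_token(client_id, client_secret, transport, base_url)
    return [run_action("contain", [device_id], token, transport, base_url),
            run_action("lift_containment", [device_id], token, transport, base_url)]


if __name__ == "__main__":
    # Offline demo with the stub transport and a constructed device id.
    for result in contain_and_lift("aid-constructed-0001", "client-placeholder", "secret-placeholder", stub_transport):
        print(json.dumps(result))
```

Swap stub_transport for urllib_transport (or your HTTP client of choice) to run against a real tenant; the API client needs the Hosts write scope, and the device id is the Falcon sensor's aid, not a hostname.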

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed orchestration actions.

Launch Actions from Alarms and Events

You can launch an action directly from alarms or events. If you want to apply an action to similar events that occur in the future, you can also create orchestration rules directly from the action applied to an Alarm or an Event.

To launch a CrowdStrike response action for an Alarm or Event

  1. Go to Activity > Alarms or Activity > Events.
  2. Click the Alarm or Event to open the details.
  3. Click Select Action.
  4. In the Select Action dialog box, select Run Crowdstrike Action.

  5. Select the app action and complete the fields that appear below it.

  6. Click Run.

    After USM Anywhere initiates the action for an alarm or event, it displays a confirmation dialog box.

    If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms or Create rule for similar events and define the new rule. If not, click OK.