USM Anywhere Integration
Written by Ali Murtaza
Updated over a week ago

About USM Anywhere

USM Anywhere centralizes security monitoring of networks and devices in the cloud, on-premises, and in remote locations, helping you to detect threats virtually anywhere.

Combining USM Anywhere with SIRP creates a potent integration of real-time data ingestion, allowing security analysts to swiftly identify potential threats and prioritize them based on their risk level.

Supported Actions

  1. Get Alarms: Ingests Alarms into SIRP from USM

  2. Add Label: Adds Label to Alarm in USM

  3. Remove Label: Changes Label in Alarm in USM

  4. Change Status: Changes the status of the Alarm in USM

Enable and Configure the USM Anywhere App

Create USM API Credentials

  • Log in to your USM instance.

  • Access Profile > API Clients, from the bottom left of the navigation pane.

  • Under API Client, click New Client.

  • Add Client ID and click Create Client.

  • Copy the Client ID and the Secret token onto a notepad; they will be needed when configuring the USM app in SIRP.

Configure The SIRP App

  • Next, log in to SIRP, then go to Apps from the left navigation bar.

  • Locate the USM Anywhere App.

  • Click on the Toggle button to enable the app.

  • As soon as you enable the App, you will get an option to add the configuration details.

  • Add the following details and click Save:

    • Configuration Name <Enter a unique name for the configuration>

    • URL <The URL used to access your USM Anywhere instance>

    • Client-ID <Enter the Client ID created in the last step>

    • Client-Secret <Enter the Secret token created in the last step>

Configure Ingestion Source

In order to start ingesting Alarms from USM through API, you need to create a new ingestion source and enable it.

  • Go to the Administration section from the left-hand navigation bar

  • Go to Apps > Ingestion Sources

  • Click on Add Source

  • Fill in the fields in the popup form as shown in the image above:

    • Ingestion Method: API

    • Format: JSON

    • Frequency: Every 5 min (SIRP will call USM API every 5 minutes to check for new Alarms)

    • Name: USM Anywhere (This can be any name used to distinguish this ingestion source)

    • Ingestion Type: Incident (Because we want to ingest alerts into our Incident Management module)

    • Is Auto Assign: No (Set to No, unless ingested alerts are to be assigned to a particular Analyst)

    • Frequency: Every 5 min (SIRP will call USM Anywhere API every 5 minutes to check for new offenses)

    • Opened By: Not Mandatory

    • Applications: Select USM Anywhere application

    • Configuration: Select the configuration name

    • Actions: Select GET ALARMS

  • Click Create button to create the new ingestion source

  • The last step after creating an ingestion source is mapping the data fields ingested from USM with the fields available in SIRP. After you create the ingestion source, you will get a new configuration icon under the Actions column. Click on the icon to configure the fields.

Once the fields are configured and the Ingestion Source is enabled, you will be able to see new alarms ingested in the Incident Management module.
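If no alarms appear, the Client ID and Secret token can be exercised outside SIRP to separate a credential problem from a field-mapping problem. The following Python is an added example, not SIRP or USM code: it assumes the USM Anywhere REST API exposes an OAuth2 client-credentials token endpoint and an alarms endpoint under /api/2.0, and the query parameter and alarm field names it uses are assumptions to confirm against your instance's API documentation.

```python
import base64
import json
import urllib.parse
import urllib.request

API = "/api/2.0"  # assumed base path of the USM Anywhere REST API


def token_request(base_url, client_id, client_secret):
    """Build the OAuth2 client-credentials token request (HTTP Basic auth)."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send the client secret over a non-HTTPS URL")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    url = base_url.rstrip("/") + API + "/oauth/token?grant_type=client_credentials"
    return urllib.request.Request(url, data=b"", method="POST",
                                  headers={"Authorization": "Basic " + basic})


def alarms_request(base_url, token, since_ms, size=20):
    """Build the poll for alarms that occurred at or after since_ms (epoch ms)."""
    # Parameter names are assumptions; confirm them in your API documentation.
    query = urllib.parse.urlencode({"timestamp_occured_gte": since_ms, "size": size})
    url = base_url.rstrip("/") + API + "/alarms?" + query
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + token})


def summarize(body):
    """Reduce an alarms response to a few fields; an empty page yields []."""
    alarms = json.loads(body).get("_embedded", {}).get("alarms", [])
    return [{"id": a.get("uuid"), "status": a.get("status"),
             "priority": a.get("priority_label")} for a in alarms]


def check(base_url, client_id, client_secret, since_ms):
    """Live check: needs network access and the real credentials."""
    with urllib.request.urlopen(token_request(base_url, client_id, client_secret)) as r:
        token = json.load(r)["access_token"]
    with urllib.request.urlopen(alarms_request(base_url, token, since_ms)) as r:
        return summarize(r.read())


# Constructed sample response (field names assumed), used to try summarize() offline.
SAMPLE = json.dumps({"_embedded": {"alarms": [
    {"uuid": "00000000-0000-0000-0000-000000000001", "status": "open",
     "priority_label": "high"}]}})

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An HTTP error on the token request points at the URL, Client ID or Secret token rather than at the SIRP field mapping.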
