Response integration between Acronis Cyber Protect Cloud and Lumu
Allow all the traffic to the following hosts. These are required for the operation of this integration:
Before you deploy and implement the Lumu Integration, you need to prepare your Acronis deployment to ensure the integration works as expected.
If you operate Acronis on a multi-tenant deployment, you must identify the tenant you want to integrate it with. The integration script needs the tenant in the following format:
PARTNER.[FOLDER.]CLIENT
You must define the tenant in an absolute form separated by “.”. Following is an example using an Acronis sample deployment with the depicted hierarchy.
This deployment looks as follows in the Acronis Management portal.
To select the Stark Industries customer, you must define this tenant string:
Lumu Technologies, Inc.Stark Industries
Now, if you want to operate with the City Company customer inside the folder named City folder, use this string to describe the tenant:
Lumu Technologies, Inc.City folder.City Company
It’s recommended that you create a user with limited privileges. With this user, you will configure the integration and run the required tasks. If you create a dedicated user, follow these steps within your Acronis Management Console.
1. Under the Company Management section in the left navigation pane, click on the Users menu.
2. Within the Users window, click on the New button located in the top right corner.
3. Fill in the required data. Under the Services and roles section, make sure the following services are activated and the indicated roles are assigned:
a. Management Portal: Administrator
b. Protection: Administrator
4. Save the user.
Now, you need to create an API client linked to the user. Log in to your Acronis Management Console using the user credentials created before. Then, follow these steps to create a linked API client:
1. Under the Settings section in the left navigation pane, click on the API clients menu.
2. Within the API clients window, click on the New button located in the top right corner.
3. Give a distinctive name to the new API client. Click on Next.
4. Copy the API client information from the screen, including the Data center URL, then click on Done.
Make sure you save and store this information in a safe place. This will be required in further steps for configuring the integration.
Acronis works with protection plans to define how to protect managed devices. Before configuring the integration, you need to create or identify the protection plans you want to feed with adversarial-related information. If you need to create a new Acronis Protection plan, please refer to the Creating a protection plan documentation.
You can check the names of the protection plans by using your Cyber Protect Cloud console. Follow these steps to identify the protection plans you want to use for the integration:
1. Within your manage console, click on the Clients menu in the left navigation pane.
2. Click on the Three-dots button. Hover over the Manage service option, and click on the Protection menu. This will take you to the Cyber Protect console.
Now, within the Cyber Protect console, follow these steps:
1. Under the Management section, click on the Protection plans menu.
2. Identify and select the protection plans you will use for the integration.
Make sure the selected protection plans have the following packs enabled:
The integration set-up process needs you to collect this information from Lumu portal:
Log in to your Lumu portal and run the following procedures to collect these data.
To collect the Lumu Defender API key, refer to the Defender API document.
To collect your Lumu company UUID, log in to your Lumu portal. Once you are in the main window, copy the string below your company name.
There are 2 environment options to deploy the script. Select the one that best fits your current infrastructure.
Whichever alternative you select, first you need to unpack the integration package shared by our Support team.
Unpack the deployment package provided by Lumu in your preferred path/folder. Keep in mind this location, as it will be required for further configurations. From now on, we will refer to this folder as <app_lumu_root>.
To set up the integration, you need to add and edit two configuration files:
The companies file defines how the integration connects to Lumu and extracts the information of the incidents and related indicators of compromise.
```yaml
---
lumu:
  uuid: "<COMPANY-UUID>"
  [name: "<COMPANY-NAME>"]
  [contact_name: "<CONTACT_NAME>"]
  [contact_email: "<CONTACT_EMAIL>"]
  defender_key: "<DEFENDER_API_KEY>"
  hash_type: "md5" # sha256 | sha1 | md5
  ioc_types: # list of ioc types, option one, many or all
    - ip
    - domain
    - url
    - hash
  adversary: # list of adversary types, option one, many or all
    - C2C
    - Malware
    - Mining
    - Spam
    - Phishing
  days: 30 # MIN 1, MAX 30
```
Within this file, the COMPANY_UUID and DEFENDER_API_KEY fields are mandatory. Please use the values captured in the previous steps. The ioc_types values must match the IOC types required by the integration.
The integration file contains the information required for the integration to connect and interact with your Acronis deployment:
```yaml
---
lumu:
  uuid: "<COMPANY_UUID>"
  days: 30 # INTEGER=(get incidents from X days of the ioc manager local db)
app:
  name: "<CLIENT-NAME>" # Name of the headquarters, branch, office, client
  clean: false # either clean the instance IOC or not
  ioc: # ["ip", "domain", "hash"] list of one, many or all ioc types
    - ip
    - domain
    - hash
api:
  hostname: "<HOST>-cloud.acronis.com"
  client_id: "<ACRONIS_CLIENT_ID>"
  secret: "<ACRONIS_CLIENT_SECRET>"
  tenant: "<ACRONIS_TENANT_NAME>" # If you need to navigate through management tenant, folder and tenant, use . as separator between them
  policies: # You can define multiple policies
    - "<ACRONIS_TOTAL_PROTECTION_POLICY_NAME_1>"
    - "<ACRONIS_TOTAL_PROTECTION_POLICY_NAME_N>"
```
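A pre-flight validator for the two files above, added here as an example and not code from the Lumu package. It takes the dicts that PyYAML's yaml.safe_load() returns for companies.yml and integrations.yml and reports unreplaced template placeholders, values outside the documented sets, and tenant strings that do not follow PARTNER.[FOLDER.]CLIENT; the function and helper names are this example's own.

```python
# Added example, not the Lumu package's own code: checks the dicts that
# yaml.safe_load() returns for companies.yml and integrations.yml.
HASH_TYPES = {"md5", "sha1", "sha256"}
IOC_TYPES = {"ip", "domain", "url", "hash"}        # companies.yml ioc_types
APP_IOC_TYPES = {"ip", "domain", "hash"}           # integrations.yml app.ioc
ADVERSARIES = {"C2C", "Malware", "Mining", "Spam", "Phishing"}

def _unset(value):
    """True when a value is missing, empty or still holds a '<PLACEHOLDER>' from the template."""
    return not isinstance(value, str) or not value or ("<" in value and ">" in value)

def _check_list(values, allowed, field, problems):
    """Require a non-empty list with no placeholders; 'allowed' restricts the items."""
    if not isinstance(values, list) or not values:
        problems.append(f"{field}: must be a non-empty list")
    else:
        problems.extend(f"{field}: bad value {v!r}" for v in values
                        if _unset(v) or (allowed and v not in allowed))

def tenant_parts(tenant):
    """Split PARTNER.[FOLDER.]CLIENT into (partner, folder or None, client), or None.
    The '.' separator is ambiguous if a tenant name itself contains a dot."""
    parts = tenant.split(".")
    if len(parts) not in (2, 3) or any(not p.strip() for p in parts):
        return None
    return parts[0], (parts[1] if len(parts) == 3 else None), parts[-1]

def validate_companies(cfg):
    """Problems found in companies.yml; an empty list means the file is usable."""
    lumu = cfg.get("lumu") or {}
    problems = [f"lumu.{k}: mandatory" for k in ("uuid", "defender_key") if _unset(lumu.get(k))]
    if lumu.get("hash_type", "md5") not in HASH_TYPES:
        problems.append("lumu.hash_type: must be md5, sha1 or sha256")
    _check_list(lumu.get("ioc_types"), IOC_TYPES, "lumu.ioc_types", problems)
    _check_list(lumu.get("adversary"), ADVERSARIES, "lumu.adversary", problems)
    days = lumu.get("days", 30)
    if not isinstance(days, int) or not 1 <= days <= 30:
        problems.append("lumu.days: integer between 1 and 30")
    return problems

def validate_integration(cfg):
    """Problems found in integrations.yml; an empty list means the file is usable."""
    lumu, app, api = (cfg.get(k) or {} for k in ("lumu", "app", "api"))
    problems = ["lumu.uuid: mandatory"] if _unset(lumu.get("uuid")) else []
    _check_list(app.get("ioc"), APP_IOC_TYPES, "app.ioc", problems)
    problems += [f"api.{k}: mandatory" for k in ("hostname", "client_id", "secret", "tenant")
                 if _unset(api.get(k))]
    if tenant_parts(api.get("tenant") or "") is None:
        problems.append("api.tenant: not in PARTNER.[FOLDER.]CLIENT form")
    _check_list(api.get("policies"), None, "api.policies", problems)
    return problems
```

Run both validators before the first cron execution; a config that still contains the template's angle-bracket placeholders is the most common reason the script fails to authenticate.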
To deploy the integration as a script, you need to run the install.sh script inside the integration package.
To run the installation script, change to the <app_lumu_root> folder, then execute this line through the CLI.
The installation script will set up the Python environment and two different cron jobs.
To use the script, you must locate yourself on the path selected for deployment (<app_lumu_root>). Use the following command to show all options available for the package:
usage: acronis_lumu [-h] [--config CONFIG] [--ioc-manager-db-path IOC_MANAGER_DB_PATH] [-v] [-c] [-l {screen,file}] [--hours HOURS]
| Option | Description |
|---|---|
| -h, --help | Show this help message and exit. |
| --config CONFIG | CONFIG FILE PATH (default: integrations.yml); follow the YML template. |
| --ioc-manager-db-path IOC_MANAGER_DB_PATH | PATH where the integration reads the Lumu incidents from (default: ./db.sqlite). |
| --logging {screen,file} | Logging option (default: screen). |
| -c, --clean | Clean all integration records; overrides the clean field of the yml file. |
| --verbose, -v | Verbosity level. |
| --hours HOURS | Keep local DB records from the last X hours (automatic maintenance of the local DB). |
To query all the IOC related to Lumu incidents triggered in the last 30 days, run the following command.
By default, the integration script will query incidents related to all adversary types. If you need to filter the query to specific adversary types, you can use the --adversary-types flag as follows
To clean the existing records in Acronis, just set up the clean flag in the integrations.yml file to true.
Then, run the integration script as follows:
Or you can run the clean command directly to clean all the companies.
According to your needs, you can combine the examples shown. If you need to understand better the steps executed by the integration script, you can add the --logging {file, screen} and --verbose arguments. These arguments can be used for troubleshooting.
If you have a Docker environment, you can select this option to run the integration as a Docker process. To deploy and run your integration as a docker container, locate yourself at the <app_lumu_root> folder, and follow these instructions:
1. Build the container by running the following command. Do not forget the trailing dot ".":

   ```shell
   docker build [--build-arg IOC_MAN_CONFIG='companies.yml'] [--build-arg APP_CONFIG='integrations.yml'] --tag python-lumu-acronis-response --file DockerfileAllInOne .
   ```

2. Run the container by using the following command:

   ```shell
   docker run -d --restart unless-stopped --name lumu-acronis-response python-lumu-acronis-response
   ```

With this mode, your integration will run every 30 minutes.
For troubleshooting purposes, you can run the following commands:
To log in to your container using an interactive shell:
To collect integration logs:
After running the integration, you can see Lumu IOCs inside the Antivirus & Antimalware Protection and URL filtering packs within the configured Protection plans.
When the devices protected by the Protection plans fed by the integration try to contact an adversary or run a known malicious file, the result will be as follows:
To identify failures in the script execution, use the -v flag. The script execution log will show more detailed information.
The application logs will be redirected to lumu.log file. The file errors.log stores only the errors to make them easier to find and aid the troubleshooting process.
If you receive the following error.
There could be another instance running. To check this, open the pid.pid file in the integration folder. This file stores the process ID if it’s running.
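To tell a genuinely running second instance from a pid.pid file left behind by a crashed run, the following added example (not the integration's own code) checks whether the recorded process still exists. It assumes pid.pid contains only the numeric process ID; the function names are this example's own.

```python
# Added example, not part of the integration package: classify the pid.pid
# file as absent, pointing at a live process, or stale (left by a crashed run).
import os


def write_pid_file(path, pid=None):
    """Write a pid (default: this process) in the assumed pid.pid layout: digits only."""
    pid = os.getpid() if pid is None else pid
    with open(path, "w") as fh:
        fh.write(f"{pid}\n")
    return pid


def instance_state(pid_file):
    """Return 'absent' (no pid file), 'running' (process alive) or 'stale'.
    A stale file is safe to remove once no acronis_lumu process is listed."""
    try:
        with open(pid_file) as fh:
            pid = int(fh.read().strip())
    except FileNotFoundError:
        return "absent"
    except ValueError:
        return "stale"                  # unreadable content, not a live pid
    try:
        os.kill(pid, 0)                 # signal 0 only tests for existence
    except ProcessLookupError:
        return "stale"
    except PermissionError:
        return "running"                # exists but belongs to another user
    return "running"
```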