Acronis Cyber Protect Cloud Custom Response Integration

This article shows how to leverage Acronis Cyber Protect Cloud API and Lumu Defender API to enhance your Response capabilities.

Response integration between Acronis Cyber Protect Cloud and Lumu

Requirements

  • An Acronis Cyber Protect Cloud subscription
    • The Acronis Cyber Protect Standard subscription level or above is required.
  • An Acronis administrative user
  • Lumu Defender API key
    • To retrieve an API token, please refer to the Defender API document.
  • Script host
    • A scripting host is required to deploy the integration. This host must have Internet visibility of the Lumu Defender API endpoints and of Acronis Cyber Protect Cloud. Depending on the deployment model you select, you need a host with either:
      • Python 3.10+
OR
      • Docker enabled.

Contacted hosts

Allow all the traffic to the following hosts. These are required for the operation of this integration:

  • *.acronis.com
  • defender.lumu.io

Prepare Acronis Cyber Protect Cloud for Lumu integration

Before you deploy and implement the Lumu Integration, you need to prepare your Acronis deployment to ensure the integration works as expected.

Select the tenant you want to integrate with

If you operate Acronis on a multi-tenant deployment, you must identify the tenant you want to integrate it with. The integration script needs the tenant in the following format:

PARTNER.[FOLDER.]CLIENT

You must define the tenant in absolute form, with the levels separated by “.”. The following example uses an Acronis sample deployment with the depicted hierarchy.

This deployment looks as follows in the Acronis Management portal

To select the Stark Industries customer, you must define this tenant string:

Lumu Technologies, Inc.Stark Industries

Now, if you want to operate with the City Company customer located inside the folder named City folder, use this string to describe the tenant:

Lumu Technologies, Inc.City folder.City Company

If you use a user created at the tenant level, please define the tenant string as the customer name. You don’t need to include the partner level name.

It’s recommended that you create a user with limited privileges. With this user, you will configure the integration and run the required tasks. If you create a dedicated user, follow these steps within your Acronis Management Console.

If you are operating within an Acronis MSP environment, make sure you select the required customer. If you need to manage multiple customers with the same user/API client, create the user within the required administrative scope.

1. Under the Company Management section in the left navigation pane, click on the Users menu.

2. Within the Users window, click on the New button located in the top right corner.

3. Fill in the required data. Under the Services and roles section, make sure the following services are activated and the indicated roles are assigned:

a. Management Portal: Administrator

b. Protection: Administrator


4. Save the user

Create an API client linked with the integration user

If you did not create a user for the integration, use a user with the same services and roles depicted in the previous step.

Now, you need to create an API client linked to the user. Log in to your Acronis Management Console using the user credentials created before. Then, follow these steps to create a linked API client:

1. Under the Settings section in the left navigation pane, click on the API clients menu.

2. Within the API clients window, click on the New button located in the top right corner.

3. Give a distinctive name to the new API client. Click on Next.

4. Copy the API client information from the screen, including the Data center URL, then click on Done.

Make sure you save and store this information in a safe place. This will be required in further steps for configuring the integration.

Create/select protection plans

Acronis works with protection plans to define how to protect managed devices. Before configuring the integration, you need to create or identify the protection plans you want to feed with adversarial-related information. If you need to create a new Acronis Protection plan, please refer to the Creating a protection plan documentation.

You can check the names of the protection plans by using your Cyber Protect Cloud console. Follow these steps to identify the protection plans you want to use for the integration:

1. Within your manage console, click on the Clients menu in the left navigation pane.

2. Click on the Three-dots button. Hover over the Manage service option, and click on the Protection menu. This will take you to the Cyber Protect console.

Now, within the Cyber Protect console, follow these steps:

1. Under the Management section, click on the Protection plans menu.

2. Identify and select the protection plans you will use for the integration.


Make sure the selected protection plans have the following packs enabled:

  • Antivirus & Antimalware Protection
  • URL filtering

The integration pushes IOCs to the packs above even if they are deactivated in the Protection plan, but no enforcement takes place while a pack is disabled, regardless of the IOCs the Lumu integration keeps pushing into it.

Collect the required data from Lumu Portal

The integration set-up process needs you to collect this information from Lumu portal:

  • Lumu Defender API key
  • Company UUID

Log in to your Lumu portal and run the following procedures to collect these data.

Collect the Lumu Defender API key

To collect the Lumu Defender API key, refer to the Defender API document.

Collect your Lumu company UUID

To collect your Lumu company UUID, log in to your Lumu portal. Once you are in the main window, copy the string below your company name.

Deploy the integration

There are two deployment options for the script; select the one that best fits your current infrastructure.

  • Run it as a Python script executing the install.sh bash file
    • Creates a Python virtual run time and its dependencies for you
    • Installs the crontab line in the host
  • Run it as a Docker container.

Whichever alternative you select, first you need to unpack the integration package shared by our Support team.

Unpack the deployment package provided by Lumu in your preferred path/folder. Keep in mind this location, as it will be required for further configurations. From now on, we will refer to this folder as <app_lumu_root>.

If you use the install script, use the uninstall.sh bash file to remove the integration from the host.

Set up the configuration files

To set up the integration, you need to add and edit two configuration files:

  • companies.yml: this file contains the information collected from the Lumu portal
  • integrations.yml: this file contains the information collected from your Acronis Cyber Protect Cloud portal

Inside the integration package, you will find sample files you can use to build your configuration files. These files are companies_template.yml and integration_template.yml.

Complete the companies file

The companies file defines how the integration connects to Lumu and extracts the information of the incidents and related indicators of compromise.

  -
    lumu:
      uuid: "<COMPANY-UUID>"
      [name: "<COMPANY-NAME>"]
      [contact_name: "<CONTACT_NAME>"]
      [contact_email: "<CONTACT_EMAIL>"]
      defender_key: "<DEFENDER_API_KEY>"
      hash_type: "md5" # sha256 | sha1 | md5
      ioc_types: # list of IOC types: one, many or all
        - ip
        - domain
        - url
        - hash
      adversary: # list of adversary types: one, many or all
        - C2C
        - Malware
        - Mining
        - Spam
        - Phishing
      days: 30 # MIN 1, MAX 30

Within this file, the COMPANY_UUID and DEFENDER_API_KEY fields are mandatory. Use the values captured in the previous steps. The ioc_types values must match the IOC types required by the integration.

Remember, Acronis supports hashes in MD5 format.

If you configure multiple companies, the first polling process will be executed in time increments for each. This prevents lock conditions. Real-time updates in Lumu portal related to adversarial contacts will be collected since the integration begins to operate.

Complete the integrations file

The integration file contains the information required for the integration to connect and interact with your Acronis deployment:

  -
    lumu:
      uuid: "<COMPANY_UUID>"
      days: 30 # INTEGER: get incidents from the last X days of the IOC manager local DB
    app:
      name: "<CLIENT-NAME>" # Name of the headquarters, branch, office or client
      clean: false # whether to clean the instance IOCs or not
      ioc: # ["ip", "domain", "hash"]: list of one, many or all IOC types
        - ip
        - domain
        - hash
    api:
      hostname: "<HOST>-cloud.acronis.com"
      client_id: "<ACRONIS_CLIENT_ID>"
      secret: "<ACRONIS_CLIENT_SECRET>"
      tenant: "<ACRONIS_TENANT_NAME>" # To navigate through management tenant, folder and tenant, use "." as the separator between them
      policies: # You can define multiple policies
        - "<ACRONIS_TOTAL_PROTECTION_POLICY_NAME_1>"
        - "<ACRONIS_TOTAL_PROTECTION_POLICY_NAME_N>"
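Because a misconfigured companies.yml or integrations.yml only shows up as a failed cron run later, it helps to check both files before the first execution. The following Python script is an added example written for this article; it is not part of Lumu's integration package. It encodes the rules the article states (uuid and defender_key mandatory, days between 1 and 30, MD5 hashes for Acronis, Acronis-side IOC types limited to ip/domain/hash, a "."-separated PARTNER.[FOLDER.]CLIENT tenant, at least one protection plan name) and cross-checks that every integrations.yml entry references a company declared in companies.yml. Each entry is a plain dict, i.e. one list item as yaml.safe_load() returns it, and lumu, app and api are assumed to be sibling keys of that item; the UUID, key, host and names in the sample entries are constructed, not real values.

```python
"""Pre-flight checks for companies.yml / integrations.yml entries.

Added example for the article above; this is not part of Lumu's integration
package. Each entry is a plain dict, i.e. one list item as yaml.safe_load()
returns it, with lumu / app / api assumed to be sibling keys of that item.
"""
import uuid

ALLOWED_HASH_TYPES = {"md5", "sha1", "sha256"}
LUMU_IOC_TYPES = {"ip", "domain", "url", "hash"}
ACRONIS_IOC_TYPES = {"ip", "domain", "hash"}
ADVERSARY_TYPES = {"C2C", "Malware", "Mining", "Spam", "Phishing"}


def _unset(value):
    """True for a missing value or an unedited <PLACEHOLDER> left from the template."""
    return not value or (isinstance(value, str) and value.startswith("<") and value.endswith(">"))


def validate_company(entry):
    """Problems found in one companies.yml entry (empty list means OK)."""
    problems = []
    lumu = entry.get("lumu") or {}
    for key in ("uuid", "defender_key"):
        if _unset(lumu.get(key)):
            problems.append(f"lumu.{key} is mandatory and still unset")
    if not _unset(lumu.get("uuid")):
        try:
            uuid.UUID(str(lumu["uuid"]))
        except ValueError:
            problems.append("lumu.uuid is not a valid UUID")
    hash_type = lumu.get("hash_type")
    if hash_type not in ALLOWED_HASH_TYPES:
        problems.append(f"lumu.hash_type must be one of {sorted(ALLOWED_HASH_TYPES)}")
    elif hash_type != "md5":
        problems.append("Acronis consumes MD5 hashes; set lumu.hash_type to md5")
    for key, allowed in (("ioc_types", LUMU_IOC_TYPES), ("adversary", ADVERSARY_TYPES)):
        unknown = set(lumu.get(key) or []) - allowed
        if unknown:
            problems.append(f"lumu.{key} has unknown values: {sorted(unknown)}")
    days = lumu.get("days")
    if isinstance(days, bool) or not isinstance(days, int) or not 1 <= days <= 30:
        problems.append("lumu.days must be an integer between 1 and 30")
    return problems


def validate_integration(entry):
    """Problems found in one integrations.yml entry (empty list means OK)."""
    problems = []
    lumu, app, api = (entry.get(k) or {} for k in ("lumu", "app", "api"))
    if _unset(lumu.get("uuid")):
        problems.append("lumu.uuid is mandatory and still unset")
    unsupported = set(app.get("ioc") or []) - ACRONIS_IOC_TYPES
    if unsupported:
        problems.append(f"app.ioc lists types Acronis does not take: {sorted(unsupported)}")
    for key in ("client_id", "secret", "tenant"):
        if _unset(api.get(key)):
            problems.append(f"api.{key} is mandatory and still unset")
    hostname = str(api.get("hostname") or "")
    if "<" in hostname or not hostname.endswith(".acronis.com"):
        problems.append("api.hostname must be your data center host ending in .acronis.com")
    tenant = api.get("tenant")
    if isinstance(tenant, str) and not _unset(tenant):
        # PARTNER.[FOLDER.]CLIENT: every "."-separated level must be non-empty
        if any(not level.strip() for level in tenant.split(".")):
            problems.append("api.tenant has an empty level; use PARTNER.[FOLDER.]CLIENT")
    policies = api.get("policies") or []
    if not policies or any(_unset(p) for p in policies):
        problems.append("api.policies must list at least one real protection plan name")
    return problems


def cross_check(companies, integrations):
    """Every integrations.yml entry must reference a company from companies.yml."""
    known = {(c.get("lumu") or {}).get("uuid") for c in companies}
    return [f"integration {(i.get('app') or {}).get('name')!r} references an unknown company uuid"
            for i in integrations if (i.get("lumu") or {}).get("uuid") not in known]


# Constructed sample entries: the UUID, key, host and names are made up for this example.
SAMPLE_COMPANY = {"lumu": {
    "uuid": "0f2c9e4a-7b1d-4c6e-9a3f-2d8b5e1c7a90", "name": "Example Co",
    "defender_key": "constructed-defender-key", "hash_type": "md5",
    "ioc_types": ["ip", "domain", "url", "hash"],
    "adversary": ["C2C", "Malware", "Mining", "Spam", "Phishing"], "days": 30}}
SAMPLE_INTEGRATION = {
    "lumu": {"uuid": "0f2c9e4a-7b1d-4c6e-9a3f-2d8b5e1c7a90", "days": 30},
    "app": {"name": "Headquarters", "clean": False, "ioc": ["ip", "domain", "hash"]},
    "api": {"hostname": "example-cloud.acronis.com", "client_id": "constructed-id",
            "secret": "constructed-secret",
            "tenant": "Example Partner.Example Folder.Example Client",
            "policies": ["Workstations protection plan"]}}

if __name__ == "__main__":
    for label, found in (("companies.yml", validate_company(SAMPLE_COMPANY)),
                         ("integrations.yml", validate_integration(SAMPLE_INTEGRATION)),
                         ("cross-check", cross_check([SAMPLE_COMPANY], [SAMPLE_INTEGRATION]))):
        print(label, "OK" if not found else found)
```

To run it against your real files, load each with yaml.safe_load() and pass every list item through the matching function; a non-empty result names the field to fix. The placeholder detection catches the most common first-run failure, a template value such as "<COMPANY_UUID>" left untouched, and the tenant check rejects an empty level, which is what a double "." or a trailing "." in the tenant string produces.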

Deploy Integration as a script

To deploy the integration as a script, you need to run the install.sh script inside the integration package.

Make sure the install.sh script has the execution permission before running it.

To run the installation script, locate yourself in the app_lumu_root folder, then execute this line through CLI.

./install.sh all

The installation script will set up the Python environment and two different cron jobs.

If you want to modify the default running interval set by the installation script, edit the two cron job entries it installed according to your environment requirements.

If you want to restart or uninstall the integration, run ./restart all or ./uninstall all respectively.

Script details

To use the script, you must locate yourself on the path selected for deployment (<app_lumu_root>). Use the following command to show all options available for the package:

python acronis_lumu.py -h

usage: acronis_lumu [-h] [--config CONFIG] [--ioc-manager-db-path IOC_MANAGER_DB_PATH] [-v] [-c] [-l {screen,file}] [--hours HOURS]

Option                                        Description
-h, --help                                    Show this help message and exit.
--config CONFIG                               Path of the configuration file (default: integrations.yml); follow the YML template shown above.
--ioc-manager-db-path IOC_MANAGER_DB_PATH     Path where the integration reads the Lumu incidents from (default: ./db.sqlite).
-l, --logging {screen,file}                   Logging output (default: screen).
-c, --clean                                   Clean all integration records; overrides the clean field of the yml file.
-v, --verbose                                 Verbosity level.
--hours HOURS                                 Keep local DB log records from the last X hours (automatic maintenance of the local DB).

Usage Examples

Task: query IOC related to Lumu incidents with default options

To query all the IOC related to Lumu incidents triggered in the last 30 days, run the following command.

python3 acronis_lumu.py

Task: query IOC related to specific parameters

By default, the integration script will query incidents related to all adversary types. If you need to filter the query to specific adversary types, you can use the --adversary-types flag as follows

python3 acronis_lumu.py --config integrations.yml --ioc-manager-db-path /<ioc-manager-path>/db.sqlite

Task: Clean records

To clean the existing records in Acronis, just set up the clean flag in the integrations.yml file to true.

clean: true

Then, run the integration script as follows:

python3 acronis_lumu.py [--config CONFIG] [--ioc-manager-db-path IOC_MANAGER_DB_PATH]

Or you can run the clean flag directly to clean all the companies:

python3 acronis_lumu.py --clean [--config CONFIG] [--ioc-manager-db-path IOC_MANAGER_DB_PATH]

Records that were not created by the integration are preserved.

Other tasks

According to your needs, you can combine the examples shown. If you need a better understanding of the steps executed by the integration script, add the --logging {file,screen} and --verbose arguments. These arguments can be used for troubleshooting.

Deploy as a Docker container (Optional)

If you have a Docker environment, you can select this option to run the integration as a Docker process. To deploy and run your integration as a docker container, locate yourself at the <app_lumu_root> folder, and follow these instructions:

1. Build the container by running the following command.

docker build [--build-arg IOC_MAN_CONFIG='companies.yml'] [--build-arg APP_CONFIG='integrations.yml'] --tag python-lumu-acronis-response --file DockerfileAllInOne .
Do not forget the dot "."

2. Run the container by using the following command.

docker run -d --restart unless-stopped --name lumu-acronis-response python-lumu-acronis-response

With this mode, your integration will run every 30 minutes.

Troubleshooting

For troubleshooting purposes, you can run the following commands:

To log in to your container using an interactive shell:

docker exec -it lumu-acronis-response /bin/sh

To collect integration logs:

docker logs -f lumu-acronis-response

Expected results

After running the integration, you can see Lumu IOCs inside the Antivirus & Antimalware Protection and URL filtering packs within the configured Protection plans.

When the devices protected by the Protection plans fed by the integration try to contact an adversary or run a known malicious file, the result will be as follows:

Troubleshooting and known issues

To identify failures in the script execution, use the -v flag. The script execution log will show more detailed information.

The application logs are written to the lumu.log file. The errors.log file stores only the errors, to make them easier to find and to aid the troubleshooting process.

Another instance is running

If you receive the following error:

Stopping the integration 695407, it might have another older instance running, check if is feasible or not
older pid: 695404 - cwd: /home/lumu/Documents/repos/acronis-response - since: 2024-02-26 11:13:15.420000
cmdline: /home/lumu/Documents/repos/acronis-response/venv3109/bin/python /home/lumu/Documents/repos/acronis-response/acronis_lumu.py -c

there could be another instance running. To check this, open the pid.pid file in the integration folder. This file stores the process ID of the instance that is running.
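A pid.pid file can also be left behind when a previous run was killed without cleaning up, in which case the recorded process no longer exists and the file should be removed rather than treated as a live instance. The following Python script is an added example for this article, not code from Lumu's package: it assumes pid.pid contains only the numeric process ID, as the article describes, and that it runs on the Linux script host, where os.kill with signal 0 probes for a process without affecting it. It only removes the file when the process is gone or the content is unreadable; a live process is never touched.

```python
"""Tell whether pid.pid points at a live integration process or a stale run.

Added example for the article above, not code from Lumu's package. It assumes
pid.pid holds just the numeric process ID, as the article describes, and that
the host is the Linux script host (os.kill with signal 0 is the liveness probe).
"""
import os
import subprocess
import sys
import tempfile
from pathlib import Path


def pid_status(pid_file):
    """Return 'absent', 'invalid', 'running' or 'stale' for the given pid file."""
    path = Path(pid_file)
    if not path.exists():
        return "absent"
    try:
        pid = int(path.read_text().strip())
    except ValueError:
        return "invalid"
    if pid <= 0:
        return "invalid"
    try:
        os.kill(pid, 0)            # signal 0 delivers nothing; it only checks existence
    except ProcessLookupError:
        return "stale"             # the recorded process is gone; the lock was left behind
    except PermissionError:
        return "running"           # exists but belongs to another user, so still live
    return "running"


def clear_stale(pid_file):
    """Remove pid.pid only when it is stale or unreadable; return True if removed.

    A 'running' file is never touched: the article's message means a second
    instance would be stepping on a live one, so that needs a human decision.
    """
    status = pid_status(pid_file)
    if status in ("stale", "invalid"):
        Path(pid_file).unlink()
        return True
    return False


def self_check():
    """Exercise every state in a temporary folder; returns the observed statuses."""
    folder = tempfile.mkdtemp(prefix="lumu-pid-")
    pid_file = os.path.join(folder, "pid.pid")
    seen = {"absent": pid_status(pid_file)}
    Path(pid_file).write_text(str(os.getpid()))            # this process is alive
    seen["running"] = pid_status(pid_file)
    seen["kept_running"] = clear_stale(pid_file)
    child = subprocess.Popen([sys.executable, "-c", "pass"])
    child.wait()                                           # child is reaped, its PID is dead
    Path(pid_file).write_text(str(child.pid))
    seen["stale"] = pid_status(pid_file)
    seen["removed_stale"] = clear_stale(pid_file)
    Path(pid_file).write_text("not a pid")
    seen["invalid"] = pid_status(pid_file)
    clear_stale(pid_file)
    os.rmdir(folder)
    return seen


if __name__ == "__main__":
    for state, value in self_check().items():
        print(f"{state}: {value}")
```

Run it from <app_lumu_root> with the real file (pid_status("pid.pid")): "running" means the message above is legitimate and you should wait for or stop the older instance; "stale" means the file can be deleted before the next cron run. The self_check() function builds its own pid.pid in a temporary folder and does not touch the integration's file.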

