This article shows how to leverage the Lumu Defender API and Barracuda CloudGen Firewall API to mitigate security risks.
Response integration between Barracuda CloudGen Firewall and Lumu
The integration leverages the Custom External Network Objects feature of the Dynamic Network Objects module, which supports IP addresses, to manage the IP addresses related to Lumu-detected adversarial contacts. You then attach the Lumu-related custom external object to an Access Rule in the Forwarding Firewall configuration section.
Follow these steps to set up your Barracuda console for Lumu integration.
We encourage you to create a dedicated manager account for the integration. To create it, follow these steps inside your Barracuda Firewall Admin console:
1. Go to CONFIGURATION in the navigation menu. Click on the Box menu (the one with the appliance icon)
2. Double-click on Administrators
3. In the Administrators tab, click on the Accounts menu on the left
4. Click Lock, then click on the Plus sign to create the user. Fill in the required data by following these guidelines:
   a. Give the user a distinctive name
   b. Assign it the Manager role
   c. Select No OS Login under the System Level Access field
   d. Set its Authentication Level to Password
   e. Select Against Local Password as the Password Validation method
   f. Fill in the password
   g. (Recommended) Set the IP that will be used by the integration component under the Peer IP Restriction section
5. Save your integration user by clicking the OK button. Then click on Send Changes, and finally on Activate
To enable the REST API Service, follow these steps inside your Barracuda Firewall Admin console:
1. Go to CONFIGURATION in the navigation menu. Click on the Box menu (the one with the appliance icon)
2. Double-click on Infrastructure Services > Rest API Service
3. In the Rest API Service tab, click on the General menu on the left
4. In the HTTPS Interface section, set the following:
   a. Mark the Enable HTTPS Interface check
   b. Mark the Bind to Management IPs check
   c. (Optional) Change the HTTPS Port
   d. Generate a Private Key and an Explicit Certificate by clicking on the gear icon next to each item
5. Save your configuration by clicking on Send Changes. Then click on Activate
For further reference, check Barracuda's documentation.
You can authenticate API calls by generating and assigning tokens to users. To generate the token, follow these steps inside your Barracuda Firewall Admin console:
1. Go to CONFIGURATION in the navigation menu. Click on the Box menu (the one with the appliance icon)
2. Double-click on Infrastructure Services > Rest API Service
3. In the REST API Service tab, click on the Access Tokens menu on the left
4. Click Lock, then click on the Plus sign to create a new Access Token associated with the integration user created above
5. Click on the Generate new token button. Fill in the Time to live fields with the number of days you want. Copy the access token for further reference. Finally, click on the OK button
6. Click on Send Changes. Finally, click on Activate
Barracuda CloudGen Firewall provides 4 Custom External Network Objects. Select one to be managed exclusively by the integration for Lumu-related IOCs. Do not manage the selected object by any other means, including the SSH console; doing so could overwrite its contents and cause other unexpected behavior.
To collect the Lumu Defender API key, please refer to the Defender API document.
To collect your Lumu company UUID, log in to your Lumu portal. Once you are in the main window, copy the string below your company name.
The companies file defines how the integration connects to Lumu and extracts incident information together with the related indicators of compromise.
```yaml
- lumu:
    uuid: "<COMPANY-UUID>"
    name: "<COMPANY-NAME>"            # optional
    contact_name: "<CONTACT_NAME>"    # optional
    contact_email: "<CONTACT_EMAIL>"  # optional
    defender_key: "<DEFENDER_API_KEY>"
    hash_type: "<HASH_ALG>"           # sha256 | sha1 | md5
    ioc_types:                        # list of ioc types, option one, many or all
      - ip
      - domain
      - url
      - hash
    adversary:                        # list of adversary types, option one, many or all
      - C2C
      - Malware
      - Mining
      - Spam
      - Phishing
    days: 30                          # MIN 1, MAX 30
```
Within this file, the COMPANY_UUID and DEFENDER_API_KEY fields are mandatory; use the values captured in the previous steps. The ioc_types values must match the IOC types required by the integration, which in this case is ip.
The integration file contains the information required for the integration to connect and interact with your deployment:
```yaml
- lumu:
    uuid: "<COMPANY_UUID>"
    adversaryTypes: [ "C2C", "Malware", "Mining", "Spam", "Phishing" ]  # ["C2C", "Malware", "Mining", "Spam", "Phishing"]
    days: 10                          # INTEGER = get incidents from X days of the ioc manager local db
  app:
    name: <Unique-Name>
    CustomExternalNetworkObjects: 1   # Range [1 - 4]
    clean: false                      # true | false
    ioc: [ ip ]
    max: 1000                         # [0 - 1000]
  api:
    server: "<IP/HOSTNAME:PORT>"
    # username: "<USERNAME>"
    password: "<PASSWORD>"            # password OR token OR both
    token: "<TOKEN>"                  # password OR token OR both
```
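Both templates above carry constraints that are easy to get wrong (placeholders left in, ioc_types without ip, days outside 1-30, a custom object index outside 1-4, neither password nor token set). The following added example is not part of the Lumu integration package; it validates the companies and integrations entries as Python dicts in the shape a standard YAML loader (for example PyYAML's safe_load) returns for each file. The sample entries, the UUID, key and token values are constructed for demonstration only.

```python
"""Validate companies.yml and integrations.yml entries for the Lumu/Barracuda integration.

Added example, not the integration's own code. Input dicts have the shape
yaml.safe_load returns for the templates in the article (assumption).
"""
import re

VALID_HASH_TYPES = {"sha256", "sha1", "md5"}
VALID_IOC_TYPES = {"ip", "domain", "url", "hash"}
VALID_ADVERSARIES = {"C2C", "Malware", "Mining", "Spam", "Phishing"}
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def _is_placeholder(value):
    """Template values such as "<COMPANY-UUID>" were never filled in."""
    return not value or str(value).startswith("<")


def validate_company(entry):
    """Return the list of problems in one companies.yml entry (empty list means OK)."""
    problems = []
    lumu = entry.get("lumu", {})
    uuid = lumu.get("uuid")
    if _is_placeholder(uuid):
        problems.append("lumu.uuid is mandatory")
    elif not UUID_RE.match(str(uuid)):
        problems.append("lumu.uuid is not a UUID")
    if _is_placeholder(lumu.get("defender_key")):
        problems.append("lumu.defender_key is mandatory")
    if lumu.get("hash_type") not in VALID_HASH_TYPES:
        problems.append("lumu.hash_type must be sha256, sha1 or md5")
    ioc_types = set(lumu.get("ioc_types") or [])
    if not ioc_types <= VALID_IOC_TYPES:
        problems.append(f"unknown ioc_types: {sorted(ioc_types - VALID_IOC_TYPES)}")
    if "ip" not in ioc_types:
        problems.append("ioc_types must include ip for the Barracuda integration")
    adversaries = set(lumu.get("adversary") or [])
    if not adversaries <= VALID_ADVERSARIES:
        problems.append(f"unknown adversary types: {sorted(adversaries - VALID_ADVERSARIES)}")
    days = lumu.get("days")
    if not isinstance(days, int) or not 1 <= days <= 30:
        problems.append("lumu.days must be an integer between 1 and 30")
    return problems


def validate_integration(entry):
    """Return the list of problems in one integrations.yml entry (empty list means OK)."""
    problems = []
    lumu, app, api = entry.get("lumu", {}), entry.get("app", {}), entry.get("api", {})
    if _is_placeholder(lumu.get("uuid")):
        problems.append("lumu.uuid is mandatory")
    unknown = set(lumu.get("adversaryTypes") or []) - VALID_ADVERSARIES
    if unknown:
        problems.append(f"unknown adversaryTypes: {sorted(unknown)}")
    obj = app.get("CustomExternalNetworkObjects")
    if not isinstance(obj, int) or not 1 <= obj <= 4:
        problems.append("app.CustomExternalNetworkObjects must be between 1 and 4")
    if app.get("ioc") != ["ip"]:
        problems.append("app.ioc must be [ ip ]: the custom external object holds IP addresses only")
    maximum = app.get("max")
    if not isinstance(maximum, int) or not 0 <= maximum <= 1000:
        problems.append("app.max must be between 0 and 1000")
    if not isinstance(app.get("clean"), bool):
        problems.append("app.clean must be true or false")
    if _is_placeholder(api.get("server")):
        problems.append("api.server is mandatory")
    if _is_placeholder(api.get("password")) and _is_placeholder(api.get("token")):
        problems.append("api needs a password, a token, or both")
    return problems


def validate_all(companies, integrations):
    """Validate every entry of both files; return {entry label: problems} for failing entries only."""
    report = {}
    for i, entry in enumerate(companies):
        if validate_company(entry):
            report[f"companies[{i}]"] = validate_company(entry)
    for i, entry in enumerate(integrations):
        if validate_integration(entry):
            report[f"integrations[{i}]"] = validate_integration(entry)
    return report


# Constructed sample entries; the UUID, key and token are not real credentials.
SAMPLE_COMPANY = {"lumu": {
    "uuid": "12345678-abcd-4ef0-9abc-0123456789ab", "defender_key": "example-defender-key",
    "hash_type": "sha256", "ioc_types": ["ip"], "adversary": ["C2C", "Malware"], "days": 30}}
SAMPLE_INTEGRATION = {
    "lumu": {"uuid": "12345678-abcd-4ef0-9abc-0123456789ab", "adversaryTypes": ["C2C"], "days": 10},
    "app": {"name": "lumu-barracuda", "CustomExternalNetworkObjects": 1, "clean": False,
            "ioc": ["ip"], "max": 1000},
    "api": {"server": "192.0.2.10:8443", "token": "example-token"}}

if __name__ == "__main__":
    print(validate_all([SAMPLE_COMPANY], [SAMPLE_INTEGRATION]) or "both files look consistent")
```

Run it before the first execution of the integration: an empty report means every mandatory field is filled and every range matches the template comments; otherwise each listed problem names the field to correct.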
If Python is your chosen deployment method, you will need to create a Virtual environment for each integration to avoid conflicts between them and your operating system tools. Make sure you follow the steps in our Preparing Environment for Custom Integrations article.
| Option | Description |
|---|---|
| -h, --help | Show this help message and exit |
| --config CONFIG | Default: integrations.yml. Path of the companies configuration file; follow the YML template above |
| --ioc-manager-db-path IOC_MANAGER_DB_PATH | Default path: ./ioc.db. Path where the integration reads the Lumu incidents |
| --logging {screen,file} | Logging option (default: screen) |
| --verbose, -v | Verbosity level |
| --hours HOURS | Keep local DB log records from the last HOURS hours (automatic maintenance of the local database) |
To query all the hashes related to Lumu incidents triggered in the days defined in your configuration files, run the following command.
By default, the integration script queries incidents related to all adversary types. If you need to restrict the query to specific adversary types, set the adversaryTypes parameter inside your integrations.yml file and run the command as follows:
To clean the existing records in Barracuda, set the clean flag in the integrations.yml file to true.
Then, run the integration script as follows:
You can combine the examples shown according to your needs. Adding the --logging {file,screen} and --verbose arguments gives a better picture of what might be going wrong.
If you have a Docker environment, you can run the integration as a Docker container. To deploy and run it, change to the <app_lumu_root> folder and follow these instructions:
1. Build the container by running the following command.
2. Run the container by using the following command.
With this mode, your integration will run every 5 minutes.
For troubleshooting purposes, you can run the following commands:
To log in to your container using an interactive shell:
To collect integration logs:
After running the integration, you will see new items in the Dynamic Network Objects section if any detection with related IP addresses occurred.
To identify failures in the script execution, use the -v flag. The script execution log will show more detailed information.
The application logs will be redirected to the lumu.log file. The file errors.log stores only the errors to make them easier to find and aid the troubleshooting process.
If you receive the following error:
Another instance may be running. To check, open the pid.pid file in the integration folder; it stores the process ID of the instance that is running.
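The check described above can be automated. This added helper is not part of the Lumu integration package; it reads the pid.pid file the article mentions and tells the "stale file left by a crashed run" case apart from "another instance really is running". It assumes a POSIX host, where sending signal 0 only tests for the process's existence (on Windows os.kill would terminate the process, so the helper refuses to run there).

```python
"""Report whether pid.pid points at a live integration process.

Added example, not the integration's own code. Assumes the integration writes
its PID to pid.pid in the integration folder, as the article states, and a
POSIX host where os.kill(pid, 0) only checks that the process exists.
"""
import os
import tempfile
from pathlib import Path


def pid_file_status(pid_path="pid.pid"):
    """Return (status, pid): status is missing, invalid, stale or running."""
    if os.name != "posix":
        raise NotImplementedError("os.kill(pid, 0) is a safe existence check only on POSIX")
    path = Path(pid_path)
    if not path.exists():
        return "missing", None
    text = path.read_text(encoding="utf-8").strip()
    if not text.isdigit():
        return "invalid", None
    pid = int(text)
    try:
        os.kill(pid, 0)            # signal 0: nothing is delivered, existence is checked
    except ProcessLookupError:
        return "stale", pid        # leftover from a run that died without cleaning up
    except PermissionError:
        return "running", pid      # process exists but belongs to another user
    return "running", pid


def explain(status, pid):
    """Human-readable next step for each status."""
    messages = {
        "missing": "no pid.pid file: no other instance is running",
        "invalid": "pid.pid does not contain a process id; remove the file and run again",
        "stale": f"pid.pid points to PID {pid}, which no longer exists; remove the file and run again",
        "running": f"another instance (PID {pid}) is still running; wait for it to finish or stop it",
    }
    return messages[status]


def self_check():
    """Exercise the deterministic cases in a temporary folder (constructed inputs)."""
    with tempfile.TemporaryDirectory() as folder:
        pid_file = Path(folder) / "pid.pid"
        missing = pid_file_status(pid_file)[0]
        pid_file.write_text(str(os.getpid()), encoding="utf-8")   # our own PID is alive
        running = pid_file_status(pid_file)[0]
        pid_file.write_text("not-a-pid", encoding="utf-8")
        invalid = pid_file_status(pid_file)[0]
    return missing, running, invalid


if __name__ == "__main__":
    status, pid = pid_file_status()
    print(explain(status, pid))
```

Run it from the integration folder; a "stale" result means the previous run did not clean up and the file can be removed, while "running" means the error is genuine and the earlier instance should be left to finish.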
Now that the integration manages IP IOCs in the selected Custom External Object, you must create a new Forwarding Rule that blocks all traffic to those destinations. Follow these steps in your Barracuda Admin console to create a blocking forwarding rule at the top of your firewall configuration:
1. Go to CONFIGURATION in the navigation menu. Click on the Box menu (the one with the appliance icon)
2. Double-click on Assigned Services > NGFW (Firewall) > Forwarding Rules
3. Click on the Access Rules menu on the left
4. Click Lock, then click on the Plus sign to create a new Forwarding Rule. Fill in the rule data by following these guidelines:
   a. Select Block in the Action field
   b. Select Any as the Source
   c. Select Any in the Service field
   d. Select the Custom External Object group managed by the integration as the Destination
5. Click on the OK button
6. Make sure your new rule is at the top of your configuration. If not, move it by dragging and dropping it to the top of your configuration
7. Click on Send Changes. Then, click on Activate