To use the Harmony Email & Collaboration API, you need an
Application ID
and a
Secret key
. If you were not provided with them when you sign-up to the service, please contact
Check Point support
. You must include in your request the portal name. This can be collected after logging in to your Check Point portal, hovering over a link, and checking the status bar of your browser.
First, contact the Lumu support team to request the deployment package.
Unpack the deployment package provided by Lumu in your preferred path/folder. Keep in mind this location, as it will be required for further configurations. From now on, we will refer to this folder as <harmony_lumu_root> .
In the package, you will find the script required to run the integration. To use the script, you must locate yourself on the path selected for deployment ( <harmony_lumu_root> ). Specific directions are included in the next sections.
The file requirements.txt contains the list of requirements for this integration. After deploying the package locally, run the following command from the deployment folder:
To use the script, you must locate yourself on the path selected for deployment ( <harmony_lumu_root> ). Use the following command to show all options available for the package:
Usage: harmony_lumu.py [options]
Options |
Description |
-h, --help |
show this help message and exit |
--config CONFIG |
Load options from config file |
--company-key COMPANY_KEY --company_key COMPANY_KEY
|
Lumu Company Key (Defender API). |
--proxy-host PROXY_HOST --proxy_host PROXY_HOST |
Proxy host (if required) |
--proxy-port PROXY_PORT --proxy_port PROXY_PORT |
Proxy port (if required) |
--proxy-user PROXY_USER --proxy_user PROXY_USER |
Proxy user (if required) |
--proxy-password PROXY_PASSWORD --proxy_password PROXY_PASSWORD |
Proxy password (if required) |
--logging {screen,file} |
Logging option (default screen). |
--verbose, -v |
Verbosity level. |
--adversary-types {C2C,Malware,DGA,Mining,Spam,Phishing} --adversary_types {C2C,Malware,DGA,Mining,Spam,Phishing} |
Lumu adversary types to be filtered. |
--days DAYS |
The number of days backward from now to query Lumu incidents (default 30). |
--test, -t |
Runs a test with one incident only. |
--clean |
Cleans all rules and objects created by the Lumu integration. |
--application-id APPLICATION_ID --application_id APPLICATION_ID |
Check Point Harmony Email & Collaboration application ID. |
--secret-key SECRET_KEY --secret_key SECRET_KEY |
Check Point Harmony Email & Collaboration secret key. |
--region {USA,Europe,Canada,Australia} |
Check Point Harmony Email & Collaboration region code (default USA). |
--threaded |
Set if you want the integration to operate with multi-threading. |
--threads THREADS |
Number of threads to use for the multi-threaded mode USE WITH CAUTION (default 20). |
--timeout TIMEOUT |
Indicates to the Harmony client the number of seconds to wait for a response (default 3.0 seconds) |
--ioc-types {url,hash} --ioc_types {url,hash} |
IOC types to be collected and processed by the integration. |
--base-name BASE_NAME --base_name BASE_NAME |
Harmony blacklist comment (default Lumu IOC). |
Use the following command to fetch and push to Harmony Email & Collaboration URLs and hashes IOCs related to incidents found in your organization by Lumu in the last 30 days:
python harmony_lumu.py --application-id <harmony_application_id> --secret-key <harmony_seret_key> --company-key <lumu_company_key>
|
The integration creates new blocklist entries in the Anti-Phishing Block-list module. All the blocklists uploaded will have the comment Lumu IOC for easier identification.
To push a specific type of IOCs (URLs or hashes) to your Harmony Email & Collaboration subscription, use the argument --ioc-types IOC_TYPE . IOC_TYPE can have the value url , or hash :
This example will push URLs IOCs in the blocklist items added to Harmony .
Use the following command to fetch and push to your Harmony Email & Collaboration subscription IOCs related to incidents found in your organization by Lumu with contacts in the last X days.
python harmony_lumu.py --application-id <harmony_application_id> --secret-key <harmony_seret_key> --company-key <lumu_company_key> --days X
|
By default, the script queries open and closed incidents of all adversary types (Phishing, Malware, DAG, Spam, others). If you need to collect specific types of incidents, you can use the argument --adversary-types ADVERSARY_TYPE . If you need to get two or more adversary types, you only need to append a new instance of the argument.
python harmony_lumu.py --application-id <harmony_application_id> --secret-key <harmony_seret_key> --company-key <lumu_company_key> --adversary-types Phishing --adversary-types Malware
|
In this example, the adversary types queried are Phishing and Malware .
To accelerate the integration process, the script supports a multi-threaded mode. This is useful if you have to operate with multiple IOCs at a time. To run the integration in this mode, append the flag --threaded to the command line.
python harmony_lumu.py --application-id <harmony_application_id> --secret-key <harmony_seret_key> --company-key <lumu_company_key> --threaded
|
If you need to delete all objects created by this integration in your Harmony Email & Collaboration subscription, use the --clean flag with the authentication arguments.
python harmony_lumu.py --application-id <harmony_application_id> --secret-key <harmony_seret_key> --company-key <lumu_company_key> --clean
|
By default, you will see the execution log on the screen console. Use the argument --logging file to store a record of all tasks run in the lumu.log file in the script root path.
python harmony_lumu.py --application-id <harmony_application_id> --secret-key <harmony_seret_key> --company-key <lumu_company_key> --logging file
|
This file is useful for scheduled tasks or processes running in the background. When you open this file, you will see the following. The information displayed aids in checking the execution progress.
You can run the integration using a configuration file where you can save the required arguments in form of <argument_name>=<value> , one argument per line. In the integration root path, save a file named .config with your configuration. Following, you have a sample of the format of the file.
- ## Configuration file # Lumu company_key=<lumu-company-key> # Harmony application_id=<harmony-application-id> secret_key=<secret-key> # Misc # Optional parameters ioc-types=<ioc_type1> # Logging logging=file
According to your needs, you can combine the examples shown.
All the uploaded IOCs in form of blocklists will appear in the
Anti-Phishing Block-List
module under the Harmony Email & Collaboration configuration.
After the IOCs are uploaded in your Harmony Email & Security subscription, further events will be detected and marked as
Phishing
attempts in the Check Point portal.
The uploaded IOCs will enhance the current visibility of your Harmony Email & Collaboration subscription. All detections must be addressed according to your policies.
To run the script on a timely basis, consider implementing a Scheduled task in Windows or a Cron task in Unix-based systems. If you are pushing hashes, the integration could take longer to run. We recommend that the scheduled job runs every 30 minutes.
Following, you have an example of how this Cron job should look using the recommended time.
*/30 * * * * python3 harmony_lumu.py --application-id <harmony_application_id> --secret-key <harmony_seret_key> --company-key <lumu_company_key>
|
It’s recommended to add the --logging file argument to any scheduled task. It will record all the output in the log file for further reference. If you have created a configuration file, your crontab entry doesn’t need any arguments. It should look as follows:
If you need to work with another scheduling time, you can use the crontab guru service.
To avoid race conditions, you can run only one instance. If you have one running, the second one will be canceled immediately.
To identify failures in the script execution, use the -v flag. The script execution log will show more detailed information.
If you receive the following error.
There could be another instance running. To check this, open the
pid.pid
file in the integration’s folder. This file stores the process id if it’s running. Search for this process in your system. The following pictures show the process in Windows and Linux.
If the previous validation indicates that another instance is running, please, check its progress using the integration’s log lumu.log.