This article shows how to leverage the Lumu Defender API and Meraki Dashboard API to mitigate security risks.
Figure 1 - Response setup leveraging Lumu detections with Meraki Dashboard
To enable access to Cisco Meraki Dashboard API, please refer to Cisco Meraki Dashboard API
You need to identify the Meraki organization’s and network’s name. These parameters are required to deploy the integration script. Please log in to your Meraki Dashboard instance, and use the left navigation bar to identify both.
Figure 2 - Meraki Dashboard Network and Organization
First, contact the Lumu support team to request the deployment package.
Unpack the deployment package provided by Lumu in your preferred path/folder. Keep in mind this location, as it will be required for further configurations. From now on, we will refer to this folder as <meraki_lumu_root>.
In the package, you will find the scripts required to run the integration. To use the scripts, you must locate yourself on the path selected for deployment (<meraki_lumu_root>). Specific directions are included in the next sections.
The file requirements.txt contains the list of requirements for this integration. After deploying the package locally, run the following command from the deployment folder:
To use the script, you must locate yourself on the path selected for deployment (<meraki_lumu_root>). Use the following command to show all options available for the package:
Options |
Description |
-h, --help
|
show this help message and exit
|
--config CONFIG
|
Load options from config file
|
--company-key COMPANY_KEY
--company_key COMPANY_KEY
|
Lumu Company Key (Defender API).
|
--proxy-host PROXY_HOST
--proxy_host PROXY_HOST
|
Proxy host (if required)
|
--proxy-port PROXY_PORT
--proxy_port PROXY_PORT
|
Proxy port (if required)
|
--proxy-user PROXY_USER
--proxy_user PROXY_USER
|
Proxy user (if required)
|
--proxy-password PROXY_PASSWORD
--proxy_password PROXY_PASSWORD
|
Proxy password (if required)
|
--logging {screen,file}
|
Logging option (default screen).
|
--verbose, -v
|
Verbosity level.
|
--api-key API_KEY
--api_key API_KEY
|
Meraki dashboard API key.
|
--organization ORGANIZATION
|
Meraki organization to operate with.
|
--network NETWORK
|
Meraki network to operate with.
|
--feature {L3Rule,URL}
|
Meraki features to feed IOCs to: L3Rule,URL (Default "all" - L3 rules will not include hosts).
|
--adversary-types {C2C,Malware,DGA,Mining,Spam,Phishing}
--adversary_types {C2C,Malware,DGA,Mining,Spam,Phishing}
|
Lumu adversary types to be filtered.
|
--days DAYS
|
The number of days backward from now to query Lumu incidents.
|
--clean
|
Cleans all rules and objects created by the Lumu integration.
|
Use the following command to fetch and push to Meraki layer 3 rule and URL patterns of the Content filtering configuration all the IOCs (IP, URLs) related to open incidents found in your organization by Lumu:
After the integration has run, you will see a new layer 3 rule (without hosts) and new URL patterns inside the Content filtering configuration.
NOTE: URL patterns will be added instead of hosts in the layer 3 rule . The layer 3 rule will appear at the beginning of all the rules.
Use the following command to fetch and push to Meraki layer 3 rules and URL patterns of the Content filtering configuration all IOCs related to open incidents detected in your organization by Lumu with contacts in the last X days.
NOTE: All previously pushed IOC to Meraki configuration will be replaced, even if they correspond to incidents with contacts before X days.
If you need to create only a Layer 3 rule or feed URL patterns in the Content filtering configuration, you can use the argument --feature L3Rule to add a Layer 3 rule or --feature URL to add URL patterns .
NOTE: The integration will delete previous changes to the configuration. If you have added a Layer 3 rule and try to add just URL patterns, the integration will delete the Layer 3 rule from the Meraki configuration.
By default, the script queries open incidents of all adversary types (Phishing, Malware, DAG, Spam, others). If you need to collect specific types of incidents, you can use the argument --adversary-types ADVERSARY_TYPE . If you need to indicate two or more adversary types, you only need to append a new instance of the parameter.
In this example, the adversary types queried are Phishing and Malware.
If you need to clean all the configuration changes made by previous executions of the integration, use the flag --clean as follows:
The integration script will delete all the configurations made in previous executions preserving others not written by it.
By default, you will see the execution log on the screen console. Use the argument --logging file to store a record of all tasks run in the lumu.log file in the script root path.
This file is useful for scheduled tasks or processes running in the background. When you open this file, you will see the following. This aids you to check the execution progress.
Figure 3 - Lumu integration’s log file
The above samples can be combined according to your needs.
After the integration’s execution, the Firewall configuration page and the Content filtering page will be populated with a new L3 rule and a list of URL patterns.
Figure 4 - Meraki Firewall configuration page
To run the script on a timely basis, consider implementing a Scheduled task in Windows or a Cron task in Unix-based systems. If you are pushing hashes, the integration could take longer to run. We recommend that the scheduled job runs every 30 minutes.
To avoid race conditions, you can run only one instance of the integration at the same time. If there is another instance running, the second one will be terminated immediately.
To identify failures on the script, please use the -v flag. This will allow you to identify failures in the script execution.
If you receive the following error.
Figure 6 - Check integration process - Linux
If the previous validation indicates that another instance of the integration is running, please, check the progress of the execution using the integration’s log lumu.log .