The Cortex XDR Custom SecOps Integration allows you to poll and push adversary-related events to your Cortex XDR deployment. After configuring the integration, your Cortex deployment will be able to receive and process Lumu events. Using it lets you see adversarial activity detected by Lumu, giving your Security Operations team more visibility.
SecOps integration between Cortex XDR and Lumu
Allow all the traffic to the following hosts. These are required for the operation of this integration:
<INSTANCE>.xdr.us.paloaltonetworks.com
defender.lumu.io
Once configured, the integration pushes Lumu adversary-related events into your Cortex XDR deployment through the Cortex XDR CEF event API. As part of the integration deployment, you must define an External Alerts Mapping in your Cortex XDR console. After you define the alert mapping, your Cortex XDR deployment will show Lumu detections as alerts.
Before you deploy and implement the Lumu Integration, you must prepare your Cortex XDR deployment to ensure the integration works as expected.
To identify your instance, log in to your Cortex XDR console. Check the URL and extract your instance name. Your Cortex XDR URL looks like <INSTANCE>.xdr.us.paloaltonetworks.com; the <INSTANCE> part is your instance name.
To create a new role, log in to your Cortex XDR console. Go to Settings > Configurations > Access Management > Roles, and follow these steps.
1. Click on the New Role button
2. Fill in the Role Name and Description fields
3. Under the Components tab, go to the CONFIGURATIONS section. Then, change the External Alerts Mapping and Public API items to View/Edit
You need to create an API key dedicated to running the integration script. To create it, go to Settings > Configurations > Integrations > API Keys, and follow these steps.
1. Click on the New Key button
2. Under the Role Name field, select the previously created role
3. Under the Security Level section, select the Standard option
4. Define an expiration date for the key by clicking the Enable Expiration Date checkbox
From the API Keys window, extract the ID number of the created key. This will be needed later.
The integration set-up process requires you to collect the following information from the Lumu portal:
Lumu Defender API key
Company UUID
Log in to your Lumu portal and run the following data collection procedures.
To collect the Lumu Defender API key, refer to the Defender API document.
To collect your Lumu company UUID, log in to your Lumu portal. Once you are in the main window, copy the string below your company name.
There are two environment options for deploying the script; select the one that best fits your current infrastructure.
1. Run it as a Python script by executing the install.sh bash file, which:
   - Creates a Python virtual runtime and installs its dependencies for you
   - Installs the crontab line on the host
2. Run it as a Docker container.
Whichever alternative you select, you need to first unpack the integration package shared by our Support team.
Unpack the deployment package provided by Lumu in your preferred path/folder. Keep in mind this location, as it will be required for further configurations. From now on, we will refer to this folder as <app_lumu_root>.
To set up the integration, you need to add and edit a configuration file. This file contains all the parameters the integration needs to run properly. The configuration file looks as follows:
Within the configuration file, fill in these fields:
From Lumu
COMPANY-UUID: The company UUID collected from the Lumu portal
DEFENDER-KEY: The Lumu Defender API key
From Cortex XDR
INSTANCE-FQDN: Cortex XDR console Fully-Qualified Domain Name. This has the format <hostname>.xdr.<location>.paloaltonetworks.com
API-KEY: Cortex XDR API key
API-KEY-ID: Cortex XDR API key ID extracted from the API Keys window
If Python is your chosen deployment method, you will need to create a virtual environment for each integration to avoid conflicts between integrations and with your operating system tools. Make sure you follow the steps in our Preparing Environment for Custom Integrations article.
To deploy the integration as a script, you need to run the install.sh script inside the integration package.
To run the installation script, go to the <app_lumu_root> folder, then execute this line from the CLI.
The installation script will set up the Python environment and an auxiliary cron job.
To use the script, change to the path selected for deployment (<app_lumu_root>). Use the following command to show the command-line help:
Usage: cortex_lumu.py [options]
Options | Description |
-h, --help | show this help message and exit |
--config CONFIG | CONFIG FILE PATH of the companies(s). (Default: companies.yml) |
-v, --verbose | Verbosity level (Default INFO) |
-l {screen,file}, --logging {screen,file} | Logging option (Default screen) |
--hours HOURS | Database maintenance time (USE IT WITH CAUTION) |
Use the following command to listen to Lumu operational events and forward alerts in your Cortex XDR instance:
The application reads the CONFIG file and keeps the tickets/incidents from the preceding HOURS hours, 720 (30 days) by default.
Use the option --logging=file to store a record of all tasks run by the script. With this option, all the script output is redirected to a file named lumu.log in the folder where you deployed the script.
The above samples can be combined according to your needs.
To identify failures in the script execution, use the -v flag to activate DEBUG logs.
The application runs one instance at a time. The script blocks additional attempts to run the same integration while one is already running. In that case, the following message appears.
Stopping the integration 240023, it might have another older instance running, check if is feasible or not
cmdline: /home/lumu/Documents/repos/lumu-cortex-xdr/venv31013/bin/python /home/lumu/Documents/repos/lumu-cortex-xdr/cortex_lumu.py
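The single-instance guard described above, as an added example that is not the Lumu integration's own code: it shows one common way to enforce "one running instance per integration" with an advisory flock() on a lock file that also records the owning PID, so the refusal message can name the older instance. It assumes a Linux or other POSIX host (fcntl.flock) and a lock file path of your choosing; the default path below is a placeholder.

```python
"""Single-instance guard for a scheduled integration script (added example).

Not code from the Lumu package. Demonstrates the behaviour the page describes:
a second run of the same integration is stopped while an older one is alive.
Assumes a POSIX host; the lock path is a placeholder.
"""
import fcntl
import os
import sys
from typing import Optional, TextIO


def acquire_single_instance_lock(lock_path: str) -> Optional[TextIO]:
    """Try to become the only running instance for lock_path.

    Returns an open file handle that must stay open for the life of the
    process (closing it releases the lock), or None when another instance
    already holds the lock. The lock is advisory and released by the kernel
    if the owner dies, so a stale lock file never blocks the next cron run.
    """
    fh = open(lock_path, "a+")  # create if missing; never truncate another's PID
    try:
        fcntl.flock(fh.fileno(), fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        fh.close()
        return None
    # We own the lock: record our PID so the refusal message can cite it.
    fh.seek(0)
    fh.truncate()
    fh.write(str(os.getpid()))
    fh.flush()
    return fh


def read_lock_owner(lock_path: str) -> Optional[int]:
    """Return the PID recorded in the lock file (diagnostic only), if any."""
    try:
        with open(lock_path) as fh:
            text = fh.read().strip()
    except FileNotFoundError:
        return None
    return int(text) if text.isdigit() else None


def release_single_instance_lock(fh: TextIO) -> None:
    """Release the lock explicitly at clean shutdown."""
    fcntl.flock(fh.fileno(), fcntl.LOCK_UN)
    fh.close()


def main(lock_path: str = "/tmp/cortex_lumu_example.lock") -> int:
    """Exit 1 with a diagnostic when an older instance is still running."""
    lock = acquire_single_instance_lock(lock_path)
    if lock is None:
        owner = read_lock_owner(lock_path)
        print(f"Stopping the integration: another instance (pid {owner}) "
              "may still be running", file=sys.stderr)
        return 1
    try:
        print(f"lock held by pid {os.getpid()}; running integration work")
        return 0
    finally:
        release_single_instance_lock(lock)


if __name__ == "__main__":
    sys.exit(main())
```

Because flock() is tied to the open file description, the lock disappears automatically if the process is killed, which is the property you want for a cron-driven job; a plain PID file would need extra liveness checks.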
The integration can be deployed in a Docker environment. To do so, run the following commands from the integration folder:
1. Build the Docker image
2. Create and run the Docker container
For troubleshooting purposes, you can run the following commands:
To log in to your container using an interactive shell:
To collect integration logs:
Once the integration starts running, a test alert is pushed to Cortex XDR. You must use this alert to configure the External Alert Mapping for Lumu alerts. To configure it, log in to your Cortex XDR web console and go to Settings > Configurations > Data Collection > External Alert Mapping. Follow these steps:
1. Look for the Lumu Lumu row and right-click on it. Then, click on the Filter and Map option
2. On the Lumu screen, you will see the sample alert. Click on the Next button.
3. Fill in the mapping fields according to the following table
Field | Value | Notes |
Name | Lumu Alerts Mapping | |
Description | [Optional] | |
Timestamp | timestamp | Cortex XDR will ask for a value conversion. Leave it as it is and click on the Apply button. |
Severity | Severity | Map the values using this guide: Critical: Critical, High: High, Medium: Medium, Low: Low |
Alert Name | Name | |
Source IP | source_ip | |
Description | description | |
External Id | external_id | |
Category | category | |
Action | action | Map the values using this guide: Reported: Reported, Blocked: Blocked |
Hostname | hostname | |
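The field and value mapping above, worked through in code as an added example (not code from the Lumu integration package or from Cortex XDR): it applies the page's Cortex XDR field to Lumu field table and the Severity and Action value maps, and refuses any event whose values fall outside those maps so that nothing unmapped lands in the Alerts table. The CEF serialisation at the end illustrates delimiter escaping for the CEF event API mentioned earlier; its header layout, the numeric severity scale, the extension key names and the version string are assumptions, and the sample event is constructed.

```python
"""Map a Lumu alert onto the Cortex XDR External Alert Mapping fields.

Added example, not code from the Lumu integration or Cortex XDR. Field table
and value maps come from the page; CEF layout, numeric severity scale,
extension keys and the version string are assumptions.
"""
from datetime import datetime

# Cortex XDR mapping field -> key in the Lumu alert, as listed on the page
FIELD_MAP = {
    "Timestamp": "timestamp",
    "Severity": "Severity",
    "Alert Name": "Name",
    "Source IP": "source_ip",
    "Description": "description",
    "External Id": "external_id",
    "Category": "category",
    "Action": "action",
    "Hostname": "hostname",
}
# Value maps from the page: each Lumu value maps to the same Cortex XDR value
SEVERITY_MAP = {"Critical": "Critical", "High": "High", "Medium": "Medium", "Low": "Low"}
ACTION_MAP = {"Reported": "Reported", "Blocked": "Blocked"}
# Assumed numeric CEF severity (0-10) for the CEF header field
CEF_SEVERITY = {"Low": 3, "Medium": 5, "High": 8, "Critical": 10}

# Constructed sample alert; values are invented, not captured from Lumu
SAMPLE_EVENT = {
    "timestamp": "2024-01-15T10:20:30Z",
    "Severity": "High",
    "Name": "Contact with adversary domain",
    "source_ip": "10.0.0.25",
    "description": "Endpoint queried a domain flagged by Lumu",
    "external_id": "evt-0001",
    "category": "Malware",
    "action": "Reported",
    "hostname": "ws-finance-07",
}


def map_lumu_alert(event: dict) -> dict:
    """Return the alert keyed by Cortex XDR field names, or raise ValueError."""
    mapped = {}
    for cortex_field, lumu_key in FIELD_MAP.items():
        if lumu_key not in event:
            raise ValueError(f"Lumu alert is missing field {lumu_key!r}")
        mapped[cortex_field] = event[lumu_key]
    # Apply the value maps and refuse anything outside them, rather than
    # letting an unknown severity or action silently become an unmapped alert.
    severity, action = mapped["Severity"], mapped["Action"]
    if severity not in SEVERITY_MAP:
        raise ValueError(f"unmapped Severity value {severity!r}")
    if action not in ACTION_MAP:
        raise ValueError(f"unmapped Action value {action!r}")
    mapped["Severity"] = SEVERITY_MAP[severity]
    mapped["Action"] = ACTION_MAP[action]
    # Timestamp must parse as ISO 8601; the value itself is kept unchanged
    # because the console performs the value conversion on its side.
    datetime.fromisoformat(str(mapped["Timestamp"]).replace("Z", "+00:00"))
    return mapped


def _cef_header(value) -> str:
    """Escape backslash and pipe, the reserved characters in CEF header fields."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _cef_extension(value) -> str:
    """Escape backslash and equals in extension values; flatten line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", " ").replace("\n", " "))


def to_cef(mapped: dict) -> str:
    """Serialise a mapped alert as one CEF:0 line (assumed layout)."""
    header = "|".join([
        "CEF:0", "Lumu", "Lumu", "1.0",  # vendor/product follow the row name; version is a placeholder
        _cef_header(mapped["Category"]),
        _cef_header(mapped["Alert Name"]),
        str(CEF_SEVERITY[mapped["Severity"]]),
    ])
    extension = {
        "rt": mapped["Timestamp"],
        "src": mapped["Source IP"],
        "shost": mapped["Hostname"],
        "externalId": mapped["External Id"],
        "act": mapped["Action"],
        "msg": mapped["Description"],
    }
    return header + "|" + " ".join(f"{k}={_cef_extension(v)}" for k, v in extension.items())


if __name__ == "__main__":
    print(to_cef(map_lumu_alert(SAMPLE_EVENT)))
```

The escaping matters because alert names and descriptions carry attacker-influenced strings (domain names, URLs); an unescaped pipe or equals sign would shift fields in the CEF record and could make an alert appear under the wrong name or severity in the console.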
After running the script, you will see the Lumu-related events (alerts) in the Alerts Table section.
If any of these alerts result in incident creation, the incidents can be seen in the Incidents section.