Kaspersky Endpoint Security On-Premise Custom Response Integration

Kaspersky Endpoint Security On-Premise Custom Response Integration

This article shows how to leverage Kaspersky Endpoint Security, also known as KES, through its Kaspersky Security Center (KSC) Web Console and Lumu Defender API to enhance your Response capabilities.

Response integration between Kaspersky Endpoint Security and Lumu

Requirements

  • Kaspersky Security Center deployment
    • A Kaspersky Security Center server with versions 14.X up to 15.1.X. This deployment must have the following:
      • Web Console enabled
      • Kaspersky Endpoint Security for Windows plug-in and Web plug-in on version 12.3.0 or above
      • A Kaspersky endpoint policy for Windows and its child Web control rule
      • An Application Category Entry to feed SHA256 hashes.
Notes
Currently, the integration is not tested with other Web console versions besides the ones indicated before.. We cannot guarantee correct integration operation with this console version.
Notes
This integration works with Windows devices exclusively.
  • Lumu Defender API key
    • To retrieve an API token, please refer to the Defender API document.
  • Script host.
    • A scripting host is required to deploy the integration. This host must have Internet visibility over Lumu Defender API endpoints and KSC Win Server. According to the deployment model you select, you will need a host with:
      • A Linux-based distro: Ubuntu 20.04 or 22.04 is recommended
      • More than 4GB RAM 
      • APT packet manager (some packages might require SUDO access)
      • Python 3.10 or Python 3.12
      • Docker Engine for container-like deployment (If either Python 3.10 or Python 3.12 is not your default version)

Contacted hosts

For the integration to function properly, you must allow all traffic to the following web hosts:
  • KSC IP-Domain Server
  • defender.lumu.io

Integration overview

Kaspersky Security Center integration works by managing the content of these policy objects:
  • A Web control policy belonging to a Device policy
  • An application category
The KES custom response integration feeds IOCs (IPs, domains, and URLs) into the Web control policy. To avoid redundancy, when a parent IOC already exists inside the Web control policy, children IOCs (IOCs with the same base) will not be accepted.
  • For instance, if the parent IOC domain.com has already been added, it will not be possible to add the child domain child.domain.com.
  • In the same manner, if the parent IOC example.com/path has already been added, it will not be possible to add the child IOC example.com/path/subpath.
Hashes are managed inside the application category. You must reference the application category inside a Device policy to block the malicious hashes managed by the integration.
Notes
The maximum number of items supported per Web control policy and App Control category is 10.000 each.

Preliminary Integration Steps - Kaspersky Security Center (KSC)

Before deploying and implementing the Lumu Integration, you must prepare your Kaspersky Security Center (KSC) deployment to ensure the integration functions properly. You will find the required preliminary steps in this section.

Create a Web control rule inside your Device policy

To manage Network IOCs (IPs, domains, or URLs) with the integration, you must create a Web control rule inside the Device policy you want to integrate. To do so, follow these steps:
1. Click on the Policies & profiles menu under the Devices section in the main navigation bar. Then, click on the policy you want to manage.
Notes
Keep note of the selected Device policy name. It will be used to set up the integration.
2. Under the Policy window, click on the Application settings tab. Then, click on the Security Controls link. Finally, click on the Web control menu.

3. Enable the Web control toggle. Then, either select an existing Web control policy or create a new one. Set up its Action to Block. You can use canary.lumu.net as the base address for your rule.

4. Click on the Ok button. Finish the process by clicking on the Save button
Notes
Keep note of the name of the Web control rule that was selected as it will be used to set up the integration.
Warning
It is recommended to create at most 1000 rules of access to Web resources, as this can cause the system to become unstable.

Create an Application Category

To manage malicious hashes, you must create an Application Category. The integration will manage it. To do so, follow these steps:
1. On the KSC’s Web console navigation bar, click on the Operations > Third-party applications > Application Category menu. Then, click on the Add button.

2. Fill in a descriptive Name for the category. Under the Creation method select ”Category with content added manually. Data of executable files is manually added to the category.. Click on the Next button.

3. Add a condition by clicking on the Add button. Then:
a. Select the Hash… option.
b. From the dropdown list, select Specify manually.
c. Click on Next
d. Add the following SHA-256 hash:
      9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
e. Click on Next
f. Under the Conditions window, click on Next
g. On the Exclusions window, click on OK to create the new Application category
Warning
It is not recommended to create more than 1000~2000 conditions for KSC application resources, as this can cause the system to become unstable.

Create an integration role

Create a dedicated integration role specifically for this integration, ensuring it is granted only the privileges required to operate the integration effectively.
1. Click on the Roles menu under the User & roles section in the left navigation pane. Then, click on the Add button
Notes
You can use either the Kaspersky Endpoint Security Operator or the Main Operator roles as a reference to create your new role.


2. Fill in the requested information for your new role.
  • Give it a distinctive name.
  • Under the Access rights, select the rights as follows:
Access right Action
Kaspersky Security Center Administration Server > General Features > Basic functionality Allow
Kaspersky Security Center Administration Server > System management > Software inventory Allow
Kaspersky Endpoint Security for Windows (12.3.0) > Application Control Allow
Kaspersky Endpoint Security for Windows (12.3.0) > Web Control Allow


3. Save your new role by clicking on the Save button.

Create an integration user

To ensure the separation of duties from other users, you must create a dedicated user specifically for running the integration. This user should be assigned the role created in the previous step. Follow these steps to create this user:
1. Click on the Users menu under the User & roles section. Then, click on the Add button
2. Fill in the user’s basic information. After filling this. Go to the Roles tab and assign the created role as follows. First, add the role to the Administrator Server scope. Then, add the role to the Managed devices scope.

Collect the required data from Lumu portal

The integration set-up process needs you to collect this information from the Lumu portal:
  • Lumu Defender API key
  • Company UUID
Log in to your Lumu portal and run the following data collection procedures.

Collect the Lumu Defender API key

To collect the Lumu Defender API key, refer to the Defender API document.

Collect your Lumu company UUID

To collect your Lumu company UUID, log in to your Lumu portal. Once you are in the main window, copy the string below your company name.

Deploy the Integration

There are 2 environment options to deploy the script, select the one that best fits your current infrastructure.
  • Run it as a Python script executing the install.sh bash file
    • Creates a Python virtual run time and its dependencies for you
    • Installs the crontab line in the host
  • Run it as a Docker container.
Whichever alternative you select, you must first unpack the integration package shared by our Support team.
Unpack the deployment package provided by Lumu in your preferred path/folder. Keep in mind this location, as it will be required for further configurations. From now on, we will refer to this folder as <app_lumu_root>.
Notes
If you use the install script, use the uninstall.sh bash file to remove the integration from the host.

Set up the Configuration Files

To set up the integration, you need to add and edit two configuration files:
  • companies.yml: this file contains the information collected from the Lumu portal
  • integrations.yml: this file contains the information collected from your KSC instance.
Notes
Inside the integration package, you will find sample files you can use to build your configuration files. These files are companies_template.yml and integration_template.yml.

Complete the Companies file

The Companies file defines how the integration connects to Lumu and extracts the information of the incidents and related indicators of compromise.
Notes
All the parameters in red should be replaced with the real data necessary for your integration deployment. For example, the parameter “COMPANY-UUID” should end up as something similar to “aa11bb22bb33-123a-456b-789c-11aa22bb33cc”. Follow these indications for all similar parameters.
  1. -
      lumu:
        uuid: "COMPANY-UUID"
        [name: "COMPANY-NAME"]
        [contact_name: "CONTACT_NAME"]
        [contact_email: "CONTACT_EMAIL"]
        defender_key: "DEFENDER_API_KEY"
        hash_type: "sha256"
        ioc_types: # list of ioc types, option one, many or all
          - ip
          - domain
          - url
          - hash
        adversary:  # list of adversary types, option one, many or all
          - C2C
          - Malware
          - Mining
          - Spam
          - Phishing
    	- Anonymizer
        days: 30 # MIN 1, MAX 30
Within this file, the COMPANY_UUID and DEFENDER_API_KEY fields are mandatory. Please use the values captured in the previous steps. The ioc_types values must match with the IOC types required by the integration.

Complete the Integrations file

The Integrations file contains the information required by the integration to connect and interact with your KSC deployment. Here are some indications on how to properly fill it out:
  1. The POLICY-NAME parameter is filled in with the name of the policy you selected in Step 1 of the Create a Web control rule inside your Device policy section of this document.
  2. The WEB-CONTROL-RULE parameter is filled in with the name of the web control rule you selected in Step 3 of the Create a Web control rule inside your Device policy section of this document.
  3. The APP-CONTROL-CATEGORY-NAME parameter is filled in with the name of the Application Category you created in the Create an Application Category section of this document.
  1. -
      lumu:
        uuid: "COMPANY_UUID"
        adversaryTypes: [ "C2C", "Malware", "DGA", "Mining", "Spam", "Phishing" , "Anonymizer"] # ["C2C", "Malware", "DGA", "Mining", "Spam", "Phishing", "Anonymizer"] delete IOC types you do not want to send
        days: 3 
      app:
        name: "CLIENT-NAME" # Unique Account Name of the Cloud company subscription
        clean: false # false | true to delete the integration
        WebPlugIn: # Optional | null
          WebControlRule:  # ONLY APPLY for OS Windows | null
            policy: "POLICY-NAME" # Name of the policy as is in KSC
            Name: "WEB-CONTROL-RULE" # Name | null
            ioc: [ ip, domain, url ] # [ ip, domain, url ] | [] | null        
          AppControlCategory: # Optional | null
            Name: "APP-CONTROL-CATEGORY-NAME" # Name | null
            ioc: [ hash ] # [hash ] | [] | null
        api:
          hostname: "IP-HOSTNAME:PORT"
          username: "AUTH-USERNAME"
          password: "AUTH-PASSWORD"
Notes
The integration can manage Web control rules and Application control categories separately. Set them according to the needs of your organization.

Potential errors in KSC consoles

Notes
Please follow the steps indicated in this section before contacting us for integration errors. If you are operating with a KSC console on a different version than the ones indicated under Requirements​, these steps could solve any issues.
You can find errors when operating the integration in versions not tested before. You could circumvent these conditions by collecting the Policy ID and the Application category ID from the KSC console to add them to the integrations.yml configuration file.

To collect the IDs follow these steps:

Collecting the Policy ID

To collect the Policy ID, open your KSC Web console and:
1. Head to the left navigation bar, and expand the Devices section. Click on the Policies & profiles menu.

2. In the Devices / Policies & profiles window, look for the policy you want to integrate. Click on the selected policy. For this example, we will use KSC_LumuTestPol.

3. Look at the address bar in your Web browser. The number at the end of the URL is the Policy ID. Extract it.

4. Add the Policy ID to your configuration file. Use the following configuration step as an example. The highlighted text shows how the ID must be added.
  1.       WebControlRule:
        policy: "POLICY-NAME"
        policy_id: 12
        Name: "WEB-CONTROL-RULE"
        ioc: [ ip, domain, url ]

Collecting the Application category ID

To collect the Application category ID, open your KSC Web console and:
1. Head to the left navigation bar, and expand the Operations section. Click on the Application categories menu under the Third-party applications section.

2. In the Operations / Third-party applications / Application categories window, look for the application category you want to integrate. Click on the selected category. For this example, we will use the Lumu category.

3. Look at the address bar in your Web browser. The number at the end of the URL is the Application category ID. Extract it.


4. Add the Policy ID to your configuration file. Use the following configuration step as an example. The highlighted text shows how the ID must be added.
  1.       AppControlCategory:
        Name: "APP-CONTROL-CATEGORY-NAME"
        app_category_id: 3
        ioc: [ hash ]

Deploy Integration as Script

To deploy the integration as a script, you need to run the install.sh script inside the integration package.
Notes
Make sure the install.sh script has the execution permission before running it.
To run the installation script, locate yourself in the app_lumu_root folder, then execute this line through CLI.

/install.sh all

The installation script will set up the Python environment and two different cron jobs.
Notes
If you want to modify the default running interval set up by the installation script, you can modify the latest cron job entries based on your environment requirements.
Notes
If you want to restart or uninstall the integration run the ./restart all and ./uninstall all commands respectively.

Script Details

To use the script, you must locate yourself on the path selected for deployment (<app_lumu_root>). Use the following command to show all options available for the package:
python run.py -h

Usage: kaspersky_lumu [-h] [--config CONFIG] [--ioc-manager-db-path IOC_MANAGER_DB_PATH] [-v] [-c] [-l {screen,file}] [--hours HOURS]

Options Description
-h, --help show this help message and exit
--config CONFIG default: integrations.yml, CONFIG FILE PATH of the companies, follow the nex YML template.
--ioc-manager-db-path IOC_MANAGER_DB_PATH default path: ./ioc.db, PATH where the integration goes to read the Lumu Incidents
--logging {screen,file} Logging option (default screen).
-c, --clean the flag means Clean all integration and override the yml clean field
--verbose, -v Verbosity level.
--hours HOURS keep db log record from [x hours], for auto maintenance local db purpose

Usage Examples

  • Task: query IOC related to Lumu incidents with default options
To query all the IOC related to Lumu incidents triggered in the last 30 days, run the following command.
python3 run.py
Notes
You must remove the integrations.yml file to run the integration with the default options. If the file exists, the integration script will use the parameters in it.
  • Task: query IOC related to specific parameters
By default, the integration script will query incidents related to all adversary types. If you need to filter the query to specific adversary types, you can use the --adversary-types flag as follows

python3 run.py --config integrations.yml --ioc-manager-db-path /<ioc-manager-path>/ioc.db
  • Task: Clean Records
To clean the existing records in KSC, just set up the clean flag in the integrations.yml file to true.
clean: true

Then, run the integration script as follows:
python3 run.py [--config CONFIG] [--ioc-manager-db-path IOC_MANAGER_DB_PATH]

Or you can run the clean command directly to clean all the companies
python3 run.py –clean [--config CONFIG] [--ioc-manager-db-path IOC_MANAGER_DB_PATH]
Notes
The records not manipulated by the integration will be preserved.
  1. Other Tasks
According to your needs, you can combine the examples shown. If you need more details on the steps executed by the integration script, you can add the –logging {file, screen} and –verbose arguments. These arguments can be used for troubleshooting.

Deploy as a Docker Container (Optional)

If you have a Docker environment, you can select this option to run the integration as a Docker process. To deploy and run your integration as a docker container, locate yourself at the <app_lumu_root> folder, and follow these instructions:
1. Build the container by running the following command.

docker build \ 
      --tag img-lumu-kaspersky-endpoint-response \ 
      --file DockerfileAllInOne . 

Notes
Do not forget the dot "."
2. Run the container by using the following command.
docker run -d \
      -v ./companies.yml:/app/companies.yml \
      -v ./integrations.yml:/app/integrations.yml \
      -v ./debug:/app/debug \
      --restart unless-stopped \
      --log-driver json-file \
      --log-opt max-size=30m \
      --log-opt max-file=3 \
      --name lumu-kaspersky-endpoint-response \
      img-lumu-kaspersky-endpoint-response

With this mode, your integration will run every 5~10 minutes.

Docker Container Deployment Troubleshooting

For troubleshooting purposes, you can run the following commands:
  • To log in to your container using an interactive shell:
docker exec -it lumu-kaspersky-endpoint-response bash
  • To collect integration logs:
docker logs -f lumu-kaspersky-endpoint-response

Expected Results and Validation

After running the integration, you will see new items under the Web Rule selected for the integration.

The Application Category selected for the integration will be populated with hashes.

The endpoints covered by the managed policy won’t be able to connect or execute IOCs populated into the rules and lists.

This way you will be certain that the integration has been properly deployed and that it is up and running.

Troubleshooting and known issues

To identify failures in the script execution, use the -v flag. The script execution log will show more detailed information.
The application logs will be redirected to the file lumu.log. The file errors.log stores only the errors to make them easier to find and aid the troubleshooting process.

Authentication Failed

The following error indicates that either the user and its password are wrong, or that the assigned permissions to the user role are not sufficient. Ensure they are working by entering the user directly into the Kaspersky Endpoint Security Web Console to check if they work. Fix the configuration files accordingly.
Auth Failed Error

Network Connection Failed

The following error indicates that the integration component cannot reach the Kaspersky Endpoint Security Web Console. Please verify network connectivity, validate that the component can reach the portal through TCP protocol, and whether the Web console has any loading issues.
Timeout Error

ERR_NAME_NOT_RESOLVED Error

Cannot navigate to invalid URL Error

Input Parameters Validation Failed

This means that some parameters in your configuration files have been entered incorrectly. Read the information the error messages provide and fix the affected parameters.
Input should be a valid parameter Error

Policy Search Failed

The following errors indicate one of the following:
  • The policy section within the Kaspersky Endpoint Security Console is not loading
  • The selected policy was not found in the policy section of the Kaspersky Endpoint Security console
Check if the integration’s user permissions allow it to open the Policy section in the Kaspersky Endpoint Security Console and if the name of the policy included inside the configuration files matches with the Kaspersky policy, making sure it doesn’t include any invalid characters.
Search Policy Failed - Input TextBox not found - Error


search_policy not found Error

Web Rule Within Policy Search Failed

If you get this error, check whether the Web rule defined in your configuration files exists and matches the Web rule inside the Device policy. Fix the parameter in the configuration files accordingly.
Misconfiguring or Wrong Creation of rule Error

Another instance is running

If you receive the following error:
Stopping the integration 269169, it might have another older instance running, check if is feasible or not
older pid: 269061 - cwd: /home/lumu/Documents/repos/kaspersky-endpoint-response - since: 2024-05-28 15:29:17.010000
cmdline: /home/lumu/Documents/repos/kaspersky-endpoint-response/.venv31013/bin/python /home/lumu/Documents/repos/kaspersky-endpoint-response/run.py

There may be another instance running concurrently. To validate whether this is true, open the pid.pid file in the integration folder. If another instance is running, the process ID will be stored in the file.
    Still can’t find an answer?
    Send a message to our experts.
    Contact Us

        • Related Articles

        • ESET Endpoint Security On-premise Custom Response Integration

          This article shows how to leverage ESET Endpoint Security through its ESET Protect Web Console and Lumu Defender API to enhance your Response capabilities. Response integration between ESET Endpoint and Lumu Requirements ESET PROTECT deployment An ...

        • Illumio Custom Response Integration

          Learn how to leverage the Lumu Defender API and Illumio API to mitigate security risks. Response integration between Illumio and Lumu Requirements An active Illumio Segmentation subscription. You need an Illumio administrator user to set up the ...

        • Bitdefender Custom Response Integration

          Bitdefender Custom Response Integration This article shows how to leverage the Lumu Defender API and Bitdefender API to mitigate security risks. Requirements GravityZone Business Security Enterprise, cloud version, ...

        • Trend Micro Apex Central Custom Response Integration

          Before going through this article, check our Out-of-the-box App Integrations category. This is the recommended way to integrate the components of your cybersecurity stack with Lumu. If the product you are looking to integrate is there, it is advised ...

        • Symantec Endpoint Protection Custom Response Integration

          Before going through this article, check our Out-of-the-box App Integrations category. This is the recommended way to integrate the components of your cybersecurity stack with Lumu. If the product you are looking to integrate is there, it is advised ...