VMWare Carbon Black EDR Response Integration with Lumu Defender API

This article shows how to leverage adversarial information from Lumu and feed Carbon Black Reports to VMWare Carbon Black EDR.
Figure 1 - Data collection setup from VMWare Carbon Black EDR to Lumu


The Lumu Defender API offers a framework to help you leverage Lumu’s integrations with your existing cybersecurity stack, including Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), Endpoint Detection and Response (EDR); incident response systems; and more.
This article is just an example of how this integration can be carried out and is delivered as is, so please use it at your own discretion. 

To get started with the Lumu Defender API, consult our Get Started documentation.

The VMWare Carbon Black EDR response integration allows users to query incidents detected by Lumu, format them as Carbon Black Reports, and push them into a Carbon Black Feed. This feed must be used as a Watchlist to identify further adversarial activity inside Carbon Black.

Requirements

  1. VMWare Carbon Black Enterprise EDR subscription.
  2. (Recommended) A custom role for managing feeds and watchlists through the API. The following permissions are required:
    1. Manage Watchlist Feeds.
    2. Manage Watchlists.
    3. View Watchlist Feeds.
    4. View Watchlists.
  3. Carbon Black API key with the API access level assigned. If you have created a custom role for the integration, use it when provisioning the API access.
  4. Host to deploy the script code.
  5. Python 3.6+.
  6. The host selected for deploying the script code must reach both Carbon Black's URL and Lumu Defender's API host: https://defender.lumu.io

Deploy the script

First, get in touch with Lumu to request the deployment package.

Script location

Unpack the deployment package provided by Lumu in your preferred path/folder. Keep this location in mind, as it will be required for further configuration. From now on, we will refer to this folder as <cp_lumu_root>.

Install requirements

The file requirements.txt contains the list of prerequisites for this integration. After deploying the package locally, run the following command from the deployment folder:

[sudo] pip install -r ./requirements.txt

Script details

To use the script, change to the path selected for deployment (<cp_lumu_root>). Use the following command to show all options available for the package:
python lumu-to-cb.py --help

This is a reference list of the options you have access to through this script:
lumu-to-cb.py [options]

Options                                               Description
-h, --help                                            Show this help message and exit.
--config=CONFIG                                       Load options from a config file.
--url=URL                                             Carbon Black URL.
--org-key=ORG_KEY, --org_key=ORG_KEY                  Carbon Black organization key to work with.
--token=TOKEN                                         Carbon Black token (API key/API ID).
--feed=FEED                                           Carbon Black feed name (default "Lumu Feed").
--score=SCORE                                         Score for each report [1-10] (default 10).
--company-key=COMPANY_KEY, --company_key=COMPANY_KEY  Lumu Defender API key.
--group-name=GROUP_NAME                               Host group name to populate with IP IOCs.
--include-subdomains, --include_subdomains            Include subdomains for IOCs.
--include-subdirectories, --include_subdirectories    Include subdirectories for IOCs.
--logging=LOGGING                                     Logging option (default screen).
-v, --verbose                                         Verbosity of the log.
-t, --use-saved-timestamp                             Use the saved timestamp from the latest detected incident, if any.
--from=FROM                                           Specify a "from" date.
--to=TO                                               Specify a "to" date.
--adversary-types=ADVERSARY-TYPES                     Adversary types to filter (case-sensitive). Possible values: C2C, Malware, DGA, Mining, Spam, Phishing.

The script creates and maintains a Carbon Black Feed. You must subscribe to the feed created by the script to complete the integration. This is a one-time task.

Usage examples

Here are some examples of how to use the script:

Task: query and add all incident data for the last 30 days

Use the following command for querying and posting all incident data found in your organization by Lumu in the last 30 days:

python lumu-to-cb.py --url "https://defense.conferdeploy.net/" --token "KEYAUUFhObpyxuqyAPvsDpxX/IDkCarPbbp" --org-key "OrgKey00" --company-key "LumuKeybtVLJrgupZxxNOYyVCAmmRGZa"

Task: query and add all incident data since the last runtime

For control purposes, the script stores the latest runtime in a file called timestamp.stmp. The first time you run the script, you will retrieve all the data of the last 30 days. The next time you run this query, it will collect data from the last runtime timestamp in the timestamp.stmp file.

python lumu-to-cb.py --url "https://defense.conferdeploy.net/" --token "KEYAUUFhObpyxuqyAPvsDpxX/IDkCarPbbp" --org-key "OrgKey00" --company-key "LumuKeybtVLJrgupZxxNOYyVCAmmRGZa" --use-saved-timestamp

To ignore the saved timestamp, remove the --use-saved-timestamp flag.

Task: query and add all adversarial data since a specific date

To filter data from a specific date, use the flag --from followed by a date string in the standard format published in RFC 3339 and ISO 8601: YYYY-MM-DDTHH:mm:ss.sssZ.

python lumu-to-cb.py --url "https://defense.conferdeploy.net/" --token "KEYAUUFhObpyxuqyAPvsDpxX/IDkCarPbbp" --org-key "OrgKey00" --company-key "LumuKeybtVLJrgupZxxNOYyVCAmmRGZa" --from 2021-05-01T00:00:00.000Z

Task: filter incidents by adversarial types

To query incidents filtered by adversarial types before pushing them to the Carbon Black Feed, use the parameter --adversary-types followed by a list of the adversarial types separated by commas.
For this particular example, the adversary types to filter are C2C, Phishing, and DGA.

python lumu-to-cb.py --url "https://defense.conferdeploy.net/" --token "KEYAUUFhObpyxuqyAPvsDpxX/IDkCarPbbp" --org-key "OrgKey00" --company-key "LumuKeybtVLJrgupZxxNOYyVCAmmRGZa" --use-saved-timestamp --adversary-types C2C,Phishing,DGA

Task: save output to file

Use the parameter --logging file to store a record of all tasks run. With this parameter, the entire script output will be redirected to a file named lumu.log in the root of the selected path for the deployment of the script.

python lumu-to-cb.py --url "https://defense.conferdeploy.net/" --token "KEYAUUFhObpyxuqyAPvsDpxX/IDkCarPbbp" --org-key "OrgKey00" --company-key "LumuKeybtVLJrgupZxxNOYyVCAmmRGZa" --use-saved-timestamp --logging file

Task: use your own feed name

If you want to define your own feed name, use the parameter --feed with the name you want to give to your feed. Bear in mind that when subscribing to the feed, you need to look for the name you used in the script.

python lumu-to-cb.py --url "https://defense.conferdeploy.net/" --token "KEYAUUFhObpyxuqyAPvsDpxX/IDkCarPbbp" --org-key "OrgKey00" --company-key "LumuKeybtVLJrgupZxxNOYyVCAmmRGZa" --feed "My Org Feed"

Other tasks

The above samples can be combined according to your needs.
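The window and filter logic the tasks above describe (last 30 days by default, the saved timestamp.stmp value with --use-saved-timestamp, an explicit --from/--to, and the comma-separated --adversary-types filter), as an added example that is not Lumu's script. The incident records and their field names are constructed for the example and do not reflect the real Lumu Defender API response.

```python
from datetime import datetime, timedelta
from pathlib import Path

# RFC 3339 / ISO 8601 shape accepted by --from/--to (millisecond precision, UTC, parsed naive).
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"
VALID_TYPES = {"C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"}

def parse_ts(s):
    return datetime.strptime(s, TS_FMT)

def query_window(now, ts_file, use_saved=False, from_ts=None, to_ts=None):
    """--from wins; else the saved timestamp if requested and present; else last 30 days."""
    end = parse_ts(to_ts) if to_ts else now
    if from_ts:
        return parse_ts(from_ts), end
    if use_saved and ts_file.exists():
        return parse_ts(ts_file.read_text().strip()), end
    return now - timedelta(days=30), end

def parse_adversary_types(arg):
    """Comma-separated and case-sensitive; unknown values are rejected up front."""
    types = {t.strip() for t in arg.split(",") if t.strip()}
    unknown = types - VALID_TYPES
    if unknown:
        raise ValueError(f"unknown adversary types: {sorted(unknown)}")
    return types

def select_incidents(incidents, window, types=None):
    """Keep incidents inside the window and, when types is given, only of those types."""
    start, end = window
    return [i for i in incidents
            if start <= parse_ts(i["timestamp"]) <= end
            and (not types or i["adversary_type"] in types)]

def run_once(incidents, now, ts_path, use_saved=False, from_ts=None, to_ts=None, types=None):
    """One run: choose the window, filter, then save the newest timestamp for the next run."""
    ts_file = Path(ts_path)
    chosen = select_incidents(incidents, query_window(now, ts_file, use_saved, from_ts, to_ts), types)
    if chosen:
        latest = max(parse_ts(i["timestamp"]) for i in chosen)
        ts_file.write_text(latest.strftime(TS_FMT)[:-4] + "Z")  # keep milliseconds only
    return sorted(i["adversary"] for i in chosen)

# Constructed sample incidents with hypothetical field names (not real Lumu data); NOW is fixed.
NOW = parse_ts("2021-06-01T12:00:00.000Z")
INCIDENTS = [
    {"adversary": "c2.example", "adversary_type": "C2C", "timestamp": "2021-05-20T08:00:00.000Z"},
    {"adversary": "phish.example", "adversary_type": "Phishing", "timestamp": "2021-05-25T09:30:00.000Z"},
    {"adversary": "dga.example", "adversary_type": "DGA", "timestamp": "2021-04-01T00:00:00.000Z"},
    {"adversary": "mal.example", "adversary_type": "Malware", "timestamp": "2021-05-28T10:00:00.000Z"},
]
```

Note that the saved-timestamp window is inclusive at its start, so the incident that produced the saved timestamp is selected again on the next run; an explicit --from always overrides the saved value.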

Expected results

After the first script run, you will find a new feed in Enforce > Watchlist via the Add Watchlist button. For further detections, you must subscribe to Lumu Feed and use it as a watchlist.

Figure 2 - Subscribe to Lumu Feed and use it as a watchlist.

To be alerted on any hits related to this feed, remember to edit the watchlist and enable Alert on hits. All detected hits will be shown as part of the alert poll.

Figure 3 - Edit the watchlist to Alert on hits.

Further considerations

To run this script on a schedule, consider implementing a Scheduled Task in Windows or a cron job in Unix-based systems. We recommend using the --use-saved-timestamp flag so that each run queries and adds only the adversarial data detected since the previous run.

Troubleshooting

If the script fails, run it again with the -v flag. The verbose output will help you identify where the script execution failed.
