This article shows how to leverage adversarial information from Lumu and feed destination lists to Crowdstrike.
Option 1: pip :
Option 2: easy_install :
First, contact the Lumu support team to request the package we created to deploy the required files.
Once you receive the Python package provided by Lumu, unpack the file in your preferred path/folder. Keep in mind that this location will be required for further configurations. This folder will be referred from now on as: <crowdstrike_lumu_root> .
For using the script, you must locate yourself on the path selected for deployment (<crowdstrike_lumu_root>). Use the following command to show all options available for the package:
This is a reference of the options you have access to through this script:
We provide here some examples of how to use the script:
Task: query and add all adversarial data for the last 30 days
Use the following command for querying and posting to CrowdStrike all adversarial data found in your organization by Lumu in the last 30 days:
For control purposes, the script stores the latest runtime in a file called timestamp.stmp . If it is the first time you run the script, you will automatically get all the data of the last 30 days. The next time you run this query, it will get the latest runtime timestamp from the timestamp.stmp file.
To ignore the saved timestamp, remove the --use-saved-timestamp flag.
Task: query and add all adversarial data of the last X hours
Use the following command to query all adversarial data from your Lumu subscription for the specified numbers of hours:
Task: query and add all adversarial data since a specific date
For filtering data from a specific date, use the flag --from followed by a date string in the standard format published in RFC 3339 and ISO 8601: YYYY-MM-DDTHH:mm:ss:sssZ.
Task: filter adversarial types
To query filtered adversarial types before adding them to your Palo Alto Dynamic Address Group or Custom URL Category, use the parameter --adversary-types followed by a list of the adversarial types separated by commas.
For this particular example, the adversary types to filter are C&C , Phishing , and DGA :
Task: d efine severity for created IoCs
Use the parameter --severity followed by the desired severity level ("informational", "low", "medium", "high", "critical") to be used for the creation of the Custom IoCs.
Task: d efine action for created IoCs
Use the parameter --action followed by the desired severity ("no_action", "detect") to define the action to create the Custom IoCs.
Task: define covered platforms for created IoCs
Use the parameter --platforms followed by the combination of the desired platforms separated by commas ("mac", "windows", "linux") to define coverage of the created IoCs on specific platforms. By default, the script will cover all three platforms if you don't use the parameter.
Task: save output to file
For each script run, it is expected that the IoC Manager GUI will be populated with more indicators, as in the following example:
To run this script on a timely-basis, consider implementing a scheduled job in Windows or a cron task in Unix-based systems. We recommend using the --use-saved-timestamp flag to query and add different adversarial data for each runtime.
Use the -v flag to investigate errors on the script. This will provide you with details for identifying failures in the script execution.