Crowdstrike Custom Response Integration with Lumu Defender API


Before going through this article, check our Out-of-the-box App Integrations category. This is the recommended way to integrate the components of your cybersecurity stack with Lumu. If the product you are looking to integrate is listed there, use that integration instead.
The Lumu Defender API offers a framework to help you leverage Lumu's integrations with your existing cybersecurity stack, including Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), Endpoint Detection and Response (EDR), incident response systems, and more.
To get started with the Lumu Defender API, consult our get started documentation.

This article shows how to leverage adversarial information from Lumu and feed destination lists to Crowdstrike.

[Image: Typical setup of Crowdstrike with Lumu Defender API]
This article is just an example of how this integration can be carried out and is delivered as is, so please use it at your own discretion. 


  1. An active subscription to CrowdStrike Falcon Insights or Falcon Prevent.
  2. A Crowdstrike Client API configured with an IoC (Indicators of Compromise) management scope. To learn more about Crowdstrike's custom IoC APIs, refer to the vendor's official documentation.
  3. A CrowdStrike base URL configured for the API. You can access this feature through the Support - API Clients and Keys menu.
  4. A host to deploy the scripting code. This host must be able to reach both Crowdstrike endpoints and Lumu Defender API host ( ).
  5. Python 3.6+.
  6. Requests module for Python from PyPI .

Install Requests module

The 'Requests' module must be installed on the script host you selected. This module allows you to send HTTP requests using Python. Either of the following commands installs the 'Requests' package; use the one that best suits you.

Option 1: pip:

[sudo] pip install requests

Option 2: easy_install:

[sudo] easy_install requests

Deploy the script

First, contact the Lumu support team to request the package we created to deploy the required files.

Script location

Once you receive the Python package provided by Lumu, unpack the file in your preferred path/folder. Keep in mind that this location will be required for further configuration. From now on this folder will be referred to as <crowdstrike_lumu_root>.

Script details

To use the script, change to the path selected for deployment (<crowdstrike_lumu_root>). Use the following command to show all options available for the package:

<crowdstrike_lumu_root>$python --help

This is a reference of the options you have access to through this script (option, then its description; options whose flag is not shown in the original table are listed by description only):

-h, --help                   Show the help message and exit
                             Load options from config file
--client-id                  Crowdstrike client API ID
--client-secret              Crowdstrike client key
--url                        Crowdstrike base URL to be used (presented in Support > API Clients and Keys)
-r, --retrodetects           Indicates that the custom IoCs must be created with the retrodetect option
                             Ignore warnings and add all IoCs
                             Do not filter adversaries against existing Custom IoCs
--severity                   Severity to give to the IoCs: informational, low, medium, high, critical
--platforms                  The platforms that the indicator applies to: mac, windows, linux
--action                     Action to take when a host observes the custom IoC: no_action, detect
--company-key                Lumu Defender API key
--logging                    Logging option (default: screen)
-v, --verbose                Verbosity of the log
-t, --use-saved-timestamp    Tells the script to use the saved timestamp from the latest adversary contact, if any
--hours                      Specify a number of past hours to query
--from                       Specify a specific "from" date to query
--adversary-types            Adversary types to filter (case-sensitive). Possible values: C2C, Malware, DGA, Mining, Spam, Phishing

Usage examples

We provide here some examples of how to use the script:

Task: query and add all adversarial data for the last 30 days

Use the following command for querying and posting to CrowdStrike all adversarial data found in your organization by Lumu in the last 30 days:

<crowdstrike_lumu_root>/python --url https://<crowdstrike_api_host>  --client-id XXXXXXX --client-secret YYYYYYYY --company-key ZZZZZZZZZ

Task: query and add all adversarial data since the last runtime

For control purposes, the script stores the latest runtime in a file called timestamp.stmp. The first time you run the script, you automatically get all the data from the last 30 days. On subsequent runs with this flag, the script reads the latest runtime timestamp from the timestamp.stmp file and queries from that point on.

<crowdstrike_lumu_root>/python --url https://<crowdstrike_api_host>  --client-id XXXXXXX --client-secret YYYYYYYY --company-key ZZZZZZZZZ --use-saved-timestamp

To ignore the saved timestamp, remove the --use-saved-timestamp flag.

Task: query and add all adversarial data of the last X hours

Use the following command to query all adversarial data from your Lumu subscription for the specified number of hours:

<crowdstrike_lumu_root>/python --url https://<crowdstrike_api_host>  --client-id XXXXXXX --client-secret YYYYYYYY --company-key ZZZZZZZZZ --hours X

Task: query and add all adversarial data since a specific date

To filter data from a specific date, use the flag --from followed by a date string in the standard format published in RFC 3339 and ISO 8601: YYYY-MM-DDTHH:mm:ss.sssZ.

<crowdstrike_lumu_root>/python --url https://<crowdstrike_api_host>  --client-id XXXXXXX --client-secret YYYYYYYY --company-key ZZZZZZZZZ --from 2021-05-01T00:00:00.000Z

Task: filter adversarial types

To query only selected adversarial types before adding them as CrowdStrike Custom IoCs, use the parameter --adversary-types followed by a list of the adversarial types separated by commas.

For this particular example, the adversary types to filter are C&C (passed as C2C), Phishing, and DGA:

<crowdstrike_lumu_root>/python --url https://<crowdstrike_api_host>  --client-id XXXXXXX --client-secret YYYYYYYY --company-key ZZZZZZZZZ --hours 24 --adversary-types C2C,Phishing,DGA

Task: define severity for created IoCs

Use the parameter --severity followed by the desired severity level ("informational", "low", "medium", "high", "critical") to be used for the creation of the Custom IoCs.

<crowdstrike_lumu_root>/python --url https://<crowdstrike_api_host>  --client-id XXXXXXX --client-secret YYYYYYYY --company-key ZZZZZZZZZ --hours 24 --adversary-types C2C,Phishing,DGA --severity low

Task: define action for created IoCs

Use the parameter --action followed by the desired action ("no_action", "detect") to define the action applied to the created Custom IoCs.

<crowdstrike_lumu_root>/python --url https://<crowdstrike_api_host>  --client-id XXXXXXX --client-secret YYYYYYYY --company-key ZZZZZZZZZ --hours 24 --adversary-types C2C,Phishing,DGA --action no_action
Bear in mind that other actions supported by the CrowdStrike API are not supported by the script. This is because domain and IP indicators only support the actions detect and no_action.

Task: define covered platforms for created IoCs

Use the parameter --platforms followed by the combination of the desired platforms separated by commas ("mac", "windows", "linux") to define coverage of the created IoCs on specific platforms. By default, the script will cover all three platforms if you don't use the parameter.

<crowdstrike_lumu_root>/python --url https://<crowdstrike_api_host>  --client-id XXXXXXX --client-secret YYYYYYYY --company-key ZZZZZZZZZ --hours 24 --adversary-types C2C,Phishing,DGA --platforms windows,linux

Task: save output to file

Use the parameter --logging file to store a record of all tasks run. With this parameter, all the script output will be redirected to a file named lumu.log in the root of the selected path for the deployment of the script (<crowdstrike_lumu_root>).

<crowdstrike_lumu_root>/python --url https://<crowdstrike_api_host>  --client-id XXXXXXX --client-secret YYYYYYYY --company-key ZZZZZZZZZ --hours 24 --logging file

Other tasks

The above samples can be combined according to your needs. Bear in mind that the --hours and --from parameters are mutually exclusive: if both are present, --hours is used and --from is ignored.
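The rules described in the tasks above (the 30-day default and the timestamp.stmp fallback, the --hours/--from precedence, the case-sensitive adversary-type filter, and the severity, action and platform values accepted for domain and IP IoCs) are easier to reason about when written out. The following is an added example written for this article, not Lumu's packaged script: it models those rules in plain Python over a constructed list of adversary contacts. The Lumu contact field names (adversary_host, adversary_types), the CrowdStrike indicator field names (type, value, action, severity, platforms, description) and the assumption that the saved timestamp is consulted only when neither --hours nor --from is given are all illustrative assumptions, not confirmed by this page.

```python
# Added example, not Lumu's packaged script. ASSUMPTIONS: contact and indicator
# field names are illustrative; the saved timestamp is consulted only when neither
# --hours nor --from is supplied.
import ipaddress
import os
from datetime import datetime, timedelta, timezone

SEVERITIES = ("informational", "low", "medium", "high", "critical")
PLATFORMS = ("mac", "windows", "linux")
ACTIONS = ("no_action", "detect")        # the only actions domain/IP IoCs support
ADVERSARY_TYPES = ("C2C", "Malware", "DGA", "Mining", "Spam", "Phishing")
TIMESTAMP_FILE = "timestamp.stmp"        # file name the article's script uses


def to_rfc3339(dt):
    """Render a UTC datetime in the --from format: YYYY-MM-DDTHH:mm:ss.sssZ."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def parse_rfc3339(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def resolve_window(now, hours=None, from_date=None, use_saved_timestamp=False, saved=None):
    """Return the 'from' instant of the Lumu query. Precedence: --hours beats --from;
    the saved timestamp counts only with --use-saved-timestamp and a stored value;
    otherwise the last 30 days."""
    if hours is not None:
        return now - timedelta(hours=hours)
    if from_date is not None:
        return parse_rfc3339(from_date)
    if use_saved_timestamp and saved:
        return parse_rfc3339(saved)
    return now - timedelta(days=30)


def load_saved_timestamp(path=TIMESTAMP_FILE):
    """Timestamp left by the previous run, or None on the first run."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip() or None


def save_timestamp(now, path=TIMESTAMP_FILE):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(to_rfc3339(now))


def indicator_type(value):
    """Indicator type for a Lumu adversary host (assumed CrowdStrike type names)."""
    try:
        return "ipv4" if ipaddress.ip_address(value).version == 4 else "ipv6"
    except ValueError:
        return "domain"


def build_indicators(contacts, adversary_types=None, severity="medium",
                     action="detect", platforms=PLATFORMS):
    """Turn Lumu adversary contacts into custom IoC records, rejecting option values
    the script's flags do not accept and emitting one record per host."""
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    if action not in ACTIONS:
        raise ValueError("domain and IP IoCs support only 'detect' and 'no_action'")
    if set(platforms) - set(PLATFORMS):
        raise ValueError(f"unknown platforms: {sorted(set(platforms) - set(PLATFORMS))}")
    wanted = set(adversary_types or ())
    if not wanted <= set(ADVERSARY_TYPES):      # the filter is case-sensitive
        raise ValueError(f"unknown adversary types: {sorted(wanted - set(ADVERSARY_TYPES))}")
    indicators, seen = [], set()
    for contact in contacts:
        types = contact["adversary_types"]
        if wanted and not wanted.intersection(types):
            continue
        host = contact["adversary_host"]
        if host in seen:                          # one IoC per host
            continue
        seen.add(host)
        indicators.append({"type": indicator_type(host), "value": host,
                           "action": action, "severity": severity,
                           "platforms": list(platforms),
                           "description": "Lumu adversary contact: " + ", ".join(types)})
    return indicators


def rejects(**options):
    """True when build_indicators refuses the given option values."""
    try:
        build_indicators(SAMPLE_CONTACTS, **options)
    except ValueError:
        return True
    return False


# Constructed sample input (not real Lumu output); hosts use reserved example ranges.
SAMPLE_NOW = parse_rfc3339("2021-06-01T12:00:00.000Z")
SAMPLE_CONTACTS = [
    {"adversary_host": "c2.example", "adversary_types": ["C2C"]},
    {"adversary_host": "198.51.100.7", "adversary_types": ["Mining"]},
    {"adversary_host": "login.example", "adversary_types": ["Phishing"]},
    {"adversary_host": "c2.example", "adversary_types": ["C2C", "Malware"]},  # duplicate host
]

if __name__ == "__main__":
    print("query from", to_rfc3339(resolve_window(SAMPLE_NOW, hours=24)))
    for ioc in build_indicators(SAMPLE_CONTACTS, ["C2C", "Phishing", "DGA"], "low", "no_action"):
        print(ioc)
```

Running the block as a script prints the 24-hour window start and the two indicators that survive the C2C,Phishing,DGA filter; the duplicate c2.example contact collapses into one record, and the Mining host is dropped. Invalid flag values raise before anything would be sent to CrowdStrike, which is the behaviour you want from a job that runs unattended from cron.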

Expected results

For each script run, it is expected that the IoC Manager GUI will be populated with more indicators, as in the following example:

[Image: Indicators Management]
When checking the details of a single IoC, the GUI will display more detailed information, for example the related user, which should be the same as the Client ID created for this specific integration:
[Image: IOC Management]
As well as each IoC's description recorded by the script.
[Image: Description]

Further considerations

To run this script on a regular basis, consider implementing a scheduled job in Windows or a cron task in Unix-based systems. We recommend using the --use-saved-timestamp flag so that each run queries and adds only the adversarial data observed since the previous run.


Use the -v flag to investigate errors in the script. This provides the details needed to identify failures in the script execution.