This article shows how to feed Palo Alto Networks Dynamic Address Groups (DAG) and Custom URL Categories with adversary information from Lumu.
Option 1: pip
Option 2: easy_install
Note that easy_install is deprecated and has been removed from recent setuptools releases, so pip is the option to prefer. The following command installs the pan-os-python package (using pip):
First, contact the Lumu support team to request the package created to deploy the required files. Once you receive the Python package from Lumu, unpack it in a folder of your choice. Keep in mind that this location is needed for later configuration steps; it is referred to below as <paloalto_lumu_root>.
To use the script, change into the deployment path (<paloalto_lumu_root>). Use the following command to show all options available for the package:
The options available through this script are listed below:
The script can populate the following custom objects in the Palo Alto configuration: Dynamic Address Groups (DAG) and Custom URL Categories.
You can run the script to populate either of these or both. The flags for each option are described below:
Dynamic Address Group (DAG)
To populate a Dynamic Address Group, use the --dag flag together with the --tag parameter, as in the following example:
By default, the script feeds the Dynamic Address Group without overwriting its content. To fully overwrite the group, use the --overwrite-dag flag. PAN-OS resolves DAG membership from the tags registered on IP addresses, so the group's match criteria must reference the tag passed with --tag.
Custom URL Category
To populate a Custom URL Category, use the --custom-url-category flag and set the category name with the --custom-url-category-name parameter, as in the following example:
By default, the script feeds the Custom URL Category without overwriting its content. To fully overwrite the category, use the --overwrite-category flag. To add wildcards so that subdomains or subdirectories are also blocked, combine the --include-subdomains and --include-subdirectories flags: they prepend *. to each URL and append /* to it, respectively. Keep in mind that a Custom URL Category only blocks traffic once a URL Filtering profile that references it is used in a security policy and the configuration has been committed.
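To make the merge and wildcard behaviour concrete, here is an added Python example; it is not Lumu's script and not pan-os-python's own code. It computes which IP addresses need the DAG tag registered or removed, and what the final Custom URL Category entry list should be, for both the default (merge) and the overwrite modes. The sample indicators and the existing firewall state are constructed; the idea that the DAG is fed by registering the tag on IP addresses, and that overwrite removes the tag from IPs absent from the feed, are assumptions about implementation; push_dag shows one way to apply the plan with pan-os-python's User-ID registration API and is the only part that needs the library and a reachable firewall.

```python
"""Added example (not Lumu's script, not pan-os-python's code): plan the update
of a PAN-OS Dynamic Address Group (via tag registrations) and a Custom URL
Category with the merge/overwrite and wildcard options described above."""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple


def is_ip(indicator: str) -> bool:
    """True for IPv4/IPv6 literals (DAG candidates); anything else is a URL."""
    try:
        ipaddress.ip_address(indicator)
        return True
    except ValueError:
        return False


def add_wildcards(url: str, include_subdomains: bool, include_subdirectories: bool) -> str:
    """Prepend '*.' and/or append '/*' like --include-subdomains and
    --include-subdirectories, without doubling a wildcard that is already there."""
    if include_subdomains and not url.startswith("*."):
        url = "*." + url
    if include_subdirectories and not url.endswith("/*"):
        url = url.rstrip("/") + "/*"
    return url


def plan_dag_update(existing: Dict[str, Set[str]], feed: Iterable[str], tag: str,
                    overwrite: bool) -> Tuple[List[str], List[str]]:
    """Return (ips_to_register, ips_to_unregister) for one DAG tag.

    `existing` maps IP -> tags currently registered on the firewall. DAG
    membership follows the tag, so feeding the group means registering the tag
    on new IPs; with overwrite=True the tag is also removed from IPs that are
    registered but absent from the feed (assumed semantics of --overwrite-dag).
    """
    wanted = {ind for ind in feed if is_ip(ind)}
    to_register = sorted(ip for ip in wanted if tag not in existing.get(ip, set()))
    to_unregister: List[str] = []
    if overwrite:
        to_unregister = sorted(ip for ip, tags in existing.items()
                               if tag in tags and ip not in wanted)
    return to_register, to_unregister


def build_url_entries(existing: Iterable[str], feed: Iterable[str], overwrite: bool,
                      include_subdomains: bool = False,
                      include_subdirectories: bool = False) -> List[str]:
    """Return the entry list the Custom URL Category should end up with:
    merged with the current entries by default, replaced when overwrite=True."""
    new_entries = [add_wildcards(ind, include_subdomains, include_subdirectories)
                   for ind in feed if not is_ip(ind)]
    merged = new_entries if overwrite else list(existing) + new_entries
    seen: Set[str] = set()
    result: List[str] = []
    for entry in merged:          # de-duplicate, keeping the first occurrence
        if entry not in seen:
            seen.add(entry)
            result.append(entry)
    return result


def push_dag(hostname: str, api_key: str, tag: str,
             to_register: List[str], to_unregister: List[str]) -> None:
    """Apply a DAG plan with pan-os-python's User-ID registration API. This is
    one way to do it (an assumption), not necessarily how Lumu's script works."""
    from panos.firewall import Firewall  # imported here so the rest runs without it
    fw = Firewall(hostname, api_key=api_key)
    for ip in to_register:
        fw.userid.register(ip, tag)
    for ip in to_unregister:
        fw.userid.unregister(ip, tag)


def demo() -> dict:
    """Run the planners over constructed sample data (not Lumu output)."""
    feed = ["203.0.113.10", "198.51.100.7", "bad.example", "evil.example/login"]
    existing_dag = {"203.0.113.10": {"lumu-adversary"}, "192.0.2.99": {"lumu-adversary"}}
    existing_category = ["old.example"]
    register, unregister = plan_dag_update(existing_dag, feed, "lumu-adversary", overwrite=True)
    category = build_url_entries(existing_category, feed, overwrite=False,
                                 include_subdomains=True, include_subdirectories=True)
    return {"register": register, "unregister": unregister, "category": category}


if __name__ == "__main__":
    print(demo())
```

In the demo, overwrite mode drops the tag from 192.0.2.99 because it is no longer in the feed, while merge mode on the category keeps old.example and adds the wildcarded new entries. Registered IP/tag mappings are runtime state, whereas a Custom URL Category is a configuration object: pushing the entry list (for example through pan-os-python's CustomUrlCategory object) still requires a commit before the firewall enforces it.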
We provide here some examples of how to use the script:
Task: query and add all adversarial data for the last 30 days
Use the following command to query and post to Palo Alto all adversarial data that Lumu found in your organization in the last 30 days:
This command queries the last 30 days of contacted adversaries recorded in your Lumu subscription. Only new IoCs are fed into your Dynamic Address Group or Custom URL Category.
For control purposes, the script stores the time of its latest run in a file called timestamp.stmp. On the first run, the script automatically retrieves all data from the last 30 days. On subsequent runs it reads the latest run time from timestamp.stmp and queries only data recorded since then. To ignore the saved timestamp, omit the --use-saved-timestamp flag.
Task: query and add all adversarial data from the last X hours
Use the following command to query all adversarial data from your Lumu subscription for the specified number of hours:
Task: query and add all adversarial data since a specific date
To filter data from a specific date, use the --from flag followed by a date string in the RFC 3339 / ISO 8601 format YYYY-MM-DDTHH:mm:ss.sssZ, where the trailing Z denotes UTC (for example 2024-01-01T00:00:00.000Z).
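To make the time-window bookkeeping concrete, here is an added Python example (not Lumu's script) that computes the query window for one run from the saved timestamp.stmp, from a --from date, or from a look-back in hours, and records the run time for the next run. The precedence between these inputs, the hours parameter name, and the assumption that timestamp.stmp lives in <paloalto_lumu_root> and holds a single RFC 3339 string are choices of this example, not documented behaviour of the script.

```python
"""Added example (not Lumu's script): compute the query window for one run from
the saved timestamp.stmp, a --from date, or a look-back in hours."""
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional, Tuple

DEFAULT_LOOKBACK = timedelta(days=30)   # first run: last 30 days
TIMESTAMP_FILE = "timestamp.stmp"       # assumed to live in <paloalto_lumu_root>
_FORMATS = ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ")


def to_rfc3339(dt: datetime) -> str:
    """Render a timezone-aware datetime as YYYY-MM-DDTHH:mm:ss.sssZ (UTC)."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def parse_rfc3339(text: str) -> datetime:
    """Parse the --from format (milliseconds optional); ValueError otherwise."""
    for fmt in _FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"expected YYYY-MM-DDTHH:mm:ss.sssZ, got {text!r}")


def compute_window(now: datetime, root: Path, use_saved_timestamp: bool = False,
                   from_date: Optional[str] = None,
                   hours: Optional[int] = None) -> Tuple[str, str]:
    """Return (start, end) as RFC 3339 strings.

    Precedence (a choice of this example): an explicit --from date, then a
    look-back in hours, then the saved timestamp when --use-saved-timestamp is
    given and the file exists, else 30 days back from `now`.
    """
    if from_date is not None:
        start = parse_rfc3339(from_date)
    elif hours is not None:
        start = now - timedelta(hours=hours)
    else:
        start = now - DEFAULT_LOOKBACK
        stamp = root / TIMESTAMP_FILE
        if use_saved_timestamp and stamp.is_file():
            start = parse_rfc3339(stamp.read_text().strip())
    return to_rfc3339(start), to_rfc3339(now)


def save_timestamp(root: Path, now: datetime) -> None:
    """Record this run's time so the next run can continue from it."""
    (root / TIMESTAMP_FILE).write_text(to_rfc3339(now))


def demo() -> dict:
    """Two consecutive runs plus the --from and hours variants, in a temp dir."""
    now = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        first = compute_window(now, root, use_saved_timestamp=True)  # no file yet
        save_timestamp(root, now)
        later = now + timedelta(hours=1)
        second = compute_window(later, root, use_saved_timestamp=True)
        ignored = compute_window(later, root, use_saved_timestamp=False)
        explicit = compute_window(later, root, from_date="2024-02-28T00:00:00.000Z")
        last_6h = compute_window(later, root, hours=6)
    return {"first": first, "second": second, "ignored": ignored,
            "explicit": explicit, "last_6h": last_6h}


if __name__ == "__main__":
    for name, (start, end) in demo().items():
        print(f"{name:9s} {start} -> {end}")
```

The first run has no timestamp.stmp and falls back to 30 days; the second run, one hour later, starts exactly where the first ended, so the two windows do not overlap and no indicator is queried twice. Saving the run time only after a successful push (not shown) is the safer order, otherwise a failed run silently skips its window.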
Task: filter adversarial types
To filter by adversary type before adding indicators to your Palo Alto Dynamic Address Group or Custom URL Category, use the --adversary-types parameter followed by a comma-separated list of adversary types. In this example, the adversary types to filter are C2C, Phishing, and DGA:
Task: save output to file
Use the --logging file parameter to keep a record of all tasks run. With this parameter, all script output is redirected to a file named lumu.log in the root of the deployment path (<paloalto_lumu_root>).
After each script run, the defined Dynamic Address Group and Custom URL Category should contain more indicators, as in the following examples:
To run this script on a schedule, set up a scheduled task in Windows or a cron job on Unix-based systems. We recommend using the --use-saved-timestamp flag so that each run queries and adds only the adversarial data that is new since the previous run.
Use the -v flag to investigate errors: it prints details that help identify where the script execution failed.