ESET Endpoint Security On-premise Custom Response Integration

ESET Endpoint Security On-premise Custom Response Integration

This article shows how to leverage ESET Endpoint Security through its ESET Protect Web Console and Lumu Defender API to enhance your Response capabilities.

Response integration between ESET Endpoint and Lumu

Requirements

  • ESET PROTECT deployment
    • An ESET PROTECT Advanced or above subscription is required with an On-premise Web console on version ~11.0 (11.0.193.0)
  • Lumu Defender API key
    • To retrieve an API token, please refer to the Defender API document.
    • Integration package. Contact Lumu Support to request the specific package for this integration.
  • Script host.
    • A scripting host is required to deploy the integration. This host must have Internet visibility over Lumu Defender API endpoints and ESET Protect Web console. According to the deployment model you select, you will need a host with:
      • A Linux-based distro: Ubuntu 20.04 or 22.04 is recommended
      • + 4GB RAM
      • APT package manager (some packages might require SUDO access)
      • Python 3.10+
      • Docker Engine for container-like deployment

Contacted hosts

Allow all the traffic to the following hosts. These are required for the operation of this integration:
  • ESET Protect Server
  • defender.lumu.io

Integration overview

The ESET custom response integration feeds IOCs (IPs, domains, and URLs) into the Web control policy. To avoid redundancy, when a parent IOC already exists inside the Web control policy, children IOCs (IOCs with the same base) will not be accepted.
  • For instance, if the parent IOC domain.com has already been added, it will not be possible to add the child domain child.domain.com.
  • In the same manner, if the parent IOC example.com/path has already been added, it will not be possible to add the child IOC example.com/path/subpath.
If you want to apply IOCs group-wide, you can set your integration to create all IOCs as Global.
Notes
The maximum number of items supported per Web address list are 10.000 each, but reaching this amount would require having much better hardware resources, mainly RAM.

Prepare ESET Protect for Lumu integration

Before deploying and implementing the Lumu Integration, you must prepare your ESET Protect On-premise server to ensure the integration functions properly. You will find the required preliminary steps in this section.

Notes
It is important to keep in mind the language chosen at the login screen. It will be necessary to properly configure the integration in a further step.

Identify endpoint policies

Identify the ESET protection policies you want to feed with Lumu detections-related IOCs. These policies must be associated with one of the following products:
  • ESET Endpoint Security for Windows (V11+)
  • ESET Endpoint for Linux (V7+)
To identify the policies, you must search for them in the Policies list using the ESET Web console. To do so, head to the left navigation bar, click on the Policies menu (the one with the gear icon), click on the Add Filter button located in the upper right corner, and use the Name search box filter to find the specific policies you need.
Take note of the exact name of the policy you’ve identified, as it will be used as an input for the integration.
Notes
If you need the integration to work with more than one policy, you will need to deploy multiple instances of the integration, one for each policy.

Select or create an address list

Besides the policy, you must point the integration towards the address list to manage within the Web access protection module.
1. Click on the policy of interest and right-click to open the contextual menu. Then, click on the Edit button.

2. Under the policy you selected, go to Settings > Protections > Web Access Protections > URL list management and click on the Edit label next to the Address list label.

3. In the Address list window, identify or create a list. The list must be tagged as Blocked under the Address types field.
Warning
If you choose to create a list, make sure the name is unique for this integration. Due to the nature of permissions in ESET some Address List names might be hidden, which can cause the integration to feed IOCs to the wrong Address List.

Notes
Take note of the exact name of the address list, as it will be used as an input for the integration.

Create an Integration role

For the integration to work properly, you will need to create an integration role, reducing the permissions of the integration user to the least required privileges. Follow these steps to create it on your ESET Web console.
1. Use the left navigation bar to expand the More menu (the one with an ellipsis icon - it will fold back once you select it). Then click on the Permissions Sets menu under the ACCESS RIGHTS section. Click on the NEW button

2. Fill in the information following these guidelines:
a. Fill in the Basic information. Use a descriptive name to facilitate the assignment process.

b. In the Static Groups section, click on the Select button, and select the All and the Companies options in the dialog that appears. Click Continue when you’re done.

c. Next, In the Functionality section, mark the following options
Functionality Permissions
Groups & Computers Read, Use
Policies Read, Use, Write

d. Save the role by clicking on the FINISH button


Create an Integration user

Notes Ensure you can create an Integration user without MFA enforcement. The integration will not work with a user with MFA enabled.
Now, create a dedicated user for the integration, to which you will assign the role created in the previous steps.
1. Use the left navigation bar to expand the More menu (the one with an ellipsis icon - it will fold back once you select it). Then click on the Users menu under the ACCESS RIGHTS section. Click on the ADD NEW… button and select Add New Native User.

2. Fill in the information following these guidelines
a. Fill in the Basic information. Username, password and other required fields

When you’re done filling out this section, click on the Continue button.

b. In the Permission Sets section, assign the role created during the Create an Integration Role section earlier on this document. Save the user by clicking on the FINISH button

3. The user you created should appear in the Users list.

Collect the required data from Lumu portal

The integration set-up process needs you to collect this information from Lumu portal:
  • Lumu Defender API key
  • Company UUID
Log in to your Lumu portal and run the following data collection procedures.

Collect the Lumu Defender API key

To collect the Lumu Defender API key, refer to the Defender API document.

Collect your Lumu company UUID

To collect your Lumu company UUID, log in to your Lumu portal. Once you are in the main window, copy the string below your company name.

Preliminary Setup - Choose your integration environment

There are 2 environment options to deploy the script, select the one that best fits your current infrastructure.
  • Run it as a Python script executing the install.sh bash file
    • Creates a Python virtual run time and its dependencies for you
    • Installs the crontab line in the host
  • Run it as a Docker container.
Whichever alternative you select, you must first unpack the integration package shared by our Support team.
Unpack the deployment package provided by Lumu in your preferred path/folder. Bear in mind this location, as it will be required for further configurations. From now on, we will refer to this folder as <app_lumu_root>.
Notes
If you use the install script, use the uninstall.sh bash file to remove the integration from the host.

Set up the configuration files

To set up the integration, you need to add and edit two configuration files:
  • companies.yml: this file contains the information collected from the Lumu portal
  • integrations.yml: this file contains the information collected from your ESET Protect instance.
Notes
Inside the integration package, you will find sample files you can use to build your configuration files. These files are companies_template.yml and integration_template.yml.

Complete the companies file

The Companies file defines how the integration connects to Lumu and extracts the information of the incidents and related indicators of compromise.
Notes
All the parameters in red should be replaced with the real data necessary for your integration deployment. For example, the parameter “COMPANY-UUID” should end up as something similar to “aa11bb22bb33-123a-456b-789c-11aa22bb33cc”. Follow these indications for all similar parameters.
  1.  -
      lumu:
        uuid: "COMPANY-UUID"
        [name: "COMPANY-NAME"]
        [contact_name: "CONTACT_NAME"]
        [contact_email: "CONTACT_EMAIL"]
        defender_key: "DEFENDER_API_KEY"
        hash_type: "sha256" # sha256 | sha1 | md5
        ioc_types: # list of ioc types, option one, many or all
          - ip
          - domain
          - url
          - hash
        adversary:  # list of adversary types, option one, many or all
          - C2C
          - Malware
          - Mining
          - Spam
          - Phishing
          - Anonymizer

        days: 30 # MIN 1, MAX 30
    # - COMPANY 2
    # - COMPANY 3 
    # -  ...
Notes
The COMPANY string at the end of the Companies file is used when deploying integrations for multiple companies. If this is your case, replace the COMPANY string with the information of each of your other integration deployments, using the same format as with the first one. This can be particularly useful for LUMU MSP customers.
Warning
If your integration is not a multiple deployment, removing the “#” symbol from the COMPANY string will result in an error. Only enable the COMPANY string when you need to deploy multiple integrations.
Within this file the COMPANY_UUID and DEFENDER_API_KEY fields are mandatory. Please use the values captured in the previous steps. The ioc_types values must match with the IOC types required by the integration.

Complete the integrations file

Notes
The integration supports the following Web console languages. You can specify which by filling in the appropriate string under the Language parameter in the Integration file. Select them according to the language you chose in the Prepare ESET Protect for Lumu integration step:
  1. English: Use the string English
  2. Español (América Latina): Use the string SpanishLatam
  3. Español (España): Use the string SpanishSpain

The integration file contains the information required for the integration to connect and interact with your ESET Protect deployment. Here are some guidelines to properly fill it out:

  1. The POLICY NAME parameter is filled with the name of the Policy you created in the Identify Endpoint Policies section at the beginning of this document.
  2. The List of blocked addresses parameter is filled with the name of the Address List used in the Select or Create an Address List section earlier in this document.

  1. -
      lumu:
        uuid: "COMPANY_UUID"
        adversaryTypes: [ "C2C", "Malware", "DGA", "Mining", "Spam", "Phishing", "Anonymizer"] # ["C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"]
        days: 10 # INTEGER=(get incidents from X days of the ioc manager local db)
      app:
        name: "<CLIENT-NAME>" # Unique Account Name of the Cloud company subscription
        clean: false # false | true
        Language: English # English, SpanishLatam, SpanishSpain
        Policy: # ONLY APPLIES for OS Windows, Linux workstations
          Name: "POLICY-NAME"      
    AddressListName: "List of blocked addresses" # Name | null, default "List of blocked addresses"
          ioc: [ ip, domain, url ] # [ ip, domain, url ] | [] | null
          
        api:
          hostname: "IP-HOSTNAMEPORT"
          username: "AUTH-USERNAME"
          password: "AUTH-PASSWORD"
    # - INTEGRATION 2
    # - INTEGRATION 3 
    # -  ...
Notes
The INTEGRATION string at the end of the integrations file is used when deploying multiple integrations. If this is your case, replace the INTEGRATION string with the information of each of your other integration deployments, using the same format as with the first one. This can be particularly useful for LUMU MSP customers.
Warning
If your integration is not a multiple deployment, removing the “#” symbol from the INTEGRATION string will result in an error. Only enable the INTEGRATION string when you need to deploy multiple integrations.

Deploy Integration as script

To deploy the integration as script, you need to run the install.sh script inside the integration package.
Notes
Make sure the install.sh script has the execution permission before running it.
To run the installation script, locate yourself in the app_lumu_root folder, then execute this line through CLI.
./install.sh all

The installation script will set up the Python environment and two different cron jobs.
Notes
If you want to modify the default running interval set up by the installation script, you can modify the latest crob job entries based on your environment requirements.
Notes
If you want to restart or uninstall the integration run the ./restart all and ./uninstall all respectively

Script details

To use the script, you must locate yourself on the path selected for deployment (<app_lumu_root>). Use the following command to show all options available for the package:

python run.py -h

Usage: eset_lumu [-h] [--config CONFIG] [--ioc-manager-db-path IOC_MANAGER_DB_PATH] [-v] [-c] [-l {screen,file}] [--hours HOURS]

Options Description
-h, --help show this help message and exit
--config CONFIG default: integrations.yml, CONFIG FILE PATH of the companies, follow the nex YML template.
--ioc-manager-db-path IOC_MANAGER_DB_PATH default path: ./ioc.db, PATH where the integration goes to read the Lumu Incidents
--logging {screen,file} Logging option (default screen).
-c, --clean the flag means Clean all integration and override the yml clean field
--verbose, -v Verbosity level.
--hours HOURS keep db log record from [x hours], for auto maintenance local db purpose

Usage Examples

  • Task: query IOC related to Lumu incidents with default options
To query all the IOC related to Lumu incidents triggered in the days defined in your configuration files, run the following command.
python3 run.py
  • Task: query IOC related to specific parameters
By default, the integration script will query incidents related to all adversary types. If you need to filter the query to specific adversary types, you can use the adversaryTypes parameter inside your integrations.yml file and run the command as follows
python3 run.py --config integrations.yml --ioc-manager-db-path /<ioc-manager-path>/ioc.db
  • Task: Clean records
To clean the existing records in ESET Protect, just set up the clean flag in the integrations.yml file to true.
clean: true

Then, run the integration script as follows:
python3 run.py [--config CONFIG] [--ioc-manager-db-path IOC_MANAGER_DB_PATH]

Or you can run the clean command directly to clean all the companies
python3 run.py –clean [--config CONFIG] [--ioc-manager-db-path IOC_MANAGER_DB_PATH]
Notes
The records not manipulated by the integration will be preserved.
Other tasks

According to your needs, you can combine the examples shown. If you need more details on the steps executed by the integration script, you can add the –logging {file, screen} and –verbose arguments. These arguments can be used for troubleshooting.

Deploy as a Docker container (Optional)

If you have a Docker environment, you can select this option to run the integration as a Docker process. To deploy and run your integration as a docker container, locate yourself at the <app_lumu_root> folder, and follow these instructions:
1. Build the container by running the following command.
docker build \
       [--build-arg IOC_MAN_CONFIG='companies.yml'] \
       [--build-arg APP_CONFIG='integrations.yml'] \
       --tag img-lumu-eset-endpoint-response \
       --file DockerfileAllInOne .
Notes
Do not forget the dot "."

2. Run the container by using the following command.

docker run -d \
       -v ./companies.yml:/app/companies.yml \
       -v ./integrations.yml:/app/integrations.yml \
       -v ./debug:/app/debug \
       --restart unless-stopped \
       --log-driver json-file \
       --log-opt max-size=30m \
       --log-opt max-file=3 \
      --name lumu-eset-endpoint-response \
       img-lumu-eset-endpoint-response

With this mode, your integration will run every 5 minutes.

Docker container deployment Troubleshooting

For troubleshooting purposes, you can run the following commands:
  • To log in to your container using an interactive shell:
docker exec -it lumu-eset-endpoint-response bash
  • To collect integration logs:
docker logs -f lumu-eset-endpoint-response

Expected Results and Validation

After running the integration, you will see new items under the selected Address list inside the Web Access Protection configuration for the ESET Policy. Double click on the list you chose at the beginning of the setup process to see IOCs fed by the integration.



If you try to navigate to one of these IOCs by using an endpoint protected with the selected policy, you will get a blocking page like the following:


Troubleshooting and known issues

To identify failures in the script execution, use the -v flag. The script execution log will show more detailed information.
The application logs will be redirected to the lumu.log file. The file errors.log stores only the errors to make them easier to find and aid the troubleshooting process.

Authentication Failed

User, passwords or permission are failing, please test them in the ESET Web Console to check if they work.

Network Connection Failed

Please check network connectivity and reachability through TCP port and check that the ESET Web portal loads and renders correctly.


Input Parameters Validation Failed

Please read one by one the error lines and correct the parameters that failed.

Policy Failed

Occurs when the policy section is not rendered or it was not found. Check if the name of the policy is unique among the others, if it has a short name and if it has invalid characters or non-ASCII code.

Blocklist Within Policy Failed

Please select an existing or create a Blocklist inside the policy for the integration

Another instance is running

If you receive the following error:

Stopping the integration 269169, it might have another older instance running, check if is feasible or not
older pid: 269061 - cwd: /home/lumu/Documents/repos/eset-endpoint-response - since: 2024-05-28 15:29:17.010000
cmdline: /home/lumu/Documents/repos/eset-endpoint-response/.venv31013/bin/python /home/lumu/Documents/repos/eset-endpoint-response/run.py

There could be another instance running. To check this, open the pid.pid file in the integration folder. This file stores the process ID if it’s running.


    Still can’t find an answer?
    Send a message to our experts.
    Contact Us

        • Related Articles

        • Kaspersky Endpoint Security On-Premise Custom Response Integration

          This article shows how to leverage Kaspersky Endpoint Security, also known as KES, through its Kaspersky Security Center (KSC) Web Console and Lumu Defender API to enhance your Response capabilities. Response integration between Kaspersky Endpoint ...

        • ESET PROTECT Cloud Custom Response Integration

          Learn how to use the Lumu Defender API and ESET PROTECT Cloud, together with the ESET Connect API, to effectively mitigate security risks. Response integration between ESET PROTECT Cloud and Lumu Requirements ESET PROTECT Cloud You need an ESET ...

        • Illumio Custom Response Integration

          Learn how to leverage the Lumu Defender API and Illumio API to mitigate security risks. Response integration between Illumio and Lumu Requirements An active Illumio Segmentation subscription. You need an Illumio administrator user to set up the ...

        • Bitdefender Custom Response Integration

          Bitdefender Custom Response Integration This article shows how to leverage the Lumu Defender API and Bitdefender API to mitigate security risks. Requirements GravityZone Business Security Enterprise, cloud version, ...

        • Trend Micro Apex Central Custom Response Integration

          Before going through this article, check our Out-of-the-box App Integrations category. This is the recommended way to integrate the components of your cybersecurity stack with Lumu. If the product you are looking to integrate is there, it is advised ...