Forcepoint Web Security Cloud service doesn't have a REST API, so this script simulates the actions run by an admin user to feed a Custom category with URLs and sites using the Forcepoint portal. If there is any change in the browsing experience, the script could stop working.
To create a dedicated contact in Forcepoint Web Security for Lumu integration, please refer to Forcepoint - Adding a contact .
First, contact the Lumu support team to request the deployment package.
Unpack the deployment package provided by Lumu in your preferred path/folder. Keep in mind this location, as it will be required for further configurations. From now on, we will refer to this folder as <forcepoint_lumu_root> .
In the package, you will find the script required to run the integration. To use the script, you must locate yourself on the path selected for deployment ( <forcepoint_lumu_root> ). Specific directions are included in the next sections.
The file requirements.txt contains the list of requirements for this integration. After deploying the package locally, run the following command from the deployment folder:
To use the script, you must locate yourself on the path selected for deployment ( <forcepoint_lumu_root> ). Use the following command to show all options available for the package:
Usage: forcepoint_lumu.py [options]
Options |
Description |
-h, --help |
show this help message and exit |
--config CONFIG |
Load options from config file |
--company-key COMPANY_KEY --company_key COMPANY_KEY |
Lumu Company Key (Defender API). |
--proxy-host PROXY_HOST --proxy_host PROXY_HOST |
Proxy host (if required) |
--proxy-port PROXY_PORT --proxy_port PROXY_PORT |
Proxy port (if required) |
--proxy-user PROXY_USER --proxy_user PROXY_USER |
Proxy user (if required) |
--proxy-password PROXY_PASSWORD --proxy_password PROXY_PASSWORD |
Proxy password (if required) |
--logging {screen,file} |
Logging option (default screen). |
--verbose, -v |
Verbosity level. |
--username USERNAME |
Forcepoint Web Security Cloud service username. |
--password PASSWORD |
Forcepoint Web Security Cloud service password. |
--category CATEGORY |
Forcepoint Custom category name (default Lumu IOCs). |
--description DESCRIPTION |
Forcepoint Custom Category description (default Lumu IOCs). |
--adversary-types {C2C,Malware,DGA,Mining,Spam,Phishing} --adversary_types {C2C,Malware,DGA,Mining,Spam,Phishing} |
Lumu adversary types to be filtered. |
--days DAYS |
The number of days backward from now to query Lumu incidents. |
--clean |
Cleans all rules and objects created by the Lumu integration. |
--preserve-file --preserve_file |
Don't delete the intermediate CSV file. |
Use the following command to fetch and push to Forcepoint Web Security URL IOCs related to open incidents found in your organization by Lumu:
The integration creates a new custom category Lumu IOCs with the URLs. You need to add the custom category to a policy marking it to Block access . For further executions, the integration will update the site list.
Use the following command to fetch and push to a specific custom category of Forcepoint Web Security URL IOCs related to open incidents found in your organization by Lumu:
You need to add the custom category to a policy marking it to Block access . It's recommended to leave a dedicated custom category for Lumu.
Use the following command to fetch and push to Forcepoint Web Security IOCs related to open incidents found in your organization by Lumu with contacts in the last X days.
By default, the script queries open incidents of all adversary types (Phishing, Malware, DAG, Spam, others). If you need to collect specific types of incidents, you can use the argument --adversary-types ADVERSARY_TYPE . If you need to get two or more adversary types, you only need to append a new instance of the parameter.
python forcepoint_lumu.py --username <forcepoint_username> --password <forcepoint_password> --company-key <lumu_company_key> --days X --adversary-types Phishing --adversary-types Malware
|
If you need to delete the Custom category created by this integration, use the --clean flag with the authentication arguments and its name using the --name CATEGORY argument.
The script creates and deletes the intermediate CSV file site_list_tmp.csv to upload sites to the Custom category. If you want to preserve it, append --preserve-file to the command line.
The file site_list_tmp.csv will be located in the script root path for further reference. Have in mind this will be overwritten after each iteration of the integration.
By default, you will see the execution log on the screen console. Use the argument --logging file to store a record of all tasks run in the lumu.log file in the script root path.
This file is useful for scheduled tasks or processes running in the background. When you open this file, you will see the following. The information displayed aids in checking the execution progress.
According to your needs, you can combine the examples shown.
You will see a new
Custom category (account level)
at the Forcepoint Web Security service as follows:
The details of the category will show you the uploaded sites:
After the Custom category has been created and maintained by the integration, you need to use it inside a Forcepoint Policy. For doing this, please go to the
Web
menu and click on the
Policies
link.
Choose the desired policy and click on its name. Look for the
Web Categories
tab and click on it. Select the Custom category under the
Account Custom Categories
branch under the categories tree on the left side of the page. On the right side, the
Action
form will display. Click the
Block access
button and select the
Access blocked
option under the drop-down list. When you finish the configuration, click on the
Save
button.
To run the script on a timely basis, consider implementing a Scheduled task in Windows or a Cron task in Unix-based systems. If you are pushing hashes, the integration could take longer to run. We recommend that the scheduled job runs every 30 minutes.
Following, you have an example of how this
Cron job
should look using the recommended time.
It’s recommended to add the --logging file parameter to any scheduled task. It will record all the output in the log file for further reference
If you need to work with another scheduling time, you can use the crontab guru service.
To avoid race conditions, you can run only one instance. If you have one running, the second one will be canceled immediately.
To identify failures in the script execution, use the -v flag. The script execution log will show more detailed information.
If you receive the following error.
If the previous validation indicates that another instance is running, please, check its progress using the integration’s log lumu.log .