Google Cloud Platform Custom Response Integration

Google Cloud Platform Custom Response Integration

This article shows how to leverage the Lumu Defender API and Google Cloud Platform API to mitigate security risks.

Requirements

  • Google Cloud Platform
    • You need a Google Cloud admin user to perform the configuration steps required to deploy the integration
  • Lumu Defender API key
    • To retrieve an API token, please refer to the Defender API document.
  • Script host.
    • A scripting host is required to deploy the integration. This host must have Internet visibility over Lumu Defender API endpoints and Google Cloud. According to the deployment model you select, you will need a host with:
      • Python 3.10+
        or
      • A Docker-enabled host.
  • Script package
    • Contact the Lumu Support Team to request the package we created to deploy the required files.

Contacted hosts

Allow all traffic to the following hosts. These are required for the operation of this integration:
  • Google Cloud IPs
  • defender.lumu.io

Integration’s overview

The integration leverages the Firewall policies feature in the Network Security - Cloud NGFW module, supporting IP addresses and FQDNs. It manages IP addresses and Domains related to Lumu-detected adversarial contacts within a Firewall policy. Then, you associate the Lumu-related firewall policy object to the VPCs Networks in the project
Notes
The Firewall Policy object supports a maximum of 10,000 IP addresses and 100 FQDN distributed in all the firewall rules.
Notes
The Firewall Policy can be associated with a Shared VPC Network. This association must be done in the host project, not with its associated child projects.

Configure Google Cloud Platform

Follow these steps to set up your Google Cloud console for Lumu integration.

Configure the Google Cloud projects

Notes
You can integrate more than one Google Cloud Project at a time. Make sure you run these steps for all the projects you want to integrate Lumu with.
  • Go to the IAM & Admin > Manage Resources module and identify the project you will integrate.

  1. List the available projects by clicking on the project list at the top of the screen, next to the Google Cloud image.

Notes
Copy the ID of the projects you want to integrate Lumu with. This information will be asked later to configure the integration
Notes
The next steps must be executed for each project you want to integrate to Lumu

Enable the Compute Engine API

Select the Google Cloud project before running these steps

1, Click on the API & Services > Enabled API & Services module in the navigation bar.
2. Look for the Compute Engine API and click on the link.
3. Click on the ENABLE button in the Compute Engine API window.

Create a Custom Integration Role

To maintain the lowest privilege for Lumu integration, you must create a Custom role for each Google Cloud project.

1. Click on the IAM & Admin module > Roles module in the navigation bar.
2. Click on the CREATE ROLE button in the Roles window.
3. Create a new role with the following permissions.

Permissions

cloudasset.assets.listComputeFirewallPolicies

compute.firewallPolicies.get

compute.firewallPolicies.list

compute.firewallPolicies.update

compute.firewallPolicies.use

compute.globalOperations.get

compute.globalOperations.list

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.update

compute.regionFirewallPolicies.use

compute.regionOperations.get

compute.regionOperations.list

Create a Service Account

Notes
You can create a service account at the organization level and assign it access to each project you want to integrate to Lumu. If you choose to create a service account at the project level, you must create a service account per project.
Now, you must create a service account attached to the created role

1. Click on the APIs & Services> Credentials module in the navigation bar
2. Click on the CREATE CREDENTIALS button in the Credentials window. Select Service Account.
3. Fill in the required data:
a. In the Service account details, fill in the Name and Description fields
b. Continue and Grant the Service Account access to project by assigning the role created above. 
4. Save the new service account by clicking on the Done button

Add a key to the Service Account

Lumu integration needs a key to use the created service account. To create it, follow these steps under the Google Cloud Console:

1. Access to the created service account. Then click on the KEYS tab.
2. Click on the ADD KEY button. Select the Create new key option
3. Select JSON as the Key type. Finally, click on the CREATE button

After creating the key, the browser will download its definition in JSON format. The Service Account Authentication file looks like the following.
Notes
Save the Service Account Authentication in a safe place. It will be required later to configure the integration.

Identify The Network Firewall Policies

For each project to integrate with Lumu, you must identify the Firewall Policies you want the integration to manage.
Notes
Take note of the policy name. It will required to configure the integration

Collect the required data from Lumu portal

The integration set-up process needs you to collect this information from Lumu portal:
  • Lumu Defender API key
  • Company UUID
Log in to your Lumu portal and run the following procedures to collect these data.

Collect the Lumu Defender API key

To collect the Lumu Defender API key, please refer to the Defender API document.

Collect your Lumu company UUID

To collect your Lumu company UUID, log in to your Lumu portal. Once you are in the main window, copy the string below your company name.

Deploy the integration

There are 2 environment options to deploy the script, select the one that best fits your current infrastructure.
  • Run it as a Python script executing the install.sh bash file
    • Creates a Python virtual run time and its dependencies for you
    • Installs the crontab line in the host
  • Run it as a Docker container.
Whichever alternative you select, you need to first unpack the integration package shared by our Support team.
Unpack the deployment package provided by Lumu in your preferred path/folder. Keep in mind this location, as it will be required for further configurations. From now on, we will refer to this folder as <app_lumu_root>.
Notes
If you use the install script, use the uninstall.sh bash file to remove the integration from the host.

Prepare Python on your environment

You must create a Virtual environment to run the Azure setup script. Follow the steps in our Preparing Environment for Custom Integrations article.

Set up the configuration files

To set up the integration, you need to add and edit two configuration files:
  • companies.yml: this file contains the information collected from the Lumu portal
  • integrations.yml: this file contains the information collected from your Google Cloud console.
Notes
Inside the integration package, you will find sample files you can use to build your configuration files. These files are companies_template.yml and integration_template.yml.

Complete the companies file

The companies file is in charge of defining how the integration connects to Lumu and extracts the information of the incidents and related indicators of compromise.

  1. - lumu: uuid: "COMPANY-UUID" [name: "COMPANY-NAME"] [contact_name: "CONTACT_NAME"] [contact_email: "CONTACT_EMAIL"] defender_key: "DEFENDER_API_KEY" hash_type: "HASH_ALG" # sha256 | sha1 | md5 ioc_types: # list of ioc types, option one, many or all - ip - domain - url - hash adversary: # list of adversary types, option one, many or all - C2C - Malware - Mining - Spam - Phishing - Anonymizer days: 30 # MIN 1, MAX 30

Within this file, COMPANY_UUID and DEFENDER_API_KEY fields are mandatory. Please use the values captured in the previous steps. The ioc_types values must match with the IOC types required by the integration, in this case, ip and domain.

Complete the integrations file

The integrations file contains the information required for the integration to connect and interact with your deployment:

  1. - lumu: uuid: "<COMPANY-UUID>" adversaryTypes: [ "C2C", "Malware", "Mining", "Spam", "Phishing"] # ["C2C", "Malware", "Mining", "Spam", "Phishing"] days: 30 # INTEGER=(get incidents from X days of the ioc manager local db) app: name: UNIQUE-NAME clean: false # true | false ProjectId: PROJECT-ID # Project ID FirewallPolicy: FW-POLICY-NAME # Global/Region Network Firewall Policy region: null # default null (Global), String(Region), Optional field ioc: [ ip, domain, ] # either of them or all ones auth_filename: "AUTH-FILE-PATH" # Google Service Account JSON file path
Notes
You must fill in the configuration data carefully. If there are any mistakes or missing data, you’ll receive errors. Please refer to the Troubleshooting and known issues section at the end of this article for further reference.

Prepare Python on your environment

Notes
If Docker is your chosen deployment method, you may skip this step.
If Python is your chosen deployment method, you will need to create a Virtual environment for each integration to avoid conflicts between them and your operating system tools. Make sure you follow the steps in our Preparing Environments for Custom Integrations article.

Deploy Integration as script

To deploy the integration as script, you need to run the install.sh script inside the integration package.
Notes
Make sure the install.sh script has the execution permission before running it.
To run the installation script, locate yourself in the app_lumu_root folder, then execute this line through CLI.

/install.sh all

The installation script will set up the Python environment and two different cron jobs.
Notes
If you want to modify the default running interval set up by the installation script, you can modify the latest crob job entries based on your environment requirements.
Notes
If you want to restart or uninstall the integration run the ./restart all and ./uninstall all respectively.

Script details

To use the script, you must locate yourself on the path selected for deployment (<app_lumu_root>). Use the following command to show all options available for the package:

python run.py -h
Usage: run [-h] [--config CONFIG] [--ioc-manager-db-path IOC_MANAGER_DB_PATH] [-v] [-l {screen,file}] [--hours HOURS]

Options

Description

-h, --help

show this help message and exit

--config CONFIG

default: integrations.yml, CONFIG FILE PATH of the companies, follow the integrations_template.yml template.

--ioc-manager-db-path IOC_MANAGER_DB_PATH

default path: ./ioc.db, PATH where the integration goes to read the Lumu Incidents

--logging {screen,file}

Logging option (default screen).

--verbose, -v

Verbosity level.

--hours HOURS

keep db log record from [x hours], for auto maintenance local db purpose

Usage Examples

Task: query IOCs related to Lumu incidents with default options

To query all the hashes related to Lumu incidents triggered in the days defined in your configuration files, run the following command.

python3 run.py

Task: Clean records

To clean the existing records, just set up the clean flag in the integrations.yml file to true.
clean:true

Then, run the integration script as follows:
python3 run.py [--config CONFIG] [--ioc-manager-db-path IOC_MANAGER_DB_PATH]

Notes
The records not manipulated by the integration will be preserved.

Other tasks

According to your needs, you can combine the examples shown. If you need more details on the steps executed by the integration script, you can add the –logging {file, screen} and –verbose arguments. These arguments can be used for troubleshooting.

Deploy as a Docker container (Optional)

If you have a Docker environment, you can select this option to run the integration as a Docker process. To deploy and run your integration as a docker container, locate yourself at the <app_lumu_root> folder, and follow these instructions:
1. Build the container by running the following command.
docker build \
      --tag img-gcp-response \
      --file DockerfileAllInOne .
Notes
Do not forget the dot "."
2. Run the container by using the following command.

docker run -d \

      -v ./integrations.yml:/app/integrations.yml \

      -v ./companies.yml:/app/companies.yml \

      --restart unless-stopped \

      --log-driver json-file \

      --log-opt max-size=30m \

      --log-opt max-file=3 \

      --name lumu-gcp-response \

      img-gcp-response

With this mode, your integration will run every 5 minutes.

Troubleshooting

For troubleshooting purposes, you can run the following commands.

To log in to your container using an interactive shell:
docker exec -it lumu-gcp-response bash

To collect integration logs:
docker logs -f lumu-gcp-response
Notes
If you must reset your credentials frequently, you can run your container by adding the following argument to the docker run create command: 

      -v AUTH-FILE-PATH:/app/AUTH_FILENAME

Where AUTH_FILE_PATH is the full path to Google’s credential file on the Docker device and  AUTH_FILENAME is the value of the parameter auth_filename within the integrations.yml configuration file.

Expected results

After running the integration, you will see new rules in the Network Firewall Policy Rules section, if there was any detection related either IP addresses or Domains.



Troubleshooting and known issues

To identify failures in the script execution, use the -v flag. The script execution log will show more detailed information.

The application logs will be redirected to the lumu.log file. The file errors.log stores only the errors to make them easier to find and aid the troubleshooting process.

Input Validation

If you receive errors like this:
ValidationError: 1 validation error for CompanyPyModel
app.api.gh
  Extra inputs are not permitted [type=extra_forbidden, input_value='kh', input_type=str]

It means you are using the wrong key parameters or values. Review your configuration files and run the integration again.

Another instance is running

If you receive the following error.

Stopping the integration 39, it might have another older instance running, check if is feasible or not
older pid: 25 - cwd: /app - since: 2024-10-04 14:50:01.560000
cmdline: /usr/local/bin/python3 /app/run.py

There could be another instance running. To check this, open the pid.pid file in the integration folder. This file stores the process ID if it’s running.

Further steps

Now that the integration manages IP and Domain IOCs in the Network Firewall Policy, you must associate the Firewall Policies with the VPC Networks. Follow these steps in your Google Cloud console to associate the Firewall Policy to a VPC Network:
1. Go to VPC Network Security> Firewall in the navigation menu. Click on the Firewall Policies left menu under the Cloud NGFW section
2. Look for the Network firewall policies section and click on the selected Policy Name
3, Click on the ASSOCIATIONS tab in the Firewall Policy configuration.
4. Click on ADD ASSOCIATION.
5. Check the VPC networks to associate this policy and then click on the ASSOCIATE button


        • Related Articles

        • Google Cloud Platform VPC Out-of-the-box Data Collection Integration

          To learn more about Out-of-the-box Integrations and their benefits, please refer to this article. In this article, you will find out how to configure Google Cloud Platform (GGP) VPC to pull and collect data from your network in the form of logs, and ...
        • Acronis Cyber Protect Cloud Custom Response Integration

          This article shows how to leverage Acronis Cyber Protect Cloud API and Lumu Defender API to enhance your Response capabilities. Response integration between Acronis Cyber Protect Cloud and Lumu Requirements An Acronis Cyber Protect Cloud subscription ...
        • Bitdefender Custom Response Integration

          Bitdefender Custom Response Integration This article shows how to leverage the Lumu Defender API and Bitdefender API to mitigate security risks. Requirements GravityZone Business Security Enterprise, cloud version, ...
        • Azure Custom Response Integration

          This article shows how to leverage Azure Virtual Networks REST API and Lumu Defender API to enhance your Response capabilities. Response integration between Azure and Lumu Requirements An Azure subscription with Compute services deployed. An Azure ...
        • Akamai SIA Custom Response Integration

          This article shows how to leverage the Lumu Defender API and Akamai SIA (ETP) Configuration API to mitigate security risks. Requirements An Akamai SIA subscription. An Akamai Control Center access is required for setting up and collecting Akamai ...