This article shows how to leverage the Lumu Defender API and Harmony Endpoint Configuration API to mitigate security risks.
On Check Point Infinity portal go to Global Settings, then click on the API Keys submenu in the left panel:
1. Click on the New button. In the Create a new API key, set the Service field to Harmony Endpoint, fill out the Expiration, and Description.
2. For the Role field, select a role with entitlement to write/read actions as Admin, Primary Admin or Power User role.
Copy the details shown: Client ID, Secret Key, Authentication URL. These will be required later to configure the integration.
There are two environment options to deploy the script; select the one that fits better in your current infrastructure. Whatever alternative you select, you need to first unpack the integration package shared by our Support team. Unpack the deployment package provided by Lumu in your preferred path/folder. Keep in mind this location, as it will be required for further configurations. From now on, we will refer to this folder as <harmony_lumu_root>.
In the package, you will find the script required to run the integration. To use the script, you must locate yourself on the path selected for deployment (<harmony_lumu_root>). Specific directions are included in the next sections.
If you are running different Python scripts in the selected host, it’s recommended to create a virtual environment to preserve the integrity of other tools. To do so, follow these steps:
1. Using a command line tool, locate yourself in the <harmony_lumu_root> folder
2. Run the following command to create the virtual environment
python3 -m venv <venv_folder>3. Activate the virtual environment running the following
source <venv_folder>/bin/activate
The file requirements.txt contains the list of requirements for this integration. After deploying the package locally, run the following command from the deployment folder:
To use the script, you must locate yourself on the path selected for deployment (<harmony_lumu_root>). Use the following command to show all options available for the package:
usage: harmony_endpoint_lumu.py [options]
Options | Description |
---|---|
-h, --help | show this help message and exit |
--config CONFIG | Load options from config file |
--proxy-host PROXY_HOST--proxy_host PROXY_HOST | Proxy host (if required) |
--proxy-port PROXY_PORT--proxy_port PROXY_PORT | Proxy port (if required) |
--proxy-user PROXY_USER--proxy_user PROXY_USER | Proxy user (if required) |
--proxy-password PROXY_PASSWORD--proxy_password PROXY_PASSWORD | Proxy password (if required) |
--company-key COMPANY_KEY--company_key COMPANY_KEY | Lumu Company Key (Defender API). |
--logging {screen,file} | Logging option (default screen). |
--verbose, -v | Verbosity level. |
--adversary-types {C2C,Malware,Mining,Spam,Phishing--adversary_types {C2C,Malware,Mining,Spam,Phishing} | Lumu adversary types to be filtered. |
--days DAYS | The number of days backward from now to query Lumu incidents (default 30). |
--test, -t | Runs a test with one incident only. |
--clean | Cleans all rules and objects created by the Lumu integration. |
--hrmny_ext_auth_url HRMNY_EXT_AUTH_URL | Infinity Auth URL given when API Key is created, e.g. https://cloudinfra-gw-us.portal.checkpoint.com/auth/external |
--hrmny_client_id HRMNY_CLIENT_ID | Harmony client id given when API Key is created |
--hrmny_secret_key HRMNY_SECRET_KEY | Harmony secret key given when API Key is created |
--hrmny_base_host HRMNY_BASE_HOST | [OPTIONAL] Harmony Endpoint Host (domain)if it is not set the app extract the data from hrmny_ext_auth_url, e.g. cloudinfra-gw.portal.checkpoint.com |
--ioc-types {ip,url,domain,hash}--ioc_types {ip,url,domain,hash} | IOC types to be collected and processed by the integration. |
To query all the IoCs related to Lumu incidents triggered in the last 30 days, run the following command.
By default, the integration script will query incidents for the last 30 days. If you need to change this value, you can use the --days flag as follows.
In this example, the integration will query and push to Akamai ETP lists, IOCs related to incidents in the last 5 days
By default, the integration script will query incidents related to all adversary types. If you need to filter the query to specific adversary types, you can use the --adversary-types flag as follows
In this example, the integration will query and push to Harmony Endpoint lists, IOCs from incidents related to adversaries classified as C2C and Malware.
By default, the integration script will collect all the supported IOC types (IPs, domains, URLs, and hashes). If you need to filter the query to collect specific IOC types, you can use the --ioc-types flag as follows
In this example, the integration will query and push to Harmony Endpoint lists, URLs and hashes from Lumu incidents.
You can run the integration using a configuration file where you can save the required arguments in the form of <argument_name>=<value>, one argument per line. In the <harmony_lumu_root> path, save a file named .config with your configuration. Following, you have a sample of the format of the file.
- ## Configuration file # Lumu company_key=<LUMU_COMPANY_KEY> # App hrmny_ext_auth_url=<HARMONY_AUTH_URL> hrmny_client_id=<HARMONY_CLIENT_ID> hrmny_secret_key=<HARMONY_SECRET_KEY> hrmny_base_host=[<HARMONY_BASE_HOST>] # Misc # Optional arguments ioc-types=ip ioc-types=url ioc-types=domain ioc-types=hash # Optional arguments (default all adversary types) adversary-types=C2C adversary-types=Malware adversary-types=Mining adversary-types=Spam adversary-types=Phishing # Optional (default days: 30) days=8 # Output trace destination. For Docker deployments leave this as screen logging=[screen|file]
When the script is run with the –clean flag, it will erase all Lumu records created. Using this flag, you will return the Harmony Endpoint lists to their original state.
According to your needs, you can combine the examples shown.
To run the script on a timely basis, consider implementing a Scheduled task in Windows or a Cron task in Unix-based systems. If you are pushing hashes, the integration could take longer to run. We recommend that the scheduled job runs every 30 minutes.
Following, you have an example of how this Cron job should look using the recommended time.
It’s recommended to add the --logging file argument to any scheduled task. It will record all the output in the log file for further reference. If you have created a configuration file, your crontab entry doesn’t need arguments. It should look as follows:
If you need to work with another scheduling time, you can use the crontab guru service.
To avoid race conditions, you can run only one instance. If you have one running, the second one will be canceled immediately.
If you have a Docker environment, you can select this option to run the integration as a Docker process. To deploy and run your integration as a docker container, locate yourself at the <harmony_lumu_root> folder, and follow these instructions:
1. To build the container, run the following command. Change all the flags based on the reference given in the script section above.
docker build --build-arg hrmny_ext_auth_url='xxx' --build-arg hrmny_client_id='xxx' --build-arg hrmny_secret_key='xxx' --build-arg hrmny_base_host='xxx' --build-arg company_key='xxx' --tag python-lumu-harmony-response .
Or
docker build --build-arg hrmny_ext_auth_url='xxx' --build-arg hrmny_client_id='xxx' --build-arg hrmny_secret_key='xxx' --build-arg company_key='xxx' --tag python-lumu-harmony-response .Do not forget the dot "." at the end of the line2. To run the container, run the following command:
docker run -d --restart unless-stopped --name lumu-harmony-response python-lumu-harmony-response
With this mode, your integration will run every 30 minutes.
For troubleshooting purposes, you can run the following commands:
To log in to your container using an interactive shell:
To collect integration logs:
Make sure that your Threat Prevention Policy capabilities for Anti-Bot Mode in the Behavioral Protection section are set to Prevent.
After running the integration, you will see Manage IoCs list over the Policy > Threat Prevention > Policy Capabilities -> Manage IoC module.
Check the records updated by the integration in the Manage IoCs Module. All IOCs added to this module will be blocked.
To identify failures in the script execution, use the -v flag. The script execution log will show more detailed information.
If you receive the following error.
There could be another instance running. To check this, open the pid.pid file in the integration folder. This file stores the process id if it’s running. Search for this process in your system. The following pictures show the process in Windows and Linux.
If the previous validation indicates that another instance is running, please, check its progress using the integration’s log lumu.log.