Infoblox Custom Response Integration

Infoblox Custom Response Integration

Before going through this article, check our Out-of-the-box App Integrations category. This is the recommended way to integrate the components of your cybersecurity stack with Lumu. If the product you are looking to integrate is there, it is advised to use that integration instead.
This article shows how to leverage the Lumu Defender API and Infoblox DNS to mitigate security risks. This integration script is offered as-is. No further support will be provided.
Lumu Event API data collection configurationLumu Event API data collection configuration

Requirements

  1. Infoblox DNS User and Password values. Please follow the directions given in the article Create User API Keys on Infoblox official documentation.
  2. Lumu Defender active subscription and API key.
  3. Scripting host with Python 3.6+ to deploy script code.
  4. Script deployed.
  5. Clone the code from the provided repository into a scripting host.

Prepare Python on your environment

As a recommended practice, we encourage you to create a Virtual environment for each integration to avoid conflicts between them and your operating system tools. Make sure you follow the steps in our Preparing Environment for Custom Integrations article.

Deploy the script

First, contact the Lumu Support Team to request the deployment package.

Script location

Unpack the deployed package provided by Lumu in your preferred path/folder. Keep in mind this location, as it will be required for further configurations. From now on, we will refer to this folder as <infoblox_lumu_root> .

Installation requirements

The file requirements.txt contains the list of requirements for this data collector. After deploying the package locally, run the following command from the deployment folder:

[sudo] pip install -r ./requirements.txt

Script details

For using the script, you must locate yourself on the path selected for deployment ( <infoblox_response> ). Use the following command to show all options available for the package:

python infoblox_response.py --help

Usage: infoblox_response.py [options]

Options
Description
-h, --help
Show this help message and exit
--company-key or --company-key COMPANY_KEY
Lumu Company Key (Defender API).
--adversary-types or --adversary-types {C2C,Malware,DGA,Mining,Spam,Phishing}
Lumu adversary types to be filtered.

--client-key or --client_key CLIENT_KEY
--collector-id or --collector_id COLLECTOR_ID
Lumu Client Key.
Lumu Custom Collector ID.
--logging or -log {screen,file}
--verbose or -v
Logging option (default screen
Verbosity level.
--proxy-host or --proxy_host PROXY_HOST
--proxy-port or --proxy_port PROXY_PORT
--proxy-user or --proxy_user PROXY_USER
--proxy-password or -proxy_password PROXY_PASSWORD
Proxy host (if required)
Proxy port (if required)
Proxy user (if required)
Proxy password (if required)
--host or -host HOSTNAME
--user or -user USERNAME
--pass or -pass PASSWORD
--api_key
--security_policy
Address of host(Grid Master).
User(Grid Master).
Credentials of Grid Master
Api Key of BloxOne
Name of Security Policy if required

Usage examples

By default
Use the following command to fetch and push all adversaries detected by Lumu in the last 7 days to Infoblox.
python infoblox_response.py --company-key <lumu-defender-api-key> -host <ip-address> --user <username> --pass <password>

Each time the script is run, it will overwrite the locks and execute locks by web access.

By Cloud
Use the following command to fetch and push all adversaries detected by Lumu in the last 7 days to Infoblox.

Option 1
python infoblox_response.py --company-key <lumu-defender-api-key> –api_key <BloxOne Api Key> –security_policy <Name_Security_Policy>

Option 2
python infoblox_response.py --company-key <lumu-defender-api-key> –api_key <BloxOne Api Key>

Each time the script is run, it will overwrite the locks and execute locks by web access.

Expected results

After running the script, all query adversaries will be pushed into the Infoblox administrator console. Administration/Logs/AuditLog
Infoblox administrator consoleInfoblox administrator console

Troubleshooting

To identify failures on the script, use the -v flag. This will allow you to identify failures in the script execution.
        • Related Articles

        • DNSFilter Custom Response Integration

          This article shows how to leverage the Lumu Response API and DNSFilter API to mitigate security risks. Requirements An active DNSFilter subscription. A DNSFilter Pro subscription or up is required. Script host. A scripting host is required to deploy ...
        • Azure Custom Response Integration

          This article shows how to leverage Azure Virtual Networks REST API and Lumu Defender API to enhance your Response capabilities. Response integration between Azure and Lumu Requirements An Azure subscription with Compute services deployed. An Azure ...
        • Bitdefender Custom Response Integration

          Bitdefender Custom Response Integration This article shows how to leverage the Lumu Defender API and Bitdefender API to mitigate security risks. Requirements GravityZone Business Security Enterprise, cloud version, ...
        • Akamai SIA Custom Response Integration

          This article shows how to leverage the Lumu Defender API and Akamai SIA (ETP) Configuration API to mitigate security risks. Requirements An Akamai SIA subscription. An Akamai Control Center access is required for setting up and collecting Akamai ...
        • CylanceENDPOINT Custom Response Integration

          This article shows how to leverage the Lumu Defender API and CylanceENDPOINT API to mitigate security risks. Requirements CylanceENDPOINT subscription A CylanceENDPOINT Standard subscription or above is required (formerly CylancePROTECT) Lumu ...