Lumu BYOTI - Bring Your Own Threat Intelligence


Lumu collects threat intelligence from various sources to detect and confirm instances of compromise within the network. However, organizations may sometimes need to investigate specific domains or IPs of interest for threat hunting. There may also be cases where an IoC has not yet been added to Lumu’s knowledge base or situations where organizations want to manage the lifecycle of their own IoCs. In these cases, organizations can submit their own intelligence to Lumu.

Bear in mind that any IoCs reported using the BYOTI feature will be processed by Lumu according to the list they are added to. If they are added to the blacklist and Lumu matches an IoC with a contact, it will be reported as an incident and sent to any corresponding integrations to be processed and responded to automatically. If they are added to a whitelist, they will be excluded from analysis and no contacts with those IoCs will be reported as incidents.

How can I use BYOTI on Lumu?

You can provide your own TI for analysis through our support team. To do so, open the Lumu Portal and click the help widget at the bottom-right corner of the portal.


Then, click on Support.


This will open a ticket form where you must provide all required contact information and the details of your request. There are two main use cases for BYOTI: whitelisting and blacklisting. We will take a look at both use cases and how to properly provide the required threat intelligence.

Info
Lumu does not manage the threat intelligence lifecycle of IoCs delivered through BYOTI; this responsibility rests with the organization’s cybersecurity team. While this process can be challenging, Maltiverse by Lumu can help analyze IoCs and streamline lifecycle management.

BYOTI - Whitelisting

You can make use of Lumu BYOTI to prevent Lumu from creating any incidents for specific IoCs. This can be useful in cases such as:

  • The organization has an IoC that they do not want reported as malicious under any circumstances.
  • The organization has a recurring incident creating unnecessary noise and, although muting the incident would be the recommended approach, it has been decided that whitelisting the IoC is the better solution.
Alert
Lumu carefully curates and maintains its whitelist to prevent false positives as much as possible, especially for popular hosting services such as Google, Amazon, and Dropbox. By adding or removing elements from your private lists, you can adjust how Lumu functions and performs within your organization.

Notes
Lumu will only receive the provided IoCs and either present them as incidents or exclude them from analysis, depending on your request. This means that the data you deliver must be properly examined by the organization to ensure that any operational actions taken as a consequence are appropriate. Determining whether a provided IoC is malicious is the responsibility of the organization’s cybersecurity team.

To send a whitelist BYOTI request, carry out the following steps:

1. Start creating a support ticket by following the previously mentioned steps.

2. Use an appropriate and descriptive subject. This will make it easier for our support team to process it.

3. Enter all the necessary information in the ticket’s description. Below, you will find a useful template to do so. Bear in mind that using the template properly will ensure that Lumu receives the information correctly. The template is structured as follows:

  • UUID: Your organization's UUID in the Lumu Portal. E.g.: aa11bb22bb33-123a-456b-789c-11aa22bb33cc

It can be found in the top-left corner of the portal, as seen in the following screenshot:


  • Type: Type of request. Can be either WL (whitelist) or BL (Blacklist). E.g.: WL insert
  • IOCs: Provide the network artifacts that you would like to whitelist. This request supports domains/subdomains, and hostnames.
Notes
If you see example parameters such as IoC_Public_IP_Address, replace them with the real public IP address you want to provide as an IoC, in the correct format. E.g.: 1.1.1.1
Example
UUID: aa11bb22bb33-123a-456b-789c-11aa22bb33cc
Type: WL insert
IoC_Public_IP_Address
thirdpartydomain.com
test1.malwaredomain.com
Notes
Bear in mind that, if you provide a domain such as .domain.com, any subdomains under it, such as good.domain.com and suspicious.domain.com, will be whitelisted as well. To whitelist only particular subdomains, make sure to provide them specifically.
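The subdomain behaviour described in the note above is easy to get wrong when a whitelist request is assembled by hand. The following script is an added example, not Lumu code: it models the matching rule the page describes (a whitelisted domain covers itself and every subdomain beneath it; only explicitly listed subdomains are covered otherwise) so a team can dry-run a proposed whitelist against hostnames seen in its own telemetry before sending the ticket. The whitelist entries and contacted hostnames below are constructed samples, and the exact matching rule is an assumption based on the page's wording.

```python
"""Dry-run a BYOTI whitelist against observed hostnames.

Added example, not Lumu tooling. Models the rule stated in Lumu's BYOTI
documentation: whitelisting a domain also whitelists all of its
subdomains, so only explicitly listed subdomains are covered otherwise.
The label-boundary suffix match used here is this example's assumption.
"""


def normalize(name: str) -> str:
    """Lower-case and strip surrounding whitespace and dots so that
    '.domain.com', 'Domain.com.' and 'domain.com' compare equal."""
    return name.strip().lower().strip(".")


def is_covered(hostname: str, entry: str) -> bool:
    """True if `entry` whitelists `hostname`: exact match, or `hostname`
    is a subdomain of `entry`. The match is on label boundaries, so
    'notdomain.com' is NOT covered by 'domain.com'."""
    h, e = normalize(hostname), normalize(entry)
    return h == e or h.endswith("." + e)


def suppressed_by(whitelist, contacts):
    """Map each contacted hostname to the whitelist entry that covers it,
    or None when the contact would still be analysed (and could therefore
    still be reported as an incident)."""
    result = {}
    for host in contacts:
        result[host] = next((e for e in whitelist if is_covered(host, e)), None)
    return result


# Constructed sample data mirroring the page's wording; not real IoCs.
WHITELIST = [".domain.com", "thirdpartydomain.com"]
CONTACTS = [
    "good.domain.com",          # covered: subdomain of .domain.com
    "suspicious.domain.com",    # covered too, which is the pitfall
    "domain.com",               # covered: exact match
    "notdomain.com",            # not covered: different label
    "cdn.thirdpartydomain.com", # covered by thirdpartydomain.com
    "evil.example",             # not covered: still analysed
]

if __name__ == "__main__":
    for host, entry in suppressed_by(WHITELIST, CONTACTS).items():
        status = f"whitelisted by {entry}" if entry else "still analysed"
        print(f"{host:28} -> {status}")
```

Running it shows `suspicious.domain.com` being suppressed by the `.domain.com` entry, which is exactly the case the note warns about; listing `good.domain.com` on its own instead of `.domain.com` avoids it.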

BYOTI - Blacklisting

You can use Lumu BYOTI to provide your own IoCs and have Lumu treat them as adversaries, showing them as incidents in the Lumu Portal. If you have threat intelligence on domains or IPs that you want reported, include them using this feature.

To send a blacklist BYOTI request, carry out the following steps:

1. Start creating a support ticket by following the previously mentioned steps.

2. Use an appropriate and descriptive subject. This will make it easier for our support team to process it.

3. Enter all the necessary information in the ticket’s description. Below, you will find a useful template to do so. Bear in mind that using the template properly will ensure that Lumu receives the information correctly. The template is structured as follows:

  • UUID: Your organization's UUID as found in the Lumu Portal. E.g.: aa11bb22bb33-123a-456b-789c-11aa22bb33cc
  • Type: Type of request. Can be either WL (whitelist) or BL (Blacklist). E.g.: BL insert
  • Malware family: Family of malware associated with the provided IoCs. E.g.: Cuba ransomware
  • IoCs: Indicators of compromise that you want to include in the template. This supports URLs, hostnames, and file hashes (sha256 or sha1).
  • If you want to add several entries, separate them with the following row of plus signs, as shown in the template: +++++++++++++++++++++++++++++++

Example
UUID: aa11bb22bb33-123a-456b-789c-11aa22bb33cc
Type: BL insert
Cuba Ransomware:
IoC_Public_IP_Address:port
IoC_Public_IP_Address
http://1.3.x.x/xxxx?url_parameters
Sha256: xxxxxxxxx
+++++++++++++++++++++++++++++++
egregor Ransomware:
IoC_Public_IP_Address:Port
IoC_Public_IP_Address
http://1.3.x.x/xxxx?url_parameters
Sha256: xxxxxxxxx
Notes
These are some examples of data that can be provided as IoCs, for reference purposes. Remember that this is only an example and these are not real IoCs.
  1. Public IP: 2.2.x.x
  2. Public IP with port: 1.1.x.x:80

By default, if no port is specified, the system matches on ports 443 and 80.

Idea
If you plan to submit a large volume of indicators, or to do so frequently, we can also provide integrated automation using one of the following alternatives:
  1. Place a file in our SFTP folder using the following format. You must request access to the Lumu SFTP folder from our support team:
    1. Filename: the name of the malware family of the IoCs
    2. IoCs: one valid IoC per row. A valid IoC is a SHA256 or SHA1 hash, a URL, a host or domain name, or an IP address.
  2. Expose the IoCs through an HTTP endpoint from which Lumu will fetch them.
    1. The format for this method is agreed upon beforehand between the CTI team and the organization.

Get in touch with our support team to learn more about BYOTI automation.
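A feed consumed automatically has no support engineer reading it, so a single malformed row can silently go missing or, worse, be taken for a different kind of indicator. The script below is an added example, not Lumu tooling: it validates a file in the SFTP format described above (filename = malware family, one IoC per row) by classifying every row as a SHA256 hash, SHA1 hash, URL, IP address or host/domain name and flagging anything that fits none of those shapes. Lumu's actual acceptance rules are not documented on this page, so the checks here are this example's own assumptions (for instance, `IP:port` entries, which the ticket template accepts, are flagged for review because the automated format above lists only plain IP addresses). The sample feed is constructed and contains no real indicators.

```python
"""Validate an IoC feed before placing it in the BYOTI SFTP folder.

Added example, not Lumu tooling. Accepted shapes follow the page's list
(SHA256/SHA1 hash, URL, host or domain name, IP address); the precise
rules below are assumptions, since Lumu's own parser is not documented.
"""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlparse

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# Hostname: dot-separated labels of letters, digits and hyphens, no label
# starting or ending with '-', at least two labels, 253 chars max.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def classify(row: str) -> Optional[str]:
    """Return the IoC type of one row ('sha256', 'sha1', 'ip', 'url',
    'host') or None when the row matches none of the accepted shapes."""
    value = row.strip()
    if not value:
        return None
    if SHA256_RE.match(value):
        return "sha256"
    if SHA1_RE.match(value):
        return "sha1"
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if "://" in value:
        parsed = urlparse(value)
        # Only web URLs with a network location are accepted as URLs.
        if parsed.scheme in ("http", "https") and parsed.netloc:
            return "url"
        return None
    if HOST_RE.match(value):
        return "host"
    return None  # e.g. 'ip:port', bare words, malformed hashes


def validate_feed(filename: str, content: str):
    """Validate a whole feed file.

    Returns (family, accepted, rejected): `family` is the malware family
    taken from the filename without its extension, `accepted` maps each
    valid IoC to its type, and `rejected` lists (line_number, row) pairs
    that need a human look before the file is uploaded.
    """
    family = filename.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    accepted, rejected = {}, []
    for lineno, row in enumerate(content.splitlines(), start=1):
        if not row.strip() or row.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        kind = classify(row)
        if kind is None:
            rejected.append((lineno, row))
        else:
            accepted[row.strip()] = kind
    return family, accepted, rejected


# Constructed sample feed using documentation ranges; none are real IoCs.
SAMPLE_FILENAME = "cuba_ransomware.txt"
SAMPLE_FEED = (
    "# constructed sample, not real IoCs\n"
    "203.0.113.10\n"
    "test1.malwaredomain.com\n"
    "http://203.0.113.20/update?id=1\n"
    + "a" * 64 + "\n"        # well-formed SHA256 placeholder
    + "b" * 40 + "\n"        # well-formed SHA1 placeholder
    "not a valid ioc\n"
    "203.0.113.30:8080\n"    # ip:port is not in the automated format
    "ftp://203.0.113.40/file\n"
)

if __name__ == "__main__":
    family, ok, bad = validate_feed(SAMPLE_FILENAME, SAMPLE_FEED)
    print(f"family: {family}")
    for ioc, kind in ok.items():
        print(f"  accepted {kind:6} {ioc}")
    for lineno, row in bad:
        print(f"  REJECTED line {lineno}: {row!r}")
```

The ordering of the checks matters: hashes are tested before hostnames so that a 40- or 64-character hex string is never mistaken for a bare host, and IP literals are tested before URLs so an address is not mis-typed by the URL parser.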

Expected Results

After you submit the ticket, our support team will contact you promptly. Once the threat intelligence is processed in Lumu, you will either stop seeing incidents from the provided IoCs (for whitelist requests) or see any contacts with the specified domains/IPs appear as incidents in the Lumu Portal (for blacklist requests).

