Before going through this article, check our Out-of-the-Box App Integrations category. Out-of-the-Box Integration is highly recommended to easily integrate the components of your cybersecurity stack with Lumu. If the product you are looking to integrate is among the software solutions listed there, it is advised to use that integration instead.
This article shows how to leverage the Lumu Defender API and McAfee Web Gateway REST API to mitigate security risks. This integration script is offered as-is. No further support will be provided.
Lumu Event API data collection configuration.
Requirements
- McAfee Web Gateway version 8.2.x or higher.
- McAfee Web Gateway Console access with admin role.
- Access to the REST Interface.
- Lumu Defender API key.
- Scripting host with Python v3.6+.
- The host must be able to reach both the McAfee Web Gateway REST API and the Lumu Defender REST API endpoints. (By default, the McAfee Web Gateway listens on ports TCP/4711 and TCP/4712.)
- Script package.
Deploy the Script
Script Location
Unpack the deployment package provided by Lumu in your preferred path/folder. Take note of this exact location, as it will be required for further configurations. As an example, we will refer to this folder as <mwgl_lumu_root>. This location should be in the same path as any other McAfee projects from other clients.
Installation Requirements
The file requirements.txt contains the list of requirements for this data collector. After deploying the package locally, run the following command from the deployment folder:
[sudo] pip install -r ./requirements.txt
Script Details
In order to use the script, you must locate yourself on the path selected for deployment (<mwgl_lumu_root>). Use the following command to show all options available for the package:
python mwg-response-api.py --help
Usage: mwg-response.py [options]
| Options | Description |
| --- | --- |
| --help | Display a help message and exit. |
| --company-key or --company-key COMPANY_KEY | Lumu Company Key (Defender API). |
| --adversary-types or --adversary-types {C2C,Malware,DGA,Mining,Spam,Phishing} | Lumu adversary types to be filtered. |
| --client-key or --client_key CLIENT_KEY | |
| --logging or -log {screen,file} | Logging option (default screen). |
| --verbose or -v | Verbosity level. |
| --proxy-host or --proxy_host PROXY_HOST | Proxy host (if required). |
| --proxy-port or --proxy_port PROXY_PORT | Proxy port (if required). |
| --proxy-user or --proxy_user PROXY_USER | Proxy user (if required). |
| --proxy-password or -proxy_password PROXY_PASSWORD | Proxy password (if required). |
| --ip <ip-address-mcAfee> | IP address of McAfee Web Gateway. |
| --port <port-mcafee> | Port of McAfee Web Gateway (default 4711). |
| --username <user-name-mcafee> | Username for McAfee Web Gateway access. |
| --password <password-mcafee> | Password for McAfee Web Gateway access. |
| --listname <listname> | Name of the list in McAfee Web Gateway. |
| --time_days <days> | Days to search adversaries (default 7 days). |
In the Rule Set, go to URL Filtering > Default and click on the Add Rule button. In the name field, enter Lumu_Block_Adversaries. In the Rule Criteria add the following rules:
- Rule 1:
  - Property: URL Domain
  - Operator: matches in list
  - Operand: Lumu_List_Adversaries
- Rule 2:
  - Property: URL Host
  - Operator: matches in list
  - Operand: Lumu_List_Adversaries
McAfee Web Gateway set list configuration.
- Action:
  - Action: Block
  - Settings: URL Blocked
McAfee Web Gateway set action configuration.
Usage Examples
By default
Use the following command to create a list with adversaries to be fetched by McAfee Web Gateway’s List module:
python mwg-response-api.py --company-key <lumu-defender-api-key> --ip <ip-address-mcAfee> --port <port-mcafee> --username <user-name-mcafee> --password <password-mcafee>
Each time the script is executed, it will overwrite the file with the new list of adversaries.
Other tasks
The above samples could be combined according to your needs.
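The following is an added illustration of the selection step that a script of this kind performs before it replaces the McAfee Web Gateway list: filter Lumu adversaries by type and by the --time_days window, reduce each indicator to a bare host so that the URL Domain / URL Host "matches in list" criteria can match it, and de-duplicate the result. It is not Lumu's mwg-response-api.py and it calls neither the Defender API nor the Web Gateway REST API; the incident records, their field names (adversaries, adversaryTypes, lastContact) and the MWG_PASSWORD environment variable are assumptions made for the example.

```python
"""Example adversary-list builder (not Lumu's script; the Defender API
response shape below is an assumption and the records are constructed)."""
import argparse
import os
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

ADVERSARY_TYPES = ("C2C", "Malware", "DGA", "Mining", "Spam", "Phishing")

# Constructed sample data standing in for a Defender API incident query.
SAMPLE_INCIDENTS = [
    {"adversaries": ["evil-c2.example"], "adversaryTypes": ["C2C"],
     "lastContact": "2024-05-01T10:00:00Z"},
    {"adversaries": ["http://Phish.example/login?x=1"], "adversaryTypes": ["Phishing"],
     "lastContact": "2024-05-03T08:30:00Z"},
    {"adversaries": ["old-malware.example"], "adversaryTypes": ["Malware"],
     "lastContact": "2024-03-01T00:00:00Z"},
    {"adversaries": ["spam.example", "evil-c2.example"], "adversaryTypes": ["Spam"],
     "lastContact": "2024-05-04T12:00:00Z"},
    {"adversaries": ["203.0.113.7:8080"], "adversaryTypes": ["C2C"],
     "lastContact": "2024-05-04T12:00:00Z"},
]
# Fixed "now" so the sample above gives reproducible results.
SAMPLE_NOW = datetime(2024, 5, 5, tzinfo=timezone.utc)


def normalize_indicator(value: str) -> Optional[str]:
    """Reduce an indicator (host, host:port or full URL) to a lower-case host.
    Scheme, port, path and query are dropped because the Web Gateway rules
    match the list against URL Domain / URL Host, not the whole URL."""
    value = value.strip()
    if not value:
        return None
    if "://" not in value:
        value = "//" + value  # make urlsplit treat the text as a network location
    try:
        host = urlsplit(value).hostname
    except ValueError:
        return None
    if not host or " " in host:
        return None
    return host.lower()


def build_block_list(incidents: Iterable[dict], adversary_types: Optional[Iterable[str]],
                     days: int, now: Optional[datetime] = None) -> List[str]:
    """Return the sorted, de-duplicated hosts of adversaries of the wanted
    types whose last contact falls inside the last `days` days."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=days)
    wanted = set(adversary_types) if adversary_types else set(ADVERSARY_TYPES)
    hosts = set()
    for incident in incidents:
        if not wanted.intersection(incident.get("adversaryTypes", [])):
            continue
        seen = datetime.fromisoformat(incident["lastContact"].replace("Z", "+00:00"))
        if seen < cutoff:
            continue  # older than the --time_days window
        for raw in incident.get("adversaries", []):
            host = normalize_indicator(raw)
            if host:
                hosts.add(host)
    return sorted(hosts)


def parse_args(argv: List[str]) -> argparse.Namespace:
    """Mirror the documented options; MWG_PASSWORD is an assumed alternative
    that keeps the gateway password out of the process list."""
    p = argparse.ArgumentParser(description="Build the Lumu adversary list (example).")
    p.add_argument("--company-key", required=True, help="Lumu Company Key (Defender API)")
    p.add_argument("--adversary-types", nargs="+", choices=ADVERSARY_TYPES,
                   default=list(ADVERSARY_TYPES))
    p.add_argument("--ip", required=True, help="IP address of McAfee Web Gateway")
    p.add_argument("--port", type=int, default=4711)
    p.add_argument("--username", required=True)
    p.add_argument("--password", default=os.environ.get("MWG_PASSWORD"))
    p.add_argument("--listname", default="Lumu_List_Adversaries")
    p.add_argument("--time_days", type=int, default=7)
    p.add_argument("-v", "--verbose", action="store_true")
    return p.parse_args(argv)


if __name__ == "__main__":
    import sys
    args = parse_args(sys.argv[1:])
    # A real run would query the Defender API here; the sample stands in for it.
    entries = build_block_list(SAMPLE_INCIDENTS, args.adversary_types, args.time_days, SAMPLE_NOW)
    if args.verbose:
        print(f"{len(entries)} entries would replace list {args.listname} on {args.ip}:{args.port}")
    print("\n".join(entries))
```

Rebuilding the whole list from the current query on every run (rather than appending) is what gives the "overwrite" behaviour described above: an adversary that drops out of the --time_days window disappears from the gateway list on the next execution without any separate cleanup step.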
Expected Results
After executing the script, all queried adversaries will be closed in the Lumu Administrator Console as shown in the following images:
Update list.
Block message.
Troubleshooting
To identify failures in the script execution, run it with the -v flag; the increased verbosity shows where the execution fails.