Cisco Firepower Out-of-the-box Response Integration

Notes
To learn more about Out-of-the-box Integrations and their benefits, please refer to this article.
The Lumu Defender API offers a framework to help you leverage Lumu’s integrations with your existing cybersecurity stack, including Security Information and Event Management (SIEM); Security Orchestration, Automation, and Response (SOAR); Endpoint Detection and Response (EDR); incident response systems; and more.

In this article, you will find out how to configure Cisco Firepower to receive and block adversaries detected by Lumu and improve the detection & response capabilities of your organization.

Requirements

  • Valid License for Cisco Firepower appliance
    • Threat license to use Security Intelligence. To learn how to enable this optional license, refer to Cisco Firepower’s official documentation.
  • Firewall Management Center (FMC) software version
    • 7.0.0 (build 94) or greater
  • Lumu Defender Active subscription
  • SSL Inspection feature enabled
    • Lumu may include HTTPS URLs in its list, which requires this feature. For more information, refer to Cisco’s official documentation.

Integration Setup - Lumu Portal

This section of the article describes the steps that must be completed on the Lumu Portal to properly set up the Cisco Firepower Integration. To start, log into your Lumu account through the Lumu Portal.
Notes
Integrations are also available for Lumu MSP accounts. To access them, log into the Lumu MSP Portal.
1. In the Lumu Portal, head to the panel on the left and open the Integrations drop-down menu. Then, click on Apps. Click on the Response tab on the right to filter the available integrations accordingly.

2. Locate the Firepower integration in the available apps area and click on Add.

3. Familiarize yourself with the integration details available in the app description and activate the integration using the corresponding option.

4. Provide a meaningful Name. Under Threat Types, choose the specific threat mappings you want to push to Cisco Firepower. When done, click on the orange Next button.

5. Once you create the integration, you will be provided with the Integration ID and Blocklist URL:

Notes
To integrate Lumu with Cisco Firepower you may need an MD5 URL. To obtain it, replace the .txt extension of the provided Blocklist URL with .md5. This is an example of an MD5 URL:
https://defender.lumu.io/static/<integration_uuid>.md5
You will only need this type of URL if you plan on setting the feed’s refresh rate to 30 minutes or less.
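As an added example (not Lumu’s or Cisco’s own code), the Python below derives the .md5 URL from a Blocklist URL exactly as described above and checks a fetched feed against the published checksum, which is the consistency check the FMC relies on at refresh rates of 30 minutes or less. The function names are my own, the sample feed and checksum file are constructed inline, and the assumed .md5 file layout (a bare digest, or an md5sum-style digest plus filename) is labelled in the code.

```python
"""Added example (not Lumu's or Cisco's own code): derive the MD5 checksum URL
from a Lumu blocklist URL and verify a fetched feed against that checksum,
the same check the FMC performs when the refresh rate is 30 minutes or less."""
import hashlib
import re
import urllib.request

def md5_url_for(blocklist_url: str) -> str:
    """Swap the .txt extension of the Lumu blocklist URL for .md5."""
    if not blocklist_url.endswith(".txt"):
        raise ValueError("expected a .txt blocklist URL: " + blocklist_url)
    return blocklist_url[:-len(".txt")] + ".md5"

def parse_md5_file(md5_body: bytes) -> str:
    """Pull the 32-hex-digit digest out of the checksum file. Assumption: the
    file holds the bare digest or an md5sum-style 'digest  filename' line."""
    match = re.search(rb"\b([0-9a-fA-F]{32})\b", md5_body)
    if not match:
        raise ValueError("no MD5 digest found in checksum file")
    return match.group(1).decode().lower()

def feed_matches_checksum(feed_body: bytes, md5_body: bytes) -> bool:
    """True when the feed's MD5 equals the digest published beside it."""
    return hashlib.md5(feed_body).hexdigest() == parse_md5_file(md5_body)

def parse_feed(feed_body: bytes) -> list:
    """One indicator per line (domain, IP or URL); blank and '#' lines skipped."""
    lines = feed_body.decode("utf-8", errors="replace").splitlines()
    return [s for s in (ln.strip() for ln in lines) if s and not s.startswith("#")]

def download_verified_feed(blocklist_url: str, timeout: int = 30) -> list:
    """Fetch feed and checksum; refuse to return entries if they disagree."""
    with urllib.request.urlopen(blocklist_url, timeout=timeout) as resp:
        feed_body = resp.read()
    with urllib.request.urlopen(md5_url_for(blocklist_url), timeout=timeout) as resp:
        md5_body = resp.read()
    if not feed_matches_checksum(feed_body, md5_body):
        raise RuntimeError("feed/checksum mismatch: not applying this revision")
    return parse_feed(feed_body)

# Constructed sample feed and checksum file (not real Lumu output), for offline use.
SAMPLE_URL = "https://defender.lumu.io/static/<integration_uuid>.txt"
SAMPLE_FEED = b"# constructed sample\nmalicious.example\n203.0.113.7\nhttps://bad.example/p\n"
SAMPLE_MD5 = hashlib.md5(SAMPLE_FEED).hexdigest().encode() + b"\n"

if __name__ == "__main__":
    print(md5_url_for(SAMPLE_URL))
    print(feed_matches_checksum(SAMPLE_FEED, SAMPLE_MD5), parse_feed(SAMPLE_FEED))
```

Pointing download_verified_feed at your real Blocklist URL reproduces the FMC’s fetch-and-verify cycle from a workstation, which is useful when diagnosing a feed that the FMC reports as failing to update.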

Integration Setup - Cisco Firepower

Configure FMC

Add a new Security Intelligence URL feed by following the instructions in the Firepower Management Center Configuration Guide.

Notes
The recommended update frequency for this type of integration is 60 minutes. Evaluate this interval against your environment’s particular needs. If after this evaluation you decide to set the refresh rate to a value equal to or lower than 30 minutes, the FMC will request an MD5 checksum file. You can find instructions for generating this URL at the end of the previous section.

Once the new URL feed object has been added, you may use it in your blocking rules/policies by following the configuration workflow provided by Cisco in their documentation.

Notes
If you delete your integration from Lumu, the integration URL feed will not be valid any longer; however, the FMC will still block the adversaries obtained from the last available version of the feed. If you wish to unblock the adversaries from this previous version, you will need to delete the created URL feed object.

Integration Setup - Installing without Firepower Management Center

If you do not have Firepower Management Center available to complete the Cisco Firepower OOTB response integration, it is possible to carry out this procedure using a tool provided by Lumu. In the links below, you can find different repositories where the required code and instructions are provided. Choose the one that best fits your needs and run the code using the tool that you prefer.
