CrowdStrike Falcon Out-of-the-box Response Integration

Notes
To learn more about Out-of-the-box Integrations and their benefits, please refer to this article.

The Lumu Defender API offers a framework to help you leverage Lumu’s integrations with your existing cybersecurity stack, including Security Information and Event Management (SIEM); Security Orchestration, Automation, and Response (SOAR); Endpoint Detection and Response (EDR); incident response systems; and more.

This article is intended to serve as a reference guide on setting up CrowdStrike Falcon to monitor the confirmed compromise incidents found by Lumu in your infrastructure.

Requirements

  • CrowdStrike’s Falcon platform (Falcon Insight or Falcon Prevent) with API administrator access
  • A Lumu Defender subscription.

Integration Setup - CrowdStrike

The first step is to define a CrowdStrike API client. For this, you must have admin access to CrowdStrike’s Falcon Platform.
1. Once logged into the CrowdStrike Falcon platform, use the hamburger button at the top left side of the screen and navigate to Support and resources > API Clients and Keys.

2. Extract the API base URL from the OAuth2 API clients window. It is located in the top left corner of the window.

3. On the OAuth2 API clients window, click on the Create API client button. Within the Create API client window, provide a descriptive name and select the appropriate API scopes. For the Lumu configuration, you should mark the options Read and Write for the IOC Management scope.

4. Once a new API Client is added, you will have access to the Information needed for the next step in the Lumu Portal.
Notes
Make sure to save the API secret: according to the CrowdStrike documentation, the secret is shown only once, when the API client is created, and it should be stored in a secure place. If the client secret is lost, a reset must be performed and a new Lumu integration must be created with the new credentials.

Notes
It is recommended to create one API Client per integration to avoid throttling issues with CrowdStrike. Using the same credential for many integrations might cause CrowdStrike to limit the number of API requests that can be made in a certain period.

Integration Setup - Lumu Portal

This section of the article describes the steps that must be completed on the Lumu Portal to properly set up the CrowdStrike Falcon integration. To start, log into your Lumu account through the Lumu Portal.
Notes
Integrations are also available for Lumu MSP accounts. To access them, log into the Lumu MSP Portal.
1. In the Lumu Portal, head to the panel on the left and open the Integrations drop-down menu. Then, click on Apps. Click on the Response tab on the right to filter the available integrations accordingly.

2. Locate the CrowdStrike Falcon integration in the available apps area and click on Add.

3. Familiarize yourself with the integration details available in the app description and click the Activate button to activate the integration.

4. To generate the integration URL, add a description and select the threat types you want to include in the list. You may define a custom severity per threat type.

5. Enter the information provided by your CrowdStrike account in Step 4 of the Integration Setup - CrowdStrike section (API base URL, client ID and client secret) to proceed with the creation of automatic lists.

6. Once you create an integration, it will be shown in the portal.

Notes
New incidents detected by Lumu will be added to your CrowdStrike IOC list with the retrodetections parameter, meaning your CrowdStrike Falcon Cloud can monitor for events related to the created IOC that occurred before the date of upload. This lets you detect adversarial contacts that took place before Lumu was integrated with CrowdStrike.
The ‘lumu’ custom tag will be added to uploaded IOCs to identify them as pushed by Lumu.
Notes
Deleting an integration will cause the purging of all custom IOCs pushed by Lumu. This action cannot be undone. To reintegrate, you will have to generate a new CrowdStrike integration.
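After the integration is active, one way to check what Lumu has pushed (and therefore what deleting the integration would purge) is to query the Falcon IOC Management API with the same API client. This is an added example, not Lumu's or CrowdStrike's own code; the token and IOC endpoints, the indicator field names and the FALCON_* environment variables are assumptions based on CrowdStrike's public API, and the sample records used in the test are constructed.

```python
import json
import os
import urllib.parse
import urllib.request
from collections import Counter

# Assumed CrowdStrike paths (not from the Lumu article): OAuth2 token exchange
# and the IOC Management "combined indicators" query. The API client needs at
# least Read on the IOC Management scope for this to work.
TOKEN_PATH = "/oauth2/token"
IOC_QUERY_PATH = "/iocs/combined/indicator/v1"


def get_token(base_url, client_id, client_secret):
    """Exchange the API client credentials for a short-lived bearer token."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + TOKEN_PATH, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def list_iocs(base_url, token, fql="tags:'lumu'", limit=500):
    """Fetch custom IOCs matching an FQL filter; the default selects the
    ones carrying the 'lumu' tag that the integration adds."""
    query = urllib.parse.urlencode({"filter": fql, "limit": limit})
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}{IOC_QUERY_PATH}?{query}",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("resources", [])


def audit_iocs(resources, tag="lumu"):
    """Split an IOC listing into Lumu-pushed vs other custom IOCs and
    summarise the Lumu set by indicator type and severity, which is what
    would be lost if the integration were deleted."""
    pushed = [ioc for ioc in resources if tag in ioc.get("tags", [])]
    return {
        "lumu_total": len(pushed),
        "other_total": len(resources) - len(pushed),
        "by_type": dict(Counter(ioc.get("type") for ioc in pushed)),
        "by_severity": dict(Counter(ioc.get("severity") for ioc in pushed)),
    }


if __name__ == "__main__":
    # Assumed env vars holding the values from the CrowdStrike setup steps.
    base = os.environ["FALCON_BASE_URL"]
    tok = get_token(base, os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"])
    print(json.dumps(audit_iocs(list_iocs(base, tok, fql=None)), indent=2))
```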