This article describes the required procedure to integrate SonicWall Capture Client (EDR) with Lumu for automated response procedures. This is one of our featured Out-of-the-Box Response Integrations.

Requirements

• Sonicwall Capture Client - Advanced Subscription
  • Sonicwall account with the appropriate permissions to create admin users.
    
• An active Lumu Defender Subscription or a Lumu for MSP account.

Capture Client on Linux endpoints does not support content filtering and Capture ATP integration. This means Linux endpoints will just process hashes managed by Lumu integration. Further reference on Capture Client agents for Linux can be found here.

Preliminary Checklist

We encourage you to create a dedicated admin role account to operate with the Lumu integration. A dedicated admin account in Capture Client will allow the Lumu integration to interact with the Web filtering and Blocklist services without interference, helping you to better trace the activities performed by Lumu (manage Web filtering forbidden domains and blocklist hashes). If you use an existing user, it will be harder to trace integration activities.

• An Administrator account.
  • Keep in mind that you will need access to an account that can create Administrator accounts to proceed with this step.
• A SonicWall Tenant that will receive the indicators pushed by Lumu.
  • To learn more about SonicWall Capture Client and tenants, please refer to SonicWall’s documentation.

Integration Setup - SonicWall

Creating an Admin Role account

If you choose to use an existing admin account, make sure you have its credentials on hand and move to the next section.

1. First, access SonicWall Capture Client Management with a user that has the capability to create Administrator accounts.

2. Click on the Management(1) header on the left hand menu, and access the Administrators sub-header. In the corresponding panel, click on the Plus(2) sign to add a new account.

3. In the panel that opens, fill out the form as follows:

a. Under Email(1), use an email that is active, and that can receive notifications. Keep this email address on hand, since it will be needed for a later step.

b. Under Name(2), enter a descriptive name for this account. It will describe its role as Lumu’s communication account.

c. Under Role(3), make sure Admin is selected.

d. Under Inactivity Logout(4), enter a time for the account to logout. Follow the guidelines given by your organization’s security protocols

e. Under Password(5), enter a strong password. Keep this password on hand, since it will be needed for a later step.

f. Verify the Password and click on the Create(6) button.

Integration Setup - Lumu Portal

Integrations are also available for Lumu MSP accounts. To access them, log into the Lumu MSP Portal.

1. In the Lumu Portal, head to the panel on the left and open the Integrations drop-down menu. Then, click on Apps. Click on the Response tab on the right to filter the available integrations accordingly.

2. Locate the SonicWall Capture Client integration. The list is organized in alphabetical order from A to Z. Click on the Add button.

3. Familiarize yourself with the integration details in the app description and click the Activate button to start the integration setup process.

4. Provide a meaningful Name. Under Threat Types, choose the specific threat mappings you want to push to SonicWall Capture Client. Select the option Include IP Indicators to include IP addresses in the information sent to your feed list. When done, click on the orange Next
button.

If you leave the Include IP Indicators option unselected, you won’t be able to change it later. You will need to remove the integration and repeat all the steps again.

Please note that you cannot modify the information on this screen. Exercise caution when selecting Threat Types, as changes cannot be made later.

5. Fill in the required information, as follows

a. Under Email(1) enter the email address you entered in Step 3a of the Creating an Admin Role account section.

b. Under Password(2) enter the password you entered in Step 3b of the Creating an Admin Role account section.

c. Under Region(3) choose the Region under which your account is registered.

d. Once done, click on Next to continue

6. Next, select the Tenant you want to receive the threat indicators with from the dropdown. When done, click on Activate.

7. The integration is now created and active. The Lumu Portal will display the details of the created integration.

Final Steps - Validate the Integration

Once the integration is active, you can monitor updates through your Web Content Filtering Policy. From the dashboard, go to the Policies(1) header. From there, open the Web Content Filtering(2) panel. Under the Manage advanced settings > Forbidden web domains option, you'll find confirmed compromises found by Lumu within the preceding 3 days. The Blacklist section will also be updated with compromises.

Capture Client for Linux devices does not support Web content filtering. If you have Linux devices in your SonicWall Capture Client deployment, they will be only covered by SentinelOne features (hash blocklists).