Palo Alto Cortex XSOAR Out-of-the-Box SecOps Integration

The Palo Alto Cortex XSOAR Out-of-the-box SecOps integration, delivered as the Lumu Content Pack for Cortex XSOAR, lets you operate all of your Lumu detections as Cortex incidents. After installing and configuring a new instance of the Lumu Content Pack for Cortex XSOAR, you can act on new and updated adversarial activity detected by Lumu using commands to close, mute, unmute, comment, and collect detailed context. Every operation performed on Lumu incidents within Cortex is reflected in your Lumu portal, and vice versa.

You can combine the Lumu Content Pack with other integrations according to your needs (firewalls, endpoint solutions, and so on) to define actionable playbooks. Based on the context provided by Lumu, you can run complementary commands to define blocking rules, isolate compromised endpoints, and carry out other activities that fit your incident response plan.

Requirements

To integrate Lumu with your Cortex XSOAR deployment you need:

  • Lumu Insights or Defender tier.
  • A Cortex XSOAR deployment on version 6.5+.
  • The Lumu Content pack for Cortex XSOAR from the Cortex Marketplace.

Add integration

1. Log in to your Lumu account through the Lumu Portal and navigate to the integrations screen.

2. Locate the Palo Alto Cortex XSOAR integration in the available apps area and open it to view more details. Familiarize yourself with the integration details in the app description, then begin the activation process by clicking the Activate button.

3. Fill in the name of the integration. Then, click on Create.

4. Once you create the integration, you will get the required information to configure the Lumu Content pack in your Palo Alto Cortex XSOAR deployment.


Take note of the Integration Key. It is needed to configure the Lumu Content Pack in your Palo Alto Cortex XSOAR deployment. Treat it as a secret: it authenticates your Cortex XSOAR instance to Lumu, so store it only in the integration instance configuration, never in playbooks, tickets, or chat messages.

Setting the Lumu Content pack

Installing and configuring the Lumu Content Pack

To install the Lumu Content Pack for Cortex XSOAR, you need to use a Cortex user with the Administrator role. Follow these steps to install the Lumu Content Pack:

1. Using your Web console, go to the Marketplace, search for “Lumu” and install the integration pack.


2. After the Lumu Content Pack for Cortex XSOAR is installed, go to the Settings menu using the left navigation bar. Under the Integrations tab, go to the Instances tab. Search for Lumu, and add a new instance.

3. Fill in the required data following these directions:

a. In the Name field, give a distinctive name to the integration. Do not use spaces or special characters.

b. Enable the Fetches incidents radio button.

c. In the Incident type field, use the dropdown list and select Lumu.

d. Paste the Integration Key obtained from your Lumu portal (see Add integration, step 4) into the API Key field.

e. In the Incident Mirroring Direction field, use the dropdown list and select Incoming And Outgoing.

If your Cortex XSOAR deployment reaches the Internet through a proxy, set the instance's proxy parameters accordingly.

4. Test the integration using the Test button. Check for errors in the test. If any, fix them according to the message. Save your changes and exit.

Operating the Lumu Content pack

After setting up the Lumu Content pack, you can check Lumu incidents under the Incidents menu.

You can select any of the Lumu incidents listed under this window and operate them.

In the War room tab, you will see complementary information collected from Lumu.


Also, you will be able to run Lumu commands to interact with Lumu.

You can update the incident status within Cortex. Use the field lumu_status under the Lumu tab. You can write one of the following statuses:

  • mute: this will mute the incident in the Lumu portal
  • unmute: this will unmute the incident in the Lumu portal

To close the incident, use the regular Cortex process: the Action > Close incident option. These changes are reflected in the Lumu portal. The Content Pack propagates changes in both directions, from Cortex to Lumu and from Lumu to Cortex.

Status changes take about one minute to appear on the other side, because the content pack synchronizes the two systems through periodic mirroring rather than in real time.

Suggested Usages

You can use your newly configured Lumu instance in conjunction with other packs to define playbooks. The main goal of the playbooks is to aid your Cybersecurity analysts to act and respond in an efficient manner to security events and incidents.

Below is a sample playbook designed to respond to a Phishing adversary contact detected by Lumu.

You can include notification tasks such as sending an email, or sending a message to a specific channel in Slack, Teams, or Google Chat.

Troubleshooting

If you see unexpected behavior in your integration instance, check the integration-instance.log file first. You can find it under the /var/log/demisto folder on your Cortex XSOAR server. Narrow your investigation to your instance with the following command on the server:

tail -f /var/log/demisto/integration-instance.log | grep <integration_instance>_Lumu

Where <integration_instance> is the name given to the integration instance when it was created.
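The same check, wrapped into a small script as an added example (it is not part of the Lumu Content Pack or of Cortex XSOAR): it filters the instance log for one instance name and counts its error lines. The log lines embedded in it are constructed for illustration and do not reproduce the real XSOAR log layout; only the /var/log/demisto/integration-instance.log path and the <instance>_Lumu tag come from the page, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Lumu or Palo Alto code. Filters the XSOAR
# integration-instance log for one Lumu instance and counts error lines.
# The SAMPLE_LOG lines are CONSTRUCTED for this example; real XSOAR log
# lines have a different layout, but the "<instance>_Lumu" tag is what is
# filtered on, exactly as in the documented grep.

# Constructed sample log so the script runs offline. On a real XSOAR server,
# set LOG_FILE=/var/log/demisto/integration-instance.log instead.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2024-01-10 10:00:01 info lumu_prod_Lumu fetch-incidents: 3 new incidents
2024-01-10 10:00:02 error lumu_prod_Lumu mirror: 401 Unauthorized from Lumu API
2024-01-10 10:00:03 info lumu_lab_Lumu fetch-incidents: 0 new incidents
2024-01-10 10:00:04 error lumu_lab_Lumu mirror: connection timed out
2024-01-10 10:00:05 error lumu_prod_Lumu mirror: 401 Unauthorized from Lumu API
EOF
LOG_FILE="${LOG_FILE:-$SAMPLE_LOG}"

# All lines written by one instance. -F takes the instance name literally
# (never as a regular expression) and -w stops a short name such as "prod"
# from also matching "lumu_prod_Lumu", a pitfall of the plain grep when
# instance names share a suffix.
lumu_instance_lines() {
  grep -F -w -- "${1}_Lumu" "$LOG_FILE"
}

# Number of error lines for one instance. grep -c exits 1 when the count is
# 0, so "|| true" keeps the function usable under "set -e".
lumu_instance_errors() {
  lumu_instance_lines "$1" | grep -c -F ' error ' || true
}

# Most recent error line for one instance (empty when there is none).
lumu_last_error() {
  lumu_instance_lines "$1" | grep -F ' error ' | tail -n 1
}

# Usage: sh lumu_log_check.sh <integration_instance>
if [ -n "${1:-}" ]; then
  echo "instance ${1}: $(lumu_instance_errors "$1") error line(s)"
  lumu_last_error "$1"
fi
```

Run it with the instance name given when the instance was created; on the server, export LOG_FILE to the real log path first so the constructed sample is ignored.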

