SentinelOne Custom Response Integration

This article shows how to leverage the Lumu Defender API and SentinelOne REST API to mitigate security risks.

[Figure: Response setup leveraging Lumu detections with SentinelOne]

Requirements

  1. SentinelOne Singularity Control subscription.
    1. A SentinelOne Singularity Control subscription is required to use the Blacklisting hashes and Firewall control features.
  2. SentinelOne API token.
    1. A quick reference of how to create an API token can be found here.
    2. For role segregation, it’s recommended to create a dedicated user with a role with the Blacklist and the Firewall Control permissions.
    Keep in mind you need to renew this token every 6 months. This frequency is enforced by the SentinelOne Management console.
  3. Lumu Defender API key.
  4. Scripting host with Python v3.6+.
    1. The host must be able to reach both the SentinelOne REST API and the Lumu Defender REST API.
  5. Script package.
    1. Contact the Lumu support team to request the package we created to deploy the required files.

Set up SentinelOne

SentinelOne basic information

First, you need to get the SentinelOne host information and the scope you want to operate on. The host used to connect to the SentinelOne REST API is the same one you use to log in to your management console.

[Figure: SentinelOne Management host]

Login to your management console and identify the operation scope you want to use to push Lumu IOCs. Use the navigation bar on the left side of your console and identify the account, site, or group to operate with. This information will be required to run the integration script.

[Figure: Selecting SentinelOne operation scope]

Enabling Firewall control in the operation scope

In your SentinelOne console, please navigate to the scope you want to operate with. Select the required scope using the top navigation bar. Select the desired account, site, or group. Please refer to the previous step if needed.

After selecting the desired scope, select the Sentinels option on the left navigation bar, then click on the Network Control tab. Make sure the Firewall toggle is enabled and click on the gear button.

[Figure: SentinelOne Network Control for selected scope]

In the Firewall Settings window, make sure the Enable Firewall Control option is toggled on.

[Figure: SentinelOne Firewall Settings for selected scope]

Deploy the script

First, contact the Lumu Support team to request the deployment package.

Scripts location

Unpack the deployment package provided by Lumu in your preferred path/folder. Keep this location in mind, as it will be required for further configuration. From now on, we will refer to this folder as <sentinelone_lumu_root>.
The package contains the scripts required to run the integration. To use them, run them from the path selected for deployment (<sentinelone_lumu_root>). Specific directions are included in the next sections.

Install requirements

The file requirements.txt contains the list of requirements for this integration. After deploying the package locally, run the following command from the deployment folder:
[sudo] pip install -r ./requirements.txt

Script details

To use the script, run it from the path selected for deployment (<sentinelone_lumu_root>). Use the following command to show all options available for the package:
python sentinelone_lumu.py --help

Usage: sentinelone_lumu.py [options]

Options:
  -h, --help
        Show this help message and exit
  --config CONFIG
        Load options from config file
  --company-key COMPANY_KEY, --company_key COMPANY_KEY
        Lumu Company Key (Defender API).
  --proxy-host PROXY_HOST, --proxy_host PROXY_HOST
        Proxy host (if required)
  --proxy-port PROXY_PORT, --proxy_port PROXY_PORT
        Proxy port (if required)
  --proxy-user PROXY_USER, --proxy_user PROXY_USER
        Proxy user (if required)
  --proxy-password PROXY_PASSWORD, --proxy_password PROXY_PASSWORD
        Proxy password (if required)
  --logging {screen,file}
        Logging option (default screen).
  --verbose, -v
        Verbosity level.
  --hostname HOSTNAME
        SentinelOne console hostname.
  --api_token API_TOKEN, --api-token API_TOKEN
        SentinelOne API token
  --account ACCOUNT
        SentinelOne account to operate with.
  --site SITE
        SentinelOne site to operate with.
  --group GROUP
        SentinelOne group to operate with.
  --adversary-types {C2C,Malware,DGA,Mining,Spam,Phishing}, --adversary_types {C2C,Malware,DGA,Mining,Spam,Phishing}
        Lumu adversary types to be filtered.
  --ioc-types {ip,domain,hashes}, --ioc_types {ip,domain,hashes}
        IOC types to be pushed into SentinelOne.
  --days DAYS
        The number of days from now to query Lumu incidents backward.

Usage Examples

Task: query and add indicators (IP, domains, hashes) related to Lumu open incidents
Use the following command to fetch and push to SentinelOne all IOCs related to open incidents found in your organization by Lumu.
python sentinelone_lumu.py --hostname <sentinelone_host>.sentinelone.net --api_token <sentinelone_api_token> --company-key <lumu_company_key> [--account <sentinelone_account> | --site <sentinelone_site> | --group <sentinelone_group>]

All hashes will be created under the scope indicated with one of the parameters --account, --site, or --group.

NOTES FOR SENTINEL ONE:
  1. Only one of the arguments --account, --site, or --group must be defined. Using more than one of these arguments in the same command will raise an error.
  2. Domains and IP addresses will be created inside Firewall rules within the Network Control module. Hashes will be added inside the Blacklist module.
  3. The previously created rules and hashes are overwritten each time the integration runs.
NOTES FOR FIREWALL RULES:
  1. The maximum number of allowed domains in Firewall rules is 50. If the integration finds more than that amount of domains, it will only push the most recently contacted domains.
  2. The maximum number of indicators supported per rule is 50. If the integration finds more than 50 IOCs, it will create multiple rules with the prefix Lumu Defender N, where N is the number of the rule.
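The two firewall-rule notes above decide how many Network Control rules an execution creates, which matters when you review the rule list after a run or size a scope. The following added example (not Lumu's script, and not code from this article) models that behaviour so you can predict it from a given set of indicators: domains are capped at the 50 most recently contacted, and the remaining indicators are packed 50 per rule under names "Lumu Defender 1", "Lumu Defender 2", and so on. How IPs and domains are mixed across rules is our reading of the notes, not something the article states; the indicator lists are constructed sample data.

```python
"""Predict the Network Control rules created from a set of Lumu indicators.

Assumed model of the two firewall-rule notes (illustration, not Lumu's code):
  - at most 50 domains are pushed, preferring the most recently contacted;
  - indicators are packed 50 per rule, rules named "Lumu Defender N".
"""
from datetime import datetime, timedelta

MAX_DOMAINS = 50        # note 1: domain cap, keep the most recently contacted
MAX_PER_RULE = 50       # note 2: indicators per Firewall rule
RULE_PREFIX = "Lumu Defender"


def select_domains(domains, limit=MAX_DOMAINS):
    """domains: iterable of (domain, last_contact datetime).
    Returns at most `limit` domain names, most recent contact first."""
    ranked = sorted(domains, key=lambda item: item[1], reverse=True)
    return [name for name, _ in ranked[:limit]]


def build_rules(ips, domains, per_rule=MAX_PER_RULE, prefix=RULE_PREFIX):
    """Pack the IPs and the selected domains into rules of at most `per_rule`
    indicators each. Returns a list of (rule_name, [indicators])."""
    indicators = list(ips) + select_domains(domains)
    rules = []
    for n, start in enumerate(range(0, len(indicators), per_rule), start=1):
        rules.append((f"{prefix} {n}", indicators[start:start + per_rule]))
    return rules


def demo():
    """Constructed sample: 60 IPs and 70 domains, domain i last seen i hours ago.
    Expected: 60 IPs + 50 newest domains = 110 indicators -> rules of 50, 50, 10."""
    now = datetime(2024, 1, 1, 12, 0, 0)
    ips = [f"198.51.100.{i}" for i in range(60)]     # TEST-NET-2 documentation range
    domains = [(f"c2-{i}.example", now - timedelta(hours=i)) for i in range(70)]
    return build_rules(ips, domains)


if __name__ == "__main__":
    for name, members in demo():
        print(f"{name}: {len(members)} indicators")
```

Feeding the script's real output into build_rules is left to the operator; the point is that the rule count is a function of the indicator count after the domain cap, so a scope that keeps hitting three or four rules is a sign the open-incident backlog itself needs attention.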
Task: query and add indicators (IP, domains, hashes) related to Lumu open incidents with contacts in the last X days
Use the following command to fetch and push to SentinelOne all IOCs related to open incidents found in your organization by Lumu with contacts in the last X days.
python sentinelone_lumu.py --hostname <sentinelone_host>.sentinelone.net --api_token <sentinelone_api_token> --company-key <lumu_company_key> [--account <sentinelone_account> | --site <sentinelone_site> | --group <sentinelone_group>] --days X
All IOCs previously pushed to SentinelOne will be replaced, even if they correspond to incidents with contacts before the last X days.
Task: query and add specific types of indicators related to Lumu open incidents
If you need to fetch specific types of IOCs (IPs, domains, hashes), you can use the argument --ioc-types IOC_TYPE. For two or more types, you only need to append a new instance of the argument.
python sentinelone_lumu.py --hostname <sentinelone_host>.sentinelone.net --api_token <sentinelone_api_token> --company-key <lumu_company_key> [--account <sentinelone_account> | --site <sentinelone_site> | --group <sentinelone_group>] --ioc-types domain --ioc-types hashes

In this example, only domains and hashes are selected and pushed into the defined SentinelOne scope.
Previously created objects of IOC types other than the ones given in the command won’t be affected.
Task: query and add indicators (IP, domains, hashes) related to Lumu open incidents of specific types
By default, the script queries open incidents of all adversary types (Phishing, Malware, DGA, Spam, others). If you need to collect specific types of incidents, you can use the argument --adversary-types ADVERSARY_TYPE. If you need to collect two or more specific types, you only need to append a new instance of the argument.
python sentinelone_lumu.py --hostname <sentinelone_host>.sentinelone.net --api_token <sentinelone_api_token> --company-key <lumu_company_key> [--account <sentinelone_account> | --site <sentinelone_site> | --group <sentinelone_group>] --adversary-types Phishing --adversary-types Malware

In this example, the adversary types queried are Phishing and Malware.
Previously created objects of adversary types other than the ones given in the command won’t be affected.
Task: save log output to file
Use the argument --logging file to store a record of all executed tasks. With this option, the entire script output is redirected to a file named lumu.log in the script root path (<sentinelone_lumu_root>).
python sentinelone_lumu.py --hostname <sentinelone_host>.sentinelone.net --api_token <sentinelone_api_token> --company-key <lumu_company_key> [--account <sentinelone_account> | --site <sentinelone_site> | --group <sentinelone_group>] --logging file

This file is useful for scheduled tasks or processes running in the background. When you open it, you will see output like the following, which helps you check the execution progress.

[Figure: Lumu integration’s log file]

Other tasks
The above samples can be combined according to your needs.

Expected results

After the integration’s execution, the Blacklist module and the Network Control module will be populated with new hashes and new rules. After the policy changes are pushed to the endpoints within the operation scope, the execution of the blacklisted binaries and the malicious traffic matching the rules will be blocked.

[Figure: Blacklist hashes pushed by Lumu]

[Figure: Firewall rules created by Lumu]

Further considerations

To run the script periodically, consider implementing a Scheduled Task in Windows or a cron job in Unix-based systems. If you are pushing hashes, the integration could take longer to run. We recommend that the scheduled job runs every 30 minutes.
To avoid race conditions, only one instance of the integration can run at a time. If another instance is already running, the second one is terminated immediately.

Troubleshooting and known issues

To identify failures in the script execution, use the -v flag to increase the logging verbosity.

Another instance is running

If you receive the following error:

Error: Another instance is running. Quitting.

There could be another instance running. To check this, open the pid.pid file found in the integration’s folder. This file stores the process ID (PID) of the running integration. Search for this process in your system to confirm whether it is still running. The following pictures show the process in Windows and Linux.

[Figure: Check integration process - Windows]

[Figure: Check integration process - Linux]

If the previous validation indicates that another instance of the integration is running, check the progress of the execution using the integration’s log, lumu.log.
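The single-instance rule from "Further considerations" and the pid.pid check described above are two views of the same mechanism: a pid file that the next run inspects before starting. The following added example (our illustration, not Lumu's implementation, whose internals are not shown in this article) implements that guard so the troubleshooting steps make sense, including the case the article does not spell out: a stale pid.pid left behind by a run that was killed, which must be reclaimed rather than block every scheduled run afterwards. Only the file name pid.pid and the error string come from the article; the function names and the temporary folder used in demo() are assumptions.

```python
"""Single-instance guard built on a pid file, modelled on the behaviour this
article describes (pid.pid in the integration folder, "Another instance is
running. Quitting."). Added illustration, not Lumu's implementation."""
import os
import subprocess
import sys
import tempfile

PID_FILE_NAME = "pid.pid"  # file name taken from the article; the logic below is assumed


def _pid_alive(pid):
    """Return True if a process with this pid exists, without signalling it.
    POSIX: kill(pid, 0) only checks existence. Windows: query a process handle,
    because os.kill(pid, 0) there would actually terminate the process."""
    if pid <= 0:
        return False
    if os.name == "nt":
        import ctypes
        PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
        STILL_ACTIVE = 259
        k32 = ctypes.windll.kernel32
        handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
        if not handle:
            return False
        try:
            code = ctypes.c_ulong()
            k32.GetExitCodeProcess(handle, ctypes.byref(code))
            return code.value == STILL_ACTIVE
        finally:
            k32.CloseHandle(handle)
    try:
        os.kill(pid, 0)
    except PermissionError:
        return True   # exists but belongs to another user
    except OSError:
        return False  # ESRCH: no such process
    return True


def read_pid(pid_file):
    """Pid recorded in the file, or None if the file is missing or unparseable."""
    try:
        with open(pid_file) as fh:
            return int(fh.read().strip())
    except (FileNotFoundError, ValueError):
        return None


def write_pid(pid_file, pid):
    with open(pid_file, "w") as fh:
        fh.write(str(pid))


def acquire(folder):
    """Become the single running instance, or refuse like the integration does.
    A stale file (recorded pid no longer alive) is treated as free."""
    pid_file = os.path.join(folder, PID_FILE_NAME)
    other = read_pid(pid_file)
    if other is not None and other != os.getpid() and _pid_alive(other):
        print("Error: Another instance is running. Quitting.")
        return False
    write_pid(pid_file, os.getpid())
    return True


def release(folder):
    """Remove our pid file so the next scheduled run can start cleanly."""
    try:
        os.remove(os.path.join(folder, PID_FILE_NAME))
    except FileNotFoundError:
        pass


def demo():
    """Exercise the lock in a temporary folder and return each outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as folder:
        pid_file = os.path.join(folder, PID_FILE_NAME)
        results["fresh"] = acquire(folder)       # no file yet: lock taken
        release(folder)
        # A second, live process holds the file: the new run must quit.
        other = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(60)"])
        try:
            write_pid(pid_file, other.pid)
            results["live_other"] = acquire(folder)
        finally:
            other.terminate()
            other.wait()
        # The same pid after that process has exited: stale file, reclaimed.
        write_pid(pid_file, other.pid)
        results["stale"] = acquire(folder)
        results["owner"] = read_pid(pid_file) == os.getpid()
        # A corrupted file is treated as free rather than blocking forever.
        with open(pid_file, "w") as fh:
            fh.write("not-a-pid")
        results["garbage"] = acquire(folder)
        release(folder)
    return results


if __name__ == "__main__":
    print(demo())
```

When you check pid.pid by hand, this is the same test to apply: a PID that no longer appears in the process list means the file is stale, and the interesting question becomes why the previous run died without cleaning up (check lumu.log), not whether two instances overlapped.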