This article shows how to leverage the Lumu Defender API and the Sophos Central REST API to mitigate security risks.
If you are deploying the integration package in your Lumu Virtual Appliance, change the commands as follows:
If you are working with the previous version of the script, lumu-sophos.py, you need to clean up your Sophos Central console before proceeding. Run the following command to clean up your environment:
- python lumu-sophos.py --clientID <sophos_client_id> --clientSecret <sophos_client_secret> --company-key <lumu-company-key> --sha_unlocked True --web_unlocked True
Please, allow all the traffic to the following hosts. These are required for the operation of this integration:
Using a global administrator user in your Sophos Central console, follow these steps:
For Partner and Organization accounts, you need to identify the tenant you want to use for the integration. Check your Sophos Central console for the exact name of the tenant. Save it for later usage.
First, contact the Lumu Support Team to request the package we created to deploy the required files.
Unpack the deployment package provided by Lumu in your preferred path/folder. Keep in mind this location, as it will be required for further configurations. From now on, we will refer to this folder as <sophos_lumu_root>.
In the package, you will find the script required to run the integration. To use it, run it from the path selected for deployment (<sophos_lumu_root>). The following directions give specific instructions to set it up and use it.
The file requirements.txt contains the list of dependencies for this data collector. After deploying the package locally, run the following command from the deployment folder:
- [sudo] pip install -r ./requirements.txt
To use the script, run it from the path selected for deployment (<sophos_lumu_root>). Use the following command to show all options available for the package:
- python sophos_lumu.py --help
Usage: sophos_lumu.py [options]

| Option | Description |
|---|---|
| `-h`, `--help` | Show this help message and exit. |
| `--config CONFIG` | Load options from config file. |
| `--company-key COMPANY_KEY` | Lumu Company Key (Defender API). |
| `--proxy-host PROXY_HOST`, `--proxy_host PROXY_HOST` | Proxy host (if required). |
| `--proxy-port PROXY_PORT`, `--proxy_port PROXY_PORT` | Proxy port (if required). |
| `--proxy-user PROXY_USER`, `--proxy_user PROXY_USER` | Proxy user (if required). |
| `--proxy-password PROXY_PASSWORD`, `--proxy_password PROXY_PASSWORD` | Proxy password (if required). |
| `--logging {screen,file}` | Logging option (default screen). |
| `--verbose`, `-v` | Verbosity level. |
| `--client-id CLIENT_ID`, `--client_id CLIENT_ID` | Sophos Central API Client ID. |
| `--client-secret CLIENT_SECRET`, `--client_secret CLIENT_SECRET` | Sophos Central API Client Secret. |
| `--tenant-name TENANT_NAME` | Sophos Central tenant (required if party type is 'partner' or 'organization'). |
| `--clean` | Cleans all rules and objects created by the Lumu integration. |
| `--adversary-types {C2C,Malware,Mining,Spam,Phishing}` | Lumu adversary types to be filtered. |
| `--days DAYS` | The number of days backward from now to query Lumu incidents (default 30). |
| `--ioc-types {url,hash}`, `--ioc_types {url,hash}` | IOC types to be collected and processed by the integration. |
Use the following command to fetch the URLs and hashes related to incidents Lumu found in your organization in the last 30 days and push them to your Sophos Central Web console:
- python sophos_lumu.py --client-id <sophos_client_id> --client-secret <sophos_client_secret> --company-key <lumu_company_key> [--tenant-name <sophos_tenant_name>]
After running the integration, you can find the uploaded IOCs in the Global Settings window. The URLs are stored under the Website Management section.
To push only one type of IOC (URLs or hashes) to your Sophos Central Web console, use the argument --ioc-types IOC_TYPE, where IOC_TYPE is either url or hash:
- python sophos_lumu.py --client-id <sophos_client_id> --client-secret <sophos_client_secret> --company-key <lumu_company_key> [--tenant-name <sophos_tenant_name>] --ioc-types hash
This example will only create new hashes under the Blocked Items section.
By default, the script queries open and closed incidents of all adversary types (Phishing, Malware, DAG, Spam, others). If you need to collect specific types of incidents, use the argument --adversary-types ADVERSARY_TYPE. To get two or more adversary types, repeat the argument once per type.
- python sophos_lumu.py --client-id <sophos_client_id> --client-secret <sophos_client_secret> --company-key <lumu_company_key> [--tenant-name <sophos_tenant_name>] --adversary-types Phishing --adversary-types Malware
In this example, the adversary types queried are Phishing and Malware.
If you need to delete all Anti-Phishing block lists created by the integration, use the --clean flag with the authentication arguments.
- python sophos_lumu.py --client-id <sophos_client_id> --client-secret <sophos_client_secret> --company-key <lumu_company_key> [--tenant-name <sophos_tenant_name>] --clean
By default, you will see the execution log on the screen console. Use the argument --logging file to store a record of all tasks run in the lumu.log file in the script root path.
- python sophos_lumu.py --client-id <sophos_client_id> --client-secret <sophos_client_secret> --company-key <lumu_company_key> [--tenant-name <sophos_tenant_name>] --logging file
This file is useful for scheduled tasks or processes running in the background. When you open this file, you will see the following. The information displayed aids in checking the execution progress.
You can run the integration using a configuration file in which you save the required arguments in the form <argument_name>=<value>, one argument per line. In the integration root path, save a file named .config with your configuration. The following is a sample of the file format:
```
## Lumu Sophos configuration file
# Lumu
company-key=COMPANY_KEY
# Sophos
client-id=CLIENT_ID
client-secret=CLIENT_SECRET
```
The file .config_sample in this repo can be tailored according to your needs. Remember to rename it to .config.
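The example below is added here and is not the integration's own code. It shows one way a loader for the .config format above can reuse the script's argparse definitions, so file values get the same validation as command-line flags. It assumes that command-line flags override file values and that the repeatable --adversary-types option accumulates when it appears on several lines; the parser defines only a subset of the options listed in the --help output above.

```python
import argparse
from typing import Dict, List

# Added example, not the integration's own code: turns the page's
# <argument_name>=<value> file into argv tokens so one set of argparse
# definitions validates the .config file and the command line alike.
# Assumed: command-line flags override file values; the repeatable
# --adversary-types accumulates across lines (like repeating the flag).
REPEATABLE = {"adversary-types"}

def parse_config(text: str) -> Dict[str, List[str]]:
    """Return {option: [values]} from key=value lines.
    Only whole-line '#' comments are dropped, so a secret containing '#'
    survives, and malformed lines fail here rather than as a later auth error."""
    values: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f".config line {lineno}: expected key=value, got {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lstrip("-").replace("_", "-")  # accept client_id spelling too
        if key in REPEATABLE:
            values.setdefault(key, []).append(value)
        else:
            values[key] = [value]  # last line wins, as on the command line
    return values

def config_to_argv(values: Dict[str, List[str]]) -> List[str]:
    return [tok for key, vals in values.items() for v in vals for tok in (f"--{key}", v)]

def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(prog="sophos_lumu.py")  # subset of the page's options
    p.add_argument("--company-key", required=True)
    p.add_argument("--client-id", required=True)
    p.add_argument("--client-secret", required=True)
    p.add_argument("--tenant-name")
    p.add_argument("--adversary-types", action="append",
                   choices=["C2C", "Malware", "Mining", "Spam", "Phishing"])
    p.add_argument("--ioc-types", choices=["url", "hash"])
    p.add_argument("--days", type=int, default=30)
    return p

def resolve(config_text: str, cli_argv: List[str]) -> argparse.Namespace:
    """File values first, CLI last: argparse keeps the last value it sees."""
    file_argv = config_to_argv(parse_config(config_text))
    return build_parser().parse_args(file_argv + cli_argv)
```

Because argparse validates the merged list, a misspelled adversary type in .config is rejected before any API call is made.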
According to your needs, you can combine the examples shown.
If you are working with URLs, configure your Sophos policies to block navigation to the tag Lumu. To do so, follow these steps in your Sophos Central Web console.
To run the script on a timely basis, consider implementing a Scheduled task in Windows or a Cron task in Unix-based systems. If you are pushing hashes, the integration could take longer to run. We recommend that the scheduled job runs every 30 minutes.
The following is an example of how this Cron job should look using the recommended interval:
- */30 * * * * python <repo_root>/sophos_lumu.py --client-id <sophos_client_id> --client-secret <sophos_client_secret> --company-key <lumu_company_key> [--tenant-name <sophos_tenant_name>]
It's recommended to add the --logging file argument to any scheduled task. It will record all the output in the log file for further reference. If you have created a configuration file, your crontab entry doesn't need arguments. It should look as follows:
- */30 * * * * python <repo_root>/sophos_lumu.py
If you need to work with another scheduling time, you can use the crontab guru service.
To avoid race conditions, only one instance can run at a time. If one is already running, any other instance terminates immediately.
To identify failures in the script execution, use the -v flag. The script execution log will show more detailed information.
If you receive the following error:
- Error: Another instance is running. Quitting.
There could be another instance running. To check this, open the pid.pid file in the integration folder. This file stores the process id if it's running. Search for this process in your system. The following pictures show the process in Windows and Linux.
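The check below is an added example, not the integration's own code, for deciding whether a pid.pid file points at a live process or is left over from a crashed or killed run (the usual reason for the error above when no second instance is visible). It assumes the file holds a single decimal pid and POSIX semantics, where os.kill(pid, 0) only probes for existence and sends no signal.

```python
import os

# Added example, not the integration's own code: classifies the content of a
# pid.pid style lock file before trusting "another instance is running".
# Assumptions: the file holds one decimal pid; POSIX semantics, where
# os.kill(pid, 0) only probes for existence and sends no signal.

def pid_is_alive(pid: int) -> bool:
    """True if a process with this pid exists (even if owned by another user)."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False       # no such process: the lock is stale
    except PermissionError:
        return True        # the process exists, we just may not signal it
    return True

def classify_lock(content: str) -> str:
    """Return 'free' (empty), 'running', or 'stale' (dead or garbage pid)."""
    text = content.strip()
    if not text:
        return "free"
    try:
        pid = int(text)
    except ValueError:
        return "stale"     # corrupted file: report it, do not silently delete
    return "running" if pid_is_alive(pid) else "stale"

def check_lock_file(path: str) -> str:
    """Read pid.pid if present and classify it; a missing file means 'free'."""
    if not os.path.exists(path):
        return "free"
    with open(path, encoding="utf-8") as fh:
        return classify_lock(fh.read())

def own_pid_text() -> str:
    """Helper for a self-check: the current pid must classify as 'running'."""
    return str(os.getpid())

if __name__ == "__main__":
    # Run from the integration folder (<sophos_lumu_root>) to inspect its lock.
    print(check_lock_file("pid.pid"))
```

A result of `stale` means the recorded process no longer exists; remove the file only after confirming in the process list that no sophos_lumu.py instance is still running.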