Symantec Endpoint Protection Custom Response Integration

Symantec Endpoint Protection Custom Response Integration

Before going through this article, check our  Out-of-the-box App Integrations category. This is the recommended way to integrate the components of your cybersecurity stack with Lumu. If the product you are looking to integrate is there, it is advised to use that integration instead.
This article shows how to leverage the Lumu Defender API, Symantec Endpoint Protection Manager REST API, and Web Services to mitigate security risks.
Response setup leveraging Lumu detections with Symantec Endpoint ProtectionResponse setup leveraging Lumu detections with Symantec Endpoint Protection

Requirements

  1. Symantec Endpoint Protection Manager.
    1. You need access to your Symantec Endpoint Protection Manager Console with version 14MP1 or higher. An admin user is required.
  2. Lumu Defender API key.
  3. Scripting host with Python v3.6+.
    1. The host must be able to reach both Symantec Endpoint Protection Manager REST API and Web Services (ports 8446 and 8443), and Lumu Defender REST API endpoints.
  4. Script package.
    1. Contact the Lumu support team to request the package we created to deploy the required files.

Response alternatives

According to your needs, you can leverage the following response alternatives:

Maintain a fingerprint list

With this alternative, you can feed hashes related to Lumu detections into a fingerprint list. This option will block related processes to run in the protected devices.
Symantec will only block executable files related to the hashes uploaded into the fingerprint list.

Quarantine devices after an adversarial contact

If Lumu detects an adversary contact, this model will allow you to quarantine the compromised host avoiding further contact, including lateral movement.
Please consider having your organization’s security team doing the pertaining incident investigation before quarantining a device. This enforcement alternative may cause denial of service for the compromised workstation preventing any investigation procedures. Please be careful when using this alternative.

Set up Symantec Endpoint Protection Manager

To set up the integration, you need the admin user from your deployment. Custom admin users created using the SEPM console don't have the required privileges to use the REST API. If you try to use a custom admin user, you will get the following error:

Unable to access the web service. Your administrator account does not have sufficient access rights.

Based on the method selected to respond, you must configure your Symantec Endpoint Protection Manager accordingly.

Maintain a fingerprint list

First, set a System Lockdown policy and link it to your company or a particular group of protected endpoints. For further reference, please refer to the Symantec Configuring system lockdown guide.
You can create or load a file fingerprint list according to the guide. Alternatively, you can have the script create it for you. If you use the latter, remember to associate the Fingerprint list with your System Lockdown policy.

Quarantine devices after an adversarial contact

First, create a Quarantine Firewall policy to block all traffic from the quarantined endpoint to any device inside or outside your network. For further reference, please refer to the Symantec Creating a firewall policy guide.
You must define a rule to block all traffic from any application to any network. The device must be completely isolated. 
After you have created the firewall policy, assign it to a Host Integrity check configuration. For further reference, please refer to the Symantec Creating a Quarantine policy for a failed Host Integrity check guide. Add the policy you just created in the previous step.

Prepare Python on your environment

As a recommended practice, we encourage you to create a Virtual environment for each integration to avoid conflicts between them and your operating system tools. Make sure you follow the steps in our Preparing Environment for Custom Integrations article.

Deploy the scripts

First, contact the Lumu support team to request the deployment package.

Scripts location

Unpack the deployment package provided by Lumu in your preferred path/folder. Keep in mind this location, as it will be required for further configurations. From now on, we will refer to this folder as <sepm_lumu_root>

In the package, you will find two scripts you can use according to the selected response method. For using the scripts, you must locate yourself on the path selected for deployment (<sepm_lumu_root>). Specific directions are included in the next sections.

Install requirements

The file requirements.txt contains the list of dependencies for this data collector. After deploying the package locally, run the following command from the deployment folder:
[sudo] pip install -r ./requirements.txt

Response method: Fingerprint list

Script details
Use the following command to show all options available for the package:
python sepm_lumu.py --help

Usage: sepm_lumu.py [options]

Options
Description
-h, --help
Show this help message and exit
--config CONFIG
Load options from config file
--company-key COMPANY_KEY
--company_key COMPANY_KEY
Lumu Company Key (Defender API).

--proxy-host PROXY_HOST
--proxy_host PROXY_HOST
Proxy host (if required)

--proxy-port PROXY_PORT
--proxy_port PROXY_PORT
Proxy port (if required)

--proxy-user PROXY_USER
--proxy_user PROXY_USER
Proxy user (if required)

--proxy-password PROXY_PASSWORD
--proxy_password PROXY_PASSWORD
Proxy password (if required)

--logging {screen,file}

Logging option (default screen).

--verbose, -v
Verbosity level.
--host HOST
Symantec Endpoint Protection Manager host.
--username USERNAME
Symantec Endpoint Protection Manager username.
--password PASSWORD
Symantec Endpoint Protection Manager password.
--domain DOMAIN
Symantec Endpoint Protection Manager domain (default 'empty').
--adversary-types {C2C,Malware,DGA,Mining,Spam,Phishing}
--adversary_types {C2C,Malware,DGA,Mining,Spam,Phishing}
Lumu adversary types to be filtered.

--fingerprint-list FINGERPRINT_LIST
--fingerprint_list FINGERPRINT_LIST
Fingerprint list to maintain.

--days DAYS
The number of days backward from now to query Lumu incidents (default 30).
--clean
Cleans all rules and objects created by the Lumu integration.
--hash-type {md5, sha256}
Hash type to be added to fingerprint list (default 'md5').



Usage Examples

Task: query and add hashes related to Lumu incidents
Use the following command to fetch and push to Symantec Endpoint Protection Manager hashes related to incidents found in your organization by Lumu in the last 30 days.

python sepm_lumu.py --host <sepm_host_or_ip> --username <sepm_username> --password <sepm_password> [--domain <sepm_domain>] --company-key <lumu_company_key>

The integration creates a new Fingerprint list called Lumu. This list contains all the hashes related to Lumu incidents. It can be identified by accessing the Symantec Endpoint Protection Manager console under the Policies > Policy Components > File Fingerprint Lists menu
Each time the script runs, it will overwrite existing hashes into the fingerprint list defined in the script arguments.

Task: query and add SHA256 hashes related to Lumu incidents
By default, the integration will query and push hashes related to Lumu incidents in MD5. If you need to push the hashes in SHA256 format, you can use the argument --hash-type sha256.

python sepm_lumu.py --host <sepm_host_or_ip> --username <sepm_username> --password <sepm_password> [--domain <sepm_domain>] --company-key <lumu_company_key> --hash-type sha256

Support for SHA256 hashes was included in Symantec Endpoint Protection Manager 14.3 RU4 and later. For earlier versions, you can work with MD5.
If you find issues changing an existing fingerprint list from one hash type to another, it's recommended to delete the list first to recreate it using the integration.

Task: query and add indicators related to Lumu incidents with contacts in the last X days
Use the following command to fetch and push to Symantec Endpoint Protection Manager hashes related to incidents found in your organization by Lumu with contacts in the last X days.

python sepm_lumu.py --host <sepm_host_or_ip> --username <sepm_username> --password <sepm_password> [--domain <sepm_domain>] --company-key <lumu_company_key> --days X

All previously created block lists will be replaced, even if they correspond to incidents with contacts before X days.

Task: query and add hashes related to Lumu incidents of specific types
By default, the script queries open and closed incidents of all adversary types (Phishing, Malware, DAG, Spam, and others). If you need to collect specific types of incidents, you can use the argument --adversary-types ADVERSARY_TYPE. If you need to get two or more adversary types, you only need to append a new instance of the argument.

python sepm_lumu.py --host <sepm_host_or_ip> --username <sepm_username> --password <sepm_password> [--domain <sepm_domain>] --company-key <lumu_company_key> --adversary-types Phishing --adversary-types Malware

In this example, the adversary types queried are Phishing and Malware.

Task: clean all changes made by Lumu integration
If you need to delete the fingerprint list created by the integration, use the --clean flag with the authentication arguments.

python sepm_lumu.py --host <sepm_host_or_ip> --username <sepm_username> --password <sepm_password> [--domain <sepm_domain>] --company-key <lumu_company_key> --clean

Task: save log output to file
By default, you will see the execution log on the screen console. 

python sepm_lumu.py --host <sepm_host_or_ip> --username <sepm_username> --password <sepm_password> [--domain <sepm_domain>] --company-key <lumu_company_key> --logging file

This file is useful for scheduled tasks or processes running in the background. When you open this file, you will see the following. The information displayed aids in checking the execution progress.

Task: use a configuration file to run the integration
You can run the integration using a configuration file where you can save the required arguments in form of <argument_name>=<value>, one argument per line. In the integration root path, save a file named .config with your configuration. Following, you have a sample of the format of the file.
  1. ## Sample config file # Lumu company_key=<lumu_company_key> # SEPM host=<sepm_host_or_ip> username=<sepm_username> password=<sepm_password> # Misc adversary_types=<adversary_type_1> ... adversary_types=<adversary_type_n> days=<days> logging=<screen|file>
The file .config_sample in this repo can be tailored according to your needs. Remember to rename it to .config.
if you need to add flags (arguments without values like -v or --clean, those need to be added on the command line)
Other tasks

According to your needs, you can combine the examples shown.


Response method: Quarantine device

Script details
Use the following command to show all options available for the package:

python sepm_lumu_quarantine.py --help

Usage: sepm_lumu_quarantine.py [options
Options
Description
-h, --help
show this help message and exit
--config CONFIG
Load options from config file
--company-key COMPANY_KEY
--company_key COMPANY_KEY
Lumu Company Key (Defender API).

--proxy-host PROXY_HOST
--proxy_host PROXY_HOST
Proxy host (if required)

--proxy-port PROXY_PORT
--proxy_port PROXY_PORT
Proxy port (if required)

--proxy-user PROXY_USER
--proxy_user PROXY_USER
Proxy user (if required)

--proxy-password PROXY_PASSWORD
--proxy_password PROXY_PASSWORD
Proxy password (if required)

--logging {screen,file}
Logging option (default screen).
--verbose, -v
Verbosity level.

--host HOST
Symantec Endpoint Protection Manager host.
--username USERNAME
Symantec Endpoint Protection Manager username.
--password PASSWORD
Symantec Endpoint Protection Manager password.
--domain DOMAIN
Symantec Endpoint Protection Manager domain (default 'empty').
--adversary-types {C2C,Malware,DGA,Mining,Spam,Phishing}
--adversary_types {C2C,Malware,DGA,Mining,Spam,Phishing}
Lumu adversary types to be filtered.

--unquarantine, -u
Unquarantine hosts included in the quarantine report (use with caution).

Usage Examples

Task: quarantine all affected endpoints related to open incidents in Lumu
Use the following command to fetch all affected endpoints related to open incidents and issue the quarantine command to the Symantec Endpoint Protection Manager.

python sepm_lumu_quarantine.py --host <sepm_host_or_ip> --username <sepm_username> --password <sepm_password> [--domain <sepm_domain>] --company-key <lumu_company_key>
To keep control of quarantined devices, the script will maintain a report in a file called quarantine.json . This file will contain the information of the quarantined devices, the result, and the date of the process.

Task: quarantine all affected endpoints related to Lumu open incidents filtering by adversary type
To filter your query to specific types of adversaries, you can use the option --adversary-types ADVERSARY-TYPE. If you need to set more types of adversaries, you can repeat the option as follows:

python sepm_lumu_quarantinelumu-sepm-quarantine.py --host <sepm-host> --username <sepm_usernamesepm-username> --password <sepm_passwordsepm-password> [--domain <sepm_domain>]  --company-key <lumu_company_keylumu-defender-api-key> --adversary-types C2C --adversary-types Mining

For this example, the script will fetch affected endpoints related to adversaries of types C&C and Mining.

Task: un-quarantine devices quarantined by the script
(Use with caution) If you need to un-quarantine all devices quarantined by the script, use the flag -u or --unquarantine.

python sepm_lumu_quarantinelumu-sepm-quarantine.py --host <sepm-host> --username <sepm_usernamesepm-username> --password <sepm_passwordsepm-password> [--domain <sepm_domain>]  --company-key <lumu_company_keylumu-defender-api-key> --unquarantine
The script will use the devices recorded in quarantine.json . All devices un-quarantined will be removed from the report after the process finishes.

Expected results

Response method: Fingerprint list

After the script’s execution, the Fingerprint list will be populated with new hashes. After the policy is updated in every protected host, the execution of binaries that match the uploaded hashes will be restricted.

Response method: Quarantine device

After a device is quarantined, the device will be isolated from the corporate network. The isolated device will show the following status:

Isolated device messageIsolated device message

Further considerations

Set up Lockdown Policy in Symantec Endpoint Manager Console

After running the integration for the first time, you need to associate the Lumu fingerprint list with your System Lockdown policy. To do so, follow these steps:

To run the script on a timely basis, consider implementing a Scheduled job in Windows or a cron task in Unix-based systems. According to your enforcement needs, we recommend scheduling these tasks to run 2 or 3 times per hour (with a frequency of 20 to 30 minutes).

  1. With an administrator user, log in to your SEPM console. Go to Clients and select the desired scope.

  2. Under the selected scope, go to the Policies tab. Click on the System Lockdown link under the Policies section. The System Lockdown for <scope> window will appear. Set the Application File Lists to Deny Mode. Finally, add the fingerprint list Lumu and click on the OK button.


Schedule periodic execution of the integration

To run the script on a timely basis, consider implementing a Scheduled task in Windows or a Cron task in Unix-based systems. If you are pushing hashes, the integration could take longer to run. We recommend that the scheduled job runs every 30 minutes.
Following, you have an example of how this Cron job should look using the recommended time.

*/30 * * * * python3 <repo_root>/sepm_lumu.py --host <sepm_host_or_ip> --username <sepm_username> --password <sepm_password> [--domain <sepm_domain>] --company-key <lumu_company_key>

It's recommended to add the --logging file argument to any scheduled task. It will record all the output in the log file for further reference. If you have created a configuration file, your crontab entry doesn't need any arguments. It should look as follows:

*/30 * * * * python3 <repo_root>/sepm_lumu.py

If you need to work with another scheduling time, you can use the crontab guru.
To avoid race conditions, you can run only one instance. If you have one running, others will be terminated immediately.

Troubleshooting and known issues

To identify failures in the script execution, use the -v flag. The script execution log will show more detailed information.

Another instance is running

If you receive the following error.


Error: Another instance is running. Quitting.

There could be another instance running. To check this, open the pid.pid file in the integration folder. This file stores the process id if it's running. Search for this process in your system. The following pictures show the process in Windows and Linux.




If the previous validation indicates that another instance is running, please, check its progress using the integration's log lumu.log.

Cannot update the fingerprint list. Invalid MD5 hash value

If you receive the following error.

Error running integration. Cannot update the fingerprint list. Invalid MD5 hash value XXXX

It's possible you are working with a Symantec Endpoint Protection Manager with version 14.3 RU3 or earlier and you are trying to push SHA256 hashes. Set the hash-type to MD5 and run the integration again.









        • Related Articles

        • ESET Endpoint Security Custom Response Integration

          This article shows how to leverage ESET Endpoint Security through its ESET Protect Web Console and Lumu Defender API to enhance your Response capabilities. Response integration between ESET Endpoint and Lumu Requirements ESET PROTECT deployment An ...
        • Bitdefender Custom Response Integration

          Bitdefender Custom Response Integration This article shows how to leverage the Lumu Defender API and Bitdefender API to mitigate security risks. Requirements GravityZone Business Security Enterprise, cloud version, ...
        • Kaspersky Endpoint Security Custom Response Integration

          This article shows how to leverage Kaspersky Endpoint Security, also known as KES through its Kaspersky Security Center (KSC) Web Console and Lumu Defender API to enhance your Response capabilities. Response integration between Kaspersky Endpoint and ...
        • CylanceENDPOINT Custom Response Integration

          This article shows how to leverage the Lumu Defender API and CylanceENDPOINT API to mitigate security risks. Requirements CylanceENDPOINT subscription A CylanceENDPOINT Standard subscription or above is required (formerly CylancePROTECT) Lumu ...
        • Akamai SIA Custom Response Integration

          This article shows how to leverage the Lumu Defender API and Akamai SIA (ETP) Configuration API to mitigate security risks. Requirements An Akamai SIA subscription. An Akamai Control Center access is required for setting up and collecting Akamai ...