Trend Micro Vision One (XDR) Custom Response Integration

This article shows how to leverage the Lumu Defender API and Trend Micro Vision One (XDR) API to mitigate security risks.


Requirements

  • Trend Micro Vision One subscription
  • Lumu Defender API key
    • To retrieve an API token, please refer to the Defender API document.
  • Script host.
    • Host with Python 3.10+ with internet visibility over Lumu Defender endpoints and Trend Micro Vision One Cloud.
  • Script package
    • Contact the Lumu support team to request the package we created to deploy the required files.

Set up your Trend Micro Vision One instance

Create a Custom User Role

To keep the permissions required for the integration to a minimum, following the least-privilege principle, create a dedicated role. To create a new role, use your Trend Micro Vision One Web console. In the left navigation pane, click the User Roles menu under the Account section (look for the Gear icon). Add a new role by clicking the Add Role button. Fill in the required data. In the Permissions tab, mark the following:
  • Suspicious Object Management (under the Threat Intelligence section)
    • View, filter and search
    • Manage list and configure settings
  • Search (under the XDR Threat Investigation section)
    • View, list and search
  • Response Management (under the Workflow and Automation section)
    • View, filter and search (Task List tab)
    • Add to block list

Custom Role Settings - Permissions for Suspicious Object Management

Custom Role Settings - Permissions for Search

Custom Role Settings - Permissions for Response Management

Create an API key for the integration

To create a new API key, use your Trend Micro Vision One Web console. In the left navigation pane, click the API Keys menu under the Account section (look for the Gear icon). Add a new API key by clicking the Add API Key button. Fill in the required data following these directions:

  • For the Role field, select the role created before.
  • For the Expiration time field, set No expiration date.

     If you decide to set up the expiration date, keep in mind that you need to renew and modify the integration accordingly.

Click on the Add button. Copy the API key shown.

Remember to copy and store the API key. It cannot be retrieved later.

Deploy the integration

There are two deployment options for the script; select the one that fits your current infrastructure best. Whichever option you choose, you first need to unpack the integration package shared by our Support team in your preferred path/folder. Keep this location in mind, as it is required for further configuration. From now on, we refer to this folder as <trend_lumu_root>.

The integration works with Python 3.10. If your environment has prior versions, we recommend deploying the integration as a Docker Container.

Deploy as script

In the package, you will find the script required to run the integration. To use the script, change to the path selected for deployment (<trend_lumu_root>). Specific directions are included in the next sections.

Install requirements

If you are running different Python scripts in the selected host, it’s recommended to create a virtual environment to preserve the integrity of other tools. To do so, follow these steps:

1. Using a command line tool, locate yourself in the <trend_lumu_root> folder

2. Run the following command to create the virtual environment

python3 -m venv <venv_folder>

3. Activate the virtual environment running the following

source <venv_folder>/bin/activate

The file requirements.txt contains the list of requirements for this integration. After deploying the package locally, run the following command from the deployment folder:

pip install -r ./requirements.txt

Script details

To use the script, change to the path selected for deployment (<trend_lumu_root>). Use the following command to show all options available for the package:

python3 trend_lumu.py -h

usage: trend_lumu.py [options]

Options (each followed by its description):

-h, --help
    show this help message and exit
--config CONFIG
    Load options from config file
--proxy-host PROXY_HOST, --proxy_host PROXY_HOST
    Proxy host (if required)
--proxy-port PROXY_PORT, --proxy_port PROXY_PORT
    Proxy port (if required)
--proxy-user PROXY_USER, --proxy_user PROXY_USER
    Proxy user (if required)
--proxy-password PROXY_PASSWORD, --proxy_password PROXY_PASSWORD
    Proxy password (if required)
--company-key COMPANY_KEY, --company_key COMPANY_KEY
    Lumu Company Key (Defender API).
--logging {screen,file}
    Logging option (default screen).
--verbose, -v
    Verbosity level.
--adversary-types {C2C,Malware,Mining,Spam,Phishing}, --adversary_types {C2C,Malware,Mining,Spam,Phishing}
    Lumu adversary types to be filtered.
--days DAYS
    The number of days backward from now to query Lumu incidents (default 30).
--test, -t
    Runs a test with one incident only.
--clean
    Cleans all rules and objects created by the Lumu integration.
--trend_token TREND_TOKEN
    TrendMicro API Token
--trend_hostname TREND_HOSTNAME
    Trend Host Name - domain: e.g. api.xdr.trendmicro.com
--ioc-types {ip,url,domain,hash}, --ioc_types {ip,url,domain,hash}
    IOC types to be collected and processed by the integration.

Usage Examples

Task: query IoCs related to Lumu incidents for the last 30 days

To query all the IoCs related to Lumu incidents triggered in the last 30 days, run the following command.

python3 trend_lumu.py --company-key LUMU_KEY --trend_token TREND_TOKEN --trend_hostname TREND_HOSTNAME

Task: query IoCs related to Lumu incidents for the last X days

By default, the integration script will query incidents for the last 30 days. If you need to change this value, you can use the --days flag as follows.

python3 trend_lumu.py --company-key LUMU_KEY --trend_token TREND_TOKEN --trend_hostname TREND_HOSTNAME --days 5

In this example, the integration queries IoCs related to incidents in the last 5 days and pushes them to the Trend Micro lists.

Task: query IoCs related to specific adversary types

By default, the integration script queries incidents related to all adversary types. If you need to filter the query to specific adversary types, use the --adversary-types flag as follows:

python3 trend_lumu.py --company-key LUMU_KEY --trend_token TREND_TOKEN --trend_hostname TREND_HOSTNAME --adversary-types C2C --adversary-types Malware

In this example, the integration queries incidents related to adversaries classified as C&C and Malware and pushes their IoCs to the Trend Micro lists.

Task: query specific IoCs types

By default, the integration script collects all the supported IoC types (IPs, domains, URLs, and hashes). If you need to restrict the query to specific IoC types, use the --ioc-types flag as follows:

python3 trend_lumu.py --company-key LUMU_KEY --trend_token TREND_TOKEN --trend_hostname TREND_HOSTNAME --ioc-types url --ioc-types hash

In this example, the integration pushes only URLs and hashes from Lumu incidents to the Trend lists.

Task: run with .config file

You can run the integration using a configuration file that stores the required arguments in the form <argument_name>=<value>, one argument per line. In the <trend_lumu_root> path, save a file named .config with your configuration. A sample of the file format follows.

# Configuration file example
company_key=ABC
# Trend Micro Vision ONE https://automation.trendmicro.com/xdr/Guides/Regional-Domains
trend_token=XYZ
trend_hostname=api.xdr.trendmicro.com
ioc-types=ip
ioc-types=url
ioc-types=domain
ioc-types=hash
adversary-types=C2C
adversary-types=Malware
adversary-types=Mining
adversary-types=Spam
adversary-types=Phishing
days=15

Flags (arguments without values, such as -v or --clean) cannot be stored in the file and need to be added on the command line. In the package files, you will find a sample file named .config_sample. You can tailor its content to your needs. Remember to rename it to .config before running the integration script.
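As an added illustration, not part of Lumu's package, the following Python snippet shows one way a .config file in the format just described can be loaded: repeated keys become list options, comment lines are skipped, and command-line flags such as --clean are merged in last. The option names mirror the script's help output; the parsing code and the constructed sample file are assumptions of this example.

```python
"""Load trend_lumu.py-style options from a .config file. Added example, not Lumu's script;
the option set below mirrors the article's help output but is only a subset of it."""
import argparse

IOC_TYPES = ("ip", "url", "domain", "hash")
ADVERSARY_TYPES = ("C2C", "Malware", "Mining", "Spam", "Phishing")
# Constructed sample modelled on the article's .config example (ABC/XYZ are placeholders).
SAMPLE_CONFIG = """\
# Configuration file example
company_key=ABC
# Trend Micro Vision ONE https://automation.trendmicro.com/xdr/Guides/Regional-Domains
trend_token=XYZ
trend_hostname=api.xdr.trendmicro.com
ioc-types=ip
ioc-types=url
adversary-types=C2C
adversary-types=Malware
days=15
"""

def config_to_argv(text: str) -> list[str]:
    """<argument_name>=<value>, one per line -> argparse tokens. Blank and '#' lines are
    skipped, a repeated key becomes a repeated option, anything else is rejected loudly."""
    argv: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not key or not value:
            raise ValueError(f".config line {lineno}: expected <argument_name>=<value>, got {raw!r}")
        argv += [f"--{key.lstrip('-')}", value]       # 'ioc-types=ip' -> --ioc-types ip
    return argv

def build_parser() -> argparse.ArgumentParser:
    """Both spellings (hyphen and underscore) feed one destination, as in the help output."""
    p = argparse.ArgumentParser(prog="trend_lumu.py")
    p.add_argument("--company-key", "--company_key", dest="company_key", required=True)
    p.add_argument("--trend_token", required=True)
    p.add_argument("--trend_hostname", required=True)
    p.add_argument("--days", type=int, default=30)
    p.add_argument("--ioc-types", "--ioc_types", dest="ioc_types", action="append", choices=IOC_TYPES)
    p.add_argument("--adversary-types", "--adversary_types", dest="adversary_types",
                   action="append", choices=ADVERSARY_TYPES)
    p.add_argument("--clean", action="store_true")
    p.add_argument("-v", "--verbose", action="count", default=0)
    return p

def load_options(config_text: str, cli_argv: list[str]) -> argparse.Namespace:
    """File values first, command line last: flags such as --clean or -v, which the file
    cannot carry, are appended, and a value given on the CLI overrides the file's."""
    opts = build_parser().parse_args(config_to_argv(config_text) + list(cli_argv))
    opts.ioc_types = opts.ioc_types or list(IOC_TYPES)                 # default: all
    opts.adversary_types = opts.adversary_types or list(ADVERSARY_TYPES)
    return opts
```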

Task: Clean records

When the script is run with the --clean flag, it erases all records created by the Lumu integration, returning the Trend lists to their original state.

python3 trend_lumu.py --clean --company-key LUMU_KEY --trend_token TREND_TOKEN --trend_hostname TREND_HOSTNAME

Records not created by the integration are preserved.

Other tasks

According to your needs, you can combine the examples shown.

Further considerations

To run the script on a schedule, consider a Scheduled Task in Windows or a Cron job on Unix-based systems. If you are pushing hashes, the integration can take longer to run. We recommend that the scheduled job runs every 30 minutes.

An example of the Cron entry using the recommended interval follows. The script reads its .config from <trend_lumu_root>, so the entry changes to that folder first.

*/30 * * * * cd <trend_lumu_root> && python3 trend_lumu.py --company-key LUMU_KEY --trend_token TREND_TOKEN --trend_hostname TREND_HOSTNAME

It’s recommended to add the --logging file argument to any scheduled task. It will record all the output in the log file for further reference. If you have created a configuration file, your crontab entry doesn’t need arguments. It should look as follows:

*/30 * * * * cd <trend_lumu_root> && python3 trend_lumu.py

If you need to work with another scheduling time, you can use the crontab guru service.

To avoid race conditions, only one instance can run at a time. If one is already running, a second one is canceled immediately.

Deploy as a Docker container (Optional)

If you have a Docker environment, you can select this option to run the integration as a Docker process. To deploy and run the integration as a Docker container, change to the <trend_lumu_root> folder and follow these instructions:

1. To build the container, run the following command. Change all the flags based on the reference given in the script section above.

docker build --build-arg company_key='xxx' --build-arg trend_token='xxx' --build-arg trend_hostname='abc.dom.do' --tag python-lumu-trend .

NOTE: Do not forget the dot "." at the end of the line.

2. To run the container, run the following command:

docker run -d --name lumu-trend python-lumu-trend

With this mode, your integration will run every 30 minutes.

Troubleshooting

For troubleshooting purposes, you can run the following commands:

To log in to your container using an interactive shell:

docker exec -it lumu-trend bash

To collect integration logs:

docker logs -f lumu-trend

Expected results

After running the integration, you will see new objects in your lists inside your Trend Micro Vision One Web Console.


Use Cases

The Suspicious Object list can be applied to different Trend Micro solutions and Vision One deployments. The following list covers some Trend Micro solutions and how each handles the IoCs fed to the Trend Micro Vision One console:

  • Trend Micro Apex One as a Service.
    Lumu’s integrations support either this use case (Trend Micro Vision One connected to Apex One) or the direct Apex One integration, described here.

    Object Type    Action
    IP address     Log, Block
    URL            Log, Block
    Domain         Log, Block
    File SHA-1     Log, Block

    To take action on File SHA-1 objects, you must first activate Application Control for Apex One as a Service.
    1. The Log and Block actions for File SHA-1 are only supported for PE and ELF file formats.
    2. The Block / Quarantine action applies only to process objects. The agent does not actually block objects; it terminates specific processes whose file hash matches the rules in the Suspicious Object list after the processes have been created.
    3. Script files (.sh, .ps1, ...) are not executable files. This means they are not process objects when their scripts execute, so the agent cannot terminate the execution of the script files.

  • Trend Micro Cloud App Security

    Object Type    Action
    File SHA-256   Log, Quarantine
    URL            Log, Quarantine
    File SHA-1     Log, Quarantine

    After identifying a suspicious URL, file, or sender address in an email message, Cloud App Security quarantines the message from all supported mailboxes protected by Cloud App Security.

  • Trend Micro Cloud One - Endpoint & Workload Security

    Object Type    Action
    IP address     Log
    Domain         Log
    File SHA-256   Log, Block
    File SHA-1     Log, Block

    Endpoint & Workload Security supports the Log action for Deep Security Agent version 20.0.0-4185 or later for Linux. The Log and Block actions for File SHA-1 and File SHA-256 are only supported for PE and ELF file formats.

  • Trend Micro Deep Security Software

    Object Type              Action
    File SHA-1 from Sandbox  Log, Block

    File SHA-1 objects added through third-party intelligence and manual operations are not supported.

  • Service Gateway Management

    Object Type: IP address, URL, Domain, File SHA-256, File SHA-1
    Action: The connected products of Service Gateway apply the specified action based on their capability. For the list of connected products, see Configuring Service Gateway Settings.
  • Zero Trust Secure Access - Internet Access (SASE-SWG)

    Object Type    Action
    URL            Log, Block
    Domain         Log, Block

Further details on the Trend Micro Vision One use cases for the Suspicious Object list (IoC) can be found here.

A quick review for Cloud One Endpoint & Workload Security use case

Check the requirements here. 

  • Install the agent version 20.0.0-4185+ (for Windows or Linux) or version 20.0.0-198+ (for macOS).
    • Export the agent software from the Workload Security console.
  • Install the agent.
  • Activate the agent.
  • Attach the agent to a policy.
  • Register with Trend Micro Vision One (XDR).
    • Obtain the enrollment token from your organization's administrator. Your organization's XDR administrator can follow these steps to obtain the token.
      • The enrollment token is used in the Trend Micro Cloud One console to identify your Trend Vision One console:
        • In the Trend Vision One console, go to Point Product Connection > Product Connector.
        • Click Connect.
        • Select Trend Micro Cloud One.
        • Click the Click to generate the enrollment token link.
        • Copy the enrollment token.
  • Use the enrollment token to integrate your Trend Micro Cloud One environment with Trend Vision One.
    • Open your Trend Micro Cloud One console and click Integrations at the bottom of the screen.
    • Click Trend Micro Vision One ™ on the navigation bar.
    • In the Enrollment Token section, click Register enrollment token.
    • Paste the enrollment token and click Register.
  • Enable Activity Monitoring on Deep Security Agents.
    • Go to Policies, select a policy and click Details.
    • Go to Activity Monitoring > General.
    • Set the Activity Monitoring State to On.
    • Click Save.
  • Set up a connection to Trend Micro Vision One.
    • Go to Administration > System Settings > Threat Intelligence.
    • Select Trend Micro Vision One Suspicious Object Management and click Save.
  • Configure the scan action for a suspicious file.
    • You can view the Suspicious Object list in Trend Micro Vision One and configure the action (Log or Quarantine / Block) to be taken when a suspicious object is found.
    • If you have configured Workload Security to obtain the Suspicious Object list from Trend Micro Vision One, Workload Security performs the action specified by Trend Micro Vision One when a suspected object is found.

A quick review for SASE-SWG use case

Activate the Internet Access Configuration, associate the Suspicious Object list with a Threat Protection Rule, and associate that rule with an Internet Access Rule.

Once Internet Access control is configured and applied to a user's web browser, an IoC match is logged or blocked according to the action previously set for the IoC.


Troubleshooting and known issues

To identify failures in the script execution, use the -v flag. The script execution log will show more detailed information.

Another instance is running

If you receive the following error:

Error: Another instance is running. Quitting.

There could be another instance running. To check this, open the pid.pid file in the integration folder. This file stores the process id if it’s running. Search for this process in your system. The following pictures show the process in Windows and Linux.


Integration process - Windows


Check integration process - Linux

If the previous validation indicates that another instance is running, check its progress using the integration’s log, lumu.log.
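As an added example (not the integration's own code), the following pid-file guard shows the mechanism behind this check and behind the single-instance rule described under Further considerations: the file is claimed atomically, a pid whose process has died is treated as stale and replaced, and a live pid produces the error. It assumes a POSIX host and a hypothetical pid.pid path in a temporary directory; the Windows check shown in the screenshot would need a different liveness probe.

```python
"""Single-instance guard around a pid file like the integration's pid.pid. Added example, not Lumu's code. POSIX only."""
import errno, os, subprocess, sys, tempfile
from pathlib import Path

class AnotherInstanceRunning(RuntimeError): """A live process already holds the pid file."""

def pid_is_alive(pid: int) -> bool:
    """Signal 0 is never delivered; the outcome tells us whether pid exists."""
    if pid <= 0:                  # 0 and negatives would address a process group
        return False
    try:
        os.kill(pid, 0)
    except OSError as err:        # ESRCH: gone, the file is stale; EPERM: alive, other user
        return err.errno == errno.EPERM
    return True

def read_pid(pid_file: Path) -> "int | None":
    try:                          # a missing or corrupt file both mean "no instance"
        return int(pid_file.read_text().strip())
    except (FileNotFoundError, ValueError):
        return None

def acquire(pid_file: Path) -> int:
    """Claim pid_file atomically with O_EXCL; a stale file left by a dead holder is replaced."""
    try:
        fd = os.open(pid_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except FileExistsError:
        other = read_pid(pid_file)
        if other is not None and other != os.getpid() and pid_is_alive(other):
            raise AnotherInstanceRunning(f"Another instance is running (pid {other}). Quitting.")
        pid_file.unlink(missing_ok=True)   # stale or corrupt: clear it and claim again
        fd = os.open(pid_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "w") as fh:
        fh.write(str(os.getpid()))
    return os.getpid()

def release(pid_file: Path) -> None:
    if read_pid(pid_file) == os.getpid():  # only the owner removes the file
        pid_file.unlink(missing_ok=True)

def demo() -> dict:
    # Exercise the lock against a live holder, then a stale file, in a temp dir.
    with tempfile.TemporaryDirectory() as tmp:
        pid_file = Path(tmp, "pid.pid")
        child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(60)"])
        pid_file.write_text(str(child.pid))            # stands in for a live instance
        try:
            acquire(pid_file); live_rejected = False
        except AnotherInstanceRunning:
            live_rejected = True
        child.kill(); child.wait()                     # holder died: pid.pid is now stale
        stale = not pid_is_alive(read_pid(pid_file))
        recovered = acquire(pid_file) == os.getpid()
        release(pid_file)
        return {"live_rejected": live_rejected, "stale_detected": stale,
                "stale_recovered": recovered, "released": read_pid(pid_file) is None}
```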
