Lumeta Spectre amplifies the value of your security stack by correlating the comprehensive and authoritative data about your network with integrated data connectors. The following table shows the Integrations available with Spectre along with their overview and how to verify their configurations. Integrations are available at Settings=>Integrations menu item.
Integrations | Description | Configuration Input | How to test if feed is accessible | Tables Populated | Dashboards/Reports |
|---|---|---|---|---|---|
Open Source Feeds: | |||||
Emerging Threats | http://rules.emergingthreats.net/blockrules/compromised-ips.txt provides you with a list of IPs that have been compromised. Spectre ingests this list and compares it to your discovered devices. | Polling Interval | Go to the emerging threats URL and verify that you can view the results | threat_feed_ip (_source: openthreat)
| Breach Detection => Zombie Devices |
Tor | Enabling Tor feed helps you find if any of your organization’s trusted network assets are behaving as TOR relays or exit addresses. URLs that Spectre gets the TOR relays and exit addresses from are: https://onionoo.torproject.org/summary?type=relay https://check.torproject.org/exit-addresses
| Polling Interval | Go to the TOR URLs and verify that you can view the results | tor | Breach Detection => Tor Nodes and Tor Flow Charting |
ISC | https://isc.sans.edu/services.html provides Spectre with a list of ports that have been compromised. Spectre ingests this list and compares it against the open ports of your discovered devices. | Polling Interval | Go to ISC URL and verify that you can view the results | portlookup | Breach Detection => Nefarious Ports Summary |
Subscription Feeds: | |||||
Emerging Threats Pro | With a valid customer key, http://rules.emergingthreatspro.com provides Spectre with a list of IPs that have been compromised. Spectre ingests this list and compares it with your discovered devices. | Polling Interval Customer Key | Go to Emerging Threats Pro URL and verify that you can view the results | threat_feed_ip (_source: emergingthreat) | Breach Detection => Zombie Devices |
iDefense | Verisign iDefense is a closed-source threat intelligence feed available to all Spectre customers. This feed correlates iDefense IPs against your network's IPs to produce actionable lists of zombie devices and threat flows in your network. | Polling Interval Customer Key | Go to https://api.intelgraph.verisign.com/rest/threatindicator/v0 and login with your username/password and verify that you can view the results | threat_feed_ip (_source: idefense)
| Breach Detection => Threat Flow Charting |
Other Solutions: | |||||
Gigamon | Spectre uses NetFlow data to identify threat conversations between your network and external adversaries. This NetFlow data comes to Spectre as a result of its integration with a Gigamon solution. | Enable Netflow Packet Capture Service | Once you enable netflow, make sure nfcapd files are created under /var/spool/netflow directory. Gigamon (GigaSMART engine) can create only one type of record – either IPFIX, v9 or v5. We have tested Spectre with v9 only. As per our Development team, IPFIX is not supported.
| Not tables under /var/spool/netflow directory, you will see nfcapd files | Breach Detection => Threat Flow Charting |
Carbon Black | The integration of Carbon Black Endpoint Detection and Response capabilities to Spectre enables you to know whether hosts on your enterprise network are either unmanaged by Carbon Black, unmanaged by Spectre, or managed by both. | Polling Interval Customer Key Server Name |
| managed_hosts_v (_source: bit9) bit9_managed_hosts_regex | Endpoint Management |
McAfee | Lumeta Spectre fetches McAfee ePO-managed data, compares it to Spectre-discovered data within the same network space, and then pushes the findings back to the ePO server. This ensures on a continual basis that ePO has the complete set of networks and devices to manage. | Polling Interval Server Name Username Password |
| managed_hosts_v (_source: epo) epo_managed_hosts
| ePO Management |
Infoblox | This integration reconciles data between Spectre and Infoblox (an IP address management solution) and enables you to export an IP list with which to update the IP assets managed on Infoblox. | Polling Interval Server Name Username Password |
| managed_hosts_v (_source: infoblox) infoblox_managed_hosts | IP Address Management |
Cisco PxGrid | The Cisco pxGrid integration enables you to exchange context with Cisco products to retrieve endpoint, identity group, security group, and session data from a Cisco ISE server. To make use of this integration, your network must be running the Cisco pxGrid agent and be monitored by Lumeta Spectre. | Server Name Username Keystore File Keystore Password Truststore File Truststore Password
|
| cisco_ise_endpointprofile cisco_ise_identity_group cisco_ise_securitygroup cisco_ise_session | Search=>Devices=> Pxgrip IP Sessions |
Qualys | Spectre helps your Qualys Enterprise server work better by comparing Qualys-subscribed and Qualys-scanned IPs with Spectre-indexed hosts in the same network space. Qualys receives a list of endpoint data information from Spectre at every polling interval, enabling Qualys to add the endpoints to its network space, thereby eliminating any gaps in coverage and ensuring the comprehensive provision of vulnerability management to Qualys customers. | Polling Interval Server Name Username Password Auto-Subscribe
|
| qualys_scanned_ips_raw qualys_subscribed_ips qualys_subscribed_ips_v | Vulnerability Management |
McAfee DXL | Spectre targets on extending McAfee integration to such that events will be published to DXL message bus. | Server Name Host Name Broker Chain certs Unique Broker Id Broker Port
|
| No tables created | No Reports/Dashboards |
RedSeal | RedSeal integration will only include ingesting RedSeal managed hosts into Spectre | Polling Interval Server Name Username Password |
| redseal_managed_hosts | RedSeal Management |
Integration Feeds (Data Pulled) | Integration Feeds (Data Pulled and Pushed) |
|
|
Lumeta Spectre Extension to McAfee ePO
...